dcavni
Member Candidate
Topic Author
Posts: 107
Joined: Sun Mar 31, 2013 6:02 pm

Wireguard on Ac2 behind Ac3

Tue Jan 05, 2021 11:39 pm

Hi

I already posted this in another older topic, but apparently it's not visible enough.

I'm having some problems with WireGuard on hAP ac2 (7.1 beta3). I managed to get port forwarding working on my main router (hAP ac3) and now I would like to make a WireGuard server on one of the CAPsMAN clients (hAP ac2).

It seems that the connection is working, since I can ping my phone's IP from the WireGuard server and I can also ping the WireGuard server from my phone. But that is all that is working. I can't get access to any device in the local network and also not to the internet from my phone. In allowed IPs on the client I have 0.0.0.0/0.

Should I enter some additional routes in IP/Routes or maybe some firewall rules?

hAP ac3 has the IP 192.168.3.3 and is also the gateway and DNS server for my network. If I check for a firmware upgrade on hAP ac2, the new firmware check works, so internet access is working.
[admin@MikroTik] > export hide-sensitive
# jan/05/2021 22:31:35 by RouterOS 7.1beta3
# software id = 1W79-SWFL
#
# model = RBD52G-5HacD2HnD
# serial number = C6140BFD9F14
/interface bridge
add admin-mac=C4:AD:34:EA:50:EA auto-mac=no comment=defconf name=bridgeLocal
/interface wireless
# managed by CAPsMAN
# channel: 2442/20-eC/gn(17dBm), SSID: Kmetija, local forwarding
set [ find default-name=wlan1 ] disabled=no ssid=MikroTik
# managed by CAPsMAN
# channel: 5745/20-Ceee/ac(17dBm), SSID: Kmetija 5, CAPsMAN forwarding
set [ find default-name=wlan2 ] installation=indoor ssid=MikroTik
/interface wireguard
add listen-port=51821 mtu=1420 name=WG
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip vrf
add list=all name=main
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
add bridge=bridgeLocal comment=defconf interface=ether3
add bridge=bridgeLocal comment=defconf interface=ether4
add bridge=bridgeLocal comment=defconf interface=ether5
add bridge=bridgeLocal interface=wlan2
/interface list member
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=wlan2 list=LAN
add interface=wlan1 list=LAN
add interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=10.0.0.2/32 interface=WG public-key=\
    "xxxxxxxxxxxxxxxxxxxxxxxxxxx="
add allowed-address=10.0.0.3/32 interface=WG public-key=\
    "xxxxxxxxxxxxxxxxxxxxxxxxxx="
/interface wireless cap
# 
set bridge=bridgeLocal caps-man-addresses=192.168.3.3 discovery-interfaces=\
    bridgeLocal enabled=yes interfaces=wlan2,wlan1
/ip address
add address=192.168.3.31/24 interface=ether2 network=192.168.3.0
add address=10.0.0.1/24 interface=WG network=10.0.0.0
/ip dhcp-client
add comment=defconf interface=bridgeLocal
/ip dns
set servers=192.168.3.3
/ip firewall filter
add action=accept chain=input dst-port=51821 log=yes protocol=udp
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.3.3 pref-src=
    "" scope=30 target-scope=10
Thank you for suggestions.
 
mfrey
newbie
Posts: 36
Joined: Wed Jan 06, 2021 12:31 am

Re: Wireguard on Ac2 behind Ac3

Wed Jan 06, 2021 12:39 am

The issue might be that there is no route from your devices back to the WireGuard subnet (10.0.0.0/24).

When a WireGuard client is sending traffic to a local device, the packets will go client -> ac2 -> local device and then the local devices will try to send an answer to the 10.0.0.0/24 network. They will send it to the ac3, since this is their default gateway, but the ac3 does not route the traffic to the ac2, because it has no route to it. So either you have to add a route at the ac3 (10.0.0.0/24 via ac2) or you SNAT your WireGuard clients.
Last edited by mfrey on Wed Jan 06, 2021 12:41 am, edited 1 time in total.
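As an added illustration of the two options described in the post above (this is not configuration from any post in the thread), here are both written out in RouterOS syntax. It assumes the ac2's LAN address sits on bridgeLocal, the bridge name from the export above; if the address stays on ether2, use that as out-interface instead. The route on the ac3 keeps the peers addressable from the LAN, but because the ac3 then sees only the reply half of each LAN-to-peer connection, its default "drop invalid" forward rule will still drop those replies unless it is adjusted.

```routeros
# Option 1, on the hAP ac2: hide the WireGuard peers behind the ac2's own
# LAN address. LAN hosts then reply to 192.168.3.31, which is on-link, so the
# reply comes straight back to the ac2 and the ac3 never sees the connection.
/ip firewall nat
add chain=srcnat action=masquerade src-address=10.0.0.0/24 \
    out-interface=bridgeLocal comment="WireGuard peers via ac2 LAN address"

# Option 2, on the hAP ac3 (peers stay reachable from the LAN): tell the ac3
# that 10.0.0.0/24 lives behind the ac2's LAN address. Replies LAN -> peer now
# reach the ac2, but they transit the ac3 without the matching request, so the
# ac3's "defconf: drop invalid" forward rule still has to be dealt with.
/ip route
add dst-address=10.0.0.0/24 gateway=192.168.3.31 comment="WireGuard net via ac2"
```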
 
rplant
Member Candidate
Posts: 280
Joined: Fri Sep 29, 2017 11:42 am

Re: Wireguard on Ac2 behind Ac3

Wed Jan 06, 2021 12:47 am

Hi,

Perhaps try the following.

/ip firewall nat
add action=masquerade chain=srcnat src-address=10.0.0.0/24 out-interface=bridge-local

And probably change where the local network ip address is placed (on bridge-local rather than ether2)

** Probably not exactly this (would need to remove/disable existing), perhaps edit using winbox **
/ip address
add address=192.168.3.31/24 interface=bridge-local
 
dcavni
Member Candidate
Topic Author
Posts: 107
Joined: Sun Mar 31, 2013 6:02 pm

Re: Wireguard on Ac2 behind Ac3

Wed Jan 06, 2021 1:53 am

Hi,

Perhaps try the following.

/ip firewall nat
add action=masquerade chain=srcnat src-address=10.0.0.0/24 out-interface=bridge-local

And probably change where the local network ip address is placed (on bridge-local rather than ether2)

** Probably not exactly this (would need to remove/disable existing), perhaps edit using winbox **
/ip address
add address=192.168.3.31/24 interface=bridge-local
I added the firewall masquerade rule as you suggested and changed the location of the IP address to the bridge (I also did this yesterday, but it just keeps jumping back to ether2, where the LAN is connected, every few hours). I tried, but it still doesn't work. There must be some small thing I am missing. Is there any option to add a default gateway IP to the configuration? Currently I only have DNS in the configuration options.

There must be a way to configure this properly on MikroTik behind NAT. I'm currently running WG on an RPi3, also behind NAT, and it works flawlessly, but it maxes out at 70 Mbps.
 
rplant
Member Candidate
Posts: 280
Joined: Fri Sep 29, 2017 11:42 am

Re: Wireguard on Ac2 behind Ac3

Wed Jan 06, 2021 8:37 am

perhaps also

/interface list
add interface=WG list=LAN
 
dcavni
Member Candidate
Topic Author
Posts: 107
Joined: Sun Mar 31, 2013 6:02 pm

Re: Wireguard on Ac2 behind Ac3

Thu Jan 07, 2021 7:12 pm

The issue might be that there is no route from your devices back to the WireGuard subnet (10.0.0.0/24).

When a WireGuard client is sending traffic to a local device, the packets will go client -> ac2 -> local device and then the local devices will try to send an answer to the 10.0.0.0/24 network. They will send it to the ac3, since this is their default gateway, but the ac3 does not route the traffic to the ac2, because it has no route to it. So either you have to add a route at the ac3 (10.0.0.0/24 via ac2) or you SNAT your WireGuard clients.
Sorry, I somehow completely overlooked your post. Probably because of the late hour, and yesterday I was too busy to try it.

Your solution actually worked :) The only thing not working now is that when I'm connected through WireGuard I don't have access to my LAN; internet works normally. Any suggestions in that direction?
 
dcavni
Member Candidate
Topic Author
Posts: 107
Joined: Sun Mar 31, 2013 6:02 pm

Re: Wireguard on Ac2 behind Ac3

Thu Jan 07, 2021 11:28 pm

OK, mystery solved. I had to disable the drop forward invalid rule on my main router and everything started to work.

So I added an exception for the WireGuard IP range and now it works.

The question that still remains is: why is my main router (ac3) dropping these connections from WireGuard on the ac2 as invalid?
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid src-address=!10.0.0.0/24
 
mfrey
newbie
Posts: 36
Joined: Wed Jan 06, 2021 12:31 am

Re: Wireguard on Ac2 behind Ac3

Mon Jan 11, 2021 10:57 pm

Sorry, I somehow completely overlooked your post. Probably because of the late hour, and yesterday I was too busy to try it.
My comment was in moderation for quite some time, so that might be the reason why.

The reason for the traffic being dropped is the following: When a WireGuard client sends a packet to a local device, the ac2 directly forwards the packet to the local device, omitting the ac3. The response however is being sent to the ac3 by the local device. The ac3 detects that this packet is a response, but it is not aware of any request in its connection tracking tables, so the packet has the state invalid.

If you don't need to be able to address your WireGuard clients from your local network, I'd recommend you to NAT the clients at the ac2. It will save you a lot of hassle, especially if you use firewalls on your local servers.
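To make the explanation above concrete, here is an added toy model of the asymmetric path (this is my own illustration, not code from anyone in the thread). It models exactly the behaviour described: a stateful firewall that only saw the reply half of a connection classifies it as invalid. Real Linux/RouterOS connection tracking is more nuanced (loose TCP pickup, window tracking), so this is a model of the explanation, not of the kernel. Addresses follow the thread where it gives them; the LAN host 192.168.3.50 and the port numbers are constructed.

```python
"""Toy model: why the hAP ac3 sees WireGuard reply traffic as 'invalid',
and why masquerading on the ac2 makes the problem disappear.

Constructed topology (addresses from the thread where available):
  - WireGuard peer 10.0.0.2, tunnelled into the hAP ac2
  - hAP ac2 with LAN address 192.168.3.31 (on-link with every LAN host)
  - hAP ac3 at 192.168.3.3, the LAN default gateway, with the default
    "drop invalid" forward rule
  - a LAN host at 192.168.3.50 (constructed for the example)
"""
from dataclasses import dataclass, replace
import ipaddress

LAN = ipaddress.ip_network("192.168.3.0/24")
WG_CLIENT, AC2_LAN, AC3, LAN_HOST = "10.0.0.2", "192.168.3.31", "192.168.3.3", "192.168.3.50"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False  # True only on the first packet of a TCP flow


class Conntrack:
    """Minimal stateful firewall. A SYN opens a flow; a packet matching a
    known flow in either direction is 'established'; any other non-SYN
    packet is 'invalid' because the firewall never saw the request."""

    def __init__(self) -> None:
        self.flows: set[tuple] = set()

    def state(self, p: Packet) -> str:
        fwd = (p.src, p.dst, p.sport, p.dport)
        rev = (p.dst, p.src, p.dport, p.sport)
        if fwd in self.flows or rev in self.flows:
            return "established"
        if p.syn:
            self.flows.add(fwd)
            return "new"
        return "invalid"


def next_hop_from_lan_host(dst: str) -> str:
    """LAN hosts deliver on-link destinations directly; everything else
    goes to the default gateway, the ac3."""
    return dst if ipaddress.ip_address(dst) in LAN else AC3


def simulate(masquerade_on_ac2: bool) -> list[str]:
    """Trace one request/reply pair between the peer and the LAN host."""
    log: list[str] = []
    ac3 = Conntrack()
    nat_table: dict[tuple, tuple] = {}  # (nat src, nat sport) -> original

    # 1. peer -> LAN host. The ac2 delivers it on-link; the ac3 never sees it.
    req = Packet(WG_CLIENT, LAN_HOST, 40000, 22, syn=True)
    if masquerade_on_ac2:
        nat_table[(AC2_LAN, 50001)] = (req.src, req.sport)
        req = replace(req, src=AC2_LAN, sport=50001)
    log.append(f"ac2 -> {LAN_HOST}: {req.src}:{req.sport} -> {req.dst}:{req.dport}")

    # 2. The LAN host replies to whatever source address it saw.
    rep = Packet(LAN_HOST, req.src, req.dport, req.sport)
    hop = next_hop_from_lan_host(rep.dst)
    log.append(f"{LAN_HOST} sends reply to {rep.dst} via {hop}")

    if hop == AC3:
        # Without NAT the reply is off-link for the host, so it transits the
        # ac3, which never saw the request.
        verdict = ac3.state(rep)
        log.append(f"ac3 forward chain: connection-state={verdict}")
        if verdict == "invalid":
            log.append("ac3: dropped by 'defconf: drop invalid'")
            return log
    else:
        # With NAT the reply lands on the ac2 directly; undo NAT and tunnel it.
        orig_src, orig_sport = nat_table[(rep.dst, rep.dport)]
        rep = replace(rep, dst=orig_src, dport=orig_sport)
    log.append(f"reply reaches WireGuard client {rep.dst}:{rep.dport}")
    return log


def reply_delivered(masquerade_on_ac2: bool) -> bool:
    return simulate(masquerade_on_ac2)[-1].startswith("reply reaches")


if __name__ == "__main__":
    for nat in (False, True):
        print(f"--- masquerade on ac2: {nat}")
        print("\n".join(simulate(nat)))
```

Run it and the two traces show the difference: without masquerading the reply is routed to the ac3 and dropped as invalid; with masquerading the reply never leaves the LAN segment, so the ac3's state table is irrelevant.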
 
dcavni
Member Candidate
Topic Author
Posts: 107
Joined: Sun Mar 31, 2013 6:02 pm

Re: Wireguard on Ac2 behind Ac3

Mon Jan 11, 2021 11:36 pm

How can I do this? I don't really need access to the clients. Sorry for the beginner's questions, I'm still learning.
 
mfrey
newbie
Posts: 36
Joined: Wed Jan 06, 2021 12:31 am

Re: Wireguard on Ac2 behind Ac3

Tue Jan 12, 2021 1:11 pm

Just follow the instructions for source NAT here: https://wiki.mikrotik.com/wiki/Manual:I ... Source_NAT
You have to follow the instructions on your ac2 with the out-interface being your LAN interface. This will "hide" your WireGuard clients "behind" the local IP address of your ac2. The ac3 does not need to be aware of that.
 
dcavni
Member Candidate
Topic Author
Posts: 107
Joined: Sun Mar 31, 2013 6:02 pm

Re: Wireguard on Ac2 behind Ac3

Tue Jan 12, 2021 2:10 pm

Just follow the instructions for source NAT here: https://wiki.mikrotik.com/wiki/Manual:I ... Source_NAT
You have to follow the instructions on your ac2 with the out-interface being your LAN interface. This will "hide" your WireGuard clients "behind" the local IP address of your ac2. The ac3 does not need to be aware of that.
Thank you for the very good explanations of everything. I used masquerading. It works as you said it would.

If in the future I would need access from my main router to one of the WireGuard clients, is there any good way to do this without breaking this NAT rule? Or maybe use some different approach?
 
mfrey
newbie
Posts: 36
Joined: Wed Jan 06, 2021 12:31 am

Re: Wireguard on Ac2 behind Ac3

Tue Jan 12, 2021 6:26 pm

If you only want to access a single port on one of the WireGuard clients, you could use port forwarding (https://wiki.mikrotik.com/wiki/Manual:I ... FTP_server). Then all packets sent to your ac2 on the selected port will be forwarded to a port of a defined WireGuard client.
 
dcavni
Member Candidate
Topic Author
Posts: 107
Joined: Sun Mar 31, 2013 6:02 pm

Re: Wireguard on Ac2 behind Ac3

Tue Jan 12, 2021 6:37 pm

I was thinking more of a full port range to one client. But it's not a problem if it isn't possible. I will probably never use it in such a way anyway. Thank you again for all your help.
