letsroute
just joined
Topic Author
Posts: 3
Joined: Tue Jan 12, 2021 1:58 am

Wireguard - Unable to access computers on different LAN

Sat Jan 23, 2021 3:43 am

Topology:
Fios Router -> PC / Devices (192.168.1.X)
Fios Router -> 4011 Router 7.1beta3 (192.168.1.X - WAN Port 1) -> Laptop (192.168.88.X - LAN Port 2) / 4011 (192.168.88.1 - LAN)

*Fios Router is connected to Port 1 (WAN) on the 4011, while the laptop is connected to Port 2 (LAN) on the 4011. Fios router provides DHCP on 192.168.1.X subnet, while 4011 provides DHCP on 192.168.88.X subnet.

Wireguard: VPN provider is Mullvad. Used the following config that they provide, which I edited (thanks to redskilldough for the original post on how to set it up):
[Interface]
PrivateKey = aaaabbbb
Address = 10.1.1.1/32,aaaa:bbbb:cccc::1:23ab/128
DNS = 1.1.1.1

[Peer]
PublicKey = zzzzyyyy
AllowedIPs = 0.0.0.0/0,::0/0
Endpoint = 2.2.2.2:3333

I did the following steps to setup Wireguard on 4011:
  1. Wireguard -> New Interface. Left defaults and added private key (aaaabbbb) from config file -> Apply -> OK
  2. Wireguard -> Peers -> Added public key (zzzzyyyy), endpoint: 2.2.2.2, endpoint port: 3333, allowed address (allowedips): 0.0.0.0/0 -> Apply -> OK
    *The configuration file lists 0.0.0.0/0 for Allowed Address, I believe this means that all clients can use the VPN?
  3. IP -> Address -> New Address -> Address=10.1.1.1/32 (from interface config), Interface=wireguard -> Apply -> OK
    *I currently have my wireguard (10.1.1.1), ether1 (address=192.168.1.85/24 / network=192.168.1.0), and bridge (address=192.168.88.1/24 / network=192.168.88.0) addresses in the list
  4. IP -> Firewall -> NAT tab -> Add -> Chain=srcnat, Out. Interface=wireguard, action=masquerade -> Apply -> OK
    *My understanding is that masquerade allows all the clients traffic to route through the VPN
  5. Terminal ->
    /routing table add name=mullvad
    *I'm not exactly sure how this works, I think this is new for ROS 7?
  6. IP -> Firewall -> Mangle -> Chain=prerouting, Source Address=192.168.88.X (laptop), Action=mark routing, New Routing Mark=mullvad
    * Does this just mark all the traffic coming from the laptop as 'mullvad' traffic, and then the next step routes this traffic to the VPN?
  7. Terminal:
    /ip route add dst-address=0.0.0.0/0 gateway=wireguard1@main routing-table=mullvad
    * My understanding of this route is that it will route all traffic through wireguard.

I also disabled fasttrack as this just slows everything down to a crawl.

Issue: All the traffic is being routed through wireguard for the defined IP (laptop), but the laptop can't access any of the PCs in the WAN. Without wireguard setup everything works perfectly fine, which makes sense based on the routing. I tried adding a route a few different ways without success, any help would be appreciated!

EDIT: It looks like if I set up a new mangle rule I can access the other LAN: IP -> Firewall -> Mangle -> chain=prerouting, src address: 192.168.88.X (laptop), dst address: 192.168.1.0/24, action=mark routing, new routing mark=main - is this the correct solution?
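The seven steps above collected into one RouterOS v7 CLI script, as an added example that is not part of the original post or of Mullvad's material. Keys, endpoint and interface names are the placeholders from the post; the laptop is assumed to be 192.168.88.10 and the DHCP network entry for 192.168.88.0/24 is assumed to exist. The exception for the 192.168.1.0/24 side is folded into the mark rule as a negated destination instead of a second mark-to-main rule.

```routeros
# Added example (not from the original post): policy-route one LAN host through a
# Mullvad WireGuard tunnel on RouterOS v7 while keeping 192.168.1.0/24 reachable.
# Keys, the endpoint and the laptop address (192.168.88.10) are placeholders.

# 1. Tunnel interface with the private key from the provider's [Interface] section
/interface wireguard add name=wireguard1 private-key="aaaabbbb"

# 2. Peer from the [Peer] section. allowed-address=0.0.0.0/0 means "any destination
#    may be sent to this peer"; it is a routing whitelist, not a list of LAN clients.
/interface wireguard peers add interface=wireguard1 public-key="zzzzyyyy" \
    endpoint-address=2.2.2.2 endpoint-port=3333 allowed-address=0.0.0.0/0 \
    persistent-keepalive=25s

# 3. Tunnel address from the [Interface] Address line
/ip address add address=10.1.1.1/32 interface=wireguard1

# 4. Source-NAT LAN traffic leaving through the tunnel so it carries the tunnel address
/ip firewall nat add chain=srcnat out-interface=wireguard1 action=masquerade

# 5. Separate routing table; "fib" is what makes its routes active in the kernel
/routing table add name=mullvad fib

# 6. Mark the laptop's traffic, except traffic for the other LAN, which stays in main.
#    The negated dst-address replaces the mark-to-main rule from the EDIT.
/ip firewall mangle add chain=prerouting src-address=192.168.88.10 \
    dst-address=!192.168.1.0/24 action=mark-routing new-routing-mark=mullvad passthrough=no

# 7. Default route inside the mullvad table pointing into the tunnel
/ip route add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=mullvad

# DNS: the router's own resolver is router-originated traffic and is never matched by a
# prerouting mark, so it would leave via the Fios WAN. Hand the laptop the provider's
# resolver directly; its queries are then LAN traffic and get marked like the rest.
/ip dhcp-server network set [find address=192.168.88.0/24] dns-server=1.1.1.1

# Checks: a recent last-handshake on the peer, the default route present in the
# mullvad table, and the mangle counters climbing when the laptop generates traffic
/interface wireguard peers print detail
/ip route print where routing-table=mullvad
/ip firewall mangle print stats
```

Two caveats a practitioner would want: a fasttracked connection bypasses mangle, so if the fasttrack filter rule is switched back on, the laptop's connections must be excluded from it or they will stop following the mark; and nothing here prevents the laptop from reaching the internet through the Fios side if the tunnel goes down, since the main table still has a default route.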
 
daddyfix
just joined
Posts: 18
Joined: Mon Dec 14, 2020 4:25 pm

Re: Wireguard - Unable to access computers on different LAN

Sat Mar 13, 2021 10:36 pm

Use this to connect the two networks (Wireguard Clients and LAN). The wireguard default server port is 51820
/ip firewall nat add chain=dstnat dst-port=<internet port> action=dst-nat protocol=udp to-addresses=<IP to Wireguard Server> to-ports=51820
 
AnAnAs
newbie
Posts: 25
Joined: Fri Apr 13, 2018 11:08 pm
Location: France

Re: Wireguard - Unable to access computers on different LAN

Wed Jul 07, 2021 6:48 pm

Hello,

Yes, I am also having the same problems,
I can't find any solution,

1 Client works well
but when a second Peers is created, the first Peers no longer works.
Why ?
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Wireguard - Unable to access computers on different LAN

Wed Jul 07, 2021 7:38 pm

but when a second Peers is created, the first Peers no longer works.
This is because Wireguard uses the allowed-addresses to determine which peer the packet should be sent to. If the address you are pinging is in the allowed-addresses range for peer 1, it sends it to peer 1. If it is in the allowed-addresses for peer 2, it sends it to peer 2. In your case you have incorrectly duplicated allowed-addresses for both peers so they are the same. As a result, the router does not know which peer to send the packet to, and your ping is probably being sent to the wrong peer, or simply dropped because it matches multiple peers.

In this case, you have essentially assigned a whole /24 to peer 1 and the same /24 to peer 2 as a duplicate. It is unlikely that your road warrior client is going to need 253 IP addresses, most likely they will be quite happy with just one. So you should reduce the allowed-addresses size configured on the MikroTik router to a /32 for each peer (you don't have to change the netmask under IP address, only allowed-addresses).
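What the fix looks like on the RouterOS CLI, as an added example that is not from the thread. The peer keys, the listen port and the 10.0.0.0/24 tunnel network are placeholders.

```routeros
# Added example, not from the thread: two road-warrior peers on one WireGuard
# server interface. Keys and the 10.0.0.0/24 tunnel network are placeholders.

/interface wireguard add name=wireguard1 listen-port=51820
/ip address add address=10.0.0.1/24 interface=wireguard1

# Wrong: both peers claim the whole /24. The router picks the outgoing peer by
# allowed-address, so a destination matches both and one peer stops working.
# /interface wireguard peers add interface=wireguard1 public-key="PEER1_PUB" allowed-address=10.0.0.0/24
# /interface wireguard peers add interface=wireguard1 public-key="PEER2_PUB" allowed-address=10.0.0.0/24

# Right: exactly the address each client uses inside the tunnel, one /32 per peer.
# The /24 stays on the interface address above; only allowed-address shrinks.
/interface wireguard peers add interface=wireguard1 public-key="PEER1_PUB" allowed-address=10.0.0.2/32
/interface wireguard peers add interface=wireguard1 public-key="PEER2_PUB" allowed-address=10.0.0.3/32

# Inbound handshakes have to reach the listen port
/ip firewall filter add chain=input protocol=udp dst-port=51820 action=accept place-before=0

# Check: each peer lists its own /32 and shows a last-handshake once the client connects
/interface wireguard peers print detail
```

allowed-address works in both directions: besides selecting the peer for outgoing packets, an incoming decrypted packet whose inner source address is not inside that peer's allowed-address is dropped. One /32 per peer therefore also stops a client from sending packets with another client's tunnel address. Client-to-client traffic (peer A to 10.0.0.3) is forwarded back out the same interface, so the forward chain must permit in-interface=wireguard1 to out-interface=wireguard1 if that is wanted.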
 
AnAnAs
newbie
Posts: 25
Joined: Fri Apr 13, 2018 11:08 pm
Location: France

Re: Wireguard - Unable to access computers on different LAN

Wed Jul 07, 2021 10:48 pm

Very good, I will try tonight.
This is strange because I am doing the exact same configuration on a WireGuard server installed on an Ubuntu.
It allowed the clients to communicate with each other.
 
AnAnAs
newbie
Posts: 25
Joined: Fri Apr 13, 2018 11:08 pm
Location: France

Re: Wireguard - Unable to access computers on different LAN

Thu Jul 08, 2021 12:03 am

Perfect
It works!

Thanks mducharme!!
