Community discussions

MikroTik App
 
letsroute
just joined
Topic Author
Posts: 3
Joined: Tue Jan 12, 2021 1:58 am

Wireguard - Unable to access computers on different LAN

Sat Jan 23, 2021 3:43 am

Topology:
Fios Router -> PC / Devices (192.168.1.X)
Fios Router -> 4011 Router 7.1beta3 (192.168.1.X - WAN Port 1) -> Laptop (192.168.88.X - LAN Port 2) / 4011 (192.168.88.1 - LAN)

*Fios Router is connected to Port 1 (WAN) on the 4011, while the laptop is connected to Port 2 (LAN) on the 4011. Fios router provides DHCP on 192.168.1.X subnet, while 4011 provides DHCP on 192.168.88.X subnet.

Wireguard: VPN provider is Mullvad. Used the following config that they provide that i edited (thanks to redskilldough for the original post on how to set it up):
[Interface]
PrivateKey = aaaabbbb
Address = 10.1.1.1/32,aaaa:bbbb:cccc::1:23ab/128
DNS = 1.1.1.1

[Peer]
PublicKey = zzzzyyyy
AllowedIPs = 0.0.0.0/0,::0/0
Endpoint = 2.2.2.2:3333

I did the following steps to setup Wireguard on 4011:
  1. Wireguard -> New Interface. Left defaults and added private key (aaaabbbb) from config file -> Apply -> OK
  2. Wireguard -> Peers -> Added public key (zzzzyyyy), endpoint: 2222, endpoint port: 3333, allowed address (allowedips): 0.0.0.0/0 -> Apply -> OK
    *The configuration file lists 0.0.0.0/0 for Allowed Address, I believe this means that all clients can use the VPN?
  3. IP -> Address -> New Address -> Address=10.1.1.1/32 (from interface config), Interface=wireguard -> Apply -> OK
    *I currently have my wireguard (10.1.1.1), ether1 (address=192.168.1.85/24 / network=192.168.1.0), and bridge (address=192.168.88.1/24 / network=192.168.88.0) addresses in the list
  4. IP -> Firewall -> NAT tab -> Add -> Chain=scrnat, Out. Interface=wireguard, action=masquerade -> Apply -> OK
    *My understanding is that masquerade allows all the clients traffic to route through the VPN
  5. Terminal ->
    /routing table add name=mullvad
    *I'm not exactly sure how this works, i think this is new for ROS 7?
  6. IP -> Firewall -> Mangle -> Chain=prerouting, Source Address=192.168.88.X (laptop), Action=mark routing, New Routing Mark=mullvad
    * Does this just mark all the traffic coming from the laptop as 'mullvad' traffic, and then the next step routes this traffic to the VPN?
  7. Terminal:
    /ip route add dst-address=0.0.0.0/0 gateway=wireguard1@main routing-table=mullvad
    * My understanding of this route is that it will route all traffic through wireguard.

I also disabled fasttrack as this just slows everything down to a crawl.

Issue: All the traffic is being routed through wireguard for the defined IP (laptop), but the laptop can't access any of the PCs in the WAN. Without wireguard setup everything works perfectly fine, which makes sense based on the routing. I tried adding a route a few different ways without success, any help would be appreciated!

EDIT: It looks like if I setup a new mangle i can access the other LAN: IP -> Firewall -> Mangle -> chain=prerouting, src address: 192.168.88.X (laptop), dst address: 192.168.1.0/24, action=mark routing, new routing mark=main - is this the correct solution?
 
daddyfix
just joined
Posts: 16
Joined: Mon Dec 14, 2020 4:25 pm

Re: Wireguard - Unable to access computers on different LAN

Sat Mar 13, 2021 10:36 pm

Use this to connect the two networks (Wireguard Clients and LAN). The wireguard default server port is 51820
/ip firewall nat add chain=dstnat dst-port=<internet port> action=dst-nat protocol=udp to-addresses=<IP to Wireguard Server> to-ports=51820

Who is online

Users browsing this forum: No registered users and 5 guests