vadamlyuk
just joined
Topic Author
Posts: 8
Joined: Tue Jan 09, 2018 12:02 pm

v7.1beta4 Wireguard: missing packets

Thu Mar 04, 2021 12:33 pm

Hi,

I'm trying to set up a WireGuard peer-to-peer link:

[V-Mikrotik-252] (wg - 10.3.252.1/24) <----> ( wg - 10.3.252.2/24) [P-Mikrotik-252] (eth - 10.11.3.252/24). <---> (eth - 10.11.3.183/24) [P-TEST]

10.3.252.1 and 10.3.252.2 ping each other OK, and I can see ICMP packets on both sides of the WireGuard link,
but when I try to ping from 10.11.3.183 to 10.3.252.1 I can see ICMP packets only on 10.3.252.2, not on 10.3.252.1.

Could somebody give me an idea where I can find the missing packets and then find the reason for what's going on?

V-Mikrotik-252 config:
/interface wireguard
add listen-port=42321 mtu=1420 name=wg private-key="..."
/interface wireguard peers
add allowed-address=10.3.252.2/32,10.11.0.0/16 interface=wg persistent-keepalive=3s public-key="..."
/ip address
add address=10.3.252.1/24 interface=wg network=10.3.252.0
/ip route
add check-gateway=ping distance=11 dst-address=10.11.0.0/16 gateway=10.3.252.2

P-Mikrotik-252 config:
/interface ethernet
/interface wireguard
add listen-port=42311 mtu=1420 name=wg private-key="..."
/interface wireguard peers
add allowed-address=10.2.0.0/15 endpoint-address=... endpoint-port=42321 interface=wg persistent-keepalive=3s public-key=""
/ip address
add address=10.11.3.252/24 interface=vl3 network=10.11.3.0
add address=10.3.252.2/24 interface=wg network=10.3.252.0
/ip route
add check-gateway=ping distance=11 dst-address=10.2.0.0/15 gateway=10.3.252.1

P-TEST config:
/ip address
add address=10.11.3.183/24 interface=vl3-backbone network=10.11.3.0
/ip route
add check-gateway=ping disabled=no dst-address=0.0.0.0/0 gateway=10.11.3.252

Sniffer output on 10.3.252.2:
12 time=9.063 num=13 direction=tx interface=wg src-address=10.3.252.2 dst-address=10.3.252.1 protocol=ip ip-protocol=icmp size=56 cpu=0 fp=no ip-packet-size=56 ip-header-size=20 dscp=0 identification=54587 fragment-offset=0 ttl=64 

13 time=9.408 num=14 direction=tx interface=wg src-address=10.11.3.183 dst-address=10.3.252.1 protocol=ip ip-protocol=icmp size=56 cpu=0 fp=no ip-packet-size=56 ip-header-size=20 dscp=0 identification=24337 fragment-offset=0 ttl=254 

14 time=10.409 num=15 direction=tx interface=wg src-address=10.11.3.183 dst-address=10.3.252.1 protocol=ip ip-protocol=icmp size=56 cpu=0 fp=no ip-packet-size=56 ip-header-size=20 dscp=0 identification=24420 fragment-offset=0 ttl=254 

15 time=10.649 num=16 direction=tx interface=wg src-address=10.3.252.2 dst-address=10.3.252.1 protocol=ip ip-protocol=icmp size=56 cpu=1 fp=no ip-packet-size=56 ip-header-size=20 dscp=0 identification=54653 fragment-offset=0 ttl=255 

Sniffer output on 10.3.252.1:
 2 time=6.723 num=3 direction=rx interface=wg src-address=10.3.252.2 dst-address=10.3.252.1 protocol=ip ip-protocol=icmp size=56 cpu=0 fp=no ip-packet-size=56 ip-header-size=20 dscp=0 identification=54587 fragment-offset=0 ttl=64 

 3 time=8.309 num=4 direction=rx interface=wg src-address=10.3.252.2 dst-address=10.3.252.1 protocol=ip ip-protocol=icmp size=56 cpu=1 fp=no ip-packet-size=56 ip-header-size=20  dscp=0 identification=54653 fragment-offset=0 ttl=255
 

As you can see, there are only wg keep-alive packets on 10.3.252.1, but no ICMP from 10.11.3.183.
 
andryan
newbie
Posts: 40
Joined: Fri Nov 30, 2007 10:33 pm
Location: Jakarta, Indonesia
Contact:

Re: v7.1beta4 Wireguard: missing packets

Thu Mar 04, 2021 1:28 pm

On P-Mikrotik-252, try adding 10.11.0.0/16 to allowed-address, so that it would be allowed-address=10.2.0.0/15,10.11.0.0/16.
 
vadamlyuk
just joined
Topic Author
Posts: 8
Joined: Tue Jan 09, 2018 12:02 pm

Re: v7.1beta4 Wireguard: missing packets

Thu Mar 04, 2021 2:14 pm

I've set allowed-address=10.0.0.0/8 on both sides, P-Mikrotik-252 and V-Mikrotik-252,
and there was no change.
 
vadamlyuk
just joined
Topic Author
Posts: 8
Joined: Tue Jan 09, 2018 12:02 pm

Re: v7.1beta4 Wireguard: missing packets  [SOLVED]

Thu Mar 04, 2021 4:00 pm

I found the source of the problem: on the V-Mikrotik-252 side I had a 2nd WireGuard peer with allowed-address=0.0.0.0/0, and this was the cause, despite this link not being active (current-endpoint-address="" current-endpoint-port=0).

Anyway, the allowed-address WireGuard peer option has to be described in more depth in the future.
Maybe my case has to be checked by MT developers as a bug.
 
vadamlyuk
just joined
Topic Author
Posts: 8
Joined: Tue Jan 09, 2018 12:02 pm

Re: v7.1beta4 Wireguard: missing packets

Thu Mar 04, 2021 4:02 pm

Hmm, it seems to be exactly a bug.
Even when the WireGuard peer with allowed-address=0.0.0.0/0 is disabled, it also causes problems.
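
Added example, not part of any post above and not MikroTik code: a model of upstream WireGuard's allowed-address lookup (longest-prefix match, used both to pick the outbound peer and to validate the inner source address on receive), run over peer tables constructed from the configs in this thread. The peer labels, including "second-peer" for the 0.0.0.0/0 entry, are assumptions, and the model says nothing about RouterOS v7.1beta4 internals.

```python
import ipaddress

def lookup(peers, addr):
    """Peer holding the longest allowed-address prefix covering addr, or None."""
    ip = ipaddress.ip_address(addr)
    best_name, best_len = None, -1
    for name, prefixes in peers.items():
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix)
            if ip in net and net.prefixlen > best_len:
                best_name, best_len = name, net.prefixlen
    return best_name

def tx_peer(peers, dst):
    """Outbound: the destination address selects the peer to encrypt to."""
    return lookup(peers, dst)

def rx_accepted(peers, sending_peer, src):
    """Inbound: the decrypted packet's source must map back to its sender."""
    return lookup(peers, src) == sending_peer

def overlaps(peers):
    """(wider_peer, wider_prefix, narrower_peer, narrower_prefix) across peers."""
    flat = [(n, ipaddress.ip_network(p)) for n, ps in peers.items() for p in ps]
    return [(a, str(x), b, str(y)) for a, x in flat for b, y in flat
            if a != b and y.subnet_of(x)]

# Constructed from the thread's configs; peer names are hypothetical labels.
V_PEERS = {
    "P-Mikrotik-252": ["10.3.252.2/32", "10.11.0.0/16"],
    "second-peer": ["0.0.0.0/0"],  # the inactive catch-all peer
}
P_PEERS = {"V-Mikrotik-252": ["10.2.0.0/15"]}

def trace_ping(src="10.11.3.183", dst="10.3.252.1"):
    """Walk the echo request and its reply through both routers' peer tables."""
    return {
        "P tx request": tx_peer(P_PEERS, dst),
        "V rx request": rx_accepted(V_PEERS, "P-Mikrotik-252", src),
        "V tx reply": tx_peer(V_PEERS, src),
        "P rx reply": rx_accepted(P_PEERS, "V-Mikrotik-252", dst),
    }

if __name__ == "__main__":
    for step, result in trace_ping().items():
        print(step, "->", result)
    for row in overlaps(V_PEERS):
        print("overlap:", row)
```

Under this model the ping passes all four checks even with the catch-all peer present, so `overlaps()` is the part worth running against a real peer list: it flags every prefix of one peer that sits inside a wider prefix of another.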
