I'm trying to set up a WireGuard peer-to-peer link:
[V-Mikrotik-252] (wg - 10.3.252.1/24) <----> (wg - 10.3.252.2/24) [P-Mikrotik-252] (eth - 10.11.3.252/24) <---> (eth - 10.11.3.183/24) [P-TEST]
10.3.252.1 and 10.3.252.2 ping each other OK, and I can see ICMP packets on both sides of the WireGuard link,
but when I try to ping from 10.11.3.183 to 10.3.252.1, I can see ICMP packets only on 10.3.252.2, not on 10.3.252.1.
Could somebody give me an idea where I can find the missing packets and then find the reason for what's going on?
V-Mikrotik-252 config:
/interface wireguard
add listen-port=42321 mtu=1420 name=wg private-key="..."
/interface wireguard peers
add allowed-address=10.3.252.2/32,10.11.0.0/16 interface=wg persistent-keepalive=3s public-key="..."
/ip address
add address=10.3.252.1/24 interface=wg network=10.3.252.0
/ip route
add check-gateway=ping distance=11 dst-address=10.11.0.0/16 gateway=10.3.252.2
P-Mikrotik-252 config:
/interface ethernet
/interface wireguard
add listen-port=42311 mtu=1420 name=wg private-key="..."
/interface wireguard peers
add allowed-address=10.2.0.0/15 endpoint-address=... endpoint-port=42321 interface=wg persistent-keepalive=3s public-key=""
/ip address
add address=10.11.3.252/24 interface=vl3 network=10.11.3.0
add address=10.3.252.2/24 interface=wg network=10.3.252.0
/ip route
add check-gateway=ping distance=11 dst-address=10.2.0.0/15 gateway=10.3.252.1
P-TEST config:
/ip address
add address=10.11.3.183/24 interface=vl3-backbone network=10.11.3.0
/ip route
add check-gateway=ping disabled=no dst-address=0.0.0.0/0 gateway=10.11.3.252
Sniffer output on 10.3.252.2:
12 time=9.063 num=13 direction=tx interface=wg src-address=10.3.252.2 dst-address=10.3.252.1 protocol=ip ip-protocol=icmp size=56 cpu=0 fp=no ip-packet-size=56 ip-header-size=20 dscp=0 identification=54587 fragment-offset=0 ttl=64
13 time=9.408 num=14 direction=tx interface=wg src-address=10.11.3.183 dst-address=10.3.252.1 protocol=ip ip-protocol=icmp size=56 cpu=0 fp=no ip-packet-size=56 ip-header-size=20 dscp=0 identification=24337 fragment-offset=0 ttl=254
14 time=10.409 num=15 direction=tx interface=wg src-address=10.11.3.183 dst-address=10.3.252.1 protocol=ip ip-protocol=icmp size=56 cpu=0 fp=no ip-packet-size=56 ip-header-size=20 dscp=0 identification=24420 fragment-offset=0 ttl=254
15 time=10.649 num=16 direction=tx interface=wg src-address=10.3.252.2 dst-address=10.3.252.1 protocol=ip ip-protocol=icmp size=56 cpu=1 fp=no ip-packet-size=56 ip-header-size=20 dscp=0 identification=54653 fragment-offset=0 ttl=255
Sniffer output on 10.3.252.1:
2 time=6.723 num=3 direction=rx interface=wg src-address=10.3.252.2 dst-address=10.3.252.1 protocol=ip ip-protocol=icmp size=56 cpu=0 fp=no ip-packet-size=56 ip-header-size=20 dscp=0 identification=54587 fragment-offset=0 ttl=64
3 time=8.309 num=4 direction=rx interface=wg src-address=10.3.252.2 dst-address=10.3.252.1 protocol=ip ip-protocol=icmp size=56 cpu=1 fp=no ip-packet-size=56 ip-header-size=20 dscp=0 identification=54653 fragment-offset=0 ttl=255
As you can see, there are only wg keep-alive packets on 10.3.252.1, but no ICMP from 10.11.3.183.
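An added check, not part of the original post: WireGuard sends a packet into the tunnel only if its destination is in the sender's allowed-address list for the peer, and accepts it on the far side only if its source is in the receiver's list, so the code below runs the forwarded ping through the allowed-address values posted above. It assumes each router has only the one peer shown; the function names and the 10.12.0.5 address are constructed for illustration.

```python
import ipaddress

# allowed-address lists copied from the two peer entries in the post.
# Assumption: each router has only this single WireGuard peer.
PEERS = {
    "V-Mikrotik-252": ["10.3.252.2/32", "10.11.0.0/16"],  # V's entry for peer P
    "P-Mikrotik-252": ["10.2.0.0/15"],                    # P's entry for peer V
}


def allowed(router, addr):
    """True if addr is inside the allowed-address list `router` holds for its peer."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net) for net in PEERS[router])


def check_hop(sender, receiver, src, dst):
    """Cryptokey routing for one tunnel crossing.

    Egress: the sender encrypts only if dst matches its peer's allowed list.
    Ingress: the receiver drops the decrypted packet unless src matches the
    allowed list of the peer it came from.
    """
    return {"egress_ok": allowed(sender, dst), "ingress_ok": allowed(receiver, src)}


def check_ping(src, dst):
    """Check an echo request from behind P towards V, and the echo reply back."""
    return {
        "request": check_hop("P-Mikrotik-252", "V-Mikrotik-252", src, dst),
        "reply": check_hop("V-Mikrotik-252", "P-Mikrotik-252", dst, src),
    }


if __name__ == "__main__":
    # The ping from the post, then a constructed source outside 10.11.0.0/16
    # to show what a cryptokey-routing drop looks like.
    for src in ("10.11.3.183", "10.12.0.5"):
        print(src, check_ping(src, "10.3.252.1"))
```

With the values as posted, all four checks pass for 10.11.3.183, so the allowed-address lists shown do not filter that ping in either direction. The constructed 10.12.0.5 source fails ingress on V-Mikrotik-252 and egress for the reply.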