 
strarsis
just joined
Topic Author
Posts: 10
Joined: Tue May 24, 2016 7:28 pm

WireGuard: Response packets not routed

Sat Jun 19, 2021 11:28 pm

Model: `hex PoE RB960PGS`
OS: `routeros-7.1beta6-mipsbe` (for WireGuard support)

The router was set up as a WireGuard peer (interface `localnet`; IP address range `192.168.9.x`)
The local network on router eth0 has the IP address range `192.168.8.x`.
The peers in WireGuard `localnet` network should be able to access the clients in local network.

Currently the WireGuard peers can ping the router and each other, but not the clients in local network.
torch shows that the ping ICMP packet indeed reaches the client in local network (`192.168.8.x`), and the client answers back to the `192.168.9.x` peer,
but the response packet isn't routed back to the WireGuard network, hence the pinging peer doesn't see a ping response.

The router got an IP address added (`192.168.9.4`), hence a "Connected route" has been automatically added for `192.168.9.0` to interface `localnet`.
This doesn't seem to suffice as the response packets are not routed back.

The firewall also has been configured to accept packets from `192.168.8.x` to `192.168.9.x` and vice versa (`accept` action; `forward` chain).

Is this a bug or a missing piece of configuration?
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: WireGuard: Response packets not routed

Tue Jun 22, 2021 1:08 pm

Missing piece of configuration for sure.
But post a diagram and config exports.
 
strarsis
just joined
Topic Author
Posts: 10
Joined: Tue May 24, 2016 7:28 pm

Re: WireGuard: Response packets not routed

Wed Jun 23, 2021 2:28 am

Config:
# jun/23/2021 00:56:54 by RouterOS 7.1beta6
# software id = 4ZPU-G4YK
#
# model = RB960PGS
# serial number = <redacted>
/interface bridge
add admin-mac=08:<redacted>:C1 auto-mac=no comment=defconf name=bridgeLocal
/interface ethernet
set [ find default-name=ether2 ] name=ipcam1 poe-out=forced-on poe-priority=1
set [ find default-name=ether1 ] name=uplink
/interface wireguard
add listen-port=13231 mtu=1420 name=localnet private-key="<redacted>"
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/routing table
add fib name=""
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,\
    romon,dude,tikapp,rest-api"
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=uplink
add bridge=bridgeLocal comment=defconf interface=ipcam1
add bridge=bridgeLocal comment=defconf interface=ether3
add bridge=bridgeLocal comment=defconf interface=ether4
add bridge=bridgeLocal comment=defconf interface=ether5
add bridge=bridgeLocal comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ipv6 settings
set disable-ipv6=yes
/interface list member
add interface=uplink list=WAN
add interface=ipcam1 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=sfp1 list=LAN
/interface wireguard peers
add allowed-address=10.0.0.0/24 endpoint-address=<redacted> endpoint-port=61951 interface=\
    localnet persistent-keepalive=5m public-key="<redacted>"
/ip address
add address=10.0.0.0/24 interface=localnet network=10.0.0.0
/ip dhcp-client
add comment=defconf disabled=no interface=bridgeLocal
/ip dhcp-relay
add dhcp-server=192.168.8.1 interface=uplink name="Router main"
/ip firewall filter
add action=accept chain=forward dst-address=10.0.0.0/24 src-address=192.168.8.0/24
add action=accept chain=forward dst-address=192.168.8.0/24 src-address=10.0.0.0/24
/ip firewall nat
add action=dst-nat chain=dstnat comment=IPcam disabled=yes dst-port=8000 in-interface=localnet protocol=tcp \
    to-addresses=192.168.8.109 to-ports=80
/ip route
add disabled=no dst-address=10.0.0.0/24 gateway=localnet routing-table=main suppress-hw-offload=no
/system clock
set time-zone-name=<redacted>
/system identity
set name=poe-managed
Diagram: (image attached to the original post, not reproduced here)

The Ubuntu system (10.0.0.1) as a Wireguard peer (and Wireguard "server") is unable to ping the ipcam.
Mikrotik torch shows that the ICMP ping packets indeed reach the IPCam (`192.168.8.109`) but the response packets from that IPCam back to `10.0.0.1`,
albeit also shown in torch, are not routed back, hence pings will timeout:
(Screenshot attached to the original post, not reproduced here: Torch on eth `ipcam`)
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: WireGuard: Response packets not routed

Wed Jun 23, 2021 3:07 am

/ip address
add address=10.0.0.0/24 interface=localnet network=10.0.0.0
I'm not sure if this is the cause of your problem, but 10.0.0.0/24 is not a valid address given that subnet mask. You should use something that doesn't end in .255 or .0 for a /24.
 
strarsis
just joined
Topic Author
Posts: 10
Joined: Tue May 24, 2016 7:28 pm

Re: WireGuard: Response packets not routed

Wed Jun 23, 2021 3:58 am

Thanks for your reply! Alright, I changed the IP address from `10.0.0.0` to `10.0.0.4` (`/24`).

However, the response packets from `192.168.8.109` (ipcam on eth `ipcam1`) to `10.0.0.1` (pinging on `localnet`) are still stuck, not routed back to `localnet` (WireGuard peer interface).
 
strarsis
just joined
Topic Author
Posts: 10
Joined: Tue May 24, 2016 7:28 pm

Re: WireGuard: Response packets not routed

Wed Jun 23, 2021 6:32 pm

Any tricks for debugging this? Can I see how the packets are flowing in RouterOS?
Connection marking maybe missing?
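The thread ends without a resolution, so the following is an added example, not configuration from the original poster or from MikroTik. It takes the export above as its starting point and works through the two things that most often produce exactly this symptom (request arrives, reply leaves the camera, peer never sees it). Both diagnoses are assumptions, since the page does not show the camera's gateway or the Ubuntu side: (a) the camera's default gateway is `192.168.8.1` (the main router that hands out the MikroTik's own DHCP lease), so the reply to `10.0.0.1` is bridged straight to a router that has no route for `10.0.0.0/24`; and (b) the Ubuntu peer's `AllowedIPs` for the MikroTik does not include `192.168.8.0/24`, in which case WireGuard's cryptokey routing silently drops the reply on arrival. The block also shows the RouterOS checks that answer the "how do I see the packets flow" question, plus a tighter version of the forward rules, since the export has no `drop` rule and the two `accept` rules therefore change nothing. The hypothetical Ubuntu `wg0.conf` fragment at the end is also an assumption.

```routeros
# --- On the MikroTik (RouterOS 7), building on the export in the thread ---

# 1. The WireGuard interface needs a host address, not the network address.
#    The connected route this creates already covers 10.0.0.0/24, so the
#    static route "dst-address=10.0.0.0/24 gateway=localnet" in the export
#    is redundant and can be removed.
/ip address
set [ find interface=localnet ] address=10.0.0.4/24 network=10.0.0.0
/ip route
remove [ find dst-address=10.0.0.0/24 gateway=localnet ]

# 2. Assumption (a): the camera replies via its default gateway 192.168.8.1,
#    not via the MikroTik. Masquerading the tunnel subnet behind the router's
#    own LAN address makes the camera answer the MikroTik directly, which then
#    routes the reply back into localnet. If you control 192.168.8.1 instead,
#    add "10.0.0.0/24 via <MikroTik LAN address>" there and skip this rule,
#    so the camera logs keep the real peer addresses.
/ip firewall nat
add chain=srcnat out-interface=bridgeLocal src-address=10.0.0.0/24 \
    action=masquerade comment="WireGuard peers -> LAN"

# 3. Least-privilege forward chain. The export's two accept rules have no
#    drop after them, so every forwarded packet was already accepted.
#    Allow replies statefully, allow only what the peers actually need
#    (ICMP and the camera's web port), then drop the rest from the tunnel.
/ip firewall filter
add chain=forward connection-state=established,related action=accept \
    comment="replies for existing connections"
add chain=forward in-interface=localnet src-address=10.0.0.0/24 \
    dst-address=192.168.8.0/24 protocol=icmp action=accept
add chain=forward in-interface=localnet src-address=10.0.0.0/24 \
    dst-address=192.168.8.109 protocol=tcp dst-port=80 action=accept
add chain=forward in-interface=localnet action=drop \
    comment="everything else from the tunnel"

# --- Checks, run on the MikroTik while the Ubuntu peer pings the camera ---
# Which interface does the router pick for each direction?
/ip route check 192.168.8.109
/ip route check 10.0.0.1
# Does the reply ever enter the tunnel? If ICMP shows on ipcam1 (as in the
# torch screenshot) but never here, it is being bridged to another gateway
# instead of being routed back into localnet (assumption (a)).
/tool sniffer quick interface=localnet ip-protocol=icmp
# rx/tx byte counters and last-handshake per peer; tx that grows while the
# Ubuntu side sees nothing points at assumption (b).
/interface wireguard peers print detail

# --- On the Ubuntu peer (10.0.0.1), hypothetical /etc/wireguard/wg0.conf ---
# Assumption (b): the MikroTik peer must be allowed to source the LAN prefix,
# otherwise wg drops the camera's reply and installs no route to it.
#
# [Peer]
# PublicKey = <MikroTik public key>
# Endpoint = <MikroTik WAN address>:13231
# AllowedIPs = 10.0.0.4/32, 192.168.8.0/24
# PersistentKeepalive = 25
```

The `masquerade` rule is the quick fix; the route on `192.168.8.1` is the cleaner one because it keeps the camera's view of the peer address intact and avoids address translation inside a private network. Whichever is chosen, the drop rule at the end of the forward chain is what actually limits what a compromised or stray tunnel peer can reach on `192.168.8.0/24`.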
