jaydabi
just joined
Topic Author
Posts: 7
Joined: Thu Aug 12, 2021 4:24 pm

Wireguard - Unexpected Behavior

Thu Aug 12, 2021 4:50 pm

Hey folks,

we set up an RB4011 with RouterOS 7.1beta6. We want to tunnel all client traffic through our WireGuard server.

That's the config we use on an unconfigured RB4011:
/system identity
set name=router-1

/system clock
set time-zone-name=Europe/Berlin

/ip dhcp-client
add add-default-route=yes disabled=no interface=ether1

/interface bridge
add name=bridge_default

/interface bridge port
add bridge=bridge_default interface=ether2
add bridge=bridge_default interface=ether3
add bridge=bridge_default interface=ether4
add bridge=bridge_default interface=ether5
add bridge=bridge_default interface=ether6
add bridge=bridge_default interface=ether7
add bridge=bridge_default interface=ether8
add bridge=bridge_default interface=ether9

/interface wireguard
add disabled=no listen-port=12345 mtu=1420 name=wireguard_default private-key=\
    "***"

/interface wireguard peers
add allowed-address=0.0.0.0/0 disabled=no endpoint-address=*** \
    endpoint-port=55820 interface=wireguard_default persistent-keepalive=10s \
    public-key="***"

/ip address
add address=172.16.1.2/24 disabled=no interface=wireguard_default network=172.16.1.0
add address=192.168.10.254/24 interface=bridge_default network=192.168.10.0

/ip pool
add name=dhcp_pool_default ranges=192.168.10.70-192.168.10.90

/ip dhcp-server
add address-pool=dhcp_pool_default disabled=no interface=bridge_default name=dhcp_default

/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.254 gateway=192.168.10.254

/routing table
add disabled=no name=wireguard

/routing rule
add action=lookup disabled=no dst-address=192.168.10.0/24 src-address=192.168.10.0/24 table=main
add action=lookup disabled=no dst-address=0.0.0.0/0 src-address=192.168.10.0/24 table=wireguard

/ip route
add distance=1 gateway=172.16.1.1 routing-table=wireguard
add distance=1 dst-address=192.168.10.0/24 gateway=bridge_default routing-table=\
    wireguard

/ipv6 settings
set disable-ipv6=yes

Not a big deal so far and it seemed to work as expected. After a while we determined that some traffic to some endpoints is behaving very weird. There are IP addresses that we can ping and trace, but as soon as we try to send HTTPS traffic, it looks like packets are lost somewhere within the RB4011 ...

First we thought it might be an issue with the tunnel itself, so we tried to use other clients instead of RouterOS, like an Ubuntu Linux box. When using any client other than RouterOS, we cannot reproduce this behavior. As we use the same WireGuard instance server side, we can also rule out that it is a configuration issue on the WireGuard server.

As I don't see anything obviously wrong in RouterOS configuration and we have the same issue on several RB4011, I assume there is an issue within the RouterOS 7.1beta6 version.

An endpoint that always seems affected is duckduckgo.com, but we also have issues downloading apps from the Apple App Store as well as iOS updates.

Has anyone experienced something like this and know what to do?

Cheers
J
Last edited by jaydabi on Mon Aug 16, 2021 11:07 am, edited 1 time in total.
 
whatever
Member
Posts: 351
Joined: Thu Jun 21, 2018 9:29 pm

Re: Wireguard - Unexpected Behavior

Thu Aug 12, 2021 6:34 pm

Could be caused by MTU settings.
Is PMTUD working? Does modifying TCPMSS in SYN packets to 1300 fix HTTPS?
 
jaydabi
just joined
Topic Author
Posts: 7
Joined: Thu Aug 12, 2021 4:24 pm

Re: Wireguard - Unexpected Behavior

Fri Aug 13, 2021 9:06 am

Thanks for getting back, MTU indeed sounds like a possible cause here. I will check and report back as soon as I am in the office again. May take a week in worst-case.

Cheers
J
 
tx6376
just joined
Posts: 10
Joined: Tue Feb 02, 2021 8:35 pm

Re: Wireguard - Unexpected Behavior

Fri Aug 13, 2021 2:04 pm

jaydabi wrote:
/ip address
add address=172.16.1.2/24 disabled=no interface=wireguard_default network=172.31.1.0

172.16.x.x or 172.31.x.x ?

Cheers.
 
jaydabi
just joined
Topic Author
Posts: 7
Joined: Thu Aug 12, 2021 4:24 pm

Re: Wireguard - Unexpected Behavior

Mon Aug 16, 2021 11:13 am

whatever wrote:
Could be caused by MTU settings.
Is PMTUD working? Does modifying TCPMSS in SYN packets to 1300 fix HTTPS?

Setting the MSS will fix the issue.

/ip firewall mangle
# out-interface must name the WireGuard interface (wireguard_default in the config above)
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes \
    protocol=tcp tcp-flags=syn out-interface=wireguard

Is there a reason why the MSS is not automatically set to a reasonable value by RouterOS? In other words, is this a bug or expected behavior?

---

@tx6376: That's just a typo that does not exist in the real config.
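The fix in this thread is MSS clamping on the WireGuard interface. The following Python example is added here for illustration; it is not code from the thread, from MikroTik or from the WireGuard project. It shows two things: how the tunnel MTU (1420 in the config above) and a sensible MSS follow from the underlay MTU, and what a rule like change-mss actually does to a TCP SYN: rewrite the MSS option and recompute the TCP checksum. Header sizes are the standard ones; the 32-byte WireGuard data-packet overhead (type, receiver index, counter, Poly1305 tag) is an assumption taken from the WireGuard wire format, and the SYN segment, addresses and ports are constructed sample values.

```python
# Added example (not from the thread, MikroTik or WireGuard): MTU/MSS arithmetic for a
# WireGuard tunnel and an MSS clamp applied to a constructed IPv4 TCP SYN.
import socket
import struct

IPV4_HDR = 20
IPV6_HDR = 40
UDP_HDR = 8
TCP_HDR = 20
WG_DATA_OVERHEAD = 32  # assumption: 4 type + 4 receiver index + 8 counter + 16 auth tag


def wireguard_mtu(underlay_mtu: int, underlay_is_ipv6: bool = False) -> int:
    """Largest inner packet that fits in one WireGuard UDP datagram on the underlay."""
    outer = (IPV6_HDR if underlay_is_ipv6 else IPV4_HDR) + UDP_HDR + WG_DATA_OVERHEAD
    return underlay_mtu - outer


def mss_for_mtu(mtu: int, inner_is_ipv6: bool = False) -> int:
    """MSS a host should advertise so that a full-size segment fits the tunnel MTU."""
    return mtu - (IPV6_HDR if inner_is_ipv6 else IPV4_HDR) - TCP_HDR


def _ones_complement_sum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over data, padded to an even length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, tcp_len)


def tcp_checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """With the checksum field included, the checksum over pseudo-header + segment folds to 0."""
    return _ones_complement_sum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def build_syn(src_ip: str, dst_ip: str, sport: int, dport: int, mss: int) -> bytes:
    """Constructed sample: a minimal TCP SYN whose only option is MSS."""
    options = struct.pack("!BBH", 2, 4, mss)  # kind=2 (MSS), length=4, value
    data_offset = (TCP_HDR + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset << 4, 0x02, 65535, 0, 0) + options
    csum = _ones_complement_sum(_pseudo_header(src_ip, dst_ip, len(header)) + header)
    return header[:16] + struct.pack("!H", csum) + header[18:]


def _mss_option_offset(segment: bytes):
    """Walk the TCP options; return the byte offset of a well-formed MSS option, else None."""
    data_offset = (segment[12] >> 4) * 4
    i = TCP_HDR
    while i < data_offset:
        kind = segment[i]
        if kind == 0:                       # end of option list
            return None
        if kind == 1:                       # NOP padding
            i += 1
            continue
        if i + 1 >= data_offset or segment[i + 1] < 2:
            return None                     # truncated or malformed length: stop parsing
        length = segment[i + 1]
        if kind == 2 and length == 4 and i + 4 <= data_offset:
            return i
        i += length
    return None


def read_mss(segment: bytes):
    off = _mss_option_offset(segment)
    return None if off is None else struct.unpack_from("!H", segment, off + 2)[0]


def clamp_mss(src_ip: str, dst_ip: str, segment: bytes, max_mss: int) -> bytes:
    """What a change-mss rule does: lower an oversized MSS on a SYN and fix the checksum."""
    if not segment[13] & 0x02:              # MSS is only negotiated on SYN / SYN-ACK
        return segment
    off = _mss_option_offset(segment)
    if off is None or read_mss(segment) <= max_mss:
        return segment                      # nothing to clamp
    new = bytearray(segment)
    struct.pack_into("!H", new, off + 2, max_mss)
    struct.pack_into("!H", new, 16, 0)      # zero checksum field before recomputing
    struct.pack_into("!H", new, 16, _ones_complement_sum(_pseudo_header(src_ip, dst_ip, len(new)) + bytes(new)))
    return bytes(new)


if __name__ == "__main__":
    print("WireGuard MTU over IPv4 underlay:", wireguard_mtu(1500))
    print("WireGuard MTU over IPv6 underlay:", wireguard_mtu(1500, underlay_is_ipv6=True))
    print("MSS for a 1420-byte tunnel MTU:", mss_for_mtu(1420))
    syn = build_syn("192.168.10.70", "198.51.100.10", 40000, 443, 1460)  # constructed
    clamped = clamp_mss("192.168.10.70", "198.51.100.10", syn, mss_for_mtu(1420))
    print("MSS before/after clamp:", read_mss(syn), read_mss(clamped))
```

The arithmetic explains the 1420 in the config: it is the conservative value for an IPv6 underlay; over IPv4 the tunnel could carry 1440. A client on the LAN that advertises MSS 1460 toward a 1420-byte tunnel relies on PMTUD to learn otherwise, and when ICMP "fragmentation needed" is filtered somewhere on the path, small exchanges (ping, the TLS handshake's first packets) work while full-size segments vanish, which matches the symptoms in the thread. Clamping the SYN removes that dependency.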
