Network Overview:
A lot of examples on the net show WireGuard PostUp & PostDown configs for the WireGuard server. However, since mine is behind NAT, I don't require masquerade rules and the like. I have set two rules on the MikroTik firewall/router I control at network B, namely a port forward to the WireGuard server and a route back to the WireGuard server.
Here is my MikroTik configuration. Note the rule to catch the invalid packets. Any harm in leaving this always on? What is creating these invalid ping replies? Pings to other networks work fine. It is only pings to hosts on the same network as the WireGuard eth0 interface that produce these. Also note that Send Redirects is on (otherwise all replies come back as invalid).
MikroTik Router setup:
# Kernel-level IP options; send-redirects is required here, see the note above
/ip settings
set send-redirects=yes secure-redirects=yes rp-filter=strict tcp-syncookies=yes
# NAT: outbound masquerade plus the UDP/51820 port forward to the WireGuard server
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN comment="Default masquerade"
add action=dst-nat chain=dstnat dst-port=51820 to-ports=51820 in-interface-list=WAN protocol=udp to-addresses=10.0.10.2 comment="WireGuard Server"
# Static route so LAN hosts reach the tunnel subnet via the WireGuard server
/ip route
add distance=1 dst-address=10.0.60.0/24 gateway=10.0.10.2 comment="Set route back to WireGuard server"
# Filter: input is locked down, forward allows VLAN->WAN, the port forward,
# and (temporarily) the invalid hairpinned traffic between the two subnets
/ip firewall filter
add action=accept chain=input connection-state=established,related comment="Allow Estab & Related"
add action=drop chain=input comment="Drop"
add action=accept chain=forward connection-state=established,related comment="Allow Estab & Related"
add action=accept chain=forward connection-state=new in-interface-list=VLAN out-interface-list=WAN comment="Allow VLAN"
add action=accept chain=forward connection-state=invalid src-address=10.0.10.0/24 dst-address=10.0.60.0/24 in-interface=CORP_VLAN out-interface=CORP_VLAN comment="Why invalid for WireGuard Server?"
add action=accept chain=forward connection-nat-state=dstnat in-interface-list=WAN comment="Allow port forwards"
add action=drop chain=forward comment="Drop"
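For reference, here is the WireGuard side that matches the router configuration in the post: a server at 10.0.10.2 listening on UDP/51820, a tunnel subnet of 10.0.60.0/24, and no PostUp/PostDown masquerade because the MikroTik already carries the static route for 10.0.60.0/24 back to 10.0.10.2. This is an added example, not the poster's own config; the tunnel addresses 10.0.60.1 and 10.0.60.10, the endpoint hostname and the key placeholders are assumptions. One practitioner's caveat is visible in the router rules themselves: a host on 10.0.10.0/24 answering a tunnel address sends its reply to its default gateway, the MikroTik, which routes it back out the same VLAN to 10.0.10.2 (hence the in-interface=CORP_VLAN out-interface=CORP_VLAN match and the need for send-redirects), so the router sees only that one direction of such flows.

```ini
# /etc/wireguard/wg0.conf on the WireGuard server (10.0.10.2, behind the MikroTik).
# Added example, not from the original post. Port and subnets come from the router
# config; addresses 10.0.60.1/10.0.60.10, the endpoint name and the keys are placeholders.
[Interface]
Address = 10.0.60.1/24
ListenPort = 51820
PrivateKey = <server private key>
# Deliberately no PostUp/PostDown masquerade: the MikroTik routes 10.0.60.0/24 via
# 10.0.10.2, so LAN hosts answer tunnel addresses directly.
# The server must still forward packets: sysctl -w net.ipv4.ip_forward=1

[Peer]
# One road-warrior client; only its own tunnel address may arrive through the tunnel
PublicKey = <client public key>
AllowedIPs = 10.0.60.10/32

# /etc/wireguard/wg0.conf on the client (the other side of the exchange).
[Interface]
Address = 10.0.60.10/24
PrivateKey = <client private key>

[Peer]
PublicKey = <server public key>
# Public address of the MikroTik WAN interface; the dst-nat rule forwards it to 10.0.10.2
Endpoint = vpn.example.net:51820
# Route both the tunnel subnet and the server's LAN through the tunnel
AllowedIPs = 10.0.60.0/24, 10.0.10.0/24
# Keep the NAT mapping on the client side alive when the client is itself behind NAT
PersistentKeepalive = 25
```

Bring both ends up with `wg-quick up wg0`; a ping from 10.0.60.10 to 10.0.10.2 traverses only the tunnel, while a ping to any other 10.0.10.x host produces the hairpinned reply path described in the post.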