Hi,
I have WireGuard working between my phone and my home (AX3). A Raspberry Pi is connected to the AX3 through LAN. I can access the web GUI of the Raspberry Pi, but I'm not able to connect to the Raspberry Pi through SSH. Do you know where the problem could be?
OK, I'm going to sit on the porch with anav now...Ok,
AX3 has 10.255.255.4 WG address
Mobile phone has 10.255.255.4 WG address
RPI has 192.168.1.3 local address
Log deleted. /export file=anynameyouwish (minus router serial#, any public WAN IP info, keys etc.)
Yes, I see it now as well. WireGuard is part of LAN. The log may not show it, but WG is in LAN.
This rule does not have a log action:
add action=accept chain=forward dst-address=192.168.1.3 dst-port=22 \
    protocol=tcp src-address=10.255.255.4
/ip firewall address-list
add address=192.168.1.X list=ADMIN comment="admin desktop wired"
add address=192.168.1.Y list=ADMIN comment="admin laptop wired"
add address=192.168.1.XY list=ADMIN comment="admin laptop wifi"
add address=192.168.1.DC list=ADMIN comment="admin smartphone"
add address=10.255.255.X list=ADMIN comment="admin remotely connecting via wg"
add address=192.168.2.X list=ADMIN comment="in the off chance you or the admin at the hapac needs sometimes to config router from there over WG etc."
/ip firewall filter
# input chain: default rules
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# input chain: admin rules
add action=accept chain=input comment=Wireguard dst-port=13231 protocol=udp
add action=accept chain=input comment="allow admin access to router" in-interface-list=LAN src-address-list=ADMIN
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=tcp
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=udp
add action=drop chain=input comment="drop all else"
# LAST RULE to put in; ensure the admin access rule is placed before it
# forward chain: default rules
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# forward chain: admin rules
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN comment="allow internet traffic"
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=accept chain=forward in-interface=wireguard1 dst-address=192.168.1.0/24 comment="wg users to local LAN"
add action=accept chain=forward src-address=192.168.1.0/24 out-interface=wireguard1 comment="local LAN to wg"
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat in-interface-list=WAN dst-port=22 \
    protocol=tcp to-addresses=???????
add action=dst-nat chain=dstnat in-interface-list=WAN dst-port=22 protocol=\
    tcp to-addresses=?????
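To see why the order and the `chain=forward` keyword on the WireGuard rules matter, here is a small first-match simulator for the forward chain as posted. This is an added example, not code from the thread or from RouterOS: it parses the rule lines, walks them top to bottom the way the router does, and reports which rule decides the phone's SSH SYN to the Pi. The interface-list membership (wireguard1 in LAN, as the thread states), the packet fields, and the omission of the ipsec and fasttrack rules are assumptions made for the example.

```python
import ipaddress
import shlex

# Constructed example (not the router's real export): the relevant forward-chain
# rules from the thread, in order. RouterOS evaluates them top to bottom, the
# first matching rule decides, and a packet matching no rule is accepted.
FORWARD_RULES = """\
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN comment="allow internet traffic"
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=accept chain=forward in-interface=wireguard1 dst-address=192.168.1.0/24 comment="wg users to local LAN"
add action=accept chain=forward src-address=192.168.1.0/24 out-interface=wireguard1 comment="local LAN to wg"
add action=drop chain=forward comment="drop all else"
"""

# Same ruleset with the two WireGuard rules written without chain=forward,
# as they first appeared in the thread before correction.
FORWARD_RULES_WG_WITHOUT_CHAIN = FORWARD_RULES.replace(
    "add action=accept chain=forward in-interface=wireguard1",
    "add action=accept in-interface=wireguard1").replace(
    "add action=accept chain=forward src-address=192.168.1.0/24",
    "add action=accept src-address=192.168.1.0/24")

# Assumed interface-list membership: the thread says wireguard1 is part of LAN.
INTERFACE_LISTS = {"LAN": {"bridge", "wireguard1"}, "WAN": {"ether1"}}

# Constructed packet: the first SYN of the phone's SSH session to the Pi over WG.
SSH_FROM_PHONE = {
    "src": "10.255.255.4", "dst": "192.168.1.3", "protocol": "tcp",
    "dst-port": "22", "in-interface": "wireguard1", "out-interface": "bridge",
    "connection-state": "new", "connection-nat-state": "",
}

NON_MATCHERS = {"action", "chain", "comment", "disabled"}


def parse_rules(text):
    """Turn 'add key=value ...' lines into dicts; shlex keeps quoted comments whole."""
    rules = []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)
        if tokens and tokens[0] == "add":
            rules.append(dict(tok.partition("=")[::2] for tok in tokens[1:]))
    return rules


def rule_matches(rule, pkt):
    """True when every matcher present on the rule agrees with the packet."""
    for key, val in rule.items():
        if key in NON_MATCHERS:
            continue
        if key in ("src-address", "dst-address"):
            field = "src" if key == "src-address" else "dst"
            if ipaddress.ip_address(pkt[field]) not in ipaddress.ip_network(val, strict=False):
                return False
        elif key in ("in-interface-list", "out-interface-list"):
            iface = pkt["in-interface" if key.startswith("in") else "out-interface"]
            if iface not in INTERFACE_LISTS.get(val, set()):
                return False
        elif key == "connection-state":
            if pkt["connection-state"] not in val.split(","):
                return False
        elif key in ("protocol", "dst-port", "in-interface", "out-interface", "connection-nat-state"):
            if pkt[key] != val:
                return False
        else:
            raise ValueError(f"matcher not modelled in this example: {key}")
    return True


def verdict(rules_text, pkt, chain="forward"):
    """(action, comment) of the first enabled rule in `chain` that matches, else the implicit accept."""
    for rule in parse_rules(rules_text):
        # A rule with no chain= (or the wrong chain) is never consulted for this chain.
        if rule.get("chain") != chain or rule.get("disabled") == "yes":
            continue
        if rule_matches(rule, pkt):
            return rule["action"], rule.get("comment", "")
    return "accept", "implicit default (no rule matched)"


if __name__ == "__main__":
    print(verdict(FORWARD_RULES, SSH_FROM_PHONE))
    print(verdict(FORWARD_RULES_WG_WITHOUT_CHAIN, SSH_FROM_PHONE))
```

With the corrected rules the SYN is accepted by "wg users to local LAN"; with the chain-less WireGuard rules it falls through to "drop all else", which is exactly the symptom of a GUI that works (reached by another path) while SSH never connects. Swapping the packet's `dst-port` or `in-interface` lets you check other paths the same way before touching the router.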