I'm struggling with a lab config between two CHRs running RouterOS 7.9
The topology is like this:
LAN A -------------> Router A -----> Internet ------> Provider (carrier NAT) --------> Router B ------------> LAN B
(LAN A = 192.168.77.0/24, LAN B = 192.168.88.0/24)
Router A has a public IP on its outside interface; router B doesn't, due to the carrier NAT in the provider network. The tunnel will obviously only be able to be initiated by router B, but this is OK.
I have built the following Wireguard config:
Router A
/interface wireguard
add listen-port=25070 mtu=1420 name=vpn-to-b
/interface wireguard peers
add allowed-address=192.168.77.0/24 endpoint-port=25070 interface=vpn-to-b public-key="2UZ1OE9TFaS0V/shFmTPKqLLgOeJjwovZZSbdsk/PhU="
/ip address
add address=1.2.4.7/24 interface=ether1 network=1.2.4.0
add address=192.168.77.1/24 interface=ether2 network=192.168.77.0
add address=10.255.255.2/30 interface=vpn-to-b network=10.255.255.0
/ip firewall filter
add action=accept chain=forward
add action=accept chain=input
add action=accept chain=output
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.88.0/24 src-address=192.168.77.0/24
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.77.0/24
/ip route
add distance=1 gateway=31.22.44.1
add dst-address=192.168.88.0/24 gateway=vpn-to-b
Router B
/interface wireguard
add listen-port=25070 mtu=1420 name=vpn-to-a
/interface wireguard peers
add allowed-address=192.168.88.0/24 endpoint-address=1.2.4.7 endpoint-port=25070 interface=vpn-to-a public-key="zW5HwHVFpqDwxRt1fKb/Yv+uSNKZhLXYnLm9TwwHsUA="
/ip address
add address=10.0.0.1/24 interface=ether1 network=10.0.0.0
add address=192.168.88.1/24 interface=ether2 network=192.168.88.0
add address=10.255.255.1/30 interface=vpn-to-a network=10.255.255.0
/ip firewall filter
add action=accept chain=forward
add action=accept chain=input
add action=accept chain=output
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.77.0/24 src-address=192.168.88.0/24
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.88.0/24
/ip route
add distance=1 gateway=10.0.0.2
add dst-address=192.168.77.0/24 gateway=vpn-to-a
The keys look OK:
Router A
[admin@A] /ip/firewall/nat> /interface wireguard print
Flags: X - disabled; R - running
0 R name="vpn-to-b" mtu=1420 listen-port=25070 private-key="gM+uCt/2WJajqM55VwpohdZBu2VtQ/l+LIRRYHYNkE0=" public-key="zW5HwHVFpqDwxRt1fKb/Yv+uSNKZhLXYnLm9TwwHsUA="
Router B
[admin@B] /ip/firewall/nat> /interface wireguard/print
Flags: X - disabled; R - running
0 R name="vpn-to-a" mtu=1420 listen-port=25070 private-key="cKD9fR/8bKGhunHpcsnivQFJr3ZD7DOEMgGFzqLgq2U=" public-key="2UZ1OE9TFaS0V/shFmTPKqLLgOeJjwovZZSbdsk/PhU="
I would be grateful for any help as I can't see what's wrong here.
Thanks
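Added example, not part of the original post: a small Python cross-checker for a two-router WireGuard setup like the one above. It parses constructed copies of the export lines from the post (the interface public keys are taken from the `/interface wireguard print` output) and verifies the properties a site-to-site tunnel depends on: each peer's public-key is the other router's interface key, endpoint-port matches the remote listen-port, and, most importantly, `allowed-address` on each side covers the remote LAN and the remote tunnel address. In WireGuard, `allowed-address` is the cryptokey-routing list: it names the source addresses the peer may send from and the destinations that are steered to that peer, so a peer entry that lists the router's own LAN lets no remote traffic through, even when the handshake succeeds. The checker also warns when the side that carries `endpoint-address` (the one behind carrier NAT) has no `persistent-keepalive`, since a NAT mapping that is not refreshed times out. Assumptions: the LAN sits on `ether2` as in the post, and the finding codes are this example's own naming.

```python
import re
import ipaddress

# Constructed copies of the relevant export lines from the post above.
# The interface public keys are from the "/interface wireguard print" output.
ROUTER_A = """
/interface wireguard
add listen-port=25070 mtu=1420 name=vpn-to-b
/interface wireguard peers
add allowed-address=192.168.77.0/24 endpoint-port=25070 interface=vpn-to-b public-key="2UZ1OE9TFaS0V/shFmTPKqLLgOeJjwovZZSbdsk/PhU="
/ip address
add address=1.2.4.7/24 interface=ether1 network=1.2.4.0
add address=192.168.77.1/24 interface=ether2 network=192.168.77.0
add address=10.255.255.2/30 interface=vpn-to-b network=10.255.255.0
"""
PUBKEY_A = "zW5HwHVFpqDwxRt1fKb/Yv+uSNKZhLXYnLm9TwwHsUA="

ROUTER_B = """
/interface wireguard
add listen-port=25070 mtu=1420 name=vpn-to-a
/interface wireguard peers
add allowed-address=192.168.88.0/24 endpoint-address=1.2.4.7 endpoint-port=25070 interface=vpn-to-a public-key="zW5HwHVFpqDwxRt1fKb/Yv+uSNKZhLXYnLm9TwwHsUA="
/ip address
add address=10.0.0.1/24 interface=ether1 network=10.0.0.0
add address=192.168.88.1/24 interface=ether2 network=192.168.88.0
add address=10.255.255.1/30 interface=vpn-to-a network=10.255.255.0
"""
PUBKEY_B = "2UZ1OE9TFaS0V/shFmTPKqLLgOeJjwovZZSbdsk/PhU="

KV = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def parse_export(text):
    """Split a RouterOS export into sections; each 'add' line becomes a key=value dict."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("/"):
            current = line
        elif line.startswith("add ") and current:
            kv = {k: v.strip('"') for k, v in KV.findall(line[4:])}
            sections.setdefault(current, []).append(kv)
    return sections


def site_view(name, text, own_pubkey, lan_interface="ether2"):
    """Reduce one router's export to the facts the cross-check needs.
    Assumption (as in the post): the LAN is on ether2, the tunnel on the WG interface."""
    cfg = parse_export(text)
    wg = cfg["/interface wireguard"][0]
    site = {"name": name, "pubkey": own_pubkey, "listen_port": int(wg["listen-port"]),
            "peer": cfg["/interface wireguard peers"][0]}
    for a in cfg["/ip address"]:
        iface = ipaddress.ip_interface(a["address"])
        if a["interface"] == wg["name"]:
            site["tunnel_ip"] = iface.ip
        elif a["interface"] == lan_interface:
            site["lan"] = iface.network
    return site


def suggested_allowed_address(remote):
    """allowed-address is the cryptokey-routing list: the REMOTE side's LAN and
    tunnel address, never the local LAN."""
    return f"{remote['lan']},{remote['tunnel_ip']}/32"


def check_pair(local, remote):
    """Return (router, code, message) findings for local's peer entry against remote."""
    peer, out = local["peer"], []
    allowed = [ipaddress.ip_network(n) for n in peer["allowed-address"].split(",")]

    def flag(code, msg):
        out.append((local["name"], code, msg))

    if peer["public-key"] != remote["pubkey"]:
        flag("PUBKEY_MISMATCH", "peer public-key is not the remote interface's public key")
    if any(n == local["lan"] for n in allowed):
        flag("OWN_LAN_IN_ALLOWED", f"allowed-address lists the local LAN {local['lan']}")
    if not any(remote["lan"].subnet_of(n) for n in allowed):
        flag("REMOTE_LAN_NOT_ALLOWED", f"remote LAN {remote['lan']} is not in allowed-address; "
             "packets routed into the tunnel are dropped by cryptokey routing")
    if not any(remote["tunnel_ip"] in n for n in allowed):
        flag("REMOTE_TUNNEL_IP_NOT_ALLOWED", f"remote tunnel address {remote['tunnel_ip']} is not allowed")
    if int(peer.get("endpoint-port", 0)) != remote["listen_port"]:
        flag("PORT_MISMATCH", "endpoint-port differs from the remote listen-port")
    if "endpoint-address" in peer and "persistent-keepalive" not in peer:
        flag("NO_KEEPALIVE", "initiating side behind carrier NAT has no persistent-keepalive")
    return out


def audit():
    """Cross-check both routers and return every finding."""
    a = site_view("A", ROUTER_A, PUBKEY_A)
    b = site_view("B", ROUTER_B, PUBKEY_B)
    return check_pair(a, b) + check_pair(b, a)


if __name__ == "__main__":
    for router, code, msg in audit():
        print(f"{router}: {code}: {msg}")
    a, b = site_view("A", ROUTER_A, PUBKEY_A), site_view("B", ROUTER_B, PUBKEY_B)
    print("suggested allowed-address on A:", suggested_allowed_address(b))
    print("suggested allowed-address on B:", suggested_allowed_address(a))
```

Run on the posted configuration, the key and port checks pass, while both peer entries are flagged for listing the local LAN instead of the remote one, and router B is flagged for the missing keepalive. The same parser works on any `/export` snippet that keeps the three sections, so it can be reused as a pre-deployment check for other RouterOS WireGuard pairs.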