Strazak
just joined
Topic Author
Posts: 8
Joined: Fri May 26, 2023 10:15 am

WireGuard access to LAN resources

Fri May 26, 2023 11:12 am

Hi everyone, I have a problem with WireGuard on my MikroTik regarding access to LAN resources. I've created it following the instructions from this site: https://odroid.pl/blog/wireguard-vpn/ (it's in Polish).
The difference in my configuration is that WG is 192.168.4.x and LAN is 192.168.0.x; I also set a different port and the DNS to 8.8.8.8.
The connection is working: I can log in via WinBox to the MT, use Remote Desktop to log in to the computer-server (by LAN IP), and a ping sent via WinBox reaches the target, but one from Windows cmd does not. I can't see devices and don't have access to files from 192.168.0.x.
I'm not very good at these things and I don't know where the problem could be.
Thanks for any ideas.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard access to LAN resources

Mon May 29, 2023 3:52 am

post your config
/export file=anynameyouwish (minus router serial number and any public WAN IP information, keys etc. --> remove the router's serial number and any public WAN IP information and keys)
 
Strazak
just joined
Topic Author
Posts: 8
Joined: Fri May 26, 2023 10:15 am

Re: WireGuard access to LAN resources

Mon May 29, 2023 10:10 am

ok I added the file
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard access to LAN resources

Mon May 29, 2023 6:28 pm

(1) Error on IP address for LAN
should be
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=\
192.168.0.0


(2) The other possible source of interference is your NAT rules.
There is no need to sourcenat the WireGuard traffic. You have a known local IP address, so the router knows where to send traffic, and for the most part it's incoming.
In other words, any incoming WireGuard traffic from 192.168.4.2 already has a return route in table main, and if you are using WireGuard to access the local MT WAN,
it will get sourcenatted out the normal WAN.

SO REMOVE THIS......
add action=masquerade chain=srcnat out-interface=wr_serv

(3) The other weird sourcenat rules, which seem more like mangle rules with passthrough involved, are suspect.
I don't see their purpose??? Certainly the second one dealing with WireGuard should be DELETED.
The first one has to do with your other VPN, which is not my concern.

add action=passthrough chain=srcnat dst-address=192.168.0.0/24 protocol=tcp \
src-address=10.8.0.0-10.8.0.20
add action=passthrough chain=srcnat dst-address=192.168.0.0/24 protocol=tcp \
src-address=192.168.4.0-192.168.4.10



As a side note............
WHY are your L2TP VPN ranges within the same subnet as the bridge LAN? I wouldn't do that, but it's probably personal choice, as IPsec is illogical. >-)
At least the pools don't overlap :-)
 
Strazak
just joined
Topic Author
Posts: 8
Joined: Fri May 26, 2023 10:15 am

Re: WireGuard access to LAN resources

Tue May 30, 2023 9:50 am

(1) OK, I changed it.

(2) I didn't add this rule, so it had to be added automatically when WireGuard was created. I disabled it for now.

(3) Deleted. The first rule was also added automatically; it's for the L2TP VPN. I added the second just to try if it helps.

After all 3 changes I still don't have the access, only to WinBox and Remote Desktop. When I try to connect to the NAS in the browser by IP, it's also not reachable.

The dst. range for L2TP is the same as LAN because there was also a problem with the network file access, and with this setup it works.
As I said, I'm not so good at these things and most of them I'm doing for the first time; L2TP works, but you're right that it's not as it should be, and that's why I want to change to WireGuard.

And thank you for the answer.
Last edited by Strazak on Tue May 30, 2023 10:52 am, edited 1 time in total.
 
Strazak
just joined
Topic Author
Posts: 8
Joined: Fri May 26, 2023 10:15 am

Re: WireGuard access to LAN resources

Tue May 30, 2023 10:20 am

The next thing I discovered is that not only does RDP to comp-serv work: the billing and waste recording(?) software has access to SQL, and the connection is by LAN IP so it must know where to search, but the mapped drive (also by IP) has no connection to the same device.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard access to LAN resources

Tue May 30, 2023 7:02 pm

You are missing the boat here.
Before touching the config you need to be accurate and honest about all the requirements for traffic.
Also, you should post your latest config after you made the changes, so it can be viewed to see what can be done next.
 
Strazak
just joined
Topic Author
Posts: 8
Joined: Fri May 26, 2023 10:15 am

Re: WireGuard access to LAN resources

Wed May 31, 2023 9:05 am

Sorry, I'm still learning.
In the config there is information about the rule you said to remove, but as I mentioned, I tried to disable it instead.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard access to LAN resources

Wed May 31, 2023 2:06 pm

You didn't fix up your NAT? There is no need to NAT your WireGuard traffic.......... should be deleted.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=wr_serv
add action=passthrough chain=srcnat dst-address=192.168.0.0/24 protocol=tcp \
src-address=10.8.0.0-10.8.0.20
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard access to LAN resources

Wed May 31, 2023 2:08 pm

Other than that I don't see any particular issues.....
I would set detect internet to NONE, as it has been known to cause 'funny' issues and its purpose is not well known anyway.
 
Strazak
just joined
Topic Author
Posts: 8
Joined: Fri May 26, 2023 10:15 am

Re: WireGuard access to LAN resources

Wed May 31, 2023 3:37 pm

It was disabled, but I deleted it completely and changed the "detect internet" to none, and it's still the same situation; strange that I delete and change a few things and practically nothing happens..
I connected to WG and checked in cmd "ipconfig /all", and the default gateway for WG is set to 0.0.0.0. I don't know if that's OK? I thought there should be something.

And the configuration on the client:
[Interface]
PrivateKey = ILtFinB7d0k0vEV9.....
Address = 192.168.4.2/32
DNS = 8.8.8.8

[Peer]
PublicKey = /lT7r/wuIF50EOjFlne.......
AllowedIPs = 0.0.0.0/0
Endpoint = ****:21998
PersistentKeepalive = 10
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard access to LAN resources

Wed May 31, 2023 3:57 pm

Strange, your IP address seems fine...........

/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=\
192.168.0.0
add address=192.168.4.1/24 interface=wr_serv network=192.168.4.0



Don't think it will change anything, but you can get rid of this default rule that does not apply.
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard access to LAN resources

Wed May 31, 2023 4:06 pm

Your firewall rules are not blocking anything but they are not clear and could be better.

Suggest change this line
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN


TO:

add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN
add chain=forward action=accept in-interface=wg-serv out-interface-list=LAN
add chain=forward action=accept comment="allow port forwarding" connection-nat-state=dstnat
add chain=forward action=drop comment="drop all else"


In this case, we don't infer anything but clearly state what is allowed, such as internet traffic (LAN to WAN),
traffic from WireGuard to the LAN,
and port forwarding.
Then drop everything else.
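To see what each chain actually passes, here is a small Python model of the two forward chains above, written for this thread (it is not anav's code or anything from RouterOS). It assumes the defconf interface lists (WAN = ether1, LAN = bridge) and an L2TP server interface named l2tp-in1; note that the suggested rule names the WireGuard interface wg-serv while the export calls it wr_serv, and the model uses the name as written in the rule, so on the real router the two must match.

```python
# Interface-list membership as in the stock hAP defconf (assumed for this example).
IFACE_LISTS = {"WAN": {"ether1"}, "LAN": {"bridge"}}

def matches(rule: dict, pkt: dict) -> bool:
    """Every matcher present in the rule must agree with the packet (RouterOS semantics)."""
    in_list, out_list = rule.get("in-interface-list"), rule.get("out-interface-list")
    nat = rule.get("connection-nat-state")
    return all([
        rule.get("in-interface") in (None, pkt["in"]),
        in_list is None or pkt["in"] in IFACE_LISTS[in_list],
        out_list is None or pkt["out"] in IFACE_LISTS[out_list],
        rule.get("connection-state") in (None, pkt.get("state", "new")),
        nat != "dstnat" or pkt.get("dstnat", False),
        nat != "!dstnat" or not pkt.get("dstnat", False),
    ])

def verdict(chain: list, pkt: dict) -> str:
    """First matching rule wins; with no match the chain falls through to accept."""
    return next((r["action"] for r in chain if matches(r, pkt)), "accept")

# The single forward rule quoted from the export; established/related traffic is
# already accepted earlier in the defconf chain, so only new connections get here.
ORIGINAL = [{"action": "drop", "in-interface-list": "WAN",
             "connection-state": "new", "connection-nat-state": "!dstnat"}]

# The suggested explicit chain, in the order given in the post.
SUGGESTED = [
    {"action": "accept", "in-interface-list": "LAN", "out-interface-list": "WAN"},
    {"action": "accept", "in-interface": "wg-serv", "out-interface-list": "LAN"},
    {"action": "accept", "connection-nat-state": "dstnat"},
    {"action": "drop"},
]

# Constructed sample flows; "l2tp-in1" is an assumed name for the L2TP interface.
SAMPLES = {
    "wg->lan": {"in": "wg-serv", "out": "bridge"},
    "wg->wan": {"in": "wg-serv", "out": "ether1"},
    "lan->wan": {"in": "bridge", "out": "ether1"},
    "wan->lan unsolicited": {"in": "ether1", "out": "bridge"},
    "wan->lan port-forward": {"in": "ether1", "out": "bridge", "dstnat": True},
    "l2tp->lan": {"in": "l2tp-in1", "out": "bridge"},
}

def compare() -> dict:
    return {n: (verdict(ORIGINAL, p), verdict(SUGGESTED, p)) for n, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, (old, new) in compare().items():
        print(f"{name:22} original={old:7} suggested={new}")
```

The original chain never blocked WireGuard-to-LAN, which matches anav's reading, while the explicit chain drops every path not listed, including the L2TP interface and a WireGuard client's own internet traffic (relevant with AllowedIPs = 0.0.0.0/0), so each legitimate path needs its own accept rule.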
 
Strazak
just joined
Topic Author
Posts: 8
Joined: Fri May 26, 2023 10:15 am

Re: WireGuard access to LAN resources

Fri Jun 02, 2023 2:11 pm

I removed this DNS rule and nothing changed.

When I deleted the rule from the firewall and added what you suggested, also nothing changed about WG, but I lost access to files via L2TP. Honestly, I don't know what rule needs to be created for this, so I just quickly brought the firewall back to the previous state.
It starts to be frustrating why 192.168.4.* can't see devices from 192.168.0.*, but only in terms of file exchange (and e.g. login to the printer by IP in the browser)...
Idk if it has some meaning, but in the case of L2TP the default gateway is empty, in WG it is 0.0.0.0.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard access to LAN resources

Fri Jun 02, 2023 3:20 pm

Well, if all the settings are good, then making the firewall rules would be my suggestion.
Additionally, set this to none; it's known to cause issues and has no benefit that I am aware of.
/interface detect-internet
set detect-interface-list=all
 
Strazak
just joined
Topic Author
Posts: 8
Joined: Fri May 26, 2023 10:15 am

Re: WireGuard access to LAN resources  [SOLVED]

Tue Jun 06, 2023 11:42 am

Ehh.. It's hard to admit, but it was the fault of a firewall rule on the comp-serv and NAS... I found someone with a similar problem and a similar solution, so I changed a few things and everything is working.
I feel stupid now, but it was a lesson..
Thank you for the help, and I'm grateful for all the advice; thanks to it I corrected the MT settings to work better.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard access to LAN resources

Tue Jun 06, 2023 3:20 pm

Glad you got it sorted!
 
MikolajRozek
just joined
Posts: 4
Joined: Mon Sep 18, 2023 1:07 pm
Location: Rome

Re: WireGuard access to LAN resources

Mon Sep 18, 2023 1:16 pm

Hi,

I am happy that you have managed the problem, but I am fighting with a similar problem: I have access in both directions with RDP (LAN <-> WG), I can access MT in any way (WinBox, www, local, outside), and I can ping my VPN client, but I cannot ping a LAN PC (the router yes, from the VPN client). The next problem is that I would like to share a catalogue in the LAN for WireGuard clients, but I am fighting without success; is there something specific to allow a shared location to be accessible over the VPN?

EDIT: I have found the solution. The thing is, in the topics about this problem that I have seen, the problem was the firewall in MT, but in my case it was just the ESET firewall on the PC that was the VPN client, and now everything is going nicely in both directions.

Cheers
 
unkis17
just joined
Posts: 13
Joined: Thu Jan 13, 2022 5:19 pm

Re: WireGuard access to LAN resources

Fri Mar 08, 2024 4:44 am

Adding to this topic as I believe I am having the same issue. I am quite new to MT products. I have a hAP ax3 (only a few weeks; it replaced a pfSense VM to isolate the network from the server) and am using the stock config (QuickSet). I also have a CRS326 in SwOS for a few years now, but clearly am not using it to its full potential.

I have success with the WireGuard app on a Windows client PC connecting from an outside connection (via DuckDNS), and I can see the handshake in WinBox. But I can't get anywhere once I make the handshake. My intent is to get to my Proxmox web interface should I need to from outside the home network.

I think my main issue is I don't know how to route the WireGuard Subnet to the LAN subnet.

I have attached my config file as I saw was instructed earlier. I tried comparing the two, but I just don't understand enough of the command line at this time to make my way through it.

Any suggestions would be greatly appreciated!

Unkis
