Community discussions

horizondust
just joined
Topic Author
Posts: 2
Joined: Mon Jun 05, 2023 12:08 am

Wireguard Road Warrior Problems

Mon Jun 05, 2023 12:40 am

I followed the instructions in this (and other) guides: MikroTik Wireguard server with Road Warrior clients

I can connect and handshaking works. It is my understanding that I should now be able to ping the Wireguard server from the client, which I cannot.

Server config:
# jun/04/2023 16:14:56 by RouterOS 7.9
# software id = 95II-DH98
#
# model = CCR1009-7G-1C-1S+
# serial number = HE808VWZSKD
/interface bridge
add arp=proxy-arp fast-forward=no mtu=1500 name=bridgeLAN
add arp=proxy-arp fast-forward=no mtu=1500 name=bridgeWAN
/interface ethernet
set [ find default-name=ether1 ] comment="to Internet/Zeecon" l2mtu=1588
set [ find default-name=ether2 ] l2mtu=1588
set [ find default-name=ether3 ] l2mtu=1588
set [ find default-name=ether4 ] comment="to switch/LAN"
/interface wireguard
add listen-port=44355 mtu=1420 name=wireguard
/interface list
add exclude=dynamic name=discover
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=OVPN_Pool ranges=172.16.100.100-172.16.100.150
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
add local-address=172.16.100.1 name=Open-VPN-Profile remote-address=OVPN_Pool
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/system logging action
set 1 disk-file-name="" disk-lines-per-file=500
/certificate settings
set crl-download=yes crl-use=yes
/interface bridge port
add bridge=bridgeWAN hw=no ingress-filtering=no interface=ether1
add bridge=bridgeWAN hw=no ingress-filtering=no interface=ether2
add bridge=bridgeLAN hw=no ingress-filtering=no interface=ether3
add bridge=bridgeLAN hw=no ingress-filtering=no interface=ether4
/ip settings
set accept-redirects=yes max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add interface=sfp-sfpplus1 list=discover
add interface=ether1 list=discover
add interface=ether2 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=ether6 list=discover
add interface=ether7 list=discover
add interface=bridgeLAN list=discover
add interface=bridgeWAN list=LAN
add interface=wireguard list=LAN
/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes256-cbc enabled=yes \
    require-client-certificate=yes
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set default-profile=Open-VPN-Profile
/interface wireguard peers
add allowed-address=10.10.105.3/32 interface=wireguard public-key=\
    "haBPq4+PwfvYZllBDQbQXjcPm90bL2JbkJAx9cbkAH4="
/ip address
add address=[public_ip_router]/30 comment="Static Internet Address" interface=\
    bridgeWAN network=[ISP_gateway]
add address=172.16.0.1/22 interface=bridgeLAN network=172.16.0.0
add address=192.168.1.1/22 comment="subnet for ubiquiti m5 ap and clients" \
    interface=bridgeLAN network=192.168.0.0
add address=10.10.105.1/24 interface=wireguard network=10.10.105.0
/ip dns
set servers=8.8.4.4, xxx.xxx.xxx.xxx
/ip firewall address-list
add address=xxx.xxx.xxx.xxx/24 list=Administrator
add address=xxx.xxx.xxx.xxx/24 list=Administrator
add address=xxx.xxx.xxx.xxx/24 list=Administrator
/ip firewall filter
add action=drop chain=input comment="drop DNS from WAN" connection-state=new \
    dst-port=53 in-interface=bridgeWAN protocol=tcp
add action=drop chain=input dst-port=53 in-interface=bridgeWAN protocol=udp
add action=accept chain=input comment="allow established connections" \
    connection-state=established
add action=accept chain=input comment="allow related connections" \
    connection-state=related
add action=accept chain=input dst-port=44355 log=yes log-prefix=wg protocol=\
    udp src-address-list=Administrator
add action=drop chain=input comment="drop invalid connections" \
    connection-state=invalid
add action=accept chain=input comment=\
    "allow external ICMP for admin range only" in-interface=bridgeWAN \
    protocol=icmp src-address-list=Administrator
add action=accept chain=input comment="Allow local ICMP" in-interface=\
    bridgeLAN protocol=icmp
add action=accept chain=input comment="accept local traffic" disabled=yes \
    in-interface=!bridgeWAN src-address=172.16.0.0/22
add action=accept chain=input in-interface=bridgeLAN
add action=accept chain=input comment="allow RDP for admin range only" \
    dst-port=51572 log-prefix=RDP protocol=tcp src-address-list=Administrator
add action=accept chain=input comment=\
    "allow winbox only for admin range only" dst-port=8291 protocol=tcp \
    src-address-list=Administrator
add action=accept chain=input comment=\
    "allow webgui only for admin range only" dst-port=80 protocol=tcp \
    src-address-list=Administrator
add action=accept chain=input comment=\
    "allow OpenVPN only for admin range only" dst-port=1194 log=yes \
    log-prefix=1194 protocol=tcp src-address-list=Administrator
add action=accept chain=input disabled=yes dst-port=1194 log=yes log-prefix=\
    1194 protocol=udp
add action=accept chain=input comment="allow ssh only for admin range only" \
    dst-port=22 protocol=tcp src-address-list=Administrator
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="default fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="allow established connections" \
    connection-state=established
add action=drop chain=forward comment="drop invalid connections" \
    connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" \
    in-interface=bridgeLAN out-interface=bridgeWAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
add action=accept chain=forward disabled=yes in-interface=bridgeWAN \
    src-address=172.16.100.0
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="internet traffic NAT rule" \
    out-interface=bridgeWAN
add action=dst-nat chain=dstnat comment="Panasonic PBX" dst-port=38760 \
    in-interface=bridgeWAN protocol=tcp to-addresses=172.16.5.100 to-ports=\
    38760
add action=dst-nat chain=dstnat disabled=yes dst-address=[public_ip_of_router] \
    dst-port=38760 protocol=tcp to-addresses=172.16.0.152 to-ports=38760
add action=dst-nat chain=dstnat disabled=yes dst-address=[public_ip_of_router] \
    dst-port=38760 protocol=tcp to-addresses=172.16.5.100 to-ports=38760
add action=dst-nat chain=dstnat disabled=yes dst-address=[public_ip_of_router] \
    icmp-options=8:8 protocol=icmp to-addresses=172.16.0.220
add action=dst-nat chain=dstnat comment=RDP dst-port=51572 log=yes \
    log-prefix=RDP protocol=tcp to-addresses=172.16.0.220 to-ports=3389
add action=masquerade chain=srcnat comment=OpenVPN disabled=yes
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=[ISP_gateway]
add disabled=yes dst-address=172.16.0.220/32 gateway=*E
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set winbox address=xxx.xxx.xxx.xxx/32,172.16.0.0/22
set api-ssl disabled=yes
/ppp secret
add name=jj profile=Open-VPN-Profile service=ovpn
/system clock
set time-zone-autodetect=no time-zone-name=America/Chicago
/system identity
set name=FaithAcademy_CCR1009
/system logging
add action=disk topics=ovpn
add prefix=firewall: topics=firewall
/system note
set show-at-login=no
/tool sniffer
set filter-interface=ether4 filter-ip-address=172.16.5.0/24 filter-stream=yes \
    streaming-enabled=yes streaming-server=172.16.1.23

Client config:
[Interface]
PrivateKey = 
Address = 10.10.105.3/32
DNS = 8.8.8.8

[Peer]
PublicKey = iL9W08Zk48tXu5z0XqbyamdV1KZoQi4/8v3H+napzRQ=
AllowedIPs = 10.10.105.0/24
Endpoint = 107.182.96.246:44355
PersistentKeepalive = 10
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Road Warrior Problems

Tue Jun 06, 2023 3:33 pm

(1) Your interface member list is very weird.
Typically you don't need any discover.
All you need is LAN and WAN and sometimes in a complex or business environment one may have a management or trusted vlan.
Also for some VERY STRANGE reason your LAN bridge is NOT part of the LAN and your WAN bridge is part of the LAN, and there is no WAN member.

It looks like you're copying configs and don't really know what you are doing.
In these cases best to simplify!!!!!

/interface list member
add interface=bridgeLAN list=LAN
add interface=wireguard list=LAN

add interface=bridgeWAN list=WAN


(2) I don't understand your WAN setup. It appears you have two WANs but then you don't assign them two IP addresses etc. So not sure if you have a legitimate WAN setup.
Where this really comes into play is that it is unclear which WAN your road warrior comes in on, and thus if we cannot guarantee the same WAN out is used in the initial handshake, connectivity may not be possible.

(3) Why are you attempting to use two different subnets for the bridge LAN ??? Again, non-standard and WEIRD.
add address=172.16.0.1/22 interface=bridgeLAN network=172.16.0.0
add address=192.168.1.1/22 comment="subnet for ubiquiti m5 ap and clients" interface=bridgeLAN network=192.168.0.0


If you want a third subnet create one properly.

(4) Which brings me to the fact you are completely missing subnet structure, NO IP POOLS, NO dhcp server, NO dhcp server network ??????

++++++++++++++++++++++++++++++++++++++++++

In summary, there is much work to be done to make a clean, simple, efficient working config before tackling wireguard, including removing many of the extra firewall rules for nothing.
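Editor's added example, not part of anav's reply or of the configs posted above. Reading the exported firewall together with the interface-list advice: the input chain accepts new connections only from in-interface=bridgeLAN (plus the Administrator source list for specific ports), and no rule accepts traffic that arrives on the wireguard interface, so a ping from 10.10.105.3 to 10.10.105.1 falls through to the final "drop all else" rule even though the handshake on UDP 44355 is allowed. The fragment below applies the simplified lists (a WAN list has to be created first, since the export has none), adds one input rule keyed on in-interface-list=LAN, and turns on logging for the final input drop so the next failed ping is visible in /log. The rule placement via place-before and the log prefix are choices made here, not something from the thread.

```routeros
# Added example for RouterOS 7.x; paste into the terminal. Assumes the export
# shown in the first post is what is running on the router.

/interface list
# the export has LAN and discover only; anav's layout needs a WAN list too
add name=WAN comment="created here, the export has no WAN list"

/interface list member
# drop the odd memberships (bridgeWAN in LAN) before re-adding the wanted ones,
# otherwise the duplicate wireguard/LAN entry is rejected
remove [find list=LAN]
add interface=bridgeLAN list=LAN
add interface=wireguard list=LAN
add interface=bridgeWAN list=WAN

/ip firewall filter
# accept new connections arriving on any LAN-list interface (bridgeLAN and
# wireguard); placed ahead of the existing final input drop so it is reached
add chain=input action=accept comment="accept from LAN list (bridgeLAN, wireguard)" \
    in-interface-list=LAN place-before=[find chain=input comment="drop all else"]
# log whatever the final input drop still catches; a dropped tunnel ping then
# shows up in /log with in:wireguard, which is the quickest way to spot it
set [find chain=input comment="drop all else"] log=yes log-prefix="input-drop: "

# Checks, after reconnecting the client and pinging 10.10.105.1 from it:
# last-handshake should be recent and the rx/tx counters should move
/interface wireguard peers print detail
# the packet counter on the new accept rule should increase with each ping
/ip firewall filter print stats where chain=input
# should no longer show ICMP from in:wireguard once the accept rule is in place
/log print where message~"input-drop"
```

The existing rule that accepts UDP 44355 only from src-address-list=Administrator is left untouched; it means the handshake itself only works from those ranges. Note also that the client's AllowedIPs = 10.10.105.0/24 only routes the tunnel subnet, so this fragment makes the router's tunnel address reachable; reaching 172.16.0.0/22 from the road warrior needs that prefix in the client's AllowedIPs and a matching forward-chain accept, which are outside this fragment.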
 
horizondust
just joined
Topic Author
Posts: 2
Joined: Mon Jun 05, 2023 12:08 am

Re: Wireguard Road Warrior Problems

Thu Jun 08, 2023 4:50 pm

My ISP actually setup all of the bridge stuff, and as I have discovered, he is no expert. I will be happy to follow your suggestions.

2) I don't understand your WAN setup. It appears you have two WANs but then you don't assign them two IP addresses etc. So not sure if you have a legitimate WAN setup.
Where this really comes into play is that it is unclear which WAN your road warrior comes in on, and thus if we cannot guarantee the same WAN out is used in the initial handshake, connectivity may not be possible.

Sorry, I can't address this one because I'm not sure where you are seeing two WANs? Again, happy to follow any suggestions you have.

(3) Why are you attempting to use two different subnets for the bridge LAN ??? Again, non-standard and WEIRD.
add address=172.16.0.1/22 interface=bridgeLAN network=172.16.0.0
add address=192.168.1.1/22 comment="subnet for ubiquiti m5 ap and clients" interface=bridgeLAN network=192.168.0.0

This was also done by the ISP. We have two nano-stations which support our Gym and our football field press box. I'm not sure why he put them on a separate subnet, but that's what's going on.

(4) Which brings me to the fact you are completely missing subnet structure, NO IP POOLS, NO dhcp server, NO dhcp server network ??????
My DHCP server is behind the Mikrotik, on the LAN. Is this unusual? If the Mikrotik is not providing DHCP do I need IP Pools?
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Road Warrior Problems

Thu Jun 15, 2023 8:06 pm

Okay so what's not clear is what this device is used for.
A network diagram is required to start figuring out what you have and what you are doing
Please post configs of both routers as well.
/export file=anynameyouwish (minus router serial #, any public WAN IP information, keys etc.)
