klinutzu
just joined
Topic Author
Posts: 2
Joined: Sun Oct 30, 2022 6:24 pm

wireguard between pfsense as server and mikrotik as client

Sun Jun 04, 2023 8:32 pm

Hi all,

I need to set up the following scenario:
WireGuard server - cloud, pfSense. Public IP as WAN and a private IP as local LAN provided by another router.
WireGuard client - MikroTik RB750 behind another router; MikroTik WAN IP from DHCP and 192.168.x.0/24 in LAN - bridge interface.

I just set up WireGuard with the following rules:
a) MikroTik:
- new interface wg1 with the public key used in the peer on pfSense, port 51820, peer with endpoint = public IP of pfSense; allowed address: tried both wg tunnel + LAN from pfSense and 0.0.0.0/0, both work
- wg1 IP in the same subnet as the pfSense wg interface
- IP route for the pfSense LAN IPs through the wg IP of pfSense
- ping from the MikroTik terminal to the pfSense LAN and devices works; ping from MikroTik internal devices to pfSense LAN devices works.

b) pfSense:
- wg interface with the public key used in the peer on the MikroTik; allowed address: wg address of the MikroTik + LAN subnet of the MikroTik
- routing: added a gateway with the MikroTik wg IP, added a static route with the MikroTik LAN as destination network through the gateway defined earlier
- ping from pfSense diagnostics to the MikroTik LAN and devices works; ping from internal devices to MikroTik LAN devices doesn't work.

Right now I don't know what to do anymore. Is it a MikroTik issue or a pfSense issue?

Can somebody help me, please?

Regards
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: wireguard between pfsense as server and mikrotik as client

Tue Jun 06, 2023 3:39 pm

No diagram and no MikroTik config... Okay, I will use my crystal ball.

Typically, as a client device you need persistent keepalive set.
Typically, as a client router you may wish to sourcenat WireGuard traffic:
a. mandatory for a third-party service
b. optional to another router (depends)
--> if you can set allowed addresses and static routes on the other router, not needed
--> if you cannot set allowed addresses or static routes on the other router, or are lazy, you can sourcenat everything to the outgoing WireGuard interface.

Typically on the client device you need a firewall rule allowing local LAN traffic to enter the tunnel.
Typically on the client device, in the peer settings, you need to state which allowed IPs (the LAN subnets you are going to visit):
a. WireGuard subnet, SubnetA, SubnetB etc. OR
b. 0.0.0.0/0 (to be able to access the Internet via the other router; of course this already includes everything in a.)

Good luck
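The MikroTik side of the setup described in the question, written out with the items from the checklist above (keepalive, allowed addresses, a forward rule for the LAN, and the optional srcnat) as a RouterOS 7 CLI example. This is an added example, not config from either poster: the interface name wg1 and port 51820 come from the thread, while the subnets (10.10.10.0/24 for the tunnel, 192.168.1.0/24 for the MikroTik LAN, 10.0.0.0/24 for the pfSense LAN), the bridge name and the documentation address 203.0.113.10 for the pfSense WAN are assumptions.

```routeros
# Added example (not from the original thread). Assumed addressing:
#   10.10.10.0/24  WireGuard transfer subnet: pfSense 10.10.10.1, MikroTik 10.10.10.2
#   192.168.1.0/24 LAN behind the MikroTik, on interface "bridge"
#   10.0.0.0/24    LAN behind pfSense
#   203.0.113.10   pfSense public IP (documentation address)

/interface wireguard
add name=wg1 listen-port=51820 mtu=1420 comment="tunnel to pfSense"
# RouterOS generates the private key; read the public key with
# "/interface wireguard print" and paste it into the peer entry on pfSense.

/ip address
add address=10.10.10.2/24 interface=wg1

/interface wireguard peers
add interface=wg1 \
    public-key="<pfSense public key>" \
    endpoint-address=203.0.113.10 endpoint-port=51820 \
    allowed-address=10.10.10.0/24,10.0.0.0/24 \
    persistent-keepalive=25s \
    comment="pfSense in the cloud"
# persistent-keepalive keeps the NAT mapping on the upstream router open, since
# the MikroTik sits behind another router and has no public IP of its own.
# allowed-address is also an inbound filter: packets arriving from this peer
# must have a source inside these ranges or WireGuard silently drops them.
# Use 0.0.0.0/0 instead if all Internet traffic should go through pfSense.

/ip route
add dst-address=10.0.0.0/24 gateway=wg1 comment="pfSense LAN via WireGuard"

/ip firewall filter
# Put these above any drop rules in the forward and input chains.
add chain=forward action=accept in-interface=bridge out-interface=wg1 \
    comment="local LAN -> WireGuard"
add chain=forward action=accept in-interface=wg1 out-interface=bridge \
    src-address=10.0.0.0/24 dst-address=192.168.1.0/24 \
    comment="pfSense LAN -> local LAN"
add chain=input action=accept in-interface=wg1 src-address=10.0.0.0/24 \
    dst-address=10.10.10.2 comment="pfSense LAN -> this router"

/ip firewall nat
# Optional: only needed when pfSense cannot be given 192.168.1.0/24 in the
# peer's allowed IPs plus a static route. Then the LAN leaves the tunnel as
# 10.10.10.2 and pfSense only needs 10.10.10.2/32 in allowed IPs.
add chain=srcnat action=masquerade out-interface=wg1 \
    src-address=192.168.1.0/24 disabled=yes \
    comment="srcnat LAN behind WireGuard address (enable only if needed)"
```

To check the tunnel, `/interface wireguard peers print` should show a recent last-handshake and growing rx/tx counters; `/tool ping 10.0.0.1 src-address=192.168.1.1` tests the same path a LAN host would take. Without the srcnat rule, the pfSense peer entry must list the MikroTik LAN (192.168.1.0/24 in the assumed addressing) in its allowed IPs, and pfSense needs firewall rules permitting traffic on the WireGuard interface in both directions; if only the pfSense LAN-to-MikroTik direction fails, those are the first two places to look on the pfSense side.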
