yhfung
Member Candidate
Topic Author
Posts: 148
Joined: Tue Nov 20, 2012 6:58 pm

Sites connected with Wireguard but not able to access other hosts

Thu Oct 31, 2024 6:02 am

These two sites can be reached with Winbox without any problems. The two MikroTik routers A (dt) and B (fs) are configured with Wireguard and were tested from their terminals without any problems.

The Wireguard addresses are taken from 10.2.200.0/30. Router A has 10.2.200.2/30 and router B has 10.2.200.1/30.

Site router A to ping router B
[admin@MikroTik] > ping 10.2.200.1
  SEQ HOST                                     SIZE TTL TIME       STATUS      
    0 10.2.200.1                                 56  64 26ms196us 
    1 10.2.200.1                                 56  64 25ms967us 
    2 10.2.200.1                                 56  64 26ms126us 
    sent=3 received=3 packet-loss=0% min-rtt=25ms967us avg-rtt=26ms96us 
   max-rtt=26ms196us 

Site router B to ping router A
[admin@MikroTik] > ping 10.2.200.2
  SEQ HOST                                     SIZE TTL TIME       STATUS             
    0 10.2.200.2                                 56  64 26ms322us 
    1 10.2.200.2                                 56  64 26ms117us 
    2 10.2.200.2                                 56  64 26ms407us 
    sent=3 received=3 packet-loss=0% min-rtt=26ms117us avg-rtt=26ms282us 
   max-rtt=26ms407us 
In site B, the router's host network is 192.168.201.x/24; for the site A router it is 172.16.10.x/24.


My objective is to access site B 192.168.201.1 on site A terminal.
Last edited by yhfung on Thu Oct 31, 2024 8:04 am, edited 1 time in total.
 
Njumaen
Frequent Visitor
Posts: 94
Joined: Wed Feb 24, 2016 8:41 pm
Location: Bielefeld, Germany
Contact:

Re: Sites connected with Wireguard but not able to access other hosts

Thu Oct 31, 2024 6:59 am

As you use different networks you'll have to create a NAT masquerading rule for the wireguard interface. And maybe put the wireguard interface into the LAN interface list.

I tend to forget this myself sometimes... ;)
 
yhfung
Member Candidate
Topic Author
Posts: 148
Joined: Tue Nov 20, 2012 6:58 pm

Re: Sites connected with Wireguard but not able to access other hosts

Thu Oct 31, 2024 8:18 am

Perhaps my previous post was not clear. Router B is attached to the Internet. Router A is not; it is connected to another router C, which is connected to the Internet. That means router A is on a subnet of router C.


Router B (NAT) --------- Internet------------Router C (NAT)-------Router A (NAT)
 
TheCat12
Member
Posts: 429
Joined: Fri Dec 31, 2021 9:13 pm

Re: Sites connected with Wireguard but not able to access other hosts

Thu Oct 31, 2024 12:11 pm

Without config there's nothing we can tell...

export file=anynameyouwish (minus sensitive info)

My guess would be that you haven't configured allowed addresses and routes properly but that's just a guess
 
anav
Forum Guru
Posts: 21759
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Sites connected with Wireguard but not able to access other hosts

Thu Oct 31, 2024 1:28 pm

Yes, please provide config for BOTH routers!!
/export file=anynameyouwish (minus router serial number, any public WANIP information, keys etc. )

Not a problem that one router is behind another router.
First, which router is the peer SERVER for handshake?? ( the one with public IP address, or has an ISP router with public IP that can forward ports to the MT router ).

Very easy once we get the facts to ensure access from local subnet users to remote subnet users and vice versa.
What I don't understand is the /30. Why not at least /29 so that YOU as ADMIN can then access both routers while working remotely to access the subnets AND to CONFIG both routers????
 
yhfung
Member Candidate
Topic Author
Posts: 148
Joined: Tue Nov 20, 2012 6:58 pm

Re: Sites connected with Wireguard but not able to access other hosts

Thu Oct 31, 2024 4:02 pm

Thanks to TheCat12 and anav.

The configuration of Router A
# 2024-10-31 20:51:53 by RouterOS 7.16.1
# software id = <code>
#
# model = RB5009UG+S+
# serial number = <code>
/interface bridge
add admin-mac=78:9A:18:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface wireguard
add listen-port=11140 mtu=1420 name=wg-fs
/disk
set usb1 media-interface=bridge media-sharing=yes slot=usb1 smb-sharing=yes \
    smb-user=guest
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=172.16.10.10-172.16.10.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=10.2.200.2/30,192.168.201.1/32 endpoint-address=\
    <code> endpoint-port=59123 interface=wg-fs name=\
    fs persistent-keepalive=25s preshared-key=\
    "<code>" public-key=\
    "<code>"
/ip address
add address=172.16.10.1/24 comment=defconf interface=bridge network=\
    172.16.10.0
add address=192.168.55.28/24 interface=ether1 network=192.168.55.0
add address=10.2.200.2/30 interface=wg-fs network=10.2.200.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server network
add address=172.16.10.0/24 comment=defconf dns-server=172.16.10.1 gateway=\
    172.16.10.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.55.1
/ip dns static
add address=172.16.10.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=wg-cc dst-port=59123 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="allow winbox" dst-port=8291 protocol=\
    tcp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.55.1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.201.0/24 gateway=wg-fs \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10

/system clock
set time-zone-name=Asia/Shanghai
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

The configuration of Router B
# 2024-10-31 21:09:04 by RouterOS 7.15.3
# software id = <code>
#
# model = RBD52G-5HacD2HnD
# serial number = <code>
/interface bridge
add admin-mac=74:4D:28:XX:XX:XX auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=china disabled=no distance=indoors frequency=auto installation=\
    indoor mode=ap-bridge ssid=MK-2.4G wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country=china disabled=no distance=indoors frequency=\
    auto installation=indoor mode=ap-bridge ssid=MK-5G wireless-protocol=\
    802.11
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    use-peer-dns=yes user=<code>
/interface wireguard
add listen-port=59123 mtu=1420 name=wg-cc
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.201.50-192.168.201.100
/ip smb users
set [ find default=yes ] disabled=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=wlan1 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=wlan2 internal-path-cost=10 \
    path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/interface wireguard peers
add allowed-address=10.2.200.2/30,172.16.10.1/32 interface=wg-cc name=dangtu \
    preshared-key="<code>" public-key=\
    "<code>"
/ip address
add address=192.168.201.1/24 comment=defconf interface=bridge network=\
    192.168.201.0
add address=10.2.200.1/30 interface=wg-cc network=10.2.200.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/ip dhcp-server network
add address=192.168.201.0/24 comment=defconf dns-server=192.168.201.1 \
    gateway=192.168.201.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.201.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=wg-cc dst-port=59123 protocol=udp
add action=accept chain=input comment="Winbox remote access" dst-port=8291 \
    protocol=tcp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip route
add disabled=no distance=1 dst-address=172.16.10.0/24 gateway=wg-cc \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ssh disabled=yes
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/system clock
set time-zone-name=Asia/Shanghai
/system note
set show-at-login=no
/system ntp server
set use-local-clock=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Now in Router A (connected under Router C), I am able to ping 192.168.201.1. In Router B (connected to the Internet, the Wireguard server) it is the same: I am able to ping 172.16.10.1. In Router A, besides the original allowed address 10.2.200.0/30, I added 192.168.201.1/32. In Router B, 172.16.10.1/32 is added to 10.2.200.0/30.

A new PC is added to Router A and the PC terminal is not able to ping 192.168.201.1. My expectation is that the PC terminal would behave the same as Router A's terminal.
 
TheCat12
Member
Posts: 429
Joined: Fri Dec 31, 2021 9:13 pm

Re: Sites connected with Wireguard but not able to access other hosts

Thu Oct 31, 2024 7:53 pm

My suspicions were confirmed: you added on both sides in the allowed-address field a /32 instead of the whole subnet:

On Router A:

/interface wireguard peers
add allowed-address=10.2.200.2/30,192.168.201.1/32 endpoint-address=\
    <code> endpoint-port=59123 interface=wg-fs name=\
    fs persistent-keepalive=25s preshared-key=\
    "<code>" public-key=\
    "<code>"


to

/interface wireguard peers
add allowed-address=10.2.200.2/30,192.168.201.0/24 endpoint-address=\
    <code> endpoint-port=59123 interface=wg-fs name=\
    fs persistent-keepalive=25s preshared-key=\
    "<code>" public-key=\
    "<code>"


And on Router B an analogous change.

On a sidenote, please change the following rule from Router B immediately:
/ip firewall filter
add action=accept chain=input comment="Winbox remote access" dst-port=8291 \
    protocol=tcp
because, as the comment suggests, it allows remote access through Winbox, but that doesn't mean it's secure. Configure for example another Wireguard server and peer and add to the firewall rule in-interface="wireguard_server"

Also, it is advised to answer @anav's questions because there are things I'm probably missing and he could suggest additional improvements of the configuration
 
anav
Forum Guru
Posts: 21759
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Sites connected with Wireguard but not able to access other hosts

Thu Oct 31, 2024 8:27 pm

ROUTER A

1. Allowed IPs needs work ( the small change ensures that the remote admin can access this router from any location )
/interface wireguard peers
add allowed-address=10.2.200.0/24,192.168.201.1/32 endpoint-address=\
<code> endpoint-port=59123 interface=wg-fs name=\
fs persistent-keepalive=25s preshared-key=\
"<code>" public-key=\

Similarly HIGHLY recommend modify address:
/ip address
add address=10.2.200.2/29 interface=wg-fs network=10.2.200.0

2. Why do you have an input chain rule for wireguard. This device is initiating the handshake on router B. There is nothing attempting to initiate handshake here!!!
Remove this rule from input chain!!
add action=accept chain=input comment=wg-cc dst-port=59123 protocol=udp

3. This is not a safe rule.......... and should be modified at least (limited to LAN).
add action=accept chain=input comment="allow winbox" dst-port=8291 protocol=tcp

minimum acceptable:
add action=accept chain=input in-interface-list=LAN comment="allow winbox" dst-port=8291 protocol=tcp

However you already have a default last rule in the input chain which already allows full LAN access anyway so in this context just remove the rule.

Access to winbox should only be allowed
a. from internal LAN
b. accessed via a VPN to the router. (wireguard is a good vehicle for this )

The way I would do this is by firewall address list -- a list of static dhcp leases for admin on Router A locally, any upstream private ADMIN IPs, and through wireguard any remote admin devices, AND through wireguard any admin static leases from subnets on Router B.
ONLY, I repeat ONLY, the admin requires access to config the router. In conjunction with the above in the input chain one needs to ensure the LAN interface has access to DNS and then simply drop all the rest of the traffic.

4. According to the IP route information, it would appear that you want local users on RouterA, to be able to access the 192.168.201.0/24 subnet on Router B,
Therefore, one should have allowed IPs as:
add allowed-address=10.2.200.0/24,192.168.201.0/24 endpoint-address=\
<code> endpoint-port=59123 interface=wg-fs name=\
fs persistent-keepalive=25s preshared-key=\
"<code>" public-key=\

4. Lastly I would replace the vague and almost useless default rule once you change your setup......
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN


TO:
add action=accept chain=forward comment="internet access" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="local subnet to wg" in-interface-list=LAN src-address=172.16.10.0/24 out-interface=wg-fs
add action=accept chain=forward comment="inbound remote users" in-interface=wg-fs dst-address=172.16.10.0/24
add action=drop chain=forward comment="drop all else"


+++++++++++++++++++++++++++++++++++++++++

ROUTER B

5. MODIFY Allowed IPs accordingly
/interface wireguard peers
add allowed-address=10.2.200.2/32,172.16.10.0/24 interface=wg-cc name=dangtu \
preshared-key="<code>" public-key=\
"<code>"


6. As per the other router, expand wireguard subnet slightly so that you can access both routers securely from any remote location!!
/ip address
add address=10.2.200.1/29 interface=wg-cc network=10.2.200.0


7. Same security comments regarding access to winbox port from external sources!

8. Forward Chain firewall rules modified as per below:

add action=accept chain=forward comment="internet access" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="local subnet to wg" in-interface-list=LAN src-address=192.168.201.0/24 out-interface=wg-cc
add action=accept chain=forward comment="inbound remote users" in-interface=wg-cc dst-address=192.168.201.0/24
add action=drop chain=forward comment="drop all else"


9. Now if you want to have the ability, as remote admin, to reach both routers by remote location ( laptop, smartphone, ipad etc be it hotel, coffee shop etc..)
Then we do the following after changing IP address of wireguard to a slightly larger /29 subnet. Add a few peers.

/interface wireguard peers
add allowed-address=10.2.200.2/32,172.16.10.0/24 interface=wg-cc name=dangtu preshared-key="<code>" public-key="<code>"
add allowed-address=10.2.200.3/32 interface=wg-cc name=remote-laptop preshared-key="<code>" public-key="<code>"
add allowed-address=10.2.200.4/32 interface=wg-cc name=remote-smartphone preshared-key="<code>" public-key="<code>"


Now we have to add a relay forward chain rule, so that when you hit the router as the remote admin, you exit the tunnel and then are allowed to re-enter the tunnel to reach the other router peer.
add action=accept chain=forward comment="internet access" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="local subnet to wg" in-interface-list=LAN src-address=172.16.10.0/24 out-interface=wg-fs
add action=accept chain=forward comment="inbound remote users" in-interface=wg-fs dst-address=172.16.10.0/24
add chain=forward action=accept comment="relay wg" in-interface=wg-cc out-interface=wg-cc
add action=drop chain=forward comment="drop all else"


10. For better security make the same firewall address list for both routers.

/ip firewall address-list { using static dhcp leases where applicable }
add address=172.16.10.X list=AUTHORIZED comment="admin PC Router B"
add address=192.168.201.Y list=AUTHORIZED comment="admin PC Router A"
add address=10.2.200.3 list=AUTHORIZED comment="admin remote laptop"
add address=10.2.200.4 list=AUTHORIZED comment="admin remote smartphone/ipad"


11. Then change the input rule on both routers
FROM:
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address=127.0.0.1
add action=accept chain=input comment=wg-cc dst-port=59123 protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN


TO:
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address=127.0.0.1

add action=accept chain=input comment=wg-cc dst-port=59123 protocol=udp
<---- ONLY ON ROUTER B
add action=accept chain=input comment="admin access" src-address-list=AUTHORIZED
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=tcp
add action=drop chain=input comment="drop all else"
{ add this last so you don't lock yourself out }
 
yhfung
Member Candidate
Topic Author
Posts: 148
Joined: Tue Nov 20, 2012 6:58 pm

Re: Sites connected with Wireguard but not able to access other hosts

Sat Nov 02, 2024 5:17 am

Thanks to TheCat12 and anav for the help with the problem.

Connecting two routers with Wireguard using 10.2.200.0/30 is very easy. Site router B, denoted by 192.168.201.1 (ROS terminal), and site router A, denoted by 172.16.10.1, can be connected using the allowed addresses 172.16.10.1/32 and 192.168.201.1/32 respectively. With this arrangement the ROS A terminal (172.16.10.1) can ping 192.168.201.1, and the ROS B terminal (192.168.201.1) can ping 172.16.10.1.

When a PC terminal (172.16.10.253) is attached to Router A, it fails to ping 192.168.201.1. The failure is due to "no attached route" being found. If 172.16.10.1/32 is changed to 172.16.10.1/24, the PC terminal (172.16.10.253) can ping 192.168.201.1.
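The behaviour TheCat12 diagnosed and yhfung confirmed above follows from WireGuard's cryptokey routing: a peer's allowed-address list selects which peer a packet is encrypted for on the way out, and on the way in it is the only filter that decides whether a decrypted packet's source is accepted. The model below is an added example, not code from the thread or from MikroTik; it replays the posted allowed-address values (peer "fs" on Router A, peer "dangtu" on Router B) for the router terminals (172.16.10.1, 192.168.201.1), the PC at 172.16.10.253 from the final post, and a constructed host 192.168.201.50 behind Router B. It models the allowed-address check only, not RouterOS routing tables or the firewall filter.

```python
"""WireGuard allowed-address (cryptokey routing) model for the two-router thread.

Outbound: the packet is encrypted for the peer whose allowed-address contains the
destination (longest prefix wins).  Inbound: after decryption the packet is kept
only if its source lies inside the sending peer's allowed-address; otherwise it is
silently dropped.  This is why a /32 for the remote router lets the router's own
terminal ping through while a host behind it is dropped on the far side.
"""
import ipaddress

# allowed-address values as posted in the thread
ROUTER_A_BEFORE = {"fs": "10.2.200.2/30,192.168.201.1/32"}
ROUTER_B_BEFORE = {"dangtu": "10.2.200.2/30,172.16.10.1/32"}
# TheCat12's correction: the whole remote LAN instead of a single /32
ROUTER_A_AFTER = {"fs": "10.2.200.2/30,192.168.201.0/24"}
ROUTER_B_AFTER = {"dangtu": "10.2.200.2/30,172.16.10.0/24"}


def parse_allowed(spec):
    """Parse a RouterOS allowed-address value such as '10.2.200.2/30,192.168.201.1/32'."""
    nets = []
    for part in spec.split(","):
        part = part.strip()
        if part:
            # strict=False so a host address with a prefix (10.2.200.2/30) is accepted
            nets.append(ipaddress.ip_network(part, strict=False))
    return nets


def build_peers(table):
    """Turn {peer_name: allowed-address string} into {peer_name: [ip_network, ...]}."""
    return {name: parse_allowed(spec) for name, spec in table.items()}


def select_peer(peers, dst):
    """Outbound cryptokey routing: longest-prefix match over every peer's allowed-address."""
    d = ipaddress.ip_address(dst)
    best_name, best_len = None, -1
    for name, nets in peers.items():
        for net in nets:
            if d in net and net.prefixlen > best_len:
                best_name, best_len = name, net.prefixlen
    return best_name


def accepts_source(peers, peer_name, src):
    """Inbound check: the decrypted packet's source must lie in the sending peer's allowed-address."""
    s = ipaddress.ip_address(src)
    return any(s in net for net in peers[peer_name])


def trace_ping(local_table, local_peer, remote_table, remote_peer, src, dst):
    """Follow an echo request from src (behind the local router) to dst (behind the
    remote router) and its reply.  Returns the steps taken; the last entry is
    'reply delivered' or a 'dropped on ...' reason naming the router that discarded it."""
    local, remote = build_peers(local_table), build_peers(remote_table)
    steps = []
    # local router: which peer does the request get encrypted for?
    if select_peer(local, dst) != local_peer:
        return steps + [f"dropped on local: {dst} not in allowed-address of peer {local_peer}"]
    steps.append(f"local encrypts request for peer {local_peer}")
    # remote router: is the request's source allowed for the peer it came from?
    if not accepts_source(remote, remote_peer, src):
        return steps + [f"dropped on remote: source {src} not in allowed-address of peer {remote_peer}"]
    steps.append(f"remote accepts request from {src}")
    # remote router: can the reply be routed back into the tunnel?
    if select_peer(remote, src) != remote_peer:
        return steps + [f"dropped on remote: reply to {src} has no matching peer"]
    steps.append(f"remote encrypts reply for peer {remote_peer}")
    # local router: is the reply's source allowed for the peer it came from?
    if not accepts_source(local, local_peer, dst):
        return steps + [f"dropped on local: reply source {dst} not in allowed-address of peer {local_peer}"]
    steps.append("reply delivered")
    return steps


def run_cases():
    """The situations described in the thread; returns {case: final step}."""
    cases = {
        "router A terminal -> B, as posted":
            trace_ping(ROUTER_A_BEFORE, "fs", ROUTER_B_BEFORE, "dangtu", "172.16.10.1", "192.168.201.1"),
        "PC behind A -> B, as posted":
            trace_ping(ROUTER_A_BEFORE, "fs", ROUTER_B_BEFORE, "dangtu", "172.16.10.253", "192.168.201.1"),
        "PC behind A -> B, only B widened to /24":
            trace_ping(ROUTER_A_BEFORE, "fs", ROUTER_B_AFTER, "dangtu", "172.16.10.253", "192.168.201.1"),
        "host behind B -> PC behind A, only B widened to /24":  # 192.168.201.50 is constructed
            trace_ping(ROUTER_B_AFTER, "dangtu", ROUTER_A_BEFORE, "fs", "192.168.201.50", "172.16.10.253"),
        "host behind B -> PC behind A, both widened to /24":
            trace_ping(ROUTER_B_AFTER, "dangtu", ROUTER_A_AFTER, "fs", "192.168.201.50", "172.16.10.253"),
    }
    return {name: steps[-1] for name, steps in cases.items()}


if __name__ == "__main__":
    for name, result in run_cases().items():
        print(f"{name}: {result}")
```

The third and fourth cases show why both sides need the /24: widening only Router B lets the PC behind A reach 192.168.201.1, but a host behind B is still dropped by Router A because its source is outside the /32 that A allows for peer "fs".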
