It was provided in the WG config, and I didn't find any other place to put it.
Well, you have actually put it in two places, that's what I was concerned about. In
/ip dhcp-server network, it has to be 10.255.255.3 because that's what the clients should use; in
/ip dns, it must be a public DNS server or one assigned by your ISP, so that the router can use it to resolve the FQDN of the Wireguard server to its IP address. It is quite likely that your ISP sends you its DNS servers as part of the DHCP lease - if so, the router simply tries the statically configured 10.255.255.3, gets no response, and switches to one of the dynamically assigned ones. That would explain why the Wireguard tunnel even starts.
OK, so put 10.255.255.3 back into the
/ip dhcp-server network settings, disconnect and reconnect a test PC to make sure that it gets the updated DHCP lease, and then run
nslookup myip.wtf in the command line of that PC - what answer do you get? If you get a timeout, open a terminal (command line) window in Winbox (or use SSH), make it as wide as your screen allows, and run the following command:
/tool sniffer quick interface=wg1 port=53
The PCs should generate a lot of DNS requests on their own, but if they don't, try
nslookup myip.wtf again. In the sniff you should see requests from 100.72.7.16:someport to 10.255.255.3:53 and responses from 10.255.255.3:53 to 100.72.7.16:someport. Is that the case?
So I set up DNS as you stated above and tried the commands.
nslookup myip.wtf gave me
C:\Users\Ramazzan>nslookup myip.wtf
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 10.255.255.3
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to UnKnown timed-out
Here are some results from
/tool sniffer quick interface=wg1 port=53. Do I understand right that I don't get any responses?
wg1 35.822 108 -> 100.72.7.16:5678 (discovery) 8.8.8.8:53 (dns) ip:udp 64 3
wg1 36.383 109 -> 100.72.7.16:5678 (discovery) 8.8.4.4:53 (dns) ip:udp 64 3
wg1 36.814 110 -> 100.72.7.16:5678 (discovery) 1.1.1.1:53 (dns) ip:udp 64 3
wg1 36.825 111 -> 100.72.7.16:5678 (discovery) 8.8.8.8:53 (dns) ip:udp 64 3
wg1 37.386 112 -> 100.72.7.16:5678 (discovery) 8.8.4.4:53 (dns) ip:udp 64 3
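The question just asked, whether the sniff contains any replies at all, can be answered mechanically. The following is an added example, not code from the thread or from MikroTik: a small parser for /tool sniffer quick lines in the layout printed above, which pairs every query sent to port 53 with replies coming back from the same server and port. The sample input is the five lines posted above plus one constructed reply line from 1.1.1.1 (invented, so that the pairing logic shows both an answered and an unanswered resolver); the column meaning and the "query = destination port 53, reply = source port 53" rule are assumptions about the sniffer output, not something the thread states.

```python
import re
from collections import defaultdict

# Constructed sample: the five outbound lines from the post, plus one
# fabricated inbound reply (packet 113) that is NOT in the original sniff.
SNIFF = """\
wg1 35.822 108 -> 100.72.7.16:5678 (discovery) 8.8.8.8:53 (dns) ip:udp 64 3
wg1 36.383 109 -> 100.72.7.16:5678 (discovery) 8.8.4.4:53 (dns) ip:udp 64 3
wg1 36.814 110 -> 100.72.7.16:5678 (discovery) 1.1.1.1:53 (dns) ip:udp 64 3
wg1 36.825 111 -> 100.72.7.16:5678 (discovery) 8.8.8.8:53 (dns) ip:udp 64 3
wg1 37.386 112 -> 100.72.7.16:5678 (discovery) 8.8.4.4:53 (dns) ip:udp 64 3
wg1 37.401 113 <- 1.1.1.1:53 (dns) 100.72.7.16:5678 (discovery) ip:udp 80 3
"""

# Assumed column layout: iface time num dir src:port [(label)] dst:port [(label)] proto size ...
LINE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<time>[\d.]+)\s+(?P<num>\d+)\s+(?P<dir>->|<-)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)(?:\s+\([^)]*\))?\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)(?:\s+\([^)]*\))?\s+"
    r"(?P<proto>\S+)\s+(?P<size>\d+)"
)


def parse(text):
    """Turn sniffer lines into dicts; lines that do not match the layout are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def summarize_dns(rows):
    """Count queries and matching replies per resolver.

    A query is any packet whose destination port is 53; a reply is any packet
    whose source port is 53. The two are paired on (client ip, client port,
    resolver ip), which is what a UDP resolver answer must carry.
    """
    queries = defaultdict(int)
    replies = defaultdict(int)
    for r in rows:
        if r["dport"] == "53":
            queries[(r["src"], r["sport"], r["dst"])] += 1
        elif r["sport"] == "53":
            replies[(r["dst"], r["dport"], r["src"])] += 1
    report = {}
    for key, q in queries.items():
        resolver = key[2]
        entry = report.setdefault(resolver, {"queries": 0, "replies": 0})
        entry["queries"] += q
        entry["replies"] += replies.get(key, 0)
    return report


def unanswered(report):
    """Resolvers that were asked at least once and never answered."""
    return sorted(r for r, c in report.items() if c["replies"] == 0)


if __name__ == "__main__":
    rep = summarize_dns(parse(SNIFF))
    for resolver, c in sorted(rep.items()):
        print(f"{resolver}: {c['queries']} queries, {c['replies']} replies")
    print("unanswered:", unanswered(rep))
    print("10.255.255.3 queried:", "10.255.255.3" in rep)
```

On the five lines actually posted (drop the constructed packet 113), every resolver comes out unanswered, and 10.255.255.3 never appears as a destination at all: all queries carry the wg1 address 100.72.7.16 as source and go to 8.8.8.8, 8.8.4.4 and 1.1.1.1 through the tunnel, which is not the exchange the previous post said to look for.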
Interesting, the OP stated that he is connecting to a private server.
I did ask what DNS the private server was using.
No idea when the idea of using 10.255.255.3 popped into the head?
Firstly, set DETECT INTERNET TO NONE; it's known to cause issues.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Also, the IP DHCP server settings don't indicate that he is using PEER DNS?
As long as the router sees
/ip dns
set servers=1.1.1.1,8.8.8.8
should not the router be able to (from its wireguard service) go out to one of these IPs and have the access needed to negotiate the handshake?
The subnet does not need DNS access locally is what I am saying.
However, it depends:
a. does the user want local subnet DNS to leak out of the local router, and then the rest of the traffic to go out wireguard,
OR
b. does the user want all traffic, including DNS, to go out wireguard (to me this is preferable in most cases).
So for the subnet,
/ip dhcp-server network
add address=192.168.188.0/24 dns-server=100.72.7.1 gateway=192.168.188.1
should be all that is required! (the wireguard gateway)
To ensure this happens, one could:
/ip firewall nat
add chain=dstnat action=dst-nat src-address=192.168.188.0/24 dst-port=53 protocol=udp to-addresses=100.72.7.1
add chain=dstnat action=dst-nat src-address=192.168.188.0/24 dst-port=53 protocol=tcp to-addresses=100.72.7.1
The new DNS (10.255.255.3) is coming from an alternative server I got for test purposes; it provides DNS.
I've tried the suggested firewall rules, but my DNS address is different. Are you sure I should use 100.72.7.1? It is not provided anywhere in the config files.
Sadly, the result is still the same. I can ping IPs from the local machine, but can't visit the web.
Here is my current config:
# 2024-11-19 22:24:32 by RouterOS 7.16.1
# software id = 4NIX-BDJQ
#
# model = RBD52G-5HacD2HnD
# serial number = 92F109F00470
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] disabled=no installation=indoor mode=\
ap-bridge ssid="PieFi setup" wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] mode=ap-bridge ssid=MikroTik \
wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
/interface wireguard
add listen-port=58254 mtu=1420 name=wg1
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.188.2-192.168.188.5
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool0 interface=bridge1 name=dhcp1 \
server-address=192.168.188.1
/routing table
add disabled=no fib name=rtab-wg
/interface bridge port
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=wlan2
add bridge=bridge1 interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set accept-source-route=yes
/ipv6 settings
set disable-ipv6=yes forward=no
/interface list member
add interface=bridge1 list=LAN
add interface=ether1 list=WAN
add interface=wg1 list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=xxx.whiskergalaxy.com \
endpoint-port=123 interface=wg1 name=peer5 persistent-keepalive=25s \
preshared-key="key" public-key=\
"key"
/ip address
add address=192.168.188.1/24 interface=bridge1 network=192.168.188.0
add address=100.72.7.16 interface=wg1 network=100.72.7.16
/ip dhcp-client
add interface=ether1
/ip dhcp-relay
add dhcp-server=192.168.188.1 disabled=no interface=wlan1 name=relay1
/ip dhcp-server network
add address=192.168.188.0/24 dns-server=10.255.255.3 gateway=192.168.188.1
/ip firewall address-list
add address=192.168.188.2 list=AUTHORIZED
add address=192.168.188.3 list=AUTHORIZED
add address=192.168.188.4 list=AUTHORIZED
add address=192.168.188.5 list=AUTHORIZED
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="admin access" src-address-list=\
AUTHORIZED
add action=drop chain=input
add action=accept chain=forward comment="wireguard access" disabled=yes \
out-interface=wg1 src-address=192.168.188.0/24
add action=fasttrack-connection chain=forward connection-state=\
established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="local internet access" \
in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="users to wg" out-interface=wg1 \
src-address=192.168.188.0/24
add action=drop chain=forward comment="drop all else"
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=\
rtab-wg passthrough=no src-address=192.168.188.2-192.168.188.255
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=wg1
add action=dst-nat chain=dstnat dst-port=53 protocol=udp src-address=\
192.168.88.0/24 to-addresses=100.72.7.1
add action=dst-nat chain=dstnat dst-port=53 protocol=tcp src-address=\
192.168.88.0/24 to-addresses=100.72.7.1
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wg1 routing-table=\
rtab-wg scope=30 suppress-hw-offload=no target-scope=10
/routing rule
add action=lookup-only-in-table disabled=no dst-address=192.168.188.0/24 \
table=main
add action=lookup-only-in-table disabled=no src-address=192.168.188.0/24 \
table=rtab-wg
/system clock
set time-zone-name=Europe/London
/system identity
set name="WG tunnel "
/system note
set show-at-login=no
If something is wrong with the config, maybe I should try a reset with no default settings and only input a minimalistic config that should work?
Based on what we discussed here.
What version should it be based on?
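Before rebuilding from scratch, the export above can be cross-checked for addresses that do not line up with each other. The following is an added example, not from the thread or from MikroTik: it parses the relevant sections of a RouterOS export (the excerpt embedded below is copied from the config posted above, including its backslash line continuations), collects the networks configured under /ip address, and reports every DHCP dns-server, dstnat src-address and dstnat to-addresses that is not inside one of those networks. The "must be on a connected network" rule is a heuristic assumed here for the check, not a RouterOS requirement: an address that fails it is still reachable if a route covers it.

```python
import ipaddress
import shlex

# Excerpt of the export posted in the thread (only the sections this check reads).
EXPORT = """\
/ip address
add address=192.168.188.1/24 interface=bridge1 network=192.168.188.0
add address=100.72.7.16 interface=wg1 network=100.72.7.16
/ip dhcp-server network
add address=192.168.188.0/24 dns-server=10.255.255.3 gateway=192.168.188.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=wg1
add action=dst-nat chain=dstnat dst-port=53 protocol=udp src-address=\\
    192.168.88.0/24 to-addresses=100.72.7.1
add action=dst-nat chain=dstnat dst-port=53 protocol=tcp src-address=\\
    192.168.88.0/24 to-addresses=100.72.7.1
"""


def parse_export(text):
    """Return {section: [ {key: value, ...}, ... ]} for the 'add' lines of an export.

    Lines ending in a backslash are joined with the next one, as RouterOS prints them.
    'set' lines are ignored because the checks below only look at added entries.
    """
    sections = {}
    current = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
            continue
        tokens = shlex.split(line)
        if current and tokens and tokens[0] == "add":
            entry = {}
            for tok in tokens[1:]:
                if "=" in tok:
                    key, value = tok.split("=", 1)
                    entry[key] = value
            sections[current].append(entry)
    return sections


def connected_networks(sections):
    """Networks of every /ip address entry; a bare address is treated as /32."""
    nets = []
    for e in sections.get("/ip address", []):
        addr = e["address"]
        if "/" not in addr:
            addr += "/32"
        nets.append(ipaddress.ip_interface(addr).network)
    return nets


def check(sections):
    """Heuristic consistency findings, as plain strings."""
    nets = connected_networks(sections)
    findings = []

    def on_link(ip):
        return any(ipaddress.ip_address(ip) in n for n in nets)

    for e in sections.get("/ip dhcp-server network", []):
        dns = e.get("dns-server")
        if dns and not on_link(dns):
            findings.append(f"dhcp dns-server {dns} is not on any connected network")
    for e in sections.get("/ip firewall nat", []):
        if e.get("chain") != "dstnat":
            continue
        src = e.get("src-address")
        if src:
            src_net = ipaddress.ip_network(src, strict=False)
            if not any(src_net.subnet_of(n) for n in nets):
                findings.append(f"dstnat rule src-address {src} matches no connected network")
        to = e.get("to-addresses")
        if to and not on_link(to):
            findings.append(f"dstnat to-addresses {to} is not on any connected network")
    return findings


if __name__ == "__main__":
    for line in check(parse_export(EXPORT)):
        print(line)
```

Run against the posted export this flags the two dst-nat rules, whose src-address 192.168.88.0/24 is not the LAN (192.168.188.0/24), so they never match and client DNS is not redirected at all; it also flags 10.255.255.3 and 100.72.7.1 as addresses that are only reachable through a route (the wg1 address is a bare /32), which is where the routing rule for 192.168.188.0/24 and the rtab-wg default route come into play.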