 
stitch84ac
just joined
Topic Author
Posts: 6
Joined: Sun Dec 24, 2023 1:27 pm

Wireguard: Can't access VLANs

Fri Jan 03, 2025 12:50 am

Hi all,

After reading some very good posts here, I successfully reconfigured my whole network and started to try out Wireguard.
Connection is established and I can also access the internet with the VPN connection.
I can also access my Proxmox web interface (connected to ether3, in VLAN 100), but I can't access containers running inside Proxmox, which does not make sense to me. Some containers are untagged in Proxmox and some are tagged. Within my LAN and without Wireguard, access works fine.
I have tested pings from the command line in RouterOS (src 172.17.0.1, which is the Wireguard gateway), which confirms that the given IP addresses can't be reached.

Can someone explain to me why the Wireguard interface can't ping these addresses or what I am missing?
# 2025-01-02 21:55:15 by RouterOS 7.15.3
# software id = XBVQ-34SC
#
# model = RB5009UG+S+
# serial number = xxx
#
# Review notes are the "#" lines only; every command below is the original export.
# Layout: "bridge" does VLAN filtering. ether1 is the trunk to the switch, ether3 is a
# hybrid port to the Proxmox host (untagged = VLAN 100, tagged = 21/50/53), ether4 is an
# untagged access port in VLAN 53, ether5 is kept outside the bridge (MGMT list, but no
# IP address is assigned to it in this export).
/interface bridge
add name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether5 ] name=dedicated-mgmt-ether5
set [ find default-name=ether3 ] name=nuc-ether3
set [ find default-name=ether1 ] name=trunk-switch1-ether1
# WireGuard listener. The input-chain rule further down admits UDP/13231 only when it
# arrives on pppoe-na, so the tunnel can only be initiated from the ISP side.
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=bridge name=CCTV vlan-id=21
add interface=bridge name=Clients vlan-id=10
add interface=bridge name=Home-Automation vlan-id=50
add interface=bridge name=Kids vlan-id=49
add interface=bridge name=Management vlan-id=53
add interface=bridge name=Servers vlan-id=100
# VLAN 10 on ether2 carries the ISP PPPoE session; it is a separate interface from
# bridge VLAN 10 (Clients) even though the VLAN ID is the same.
add interface=ether2 name=pppoe-na10 vlan-id=10
/interface pppoe-client
add add-default-route=yes allow=pap,chap,mschap2 comment=ISP disabled=no \
    interface=pppoe-na10 name=pppoe-na use-peer-dns=yes user=\
    notimportant
# Only two lists exist: MGMT (where the router may be managed from) and WAN.
# There is no LAN list, so no firewall rule can refer to "all internal VLANs" as a group.
/interface list
add name=MGMT
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# DHCP pools/servers exist only for VLANs 10, 21, 50 and 53.
# Kids (49) and Servers (100) get no DHCP from this router.
/ip pool
add name=dhcp_pool0 ranges=10.0.10.20-10.0.10.254
add name=dhcp_pool1 ranges=10.0.21.20-10.0.21.254
add name=dhcp_pool2 ranges=10.0.50.20-10.0.50.254
add name=dhcp_pool3 ranges=10.0.53.20-10.0.53.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=Clients name=dhcp1
add address-pool=dhcp_pool1 interface=CCTV name=dhcp2
add address-pool=dhcp_pool2 interface=Home-Automation name=dhcp3
add address-pool=dhcp_pool3 interface=Management name=dhcp4
/interface bridge port
add bridge=bridge interface=trunk-switch1-ether1
add bridge=bridge interface=nuc-ether3 pvid=100
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4 pvid=53
# Bridge VLAN table. "bridge" is tagged in every VLAN so the router's own /interface vlan
# interfaces can terminate them; nuc-ether3 carries 21/50/53 tagged and 100 untagged.
/interface bridge vlan
add bridge=bridge tagged=trunk-switch1-ether1,bridge vlan-ids=10
add bridge=bridge tagged=trunk-switch1-ether1,bridge,nuc-ether3 untagged=\
    ether4 vlan-ids=53
add bridge=bridge tagged=trunk-switch1-ether1,bridge,nuc-ether3 vlan-ids=21
add bridge=bridge tagged=trunk-switch1-ether1,bridge vlan-ids=49
add bridge=bridge tagged=trunk-switch1-ether1,bridge,nuc-ether3 vlan-ids=50
add bridge=bridge tagged=trunk-switch1-ether1,bridge untagged=nuc-ether3 \
    vlan-ids=100
# MGMT = Management VLAN + the off-bridge ether5. wireguard1 is NOT a member, which
# matters for the input chain below.
/interface list member
add interface=Management list=MGMT
add interface=dedicated-mgmt-ether5 list=MGMT
add comment=ISP interface=pppoe-na list=WAN
# Single peer. allowed-address=172.17.0.2/32 is WireGuard's cryptokey routing: only packets
# sourced from 172.17.0.2 are accepted from this peer, and only that host is sent to it.
# NOTE(review): the client-* fields appear to describe the remote side's generated config
# (its address, DNS, the endpoint it dials, keepalive) rather than the tunnel itself — confirm.
/interface wireguard peers
add allowed-address=172.17.0.2/32 client-address=172.17.0.2/32 client-dns=\
    8.8.8.8 client-endpoint=example.com client-keepalive=10s \
    interface=wireguard1 name=Home private-key=\
    "redacted" public-key=\
    "redacted"
/ip address
add address=10.0.53.1/24 interface=Management network=10.0.53.0
add address=10.0.10.1/24 interface=Clients network=10.0.10.0
add address=10.0.21.1/24 interface=CCTV network=10.0.21.0
# NOTE(review): no interface named "KNX" is defined anywhere in this export (the vlan-id 49
# interface is named "Kids"), so this address is bound to an unknown interface and VLAN 49
# otherwise has no router address — confirm which name is intended.
add address=10.0.49.1/24 interface=KNX network=10.0.49.0
add address=10.0.50.1/24 interface=Home-Automation network=10.0.50.0
add address=10.0.100.1/24 interface=Servers network=10.0.100.0
# Tunnel-side address. NOTE(review): 172.17.0.0/24 lies inside 172.17.0.0/16, the range Docker
# uses by default for its bridge; a container host that already holds a local route for that
# range would answer 172.17.0.1 on its own bridge instead of sending the reply back through
# this router — worth confirming on the Proxmox host before blaming the firewall.
add address=172.17.0.1/24 interface=wireguard1 network=172.17.0.0
/ip cloud
set ddns-enabled=yes
# Clients are handed public resolvers directly, so nothing here relies on the router
# answering DNS (which the input chain would not allow from non-MGMT VLANs anyway).
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.0.10.1
add address=10.0.21.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.0.21.1
add address=10.0.50.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.0.50.1
add address=10.0.53.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.0.53.1
# defconf bogon list; referenced only by the two "drop bad forward IPs" rules below.
/ip firewall address-list
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
/ip firewall filter
# --- input chain (traffic addressed to the router itself) ---
# ICMP and established/related/untracked are accepted from any interface; the WireGuard
# handshake port only from pppoe-na; everything else is dropped unless it arrives on a
# MGMT-list interface. Because wireguard1 is not in MGMT, VPN clients can reach the router
# itself with ICMP only (no DNS, no WinBox/SSH over the tunnel).
# There is no connection-state=invalid drop on input, unlike the forward chain.
add action=accept chain=input comment="defconf: accept ICMP after RAW" \
    protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
# log=yes writes a log line for every accepted packet to the handshake port.
add action=accept chain=input comment=Wireguard dst-port=13231 in-interface=\
    pppoe-na log=yes log-prefix=wg protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from MGMT" \
    in-interface-list=!MGMT
# --- forward chain (traffic routed through the router) ---
# There is no terminating drop, so anything not matched below is forwarded. In effect:
#   * new connections from WAN are dropped unless dst-natted,
#   * bogon sources/destinations are dropped,
#   * everything else — VLAN <-> VLAN and wireguard1 -> every VLAN — is allowed.
# So the forward chain is unlikely to be what blocks wireguard1 -> VLAN traffic; the reply
# path is the thing to check: wireguard1 -> VLAN packets are not NATed, so each target host
# must route 172.17.0.0/24 back via this router. Hosts on VLANs 10/21/50/53 get this router
# as DHCP gateway; Servers (100) gets no DHCP here, so its hosts' gateway is not visible in
# this export — confirm it is 10.0.100.1.
# If isolation between VLANs (CCTV, Kids, ...) or a narrower reach for VPN clients is
# intended, explicit forward rules plus a final drop are needed.
add action=accept chain=forward comment=\
    "defconf: accept all that matches IPSec policy" disabled=yes \
    ipsec-policy=in,ipsec
# fasttrack precedes the generic accept, as in the default configuration.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    dst-address-list=no_forward_ipv4
# Only the masquerade toward WAN-list interfaces (pppoe-na) is active; the IPsec rule is
# disabled. Nothing NATs traffic between wireguard1 and the VLANs.
/ip firewall nat
add action=accept chain=srcnat comment=\
    "defconf: accept all that matches IPSec policy" disabled=yes \
    ipsec-policy=out,ipsec
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface-list=WAN
/system note
set show-at-login=no

edit: Forgot to mention that I can see the ICMP entries in the connections tab of the firewall, but their state always stays at "syn start" and never changes.
 
yccit
newbie
Posts: 35
Joined: Tue Jun 25, 2024 8:52 pm
Location: BsAs - Argentina

Re: Wireguard: Can' access VLANs

Fri Jan 03, 2025 8:11 am

Please forgive me for not reading your configuration. Try adding the networks you want to reach to the allowed addresses of the peer entry on your Wireguard client, and on that client add them in /ip routes pointing to your Wireguard interface. If the routes exist in the main table on your Wireguard server, you should have no problems.
 
stitch84ac
just joined
Topic Author
Posts: 6
Joined: Sun Dec 24, 2023 1:27 pm

Re: Wireguard: Can' access VLANs

Fri Jan 03, 2025 9:58 pm

Hi and thank you for your answer.

I have played around with Allowed Addresses without any success.
Maybe I need to create some routes myself. Unfortunately I have no clue what such a route should look like. I am just using the routes RouterOS created for me after I added IP addresses to RouterOS.

Can you give me a hint?
 
stitch84ac
just joined
Topic Author
Posts: 6
Joined: Sun Dec 24, 2023 1:27 pm

Re: Wireguard: Can' access VLANs

Fri Jan 03, 2025 10:32 pm

Ok, I got it working by recreating everything (a new wireguard interface and a new peer) and using another IP address for the wireguard interface.
Everything works as expected.

Is 172.17.0.1/24 not a good choice for a wireguard interface? I am now using 192.168.17.1/24 and this setting is fine.
There are no other changes compared to the ones from my first post.
 
yccit
newbie
Posts: 35
Joined: Tue Jun 25, 2024 8:52 pm
Location: BsAs - Argentina

Re: Wireguard: Can' access VLANs

Sat Jan 18, 2025 2:58 am

Ok, I got it working with renewing everything (new wireguard interface and new peer) and another IP address for the wireguard interface.
Everything works as expected.

Is 172.17.0.1/24 not a good choice for a wireguard interface? I am now using 192.168.17.1/24 and this settings is fine.
There are no other changes compared to the ones from my first post.
Maybe you should check whether that IP range is already used somewhere else reachable from your MikroTik Wireguard server (for example, 172.17.0.0/16 is the default Docker bridge network, so containers on the Proxmox host might answer 172.17.0.1 locally instead of sending replies back through the router). The range itself should not cause any problems. You can try it again just by modifying the peers and the routing table.
 
anav
Forum Guru
Posts: 22453
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard: Can' access VLANs

Sat Jan 18, 2025 3:49 am

1. slight mod
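/interface bridge port
# Trunk from the switch: only VLAN-tagged frames are admitted; untagged frames are dropped
# at ingress. The parameter is "frame-types" (plural), as in the original export.
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=trunk-switch1-ether1
# Hybrid port to the Proxmox host: untagged frames land in VLAN 100 (pvid), tagged frames
# for 21/50/53 pass through as listed in /interface bridge vlan.
add bridge=bridge interface=nuc-ether3 pvid=100 comment="hybrid port"
# Access port: untagged (and priority-tagged) frames only, mapped to VLAN 53 (Management).
# The value name is "admit-only-untagged-and-priority-tagged".
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=53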


2. You have six vlans identified ( seven including the pppoe vlan ) and six vlans noted in /interface bridge vlan
WHY, are there only 4 pools, 4 dhcp servers etc.. ??????????

3. Missing: an interface list named LAN.
Add `/interface list add name=LAN`, then add all six VLAN interfaces (not the pppoe one) as members of that LAN list.

4. slight mods.......
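/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add action=accept chain=input connection-state=established,related,untracked
# "invalid" is a connection-tracking state, not a protocol.
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
# Handshake port is accepted on any interface here; add in-interface-list=WAN if it
# should only be reachable from the ISP side.
add action=accept chain=input comment="wg handshake" dst-port=13231 protocol=udp log=yes log-prefix=wg
add action=accept chain=input comment="allow management" in-interface-list=MGMT
# Router-hosted DNS/NTP for LAN-list interfaces only. wireguard1 is not in LAN, so VPN
# clients cannot use the router for DNS unless a matching rule is added for it.
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53,123 protocol=udp
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=tcp
add action=drop chain=input comment="Drop all else"
# --- forward chain: traffic routed through the router ---
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
# Gives VPN clients reach into every LAN-list VLAN; narrow with dst-address(-list) if needed.
add action=accept chain=forward comment="WG to vlans" in-interface=wireguard1 out-interface-list=LAN
# Enable this rule if dst-nat port forwarding is used, otherwise remove it.
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes
# Final drop: VLAN-to-VLAN traffic is blocked unless a rule above allows it.
add action=drop chain=forward comment="drop all else"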


5. Missing:
# Neighbor discovery replies only on MGMT-list interfaces.
/ip neighbor discovery-settings set discover-interface-list=MGMT
# MAC-telnet disabled on every interface; MAC-WinBox limited to the MGMT list.
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=MGMT


6. Missing: an IP address on ether5 for off-bridge access!!

7. Missing: you want users to use 8.8.8.8, so you need to add
# Router forwards DNS queries to the listed upstreams. allow-remote-requests=yes opens
# port 53 on every interface, so the input chain must restrict who may reach it
# (the rules above allow it from the LAN list only and drop everything else).
/ip dns set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4