After some very good posts here, I successfully reconfigured my whole network and started to try out WireGuard.
Connection is established and I can also access the internet with the VPN connection.
I can also access my Proxmox web interface (connected to ether3, which has VLAN #100), but I can't access containers running inside Proxmox, which does not make sense to me. Some containers are untagged in Proxmox and some are tagged. Within my LAN and without WireGuard, access works fine.
I have tested pings from the command line in RouterOS (src 172.17.0.1, which is the WireGuard gateway), which confirms that the given IP addresses can't be reached.
Can someone explain to me why the WireGuard interface can't ping these addresses, or what I am missing?
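# 2025-01-02 21:55:15 by RouterOS 7.15.3
# software id = XBVQ-34SC
#
# model = RB5009UG+S+
# serial number = xxx
#
# Single VLAN-filtering bridge; ether1 is the trunk to switch1, ether3 carries the
# Proxmox host (VLAN 100 untagged, 21/50/53 tagged), ether4 is an untagged
# Management (53) access port, ether5 is a dedicated management port outside the bridge.
/interface bridge
add name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether5 ] name=dedicated-mgmt-ether5
set [ find default-name=ether3 ] name=nuc-ether3
set [ find default-name=ether1 ] name=trunk-switch1-ether1
# WireGuard tunnel; its address is 172.17.0.1/24 (see /ip address below).
# NOTE(review): 172.17.0.0/24 lies inside Docker's default bridge network
# 172.17.0.0/16, where docker0 itself is 172.17.0.1. If any Proxmox guest runs
# Docker with that default, replies addressed to 172.17.0.1 are delivered to the
# guest's own docker0 and never reach the router - which would explain why the
# host's web UI answers while container guests do not. Confirm with `ip route`
# inside an affected guest; moving the tunnel to a range not used by any guest
# (example: 10.255.0.0/24, constructed) also requires updating allowed-address /
# client-address on the peer and on the client side.
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=bridge name=CCTV vlan-id=21
add interface=bridge name=Clients vlan-id=10
add interface=bridge name=Home-Automation vlan-id=50
add interface=bridge name=Kids vlan-id=49
add interface=bridge name=Management vlan-id=53
add interface=bridge name=Servers vlan-id=100
# ISP PPPoE is carried on VLAN 10 of ether2 (unrelated to the Clients VLAN 10 on the bridge).
add interface=ether2 name=pppoe-na10 vlan-id=10
/interface pppoe-client
add add-default-route=yes allow=pap,chap,mschap2 comment=ISP disabled=no \
interface=pppoe-na10 name=pppoe-na use-peer-dns=yes user=\
notimportant
/interface list
add name=MGMT
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# DHCP pools exist for VLANs 10, 21, 50 and 53 only; Servers (100) and Kids (49) have none.
/ip pool
add name=dhcp_pool0 ranges=10.0.10.20-10.0.10.254
add name=dhcp_pool1 ranges=10.0.21.20-10.0.21.254
add name=dhcp_pool2 ranges=10.0.50.20-10.0.50.254
add name=dhcp_pool3 ranges=10.0.53.20-10.0.53.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=Clients name=dhcp1
add address-pool=dhcp_pool1 interface=CCTV name=dhcp2
add address-pool=dhcp_pool2 interface=Home-Automation name=dhcp3
add address-pool=dhcp_pool3 interface=Management name=dhcp4
/interface bridge port
add bridge=bridge interface=trunk-switch1-ether1
add bridge=bridge interface=nuc-ether3 pvid=100
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
interface=ether4 pvid=53
# nuc-ether3 is a member of VLANs 53, 21 and 50 (tagged) and 100 (untagged) only.
# A guest tagged with VLAN 10 or 49 on the Proxmox bridge is not forwarded here.
/interface bridge vlan
add bridge=bridge tagged=trunk-switch1-ether1,bridge vlan-ids=10
add bridge=bridge tagged=trunk-switch1-ether1,bridge,nuc-ether3 untagged=\
ether4 vlan-ids=53
add bridge=bridge tagged=trunk-switch1-ether1,bridge,nuc-ether3 vlan-ids=21
add bridge=bridge tagged=trunk-switch1-ether1,bridge vlan-ids=49
add bridge=bridge tagged=trunk-switch1-ether1,bridge,nuc-ether3 vlan-ids=50
add bridge=bridge tagged=trunk-switch1-ether1,bridge untagged=nuc-ether3 \
vlan-ids=100
# wireguard1 is deliberately not in MGMT, so the input chain below only lets
# ICMP and established/related traffic from VPN clients reach the router itself.
/interface list member
add interface=Management list=MGMT
add interface=dedicated-mgmt-ether5 list=MGMT
add comment=ISP interface=pppoe-na list=WAN
/interface wireguard peers
add allowed-address=172.17.0.2/32 client-address=172.17.0.2/32 client-dns=\
8.8.8.8 client-endpoint=example.com client-keepalive=10s \
interface=wireguard1 name=Home private-key=\
"redacted" public-key=\
"redacted"
/ip address
add address=10.0.53.1/24 interface=Management network=10.0.53.0
add address=10.0.10.1/24 interface=Clients network=10.0.10.0
add address=10.0.21.1/24 interface=CCTV network=10.0.21.0
# Fixed: the export referenced interface=KNX, which does not exist in this
# configuration, leaving the address invalid and VLAN 49 without a gateway.
# 10.0.49.1/24 matches the Kids VLAN (vlan-id=49), following the 10.0.<vlan>.1 scheme.
add address=10.0.49.1/24 interface=Kids network=10.0.49.0
add address=10.0.50.1/24 interface=Home-Automation network=10.0.50.0
add address=10.0.100.1/24 interface=Servers network=10.0.100.0
add address=172.17.0.1/24 interface=wireguard1 network=172.17.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.0.10.1
add address=10.0.21.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.0.21.1
add address=10.0.50.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.0.50.1
add address=10.0.53.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.0.53.1
/ip firewall address-list
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
# Input: ICMP is accepted before the MGMT check, so the router answers pings on
# every interface including pppoe-na. Forward: there is no final drop rule, so
# apart from the WAN/invalid/bogon drops every VLAN (CCTV, Kids, Home-Automation,
# the VPN) can reach every other VLAN. Nothing in this chain blocks
# wireguard1 -> Servers; the missing container replies are not a filter problem
# on this router, which is consistent with the ping test from 172.17.0.1 failing.
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP after RAW" \
protocol=icmp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment=Wireguard dst-port=13231 in-interface=\
pppoe-na log=yes log-prefix=wg protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from MGMT" \
in-interface-list=!MGMT
add action=accept chain=forward comment=\
"defconf: accept all that matches IPSec policy" disabled=yes \
ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
dst-address-list=no_forward_ipv4
# Only WAN-bound traffic is masqueraded; VPN -> LAN keeps its 172.17.0.x source,
# so every guest must have a working return route for 172.17.0.0/24.
/ip firewall nat
add action=accept chain=srcnat comment=\
"defconf: accept all that matches IPSec policy" disabled=yes \
ipsec-policy=out,ipsec
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface-list=WAN
/system note
set show-at-login=no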
Edit: Forgot to mention that I can see ICMP in the Connections tab of the firewall, but the state always stays at "syn start" and never changes.