Parking4754
just joined
Topic Author
Posts: 12
Joined: Tue Nov 07, 2023 11:23 pm

Wireguard connection only works once: Keepalive problem?

Sun Jan 26, 2025 5:13 pm

I set up WireGuard on a hEX S but ran into an odd problem that I didn't have on my AX2: upon establishing a connection, only a small number of bytes would be forwarded through the tunnel. When I enabled client keepalive for a peer the problem was resolved, but the connection would only work once; after a while I would run into the same problem. Opening the peer setup in WebFig and hitting apply made the MikroTik reset the connection and then it works fine, but this is not a practical solution. Does anyone have an idea what could be wrong here? Config below:
# 2025-01-26 14:52:03 by RouterOS 7.17
# software id = xxx
#
# model = RB760iGS
# serial number = xxx
/interface bridge
add admin-mac=74:4D:28:C8:A7:B6 auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
/interface ethernet
set [ find default-name=sfp1 ] disabled=yes
/interface wireguard
add listen-port=13231 mtu=1450 name=wireguard1
/interface vlan
add interface=ether1 name=vlan-internet vlan-id=300
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf disabled=yes interface=sfp1 \
    internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=vlan-internet list=WAN
add interface=wireguard1 list=LAN
/interface ovpn-server server
add mac-address=FE:5A:B8:55:54:D4 name=ovpn-server1
/interface wireguard peers
add allowed-address=10.255.255.3/24 client-keepalive=20s \
    endpoint-port=13231 interface=wireguard1 name=peer1 public-key=\
    "xxx"
add allowed-address=10.255.255.5/24 client-keepalive=20s \
    endpoint-port=13231 interface=wireguard1 name=peer2 public-key=\
    "xxx"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.255.255.1/24 comment=wg interface=wireguard1 network=\
    10.255.255.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=odido interface=vlan-internet use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.88.51 client-id=1:0:a:95:ba:8b:0 mac-address=\
    00:0A:95:BA:8B:00 server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes servers=62.58.48.20,37.143.84.228
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
add address=192.168.88.51 name=server type=A
/ip firewall filter
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=13231 in-interface=vlan-internet \
    protocol=udp to-ports=13231
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.pool.ntp.org
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Posts: 22369
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard connection only works once: Keepalive problem?

Sun Jan 26, 2025 5:31 pm

Only the client peers ON THEIR devices require keepalive settings.

You have some weird selections.....

1. Remove this dstnat rule, it is not required for standard wireguard usage.
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=13231 in-interface=vlan-internet \
protocol=udp to-ports=13231


2. For peers, you only really need the actual config parts, but I guess WireGuard these days injects some client settings for some reason.
add allowed-address=10.255.255.3/24 interface=wireguard1 name=peer1 public-key="xxx"
add allowed-address=10.255.255.5/24 interface=wireguard1 name=peer2 public-key="yyy"


3. Purpose of these DNS addresses, what are they??
/ip dns
set allow-remote-requests=yes servers=62.58.48.20,37.143.84.228 ??


4. Reason for static DNS settings?
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
add address=192.168.88.51 name=server type=A
 
Parking4754
just joined
Topic Author
Posts: 12
Joined: Tue Nov 07, 2023 11:23 pm

Re: Wireguard connection only works once: Keepalive problem?

Sun Jan 26, 2025 5:48 pm

> Only the client peers ON THEIR devices require keepalive settings.
>
> You have some weird selections.....
>
> 1. Remove this dstnat rule, it is not required for standard wireguard usage.
> /ip firewall nat
> add action=dst-nat chain=dstnat dst-port=13231 in-interface=vlan-internet \
> protocol=udp to-ports=13231

I removed this rule and indeed it still works.

> 2. For peers, you only really need the actual config parts, but I guess WireGuard these days injects some client settings for some reason.
> add allowed-address=10.255.255.3/24 interface=wireguard1 name=peer1 public-key="xxx"
> add allowed-address=10.255.255.5/24 interface=wireguard1 name=peer2 public-key="yyy"

Cleaned up, WG still works so that's good.

> 3. Purpose of these DNS addresses, what are they??
> /ip dns
> set allow-remote-requests=yes servers=62.58.48.20,37.143.84.228 ??

This is for local DNS requests to be forwarded to the ISP DNS server.

> 4. Reason for static DNS settings?
> /ip dns static
> add address=192.168.88.1 comment=defconf name=router.lan type=A
> add address=192.168.88.51 name=server type=A

This is for local servers, nothing fancy.

Unfortunately the problem still persists: only the 1st session works and the 2nd session doesn't anymore. Why could this be?
 
anav
Forum Guru
Posts: 22369
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard connection only works once: Keepalive problem?  [SOLVED]

Sun Jan 26, 2025 5:59 pm

Try changing the WireGuard MTU to 1420 (that is the normal default). I also don't see anything else at the moment.
 
anav
Forum Guru
Posts: 22369
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard connection only works once: Keepalive problem?

Sun Jan 26, 2025 6:16 pm

Okay I see one potential issue......
from:
/interface wireguard peers
add allowed-address=10.255.255.3/24 client-keepalive=20s \
endpoint-port=13231 interface=wireguard1 name=peer1 public-key=\
"xxx"
add allowed-address=10.255.255.5/24 client-keepalive=20s \
endpoint-port=13231 interface=wireguard1 name=peer2 public-key=\
"xxx"

TO:
/interface wireguard peers
add allowed-address=10.255.255.3/32 client-keepalive=20s \
endpoint-port=13231 interface=wireguard1 name=peer1 public-key=\
"xxx"
add allowed-address=10.255.255.5/32 client-keepalive=20s \
endpoint-port=13231 interface=wireguard1 name=peer2 public-key=\
"xxx"
 
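As an added example, not code from the thread or from MikroTik: a small Python checker for the two settings anav points at, the allowed-address prefix length and the tunnel MTU. It parses a constructed copy of the peer lines from the original post (public keys replaced by the placeholders "xxx" and "yyy"), builds WireGuard's cryptokey routing table from them and reports which peer can no longer be reached, then shows why 1450 does not fit a 1500-byte link while 1420 does. The helper names are mine, the overhead figures come from the WireGuard data-message format, and the 1492-byte outer MTU used at the end is an assumption for a PPPoE link, not a value the thread states.

```python
"""Checker for the two WireGuard settings discussed in this thread.

Added example, not code from the thread or from MikroTik. Helper names are
mine; the peer lines below are a constructed copy of the ones in the original
post with placeholder public keys.
"""
import ipaddress
import re

# Constructed input: the peers as originally posted (/24) and as corrected (/32).
PEERS_AS_POSTED = """\
/interface wireguard peers
add allowed-address=10.255.255.3/24 client-keepalive=20s \\
    endpoint-port=13231 interface=wireguard1 name=peer1 public-key=\\
    "xxx"
add allowed-address=10.255.255.5/24 client-keepalive=20s \\
    endpoint-port=13231 interface=wireguard1 name=peer2 public-key=\\
    "yyy"
"""
PEERS_FIXED = PEERS_AS_POSTED.replace("/24", "/32")


def parse_peers(export_text):
    """Return the `add ...` entries of a RouterOS export as dicts.

    RouterOS wraps long lines with a trailing backslash and indents the
    continuation, so join those first, then split key=value tokens
    (values may be double-quoted, e.g. the public key)."""
    joined = re.sub(r"\\\n[ \t]*", "", export_text)
    peers = []
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("add "):
            attrs = re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)
            peers.append({k: v.strip('"') for k, v in attrs})
    return peers


def cryptokey_routes(peers):
    """Build WireGuard's cryptokey routing table from allowed-address.

    Each prefix belongs to exactly one peer: configuring the same prefix on a
    later peer takes it away from the earlier one. 10.255.255.3/24 and
    10.255.255.5/24 are the same prefix, 10.255.255.0/24, so the second
    peer silently claims it. Returns (routes, takeovers)."""
    routes = {}
    takeovers = []
    for p in peers:
        for entry in p["allowed-address"].split(","):
            net = ipaddress.ip_network(entry, strict=False)
            if net in routes and routes[net] != p["name"]:
                takeovers.append((str(net), routes[net], p["name"]))
            routes[net] = p["name"]
    return routes, takeovers


def lookup(routes, addr):
    """Longest-prefix match, the way outgoing tunnel traffic picks its peer."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, peer in routes.items():
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, peer)
    return best[1] if best else None


def unreachable_peers(peers):
    """Peers whose own tunnel address no longer routes to them.

    Returns (peer, address, peer that actually receives the traffic)."""
    routes, _ = cryptokey_routes(peers)
    bad = []
    for p in peers:
        host = p["allowed-address"].split(",")[0].split("/")[0]
        owner = lookup(routes, host)
        if owner != p["name"]:
            bad.append((p["name"], host, owner))
    return bad


# Per-packet encapsulation: outer IP header + UDP (8) + WireGuard data
# message header (16) + Poly1305 tag (16). Padding to 16 bytes is capped at
# the tunnel MTU, so a full-size inner packet adds exactly this much.
WG_OVERHEAD_V4 = 20 + 8 + 16 + 16   # 60
WG_OVERHEAD_V6 = 40 + 8 + 16 + 16   # 80


def max_tunnel_mtu(outer_mtu, outer_is_ipv6=False):
    """Largest tunnel MTU whose encapsulated packets still fit the outer link.
    1500 - 80 = 1420 is where WireGuard's default comes from."""
    return outer_mtu - (WG_OVERHEAD_V6 if outer_is_ipv6 else WG_OVERHEAD_V4)


def mtu_fits(tunnel_mtu, outer_mtu, outer_is_ipv6=False):
    return tunnel_mtu <= max_tunnel_mtu(outer_mtu, outer_is_ipv6)


if __name__ == "__main__":
    print("as posted:", unreachable_peers(parse_peers(PEERS_AS_POSTED)))
    print("fixed:    ", unreachable_peers(parse_peers(PEERS_FIXED)))
    # 1492 is an assumed PPPoE outer MTU, not a value from the thread.
    for outer in (1500, 1492):
        print(outer, "mtu=1450 fits:", mtu_fits(1450, outer),
              "mtu=1420 fits:", mtu_fits(1420, outer))
```

With the posted /24 entries the checker reports peer1 as unreachable (its traffic is delivered to peer2), which matches "only one session works"; with /32 per peer both resolve to themselves. The MTU check only covers the fixed encapsulation overhead; a DSL link that strips further bytes for PPPoE needs the outer MTU adjusted accordingly.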
Parking4754
just joined
Topic Author
Posts: 12
Joined: Tue Nov 07, 2023 11:23 pm

Re: Wireguard connection only works once: Keepalive problem?

Sun Jan 26, 2025 8:49 pm

> Try changing the WireGuard MTU to 1420 (that is the normal default). I also don't see anything else at the moment.

I made both changes as you recommended and it works now. I think the MTU could've been the culprit, as it explains the intermittent issues, and the internet connection is DSL. Thanks a lot!