 
Kruger99
just joined
Topic Author
Posts: 11
Joined: Sat Apr 10, 2021 1:28 pm

WireGuard - Send all remote site traffic over main site WAN?

Sat Jan 22, 2022 3:41 pm

Hi Guys,

I'm struggling to wrap my head around this - I've read through several topics but I'm still not grasping the concept.
viewtopic.php?t=181205#
viewtopic.php?t=181488
https://help.mikrotik.com/docs/display/ROS/WireGuard

I have two Mikrotik routers:
Site A (Main site), RB2011UiAS directly connected to the internet via a pppoe-client with static IP.
Site B (Remote site), RB760iGS behind the ISP router. There is no static IP, so I use IP Cloud for DynDNS. My ISP router gives me 10.0.0.0/24, and I've configured my RB's eth1 to be on 10.0.0.1/24. I have a port forward set up sending all UDP/TCP traffic from WAN:1-65535 to 10.0.0.1:1-65535.

Site A (Main)
# jan/22/2022 14:26:49 by RouterOS 7.1
# software id = 
#
# model = 2011UiAS
# serial number = 
/interface bridge
add name=bridge1
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/ip pool
add name=dhcp_pool0 ranges=10.0.0.2-10.0.0.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1 name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=remotesiteip(dyndns) \
    endpoint-port=13231 interface=wireguard1 public-key=\
    "publickey"
/ip address
add address=10.0.0.1/24 comment=CLIENTS interface=bridge1 network=10.0.0.0
add address=172.16.0.1/30 comment="WG TUNNEL" interface=wireguard1 network=172.16.0.0
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.1,8.8.8.8 gateway=10.0.0.1
/ip dns
set servers=8.8.8.8
/ip firewall nat
add action=masquerade chain=srcnat
/ip route
add disabled=no distance=1 dst-address=10.0.1.0/24 gateway=172.16.0.2 \
    pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
Site B (Remote)
# jan/22/2022 14:28:34 by RouterOS 7.1
# software id = 
#
# model = RB760iGS
# serial number =
/interface bridge
add name=bridge1
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/ip pool
add name=dhcp_pool2 ranges=10.0.1.100-10.0.1.200
/ip dhcp-server
add address-pool=dhcp_pool2 interface=bridge1 name=dhcp1
/interface bridge port
add bridge=bridge1 ingress-filtering=no interface=ether2
add bridge=bridge1 ingress-filtering=no interface=ether3
add bridge=bridge1 ingress-filtering=no interface=ether4
add bridge=bridge1 ingress-filtering=no interface=ether5
add bridge=bridge1 ingress-filtering=no interface=sfp1
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=mainsiteip(static) endpoint-port=\
    13231 interface=wireguard1 public-key=\
    "publickey"
/ip address
add address=10.0.0.1/24 comment="ISP ROUTER" interface=ether1 network=10.0.0.0
add address=10.0.1.1/24 comment=LAN interface=bridge1 network=10.0.1.0
add address=172.16.0.2/30 comment="WG TUNNEL" interface=wireguard1 network=\
    172.16.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=10.0.1.0/24 dns-server=8.8.8.8 gateway=10.0.1.1
/ip dns
set servers=8.8.8.8
/ip firewall nat
add action=masquerade chain=srcnat
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.0.0.254 pref-src=\
    0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=\
    10
I've managed to connect the WG tunnel and I can ping each router on their respective tunnel IP - however I'm stumped as to how I can config my Site B router to basically be an extension of Site A's LAN and send all traffic through the VPN, out over Site A's WAN connection.

Any help will be gladly appreciated.
 
anav
Forum Guru
Posts: 11773
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard - Send all remote site traffic over main site WAN?

Sat Jan 22, 2022 4:25 pm

Read through this.......
viewtopic.php?t=182340

DO NOT DO THIS...............
I have port forward setup sending all UDP/TCP traffic from WAN:1-65535 to 10.0.0.1:1-65535.

Port forwarding from the ISP router to the MT router behind it is only required on a PER IP basis, if running a server behind the MT router.
In your case you are not running any servers that we know of. The MT device at the remote site you stated was acting as a client for establishing the initial connection.
Therefore no port forwarding is required if the interpretation is correct. But I hate guessing so............

What you need to state clearly is what is your intention(s) for the WG Tunnel
remote users to use local internet
local users to use remote internet
remote users to access local lan
local users to access remote lan
local admin to config remote MT
remote MT to config local MT
or any combination thereof, without clear requirements one might as well be pissing into the wind :-)

By the way, you need to post the entire config not snippets for support.
/export hide-sensitive file=anynameyouwish
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
Kruger99
just joined
Topic Author
Posts: 11
Joined: Sat Apr 10, 2021 1:28 pm

Re: WireGuard - Send all remote site traffic over main site WAN?

Sat Jan 22, 2022 6:40 pm

Hi Anav,

Thanks so much for the info - I read through the link provided and I'm sure I'm much closer now.

I have deleted the port forwards on the ISP router.
Here are the full configs of the two routers - with this setup, I can ping 8.8.8.8 as well as google.com from my router and PC on the 10.0.1.0/24 network (remote site), but I am unable to browse the internet and my Winbox sessions to remote routers constantly reconnect and have no info displaying when they open.

Site A (Main)
# jan/22/2022 18:20:25 by RouterOS 7.1
# software id = xxx
#
# model = 2011UiAS
# serial number = xxx
/interface bridge
add name=bridge1
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 user=\
    xxx
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool2 ranges=192.168.50.2-192.168.50.254
/ip dhcp-server
add address-pool=dhcp_pool2 interface=bridge1 name=dhcp1
/port
set 0 name=serial0
/queue simple
add name="ALL BANDWIDTH" target=bridge1
add limit-at=50M/50M max-limit=50M/50M name=xxx parent="ALL BANDWIDTH" \
    target=192.168.100.0/24
add limit-at=25M/25M max-limit=25M/25M name=xxx parent=\
    "ALL BANDWIDTH" target=102.x.x.x/32
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=sfp1
add bridge=bridge1 interface=ether10
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=dyndns \
    endpoint-port=13231 interface=wireguard1 public-key=\
    "xxx"
/ip address
add address=102.x.x.x/29 comment="GATEWAY IP FOR CLIENTS" interface=\
    bridge1 network=102.x.x.x
add address=172.16.0.1/30 comment="WIREGUARD TUNNEL" interface=wireguard1 \
    network=172.16.0.0
add address=192.168.50.1/24 comment=CLIENTS interface=bridge1 network=\
    192.168.50.0
/ip dhcp-server lease
add address=192.168.50.254 client-id=xxx comment=xxx \
    mac-address=xxx server=dhcp1
/ip dhcp-server network
add address=192.168.50.0/24 gateway=192.168.50.1
/ip dns
set servers=8.8.8.8
/ip firewall nat
add action=masquerade chain=srcnat
/ip firewall service-port
set sip disabled=yes
/ip route
add comment="xxx" disabled=no distance=1 dst-address=192.168.100.0/24 \
    gateway=192.168.50.254 pref-src=0.0.0.0 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="REMOTE LAN" disabled=no distance=1 dst-address=10.0.1.0/24 \
    gateway=wireguard1 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Africa/Johannesburg
/system identity
set name="xxx"


Site B (Remote)
# jan/22/2022 18:27:12 by RouterOS 7.1
# software id = xxx
#
# model = RB760iGS
# serial number = xxx
/interface bridge
add name=bridge1
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/ip pool
add name=dhcp_pool2 ranges=10.0.1.100-10.0.1.200
/ip dhcp-server
add address-pool=dhcp_pool2 interface=bridge1 name=dhcp1
/port
set 0 name=serial0
/routing bgp template
set default as=65530 disabled=no name=default output.network=bgp-networks
/routing ospf instance
add name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/routing table
add fib name=useWG
/interface bridge port
add bridge=bridge1 ingress-filtering=no interface=ether2
add bridge=bridge1 ingress-filtering=no interface=ether3
add bridge=bridge1 ingress-filtering=no interface=ether4
add bridge=bridge1 ingress-filtering=no interface=ether5
add bridge=bridge1 ingress-filtering=no interface=sfp1
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=102.xxx.xxx.xxx endpoint-port=\
    13231 interface=wireguard1 public-key=\
    "xxx"
/ip address
add address=10.0.0.1/24 comment=ISP interface=ether1 network=10.0.0.0
add address=10.0.1.1/24 comment=LAN interface=bridge1 network=10.0.1.0
add address=172.16.0.2/30 comment="WG TUNNEL" interface=wireguard1 network=\
    172.16.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=10.0.1.0/24 dns-server=8.8.8.8 gateway=10.0.1.1
/ip dns
set servers=8.8.8.8
/ip dns static
add address=10.0.1.4 name=xxx
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat disabled=yes dst-port=8443 protocol=tcp \
    to-addresses=10.0.1.22 to-ports=8443
add action=dst-nat chain=dstnat disabled=yes dst-port=8080 protocol=tcp \
    to-addresses=10.0.1.22 to-ports=8080
/ip firewall service-port
set sip disabled=yes
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.0.0.254 pref-src=\
    0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=\
    10
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=wireguard1 \
    pref-src=0.0.0.0 routing-table=useWG scope=30 suppress-hw-offload=no \
    target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=xxx
set api disabled=yes
set winbox port=xxx
set api-ssl disabled=yes
/routing rule
add action=lookup-only-in-table disabled=yes src-address=10.0.1.0/24 table=\
    useWG
/system clock
set time-zone-name=Africa/Johannesburg
/system identity
set name="xxx"
/system package update
set channel=testing 
Do you see anything wrong here?
Thanks.
Last edited by Kruger99 on Sat Jan 22, 2022 9:01 pm, edited 1 time in total.
 
own3r1138
Member
Posts: 392
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: WireGuard - Send all remote site traffic over main site WAN?

Sat Jan 22, 2022 6:57 pm

You are right, I am wrong
You are wise, I am dumb
You are wrong, you are dumb
Don't worry, it's all right to be dumb
 
anav
Forum Guru
Posts: 11773
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard - Send all remote site traffic over main site WAN?

Sat Jan 22, 2022 7:08 pm

Hi there, methinks you didn't quite understand at all LOL.
Take a careful look at your allowed addresses on both ends, read the article and then come back and tell me the error, so that I will know you understand.
For me I couldn't care less about stumbling upon the right config, but more so to understand the config, so that the right config falls out naturally.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
Kruger99
just joined
Topic Author
Posts: 11
Joined: Sat Apr 10, 2021 1:28 pm

Re: WireGuard - Send all remote site traffic over main site WAN?

Sat Jan 22, 2022 10:05 pm

I'm gonna sleep on it! Hopefully a fresh pair of eyes will figure it out tomorrow.

Thanks for the advice and help so far.
 
Kruger99
just joined
Topic Author
Posts: 11
Joined: Sat Apr 10, 2021 1:28 pm

Re: WireGuard - Send all remote site traffic over main site WAN?

Sun Jan 23, 2022 10:31 am

I'm sorry Anav, but I'm not getting any further.

I've changed my allowed addresses as follows however I still get the same result.

At site A I changed from 0.0.0.0/0 to only 172.16.0.2/30 (remote site WG IP) and 10.0.1.0/24 (remote LAN subnet)
[xxx@xxx] /interface/wireguard/peers> print detail
Flags: X - disabled 
 0   interface=wireguard1 
     public-key="xxx" 
     endpoint-address=xxx endpoint-port=13231 
     current-endpoint-address=xxx current-endpoint-port=xxx 
     allowed-address=172.16.0.2/30,10.0.1.0/24 rx=5.8KiB tx=4924 
     last-handshake=2m18s 

At site B I've left the config the same with 0.0.0.0/0
[xxx@xxx] /interface/wireguard/peers> print detail
Flags: X - disabled 
 0   interface=wireguard1 
     public-key="xxx" 
     endpoint-address=xxx endpoint-port=xxx 
     current-endpoint-address=xxx current-endpoint-port=xxx
     allowed-address=0.0.0.0/0 rx=4696 tx=6.5KiB last-handshake=51s 
As soon as I enable the static route & route rule on site B my connection gets whack.

I've read through your article a few times now - I'm not gonna lie, this simple setup is making me doubt my career in network administration... :?
 
anav
Forum Guru
Posts: 11773
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard - Send all remote site traffic over main site WAN?

Sun Jan 23, 2022 4:09 pm

Well don't get discouraged, we are dealing with an implementation of a new type of VPN, on a very new RoS.
Things will take time to get sorted; meantime I will have a look at your configs again.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
anav
Forum Guru
Posts: 11773
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard - Send all remote site traffic over main site WAN?

Sun Jan 23, 2022 5:46 pm

You still have not articulated what it is exactly you are trying to accomplish.
This is me just guessing.
A. You want to be able to remotely configure via winbox, the remote site Router.
B. You want the remote site router to use the internet provided by the main Router.
C. Let's review TWO facts about wireguard I had to re-learn today.

-IP addresses are not interfaces
-Wireguard Interface acts like an ethernet interface
Both of these come into play for how we setup our firewall rules and Routes on the router.

Let's look at WG for this.
MAIN SITE
name=wireguard1
listening port - 13321
(public key generated for use in remote routers peer settings)

MAIN peer settings
name: wireguard1
endpoint address who cares, same with end point port
Public key from the remote site router.
allowed addresses= 172.16.0.2/30, 10.0.1.0/24 { incoming users from remote site from remote site lanips (two IPs, and a subnet respectively) }

Note1: So what I do is look at the local lan of the Main Site and I notice that there is a local subnet of 192.168.50.0/24 and since none of the addresses above
matches anything on the local router I can conclude, those are bonafide addresses that exist on the other end of the tunnel that will be coming to the MAIN router, and thus, these source addresses will be allowed to exit the tunnel into the MAIN router. In other words, traffic will be only flowing one way.

However we know you want to be able to access and control the remote router the other way. Thus suggesting you take your admin IP from your PC and add it to the allowed addresses.
Such as 192.168.50.23. In this case you want to allow this IP to enter the Tunnel and head towards the Remote Site.

Note2: The other thing to note is that you're allowing an entire subnet to reach the main router, probably for internet access and as you state also for local Main subnet access.
Therefore it makes sense to setup a WIREGUARD interface address,
add address=10.0.1.0/24 comment="WIREGUARD TUNNEL" interface=wireguard1 \
network=10.0.1.0

DON'T WORRY about the two IPs also coming across the tunnel from the remote site of 172.16.0.2/30, they will be allowed in through the interface but have to be handled separately via the commensurate rules.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

MAIN ROUTER settings............. let's deal with the rest of the Main router whilst there.
1. clearly the listening port has to be setup on the input chain.

Wireguard Incoming Subnet:
2. The fact that we have an address for most of the incoming wireguard traffic means that we should have no need for any IP routes for the associated IP address as the router will handle those dynamically. If we have more peers, we have to handle those, what are basically return routes (from either queries to the internet or queries to the local subnets) back through the tunnel.

3. Firewall Rules have to be reviewed to see what must be done. However much to my dismay you have never provided the ???
So I am going to have to guess.
I am going to assume two things off the bat. You have read this article and have similar rule structure - viewtopic.php?t=180838

add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward
AND
/Interface list
WAN
LAN
etc..
/Interface list members
add interface=bridge list=LAN
add interface=wireguard1 list=LAN
etc.

So we have a forward chain where we DROP all the traffic period and just above that allow the traffic we want to have such as LAN to WAN traffic.
In addition, by adding the wireguard interface to the LAN interface list this will allow ALL wireguard traffic (all peers) to the internet, based on the above forward chain rules.

Now if you also want the remote SUBNET to be able to access the local subnet of the Main router you will need to add the forward chain rule.
add chain=forward action=accept src-address=10.0.1.0/24 dst-address=192.168.50.0/24
if you wanted to only have the TWO IPs connect to the subnet it would be
add chain=forward action=accept src-address=172.16.1.0/30 dst-address=192.168.50.0/24
finally if you wanted both...
add chain=forward action=accept in-interface=wireguard1 dst-address=192.168.50.0/24

As stated, because we have identified an address for the wireguard interface, we don't need any routes for the 10.0.1.0/24 users.
However we do need it for the group of two......
dst-address=172.16.1.0/30 gwy=wireguard1 table=main

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Lots to chew on there for sure................. So we have satisfied the remote router to main router traffic flow.

Let's look at the REMOTE Router Settings
Wireguard Interface
not much here needed except the public key generated that goes into the Peer settings of the Main router.

Peer Settings: Here we are setting what DESTINATION addresses are allowed to exit the router.
Thus we can put 0.0.0.0/0 (as that describes both internet which is desired as well as the subnet 192.168.50.0/24 at the other end).
If for example it was only to be to a subnet, that was going to be accessed by client users, then 192.168.50.0/24 would be the only entry.
(remember what is actually allowed at the MAIN site is controlled by allowed entries at the Main wireguard interface and of course after that by firewall rules).

But let's remember, that there is incoming traffic to the Remote Router as well (admin to config the remote router) and thus we have to tell the router what IP address is allowed to exit the tunnel at the remote site and thus we need to add 192.168.50.23/32

Since the remote client router initiates the connection we also should set its PEER keep alive at let's say 40 seconds........

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Now what about ROUTER settings at the Remote Site.
(1) Well let's deal with the incoming traffic from the Admin on the Main router.
Admin needs access ONLY to the ROUTER itself. aka input chain

Looking at a standard configuration there are two options.
ADD the wg interface to an allowed interface list that already has access to the ROUTER (could be LAN, could be Management etc........)
OR
Simply make an individual rule, before the last drop rule.
add chain=input action=accept in-interface=wireguard1 src-address=192.168.50.23 (you could probably do without source address but it's clear and non-ambiguous when reading it)

(2) NO NEED for any address for the WG interface on this router!!

(3) Last step is to add a route so that return traffic from the admin queries to the router goes back out the interface.
dst=192.168.50.23 gwy=wireguard1 table=main.

++++++++++++++++++++

Now we have to ensure that the outgoing traffic from users on the Remote Router, is handled appropriately and that is for both the two users and the entire subnet. We want to ensure they use the tunnel and not the Remote router routing!! Thus we have to FORCE that traffic through the tunnel and not out the remote site wan ....
Create two tables
/routing table name=subnetForce fib
/routing table name=TWOuserForce fib

Two IP routes
dst-address=0.0.0.0/0 gwy=wireguard1 table=subnetForce
dst-address=0.0.0.0/0 gwy=wireguard1 table=TWOuserForce

Two Route rules to match
src-address=10.0.1.0/24
Action: lookup-only-in-table
Table: subnetForce

src-address=172.16.1.0/30
Action: lookup-only-in-table
Table: TWOuserForce

DONE.........
now all traffic for both the subnet and two users will go out the tunnel.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
hope this helps!!
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
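The allowed-address behaviour anav describes above (a source filter on the way in, a destination selector on the way out) is the part that is easiest to get backwards, so here is an added Python model of it. It is an illustration written for this thread, not code from the thread or from RouterOS. It uses the peer entries Kruger99 posted on Jan 23 (main site 172.16.0.2/30,10.0.1.0/24; remote site 0.0.0.0/0) and the example hosts anav names (admin PC 192.168.50.23, remote laptop 10.0.1.55); the peer names are made up for the model.

```python
"""Model of WireGuard allowed-address ("cryptokey routing") checks.

Added illustration for the forum thread, not RouterOS code. Addresses come
from the configs quoted in the thread; peer names are invented labels.
"""
import ipaddress


def _net(spec):
    # strict=False: "172.16.0.2/30" is taken as the network 172.16.0.0/30,
    # which is how a host address with a prefix length behaves in matching.
    return ipaddress.ip_network(spec, strict=False)


class Peer:
    """One /interface wireguard peers entry: a label and its allowed-address list."""

    def __init__(self, name, allowed):
        self.name = name
        self.allowed = [_net(a) for a in allowed]


def select_peer(peers, dst):
    """Egress side: the plaintext destination is matched against every peer's
    allowed-address list, longest prefix wins. No match means the packet is
    never encrypted or sent into the tunnel at all."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for peer in peers:
        for net in peer.allowed:
            if addr in net and net.prefixlen > best_len:
                best, best_len = peer, net.prefixlen
    return best


def accept_inbound(peer, src):
    """Ingress side: after decryption the inner source must lie inside the
    sending peer's allowed-address list, otherwise WireGuard silently drops
    the packet. With one peer per interface, as here, that is a membership test."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in peer.allowed)


def tunnel_ok(sender_peers, receiver_peer, src, dst):
    """One direction through the tunnel: egress selection on the sending router,
    then the ingress source check on the receiving router. receiver_peer is the
    receiving router's peer entry that describes the sender."""
    if select_peer(sender_peers, dst) is None:
        return "no peer for destination"
    if not accept_inbound(receiver_peer, src):
        return "dropped by receiver allowed-address"
    return "ok"


# Peer entries as posted on Jan 23: main site restricted, remote site still 0.0.0.0/0.
MAIN_PEERS = [Peer("remote-router", ["172.16.0.2/30", "10.0.1.0/24"])]
REMOTE_PEERS = [Peer("main-router", ["0.0.0.0/0"])]

ADMIN_PC = "192.168.50.23"   # anav's example admin host on the main LAN
REMOTE_LAPTOP = "10.0.1.55"  # anav's example host on the remote LAN


def scenarios():
    """Each traffic flow discussed in the thread, evaluated through both checks."""
    return {
        # remote LAN host reaching the internet through the main site
        "lan-to-internet": tunnel_ok(REMOTE_PEERS, MAIN_PEERS[0], REMOTE_LAPTOP, "8.8.8.8"),
        # the reply, after the main site's NAT is undone, heading back down the tunnel
        "internet-reply": tunnel_ok(MAIN_PEERS, REMOTE_PEERS[0], "8.8.8.8", REMOTE_LAPTOP),
        # admin PC on the main LAN managing the remote router
        "admin-to-remote-router": tunnel_ok(MAIN_PEERS, REMOTE_PEERS[0], ADMIN_PC, "10.0.1.1"),
        # anav's "only 192.168.50.0/24" case on the remote side: internet is no longer selectable
        "remote-restricted-to-main-lan": tunnel_ok(
            [Peer("main-router", ["192.168.50.0/24"])], MAIN_PEERS[0], REMOTE_LAPTOP, "8.8.8.8"),
        # main side without the remote LAN prefix: the LAN's packets arrive but are discarded
        "lan-without-prefix": tunnel_ok(
            REMOTE_PEERS, Peer("remote-router", ["172.16.0.2/30"]), REMOTE_LAPTOP, "8.8.8.8"),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:32s} {result}")
```

Two things the model makes visible: the remote side's 0.0.0.0/0 is what lets internet replies and the admin PC back in, and narrowing it to the main LAN alone (anav's "only 192.168.50.0/24" case) would stop the remote LAN reaching the internet at all. The model also assumes, as anav's later snippet does, that masquerade is limited to the WAN interface; the unrestricted `add action=masquerade chain=srcnat` in the posted main-site config would rewrite the inner source of tunnel-bound packets to the tunnel address as well, so a source-based rule like the input accept for 192.168.50.23 would never match on the remote side.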
 
Kruger99
just joined
Topic Author
Posts: 11
Joined: Sat Apr 10, 2021 1:28 pm

Re: WireGuard - Send all remote site traffic over main site WAN?

Sun Jan 23, 2022 8:33 pm

Hi Anav,

I'm gonna hit this hard and let you know as soon as I've properly read through everything and played with my configs.

Thanks for the detailed response and effort in assisting with the problem, I really appreciate it!
 
anav
Forum Guru
Posts: 11773
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard - Send all remote site traffic over main site WAN?

Sun Jan 23, 2022 9:05 pm

If I can compartmentalize this.

1. PLAN traffic flows - from where to where for all use cases! (Don't forget Admin to Router for configuration if required)
2. PLAN Originating the tunnel - which site will start the tunnel request (client).
3. PLAN how to get the traffic exiting from wg interface to where it needs to go (firewall rules)
4. PLAN how to get the traffic routed properly (IP routes predominantly, and possibly dynamically accomplished by IP address if assigned to WG interface)
5. CONFIGURE Wireguard interfaces iaw the above. (Don't forget allowed addresses address both directions of traffic).
6. CONFIGURE Router settings.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
mozerd
Forum Veteran
Posts: 777
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: WireGuard - Send all remote site traffic over main site WAN?

Sun Jan 23, 2022 11:02 pm

@Kruger99
You may find the following Free version of a network diagram tool helpful .. I know that @anav would certainly appreciate a clear traffic flow :D
https://online.visual-paradigm.com/diag ... -software/
 
anav
Forum Guru
Posts: 11773
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard - Send all remote site traffic over main site WAN?

Mon Jan 24, 2022 5:10 pm

Nice find, I just used it on my Wireguard Article!! It's a start LOL.

At OP.
Trying to understand what you are trying to accomplish??
What do you want?

1. have remote site use main site WAN connection for internet! YES!
2. have remote site users be able to access main site subnets?? (unk) so will ignore for now
or
3. have main site users access remote site subnets? (unk) so will ignore for now
4. have admin located on main site, be able to config remote site router? YES!

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

MAIN SITE CHANGES
/interface wireguard
add listen-port=16161 mtu=1420 name=wireguard1 { I prefer not to use known default ports }
public key="xxx"

/interface wireguard peers
add allowed-address=10.0.1.0/24 { this is the source IPs of the incoming subnet. It happens also to describe the destination IP for the router to match/select when admin uses winbox to config remote router }
interface=wireguard1
public-key="yyy"
/ip address
add address= for wireguard tunnel - { remove not required }
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
/ip route
add dst-address=10.0.1.0/24 gateway=wireguard1 table=main { for traffic to get returned back to users through the tunnel and allows admin PC to access Remote Router }
/IP FIREWALL
add chain=input action=accept dst-port=16161 protocol=udp
add chain=forward action=accept in-interface=wireguard1 out-interface=pppoe-1 { you can add src-address-list=10.0.1.0/24 but not required, however would be a good approach if you had multiple peers and some didnt get internet access }
OR
if you had added the wg interface as a list member of LAN and you have the existing rule allowing LAN interface to the internet you are good to go!

REMOTE SITE CHANGES
# model = RB760iGS
/interface wireguard
add listen-port=16161 mtu=1420 name=wireguard1
public key="yyy"
/routing table
add fib name=useWG
/interface wireguard peers
add allowed-address=0.0.0.0/0, 192.168.50.X { whatever Ip address your admin PC has }
endpoint-address=mynetnameMainRouter
endpoint-port=16161
interface=wireguard1
public-key="xxx"
/ip address { no IP address required for WG tunnel not needed }
/ip route
add dst-address=0.0.0.0/0 gateway=wireguard1 table=useWG
/routing rule
add action=lookup-only-in-table disabled=yes src-address=10.0.1.0/24 table=useWG
/IP FIREWALL
add chain=input action=accept in-interface=wireguard1 src-address=192.168.50.X
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
Kruger99
just joined
Topic Author
Posts: 11
Joined: Sat Apr 10, 2021 1:28 pm

Re: WireGuard - Send all remote site traffic over main site WAN?

Tue Jan 25, 2022 10:26 am

Hi Anav,

Apologies for not clarifying what I exactly want. Here is a brief description:
1. Remote site LAN route all traffic through Main site WAN
2. Main site access to remote LAN for port forwards (will be running servers at remote site, require comms both ways.)
3. Remote site access to Main Site router (access Main MT from PC on remote LAN)

I haven't yet been able to play with the configs again. I'm going to give it a go now with the new info you provided and revert back.

Regards.
 
anav
Forum Guru
Posts: 11773
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard - Send all remote site traffic over main site WAN?

Tue Jan 25, 2022 11:23 am

Wow that makes it way more complex, I had not thought of the possibility of port forwarding within the tunnel.
In this case wouldn't that simply be accessing a subnet server through the tunnel and NOT port forwarding??
Detail almost enough I think........
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
anav
Forum Guru
Posts: 11773
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard - Send all remote site traffic over main site WAN?

Tue Jan 25, 2022 2:53 pm

Okay I will pull the truth out of you eventually LOL

Requirements attempt #25.

1. The Remote Site subnet shall use the Local Site WAN for all internet traffic
2. The Main site subnet will require access to the Remote site subnet so users can access servers (NOT PORT FORWARDING)
Note: By directionality I mean which side is source of request and which side is recipient. There can only be one flow direction, traffic coming back is not originating traffic, it's REPLY traffic.
3. One IP address on the subnet on the remote site requires the ability to configure the Local MT.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
new and improved!!

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

MAIN SITE CHANGES
/interface wireguard
add listen-port=16161 mtu=1420 name=wireguard1 { I prefer not to use known default ports }
public key="xxx"

/interface wireguard peers
add allowed-address=10.0.1.0/24
{ this covers the source IPs of the incoming subnet. }
{ It happens to also cover the single IP coming from a laptop, within that subnet, to configure the router, let's say 10.0.1.55/32 }
{ It happens to describe the destination IPs for the Local Router to match/select when users attempt to reach the Remote Routers servers }
interface=wireguard1
public-key="yyy"
/ip address
add address= for wireguard tunnel - { remove not required }
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
/ip route
add dst-address=10.0.1.0/24 gateway=wireguard1 table=main { covers all needs }
/IP FIREWALL
add chain=input action=accept dst-port=16161 protocol=udp
add chain=input action=accept dst-port=winboxport in-interface=wireguard1 src-address=10.0.1.55/32
add chain=forward action=accept in-interface=wireguard1 out-interface=pppoe-1 { you can add src-address-list=10.0.1.0/24 but not required, however would be a good approach if you had multiple peers and some didnt get internet access }
OR
if you had added the wg interface as a list member of LAN and you have the existing rule allowing LAN interface to the internet you are good to go!
add

Note: ensure you add 10.0.1.55/32 and wireguard interface if necessary to other settings that you may have used to limit winbox access.

REMOTE SITE CHANGES
# model = RB760iGS
/interface wireguard
add listen-port=16161 mtu=1420 name=wireguard1
public key="yyy"
/routing table
add fib name=useWG
/interface wireguard peers
add allowed-address=0.0.0.0/0, 192.168.50.0/24
endpoint-address=mynetnameMainRouter
endpoint-port=16161
interface=wireguard1
public-key="xxx"
/ip address { no IP address required for WG tunnel not needed }
/ip route
add dst-address=0.0.0.0/0 gateway=wireguard1 table=useWG
add dst-address=192.168.50.0/24 gateway=wireguard1 table=main
/routing rule
add action=lookup-only-in-table disabled=yes src-address=10.0.1.0/24 table=useWG
/IP FIREWALL
add chain=forward action=accept in-interface=wireguard1 src-address=192.168.50.0/24 dst-address-list=remoteServ

where the IP firewall address list is thus:
add address=IPof Server1 list=remoteServ
add address=IPof Server2 list=remoteServ
add address=IPof Server3 list=remoteServ
etc.....
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
mozerd
Forum Veteran
Posts: 777
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: WireGuard - Send all remote site traffic over main site WAN?

Tue Jan 25, 2022 3:02 pm

@Kruger99
@anav is making herculean efforts to help you .... perhaps you could make it far easier for anav if you took up my suggestion following viewtopic.php?p=908075#p907682 ... it's a well known fact that a diagram showing the traffic flow is worth its weight in GOLD. :D
 
Kruger99
just joined
Topic Author
Posts: 11
Joined: Sat Apr 10, 2021 1:28 pm

Re: WireGuard - Send all remote site traffic over main site WAN?

Wed Jan 26, 2022 6:57 pm

Hi @mozerd, @anav,

Apologies for the lack of communication and info from my side. I really appreciate your feedback and support.

Hopefully this diagram helps.
To clarify:
- Site A's LAN does not have to be able to communicate with Site B's LAN (I work from neither site and access the routers remotely)
- A server will be hosted at Site B and I would like to access that server over Site A's WAN (as if the server was an extension of Router A on its own subnet)
- I disable all filter rules on both firewalls during testing.
- Both routers are now running 7.1.1

Also - when I remove my 172.16.0.0/30 IPs from either side, I am unable to ping the opposite side's subnets from the routers, even with static routes in place.

I've updated my router configs as shown below... However when I activate the WG routing:
1. I am unable to access my Site B router remotely and have to use Winbox to connect to the MAC address when on site
2. I can ping google.com as well as traceroute to google.com from the router as well as from Site B LAN (correctly routes through Site A router) but I do not have internet access

Site A:
# jan/26/2022 18:49:43 by RouterOS 7.1.1
# software id = xxx
#
# model = 2011UiAS
# serial number = xxx
/interface bridge
add name=bridge1
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 user=\
    xxx
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.0.0.2-10.0.0.254
add name=dhcp_pool1 ranges=10.0.1.100-10.0.1.200
add name=dhcp_pool2 ranges=192.168.50.2-192.168.50.254
/ip dhcp-server
add address-pool=dhcp_pool2 interface=bridge1 name=dhcp1
/port
set 0 name=serial0
/queue simple
add name="ALL BANDWIDTH" target=bridge1
add limit-at=50M/50M max-limit=50M/50M name=xxx parent="ALL BANDWIDTH" \
    target=192.168.100.0/24
add limit-at=25M/25M max-limit=25M/25M name="xxx" parent=\
    "ALL BANDWIDTH" target=xxx/32
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=sfp1
add bridge=bridge1 interface=ether10
/interface wireguard peers
add allowed-address=10.0.1.0/24,172.16.0.0/30 endpoint-address=\
    xxx endpoint-port=13231 interface=wireguard1 \
    public-key="xxx"
/ip address
add address=x.x.x.x/29 comment="GATEWAY IP FOR CLIENTS" interface=\
    bridge1 network=x.x.x.x
add address=192.168.50.1/24 comment=CLIENTS interface=bridge1 network=\
    192.168.50.0
add address=172.16.0.1/30 comment="WG TUNNEL" interface=wireguard1 network=\
    172.16.0.0
/ip dhcp-server lease
add address=192.168.50.254 client-id=1:2c:c8:1b:9c:fd:b comment=xxx \
    mac-address=xxx server=dhcp1
/ip dhcp-server network
add address=192.168.50.0/24 gateway=192.168.50.1
/ip dns
set servers=8.8.8.8
/ip firewall filter
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
/ip firewall service-port
set sip disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add comment="xxx" disabled=no distance=1 dst-address=192.168.100.0/24 \
    gateway=192.168.50.254 pref-src=0.0.0.0 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=no dst-address=10.0.1.0/24 gateway=wireguard1 routing-table=main \
    suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Africa/Johannesburg
/system identity
set name="xxx"

Site B:
# jan/26/2022 18:48:32 by RouterOS 7.1.1
# software id = xxx
#
# model = RB760iGS
# serial number = xxx
/interface bridge
add name=bridge1
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool2 ranges=10.0.1.100-10.0.1.200
/ip dhcp-server
add address-pool=dhcp_pool2 interface=bridge1 name=dhcp1
/port
set 0 name=serial0
/routing bgp template
set default as=65530 disabled=no name=default output.network=bgp-networks
/routing ospf instance
add name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/routing table
add fib name=WGTunnel
/interface bridge port
add bridge=bridge1 ingress-filtering=no interface=ether2
add bridge=bridge1 ingress-filtering=no interface=ether3
add bridge=bridge1 ingress-filtering=no interface=ether4
add bridge=bridge1 ingress-filtering=no interface=ether5
add bridge=bridge1 ingress-filtering=no interface=sfp1
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=xxx endpoint-port=\
    13231 interface=wireguard1 persistent-keepalive=40s public-key=\
    "xxx"
/ip address
add address=10.0.0.1/24 comment=ISP interface=ether1 network=10.0.0.0
add address=10.0.1.1/24 comment=LAN interface=bridge1 network=10.0.1.0
add address=172.16.0.2/30 comment="WG TUNNEL" interface=wireguard1 network=\
    172.16.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=10.0.1.0/24 dns-server=8.8.8.8 gateway=10.0.1.1
/ip dns
set servers=8.8.8.8
/ip firewall nat
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat disabled=yes dst-port=8443 protocol=tcp \
    to-addresses=10.0.1.22 to-ports=8443
add action=dst-nat chain=dstnat disabled=yes dst-port=8080 protocol=tcp \
    to-addresses=10.0.1.22 to-ports=8080
/ip firewall service-port
set sip disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.0.0.254 pref-src=\
    0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=\
    10
add disabled=no distance=1 dst-address=192.168.50.0/24 gateway=wireguard1 \
    pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=\
    WGTunnel suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=xxx
set api disabled=yes
set winbox port=xxx
set api-ssl disabled=yes
/routing rule
add action=lookup-only-in-table src-address=10.0.1.0/24 table=\
    WGTunnel
/system clock
set time-zone-name=Africa/Johannesburg
/system identity
set name="xxx"
I would really understand if you'd rather kill this thread - I'm thinking of using a plain old VPN site to site setup with L2TP/IPsec...
 
anav
Forum Guru
Posts: 11773
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard - Send all remote site traffic over main site WAN?

Wed Jan 26, 2022 7:30 pm

Kewl, nice diagram.
Requirements and Questions!

(1) LAN B users, all go out Router at LAN A for internet.
(2) Admin requires access to Server on LAN B, but through the Router at LAN A and specifically through the wireguard tunnel.

Q1, How do you configure the Routers via winbox if not through WireGuard ???

Q2. WHY?
Why not just wireguard from your PC/laptop directly to LAN B to reach the server?

From my vantage point, the only reason you need a wireguard connection between both routers is requirement 1.
Since Router Lan A has a public IP and Router Lan B can port forward ports to your MT device, there is no reason to use the long twisted route you desire.


To me the requirements are
a. lan b users to go out Router lan a internet { a tunnel between sites/devices }
b. remote user access to Router lan a [for config purposes] { a tunnel from remote user to Router Lan A / laptop to router }
c. remote user access to Router lan b [for config purposes and to access server] { a tunnel from remote user to Router Lan B / laptop to router }

Solutions can be variable.
1. One wg interface on Router Lan a with two peers, and one wg interface on Router Lan b with two peers, to address the requirements.
2. Same but ADD
a. the ability for the admin to wireguard to either Router Lan A OR Router Lan B, AND THEN use the other tunnel to configure the far router (another layer of complexity)
b. the ability for the admin to wireguard to Router Lan A and reach the server on Router Lan B.

Consider using zerotier Switch/Network, at least for the server access!!
Node 1 - Router Lan B
Node 2 - Admin laptop
It's like you're on a switch any time, day or night, if you turn it on at the laptop.
 
t4thfavor
just joined
Posts: 5
Joined: Tue Apr 13, 2021 4:40 pm

Re: WireGuard - Send all remote site traffic over main site WAN?

Tue Feb 15, 2022 10:21 pm

I do something similar to send all the traffic for a certain host out the other end of a WG tunnel.

Literally all I did was create a pre-routing mangle rule to mark the routing with the "Spectrum" routing table, and mark it not pass through because I want that traffic to skip the rest of the mangler.

chain=prerouting action=mark-routing new-routing-mark=Spectrum
passthrough=no src-address=192.168.107.27 log=no log-prefix=""

Then in routing I have a default gateway defined as such.

dst-address=0.0.0.0/0 routing-table=Spectrum pref-src= gateway=10.10.38.1 immediate-gw=ReidWG check-gateway=ping distance=150 scope=30 target-scope=10 suppress-hw-offload=no
 
anav
Forum Guru
Posts: 11773
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard - Send all remote site traffic over main site WAN?

Wed Feb 16, 2022 1:26 am

Okay, Got it and I Finally HAVE GRASPED What you are asking. This is EASY PEASY!!
Also a very cool example of PEER TO PEER TRAFFIC!!

Admin Requirements:
You need access to site A (which has a public IP and is thus reachable). Thus you will be able to config Router A!
You also need to access site B (which is not reachable, not a public IP and you have no control/access to ISP router)
Hence you need to get to Site A but then also reach Site B and specifically a Server on Site B. I will set it up that you can also config Router B.

User Requirements:
User at site B must use Site A for all internet.
?? Did you want any other users on Main Router subnet to access server ?? Assuming NO for now!
?? Did you want INTERNET users to be able to access B server through Site A normal internet??? Assuming NO for now!

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
SOLUTION.

Site A. Showing changes ONLY

/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1 { dont need endpoint info as this is a server only site }
/ip pool { no other pools required based on your diagram }
add name=dhcp_pool2 ranges=192.168.50.2-192.168.50.254
/interface wireguard peers
add allowed-address=10.0.1.0/24,172.16.0.0/30 interface=wireguard1 \ { good cover all incoming source IPs and also destination IPs on the Remote Router }
public-key="xxx"
/ip address { need to cover roadwarriors and Site B subnet for Wireguard interface IP addresses }
add address=x.x.x.x/29 comment="GATEWAY IP FOR CLIENTS" interface=\ { Where did this come from? remove if not needed }
bridge1 network=x.x.x.x

add address=192.168.50.1/24 comment=CLIENTS interface=bridge1 network=\
192.168.50.0
add address=10.0.1.254/24 network=10.0.1.0
add address=172.16.0.1/30 comment="WG TUNNEL" interface=wireguard1 network=\
172.16.0.0

WILL ADDRESS FILTER RULES separately these are woefully incomplete and if using wireguard no need for SSH...... In fact, use SSTP free from Remote Winbox instead.........

What you will need as a minimum.
add chain=input action=accept dst-port=13231 protocol=udp { allows the peers to reach the main router and wg interface }
add chain=input action=accept dst-port=WINBOXPORT in-interface=wireguard1 src-address=172.16.0.0/30 { allows the admin to reach the router for config purposes }
+++++++++++++++++
add chain=forward action=accept in-interface=wireguard1 out-interface-list=WAN src-address=10.0.1.0/24 { allows remote site users to access internet through main router }
add chain=forward action=accept src-address=172.16.0.0/30 dst-address=10.0.1.0/24 { allows admin to access both Remote router for config and any device on subnet including server! }

/ip route nil required! { assuming default route selected as yes, under pppoe-client settings so no IP route will show under this setting }
Note: Since you have IP addresses covering both the site B subnet and Road warriors, the router will automatically route any LAN traffic or internet traffic back through the wireguard interface and peers as required.

Site B. Showing changes ONLY

/interface wireguard
add listen-port=13231 mtu=1420 name=wireguardR { listen port not really required and I would use a different name for interface so never can confuse the two devices }
/routing table
add fib name=WGTunnel { good }
/interface wireguard peers { the allowed address setting is good allows outgoing internet requests and all the expected incoming traffic as well from the admin }
add allowed-address=0.0.0.0/0 endpoint-address=xxx endpoint-port=\
13231 interface=wireguardR persistent-keepalive=40s public-key=\
"xxx"
/ip address
add address=10.0.0.1/24 comment=ISP interface=ether1 network=10.0.0.0
add address=10.0.1.1/24 comment=LAN interface=bridge1 network=10.0.1.0
add address=172.16.0.254/24 comment="WG TUNNEL" interface=wireguardR network=\
172.16.0.0

OKAY what is confusing is why do you have Destination NAT rules? If you cannot port forward from the ISP router
then you cannot host any servers behind this device???

/ip firewall nat
add action=masquerade chain=srcnat in-interface-list=WAN
add action=dst-nat chain=dstnat disabled=yes dst-port=8443 protocol=tcp \
to-addresses=10.0.1.22 to-ports=8443
add action=dst-nat chain=dstnat disabled=yes dst-port=8080 protocol=tcp \
to-addresses=10.0.1.22 to-ports=8080


Also confusing is your IP route setup.
The first route is required! which sends normal traffic out to the ISP router. Default type route!
The second route is NOT REQUIRED, you have no traffic headed towards the LAN subnet of the Main Site A Router (you stated internet only!!)

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.0.0.254 pref-src=\
0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=\
10
add disabled=no distance=1 dst-address=192.168.50.0/24 gateway=wireguard1 \
routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10

add disabled=no dst-address=0.0.0.0/0 gateway=wireguardR routing-table=\
WGTunnel suppress-hw-offload=no

/routing rule { good }
add action=lookup-only-in-table src-address=10.0.1.0/24 table=\
WGTunnel

Finally again NO firewall rules??
Minimum would be
add chain=input action=accept in-interface=wireguardR src-address=172.16.0.0/30 dst-port=winboxport { so you can configure router B }
++++++++++++++++
add chain=forward action=accept in-interface=wireguardR src-address=172.16.0.0/30 dst-address=IPofServer
(if you wanted access to the whole LAN subnet dst-address=10.0.1.0/24)
Last edited by anav on Wed Feb 16, 2022 1:33 am, edited 1 time in total.
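An added example, not from anyone in this thread: a short Python model of the RouterOS v7 policy-routing decision that the Site B configuration above relies on (routing rule first, then a table lookup, then WireGuard's peer allowed-address filter on the Site A side). Addresses, table and interface names are the thread's; the helper functions are this example's own, and the model is deliberately simplified (no connection tracking, no NAT).

```python
# Added example, not from the forum thread. Models the RouterOS v7 routing
# decision used at Site B: /routing rule -> routing table -> gateway, plus the
# WireGuard allowed-address check a decrypted packet faces at Site A.
from ipaddress import ip_address, ip_network

# Site B routing tables as posted: dst prefix -> gateway (next hop or interface).
ROUTES_B = {
    "main": {
        "0.0.0.0/0": "10.0.0.254",        # ISP router, used by the router itself
        "192.168.50.0/24": "wireguardR",  # the route anav calls not required
    },
    "WGTunnel": {
        "0.0.0.0/0": "wireguardR",        # LAN B internet goes into the tunnel
    },
}

# /routing rule entries of Site B, evaluated top to bottom.
RULES_B = [
    {"src": "10.0.1.0/24", "action": "lookup-only-in-table", "table": "WGTunnel"},
]

def lookup(table, dst):
    """Longest-prefix match inside one table; None when no route matches."""
    best = None
    for prefix, gw in table.items():
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return None if best is None else best[1]

def route(routes, rules, src, dst):
    """Gateway RouterOS would select, or None when the packet is unroutable."""
    for rule in rules:
        if ip_address(src) not in ip_network(rule["src"]):
            continue
        gw = lookup(routes[rule["table"]], dst)
        if rule["action"] == "lookup-only-in-table":
            return gw                  # no fallback: an empty table means drop
        if gw is not None:             # action=lookup falls back to main below
            return gw
    return lookup(routes["main"], dst)

def wg_accepts(allowed, src):
    """WireGuard cryptokey routing: a decrypted packet is kept only when its
    source address lies inside the sending peer's allowed-address list."""
    return any(ip_address(src) in ip_network(a) for a in allowed)

# Site A's peer entry for Site B as posted: allowed-address=10.0.1.0/24,172.16.0.0/30
SITE_A_PEER_ALLOWED = ["10.0.1.0/24", "172.16.0.0/30"]

if __name__ == "__main__":
    print(route(ROUTES_B, RULES_B, "10.0.1.50", "8.8.8.8"))  # LAN B host -> wireguardR
    print(route(ROUTES_B, RULES_B, "10.0.0.1", "8.8.8.8"))   # router itself -> 10.0.0.254
    print(wg_accepts(SITE_A_PEER_ALLOWED, "10.0.1.50"))       # True, inside 10.0.1.0/24
    print(wg_accepts(SITE_A_PEER_ALLOWED, "10.0.0.1"))        # False, ISP-side source
```

Swapping in an empty WGTunnel table shows the lookup-only-in-table edge: LAN B packets then have no route at all rather than falling back to the ISP default, which is the behaviour to look for when the tunnel side loses its default route.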
 
anav
Forum Guru
Posts: 11773
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard - Send all remote site traffic over main site WAN?

Wed Feb 16, 2022 1:32 am

FIREWALL RULES TO PUT ON BOTH ROUTERS.

add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
{ PUT WIREGUARD INPUT CHAIN RULES HERE }
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else"
{forward chain}
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
{ PUT WIREGUARD FORWARD CHAIN RULES HERE }
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
