siwatsirichai
just joined
Topic Author
Posts: 2
Joined: Fri May 20, 2022 8:53 am

WireGuard Site-to-Site can't connect from bridge

Fri May 20, 2022 8:59 am

The situation is that I have a Site-to-Site WireGuard VPN between pfSense and a hAP ac3.
I can ping the device at home if I set "interface=homevpnclient", but when I use "interface=bridge", it times out:
[admin@MikroTik] /tool> ping 192.168.0.134 interface=bridge
  SEQ HOST                                     SIZE TTL TIME       STATUS        
    0 192.168.0.134                                                timeout       
    1 192.168.0.134                                                timeout       
    2 192.168.0.134                                                timeout       
    3 10.100.2.1                                 84  64 127ms188us host unreac...
    4 192.168.0.134                                                timeout       
    sent=5 received=0 packet-loss=100% 

[admin@MikroTik] /tool> ping 192.168.0.134 interface=homevpnclient 
  SEQ HOST                                     SIZE TTL TIME       STATUS        
    0 192.168.0.134                              56  63 161ms362us
    1 192.168.0.134                              56  63 286ms419us
    sent=2 received=2 packet-loss=0% min-rtt=161ms362us avg-rtt=223ms890us 
   max-rtt=286ms419us 

[admin@MikroTik] /tool> 
Home Network: 192.168.0.0/16
Mikrotik Network: 10.100.2.0/24

Configuration:
# may/20/2022 12:57:00 by RouterOS 7.2.3
# software id = Q9US-L2X7
#
# model = RBD53iG-5HacD2HnD
# serial number = F34E0F51C32B
/interface bridge
add admin-mac=DC:2C:6E:13:64:D8 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=MikroTik-1364DC wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=MikroTik-1364DD wireless-protocol=802.11
/interface wireguard
add listen-port=13231 mtu=1420 name=homevpnclient
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=10.100.2.100-10.100.2.200
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=192.168.0.0/16,10.15.210.1/32,::/0 endpoint-address=\
    siwatsystem.com endpoint-port=51820 interface=homevpnclient \
    persistent-keepalive=10s public-key=\
    "  :(  "
/ip address
add address=10.100.2.1/24 interface=bridge network=10.100.2.0
add address=10.15.210.3/24 interface=homevpnclient network=10.15.210.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.100.2.0/24 comment=defconf dns-server=10.100.2.1 gateway=\
    10.100.2.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward dst-address=192.168.0.0/16 src-address=\
    10.100.2.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=192.168.0.0/16 \
    gateway=10.15.210.1 pref-src=0.0.0.0 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" \
    src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" \
    dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Asia/Bangkok
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
siwatsirichai
just joined
Topic Author
Posts: 2
Joined: Fri May 20, 2022 8:53 am

Re: WireGuard Site-to-Site can't connect from bridge

Fri May 20, 2022 11:07 am

I tried to ping the address from a LAN computer, and it got through.
Now the problem is that I can't access an HTTP server in the home network: when I curl from the client computer, it times out,
but when I use fetch on the MikroTik, it works fine.
SSH to the home server does work, however.
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard Site-to-Site can't connect from bridge

Fri May 20, 2022 6:25 pm

There are not that many things to check:
1. WireGuard settings, usually an issue with allowed IPs.
2. Firewall rules, which allow WG traffic to enter the tunnel outbound, OR which allow external users coming in out of the WireGuard tunnel to the local LAN, or to the router for config, or to the internet (local WAN).
3. IP routes, to direct traffic to the tunnel (outbound traffic or return traffic for external users).

viewtopic.php?p=906311
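As an added illustration of checks 1 and 3 above (this is not code from the thread, from the poster, or from MikroTik), the Python below models longest-prefix route lookup and WireGuard's cryptokey routing in both directions. The MikroTik side is transcribed from the export in the first post (10.100.2.0/24 on bridge, 10.15.210.0/24 on homevpnclient, 192.168.0.0/16 via 10.15.210.1, peer allowed-address 192.168.0.0/16,10.15.210.1/32,::/0). The pfSense side is not shown in the thread, so its routes, its interface name "wg0" and the two candidate allowed-address entries for the MikroTik peer are constructed assumptions. The trace reports where a packet would be lost: a source address the far end does not list in allowed-address is discarded after decryption, and a return route that does not point back into the tunnel fails just as silently.

```python
"""Trace a packet through route lookup and WireGuard cryptokey routing.

Added example, not the poster's or MikroTik's code. MikroTik side transcribed
from the export in the thread; everything on the pfSense side (routes, the
interface name "wg0", allowed-address lists) is a constructed assumption.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPNet = ipaddress.IPv4Network
IPAddr = ipaddress.IPv4Address


@dataclass
class Route:
    dst: IPNet
    interface: Optional[str] = None   # set on connected routes
    gateway: Optional[IPAddr] = None  # set on static routes; interface resolved via gateway


@dataclass
class Peer:
    name: str
    allowed: List[IPNet]


def parse_allowed(csv: str) -> List[IPNet]:
    """Parse a RouterOS allowed-address string; IPv6 entries (e.g. ::/0) are outside this v4 model."""
    nets = [ipaddress.ip_network(item.strip(), strict=False) for item in csv.split(",")]
    return [n for n in nets if n.version == 4]


def lookup_route(routes: List[Route], dst: IPAddr) -> Optional[Route]:
    """Longest-prefix match over the table."""
    best = None
    for r in routes:
        if dst in r.dst and (best is None or r.dst.prefixlen > best.dst.prefixlen):
            best = r
    return best


def egress_interface(routes: List[Route], dst: IPAddr) -> Optional[str]:
    """Resolve the egress interface, following one level of gateway recursion."""
    r = lookup_route(routes, dst)
    if r is None:
        return None
    if r.gateway is None:
        return r.interface
    via = lookup_route(routes, r.gateway)
    return via.interface if via else None


def select_peer(peers: List[Peer], dst: IPAddr) -> Optional[Peer]:
    """Sender side: the peer whose allowed-address contains dst with the longest prefix."""
    best: Optional[Tuple[Peer, IPNet]] = None
    for p in peers:
        for net in p.allowed:
            if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (p, net)
    return best[0] if best else None


def accept_inbound(peer: Peer, src: IPAddr) -> bool:
    """Receiver side: a decrypted packet is kept only if its inner source is in the sender's allowed-address."""
    return any(src in net for net in peer.allowed)


def trace(src: str, dst: str, local_routes, local_peers, local_wg: str,
          remote_peer_for_us: Peer, remote_routes, remote_wg: str) -> Tuple[bool, str]:
    """Follow src->dst through the local FIB, both cryptokey tables and the remote reply route."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    iface = egress_interface(local_routes, d)
    if iface != local_wg:
        return False, f"local route sends {d} out {iface!r}, not {local_wg}"
    peer = select_peer(local_peers, d)
    if peer is None:
        return False, f"no local peer lists {d} in allowed-address"
    if not accept_inbound(remote_peer_for_us, s):
        return False, f"remote drops it: {s} is not in its allowed-address for us"
    back = egress_interface(remote_routes, s)
    if back != remote_wg:
        return False, f"remote routes the reply to {s} out {back!r}, not {remote_wg}"
    return True, f"ok via {peer.name}: forward and return paths both use the tunnel"


# MikroTik side, transcribed from the export in the first post.
MT_ROUTES = [
    Route(IPNet("10.100.2.0/24"), interface="bridge"),
    Route(IPNet("10.15.210.0/24"), interface="homevpnclient"),
    Route(IPNet("192.168.0.0/16"), gateway=IPAddr("10.15.210.1")),
]
MT_PEERS = [Peer("pfsense", parse_allowed("192.168.0.0/16,10.15.210.1/32,::/0"))]

# pfSense side: CONSTRUCTED assumptions, the thread does not show this config.
PF_ROUTES = [
    Route(IPNet("192.168.0.0/16"), interface="lan"),
    Route(IPNet("10.15.210.0/24"), interface="wg0"),
    Route(IPNet("10.100.2.0/24"), gateway=IPAddr("10.15.210.3")),
]
PF_PEER_TUNNEL_ONLY = Peer("mikrotik", parse_allowed("10.15.210.3/32"))
PF_PEER_WITH_LAN = Peer("mikrotik", parse_allowed("10.15.210.3/32,10.100.2.0/24"))


def check_from(src: str, remote_peer: Peer) -> Tuple[bool, str]:
    """Reach 192.168.0.134 from a local source, given one assumed pfSense peer entry."""
    return trace(src, "192.168.0.134", MT_ROUTES, MT_PEERS, "homevpnclient",
                 remote_peer, PF_ROUTES, "wg0")


if __name__ == "__main__":
    for src in ("10.15.210.3", "10.100.2.1"):
        for peer in (PF_PEER_TUNNEL_ONLY, PF_PEER_WITH_LAN):
            ok, why = check_from(src, peer)
            print(f"src={src:12} remote allowed={[str(n) for n in peer.allowed]}: {ok} ({why})")
```

The same `trace` works with several peers on each side, since `select_peer` does the longest-prefix choice WireGuard itself makes; the one-way check plus the reply-route check is what the checklist's points 1 and 3 amount to, with the firewall (point 2) left out of the model.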
