I need your help=)
I purchased Mikrotik hAP ac and by inspiration from hex as Wireguard client topic I decided to fully move VPN stuff to the router.
This is my sketch of how it all looks: I have TWO Wireguard servers in different places with IP 111.111.111.111 and 222.222.222.222
Each WG server has the same configuration. It means that the address ranges are the same: 10.66.66.2-10.66.66.255 with 10.66.66.1 as a gateway in the tunnel.
I have two PC (PC 1 connected to ether5 and PC 2 connected to ether4 of Mikrotik hAP ac).
I want to configure WG clients on Mikrotik in such a way that PC 1 connected to the ether5 port (and wifi in the bridge with it) will send all traffic through WG tunnel to the WG server 1 and PC 2 connected to the ether4 port (and bridge) will send it to the WG server 2.
The problem is that both WG servers have the same configuration and the same IP address range in the tunnels.
I started from the first WG Server configuration and ether5 (PC 1):
- configured interface and peer wg configuration: wireguard_1
- created IP address 10.66.66.23 (IP of WG 1 client)
- created a separated bridge-wg for ether5
- configured DHCP server for bridge-wg
- created NAT and routing to send all traffic from bridge-wg to the tunnel wireguarf_1
- for testing purposes i created additional IP 192.168.90.123 to ping
All worked as I wonted and ping reached the destinations form Mikrotik terminal and in reality:
Code: Select all
[admin@MikroTik] > ping 10.66.66.1 src-address=10.66.66.23
[admin@MikroTik] > ping 1.1.1.1 src-address=10.66.66.23
[admin@MikroTik] > ping 10.66.66.1 src-address=192.168.90.123
[admin@MikroTik] > ping 1.1.1.1 src-address=192.168.90.123
The previous set of pings for 10.66.66.23 started to lose packets and new pings - also not work:
Code: Select all
[admin@MikroTik] > ping 10.66.66.1 src-address=10.66.66.60
Code: Select all
/ip address
add address=10.66.66.23/24 interface=wireguard_1 network=10.66.66.0
add address=10.66.66.60/24 interface=wireguard_2 network=10.66.66.0
Maybe the problem in another, please.
Help me please=)
This is Client config for WG server 1:
Code: Select all
[Interface]
Address = 10.66.66.23/32
[Peer]
Endpoint = 111.111.111.111:11111
Code: Select all
[Interface]
Address = 10.66.66.60/32
[Peer]
Endpoint = 222.222.222.222:22222
Code: Select all
# jun/11/2022 21:45:30 by RouterOS 7.3.1
#
# model = RouterBOARD 962UiGS-5HacT2HnT
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
add name=bridge-wg
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX country=germany disabled=no distance=indoors frequency=auto \
installation=indoor mode=ap-bridge ssid=PK-2 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=germany disabled=no distance=indoors frequency=auto \
installation=indoor mode=ap-bridge ssid=PK-5 wireless-protocol=802.11
add disabled=no keepalive-frames=disabled mac-address=BA:69:F4:39:E8:39 master-interface=wlan2 mode=bridge multicast-buffering=disabled \
name=wlan3 ssid=PK-5-W wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/interface wireguard
add listen-port=22222 mtu=1420 name=wireguard_2
add listen-port=11111 mtu=1420 name=wireguard_1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.90.2-192.168.90.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
add address-pool=dhcp_pool1 interface=bridge-wg name=dhcp1
/routing table
add disabled=no fib name=wg-table
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge-wg comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge-wg interface=wlan3
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=111.111.111.111 endpoint-port=11111 interface=wireguard_1 persistent-keepalive=23s \
public-key="xxx="
add allowed-address=0.0.0.0/0 endpoint-address=222.222.222.222 endpoint-port=22222 interface=wireguard_2 persistent-keepalive=23s \
public-key="xxx="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=10.66.66.23/24 interface=wireguard_1 network=10.66.66.0
add address=192.168.90.1/24 interface=bridge-wg network=192.168.90.0
add address=192.168.88.123/24 comment="Test from bridge" interface=bridge network=192.168.88.0
add address=192.168.90.123/24 comment="test form wg wifi" interface=bridge-wg network=192.168.90.0
add address=10.66.66.60/24 interface=wireguard_2 network=10.66.66.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
add address=192.168.90.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.90.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=wireguard_1
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.66.66.1 pref-src=0.0.0.0 routing-table=wg-table scope=30 suppress-hw-offload=no \
target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/routing rule
add action=lookup-only-in-table disabled=no src-address=10.66.66.0/24 table=wg-table
add action=lookup-only-in-table disabled=no src-address=192.168.90.0/24 table=wg-table
/system clock
set time-zone-name=Europe/Berlin