PKSpeleo
newbie
Topic Author
Posts: 28
Joined: Fri May 13, 2022 6:02 pm
Location: Munchen

hAP ac as TWO Wireguard clients (IP collision)

Sun Jun 12, 2022 12:34 am

Hello, everyone!
I need your help=)
I purchased a MikroTik hAP ac and, inspired by the "hex as Wireguard client" topic, I decided to fully move the VPN stuff to the router.
This is my sketch of how it all looks:
[attached image: CleanShot 2022-06-11 at 22.48.58@2x.png]
I have TWO Wireguard servers in different places with IP 111.111.111.111 and 222.222.222.222
Each WG server has the same configuration. It means that the address ranges are the same: 10.66.66.2-10.66.66.255 with 10.66.66.1 as a gateway in the tunnel.

I have two PCs (PC 1 connected to ether5 and PC 2 connected to ether4 of the MikroTik hAP ac).

I want to configure the WG clients on the MikroTik in such a way that PC 1, connected to the ether5 port (and the WiFi bridged with it), will send all traffic through the WG tunnel to WG server 1, and PC 2, connected to the ether4 port (and bridge), will send it to WG server 2.

The problem is that both WG servers have the same configuration and the same IP address range in the tunnels.

I started from the first WG Server configuration and ether5 (PC 1):
- configured interface and peer wg configuration: wireguard_1
- created IP address 10.66.66.23 (IP of WG 1 client)
- created a separate bridge, bridge-wg, for ether5
- configured DHCP server for bridge-wg
- created NAT and routing to send all traffic from bridge-wg into the tunnel wireguard_1
- for testing purposes I created an additional IP 192.168.90.123 to ping from
All worked as I wanted, and the pings reached their destinations both from the MikroTik terminal and from the PC:
[admin@MikroTik] > ping 10.66.66.1 src-address=10.66.66.23
[admin@MikroTik] > ping 1.1.1.1 src-address=10.66.66.23
[admin@MikroTik] > ping 10.66.66.1 src-address=192.168.90.123
[admin@MikroTik] > ping 1.1.1.1 src-address=192.168.90.123
Then I started to configure the second WG client wireguard_2 (the WG tunnel was established successfully), and at the point when I added the IP 10.66.66.60/24 with network 10.66.66.0, everything stopped working.
The previous set of pings from 10.66.66.23 started to lose packets, and the new pings also did not work:
[admin@MikroTik] > ping 10.66.66.1 src-address=10.66.66.60
As I understand it, the problem is that I am trying to add two IPs in the same network, and that produces a conflict.
/ip address
add address=10.66.66.23/24 interface=wireguard_1 network=10.66.66.0
add address=10.66.66.60/24 interface=wireguard_2 network=10.66.66.0
But I can't understand how to solve it.
Or maybe the problem is something else entirely.

Help me please=)

This is Client config for WG server 1:
[Interface]
Address = 10.66.66.23/32

[Peer]
Endpoint = 111.111.111.111:11111
This is Client config for WG server 2:
[Interface]
Address = 10.66.66.60/32

[Peer]
Endpoint = 222.222.222.222:22222
My Mikrotik configuration:
# jun/11/2022 21:45:30 by RouterOS 7.3.1
#
# model = RouterBOARD 962UiGS-5HacT2HnT
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
add name=bridge-wg
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX country=germany disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=PK-2 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=germany disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=PK-5 wireless-protocol=802.11
add disabled=no keepalive-frames=disabled mac-address=BA:69:F4:39:E8:39 master-interface=wlan2 mode=bridge multicast-buffering=disabled \
    name=wlan3 ssid=PK-5-W wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/interface wireguard
add listen-port=22222 mtu=1420 name=wireguard_2
add listen-port=11111 mtu=1420 name=wireguard_1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.90.2-192.168.90.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
add address-pool=dhcp_pool1 interface=bridge-wg name=dhcp1
/routing table
add disabled=no fib name=wg-table
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge-wg comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge-wg interface=wlan3
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=111.111.111.111 endpoint-port=11111 interface=wireguard_1 persistent-keepalive=23s \
    public-key="xxx="
add allowed-address=0.0.0.0/0 endpoint-address=222.222.222.222 endpoint-port=22222 interface=wireguard_2 persistent-keepalive=23s \
    public-key="xxx="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=10.66.66.23/24 interface=wireguard_1 network=10.66.66.0
add address=192.168.90.1/24 interface=bridge-wg network=192.168.90.0
add address=192.168.88.123/24 comment="Test from bridge" interface=bridge network=192.168.88.0
add address=192.168.90.123/24 comment="test form wg wifi" interface=bridge-wg network=192.168.90.0
add address=10.66.66.60/24 interface=wireguard_2 network=10.66.66.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
add address=192.168.90.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.90.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
    in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=wireguard_1
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.66.66.1 pref-src=0.0.0.0 routing-table=wg-table scope=30 suppress-hw-offload=no \
    target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/routing rule
add action=lookup-only-in-table disabled=no src-address=10.66.66.0/24 table=wg-table
add action=lookup-only-in-table disabled=no src-address=192.168.90.0/24 table=wg-table
/system clock
set time-zone-name=Europe/Berlin
 
JokeRBY
just joined
Posts: 8
Joined: Fri Apr 27, 2018 1:54 pm
Location: Wroclaw

Re: hAP ac as TWO Wireguard clients (IP collision)

Sun Jun 12, 2022 2:21 am

IMHO, a better solution is to separate the tunnel addressing (between the WG servers and the client) from the tunneled networks and change it to something else.
For example:
WG Server #1
[Interface]
Address = 10.77.1.1/30
...
WG Server #2
[Interface]
Address = 10.77.2.1/30
...
And on the hAP ac:
/ip/address
add address=10.77.1.2/30 interface=wireguard_1
add address=10.77.2.2/30 interface=wireguard_2
In this scenario, it will be easy to use mangle and routing "per eth interface". Remember about blackhole for main table.

In addition to the above, you can use, let's call it, "subnet hiding" - NAT on the WG Servers' side - then the problem of collision will disappear:
For example, 10.66.67.0/24 -> 10.66.66.0/24 (wg_1) and 10.66.68.0/24 -> 10.66.66.0/24 (wg_2).

P.S. Strange things with BB...
 
PKSpeleo
newbie
Topic Author
Posts: 28
Joined: Fri May 13, 2022 6:02 pm
Location: Munchen

Re: hAP ac as TWO Wireguard clients (IP collision)

Sun Jun 12, 2022 10:53 am

Hello JokeRBY!
Thanks a lot for your answers!

IMHO, a better solution is to separate the tunnel addressing (between the WG servers and the client) from the tunneled networks and change it to something else.

Yes, I know.
Unfortunately, I can't change the WG servers' settings - it would affect too many other clients.
I hoped that on Mikrotik I can solve this problem by binding to interfaces (wireguard_1 and wireguard_2).

In this scenario, it will be easy to use mangle and routing "per eth interface". Remember about blackhole for main table.

Hm, can I make the main table as a blackhole per specific interface?

In addition to the above, you can use, let's call it, "subnet hiding" - NAT on the WG Servers' side - then the problem of collision will disappear:
For example, 10.66.67.0/24 -> 10.66.66.0/24 (wg_1) and 10.66.68.0/24 -> 10.66.66.0/24 (wg_2).

What is it?
Can you describe it in more detail?

P.S. Strange things with BB...

What is BB and what is wrong with it?
 
PKSpeleo
newbie
Topic Author
Posts: 28
Joined: Fri May 13, 2022 6:02 pm
Location: Munchen

Re: hAP ac as TWO Wireguard clients (IP collision)

Mon Jun 13, 2022 9:56 pm

I have another idea - to use Mangle.
Maybe I can mark packets based on the interface and route them accordingly?
 
PKSpeleo
newbie
Topic Author
Posts: 28
Joined: Fri May 13, 2022 6:02 pm
Location: Munchen

Re: hAP ac as TWO Wireguard clients (IP collision)  [SOLVED]

Mon Jun 20, 2022 5:04 pm

I was finally able to achieve the result I was looking for!
To resolve the conflict I also had to specify the interface for the gateway IP address in the IP Routes (gateway=10.66.66.1%wireguard_1):

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.66.66.1%wireguard_1 pref-src=0.0.0.0 routing-table=wg-table-1 scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.66.66.1%wireguard_2 pref-src=0.0.0.0 routing-table=wg-table-2 scope=30 suppress-hw-offload=no target-scope=10

Full config with two WG clients and two separated WiFi networks for each VPN:

[admin@MikroTik] > export
# jun/20/2022 15:47:14 by RouterOS 7.3.1
# software id = xxxx-xxxx
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = xxxxxxxx
/interface bridge
add admin-mac=xxxxxxxx auto-mac=no comment=defconf name=bridge
add name=bridge-wg-1
add name=bridge-wg-2
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX country=germany disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=PK-2 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=germany disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=PK-5 wireless-protocol=802.11
add disabled=no keepalive-frames=disabled mac-address=11:11:11:11 master-interface=wlan2 mode=bridge multicast-buffering=disabled name=wlan3 ssid=PK-5-W-1 wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=22:22:22:22 master-interface=wlan2 mode=bridge multicast-buffering=disabled name=wlan4 ssid=PK-5-W-2 wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/interface wireguard
add listen-port=11111 mtu=1420 name=wireguard_1
add listen-port=22222 mtu=1420 name=wireguard_2
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.90.2-192.168.90.254
add name=dhcp_pool2 ranges=192.168.100.2-192.168.100.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
add address-pool=dhcp_pool1 interface=bridge-wg-1 name=dhcp1
add address-pool=dhcp_pool2 interface=bridge-wg-2 name=dhcp2
/routing table
add disabled=no fib name=wg-table-1
add disabled=no fib name=wg-table-2
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge-wg-2 comment=defconf interface=ether4
add bridge=bridge-wg-1 comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge-wg-1 interface=wlan3
add bridge=bridge-wg-2 interface=wlan4
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=111.111.111.111 endpoint-port=11111 interface=wireguard_1 persistent-keepalive=23s public-key="xxxxxxxx="
add allowed-address=0.0.0.0/0 endpoint-address=222.222.222.222 endpoint-port=22222 interface=wireguard_2 persistent-keepalive=23s public-key="xxxxxxxx="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=10.66.66.23/24 interface=wireguard_1 network=10.66.66.0
add address=192.168.90.1/24 interface=bridge-wg-1 network=192.168.90.0
add address=192.168.88.123/24 comment="Test from bridge" interface=bridge network=192.168.88.0
add address=192.168.90.123/24 comment="test for wg 1 wifi" interface=bridge-wg-1 network=192.168.90.0
add address=10.66.66.60/24 interface=wireguard_2 network=10.66.66.0
add address=192.168.100.1/24 interface=bridge-wg-2 network=192.168.100.0
add address=192.168.100.123/24 comment="Test for wg 1" interface=bridge-wg-2 network=192.168.100.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
add address=192.168.90.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.90.1
add address=192.168.100.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.100.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=wireguard_1
add action=masquerade chain=srcnat out-interface=wireguard_2
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.66.66.1%wireguard_1 pref-src=0.0.0.0 routing-table=wg-table-1 scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.66.66.1%wireguard_2 pref-src=0.0.0.0 routing-table=wg-table-2 scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/routing rule
add action=lookup-only-in-table disabled=no src-address=10.66.66.0/24 table=wg-table-1
add action=lookup-only-in-table disabled=no src-address=10.66.66.0/24 table=wg-table-2
add action=lookup-only-in-table disabled=no src-address=192.168.90.0/24 table=wg-table-1
add action=lookup-only-in-table disabled=no src-address=192.168.100.0/24 table=wg-table-2
/system clock
set time-zone-name=Europe/Berlin

Thanks for the support;)
Resolved!
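A small lint for the exact pitfall this thread hit, added here as an example (it is not MikroTik code and not the thread author's): it parses the /ip address and /ip route sections of a RouterOS export, finds subnets configured on more than one interface, and flags any route whose gateway is a bare IP inside such a subnet without a %interface pin. The two excerpts are constructed from the configs posted above, and the parser assumes the section-header and key=value syntax those exports use.

```python
"""Lint a RouterOS export for this thread's pitfall: two WireGuard interfaces share
one tunnel subnet, so a bare-IP gateway in it needs gateway=IP%iface. Added example."""
import ipaddress
import re

_KV = re.compile(r'(\S+?)=("[^"]*"|\S+)')  # key=value, value may be quoted

def parse_export(text):
    """{section: [entry, ...]}; joins backslash-continued lines, skips comments."""
    sections, current, pending = {}, None, []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):               # continued on the next line
            pending.append(line[:-1])
            continue
        line = " ".join(pending + [line]).strip()
        pending = []
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):              # section header, e.g. /ip route
            current = line
            continue
        entry = {k: v.strip('"') for k, v in _KV.findall(line)}
        if current is not None and entry:
            sections.setdefault(current, []).append(entry)
    return sections

def shared_networks(addresses):
    """Networks configured on more than one interface -> set of interfaces."""
    by_net = {}
    for a in addresses:
        net = ipaddress.ip_interface(a["address"]).network
        by_net.setdefault(net, set()).add(a["interface"])
    return {n: ifs for n, ifs in by_net.items() if len(ifs) > 1}

def ambiguous_routes(routes, shared):
    """(table, gateway, interfaces) for unpinned bare-IP gateways in a shared net."""
    findings = []
    for r in routes:
        gw = r.get("gateway", "")
        if "%" in gw:
            continue                          # already pinned to an interface
        try:
            ip = ipaddress.ip_address(gw)
        except ValueError:
            continue                          # interface name or no gateway
        for net, ifs in shared.items():
            if ip in net:
                findings.append((r.get("routing-table", "main"), gw, sorted(ifs)))
    return findings

def lint(export_text):
    cfg = parse_export(export_text)
    shared = shared_networks(cfg.get("/ip address", []))
    return ambiguous_routes(cfg.get("/ip route", []), shared)

# Constructed excerpts of the two exports posted in this thread (before/after fix).
BEFORE = """\
/ip address
add address=10.66.66.23/24 interface=wireguard_1 network=10.66.66.0
add address=10.66.66.60/24 interface=wireguard_2 network=10.66.66.0
/ip route
add dst-address=0.0.0.0/0 gateway=10.66.66.1 routing-table=wg-table scope=30 \\
    target-scope=10
"""
AFTER = BEFORE.split("/ip route")[0] + """/ip route
add dst-address=0.0.0.0/0 gateway=10.66.66.1%wireguard_1 routing-table=wg-table-1
add dst-address=0.0.0.0/0 gateway=10.66.66.1%wireguard_2 routing-table=wg-table-2
"""
```

Running lint() over a full export before applying the %interface fix reports the wg-table route as ambiguous between wireguard_1 and wireguard_2; the fixed export yields no findings.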
