drZ
just joined
Topic Author
Posts: 4
Joined: Thu Jun 16, 2022 10:12 pm

MikroTik hEX as wireguard hub for both: WAN and LAN

Thu Jun 16, 2022 11:46 pm

Hi,
I would like to configure hEX to serve as a hub in a hub-spoke wireguard configuration. The spokes being computers connected to the LAN side and computers on the WAN side of the router.
The problem is that for some reason I can get a hub-spoke wireguard connection only from either the WAN computer or the LAN computer, and never from both of them at the same time.

My intended topology is 192.168.2.4 (10.0.1.4) <---> [LAN 192.168.2.1 - hEX - 192.168.1.3 WAN] <---> 192.168.1.148 (10.0.1.148)
Where the IPs in brackets are for the wireguard interfaces. The hEX has RouterOS 7.1 installed. Both the LAN and WAN computers run Linux.

The computer on the LAN side:
[Interface]
#LAN side
PrivateKey = LLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLL=
Address = 10.0.1.4/32

[Peer]
#hEX
PublicKey = HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH=
Endpoint = 192.168.1.3:13232
AllowedIPs = 10.0.1.0/24
PersistentKeepalive = 25
Configuration of the computer on the WAN side:
[Interface]
#WAN side
PrivateKey = WWWWWWWWWWWWWWWWWWWWWWWWWW=
Address = 10.0.1.148/32

[Peer]
#hEX
PublicKey = HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH=
Endpoint = 192.168.1.3:13232
AllowedIPs = 10.0.1.0/24
PersistentKeepalive = 25
Configuration of hEX router:
/interface/wireguard/ print
0  R ;;; Router3
      name="wg0" mtu=1420 listen-port=13232 
      private-key="ppppppppppppppppppppppppppppppppppppppppppppp=" 
      public-key="HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH=" 
peers:
/interface/wireguard/peers/ print
 Columns: INTERFACE, PUBLIC-KEY, ENDPOINT-PORT, ALLOWED-ADDRESS
# INTERFACE  PUBLIC-KEY                                    ENDPOINT-PORT  ALLOWED-ADDRESS
0 wg0        llllllllllllllllllllllllllllll=              0  10.0.1.0/24    
1 wg0        wwwwwwwwwwwwwwwwwwwwwwwwwwwwww=              0  10.0.1.0/24  
address:
/ip/address/ print
Flags: D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE
#   ADDRESS         NETWORK      INTERFACE
;;; defconf
0   192.168.2.1/24  192.168.2.0  bridge   
1   10.0.1.3/24     10.0.1.0     wg0      
2 D 192.168.1.3/24  192.168.1.0  ether1  
route:
/ip/route/ print
Flags: D - DYNAMIC; A - ACTIVE; c, d, y - COPY
Columns: DST-ADDRESS, GATEWAY, DISTANCE
    DST-ADDRESS     GATEWAY      DISTANCE
DAd 0.0.0.0/0       192.168.1.1         1
DAc 10.0.1.0/24     wg0                 0
DAc 192.168.1.0/24  ether1              0
DAc 192.168.2.0/24  bridge              0
and firewall:
Flags: X - disabled, I - invalid; D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 
 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked 
 2    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid 
 3    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 
 4    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1 
 5    chain=input action=accept protocol=udp src-address=10.0.1.0/24 in-interface=wg0 dst-port=13232 
      log=no 
 6    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN 
 7    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec 
 8    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec 
 9    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related 
10    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked 
11    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid 
12    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat 
      in-interface-list=WAN 
13    chain=input action=accept protocol=tcp dst-address=192.168.1.3 dst-port=443 log=no 
      log-prefix="" 
With that configuration I can ping from LAN to hEX
ping 192.168.1.3
and
ping 10.0.1.3
Can ping from WAN to hEX:
ping 192.168.1.3
But cannot ping from WAN to wg0 on hEX
ping 10.0.1.3
And, of course, cannot ping from WAN to LAN
ping 10.0.1.4
To make matters worse, sometimes wireguard WAN <-> hEX works for no obvious reason but LAN <-> hEX doesn't with the same configuration.
Or neither of them works.

To switch between those scenarios it is enough to edit on hEX an endpoint-port of one of the peers in /interface/wireguard/peers/ and remove the change.

Any idea what's wrong?
Thanks!
drZ
just joined
Topic Author
Posts: 4
Joined: Thu Jun 16, 2022 10:12 pm

Re: MikroTik hEX as wireguard hub for both: WAN and LAN

Mon Jun 20, 2022 3:39 pm

I have reported that as a bug in MT hEX.
holvoetn
Forum Guru
Forum Guru
Posts: 5457
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: MikroTik hEX as wireguard hub for both: WAN and LAN

Mon Jun 20, 2022 9:22 pm

I had a similar problem with 7.1 and wireguard.
Wasn't able to access LAN behind wireguard.

Export config (make sure to use show-sensitive).
Clean reset device.
Import previous config manually making sure not to overwrite anything already present.
And then it worked for me.

You got confirmation from support this is a bug??
Have you tried more recent versions of ROS7 ?
drZ
just joined
Topic Author
Posts: 4
Joined: Thu Jun 16, 2022 10:12 pm

Re: MikroTik hEX as wireguard hub for both: WAN and LAN

Tue Jun 21, 2022 1:46 am

holvoetn wrote:
> I had a similar problem with 7.1 and wireguard.
> Wasn't able to access LAN behind wireguard.
>
> Export config (make sure to use show-sensitive).
> Clean reset device.
> Import previous config manually making sure not to overwrite anything already present.
> And then it worked for me.
>
> You got confirmation from support this is a bug??
> Have you tried more recent versions of ROS7 ?
Thanks for the advice!
I have tried the factory reset and manual reconfiguration of the router but without results.
Upgrading to stable ROS 7.3.1 didn't solve the problem either.

Still waiting for the answer regarding the bug report ...

Edit: One observation: both clients (spokes) maintain successful wireguard handshakes with the server.
drZ
just joined
Topic Author
Posts: 4
Joined: Thu Jun 16, 2022 10:12 pm

Re: MikroTik hEX as wireguard hub for both: WAN and LAN  [SOLVED]

Sat Jul 09, 2022 7:28 pm

I have gotten a reply from the MikroTik service:
> You are most likely incorrectly NATting the LAN side connection - the issue is often resolved by installing what is called "Hairpin NAT", however I have not tested such a case with WireGuard traffic. Please take a look at Hairpin NAT:
> https://help.mikrotik.com/docs/display/ ... HairpinNAT
It very well might be, but we have solved the problem in a different way. Both peers and firewall rules on MT hEX need to be corrected:
Peers with a /32 address mask:
/interface/wireguard/peers/ print
 Columns: INTERFACE, PUBLIC-KEY, ENDPOINT-PORT, ALLOWED-ADDRESS
# INTERFACE  PUBLIC-KEY                                    ENDPOINT-PORT  ALLOWED-ADDRESS
0 wg0        llllllllllllllllllllllllllllll=              0  10.0.1.4/32    
1 wg0        wwwwwwwwwwwwwwwwwwwwwwwwwwwwww=              0  10.0.1.148/32  
and the firewall, with old rule number 5 split into new rules 5 and 6:
Flags: X - disabled, I - invalid; D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 
 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked 
 2    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid 
 3    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 
 4    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1
 5    chain=input action=accept protocol=udp dst-port=13232 log=no log-prefix=""
 6    chain=forward action=accept in-interface=wg0 log=no log-prefix=""
 7    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN 
 8    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec 
 9    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec 
10    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related 
11    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked 
12    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid 
13    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat 
      in-interface-list=WAN 
14    chain=input action=accept protocol=tcp dst-address=192.168.1.3 dst-port=443 log=no 
      log-prefix="" 
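Why the /32 allowed-address fix works, as an added example that is not from the thread, from MikroTik or from WireGuard itself: a small Python model of the hub's cryptokey routing table, where each allowed prefix can belong to only one peer, so two spokes both claiming 10.0.1.0/24 collide and the hub can reach only whichever peer was configured last (consistent with the toggling seen when one peer was edited). The peer names and helper functions are constructed; the tunnel addresses are the ones from the thread.

```python
"""Model of a WireGuard hub's allowed-IPs (cryptokey routing) table.
Constructed example: peer names and functions are not from the thread or
from any WireGuard implementation; the addresses are the thread's."""
import ipaddress

# Constructed peer tables mirroring the broken and the fixed hEX config.
BROKEN_PEERS = [("lan-spoke", "10.0.1.0/24"), ("wan-spoke", "10.0.1.0/24")]
FIXED_PEERS = [("lan-spoke", "10.0.1.4/32"), ("wan-spoke", "10.0.1.148/32")]


def build_table(peers):
    """Insert each peer's allowed-address into one shared prefix table.
    A prefix maps to exactly one peer; a later peer claiming the same prefix
    takes it over, which is what an overlapping /24 on two spokes does.
    Returns (table, collisions) so a config audit can flag the overlap."""
    table = {}
    collisions = []
    for name, prefix in peers:
        net = ipaddress.ip_network(prefix, strict=False)
        if net in table and table[net] != name:
            collisions.append((str(net), table[net], name))
        table[net] = name
    return table, collisions


def select_peer(table, dst):
    """Longest-prefix match: the peer the hub would encrypt 'dst' for,
    or None when no allowed-address covers it (packet is dropped)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, name in table.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, name)
    return best[1] if best else None


def reachable_spokes(peers, spoke_ips):
    """Map each spoke's tunnel address to the peer the hub actually selects."""
    table, _ = build_table(peers)
    return {ip: select_peer(table, ip) for ip in spoke_ips}


if __name__ == "__main__":
    spokes = ["10.0.1.4", "10.0.1.148"]
    print("broken:", reachable_spokes(BROKEN_PEERS, spokes))
    print("fixed: ", reachable_spokes(FIXED_PEERS, spokes))
    print("overlaps in broken config:", build_table(BROKEN_PEERS)[1])
```

With the /24 on both peers the LAN spoke's traffic is sent to the WAN spoke's tunnel, so exactly one side works at a time; with /32 entries each spoke gets its own prefix and the collision list is empty.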
anav
Forum Guru
Forum Guru
Posts: 19318
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: MikroTik hEX as wireguard hub for both: WAN and LAN

Sat Jul 09, 2022 10:58 pm

Yeah, makes more sense that it was a problem in your wireguard configuration.
Hairpin NAT has little to do with wireguard. I couldn't understand what the heck your network looks like, but glad you got it fixed.
