I have two locations which are connected by WireGuard. Simplified, the topology is:
Laptop in network 192.168.2.0/24
|
|
Wireguard server A (RouterBoard)
(10.1.101.0/24, IP 10.1.101.254)
|
|
Wireguard server B
(10.1.102.0/24, IP 10.1.102.254)
+
local DHCP server B
(192.168.10.0/24, IP 192.168.10.254)
I can ping and SSH from my laptop to WireGuard server B, so there is effectively two-way communication through the tunnel.
The DHCP server B has some devices connected, one of which has IP 192.168.10.116. I would like to be able to directly access this device through its IP address. So I thought to add a static route to the RouterBoard server like:
add dst-address=192.168.10.0/24 gateway=10.1.102.254 routing-table=main
What am I missing? Why can't I arrange that all traffic with dst-ip in 192.168.10.0/24 is forwarded by RouterBoard A into the WireGuard network of server B, where server B's local routing table then forwards it to the connected device?
The RB export is:
# RouterBoard A export (RouterOS). Lines starting with "NOTE(review)" are reviewer observations, not part of the device config.
/interface bridge
add admin-mac=xxx auto-mac=no comment=defconf name=bridge
# Tunnel interface; its UDP listen port (13231) is opened in the input chain further down.
/interface wireguard
add listen-port=13231 mtu=1420 name=sorby_net
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp2 ranges=192.168.2.30-192.168.2.90
add name=dhcp next-pool=dhcp2 ranges=192.168.2.150-192.168.2.200
/ip dhcp-server
# NOTE(review): lease-script refers to "DNS_testscript", but the /system script section of this export is empty - confirm the script still exists on the device.
add address-pool=dhcp interface=bridge lease-script="DNS_testscript\r\
\n" lease-time=16h name=defconf
/port
set 0 name=serial0
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,rest-api
/dude
set enabled=yes
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8182
/interface list member
# Only the bridge (LAN) and ether1 (WAN) are list members. sorby_net is in neither list, so the
# "in-interface-list=!LAN" and "in-interface-list=WAN" firewall rules below treat the tunnel as
# "not LAN" on input and "not WAN" on forward.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
# NOTE(review): md5 is still an accepted OVPN auth digest. This export does not show the OVPN
# server enabled, so the exposure is nil today - drop md5 before it is ever turned on.
set auth=sha1,md5
/interface wireguard peers
# NOTE(review): WireGuard's allowed-address is cryptokey routing, not just a source filter: a packet
# the router sends into sorby_net is only encrypted to a peer whose allowed-address contains the
# packet's destination; otherwise WireGuard silently discards it, whatever /ip route says.
# The "WG Sorby" peer lists only 10.1.102.0/24, so a route for 192.168.10.0/24 via 10.1.102.254
# hands the packets to this interface and the tunnel drops them. Add 192.168.10.0/24 to this
# peer's allowed-address (it is the only place the 192.168.10.0/24 fix belongs on this router).
# Both peers carry endpoint-address=10.1.101.254, which is this router's own tunnel address -
# presumably the remote peers initiate and these endpoints are never used; verify.
add allowed-address=10.1.103.0/24,192.168.2.0/24 comment="WG on 192.168.2.5" endpoint-address=10.1.101.254 endpoint-port=13231 interface=sorby_net public-key="BQmI..."
add allowed-address=10.1.102.0/24 comment="WG Sorby" endpoint-address=10.1.101.254 endpoint-port=13231 interface=sorby_net public-key="g9Dv..."
/ip address
add address=192.168.2.254/24 comment=defconf interface=bridge network=192.168.2.0
# Router's own tunnel address; the connected 10.1.101.0/24 route on sorby_net comes from this entry.
add address=10.1.101.254/24 interface=sorby_net network=10.1.101.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
...
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf gateway=192.168.2.254 netmask=24
/ip dns
# allow-remote-requests=yes turns the router into a resolver for anything that reaches its input
# chain. It is not an open resolver only because the input chain drops non-LAN traffic before
# udp/53 could be reached - keep that drop rule if this stays enabled.
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
...
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
# HTTPS to the router from non-LAN is not opened (rule disabled); www-ssl is therefore LAN-only.
add action=accept chain=input disabled=yes dst-port=443 protocol=tcp
# NOTE(review): this accepts Winbox (moved to tcp/13231 in /ip service) on input from ANY
# interface - WAN and the tunnel included - and it sits before the "drop all not coming from LAN"
# rule, so Winbox is reachable from the internet. Winbox exposed on WAN is a frequently scanned
# and attacked surface; add in-interface-list=LAN (or a src-address-list of admin hosts), or
# delete this rule and let the LAN-only drop below govern Winbox. The comment still says 8291.
add action=accept chain=input comment="Winbox (8291)" dst-port=13231 protocol=tcp
# WireGuard handshake/data port; this one must stay open on WAN.
add action=accept chain=input comment="Wireguard accept port 13231" dst-port=13231 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# sorby_net is not in the LAN list, so tunnel peers cannot reach the router itself except for
# ICMP and already-established flows: the tunnel is usable for forwarding only, not for
# managing this router from 10.1.102.0/24.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# Only new connections entering on the WAN list are dropped and there is no final forward drop,
# so forwarding between the bridge and sorby_net (in both directions) is implicitly accepted.
# Traffic to 192.168.10.0/24 is therefore not blocked here; the cryptokey check on the peer is.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
# Source NAT applies to the WAN list only; nothing is masqueraded into sorby_net, so packets
# reach server B with their real 192.168.2.x source (which its AllowedIPs must, and does, list).
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# Outgoing NTP (udp/123) is additionally rewritten to source ports 12300-12390 on WAN.
add action=masquerade chain=srcnat comment="NTP NAT masquerade " dst-port=123 out-interface-list=WAN protocol=udp to-ports=12300-12390
...
ip route
# NOTE(review): the section header above lost its leading "/" in the paste; the export reads "/ip route".
add disabled=no distance=1 dst-address=10.1.103.0/24 gateway=sorby_net pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=10.1.102.0/24 gateway=sorby_net pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
# NOTE(review): this is the 192.168.10.0/24 route from the question, and it is disabled in this
# export. gateway=10.1.102.254 resolves through the 10.1.102.0/24 route above onto sorby_net,
# which is fine (gateway=sorby_net would be equivalent and matches the other two). The packets
# then still have to pass the "WG Sorby" peer's allowed-address, which lacks 192.168.10.0/24 -
# add it there first, then set disabled=no here.
add disabled=yes distance=1 dst-address=192.168.10.0/24 gateway=10.1.102.254 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
# Listens on all addresses; reachable from LAN only because the input chain's https accept is
# disabled and non-LAN input is dropped. Narrowing address= to the LAN subnet would not hurt.
set www-ssl address=0.0.0.0/0 certificate=SystemCertificate disabled=no
set api disabled=yes
# Winbox moved from 8291 to 13231/tcp (same number as the WireGuard UDP port). The port change
# is obscurity only - the input chain currently accepts this port from every interface; prefer
# address=192.168.2.0/24 here and/or an interface-restricted firewall rule.
set winbox port=13231
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/lcd
set default-screen=stat-slideshow
/lcd pin
set pin-number=xxxx
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Amsterdam
/system identity
set name=MT3011RB
/system logging
add disabled=yes prefix=TMP topics=debug
add disabled=yes prefix=NTP topics=ntp
# firewall, event and wireguard topics are logged with the FRW/EVT/WRG prefixes - the WRG
# entries are the first place to look while debugging the tunnel.
add prefix=FRW topics=firewall
add prefix=EVT topics=event
add prefix=WRG topics=wireguard
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
add address=3.pool.ntp.org
/system scheduler
/system script
# NOTE(review): empty, although the DHCP server's lease-script references "DNS_testscript".
/tool bandwidth-server
set enabled=no
/tool graphing interface
/tool graphing resource
# MAC-level telnet/Winbox are limited to the LAN interface list (not WAN, not the tunnel).
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
The WireGuard (wg-quick) config on server B is:
[Interface]
# No prefix length, so this is a /32; the 10.1.102.0/24 route on wg0 in the route table below
# comes from the peer's AllowedIPs, not from this address.
Address = 10.1.102.254
ListenPort = 13231
PrivateKey = ...
# NOTE(review): the FORWARD accept matches only packets entering on wg0 (-i wg0). Replies from
# hotspot0 back into the tunnel (-o wg0) are forwarded only if the default FORWARD policy is
# ACCEPT or another rule covers them - confirm, or add
#   iptables -A FORWARD -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# MASQUERADE is applied on eth1 only, so traffic forwarded to hotspot0 keeps its 192.168.2.x
# source; 192.168.10.116 must route 192.168.2.0/24 back to this host (presumably its default
# gateway) - verify. Both rules use -A, so they land after any pre-existing rules, and
# net.ipv4.ip_forward=1 is assumed but not shown here.
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth1 -j MASQUERADE
[Peer]
PublicKey = ...
# 192.168.2.0/24 is listed, so packets arriving from the laptop's subnet are accepted and
# replies to it are routed into wg0 (see route table). This side does NOT need 192.168.10.0/24
# in AllowedIPs - that subnet is local on hotspot0; the missing entry is on RouterBoard A's
# peer for this host.
AllowedIPs = 10.1.101.0/24,10.1.102.0/24,10.1.103.0/24,192.168.2.0/24
Endpoint = a.b.c.d:13231
The route table on server B (which also runs the DHCP server for 192.168.10.0/24 on hotspot0) is:
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.8.1 0.0.0.0 UG 100 0 0 eth1
10.1.101.0 0.0.0.0 255.255.255.0 U 0 0 0 wg0
10.1.102.0 0.0.0.0 255.255.255.0 U 0 0 0 wg0
10.1.103.0 0.0.0.0 255.255.255.0 U 0 0 0 wg0
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 wg0
192.168.8.0 0.0.0.0 255.255.255.0 U 100 0 0 eth1
192.168.10.0 0.0.0.0 255.255.255.0 U 0 0 0 hotspot0