mikear
newbie
Topic Author
Posts: 40
Joined: Wed Mar 23, 2022 8:08 pm
Location: Utrecht, Netherlands

Wireguard routing

Tue Aug 16, 2022 1:03 am

Then I thought it would be easy, but...

I have two locations which are connected by wireguard. Simplified is:

Laptop in network 192.168.2.0/24
|
|
Wireguard server A (RouterBoard)
(10.1.101.0/24, IP 10.1.101.254)
|
|
Wireguard server B
(10.1.102.0/24, IP 10.1.102.254)
+
local DHCP server B
(192.168.10.0/24, IP 192.168.10.254)

I can ping and ssh from my laptop to Wireguard server B, indicating that effectively there is a 2-way communication.

The DHCP server B has some devices connected, one of which has IP 192.168.10.116. I would like to be able to directly access this device through its IP address. So I thought I'd add a static route to the RouterBoard server like:
add dst-address=192.168.10.0/24 gateway=10.1.102.254 routing-table=main 
But this gives an invalid/unreachable route.
What am I missing? Why can't I set that all traffic with dst-ip 192.168.10.0/24 is forwarded by RouterBoard A to the WireGuard net of server B, where it is forwarded by the local routing table to the connected device?

The RB export is:
/interface bridge
add admin-mac=xxx auto-mac=no comment=defconf name=bridge
/interface wireguard
add listen-port=13231 mtu=1420 name=sorby_net
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp2 ranges=192.168.2.30-192.168.2.90
add name=dhcp next-pool=dhcp2 ranges=192.168.2.150-192.168.2.200
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-script="DNS_testscript\r\
    \n" lease-time=16h name=defconf
/port
set 0 name=serial0
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,rest-api
/dude
set enabled=yes
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=10.1.103.0/24,192.168.2.0/24 comment="WG on 192.168.2.5" endpoint-address=10.1.101.254 endpoint-port=13231 interface=sorby_net public-key="BQmI..."
add allowed-address=10.1.102.0/24 comment="WG Sorby" endpoint-address=10.1.101.254 endpoint-port=13231 interface=sorby_net public-key="g9Dv..."
/ip address
add address=192.168.2.254/24 comment=defconf interface=bridge network=192.168.2.0
add address=10.1.101.254/24 interface=sorby_net network=10.1.101.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
...
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf gateway=192.168.2.254 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
...
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input disabled=yes dst-port=443 protocol=tcp
add action=accept chain=input comment="Winbox (8291)" dst-port=13231 protocol=tcp
add action=accept chain=input comment="Wireguard accept port 13231" dst-port=13231 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="NTP NAT masquerade " dst-port=123 out-interface-list=WAN protocol=udp to-ports=12300-12390
...
/ip route
add disabled=no distance=1 dst-address=10.1.103.0/24 gateway=sorby_net pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=10.1.102.0/24 gateway=sorby_net pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=192.168.10.0/24 gateway=10.1.102.254 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www-ssl address=0.0.0.0/0 certificate=SystemCertificate disabled=no
set api disabled=yes
set winbox port=13231
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/lcd
set default-screen=stat-slideshow
/lcd pin
set pin-number=xxxx
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Amsterdam
/system identity
set name=MT3011RB
/system logging
add disabled=yes prefix=TMP topics=debug
add disabled=yes prefix=NTP topics=ntp
add prefix=FRW topics=firewall
add prefix=EVT topics=event
add prefix=WRG topics=wireguard
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
add address=3.pool.ntp.org
/system scheduler
/system script
/tool bandwidth-server
set enabled=no
/tool graphing interface
/tool graphing resource
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN


The wireguard config on server B is:
[Interface]
Address = 10.1.102.254
ListenPort = 13231
PrivateKey = ...
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth1 -j MASQUERADE
 
[Peer]
PublicKey = ...
AllowedIPs = 10.1.101.0/24,10.1.102.0/24,10.1.103.0/24,192.168.2.0/24
Endpoint = a.b.c.d:13231


The route table on the DHCP server B is:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.8.1     0.0.0.0         UG    100    0        0 eth1
10.1.101.0      0.0.0.0         255.255.255.0   U     0      0        0 wg0
10.1.102.0      0.0.0.0         255.255.255.0   U     0      0        0 wg0
10.1.103.0      0.0.0.0         255.255.255.0   U     0      0        0 wg0
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 wg0
192.168.8.0     0.0.0.0         255.255.255.0   U     100    0        0 eth1
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 hotspot0

 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Wireguard routing

Tue Aug 16, 2022 2:16 am

Is there a reason why A has one subnet on the WG interface and B has a different one? It's not strictly necessary, but the usual way is to use a common one. Then any address in that subnet is understood as reachable and you can use it as gateway. You can make it work like this using recursive routing, if you play with the scope and target-scope parameters. Or you can simply use the WG interface as gateway (gateway=sorby_net).
 
anav
Forum Guru
Posts: 19101
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard routing

Tue Aug 16, 2022 3:38 am

nm see next post
 
anav
Forum Guru
Posts: 19101
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard routing

Tue Aug 16, 2022 3:39 am

(1) This is not correct. The subnet in yellow is a local subnet on the RB, remove it.

add allowed-address=10.1.103.0/24,192.168.2.0/24 comment="WG on 192.168.2.5" endpoint-address=10.1.101.254 endpoint-port=13231 interface=sorby_net public-key="BQmI..."
add allowed-address=10.1.102.0/24 comment="WG Sorby" endpoint-address=10.1.101.254 endpoint-port=13231 interface=sorby_net public-key="g9Dv..."

(2) Why is there a second peer that you have not told us about................
/interface wireguard peers
add allowed-address=10.1.103.0/24,192.168.2.0/24 comment="WG on 192.168.2.5" endpoint-address=10.1.101.254 endpoint-port=13231 interface=sorby_net public-key="BQmI..."
add allowed-address=10.1.102.0/24 comment="WG Sorby" endpoint-address=10.1.101.254 endpoint-port=13231 interface=sorby_net public-key="g9Dv..."

(3) Sorry, I disagree with Sob: using different IP address networks for connected peers is unnecessary and complicated unless there is a brilliant reason for it...
They should all be on the same wireguard network,
the RB, for ex:
10.1.100.1/24 rb wireguard IP
10.1.100.2/24 server B wireguard IP
10.1.100.3/24 unknown wireguard peer IP.

(4) Why do you have an Input chain rule for wireguard for TCP ???? The protocol it uses is UDP.
add action=accept chain=input comment="Winbox (8291)" dst-port=13231 protocol=tcp
add action=accept chain=input comment="Wireguard accept port 13231" dst-port=13231 protocol=udp

(5) Not sure why you are NAT masquerading NTP traffic. There is a service on the router for NTP??

(6) These routes are not required as they would be created by the router anyway (DAC routes) and thus can be removed.
add disabled=no distance=1 dst-address=10.1.103.0/24 gateway=sorby_net pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=10.1.102.0/24 gateway=sorby_net pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10


(7) Allowed IPs on the RB fail to identify the remote subnet you want to reach; you need to add it.
So something like
/interface wireguard peers
add allowed-address=10.1.100.2/32,192.168.10.0/24 endpoint-address=10.1.101.254 endpoint-port=13231 interface=sorby_net public-key="BQmI..."

(8) The one route you did add that makes sense is the path to server B subnet through the wireguard tunnel
Except its incorrect..............
From
add disabled=yes distance=1 dst-address=192.168.10.0/24 gateway=10.1.102.254 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
TO:
add distance=1 dst-address=192.168.10.0/24 gateway=sorby_net table=main

(9) Why is the endpoint address of the RB first peer, the same address as the Wireguard IP address on the RB............... very very confusing config here.
/interface wireguard peers
add allowed-address=10.1.103.0/24,192.168.2.0/24 comment="WG on 192.168.2.5" endpoint-address=10.1.101.254 endpoint-port=13231 interface=sorby_net public-key="BQmI..."

AND
/ip address
add address=192.168.2.254/24 comment=defconf interface=bridge network=192.168.2.0
add address=10.1.101.254/24 interface=sorby_net network=10.1.101.0
 
mikear
newbie
Topic Author
Posts: 40
Joined: Wed Mar 23, 2022 8:08 pm
Location: Utrecht, Netherlands

Re: Wireguard routing

Thu Aug 18, 2022 9:04 am

OK, I'll have to study this. Making these changes the setup became completely unresponsive. Probably I still have some other flaws in my setup. So I consider starting from scratch again. I'll report back if I've found the error(s)
Thanks for your support so far....
 
anav
Forum Guru
Posts: 19101
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard routing

Thu Aug 18, 2022 2:02 pm

A clear network diagram showing the routers, the internet connection, and where the computers sit on the diagram (and the IPs) etc will help.
Just use fake numbers for actual WANIP numbers.
 
mikear
newbie
Topic Author
Posts: 40
Joined: Wed Mar 23, 2022 8:08 pm
Location: Utrecht, Netherlands

Re: Wireguard routing

Fri Aug 26, 2022 1:47 pm

OK, sorry for the delay, I have been travelling and now I'm at the remote place where it is easier to do the complete management. I've also replaced some hardware so things may be a bit more straightforward, but still I'm not able to get all bits together. I've replaced the remote hardware by a MikroTik Chateau 5G.

The current diagram is:
Network_diagram_wireguard_20220826.jpeg
From within the MikroTik routers I can ping and traceroute all devices on the 10.1.101.0/24 network, at least I can ping in both directions between 10.1.101.254 and 10.1.101.2. On both WireGuard stations I've added routes for the distant networks (192.168.2.0/24 and 192.168.3.0/24) pointing to the wg_home interface, but still devices on these networks are not accessible. For instance I would expect to be able to ping from 192.168.3.102 to 192.168.2.103.

What I want to achieve is to be able to access services (ssh, smb, https, etc) from each side of the wireguard network to the other.

I guess I'm still doing something wrong in routing and the firewalls and hope some can help me out...

Config RB3011

# aug/26/2022 11:20:49 by RouterOS 7.3.1
# model = RB3011UiAS
/interface bridge
add admin-mac=... auto-mac=no comment=defconf name=bridge
/interface wireguard
add listen-port=13232 name=wg_home
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.2.150-192.168.2.200
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=16h name=defconf
/port
set 0 name=serial0
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,rest-api
/dude
set enabled=yes
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=10.1.101.2/32 comment="WG-home 1" endpoint-port=13232 interface=wg_home public-key="xNkRh..."
add allowed-address=10.1.101.102/32 comment="WG-home 2" endpoint-port=13232 interface=wg_home public-key="3sUjq..."
add allowed-address=10.1.101.103/32 comment="WG-home 3" endpoint-port=13232 interface=wg_home public-key="1+Az+..."
/ip address
add address=192.168.2.254/24 comment=defconf interface=bridge network=192.168.2.0
add address=10.1.101.254/24 interface=wg_home network=10.1.101.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
...
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf gateway=192.168.2.254 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.2.254 comment=defconf name=router.lan
...
add address=192.168.1.1 comment="modem" name=....lan
/ip firewall filter
add action=log chain=output comment=NTP-test disabled=yes dst-port=123 log=yes log-prefix="NTP frw test" out-interface=ether1 protocol=udp src-port=123
add action=accept chain=input comment="Wireguard accept port 13232(UDP)" dst-port=13232 log=yes log-prefix=wg_home protocol=udp
add action=accept chain=input comment="Winbox (13231)" dst-port=13231 protocol=tcp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input disabled=yes dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
...
/ip route
add disabled=no distance=1 dst-address=192.168.3.0/24 gateway=wg_home pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www-ssl address=0.0.0.0/0 certificate=SystemCertificate disabled=no
set api disabled=yes
set winbox port=13231
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/lcd
set default-screen=stat-slideshow
/lcd pin
set pin-number=1234
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Amsterdam
/system identity
set name=MT3011RB
/system logging
add disabled=yes prefix=TMP topics=debug
add disabled=yes prefix=NTP topics=ntp
add disabled=yes prefix=FRW topics=firewall
add prefix=EVT topics=event
add prefix=WRG topics=wireguard
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
add address=3.pool.ntp.org
/system scheduler
/system script
/tool bandwidth-server
set enabled=no
/tool graphing interface
/tool graphing resource
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Config Chateau 5G
# aug/26/2022 12:05:11 by RouterOS 7.2.1
# model = D53G-5HacD2HnD
/interface bridge
add admin-mac=... auto-mac=no comment=defconf name=bridge
add name=bridge_guest # the guest network is in progress, currently not relevant 
/interface lte
set [ find ] allow-roaming=no band="" name=lte1 nr-band=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=.... wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=.... wireless-protocol=802.11 wps-mode=disabled
/interface wireguard
add listen-port=13232 name=wg_home
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" mode=dynamic-keys name=guest supplicant-identity=MikroTik
/interface wireless
add disabled=no mac-address=... master-interface=wlan1 name=wlan4 security-profile=guest ssid=... wps-mode=disabled
/ip pool
add name=dhcp ranges=192.168.3.1-192.168.3.100
add name=dhcp_pool1 ranges=10.1.1.1-10.1.1.253
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
add address-pool=dhcp_pool1 interface=bridge_guest name=dhcp_guest
/interface bridge filter
add action=drop chain=forward in-interface=wlan4
add action=drop chain=forward out-interface=wlan4
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge_guest interface=wlan4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
add interface=bridge_guest list=LAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=....dyndns.org endpoint-port=13232 interface=wg_home persistent-keepalive=5s public-key="meVy..."
/ip address
add address=192.168.3.254/24 comment=defconf interface=bridge network=192.168.3.0
add address=10.1.1.254/24 interface=bridge_guest network=10.1.1.0
add address=10.1.101.2/24 interface=wg_home network=10.1.101.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=30m
/ip dhcp-server lease
....
/ip dhcp-server network
add address=10.1.1.0/24 comment="guest DHCP server" dns-server=10.1.1.254 gateway=10.1.1.254 netmask=24
add address=192.168.3.0/24 comment=defconf dns-server=192.168.3.254 gateway=192.168.3.254 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.3.254 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="WG-accept all from wg-home" dst-port=13232 log=yes log-prefix=wg_home protocol=udp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input dst-address=192.168.0.0/16 in-interface=bridge_guest log=yes log-prefix=FTWtest-log
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=\
    WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no distance=1 dst-address=192.168.2.0/24 gateway=wg_home pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Stockholm
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

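A small model of WireGuard's cryptokey routing, added here as an example; it is not code from the thread, from MikroTik or from the WireGuard project. It shows why a plain `/ip route dst-address=192.168.3.0/24 gateway=wg_home` is not enough: the peer's allowed-address list is what WireGuard consults both when picking a peer for an outgoing packet (longest prefix match on the destination; no match means the packet is dropped, whatever the route table says) and when accepting a decrypted packet (its source must fall inside that peer's list). The peer lists are the ones in the Aug 26 exports (RB3011 peer "WG-home 1" with 10.1.101.2/32, Chateau peer with 0.0.0.0/0), and the two hosts are the ones the poster said he expected to ping between. The same mechanism explains the first topology, where the RB's "WG Sorby" peer allows only 10.1.102.0/24 and not 192.168.10.0/24, which is anav's point (7). Peer labels, class and function names are this example's own.

```python
"""Cryptokey-routing model of the two-router WireGuard setup in this thread.

Added example, not code from the original post.  Peer allowed-address lists
are copied from the Aug 26 exports; everything else (names, the two host
addresses used as sample traffic) is constructed for the example.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


class WgInterface:
    """One WireGuard interface and the allowed-address list of each peer."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.peers = {}  # type: Dict[str, List]

    def add_peer(self, peer: str, allowed_address: str) -> None:
        # RouterOS writes the list comma-separated, e.g. "10.1.101.2/32,192.168.3.0/24"
        self.peers[peer] = [ip_network(a.strip()) for a in allowed_address.split(",")]

    def egress_peer(self, dst: str) -> Optional[str]:
        """Peer chosen for a packet leaving the interface: longest prefix wins.

        None means WireGuard has no peer to send it to and drops it, even if an
        /ip route pointed the packet at this interface.
        """
        d = ip_address(dst)
        best, best_len = None, -1
        for peer, nets in self.peers.items():
            for net in nets:
                if d in net and net.prefixlen > best_len:
                    best, best_len = peer, net.prefixlen
        return best

    def ingress_ok(self, peer: str, src: str) -> bool:
        """A decrypted packet from `peer` is kept only if its source is allowed."""
        s = ip_address(src)
        return any(s in net for net in self.peers[peer])


def send(tx: WgInterface, rx: WgInterface, rx_peer: str, src: str, dst: str) -> str:
    """Trace one packet from tx to rx; rx_peer is the name tx has in rx's peer list."""
    if tx.egress_peer(dst) is None:
        return f"dropped at {tx.name}: no peer allowed-address covers {dst}"
    if not rx.ingress_ok(rx_peer, src):
        return f"dropped at {rx.name}: source {src} not in allowed-address of {rx_peer}"
    return "delivered"


def build_site(rb_allowed_for_chateau: str) -> Tuple[WgInterface, WgInterface]:
    rb = WgInterface("RB3011 wg_home")
    rb.add_peer("chateau", rb_allowed_for_chateau)
    ch = WgInterface("Chateau wg_home")
    ch.add_peer("rb3011", "0.0.0.0/0")  # as in the posted Chateau config
    return rb, ch


def ping_both_ways(rb_allowed_for_chateau: str) -> Dict[str, str]:
    """Outcome of one packet in each direction between the two LAN hosts."""
    rb, ch = build_site(rb_allowed_for_chateau)
    left, right = "192.168.2.103", "192.168.3.102"  # hosts named in the thread
    return {
        "left->right": send(rb, ch, "rb3011", left, right),
        "right->left": send(ch, rb, "chateau", right, left),
    }


AS_POSTED = "10.1.101.2/32"             # RB3011 "WG-home 1" peer, Aug 26 export
FIXED = "10.1.101.2/32,192.168.3.0/24"  # remote LAN added, as point (7) advises

if __name__ == "__main__":
    for label, allowed in (("as posted", AS_POSTED), ("fixed", FIXED)):
        print(label)
        for direction, result in ping_both_ways(allowed).items():
            print(f"  {direction}: {result}")
```

With the as-posted list the packet dies at the RB3011 in both directions: outbound because no peer covers 192.168.3.x, inbound because a source of 192.168.3.x is not inside 10.1.101.2/32. Adding 192.168.3.0/24 to that one peer entry makes both directions pass; the Chateau needs nothing, since 0.0.0.0/0 already covers everything (and also means it will send any non-local destination into the tunnel). Two things the model leaves out that are worth checking on the real routers: the forward chain must let traffic between the bridge and wg_home through (the posted forward chains end without a final drop, so they do), and if a direction works in practice when the model says it should not, look for source NAT rewriting the address before it enters the tunnel, because a source masqueraded to the 10.1.101.x tunnel address passes the ingress check that the LAN address fails.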
 
anav
Forum Guru
Posts: 19101
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard routing

Fri Aug 26, 2022 4:33 pm

Your setup makes no sense to me.
Firstly, the RB3011 has no public IP address; it gets a private IP, and thus you have a modem/router in front of it, not a modem.
Can you forward a port on your modem/router?? Can you add routes??

Also you didn't read a thing I wrote, WireGuard is not a TCP protocol and yet
you didn't remove the line from the RB3011........
 
mikear
newbie
Topic Author
Posts: 40
Joined: Wed Mar 23, 2022 8:08 pm
Location: Utrecht, Netherlands

Re: Wireguard routing

Fri Aug 26, 2022 7:05 pm

Firstly, the RB3011 has no public IP address; it gets a private IP, and thus you have a modem/router in front of it, not a modem.

Also you didn't read a thing I wrote, WireGuard is not a TCP protocol and yet
you didn't remove the line from the RB3011........
1. All required ports from the (publicly available) cable modem are forwarded to the RB3011 router. I have not chosen to create a DMZ but just to forward all ports I need from the modem to 192.168.1.2 (RB3011), like 80, 22, 443, etc. The public address of the router is fixed (or available anyway via my dyndns account).
2. The TCP protocol on port 13231 is, after advice from someone else on this forum, made available for Winbox access (it's in the /ip service line of the RB3011). Actually I moved the WireGuard port to 13232 (which is also forwarded by the modem to the RB3011), so I guess for solving my WireGuard problem this port/protocol is not interfering in this process.

And of course, I fully agree, it will only make sense when it works, and that's exactly why I'm reaching out to the forum... :D
 
anav
Forum Guru
Posts: 19101
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard routing

Fri Aug 26, 2022 7:46 pm

Who in the forum stated you needed TCP port for wireguard settings?? Will look at the rest later.
 
mikear
newbie
Topic Author
Posts: 40
Joined: Wed Mar 23, 2022 8:08 pm
Location: Utrecht, Netherlands

Re: Wireguard routing

Fri Aug 26, 2022 8:04 pm

The advice was not for WireGuard but for Winbox, and in the context of WireGuard (as being safer). Sure, currently it makes no sense for WireGuard, but I still need it to be able to access my router. But is it in the way of my current WireGuard setup?
 
mikear
newbie
Topic Author
Posts: 40
Joined: Wed Mar 23, 2022 8:08 pm
Location: Utrecht, Netherlands

Re: Wireguard routing

Sun Aug 28, 2022 10:40 pm

I've made some progress: now I have full access from the right of the scheme to the left. I can access both the router (MT3011) and all devices behind the router using their local IP (in the range 192.168.2.0/24).
From left to right it is still not fully functional. I can access and fully control the CH5G router at the left side using its WireGuard IP address (10.1.101.2). But the network behind the router (192.168.3.0/24) is not accessible (by ping, or any other service). In the router at the left I've defined a route (192.168.3.0/24 to wg_home, which is the WG interface) and I tried a route 192.168.3.0/4 to 1.1.101.2 (the WG IP address of the router at the right of the scheme). But neither option works.

Besides the MikroTik modem at the right side, I also have another remote device behind a 4G network, which behaves the same (it can access the left side of the scheme but cannot be accessed).
I must be missing something in the routing or firewall but can't get any further.
Network_diagram_wireguard_20220826.jpeg
 
anav
Forum Guru
Posts: 19101
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard routing

Sun Aug 28, 2022 10:48 pm

Full configs of both units minus any public WANIP info please.
 
mikear
newbie
Topic Author
Posts: 40
Joined: Wed Mar 23, 2022 8:08 pm
Location: Utrecht, Netherlands

Re: Wireguard routing

Sun Aug 28, 2022 11:19 pm

Here the configs of the two MikroTik devices. Besides these there are some other WG clients (laptops, android phones, remote ARM-based device) which are now irrelevant. These have the IP ranges 192.168.8.0/24 and 192.168.10.0/24

Config LEFT router
# aug/28/2022 21:57:07 by RouterOS 7.3.1
# model = RB3011UiAS
/interface bridge
add admin-mac=... auto-mac=no comment=defconf name=bridge
/interface wireguard
add listen-port=13232 mtu=1420 name=wg_home
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp2 ranges=192.168.2.30-192.168.2.90
add name=dhcp next-pool=dhcp2 ranges=192.168.2.150-192.168.2.200
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-script="DNS_testscript\r\
    \n" lease-time=16h name=defconf
/port
set 0 name=serial0
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,\
    dude,rest-api"
/dude
set enabled=yes
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=10.1.101.2/32 comment="WG-home" endpoint-port=13232 interface=wg_home \
    public-key="xNkR..."
add allowed-address=10.1.101.102/32 comment="WG-home" endpoint-port=13232 interface=wg_home \
    public-key="3sUj...="
add allowed-address=10.1.101.103/32 comment="WG-home" endpoint-port=13232 interface=wg_home \
    public-key="1+Az+...."
add allowed-address=10.1.101.1/32 comment="WG-home" endpoint-port=13232 interface=wg_home \
    persistent-keepalive=20s public-key="g9Dv..."
/ip address
add address=192.168.2.254/24 comment=defconf interface=bridge network=192.168.2.0
add address=10.1.101.254/24 interface=wg_home network=10.1.101.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
...
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf gateway=192.168.2.254 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
...
/ip firewall filter
add action=accept chain=input comment="Wireguard accept port 13232(UDP)" dst-port=13232 log=yes log-prefix=\
    wg_home protocol=udp
add action=accept chain=input comment="Winbox (13231)" dst-port=13231 protocol=tcp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input disabled=yes dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related \
    hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="NTP NAT masquerade " dst-port=123 out-interface-list=WAN protocol=udp \
    to-ports=12300-12390
...
/ip route
add disabled=no distance=1 dst-address=192.168.3.0/24 gateway=wg_home pref-src=0.0.0.0 routing-table=main scope=\
    30 suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=192.168.10.0/24 gateway=wg_home pref-src=0.0.0.0 routing-table=main \
    scope=30 suppress-hw-offload=no target-scope=10
add comment="..." disabled=no distance=1 dst-address=192.168.8.0/24 gateway=wg_home \
    pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www-ssl address=0.0.0.0/0 certificate=SystemCertificate disabled=no
set api disabled=yes
set winbox port=13231
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/lcd
set default-screen=stat-slideshow
/lcd pin
set pin-number=1234
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Amsterdam
/system identity
set name=MT3011RB
/system logging
add disabled=yes prefix=FRW topics=firewall
add prefix=EVT topics=event
add prefix=WRG topics=wireguard
add prefix=RTE topics=route
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
add address=3.pool.ntp.org
/system scheduler
...
/system script
add dont-require-permissions=no name="DNS static updater" owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/ip dns static;\r\
    \n:foreach a in=[find] do={\r\
    \n#  :if ([get \$a ttl] = \$ttl) do={\r\
    \n    :put (\"Removing: \" . [get \$a name] . \" : \" . [get \$a address]);\r\
    \n#    remove \$a;\r\
    \n#  }\r\
    \n}"
/tool bandwidth-server
set enabled=no
/tool graphing interface
add allow-address=192.168.2.0/24 interface=bridge
add allow-address=192.168.2.0/24 interface=ether1
/tool graphing resource
add allow-address=192.168.2.0/24
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Config RIGHT side
# aug/28/2022 22:06:05 by RouterOS 7.2.1
# model = D53G-5HacD2HnD
/interface bridge
add admin-mac=... auto-mac=no comment=defconf name=bridge
add name=bridge_guest
/interface lte
set [ find ] allow-roaming=no band="" name=lte1 nr-band=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors \
    frequency=auto installation=indoor mode=ap-bridge ssid=.... wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=\
    indoors frequency=auto installation=indoor mode=ap-bridge ssid=.... wireless-protocol=\
    802.11 wps-mode=disabled
/interface wireguard
add listen-port=13232 mtu=1420 name=wg_home
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=\
    MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" mode=dynamic-keys name=guest \
    supplicant-identity=MikroTik
/interface wireless
add disabled=no mac-address=DE:2C:6E:C2:0E:EF master-interface=wlan1 name=wlan4 security-profile=guest \
    ssid=..._guest wps-mode=disabled
/ip pool
add name=dhcp ranges=192.168.3.1-192.168.3.100
add name=dhcp_pool1 ranges=10.1.1.1-10.1.1.253
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
add address-pool=dhcp_pool1 interface=bridge_guest name=dhcp_guest
/interface bridge filter
# no interface
add action=drop chain=forward in-interface=*A
# no interface
add action=drop chain=forward out-interface=*A
add action=drop chain=forward in-interface=wlan4
add action=drop chain=forward out-interface=wlan4
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge_guest interface=*A
add bridge=bridge_guest interface=wlan4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
add interface=bridge_guest list=LAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=....ddns.org endpoint-port=13232 interface=\
    wg_home persistent-keepalive=20s public-key="meVy..."
/ip address
add address=192.168.3.254/24 comment=defconf interface=bridge network=192.168.3.0
add address=10.1.1.254/24 interface=bridge_guest network=10.1.1.0
add address=10.1.101.2/24 interface=wg_home network=10.1.101.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=30m
/ip dhcp-server lease
add address=192.168.3.102 client-id=1:90:78:41:30:ea:8  mac-address=90:78:41:30:EA:08 server=defconf
add address=192.168.3.109 client-id=ff:9a:d0:9b:4a:0:1:0:1:27:6e:76:44:30:1f:9a:d0:9b:4a mac-address=30:1F:9A:D0:9B:4A server=defconf
add address=192.168.3.202 client-id=1:88:b1:11:c3:4:74  mac-address=88:B1:11:C3:04:74 server=defconf
/ip dhcp-server network
add address=10.1.1.0/24 comment="guest DHCP server" dns-server=10.1.1.254 gateway=10.1.1.254 netmask=24
add address=192.168.3.0/24 comment=defconf dns-server=192.168.3.254 gateway=192.168.3.254 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.3.254 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="WG-accept all from wg-home" dst-port=13232 log=yes log-prefix=\
    wg_home protocol=udp
add action=drop chain=input comment="GUEST: Block all from guest to local network" dst-address=\
    192.168.0.0/16 in-interface=bridge_guest log=yes log-prefix=FTWtest-log
add action=drop chain=input comment="GUEST: Block all from guest to wg_home VPN" dst-address=\
    10.1.101.0/24 in-interface=bridge_guest log=yes log-prefix=FTWtest-log
add action=drop chain=input comment="GUEST: Block all from guest to router webinterface" \
    connection-state=invalid,established,related,new,untracked dst-address=10.1.1.254 dst-port=\
    21,22,23,80,443,8728,8729 in-interface=bridge_guest log=yes log-prefix=FTWtest-log protocol=tcp
add action=accept chain=input comment="WINBOX only from wg-home" dst-port=8291 in-interface=wg_home \
    log=yes log-prefix=wg_home protocol=tcp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=\
    127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=\
    !dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
    out-interface-list=WAN
add action=masquerade chain=srcnat src-address=192.168.3.0/24
/ip route
add disabled=no distance=1 dst-address=192.168.2.0/24 gateway=wg_home pref-src=0.0.0.0 routing-table=\
    main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.1.1/32 gateway=wg_home pref-src=0.0.0.0 routing-table=\
    main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.8.0/24 gateway=wg_home pref-src=0.0.0.0 routing-table=\
    main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.10.0/24 gateway=wg_home pref-src=0.0.0.0 routing-table=\
    main scope=30 suppress-hw-offload=no target-scope=10
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 \
    protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=\
    in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=\
    bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=\
    bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=\
    in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" \
    in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Stockholm
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

 
anav
Forum Guru
Posts: 19101
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard routing

Mon Aug 29, 2022 3:12 am

LEFT ROUTER
(1) One should not leave the WINBOX port exposed to the internet.
add action=accept chain=input comment="Winbox (13231)" dst-port=13231 protocol=tcp

Winbox needs only to be available to
a. specific LAN users
b. specific vpn users after they arrive in the router!

Since you don't have a block rule from LAN to WAN, you don't need any rule here so simply remove it.
LAN users by this rule will be able to access winbox.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

If you have vpn users that need access to winbox then make another input rule before the !LAN rule, where you specifically note an in-interface on the router or src-address valid within the router.
add action=accept chain=input in-interface=vpn-interface-name ( or src-address of VPN user) dst-port=winboxport protocol=tcp

(2) Your IP Route to the subnet at the remote router 192.168.3.0/24 is good, however go back to wireguard peer settings for this remote chateau......
/interface wireguard peers
add allowed-address=10.1.101.2/32,Missing comment="WG-home" endpoint-port=13232 interface=wg_home \
public-key="xNkR..."


needs to be
/interface wireguard peers
add allowed-address=10.1.101.2/32,192.168.3.0/24 comment="WG-home" endpoint-port=13232 interface=wg_home \
public-key="xNkR..."
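To make the rule-ordering point concrete, here is an added Python model of first-match evaluation on the input chain. It is example code written for this thread, not RouterOS itself and not anything the poster ran. The rule set is a reduced copy of the LEFT router's input chain from the export above, with ether1 in WAN and bridge in LAN as posted; the hardened variant, the peer interface name wg_home used in it, and the three ingress interfaces it probes are assumptions for illustration.

```python
"""First-match model of a RouterOS input chain (added example, not the
thread's code).  Rules are a reduced, constructed copy of the LEFT router's
export above; only the matchers used by those rules are modelled."""
from dataclasses import dataclass
from typing import Optional, Set

# Interface-list membership as in the posted export: ether1 is WAN, bridge is
# LAN, and wg_home is in neither list.
INTERFACE_LISTS = {"WAN": {"ether1"}, "LAN": {"bridge"}}
WINBOX_PORT = 13231  # the non-default Winbox port from /ip service in the export


@dataclass
class Packet:
    in_interface: str
    protocol: str
    dst_port: Optional[int] = None
    connection_state: str = "new"


@dataclass
class Rule:
    action: str
    comment: str = ""
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    in_interface: Optional[str] = None
    in_interface_list: Optional[str] = None   # e.g. "LAN" or "!LAN"
    connection_state: Optional[Set[str]] = None

    def matches(self, pkt: Packet) -> bool:
        """Every configured matcher must hold; unset matchers match anything."""
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        if self.in_interface is not None and pkt.in_interface != self.in_interface:
            return False
        if self.in_interface_list is not None:
            negate = self.in_interface_list.startswith("!")
            members = INTERFACE_LISTS[self.in_interface_list.lstrip("!")]
            if (pkt.in_interface in members) == negate:
                return False
        if self.connection_state is not None and pkt.connection_state not in self.connection_state:
            return False
        return True


def evaluate(chain, pkt: Packet) -> str:
    """The first matching rule decides; a filter chain with no match falls
    through to RouterOS's default, which is accept."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.action
    return "accept"


def original_input_chain():
    """Input chain as posted: the Winbox accept has no interface restriction."""
    return [
        Rule("accept", "Wireguard accept port 13232(UDP)", protocol="udp", dst_port=13232),
        Rule("accept", "Winbox (13231)", protocol="tcp", dst_port=WINBOX_PORT),
        Rule("accept", "defconf: accept established,related,untracked",
             connection_state={"established", "related", "untracked"}),
        Rule("drop", "defconf: drop invalid", connection_state={"invalid"}),
        Rule("accept", "defconf: accept ICMP", protocol="icmp"),
        Rule("drop", "defconf: drop all not coming from LAN", in_interface_list="!LAN"),
    ]


def hardened_input_chain():
    """Same chain, but Winbox is only accepted when it arrives over the tunnel
    interface (assumed name wg_home), as suggested in the reply above."""
    chain = original_input_chain()
    chain[1] = Rule("accept", "Winbox only from wg_home", protocol="tcp",
                    dst_port=WINBOX_PORT, in_interface="wg_home")
    return chain


def winbox_exposure(chain):
    """Verdict for a NEW TCP connection to the Winbox port, per ingress interface."""
    return {ifname: evaluate(chain, Packet(ifname, "tcp", WINBOX_PORT))
            for ifname in ("ether1", "bridge", "wg_home")}


if __name__ == "__main__":
    print("as posted :", winbox_exposure(original_input_chain()))
    print("hardened  :", winbox_exposure(hardened_input_chain()))
```

Running it shows the chain as posted accepting a fresh Winbox connection from ether1 (the WAN side), because the accept rule sits above the "drop all not coming from LAN" rule and carries no interface matcher; the hardened chain drops that same packet and still accepts Winbox from the bridge (via the default accept after the !LAN drop fails to match) and from wg_home.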
 
anav
Forum Guru
Posts: 19101
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard routing

Mon Aug 29, 2022 3:26 am

RIGHT SIDE ROUTER
(1) This rule makes no sense on the input chain; if anything it would be a forward chain rule..... Remember the wireguard interface is like parallel to the LAN in location.
add action=drop chain=input comment="GUEST: Block all from guest to wg_home VPN" dst-address=\
10.1.101.0/24 in-interface=bridge_guest log=yes log-prefix=FTWtest-log

(2) Same idea with this rule................
add action=drop chain=input comment="GUEST: Block all from guest to local network" dst-address=\
192.168.0.0/16 in-interface=bridge_guest log=yes log-prefix=FTWtest-log

(3) I have no clue what you are trying to do here........
add action=drop chain=input comment="GUEST: Block all from guest to router webinterface" \
connection-state=invalid,established,related,new,untracked dst-address=10.1.1.254 dst-port=\
21,22,23,80,443,8728,8729 in-interface=bridge_guest log=yes log-prefix=FTWtest-log protocol=tcp

(4) What is not clear is the discrepancy in routes and allowed peers to the left side router.
One would think that you wanted internet access by the use of 0.0.0.0/0 which by the way will also include the subnet and the wg interface IP of the left side as well so three birds one rule..
However you have no routing to tell the Right Side subnet to go out the wireguard tunnel for internet.
So which is it.
a. bad allowed peers setting (should be wireguard IP of left side, and subnet of left side) OR
b. missing routing for internet to force users out tunnel.
 
mikear
newbie
Topic Author
Posts: 40
Joined: Wed Mar 23, 2022 8:08 pm
Location: Utrecht, Netherlands

Re: Wireguard routing

Mon Aug 29, 2022 8:57 pm

OK, @anav, this did the trick. I had, as you suggested, to add the local subnets of the various routers to the AllowedIPs section. This was not clear to me from the manuals of Wireguard and Mikrotik.

The setup is:
Router A is connected to the wireguard subnet with a fixed IP (A.wg) and has 1 other subnet (A.s1)
Router B is connected to the wireguard subnet with a fixed ip (B.wg) and has 2 other subnets (B.s1 and B.s2)
Router C is connected to the wireguard subnet with a fixed ip (C.wg) and has 1 other subnet (C.s1)

So what I did finally is the following:
In A the AllowedIPs are set for the A.wg/32 AND for A.s1/24
In B the AllowedIPs are set for the B.wg/32 AND for B.s1/24 and B.s2/24
In C the AllowedIPs are set for the C.wg/32 AND for C.s1/24

In A the routes are defined to B.s1/24->B.wg, B.s2/24->B.wg and C.s1/24->C.wg
In B the routes are defined to A.s1/24->A.wg and C.s1/24->C.wg
In C the routes are defined to B.s1/24->B.wg, B.s2/24->B.wg and A.s1/24->A.wg

I'll let the discussion about the other wg-principals and firewall settings alone here, they were work in progress and not part of my question.
Thanks for the help!
 
anav
Forum Guru
Posts: 19101
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard routing  [SOLVED]

Mon Aug 29, 2022 10:36 pm

Sorry mike, I should have given you the link to the New Testament - viewtopic.php?t=182340

Remember, if you remember anything, that the Allowed IPs you put on the local router always concern the remote device.

a. local users originating traffic on the local router need to reach a remote subnet ( that remote subnet is the subnet you put in allowed IPs).
The local router when seeing a destination address checks if such a subnet is identified in all peer addresses and then matches the right subnet to the first peer in the order that contains that subnet (and thus the correct routing will be determined). (Matching/selection process)

b. remote users originating traffic on the remote device are reaching the local router and wish to exit the tunnel. (The remote users subnet is the subnet you need to put in allowed IPs)
The local router will see remote traffic attempting to exit the tunnel, the router will consult the peer lists to ensure those source addresses are allowed to exit the tunnel and enter the router ( sorta parallel to the LAN).

c. You always should put the wireguard IP address of the remote peer as an allowed IP, especially the hub; the spokes (such as road warriors or other MT routers that are not like a hub) normally put the subnet of the wireguard network, which allows them to easily ping the other spokes of the wheel so to speak.

d. If a local subnet on the local router needs access at a peer, then the remote address is 0.0.0.0/0 and this will include any remote subnets they may need to visit as well as the peer wg address.
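The two directions described in points a. and b. above, and the A/B/C AllowedIPs-plus-routes layout mikear ended up with, both come down to one mechanism: WireGuard's cryptokey routing, where a peer's allowed-address list is used as the outbound peer selector and as an inbound source-address filter at the same time. The following is an added Python model of that behaviour (example code for this thread, not MikroTik's or WireGuard's own code). It reproduces the LEFT router's situation from the export above, first with only 10.1.101.2/32 on the remote peer and then with 192.168.3.0/24 added; the peer names "right" and "laptop", the sample host 192.168.3.102, and the second interface with a 0.0.0.0/0 peer are constructed for illustration. The model uses longest-prefix matching across peers as the kernel does, but does not model the kernel rule that a prefix added to a second peer is removed from the first.

```python
"""Model of WireGuard cryptokey routing, i.e. what allowed-address does on a
peer (added example, not the thread's or MikroTik's code).  Outbound packets
go to the peer whose AllowedIPs hold the destination with the longest prefix;
inbound decrypted packets are delivered only if their source lies in the
sending peer's AllowedIPs.  The kernel additionally keeps each prefix on a
single peer; that bookkeeping is not modelled here."""
import ipaddress
from typing import Dict, List, Optional, Tuple


class WireGuardInterface:
    def __init__(self, name: str):
        self.name = name
        # (peer name, list of allowed networks) in configuration order
        self.peers: List[Tuple[str, List[ipaddress.IPv4Network]]] = []

    def add_peer(self, name: str, allowed: List[str]) -> None:
        self.peers.append((name, [ipaddress.ip_network(a) for a in allowed]))

    def select_peer(self, dst: str) -> Optional[str]:
        """Outbound: longest-prefix match over every peer's AllowedIPs.  None
        means no peer claims the address; a route pointing at the interface
        then cannot deliver the packet, which is the symptom in the thread."""
        addr = ipaddress.ip_address(dst)
        best = None
        for name, nets in self.peers:
            for net in nets:
                if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                    best = (name, net)
        return best[0] if best else None

    def accept_inbound(self, peer: str, src: str) -> bool:
        """Inbound: the AllowedIPs of the peer that sent the packet act as a
        source-address ACL; anything outside them is dropped silently."""
        addr = ipaddress.ip_address(src)
        for name, nets in self.peers:
            if name == peer:
                return any(addr in net for net in nets)
        return False


def left_router(with_remote_subnet: bool) -> WireGuardInterface:
    """LEFT router as in the thread: peer 'right' is the remote RouterOS unit
    at 10.1.101.2 whose LAN is 192.168.3.0/24; 'laptop' is a road warrior.
    Peer names are constructed for this example."""
    wg = WireGuardInterface("wg_home")
    right_allowed = ["10.1.101.2/32"]
    if with_remote_subnet:
        right_allowed.append("192.168.3.0/24")   # the fix from the thread
    wg.add_peer("right", right_allowed)
    wg.add_peer("laptop", ["10.1.101.102/32"])
    return wg


def reachability(with_remote_subnet: bool) -> Dict[str, object]:
    """Outcome for traffic toward, and replies from, the remote LAN."""
    wg = left_router(with_remote_subnet)
    return {
        "to 10.1.101.2": wg.select_peer("10.1.101.2"),
        "to 192.168.3.102": wg.select_peer("192.168.3.102"),
        "reply from 192.168.3.102": wg.accept_inbound("right", "192.168.3.102"),
    }


def longest_prefix_wins() -> Tuple[Optional[str], Optional[str]]:
    """A 0.0.0.0/0 peer only catches what no narrower entry on another peer
    claims (constructed peers)."""
    wg = WireGuardInterface("demo")
    wg.add_peer("default-exit", ["0.0.0.0/0"])
    wg.add_peer("site-b", ["10.1.101.3/32", "192.168.8.0/24"])
    return wg.select_peer("192.168.8.20"), wg.select_peer("1.1.1.1")


if __name__ == "__main__":
    print("allowed-address=10.1.101.2/32 only   :", reachability(False))
    print("allowed-address adds 192.168.3.0/24  :", reachability(True))
    print("longest prefix wins                  :", longest_prefix_wins())
```

With only the /32, the wireguard IP of the remote router is reachable but a packet for 192.168.3.102 finds no peer to be encrypted for, and a reply from that host would be discarded on arrival; adding 192.168.3.0/24 to the same peer fixes both directions at once. The routing entry (dst 192.168.3.0/24 via wg_home) is still needed to get the packet to the interface in the first place, which is the point mikear makes in the closing post.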
 
mikear
newbie
Topic Author
Posts: 40
Joined: Wed Mar 23, 2022 8:08 pm
Location: Utrecht, Netherlands

Re: Wireguard routing

Tue Aug 30, 2022 8:44 pm

Thanks @anav for your patience and explanations. Especially the link to your New Testament explained a lot of the background. I have now exactly what I want: a publicly accessible router (Mikrotik on which only the udp port for the wireguard port is open) and two routers (one Mikrotik, one Olimex-lime2-based router) behind natted networks. All registered clients (laptops, android devices, etc) can communicate with all devices behind the various subnets, and all guest clients can only access the internet (all routes to local subnet, wireguard and router interfaces are blocked). Also all Mikrotik management is done through the wireguard network.

My confusion was about the AllowedIPs, which indeed, as you have pointed out, are only the REMOTE subnet IPs (or ranges) from and to which traffic can be initiated. And they need to be defined at both ends of the wireguard network (meaning the routers). And also important, for each traffic route at both sides a route should be defined to the subnets at both ends of the WG net; just adding a subnet to the AllowedIPs is not sufficient.
