invadersMustDie
just joined
Topic Author
Posts: 3
Joined: Sun Mar 27, 2022 1:01 am

WireGuard can't reach LAN

Tue Mar 29, 2022 7:47 pm

I've been trying to solve it for a few days without any success.
So here is my config.
/interface bridge
add admin-mac=08:55:31:3E:74:1B auto-mac=no comment=defconf name=bridge
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    use-peer-dns=yes user=XXXXXXXXX
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.88.50-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=23h name=defconf
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/interface wireguard peers
add allowed-address=192.168.77.0/24,192.168.88.0/24 interface=wireguard \
    persistent-keepalive=10s public-key=\
    "XXXXXXX"
add allowed-address=192.168.77.0/24,192.168.88.0/24 interface=wireguard \
    persistent-keepalive=10s public-key=\
    "XXXXXXX"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.77.1/24 interface=wireguard network=192.168.77.0
/ip arp
add address=192.168.88.254 comment=broadcast interface=bridge mac-address=\
    FF:FF:FF:FF:FF:FF
add address=192.168.88.222 interface=bridge mac-address=D0:50:99:4D:FC:2D
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=WireGuard dst-port=13231 protocol=udp
add action=accept chain=input comment=\
    "accept established,related,untracked DEFAULT!" connection-state=\
    established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment=\
    "accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface=pppoe-out1
WG client-side config from laptop
[Interface]
PrivateKey = XXXXX
Address = 192.168.77.2/32

[Peer]
PublicKey = XXXXX
AllowedIPs = 192.168.77.0/24, 192.168.88.0/24
Endpoint = XXXXX:13231
PersistentKeepalive = 10

Connection is established but I can ping only 192.168.77.1 and 192.168.88.1 from the laptop. What is the problem? I've made a static route for 192.168.88.0/24 with 192.168.77.1 as gateway - no result. And tried to forward 88.0/24 to 77.0/24 and back through the firewall filter.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard can't reach LAN

Wed Mar 30, 2022 6:17 pm

So the conclusion is you wish to be able to connect to your MT router (Server) from a mobile device (laptop) for the purposes of accessing devices on the LAN of the mikrotik??

Why two peer settings identical on Mikrotik?? Why keep alive ??? Why do you have the subnet on the MT LAN as an allowed IP ?????
/interface wireguard peers
add allowed-address=192.168.77.0/24,192.168.88.0/24 interface=wireguard \
persistent-keepalive=10s public-key=\
"XXXXXXX"
add allowed-address=192.168.77.0/24,192.168.88.0/24 interface=wireguard \
persistent-keepalive=10s public-key=\
"XXXXXXX"
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard can't reach LAN

Wed Mar 30, 2022 6:23 pm

Not sure what you mean by static routes, but NOT required.

(1) Allowed IPs
This needs fixing
For allowed IPs at MT device,
all you need is 192.168.77.2/32

This is already correct!!
At mobile laptop all you need for allowed IPs is
192.168.88.0/24, 192.168.77.0/24

(2) IP Routes
NO need to add any routes as the IP address for the wireguard interface ensures there is a route back to the mobile laptop dynamically
(DAC) dst-address=192.168.77.0/24 gwy=wireguard

(3) IP address structure............ looks fine.

(4) Firewall rules. ..............look fine, or more accurately nothing I see that will prevent laptop to lan subnet traffic?
Last edited by anav on Wed Mar 30, 2022 6:56 pm, edited 1 time in total.
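The AllowedIPs rules anav lays out above (server side: only the peer's own /32; client side: the tunnel subnet plus the LAN subnet; no two peers claiming the same prefix) can be checked mechanically. The following is an added example, not code from the thread or from MikroTik: it parses the RouterOS "/interface wireguard peers" export format and a wg-quick style client file and reports the mistakes in the configuration as posted. The keys, the endpoint name and the second-peer line are constructed placeholders.

```python
"""Audit WireGuard AllowedIPs on both ends of a MikroTik tunnel.

Added example, not from the thread. Keys and endpoint are placeholders."""
import configparser
import ipaddress
import re
from typing import Dict, List

TUNNEL_NET = "192.168.77.0/24"   # WireGuard interface subnet on the router
LAN_NETS = ["192.168.88.0/24"]   # subnet(s) behind the router's bridge

# Constructed server-side export mirroring the thread: two peers with the
# same over-broad allowed-address list.
SERVER_PEERS_EXPORT = """
/interface wireguard peers
add allowed-address=192.168.77.0/24,192.168.88.0/24 interface=wireguard \\
    persistent-keepalive=10s public-key=\\
    "PEER1_PUBKEY_PLACEHOLDER="
add allowed-address=192.168.77.0/24,192.168.88.0/24 interface=wireguard \\
    persistent-keepalive=10s public-key=\\
    "PEER2_PUBKEY_PLACEHOLDER="
"""

# The same export corrected as anav suggests: one peer, its own /32 only.
FIXED_SERVER_PEERS_EXPORT = """
/interface wireguard peers
add allowed-address=192.168.77.2/32 interface=wireguard \\
    persistent-keepalive=10s public-key="PEER1_PUBKEY_PLACEHOLDER="
"""

# Constructed laptop-side config; endpoint is a placeholder.
CLIENT_CONF = """
[Interface]
PrivateKey = CLIENT_PRIVKEY_PLACEHOLDER=
Address = 192.168.77.2/32

[Peer]
PublicKey = SERVER_PUBKEY_PLACEHOLDER=
AllowedIPs = 192.168.77.0/24, 192.168.88.0/24
Endpoint = router.example.invalid:13231
PersistentKeepalive = 10
"""


def unwrap_export(text: str) -> List[str]:
    """Join RouterOS export lines continued with a trailing backslash."""
    joined = re.sub(r"\\\n\s*", "", text)
    return [ln.strip() for ln in joined.splitlines() if ln.strip()]


def parse_peers(text: str) -> List[Dict[str, str]]:
    """Return one attribute dict per 'add ...' line of a peers export."""
    peers = []
    for line in unwrap_export(text):
        if not line.startswith("add "):
            continue
        attrs = {}
        for m in re.finditer(r'(\S+?)=("[^"]*"|\S+)', line[4:]):
            attrs[m.group(1)] = m.group(2).strip('"')
        peers.append(attrs)
    return peers


def audit_server_peers(peers, tunnel_net: str, lan_nets: List[str]) -> List[str]:
    """Flag server-side allowed-address entries that break or weaken routing."""
    tunnel = ipaddress.ip_network(tunnel_net)
    lans = [ipaddress.ip_network(n) for n in lan_nets]
    claimed: Dict[ipaddress.IPv4Network, int] = {}
    findings = []
    for idx, peer in enumerate(peers, 1):
        for raw in peer["allowed-address"].split(","):
            pfx = ipaddress.ip_network(raw)
            # The LAN sits behind the bridge, not behind this peer; listing it
            # here makes the router send LAN-bound packets into the tunnel.
            if any(pfx.overlaps(lan) for lan in lans):
                findings.append(f"peer {idx}: {pfx} overlaps the LAN subnet")
            # Wider than /32 lets this peer source any tunnel address.
            elif pfx.subnet_of(tunnel) and pfx.prefixlen != 32:
                findings.append(f"peer {idx}: {pfx} is wider than the peer's own /32")
            # WireGuard maps each prefix to exactly one peer; a repeat steals it.
            if pfx in claimed:
                findings.append(f"peer {idx}: {pfx} already claimed by peer {claimed[pfx]}")
            claimed.setdefault(pfx, idx)
    return findings


def parse_client_conf(text: str) -> configparser.ConfigParser:
    """Parse a wg-quick style .conf file."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp


def audit_client(conf: configparser.ConfigParser, lan_nets: List[str]) -> List[str]:
    """The laptop only routes LAN traffic into the tunnel if AllowedIPs covers it."""
    allowed = [ipaddress.ip_network(a.strip()) for a in conf["Peer"]["AllowedIPs"].split(",")]
    findings = []
    for lan in (ipaddress.ip_network(n) for n in lan_nets):
        if not any(lan.subnet_of(a) for a in allowed):
            findings.append(f"client AllowedIPs does not cover {lan}")
    return findings


if __name__ == "__main__":
    for f in audit_server_peers(parse_peers(SERVER_PEERS_EXPORT), TUNNEL_NET, LAN_NETS):
        print("server:", f)
    print("client:", audit_client(parse_client_conf(CLIENT_CONF), LAN_NETS) or "ok")
```

Run against the export as posted it reports six findings (each peer lists a /24 instead of its /32 and the LAN subnet, and the second peer repeats both prefixes); against the corrected export and the laptop config it reports nothing, which matches anav's reading that only the server-side allowed-address needed fixing.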
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard can't reach LAN

Wed Mar 30, 2022 6:31 pm

I think this is not required as your dhcp client settings are all done in pppoe???
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1 use-peer-dns=no
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard can't reach LAN

Wed Mar 30, 2022 6:34 pm

If you want to be able to configure the router through the wireguard tunnel this is preventing such traffic.
add action=drop chain=input comment="drop all not coming from LAN" \
in-interface-list=!LAN

Two options, add another input chain rule from in-interface=wireguard dst-port=winbox src-address=192.168.77.2

OR

add interface=wireguard list=LAN
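To see why the two options above behave differently, it helps to trace one packet through the chains exactly as posted. The following is an added example and not RouterOS code: a small Python model of only the matchers those rules use (interface lists, connection state, protocol, port, source address), with the posted input and forward chains written as dicts. The packets are constructed; 8291 is Winbox's default TCP port, which the thread only refers to as dst-port=winbox.

```python
"""Trace one packet through the input and forward chains posted in the thread.

Added example, not RouterOS code; models only the matchers those rules use."""
import ipaddress
from typing import Dict, List, Set, Tuple

# '/interface list member' as posted: bridge is LAN, ether1/pppoe-out1 are WAN.
IFACE_LISTS: Dict[str, Set[str]] = {"LAN": {"bridge"}, "WAN": {"ether1", "pppoe-out1"}}

# Chains as posted, rule order preserved.
INPUT_CHAIN: List[dict] = [
    {"action": "accept", "protocol": "udp", "dst-port": 13231, "comment": "WireGuard"},
    {"action": "accept", "connection-state": {"established", "related", "untracked"}},
    {"action": "drop", "connection-state": {"invalid"}},
    {"action": "accept", "protocol": "icmp"},
    {"action": "drop", "in-interface-list": "!LAN", "comment": "drop all not coming from LAN"},
]
FORWARD_CHAIN: List[dict] = [
    {"action": "accept", "connection-state": {"established", "related", "untracked"}},
    {"action": "drop", "connection-state": {"invalid"}},
    {"action": "accept", "ipsec-policy": "in,ipsec"},
    {"action": "accept", "ipsec-policy": "out,ipsec"},
    {"action": "drop", "connection-nat-state": "!dstnat", "in-interface-list": "WAN",
     "comment": "drop all from WAN not DSTNATed"},
]

# Option 1 from the post: a narrow accept for Winbox from the laptop only.
WINBOX_ACCEPT_RULE = {"action": "accept", "in-interface": "wireguard", "protocol": "tcp",
                      "dst-port": 8291, "src-address": "192.168.77.2",
                      "comment": "winbox from laptop over wireguard"}

# Constructed packets arriving on the wireguard interface: a new Winbox
# session to the router itself, and a new SMB session to a LAN host.
WINBOX_TO_ROUTER = {"in-interface": "wireguard", "src": "192.168.77.2", "dst": "192.168.88.1",
                    "protocol": "tcp", "dst-port": 8291, "connection-state": "new"}
SMB_TO_LAN_HOST = {"in-interface": "wireguard", "src": "192.168.77.2", "dst": "192.168.88.222",
                   "protocol": "tcp", "dst-port": 445, "connection-state": "new"}


def _negatable(want: str) -> Tuple[bool, str]:
    """Split a '!value' matcher into (negated, value)."""
    return want.startswith("!"), want.lstrip("!")


def rule_matches(rule: dict, pkt: dict, lists: Dict[str, Set[str]]) -> bool:
    """True if every matcher in the rule agrees with the packet."""
    for key, want in rule.items():
        if key in ("action", "comment"):
            continue
        if key == "in-interface-list":
            neg, name = _negatable(want)
            hit = pkt["in-interface"] in lists.get(name, set())
        elif key == "connection-nat-state":
            neg, name = _negatable(want)
            hit = pkt.get("connection-nat-state") == name
        elif key == "connection-state":
            neg, hit = False, pkt["connection-state"] in want
        elif key == "src-address":
            neg, hit = False, ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(want, strict=False)
        elif key in ("in-interface", "protocol", "dst-port", "ipsec-policy"):
            neg, hit = False, pkt.get(key) == want
        else:
            raise ValueError(f"matcher not modelled: {key}")
        if hit == neg:  # wanted a hit and got none, or wanted none and got one
            return False
    return True


def walk_chain(chain: List[dict], pkt: dict, lists=IFACE_LISTS) -> Tuple[str, str]:
    """(action, comment) of the first matching rule; a chain ends in an implicit accept."""
    for i, rule in enumerate(chain):
        if rule_matches(rule, pkt, lists):
            return rule["action"], rule.get("comment", f"rule {i}")
    return "accept", "implicit accept"


def with_wireguard_in_lan(lists=IFACE_LISTS) -> Dict[str, Set[str]]:
    """Option 2 from the post: 'add interface=wireguard list=LAN'."""
    new = {name: set(members) for name, members in lists.items()}
    new["LAN"].add("wireguard")
    return new


def with_winbox_rule(chain=INPUT_CHAIN) -> List[dict]:
    """Insert the narrow accept before the final drop, where it can take effect."""
    return chain[:-1] + [WINBOX_ACCEPT_RULE] + chain[-1:]


if __name__ == "__main__":
    print("input, as posted:       ", walk_chain(INPUT_CHAIN, WINBOX_TO_ROUTER))
    print("input, wireguard in LAN:", walk_chain(INPUT_CHAIN, WINBOX_TO_ROUTER, with_wireguard_in_lan()))
    print("input, winbox rule:     ", walk_chain(with_winbox_rule(), WINBOX_TO_ROUTER))
    print("forward, as posted:     ", walk_chain(FORWARD_CHAIN, SMB_TO_LAN_HOST))
```

As posted, the Winbox packet is dropped by "drop all not coming from LAN", while the SMB packet to a LAN host falls through the forward chain to its implicit accept, which is the basis for the later remark that nothing in the firewall blocks laptop-to-LAN traffic. Putting wireguard in the LAN list accepts the Winbox packet, but it also opens every router service to every tunnel peer; the single accept rule placed before the drop grants only that one port from that one address, which is the tighter choice when the tunnel is only needed for management.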
 
invadersMustDie
just joined
Topic Author
Posts: 3
Joined: Sun Mar 27, 2022 1:01 am

Re: WireGuard can't reach LAN

Thu Mar 31, 2022 1:44 pm

anav wrote:
If you want to be able to configure the router through the wireguard tunnel this is preventing such traffic.
add action=drop chain=input comment="drop all not coming from LAN" \
in-interface-list=!LAN

Two options, add another input chain rule from in-interface=wireguard dst-port=winbox src-address=192.168.77.2

OR

add interface=wireguard list=LAN
The purpose is to reach a media server via samba on the MT side. I can reach it through LAN. So I even added both of these options: 1. wireguard interface to the LAN interface list and 2. input chain rule, but without dst-port.
And I still can't even ping anything in LAN except 88.1 (MT)
DHCP-client was disabled it was for other stuff
Allowed IPs I've fixed too
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard can't reach LAN

Thu Mar 31, 2022 2:04 pm

Not quite sure what you mean by via samba?
In any case there is nothing blocking in the firewall, no rules needed to be added.
If you cannot ping the server its because you have windows firewall or some software firewall or even the samba server software itself blocking the pinging.
 
holvoetn
Forum Guru
Posts: 5403
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: WireGuard can't reach LAN

Thu Mar 31, 2022 5:27 pm

anav wrote:
Not quite sure what you mean by via samba?
SMB protocol, with freeware port known as samba
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: WireGuard can't reach LAN

Thu Mar 31, 2022 5:52 pm

Make sure your target responds to pings from another subnet.
If you test from the same LAN-space as the target machine it might reply while pinging remotely it might not.
What is this target machine ? Windows ? Linux+Samba ? Use tcpdump on the target to see if anything arrives etc,etc,etc
 
invadersMustDie
just joined
Topic Author
Posts: 3
Joined: Sun Mar 27, 2022 1:01 am

Re: WireGuard can't reach LAN

Thu Mar 31, 2022 10:29 pm

jvanhambelgium wrote:
Make sure your target responds to pings from another subnet.
If you test from the same LAN-space as the target machine it might reply while pinging remotely it might not.
What is this target machine ? Windows ? Linux+Samba ? Use tcpdump on the target to see if anything arrives etc,etc,etc
Windows and firewall is disabled. I'll try tcpdump
 
siang7711
just joined
Posts: 2
Joined: Sun Sep 28, 2014 10:08 am

Re: WireGuard can't reach LAN

Tue Oct 04, 2022 6:02 pm

Is there any solution here?
I'm having the same issue here. I want to access the following services/ports on all computers under the LAN network, but the WireGuard client on my phone is not able to access them.
-smb file sharing
-RDP
-VNC
-http
-https
 
holvoetn
Forum Guru
Posts: 5403
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: WireGuard can't reach LAN

Tue Oct 04, 2022 6:24 pm

Best to start a new thread with clear description of your current setup (a drawing will always be helpful), export of your config of Mikrotik router, and what you already tried, how it turned out etc etc.
Also provide export of config of your phone.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard can't reach LAN

Tue Oct 04, 2022 7:17 pm

Concur, post complete config of MT server device /export (minus serial number and any public WANIP info) and phone settings minus key info and publicWANIP info.

Just to be clear CONFIRM WITH YES OR NO
Requirements from phone connection:

a. reach LAN devices ?
b. configure router ?
c. reach internet via MT?
