voytecky
just joined
Topic Author
Posts: 4
Joined: Tue Feb 01, 2022 12:01 am
Location: PL

Wireguard client can't access local NAS.

Sun Oct 23, 2022 11:50 pm

Hi guys, I have a problem with access to the NAS server from a Media PC connected to a VPN provider via Wireguard. The NAS is running on the 10.100.100.1/24 Main_Lan network with static IP .22; the Media PC is on the 10.30.33.1/24 VPN_vlan network with static IP .204. Everything is working except that I can't ping or access the NAS from the VPN_Lan network. Thanks for any help.

# oct/23/2022 11:20:33 by RouterOS 7.5
# software id = P0QQ-LSV7
#
# model = RB5009UG+S+
# serial number = xxxxxxxx
/interface bridge
add admin-mac=xxxxxxxxxxxxxxxxx auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=ISP_Internet_Access name=\
    internet_access
set [ find default-name=ether2 ] comment=off_bridge_access_to_router name=\
    off_bridge
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface wireguard
add listen-port=13231 mtu=1420 name=WG_Mullvad
/interface vlan
add interface=bridge name=Guest_Wifi vlan-id=66
add interface=bridge name=Lstream vlan-id=22
add interface=bridge name=Main_Lan vlan-id=100
add interface=bridge name=TP-Link vlan-id=44
add interface=bridge name=VOIP vlan-id=55
add interface=bridge name=VPN_vlan vlan-id=33
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MNGMT
add comment="Deny access to ruter and Main_Lan" name=Untrusted
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool_MNGMT ranges=172.16.100.2-172.16.100.10
add name=pool_Lstream ranges=10.20.22.199-10.20.22.254
add name=pool_VPN_vlan ranges=10.30.33.199-10.30.33.254
add name=pool_VOIP ranges=10.50.55.99-10.50.55.103
add name=pool_Guest_Wifi ranges=10.60.66.199-10.60.66.254
add name=pool_Main_Lan ranges=10.100.100.150-10.100.100.254
add name=pool_TP-Link ranges=172.16.4.99-172.16.4.199
/ip dhcp-server
add address-pool=pool_MNGMT interface=off_bridge name=dhcp_MNGMT
add address-pool=pool_Guest_Wifi interface=Guest_Wifi name=dhcp_Guest_Wifi
add address-pool=pool_Lstream interface=Lstream name=dhcp_Lstream
add address-pool=pool_Main_Lan interface=Main_Lan name=dhcp_Main_Lan
add address-pool=pool_TP-Link interface=TP-Link name=dhcp_TP-Link
add address-pool=pool_VOIP interface=VOIP name=dhcp_VOIP
add address-pool=pool_VPN_vlan interface=VPN_vlan name=dhcp_VPN_vlan
/routing table
add disabled=no fib name=useWG
add disabled=no fib name=KODI_to_NAS
/interface bridge port
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 pvid=100
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 pvid=100
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether5 pvid=100
add bridge=bridge comment=defconf interface=ether6 pvid=100
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether7 pvid=44
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    interface=ether8
/ip neighbor discovery-settings
set discover-interface-list=MNGMT protocol=lldp,mndp
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge comment=Lstream_vlan tagged=bridge,ether8 vlan-ids=22
add bridge=bridge comment=VPN_vlan tagged=bridge,ether8 untagged=ether5 \
    vlan-ids=33
add bridge=bridge comment=VOIP_vlan tagged=bridge,ether8 vlan-ids=55
add bridge=bridge comment=Guest_Wifi_vlan tagged=bridge,ether6,ether8 \
    vlan-ids=66
add bridge=bridge comment=Main_Lan_vlan tagged=bridge,ether8 untagged=\
    ether3,ether4,ether6 vlan-ids=100
add bridge=bridge comment=TP-Link_vlan tagged=bridge untagged=ether7 \
    vlan-ids=44
/interface list member
add comment=defconf interface=internet_access list=WAN
add interface=off_bridge list=MNGMT
add interface=off_bridge list=LAN
add interface=Main_Lan list=MNGMT
add interface=WG_Mullvad list=LAN
add interface=Guest_Wifi list=LAN
add interface=Lstream list=LAN
add interface=Main_Lan list=LAN
add interface=TP-Link list=LAN
add interface=VOIP list=LAN
add interface=VPN_vlan list=LAN
add interface=Guest_Wifi list=Untrusted
add interface=Lstream list=Untrusted
add interface=TP-Link list=Untrusted
add interface=VOIP list=Untrusted
add interface=VPN_vlan list=Untrusted
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=xxxxxxxx endpoint-port=\
    51820 interface=WG_Mullvad persistent-keepalive=40s public-key=\
    "yyyyyyyyyyyyyy"
/ip address
add address=172.16.100.1/24 comment=ether2_off_bridge_access interface=\
    off_bridge network=172.16.100.0
add address=10.60.66.1/24 comment=Guest_Wifi_network interface=Guest_Wifi \
    network=10.60.66.0
add address=10.20.22.1/24 comment=Lstream_network interface=Lstream network=\
    10.20.22.0
add address=10.100.100.1/24 comment=Main_Lan_network interface=Main_Lan \
    network=10.100.100.0
add address=172.16.4.1/24 comment=TP-Link_network interface=TP-Link network=\
    172.16.4.0
add address=10.50.55.1/24 comment=Ooma_network interface=VOIP network=\
    10.50.55.0
add address=10.30.33.1/24 comment=VPN_vlan_network interface=VPN_vlan \
    network=10.30.33.0
add address=10.65.138.98 comment="WG_Mullvad interface address" interface=\
    WG_Mullvad network=10.65.138.98
/ip arp
add address=172.16.4.2 comment="TP-Link Archer C7" interface=TP-Link \
    mac-address=98:DE:D0:84:9E:26
add address=10.50.55.10 comment=Ooma interface=VOIP mac-address=\
    00:18:61:0F:ED:DF
add address=10.20.22.199 comment=Denon interface=Lstream mac-address=\
    00:05:CD:1C:D5:84
add address=10.100.100.250 interface=Main_Lan mac-address=68:B5:99:90:04:7A
add address=10.100.100.21 interface=Main_Lan mac-address=74:D4:35:14:60:5B
add address=10.100.100.60 comment=U6-LR interface=Main_Lan mac-address=\
    D0:21:F9:DD:65:95
add address=10.100.100.22 comment=NAS interface=Main_Lan mac-address=\
    38:60:77:05:95:76
add address=10.100.100.24 interface=Main_Lan mac-address=18:56:80:00:E3:0D
/ip dhcp-client
add comment=defconf interface=internet_access use-peer-dns=no
/ip dhcp-server lease
add address=10.50.55.10 comment=Ooma mac-address=00:18:61:0F:ED:DF server=\
    dhcp_VOIP
add address=172.16.4.193 client-id=1:54:2a:1b:a0:1e:f6 comment=Sonos_Bar \
    mac-address=54:2A:1B:A0:1E:F6 server=dhcp_TP-Link
add address=172.16.4.194 client-id=1:8:a6:bc:30:1e:e6 mac-address=\
    08:A6:BC:30:1E:E6 server=dhcp_TP-Link
add address=10.20.22.75 comment=75TLC-TV mac-address=34:93:42:B2:9A:4D \
    server=dhcp_Lstream
add address=10.20.22.65 client-id=00:05:cd:1c:d5:84 comment=Denon \
    mac-address=00:05:CD:1C:D5:84 server=dhcp_Lstream
add address=10.100.100.99 client-id=68:b5:99:90:04:7a comment=HP_Printer \
    mac-address=68:B5:99:90:04:7A server=dhcp_Main_Lan
add address=10.100.100.21 client-id=74:d4:35:14:60:5b comment=Box1 \
    mac-address=74:D4:35:14:60:5B server=dhcp_Main_Lan
add address=10.20.22.55 comment=55TLC-TV mac-address=34:93:42:96:81:9F \
    server=dhcp_Lstream
add address=10.100.100.78 client-id=88:53:2e:95:b1:81 comment=Samsung_Laptop \
    mac-address=88:53:2E:95:B1:81 server=dhcp_Main_Lan
add address=10.100.100.60 client-id=1:d0:21:f9:dd:65:95 comment=U6-LR \
    mac-address=D0:21:F9:DD:65:95 server=dhcp_Main_Lan
add address=10.100.100.24 client-id=1:18:56:80:0:e3:d comment=X1_Wireless \
    mac-address=18:56:80:00:E3:0D server=dhcp_Main_Lan
add address=10.100.100.25 client-id=1:0:0:0:6:c2:f5 comment=X1_USB_Wired \
    mac-address=00:00:00:06:C2:F5 server=dhcp_Main_Lan
add address=10.100.100.146 client-id=1:f2:7:7e:c3:57:46 comment=iPhoneSE \
    mac-address=F2:07:7E:C3:57:46 server=dhcp_Main_Lan
add address=10.30.33.222 client-id=1:18:66:da:21:c0:c comment=KODI \
    mac-address=18:66:DA:21:C0:0C server=dhcp_VPN_vlan
/ip dhcp-server network
add address=10.20.22.0/24 dns-server=10.20.22.1 gateway=10.20.22.1
add address=10.30.33.0/24 dns-server=10.64.0.1,10.30.33.1 gateway=10.30.33.1
add address=10.50.55.0/24 dns-server=10.50.55.1 gateway=10.50.55.1
add address=10.60.66.0/24 dns-server=10.60.66.1 gateway=10.60.66.1
add address=10.100.100.0/24 dns-server=10.100.100.1 gateway=10.100.100.1
add address=172.16.4.0/24 dns-server=172.16.4.1 gateway=172.16.4.1
add address=172.16.100.0/26 dns-server=172.16.100.1 gateway=172.16.100.1
/ip dns
set allow-remote-requests=yes servers=9.9.9.9
/ip dns static
add address=10.100.100.1 comment=def.configuration name=router.lan
/ip firewall address-list
add address=10.20.22.0/24 list=NoAccess
add address=10.30.33.0/24 list=NoAccess
add address=10.50.55.0/24 list=NoAccess
add address=10.60.66.0/24 list=NoAccess
add address=172.16.4.0/24 list=NoAccess
add address=10.100.100.2-10.100.100.254 list=Allow_to_Tp-Link
add address=10.30.33.199-10.30.33.254 list=Allow_to_NAS
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow Untrusted DNS udp" \
    connection-state=new dst-port=53 in-interface-list=Untrusted protocol=udp
add action=accept chain=input comment="Allow Untrusted DNS tcp" \
    connection-state=new dst-port=53 in-interface-list=Untrusted protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="Allow MNGM to router" \
    in-interface-list=MNGMT
add action=drop chain=input comment="Drop all else"
add action=accept chain=forward comment="KODI access to NAS" dst-address=\
    10.100.100.22 in-interface=VPN_vlan out-interface=Main_Lan \
    src-address-list=Allow_to_NAS
add action=accept chain=forward comment="allow wireguard vpn" in-interface=\
    VPN_vlan out-interface=WG_Mullvad
add action=accept chain=forward comment=\
    "allow port forwarding(Wireguard DNS)" connection-nat-state=dstnat
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related,untracked hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=Allow_to_Tp-Link dst-address=\
    172.16.4.2 in-interface=Main_Lan out-interface=TP-Link src-address=\
    10.100.100.24
add action=drop chain=forward comment="\"Drop all else\""
/ip firewall nat
add action=masquerade chain=srcnat comment="Main_Lan_allow _to_TP-Link" \
    out-interface=TP-Link src-address-list=Allow_to_Tp-Link
add action=masquerade chain=srcnat comment=KODI_Access_to_NAS disabled=yes \
    in-interface=VPN_vlan out-interface=Main_Lan src-address-list=\
    Allow_to_NAS
add action=dst-nat chain=dstnat comment=DNS_for__WG_Mullvad dst-port=53 \
    protocol=udp src-address=10.30.33.0/24 to-addresses=10.64.0.1 to-ports=53
add action=masquerade chain=srcnat comment=masquerade_for_WG_Mullvad \
    out-interface=WG_Mullvad
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add comment="DNS to WG_Mullvad" disabled=no distance=1 dst-address=\
    10.64.0.1/32 gateway=WG_Mullvad pref-src=0.0.0.0 routing-table=main \
    scope=30 suppress-hw-offload=yes target-scope=10
add disabled=no dst-address=0.0.0.0/0 gateway=WG_Mullvad routing-table=useWG \
    suppress-hw-offload=no
add comment=Kodi_To_NAS disabled=no distance=1 dst-address=10.100.100.22/32 \
    gateway=VPN_vlan pref-src="" routing-table=KODI_to_NAS scope=30 \
    suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=10.100.100.0/24
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/routing rule
add action=lookup-only-in-table disabled=no src-address=10.30.33.0/24 table=\
    useWG
add action=lookup disabled=no dst-address=10.100.100.22/32 interface=VPN_vlan \
    src-address=10.30.33.204/32 table=KODI_to_NAS
/system clock
set time-zone-name=America/New_York
/system identity
set name=TikRouter
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes multicast=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
add address=3.pool.ntp.org
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MNGMT
/tool romon
set enabled=yes
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Wireguard client can't access local NAS.

Mon Oct 24, 2022 1:35 am

Your whole KODI_to_NAS routing table seems weird. You probably want to get rid of that and just add this as the first routing rule:
/routing rule
add dst-address=10.100.100.22/32 action=lookup-only-in-table table=main
Or the whole 10.100.100.0/24, because none of that can benefit from being sent to VPN.
 
voytecky
just joined
Topic Author
Posts: 4
Joined: Tue Feb 01, 2022 12:01 am
Location: PL

Re: Wireguard client can't access local NAS.

Tue Oct 25, 2022 2:41 am

Thank you for the help. I'm closer to my goal; I can ping the server now. But I still can't access shared folders from the VPN_vlan. Is there anything else in my configuration that I need to change, or do I have to look into the NAS firewall?

Tracing route to NAS4FREE [10.100.100.22] (from VPN_vlan)
over a maximum of 30 hops:
1 2 ms 2 ms 2 ms 10.30.33.1
2 4 ms 3 ms 3 ms NAS4FREE [10.100.100.22]
Trace complete.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Wireguard client can't access local NAS.

Tue Oct 25, 2022 4:03 am

It looks like checking firewall on NAS is the next step.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard client can't access local NAS.

Tue Oct 25, 2022 3:53 pm

A couple of things I see:

(1) Your forward chain firewall rules are out of order.

(2) What is the purpose of this source NAT rule? You make it sound like a firewall forward chain rule in the comments.

add action=masquerade chain=srcnat comment="Main_Lan_allow _to_TP-Link" \
out-interface=TP-Link src-address-list=Allow_to_Tp-Link


Only the last two rules in source NAT make sense to me: the first to ensure all WG traffic gets the Wireguard IP address before hitting Mullvad, and the last rule, being the standard source NAT rule required.

(3) Not sure what all the extra rules are for, the ones you are attempting for DNS, in IP Routes and DST NAT?

(4) Also, as Sob noted, your Kodi stuff is very weird; no clue why all the extra rules everywhere.

(5) Personally I would have one bridge and all vlans on the single bridge (except for ether2 off bridge, of course).

(6) The two important LANs here are the main LAN 10.100.100.0 and the VPN LAN 10.30.33.0.
The purpose of the VPN vlan is to identify those users in a subnet who are going out WG.

However, it appears you want some VPN users also to access a MAIN LAN device, the NAS (.199-.254).
In general one doesn't need an address list when identifying only one subnet (just use the subnet in dst or src address).
In general one uses an interface list for two or more interfaces.
Address lists are good for groups of users within a subnet, or to describe some users across subnets, OR the same but with subnets.

6a. So it's confusing to me when

a. you have the vpn subnet go out WG
b. you have the vpn subnet also have access to the NAS
AND THE CONFUSING PART
c. you have vpn subnet users in a firewall rule also accessing the NAS, but you call them KODI.

So which is it? Is it all VPN users accessing the NAS or this mysterious KODI accessing the NAS?
Your rule is overblown.
add action=accept chain=forward comment="KODI access to NAS" dst-address=\
10.100.100.22 in-interface=VPN_vlan out-interface=Main_Lan \
src-address-list=Allow_to_NAS


All you need is (since you describe the entire subnet of vpn users)
add action=accept chain=forward comment="KODI access to NAS" dst-address=\
10.100.100.22 in-interface=VPN_vlan out-interface=Main_Lan
OR
add action=accept chain=forward comment="KODI access to NAS" dst-address=\
10.100.100.22 src-address=10.30.33.0/24

(7) In any case, this is a simple forward firewall rule allowing traffic, nothing too complicated, so why do you add NAT rules to this?

(8) What you need ONLY is part of what you have, ordered correctly!
a. a FIB for WG
b. standard route for WAN
c. route for WG
d. routing rule for WG
e. routing rule for WG users to go to the NAS, which needs to be put in front of the existing one, as order COUNTS!
Like so:

/routing rule
add action=lookup dst-address=10.100.100.22/32 interface=VPN_vlan table=main
add action=lookup-only-in-table src-address=10.30.33.0/24 table=useWG

In this regard, any traffic from the VPN users heading for the NAS address will go out table main and simply get routed, as the firewall rules also permit. Nothing more required.
If the first rule does not hit, then it will look at the second rule and the traffic will go out WG.

If in fact it's only one single address on the vpn vlan that needs to access the NAS, then make it so in the firewall rules.
add action=accept chain=forward comment="KODI access to NAS" dst-address=\
10.100.100.22 src-address=10.30.33.204
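The routing-rule ordering that Sob and anav describe above, as an added Python model (not RouterOS code and not from any poster): it walks /routing rule entries top to bottom against constructed routing tables that mirror this config, and shows that with the OP's order the useWG rule swallows traffic for 10.100.100.22, while with the NAS rule placed first that traffic stays in table main. The lookup / lookup-only-in-table fall-through semantics and the table contents are simplified assumptions.

```python
import ipaddress
from collections import namedtuple
from typing import Optional

# Constructed routing tables mirroring the thread's config: (prefix, gateway),
# longest-prefix match. KODI_to_NAS is the OP's table whose only route points
# back at the VLAN the packet arrived on.
TABLES = {
    "main": [("10.100.100.0/24", "Main_Lan"), ("10.30.33.0/24", "VPN_vlan"),
             ("0.0.0.0/0", "internet_access")],
    "useWG": [("0.0.0.0/0", "WG_Mullvad")],
    "KODI_to_NAS": [("10.100.100.22/32", "VPN_vlan")],
}

# A /routing rule entry: action is "lookup" or "lookup-only-in-table";
# src/dst are CIDR selectors and interface an in-interface name, None = any.
Rule = namedtuple("Rule", "action table src dst interface", defaults=(None, None, None))
Packet = namedtuple("Packet", "src dst in_iface")

def in_net(addr: str, cidr: Optional[str]) -> bool:
    return cidr is None or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)

def matches(rule: Rule, pkt: Packet) -> bool:
    return (in_net(pkt.src, rule.src) and in_net(pkt.dst, rule.dst)
            and (rule.interface is None or rule.interface == pkt.in_iface))

def lookup(table: str, dst: str) -> Optional[str]:
    # Longest-prefix match in one table; None if it holds no route for dst.
    best = None
    for prefix, gw in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None

def route(rules: list, pkt: Packet) -> Optional[str]:
    """Evaluate rules top to bottom (assumed semantics): 'lookup' falls through
    to the next rule when its table has no route, 'lookup-only-in-table' is
    final (None = packet dropped). With no matching rule, table main decides."""
    for rule in rules:
        if matches(rule, pkt):
            gw = lookup(rule.table, pkt.dst)
            if gw is not None or rule.action == "lookup-only-in-table":
                return gw
    return lookup("main", pkt.dst)

# OP's order: the useWG rule matches every VPN_vlan source and its table has a
# default route, so the NAS rule below it is never reached.
ORIGINAL_RULES = [
    Rule("lookup-only-in-table", "useWG", src="10.30.33.0/24"),
    Rule("lookup", "KODI_to_NAS", src="10.30.33.204/32", dst="10.100.100.22/32", interface="VPN_vlan"),
]
# anav's order: the NAS exception first, then everything else from VPN_vlan to WireGuard.
ANAV_RULES = [
    Rule("lookup", "main", dst="10.100.100.22/32", interface="VPN_vlan"),
    Rule("lookup-only-in-table", "useWG", src="10.30.33.0/24"),
]
# Sob's variant: pin the NAS address to table main for any source.
SOB_RULES = [
    Rule("lookup-only-in-table", "main", dst="10.100.100.22/32"),
    Rule("lookup-only-in-table", "useWG", src="10.30.33.0/24"),
]
KODI_TO_NAS = Packet("10.30.33.204", "10.100.100.22", "VPN_vlan")
KODI_TO_INTERNET = Packet("10.30.33.204", "9.9.9.9", "VPN_vlan")
```

`route(ORIGINAL_RULES, KODI_TO_NAS)` returns "WG_Mullvad", which is why the NAS was unreachable; both corrected orders return "Main_Lan" for the same packet while still sending other VPN_vlan traffic to "WG_Mullvad".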
 
voytecky
just joined
Topic Author
Posts: 4
Joined: Tue Feb 01, 2022 12:01 am
Location: PL

Re: Wireguard client can't access local NAS.

Sun Oct 30, 2022 11:44 pm

Thank you guys for your help. I can access local NAS shares from my LibreELEC and AndroidTV-Kodi now :D Both are hard wired through the router's Wireguard to a third-party VPN service. You are the best and Mikrotik is the King. Thank you.
