xaviernuma
newbie
Topic Author
Posts: 43
Joined: Tue Feb 16, 2016 11:27 am
Location: France

Access switch behind HAP (WireGuard client) from CCR (WireGuard server)

Fri Nov 04, 2022 10:00 pm

Good evening,

I would like to access my switches, which are at a customer site where there is no possibility of opening a port in the firewall (HAP22 side). I am on PC ADMIN (CCR side).

I'd like to use WireGuard to achieve this simply.

Here are the exports of my configuration and a diagram to help understand.

Thanks for your help

On PC ADMIN:
  • Ping 192.168.130.1: ok
  • Ping 192.168.131.1: ok
  • Ping 192.168.131.2: fails
  • Ping 192.168.222.1: fails
  • Ping 192.168.222.10: fails
On CCR:
  • Ping 192.168.130.2: ok
  • Ping 192.168.131.1: ok
  • Ping 192.168.131.2: ok
  • Ping 192.168.222.1: fails
  • Ping 192.168.222.10: fails
[attached diagram: 2022-11-06 20_20_55-Window.png]
Export HAP22
/interface bridge
add name=bridge
/interface wireguard
add listen-port=13232 mtu=1420 name=wireguardclient
/interface list
add name=WAN
add name=LAN
/ip pool
add name=POOL222 ranges=192.168.222.100-192.168.222.200
/ip dhcp-server
add address-pool=POOL222 interface=bridge name=DHCP222
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=wlan1
add bridge=bridge interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=192.168.131.0/24,192.168.130.0/24 endpoint-address=\
    xxx.xxx.xxx.xxx endpoint-port=13231 interface=wireguardclient \
    persistent-keepalive=35s public-key=\
    "x"
/ip address
add address=192.168.222.1/24 interface=bridge network=192.168.222.0
add address=192.168.131.2/24 interface=wireguardclient network=192.168.131.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=192.168.222.0/24 dns-server=192.168.222.1 gateway=192.168.222.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment=\
    "Acc\E8s externe au routeur avec Winbox" dst-port=6666 protocol=tcp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=\
    WAN
/ip firewall service-port
set sip disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox port=6666
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Paris
/system identity
set name=HAP22

Export CCR
/interface bridge
add name=bridge
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguardserveur
/interface list
add name=WAN
add name=LAN
/ip pool
add name=POOL130 ranges=192.168.130.100-192.168.130.200
/ip dhcp-server
add address-pool=POOL130 interface=bridge name=DHCP130
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=192.168.131.0/24 endpoint-address=\
    interface=wireguardserveur \
    persistent-keepalive=35s public-key=\
    "x"
/ip address
add address=192.168.130.1/24 interface=bridge network=192.168.130.0
add address=192.168.131.1/24 interface=wireguardserveur network=192.168.131.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=192.168.130.0/24 dns-server=192.168.130.1 gateway=192.168.130.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment=\
    "Acc\E8s externe au routeur avec Winbox" dst-port=6666 protocol=tcp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=\
    WAN
/ip firewall service-port
set sip disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox port=6666
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Paris
/system identity
set name=CCR

Last edited by xaviernuma on Sun Nov 06, 2022 9:52 pm, edited 1 time in total.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Access Winbox HAP (WireGuard client) from CCR (WireGuard server)

Fri Nov 04, 2022 10:27 pm

If you already have a working Wireguard tunnel between the two devices, it should be only a matter of firewall rules and, of course, accessing the hAP from the CCR site by its IP address rather than by its MAC address.

If you want a more detailed instruction, you have to post both configurations.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Access Winbox HAP (WireGuard client) from CCR (WireGuard server)

Sat Nov 05, 2022 1:02 pm

Oui! Post both configs
/export file=anynameyouwish ( minus router serial number and any public WANIP information )

Also read: viewtopic.php?t=182340
 
User avatar
xaviernuma
newbie
Topic Author
Posts: 43
Joined: Tue Feb 16, 2016 11:27 am
Location: France

Re: Access Winbox HAP (WireGuard client) from CCR (WireGuard server)

Sun Nov 06, 2022 9:52 pm

Good evening,
I read your link; it's interesting. My situation seems to be example #3, but I still can't get what I want :(

I updated my first post with a diagram and the requested exports.

Thanks for your help
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Access switch behind HAP (WireGuard client) from CCR (WireGuard server)

Sun Nov 06, 2022 11:10 pm

If you want to access devices in 192.168.222.0/24 (I assume the 221 is a typo) from the PC connected to the CCR, you have to add 192.168.222.0/24 to the allowed-address list on the /interface/wireguard/peers row on the CCR and add a route with dst-address=192.168.222.0/24 gateway=wireguardserveur. The route back is OK in the WireGuard configuration of the hAP itself, as the PC is in 192.168.130.0/24, but a route dst-address=192.168.130.0/24 gateway=wireguardclient needs to be added too.

But if the .221. is not a typo, it means you'll have to do the above for .221. rather than .222., plus add an interface in the VLAN hosting the .221. at the hAP and assign an address from .221. to it, and either add a src-nat rule so that the switches see the connections from the admin PC as coming from the hAP itself, or tell the switches that the address of the hAP is the gateway towards .130.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Access switch behind HAP (WireGuard client) from CCR (WireGuard server)  [SOLVED]

Mon Nov 07, 2022 1:58 am

Let's review HAPAC!
(1) Peers on HAPAC: good!
/interface wireguard peers
add allowed-address=192.168.131.0/24,192.168.130.0/24 endpoint-address=\
xxx.xxx.xxx.xxx endpoint-port=13231 interface=wireguardclient \
persistent-keepalive=35s public-key=\

(2) What is this rule for? It would appear to give access to Winbox, but you are missing something. Clearly you should not provide WAN access, and thus
you should have something like:
add action=accept chain=input comment=\
"Acc\E8s externe au routeur avec Winbox" dst-port=6666 protocol=tcp in-interface-list=LAN


(3) Let's look at routes on HAPAC. You will have an auto-generated route which covers any WireGuard IP type traffic (pinging etc.):
<DAC> dst-address=192.168.131.0/24 gateway=wireguardclient table=main

BUT how will traffic from the CCR subnet, after reaching a server on HAPAC, find its way back (return traffic) to the tunnel? Since the remote subnet is not native on HAPAC, the router doesn't know where to send such traffic; hence:
/ip route add dst-address=192.168.130.0/24 gateway=wireguardclient

Let's look at the CCR...

(4) The allowed IP address needs a correction: you need to identify the peer itself, and you are missing the fact that you will be reaching for a remote subnet, and thus you need to tell the router:
/interface wireguard peers
add allowed-address=192.168.131.2/32,192.168.222.0/24 endpoint-address=\
interface=wireguardserveur \
persistent-keepalive=35s public-key=\
"x"


(5) Same comment on the Winbox port: only allow in-interface-list=LAN access!

(6) MISSING input rule for WireGuard on the CCR!
/ip firewall filter add action=accept chain=input protocol=udp dst-port=13231

(7) Again, the WireGuard-address-specific traffic (pinging etc.) will work with the auto-generated routes.
BUT you want to visit a remote subnet that is not local on this router, so how is the router supposed to know where to send such traffic? Thus you need:
/ip route add dst-address=192.168.222.0/24 gateway=wireguardserveur

(Note: your diagram for the servers has incorrect nomenclature; 221 should be 222.)
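Pulling sindy's and anav's fixes together, here is the complete set of commands for both routers. This is an added example, not code from the thread or from MikroTik; it assumes the interface names, ports and defconf comment strings exactly as they appear in the two exports above, and the /32 and optional src-nat follow sindy's remark about switches without a route back. One caveat the posts do not mention: a bare `add` appends a firewall rule at the end of its chain, so an accept rule added that way lands after "defconf: drop all not coming from LAN" and never matches; the rules below are placed before that drop explicitly.

```routeros
# ---------- CCR (WireGuard responder, listens on UDP 13231) ----------
/ip firewall filter
# WireGuard silently discards packets that fail authentication, so accepting
# UDP 13231 from any source is normal practice. What must not be open to the
# WAN is Winbox; the existing tcp/6666 rule is narrowed to the LAN list.
add action=accept chain=input comment="WireGuard: accept tunnel from hAP" \
    dst-port=13231 protocol=udp \
    place-before=[find comment="defconf: drop all not coming from LAN"]
set [find chain=input protocol=tcp dst-port=6666] in-interface-list=LAN

# Cryptokey routing: allowed-address is both the outbound selector and an
# inbound source-address ACL. Without 192.168.222.0/24 the CCR drops every
# packet the switches send back, which is why the pings to .222.x failed.
/interface wireguard peers
set [find interface=wireguardserveur] \
    allowed-address=192.168.131.2/32,192.168.222.0/24

# allowed-address installs no route on RouterOS; add it explicitly.
/ip route
add dst-address=192.168.222.0/24 gateway=wireguardserveur \
    comment="customer LAN behind hAP via WireGuard"

# ---------- hAP (WireGuard initiator, no inbound port needed) ----------
# Return route for the admin LAN. Pings sourced from the CCR itself use
# 192.168.131.1 and work without it; pings from PC ADMIN (192.168.130.x) do not.
/ip route
add dst-address=192.168.130.0/24 gateway=wireguardclient \
    comment="admin LAN behind CCR via WireGuard"

/ip firewall filter
set [find chain=input protocol=tcp dst-port=6666] in-interface-list=LAN
# Winbox on the hAP itself only from the admin LAN and only through the tunnel
add action=accept chain=input comment="Winbox from admin LAN via WireGuard" \
    dst-port=6666 in-interface=wireguardclient protocol=tcp \
    src-address=192.168.130.0/24 \
    place-before=[find comment="defconf: drop all not coming from LAN"]

# Optional (sindy's alternative, left disabled): switches with a static address
# and no gateway cannot answer 192.168.130.x. Either set 192.168.222.1 as their
# gateway, or source-NAT admin traffic so they see the hAP as the client.
# Trade-off: with src-nat the switches' logs no longer show the admin's real address.
/ip firewall nat
add action=masquerade chain=srcnat comment="admin LAN -> switches without a gateway" \
    out-interface=bridge src-address=192.168.130.0/24 disabled=yes
```

Apply the CCR part first so the responder accepts the hAP's source prefixes before the hAP starts sending them; the hAP's own peer entry already lists both 192.168.131.0/24 and 192.168.130.0/24, so nothing changes there.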
 
xaviernuma
newbie
Topic Author
Posts: 43
Joined: Tue Feb 16, 2016 11:27 am
Location: France

Re: Access switch behind HAP (WireGuard client) from CCR (WireGuard server)

Thu Nov 10, 2022 12:29 pm

Hi

Thank you very much to both of you for your help and the quality of your answers; it is now functional.

sindy wrote:
If you want to access devices in 192.168.222.0/24 (I assume the 221 is a typo) from the PC connected to the CCR, you have to add 192.168.222.0/24 to the allowed-address list on the /interface/wireguard/peers row on the CCR and add a route with dst-address=192.168.222.0/24 gateway=wireguardserveur. The route back is OK in the WireGuard configuration of the hAP itself, as the PC is in 192.168.130.0/24, but a route dst-address=192.168.130.0/24 gateway=wireguardclient needs to be added too.

These are indeed the routes I was missing; it is now operational.

sindy wrote:
But if the .221. is not a typo, it means you'll have to do the above for .221. rather than .222., plus add an interface in the VLAN hosting the .221. at the hAP and assign an address from .221. to it, and either add a src-nat rule so that the switches see the connections from the admin PC as coming from the hAP itself, or tell the switches that the address of the hAP is the gateway towards .130.

It's an error on my diagram; it was indeed .222.

anav wrote:
(2) What is this rule for? It would appear to give access to Winbox, but you are missing something. Clearly you should not provide WAN access, and thus
you should have something like:
add action=accept chain=input comment=\
"Acc\E8s externe au routeur avec Winbox" dst-port=6666 protocol=tcp in-interface-list=LAN

Now that the VPN works as I want, this rule will disappear :)

anav wrote:
(3) Let's look at routes on HAPAC. You will have an auto-generated route which covers any WireGuard IP type traffic (pinging etc.):
<DAC> dst-address=192.168.131.0/24 gateway=wireguardclient table=main

BUT how will traffic from the CCR subnet, after reaching a server on HAPAC, find its way back (return traffic) to the tunnel? Since the remote subnet is not native on HAPAC, the router doesn't know where to send such traffic; hence:
/ip route add dst-address=192.168.130.0/24 gateway=wireguardclient

Let's look at the CCR...

(4) The allowed IP address needs a correction: you need to identify the peer itself, and you are missing the fact that you will be reaching for a remote subnet, and thus you need to tell the router:
/interface wireguard peers
add allowed-address=192.168.131.2/32,192.168.222.0/24 endpoint-address=\
interface=wireguardserveur \
persistent-keepalive=35s public-key=\
"x"

Indeed, that is what I was missing here. Thank you.

anav wrote:
(6) MISSING input rule for WireGuard on the CCR!
/ip firewall filter add action=accept chain=input protocol=udp dst-port=13231

It's a bad copy-paste...

anav wrote:
(Note: your diagram for the servers has incorrect nomenclature; 221 should be 222.)

It's a bad copy-paste...
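Before calling the tunnel "functional", the checks below are what I would run on each side; they are an added example, not part of the thread, and assume the same names as the exports above. The ping in step 3 sources from the CCR's LAN address on purpose: a plain `/ping` from the CCR uses 192.168.131.1, which the hAP's existing allowed-address and DAC route already cover, so it passes even when the hAP's return route for 192.168.130.0/24 is still missing.

```routeros
# ---------- on the CCR ----------
# 1. Tunnel is up: last-handshake should be recent and rx/tx should keep growing.
/interface wireguard peers print detail

# 2. The static route to the customer LAN is active (flag A) and uses the tunnel.
/ip route print where dst-address=192.168.222.0/24

# 3. Emulate PC ADMIN: source from the CCR's bridge address so the reply has
#    to traverse the hAP's return route and the CCR's allowed-address ACL.
/ping 192.168.222.10 src-address=192.168.130.1 count=3

# 4. Rule order: the UDP 13231 accept must appear above the defconf
#    "drop all not coming from LAN", and no other input accept may lack an
#    in-interface-list=LAN (or tunnel) restriction.
/ip firewall filter print where chain=input

# ---------- on the hAP ----------
# 5. Return route present and active.
/ip route print where dst-address=192.168.130.0/24

# 6. The peer entry still lists both admin prefixes; a missing one shows up
#    here as rx growing while the CCR side sees no tx from the switches.
/interface wireguard peers print detail

# 7. Nothing but the tunnel should reach Winbox: the tcp/6666 rule must carry
#    in-interface-list=LAN or in-interface=wireguardclient, never match any WAN source.
/ip firewall filter print where chain=input dst-port=6666
```

If step 3 fails while a plain `/ping 192.168.222.10` from the CCR succeeds, the hAP's return route (step 5) is the missing piece; if both fail, start with the CCR's allowed-address (step 1, the peer entry) and route (step 2).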
