caokyk
just joined
Topic Author
Posts: 6
Joined: Thu Sep 22, 2016 10:27 am

Wireguard and PCC with 6 wan

Wed Nov 30, 2022 1:52 pm

Good day everyone!

I use a CCR2116-12G-4S+ router and am having a problem setting up WireGuard with PCC load balancing over 6 PPPoE WANs.
I can connect to my WireGuard from inside my network over Wi-Fi, but from my Android phone on mobile data I can't connect; it returns a handshake error.
I tried many ways, even resetting the config, but no luck.
Please help me troubleshoot.

Here is my config:
/interface pppoe-client
add add-default-route=yes disabled=no interface=WAN1 \
    name=WAN1e user=u1
add add-default-route=yes interface=WAN2 name=WAN2e \
    user=u2
add add-default-route=yes disabled=no interface=WAN3 \
    name=WAN3e user=u3
add add-default-route=yes disabled=no interface=WAN4 \
    name=WAN4e user=u4
add add-default-route=yes disabled=no interface=WAN5 \
    name=WAN5e user=u5
add add-default-route=yes disabled=no interface=WAN6 \
    name=WAN6e user=u6
/interface wireguard
add listen-port=13231 mtu=1412 name=LANWG
/interface list
add name=VLL
add name=WAN

/routing table
add fib name=toWAN4
add fib name=toWAN1
add fib name=toWAN2
add fib name=toWAN3
add fib name=toWAN5
add fib name=toWAN6

/interface wireguard peers
add allowed-address=172.16.112.11/32 interface=LANWG \
    public-key="LP//7H4dp85JIGuU/HU+eUuIrHpoQ/CTRJrf5kd483s="
add allowed-address=172.16.112.12/32 interface=LANWG \
    public-key="OyJ754rsXl86bIq+YOVaCxMwnN4EH2/u/Ce5XzJNiR0="
add allowed-address=172.16.112.14/32 interface=LANWG \
    public-key="LiZWtSFNoSXSdfetWV7INq/KK0z+QS8VTQclKnPy8QE="
add allowed-address=172.16.112.15/32 interface=LANWG public-key=\
    "LNpSI1vlMn0JMf3dYn/VtsCXHwUho+1DLhnQre/9YGI="

/ip address-list
add address=0.0.0.0/8 comment="This Network" list=BOGONS
add address=10.0.0.0/8 comment="Private-Use Networks" list=BOGONS
add address=100.64.0.0/10 comment="Shared Address Space. RFC 6598" list=\
    BOGONS
add address=127.0.0.0/8 comment=Loopback list=BOGONS
add address=169.254.0.0/16 comment="Link Local" list=BOGONS
add address=172.16.0.0/12 comment="Private-Use Networks" list=BOGONS
add address=192.0.0.0/24 comment="IETF Protocol Assignments" list=BOGONS
add address=192.0.2.0/24 comment=TEST-NET-1 list=BOGONS
add address=192.168.0.0/16 comment="Private-Use Networks" list=BOGONS
add address=198.18.0.0/15 comment=\
    "Network Interconnect Device Benchmark Testing" list=BOGONS
add address=198.51.100.0/24 comment=TEST-NET-2 list=BOGONS
add address=203.0.113.0/24 comment=TEST-NET-3 list=BOGONS
add address=224.0.0.0/4 comment=Multicast list=BOGONS
add address=192.88.99.0/24 comment="6to4 Relay Anycast" list=BOGONS
add address=240.0.0.0/4 comment="Reserved for Future Use" list=BOGONS
add address=255.255.255.255 comment="Limited Broadcast" list=BOGONS
/ip firewall filter
add action=accept chain=input comment=Wireguard dst-port=13231 log=yes \
    protocol=udp
add action=accept chain=forward connection-nat-state=dstnat disabled=yes
add action=drop chain=forward comment="drop local subnet connect together" \
    disabled=yes dst-address-list=*insidelist src-address-list=*insidelist
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=WAN6e new-connection-mark=WAN6_conn passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=WAN1e new-connection-mark=WAN1_conn passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=WAN4e new-connection-mark=WAN4_conn passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
    yes in-interface=WAN2e new-connection-mark=WAN4_conn passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=WAN5e new-connection-mark=WAN5_conn passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=WAN3e new-connection-mark=WAN3_conn passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-list=!BOGONS dst-address-type=!local in-interface=WAN1e \
    new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
    yes dst-address-list=!BOGONS dst-address-type=!local in-interface=WAN2e \
    new-connection-mark=WAN2_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-list=!BOGONS dst-address-type=!local in-interface=WAN3e \
    new-connection-mark=WAN3_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-list=!BOGONS dst-address-type=!local in-interface=WAN4e \
    new-connection-mark=WAN4_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-list=!BOGONS dst-address-type=!local in-interface=WAN5e \
    new-connection-mark=WAN5_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-list=!BOGONS dst-address-type=!local in-interface=WAN6e \
    new-connection-mark=WAN6_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-list=!BOGONS dst-address-type=!local new-connection-mark=\
    WAN1_conn passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:6/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-list=!BOGONS dst-address-type=!local new-connection-mark=\
    WAN5_conn passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:6/1
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-list=!BOGONS dst-address-type=!local new-connection-mark=\
    WAN3_conn passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:6/2
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-list=!BOGONS dst-address-type=!local new-connection-mark=\
    WAN4_conn passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:6/3
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-list=!BOGONS dst-address-type=!local new-connection-mark=\
    WAN5_conn passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:6/4
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-list=!BOGONS dst-address-type=!local new-connection-mark=\
    WAN6_conn passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:6/5
add action=mark-routing chain=prerouting connection-mark=WAN1_conn \
    dst-address-type=!local in-interface-list=!WAN new-routing-mark=toWAN1 \
    passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN2_conn \
    dst-address-type=!local in-interface-list=!WAN new-routing-mark=toWAN5 \
    passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN3_conn \
    dst-address-type=!local in-interface-list=!WAN new-routing-mark=toWAN3 \
    passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN4_conn \
    dst-address-type=!local in-interface-list=!WAN new-routing-mark=toWAN4 \
    passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN5_conn \
    dst-address-type=!local in-interface-list=!WAN new-routing-mark=toWAN5 \
    passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN6_conn \
    dst-address-type=!local in-interface-list=!WAN new-routing-mark=toWAN6 \
    passthrough=no
add action=mark-routing chain=output connection-mark=WAN1_conn \
    dst-address-type=!local new-routing-mark=toWAN1 passthrough=no
add action=mark-routing chain=output connection-mark=WAN2_conn \
    dst-address-type=!local new-routing-mark=toWAN2 passthrough=no
add action=mark-routing chain=output connection-mark=WAN3_conn \
    dst-address-type=!local new-routing-mark=toWAN3 passthrough=no
add action=mark-routing chain=output connection-mark=WAN4_conn \
    dst-address-type=!local new-routing-mark=toWAN4 passthrough=no
add action=mark-routing chain=output connection-mark=WAN5_conn \
    dst-address-type=!local new-routing-mark=toWAN5 passthrough=no
add action=mark-routing chain=output connection-mark=WAN6_conn \
    dst-address-type=!local new-routing-mark=toWAN6 passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN6e
add action=masquerade chain=srcnat out-interface=WAN1e
add action=masquerade chain=srcnat out-interface=WAN4e
add action=masquerade chain=srcnat disabled=yes out-interface=WAN2e
add action=masquerade chain=srcnat out-interface=WAN5e
add action=masquerade chain=srcnat out-interface=WAN3e
add action=masquerade chain=srcnat out-interface=LANWG
add action=masquerade chain=srcnat dst-address-list=*outside src-address-list=*inside

/ip route
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=WAN1e pref-src="" \
    routing-table=toWAN1 scope=30 suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=WAN2e pref-src="" \
    routing-table=toWAN2 scope=30 suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=WAN3e pref-src="" \
    routing-table=toWAN3 scope=30 suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=WAN4e pref-src="" \
    routing-table=toWAN4 scope=30 suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=WAN5e pref-src="" \
    routing-table=toWAN5 scope=30 suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=WAN6e pref-src="" \
    routing-table=toWAN6 scope=30 suppress-hw-offload=no target-scope=10
add disabled=yes distance=3 dst-address=0.0.0.0/0 gateway=WAN6e pref-src="" \
    routing-table=toWAN6 scope=30 suppress-hw-offload=no target-scope=10
add disabled=yes distance=2 dst-address=0.0.0.0/0 gateway=WAN1e pref-src="" \
    routing-table=toWAN1 scope=30 suppress-hw-offload=no target-scope=10
add disabled=yes distance=4 dst-address=0.0.0.0/0 gateway=WAN4e pref-src="" \
    routing-table=toWAN4 scope=30 suppress-hw-offload=no target-scope=10
add disabled=yes distance=6 dst-address=0.0.0.0/0 gateway=WAN2e pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=WAN5e pref-src="" \
    routing-table=toWAN5 scope=30 suppress-hw-offload=no target-scope=10
add disabled=yes distance=5 dst-address=0.0.0.0/0 gateway=WAN3e pref-src="" \
    routing-table=toWAN3 scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=WAN1e pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=yes distance=2 dst-address=0.0.0.0/0 gateway=WAN2e pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=3 dst-address=0.0.0.0/0 gateway=WAN3e pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=4 dst-address=0.0.0.0/0 gateway=WAN4e pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=5 dst-address=0.0.0.0/0 gateway=WAN5e pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=6 dst-address=0.0.0.0/0 gateway=WAN6e pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
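As an added illustration (not code from the thread and not a MikroTik tool), the following Python script lints a RouterOS export for three policy-routing mistakes worth checking in a setup like the one posted above: routing marks that point at routing tables with no enabled route, connection marks cross-wired to a different WAN than the interface they are set on, and a WireGuard listen port with no accept rule in the input chain. The embedded sample is a trimmed subset of the posted export; the check functions, their names and the WAN<n>e / WAN<n>_conn / toWAN<n> naming rule they enforce are this example's own assumptions.

```python
"""Lint a RouterOS export for policy-routing mistakes that break a WireGuard
server behind PCC multi-WAN. Added example; not a MikroTik tool and not code
from the thread. Checks: (1) every routing mark used by an enabled mark-routing
rule has an enabled route in that table, (2) WAN<n>e -> WAN<n>_conn -> toWAN<n>
naming is consistent, (3) the WireGuard listen port is accepted in chain=input."""
import re

# Sample trimmed from the export posted in the thread (constructed subset).
SAMPLE_EXPORT = r"""
/interface wireguard
add listen-port=13231 mtu=1412 name=LANWG
/ip firewall filter
add action=accept chain=input comment=Wireguard dst-port=13231 log=yes \
    protocol=udp
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=WAN1e new-connection-mark=WAN1_conn passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
    yes in-interface=WAN2e new-connection-mark=WAN4_conn passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=WAN5e new-connection-mark=WAN5_conn passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN1_conn \
    new-routing-mark=toWAN1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN2_conn \
    new-routing-mark=toWAN5 passthrough=no
add action=mark-routing chain=output connection-mark=WAN5_conn \
    dst-address-type=!local new-routing-mark=toWAN5 passthrough=no
/ip route
add disabled=yes dst-address=0.0.0.0/0 gateway=WAN1e pref-src="" routing-table=toWAN1
add disabled=yes dst-address=0.0.0.0/0 gateway=WAN5e pref-src="" routing-table=toWAN5
add disabled=no dst-address=0.0.0.0/0 gateway=WAN1e pref-src="" routing-table=main
"""

# key=value tokens; values may be double-quoted (comments, pref-src="").
_TOKEN = re.compile(r'([\w.-]+)=("(?:[^"\\]|\\.)*"|\S*)')


def join_continuations(text):
    """Join export lines ending in a backslash with the (indented) next line."""
    out, buf, cont = [], "", False
    for raw in text.splitlines():
        line = (raw.lstrip() if cont else raw).rstrip()
        cont = line.endswith("\\")
        if cont:
            buf += line[:-1]
        else:
            out.append(buf + line)
            buf = ""
    return out


def parse_export(text):
    """Return a list of (section, verb, {key: value}) records."""
    section, records = None, []
    for line in join_continuations(text):
        line = line.strip()
        if not line:
            continue
        if line.startswith("/"):
            section = line
            continue
        verb, _, rest = line.partition(" ")
        if verb in ("add", "set"):
            props = {k: v.strip('"') for k, v in _TOKEN.findall(rest)}
            records.append((section, verb, props))
    return records


def enabled(p):
    return p.get("disabled", "no") != "yes"


def check_routing_tables(records):
    """Map each routing mark that has no enabled route to the rules that set it."""
    tables = {p.get("routing-table", "main")
              for s, _, p in records if s == "/ip route" and enabled(p)}
    missing = {}
    for s, _, p in records:
        if s == "/ip firewall mangle" and p.get("action") == "mark-routing" and enabled(p):
            mark = p.get("new-routing-mark")
            if mark not in tables:
                missing.setdefault(mark, []).append(f"{p.get('chain')}/{p.get('connection-mark')}")
    return missing


def check_mark_consistency(records):
    """Flag WAN<n>e rules assigning another WAN's mark, and marks routed to another WAN."""
    problems = []
    for s, _, p in records:
        if s != "/ip firewall mangle":
            continue
        state = "enabled" if enabled(p) else "disabled"
        m = re.fullmatch(r"(WAN\d+)e", p.get("in-interface", ""))
        if p.get("action") == "mark-connection" and m and p.get("new-connection-mark") != f"{m.group(1)}_conn":
            problems.append((state, "in-interface", p["in-interface"], p["new-connection-mark"]))
        m = re.fullmatch(r"(WAN\d+)_conn", p.get("connection-mark", ""))
        if p.get("action") == "mark-routing" and m and p.get("new-routing-mark") != f"to{m.group(1)}":
            problems.append((state, "connection-mark", p["connection-mark"], p["new-routing-mark"]))
    return problems


def check_wireguard_input(records):
    """Listen ports with no enabled 'accept udp dst-port' rule in chain=input."""
    ports = {p["listen-port"] for s, _, p in records if s == "/interface wireguard" and "listen-port" in p}
    accepted = {p.get("dst-port") for s, _, p in records
                if s == "/ip firewall filter" and enabled(p) and p.get("chain") == "input"
                and p.get("action") == "accept" and p.get("protocol") == "udp"}
    return sorted(ports - accepted)


if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    print("routing marks without an enabled route:", check_routing_tables(recs))
    print("cross-wired marks:", check_mark_consistency(recs))
    print("WireGuard ports not accepted in input:", check_wireguard_input(recs))
```

Run it against a full `/export` (with keys and public addresses removed, as suggested later in the thread) instead of the embedded sample; a mark-routing rule whose table has no enabled route, or a mark that names a different WAN than the interface it was set on, is exactly what sends the handshake reply out a different link than the one the initiation arrived on.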
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard and PCC with 6 wan

Thu Dec 01, 2022 2:32 pm

Confused: what is the purpose of your WG setup? Remote access to the CCR (with the CCR acting as server during the handshake)?
Any other uses??
Last edited by BartoszP on Sat Dec 03, 2022 12:05 pm, edited 2 times in total.
Reason: removed excessive quoting of the preceding post; be wise, quote smart.
 
caokyk

Re: Wireguard and PCC with 6 wan

Fri Dec 02, 2022 2:47 pm

My WG setup is road warrior, to connect to the inside LAN, and yes, the CCR acts as server.
 
anav

Re: Wireguard and PCC with 6 wan

Fri Dec 02, 2022 4:36 pm

By wifi do you mean local to your network, aka already on the LAN??
 
caokyk

Re: Wireguard and PCC with 6 wan

Fri Dec 02, 2022 5:12 pm

yes, in my local network
Last edited by BartoszP on Sat Dec 03, 2022 12:04 pm, edited 1 time in total.
Reason: removed excessive quoting of the preceding post; be wise, quote smart.
 
anav

Re: Wireguard and PCC with 6 wan

Fri Dec 02, 2022 7:01 pm

Okay, so why would you WireGuard from a Wi-Fi device into your network when it is already local?? Assuming this was just a test?
The funny thing is that WireGuard is meant to connect to the server coming in on the WAN side........ not the LAN side........... ??

Is this an internet-facing router? Your firewall rules SUCK........ for an internet-facing router and need much work.

Step 1 - Remove all bogon rules everywhere. They are not really required, and if you insist, based on some horrible experience and not YouTube advice, then do it this way.......
/ip route
add blackhole disabled=no dst-address=10.0.0.0/8
add blackhole disabled=no dst-address=172.16.0.0/12
add blackhole disabled=no dst-address=192.168.0.0/16
 
anav

Re: Wireguard and PCC with 6 wan

Fri Dec 02, 2022 7:24 pm

I gather all your mangle rules are there simply to ensure that traffic originating external to the router and entering a specific WAN will be returned through the same WAN?

Now which WAN are you using for wireguard???

Would need to see the WG settings for the device you are connecting to the router with...............
 
caokyk

Re: Wireguard and PCC with 6 wan

Sat Dec 03, 2022 2:26 am

I tested WG inside the local network, and yes, I followed some YouTube guide...
I wish to use WAN5 for WireGuard. I have a rule to track the log:
add action=accept chain=input comment=Wireguard dst-port=13231 log=yes protocol=udp
and when I activate the client's WireGuard, I get this log:
input: in:WAN5e out:(unknown 0), connection-mark:WAN5_conn connection-state:new src-mac d*mac, proto UDP, client's ip :60175->wan5's ip:13231, len 176
Here is my client (Windows) config:
[Interface]
PrivateKey = *key*
Address = 172.16.112.11/32
DNS = 8.8.8.8

[Peer]
PublicKey = *WG server public key (mikrotik)*
AllowedIPs = 0.0.0.0/0
Endpoint = *Wan5's ip*:13231
 
anav

Re: Wireguard and PCC with 6 wan

Sat Dec 03, 2022 5:34 am

To make it clear in the config, why not
add action=accept chain=input comment=Wireguard dst-port=13231 log=yes protocol=udp in-interface=ether5 {or whatever the WAN5 interface name is}

Since it's not the complete config, it's hard to say.
/export file=anynameyouwish (minus the serial number of the MT device and any public WAN IP information)

Also your firewall, if the router faces the internet, is very poor. So much concern for bogons (misplaced) and yet very little for core firewall security??
 
caokyk

Re: Wireguard and PCC with 6 wan

Sat Dec 03, 2022 10:47 am

I added in-interface=WAN5e as you mentioned and the log goes:
"input: in:WAN5e out:(unknown 0), connection-mark:WAN5_conn connection-state:new src-mac d0:07:ca:xx:xx:xx, proto UDP, 1xx.1xx.1x.1xx:29428->1xx.1xx.1xx.2xx:13231, len 176"
I did export file=router, with the file in the attachments.
I don't have much knowledge of network security; what I do is follow YouTube tutorials, so please help me strengthen my router's security. Thank you very much.
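The two log lines posted above (first with masked addresses, then with in-interface=WAN5e added to the rule) are the only evidence available on the router side. As an added example, not part of the thread and not a MikroTik tool, the Python below parses lines in that shape and summarises them per client: how many handshake initiations arrived on which WAN, and whether the connection mark matches the inbound interface. It assumes IPv4 without options, so the logged "len" is the IP total length and a WireGuard handshake initiation is 148 + 20 + 8 = 176 bytes, matching the posted lines; the sample lines, the TEST-NET addresses and the retry threshold are constructed.

```python
"""Summarise RouterOS firewall log lines for a WireGuard listener.
Added example for the log lines posted above; not MikroTik code and not from the
thread. Assumes IPv4 without options, so the logged "len" is the IP total length:
WireGuard handshake initiation = 148 + 28 = 176 bytes. A client that keeps
re-sending the initiation (WireGuard retries after 5 s) never received a
response it accepted: wrong keys, or the reply left via a different WAN."""
import re
from collections import Counter

LOG_RE = re.compile(
    r"(?P<chain>\w+): in:(?P<iface>\S+) out:\((?P<out>[^)]*)\),"
    r"(?: connection-mark:(?P<cmark>\S+))? connection-state:(?P<cstate>\S+)"
    r"(?: src-mac (?P<mac>\S+))?, proto (?P<proto>\w+), "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+), len (?P<len>\d+)")

# IPv4 total length of each WireGuard message type (message + 20 IP + 8 UDP).
WG_MSG_LEN = {176: "handshake-initiation", 120: "handshake-response", 92: "cookie-reply"}

# Constructed sample in the format of the posted lines (TEST-NET addresses).
_WAN5_INIT = ("input: in:WAN5e out:(unknown 0), connection-mark:WAN5_conn connection-state:new "
              "src-mac d0:07:ca:00:00:01, proto UDP, 203.0.113.10:29428->198.51.100.5:13231, len 176")
SAMPLE_LOG = [_WAN5_INIT] * 3 + [  # one client retrying three times on WAN5
    "input: in:WAN1e out:(unknown 0), connection-mark:WAN1_conn connection-state:new "
    "src-mac d0:07:ca:00:00:02, proto UDP, 203.0.113.20:51820->198.51.100.1:13231, len 176",
    "input: in:WAN3e out:(unknown 0), connection-mark:WAN4_conn connection-state:new "
    "src-mac d0:07:ca:00:00:03, proto UDP, 203.0.113.30:40000->198.51.100.3:13231, len 176",
    "input: in:WAN1e out:(unknown 0), connection-mark:WAN1_conn connection-state:established "
    "src-mac d0:07:ca:00:00:02, proto UDP, 203.0.113.20:51820->198.51.100.1:13231, len 1420",
]


def parse_line(line):
    """Parse one firewall log line; None if it is not in the expected shape."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["len"] = int(rec["len"])
    rec["kind"] = WG_MSG_LEN.get(rec["len"], "transport-or-other")
    return rec


def mark_matches_interface(iface, cmark):
    """True when WAN<n>e carries WAN<n>_conn, so the reply is policy-routed back the same way."""
    m = re.fullmatch(r"(WAN\d+)e", iface)
    if not m:
        return True  # not a WAN link; nothing to compare against
    return cmark == f"{m.group(1)}_conn"


def summarise(lines, listen_port="13231", retry_threshold=3):
    """Count handshake initiations per (source, inbound WAN) and flag stuck clients."""
    initiations, mismatched = Counter(), set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "UDP" or rec["dport"] != listen_port:
            continue
        key = (rec["src"], rec["iface"])
        if rec["kind"] == "handshake-initiation":
            initiations[key] += 1
        if not mark_matches_interface(rec["iface"], rec["cmark"]):
            mismatched.add(key)
    return [{"src": src, "iface": iface, "initiations": n,
             "status": "stuck" if n >= retry_threshold else "ok",
             "mark_mismatch": (src, iface) in mismatched}
            for (src, iface), n in sorted(initiations.items())]


if __name__ == "__main__":
    for finding in summarise(SAMPLE_LOG):
        print(finding)
```

A source that shows only repeated 176-byte initiations and never reaches connection-state:established is the signature of the reported "handshake error" seen from the router; if its line also carries a mark for a different WAN, the reply is being sent out another link, which is the first thing to fix before looking at keys.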
 
anav

Re: Wireguard and PCC with 6 wan

Sat Dec 03, 2022 4:34 pm

(1) ????????
/dude
set enabled=yes
????????
add bridge=LANBr ingress-filtering=no interface=sfp1
add bridge=LANBr ingress-filtering=no interface=sfp2
add bridge=LANBr ingress-filtering=no interface=sfp3
add bridge=LANBr ingress-filtering=no interface=sfp4

???????????

Seems like you are missing
/interface bridge port

(2) Also I don't understand what you are using the interface list VLL for?
You have some SFP ports and WireGuard as members, and yet your bridge belongs to nothing????

/interface list member
add interface=WAN6e list=WAN
add interface=WAN1e list=WAN
add interface=WAN4e list=WAN
add interface=WAN2e list=WAN
add interface=WAN5e list=WAN
add interface=WAN3e list=WAN
add interface=WAN6 list=WAN
add interface=WAN1 list=WAN
add interface=WAN4 list=WAN
add interface=WAN2 list=WAN
add interface=WAN5 list=WAN
add interface=WAN3 list=WAN
add interface=Wireg list=VLL
add interface=sfp1 list=VLL
add interface=sfp2 list=VLL
add interface=sfp3 list=VLL
add interface=sfp4 list=VLL


(3) Any reason why WAN5 doesn't show under IP address but all the other WANs do?
/ip address
add address=192.168.79.1/23 interface=LANBr network=192.168.78.0
add address=192.168.3.8/24 disabled=yes interface=WAN6 network=192.168.3.0
add address=192.168.4.8/24 disabled=yes interface=WAN1 network=192.168.4.0
add address=192.168.5.4/24 disabled=yes interface=WAN2 network=192.168.5.0
add address=172.16.1.4/24 disabled=yes interface=WAN3 network=172.16.1.0
add address=192.168.7.4/24 disabled=yes interface=WAN4 network=192.168.7.0
add address=172.16.112.1/24 interface=Wireg network=172.16.112.0


(4) You are seemingly confused about subnets, or there is a different way of doing things that I am not aware of (I have limited experience).

/ip address
add address=192.168.79.1/23 interface=LANBr network=192.168.78.0
add address=192.168.3.8/24 disabled=yes interface=WAN6 network=192.168.3.0
add address=192.168.4.8/24 disabled=yes interface=WAN1 network=192.168.4.0
add address=192.168.5.4/24 disabled=yes interface=WAN2 network=192.168.5.0
add address=172.16.1.4/24 disabled=yes interface=WAN3 network=172.16.1.0
add address=192.168.7.4/24 disabled=yes interface=WAN4 network=192.168.7.0
add address=172.16.112.1/24 interface=Wireg network=172.16.112.0
/ip cloud
set update-time=no
/ip dhcp-server network
add address=192.168.78.0/23 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.79.1
/ip dns
set allow-remote-requests=yes max-udp-packet-size=10000 servers=\
192.168.79.1,8.8.8.8


(5) Missing something again, /firewall address-list... which tells me once again you are not providing the full config despite the request............. too much editing.........

/ip dns
set allow-remote-requests=yes max-udp-packet-size=10000 servers=\
192.168.79.1,8.8.8.8
?????????????????????????????
add address=192.168.78.0/23 list=localnet
add address=0.0.0.0/8 comment="This Network" list=BOGONS
add address=10.0.0.0/8 comment="Private-Use Networks" list=BOGONS
add address=100.64.0.0/10 comment="Shared Address Space. RFC 6598" list=\
BOGONS


(6) Missing IP POOL

(7) Related, your /ip dhcp-server is not in the usual format (you have arp everywhere, not sure why) but no pool???? etc......
/ip dhcp-server
add add-arp=yes authoritative=after-2sec-delay interface=LANBr lease-time=8h \
name=local


Need to address these items as a starting point................
 
caokyk

Re: Wireguard and PCC with 6 wan

Sun Dec 04, 2022 1:54 pm

1. Yes, I have:
/interface bridge port
2. I used the VLL list for old mangle rules, which have been replaced.
The SFP interfaces and ether12 belonged to my bridge interface, and yes, the bridge belongs to nothing.
3. In the old config I used another router/modem to dial PPPoE; those WAN IPs belonged to the interfaces connected directly to the router/modem. Now I use the CCR to dial PPPoE, so those IPs are not needed anymore.
4. Everything on that subnet works perfectly!
5. Sorry, I have some address lists that are not convenient to show; they are a mess, so I removed them so as not to confuse whoever sees them.
6+7. Again, I have a lot of IPs bound to MAC addresses, which makes the config file very big, so I removed the DHCP config.
