Rox169
Member
Topic Author
Posts: 433
Joined: Sat Sep 04, 2021 1:47 am

Wireguard handshake ok, but no ping

Sun Jan 29, 2023 11:05 pm

Hello,

please help with setting up wireguard. I have a public IP on the hAP AX2 and no public IP on the hAP AC3. I have a handshake but I can not ping from one device to the other... I have deleted some private data in the export.. please check the wireguard settings and help me...

hAP AX2 with public IP
# NOTE(review): hAP AX2 (the side with the public IP). Lines starting with
# "NOTE(review)" are reviewer comments, not part of the original export.
/interface bridge
add admin-mac=:A9:08 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] mac-address=:DD:78 name=\
    "ether1 POE"
set [ find default-name=ether2 ] mac-address=:DD:79 name=\
    "ether2 Internet"
set [ find default-name=ether3 ] name="ether3 NAS"

/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/interface bridge port
add bridge=bridge comment=defconf interface="ether3 NAS"
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface="MATRIX 5G"
add bridge=bridge comment=defconf interface="MATRIX 2G"
add bridge=bridge interface="ether1 POE"
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set tcp-syncookies=yes
/interface detect-internet
set detect-interface-list=WAN lan-interface-list=LAN wan-interface-list=WAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface="ether2 Internet" list=WAN
# NOTE(review): with wireguard1 in LAN, tunnel peers pass the
# "defconf: drop all not coming from LAN" input rule and get the LAN-only
# mac-server / neighbor-discovery / management reach below, i.e. the same
# access as local hosts. Fine for a fully trusted site-to-site link; otherwise
# leave it out of LAN and accept only the tunnel traffic actually needed.
add interface=wireguard1 list=LAN
/interface wireguard peers
# NOTE(review): allowed-address is WireGuard's cryptokey routing table - the
# source addresses accepted from this peer after decryption AND the
# destinations handed to it. 10.1.168.101/24 and 10.1.168.38/24 both normalise
# to 10.1.168.0/24, which contains neither the peer's tunnel address nor the
# 192.168.2.0/24 and 192.168.3.0/24 subnets routed via wireguard1 below. That
# is consistent with "handshake ok, but no ping": the key exchange succeeds,
# data packets are discarded. Suggested value, built from the AC3 export:
#   allowed-address=10.255.255.2/32,192.168.2.0/24,192.168.3.0/24
add allowed-address=10.1.168.101/24,10.1.168.38/24 endpoint-address=\
    185.5.225.240 endpoint-port=13231 interface=wireguard1 \
    persistent-keepalive=25s public-key=\
    "yh5i1.......="
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
    192.168.1.0
# NOTE(review): /30 here but /24 on the AC3 side (10.255.255.2/24); use the
# same prefix length on both ends of the tunnel.
add address=10.255.255.1/30 interface=wireguard1 network=10.255.255.0
/ip dhcp-client
add comment=defconf interface="ether2 Internet"

/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 gateway=\
    192.168.1.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add list=ddos-attackers
add list=ddos-targets
/ip firewall filter
add action=drop chain=forward disabled=yes src-address=192.168.1.12
# NOTE(review): these two rules sit ahead of the defconf forward rules and
# accept new connections between a public /24 (109.105.48.0/24) and
# 10.1.168.0/24 on any interface. Neither range is a local subnet or the
# tunnel network, so they do nothing for WireGuard and only widen the chain.
add action=accept chain=forward dst-address=109.105.48.0/24 src-address=\
    10.1.168.0/24
add action=accept chain=forward dst-address=10.1.168.0/24 src-address=\
    109.105.48.0/24
add action=jump chain=forward comment=DDOS connection-state=new jump-target=\
    detect-ddos
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos-targets \
    address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attackers \
    address-list-timeout=10m chain=detect-ddos comment=DDOS
# NOTE(review): the bruteforce group below tracks tcp/22, but /ip service has
# ssh disabled=yes, so it is currently inert. Should SSH be re-enabled, the
# "BRUTEFORCE" accept rule admits tcp/22 from any not-yet-blacklisted address
# (WAN included) because it precedes "drop all not coming from LAN"; add
# in-interface-list=LAN to it, or remove the group while SSH is off.
add action=add-src-to-address-list address-list=bruteforce_blacklist \
    address-list-timeout=4w2d chain=input comment="BRUTEFORCE Blacklist" \
    connection-state=new dst-port=22 protocol=tcp src-address-list=\
    connection3
add action=add-src-to-address-list address-list=connection3 \
    address-list-timeout=1d chain=input comment="Third attempt" \
    connection-state=new dst-port=22 protocol=tcp src-address-list=\
    connection2,!secured
add action=add-src-to-address-list address-list=connection2 \
    address-list-timeout=5h chain=input comment="Second attempt" \
    connection-state=new dst-port=22 protocol=tcp src-address-list=\
    connection1
add action=add-src-to-address-list address-list=connection1 \
    address-list-timeout=2h chain=input comment="First attempt" \
    connection-state=new dst-port=22 protocol=tcp
add action=accept chain=input comment=BRUTEFORCE dst-port=22 protocol=tcp \
    src-address-list=!bruteforce_blacklist
# NOTE(review): this "SYN Flood" return comes after the detect-ddos
# add-to-list rules above, so it is evaluated only once the addresses are
# already listed; it was presumably meant to sit before them - confirm.
add action=return chain=detect-ddos comment="SYN Flood" dst-limit=\
    32,32,src-and-dst-addresses/10s protocol=tcp tcp-flags=syn,ack
# NOTE(review): WireGuard input is pinned to a single source address - good
# hygiene, and the reported handshake is consistent with the AC3 side
# arriving from 185.5.225.240.
add action=accept chain=input dst-port=13231 protocol=udp src-address=\
    185.5.225.240
# NOTE(review): the two zerotier1 rules accept everything from that interface
# in both input and forward with no port or address restriction. The original
# comments say the interface is not ready; keep them disabled until it is.
# zerotier1 not ready
add action=accept chain=input in-interface=zerotier1
# zerotier1 not ready
add action=accept chain=forward in-interface=zerotier1
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip firewall raw
add action=drop chain=prerouting dst-address-list=ddos-targets \
    src-address-list=ddos-attackers
/ip route
# NOTE(review): these routes send 192.168.2.0/24 and 192.168.3.0/24 into
# wireguard1, but the peer's allowed-address above does not list them, so
# WireGuard has no peer to deliver such packets to; fix allowed-address first.
add disabled=no distance=1 dst-address=192.168.2.0/24 gateway=wireguard1 \
    pref-src="" routing-table=main scope=10 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=192.168.3.0/24 gateway=wireguard1 \
    pref-src="" routing-table=main scope=10 suppress-hw-offload=no \
    target-scope=10
/ip service
# NOTE(review): only non-default services appear in an export; winbox is not
# listed, so it is presumably still enabled and, with wireguard1 in LAN,
# reachable from the tunnel. Restrict it (e.g. address=192.168.1.0/24) if
# that is not intended.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
# NOTE(review): enabled= is not in the export, so UPnP here appears to be at
# its default (off); the interface entries below only matter if it is turned
# on. The external interface is "ether1 POE", which is a bridge (LAN) port
# above - the WAN port is "ether2 Internet".
set show-dummy-rule=no
/ip upnp interfaces
add interface=bridge type=internal
add interface="ether1 POE" type=external
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Prague
/system identity
set name="TAP AX2"
/tool graphing
set store-every=hour
/tool graphing interface
add allow-address=192.168.1.0/24
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
# NOTE(review): the 192.168.2.x / 192.168.3.x probes below are reachable only
# through the tunnel, so they stay down until allowed-address is fixed;
# 192.168.4.1 has no route in this export.
add disabled=no down-script="" host=192.168.2.4 http-codes="" interval=1m \
    test-script="" timeout=1s type=simple up-script=""
add disabled=no down-script="" host=192.168.1.11 http-codes="" interval=1m \
    test-script="" timeout=1s type=simple up-script=""
add disabled=no down-script="" host=192.168.2.2 http-codes="" interval=1m \
    test-script="" timeout=1s type=simple up-script=""
add disabled=no down-script="" host=192.168.2.3 http-codes="" interval=1m \
    test-script="" timeout=1s type=simple up-script=""
add disabled=no down-script="" host=192.168.2.5 http-codes="" test-script="" \
    type=simple up-script=""
add disabled=no down-script="" host=192.168.2.6 http-codes="" test-script="" \
    type=simple up-script=""
add disabled=no down-script="" host=192.168.3.2 http-codes="" test-script="" \
    type=simple up-script=""
add disabled=no down-script="" host=192.168.3.3 http-codes="" interval=1m \
    test-script="" timeout=1s type=simple up-script=""
add disabled=no down-script=":log error \"Ping to 8.8.8.8 LOST\"" host=\
    8.8.8.8 http-codes="" interval=1m test-script="" timeout=1s type=simple \
    up-script=":log error \"Ping to 8.8.8.8 OK\""
add disabled=no down-script="" host=192.168.3.1 http-codes="" test-script="" \
    type=simple up-script=""
add disabled=no down-script="" host=192.168.4.1 http-codes="" test-script="" \
    type=simple up-script=""
hAP AC3 without public IP
# NOTE(review): hAP AC3 (the side without a public IP). Lines starting with
# "NOTE(review)" are reviewer comments, not part of the original export.
/interface bridge
add admin-mac=:A4:CC auto-mac=no comment=defconf name=bridge
# NOTE(review): "bridge Bratr" (192.168.2.0/24 below) is not a member of the
# LAN list, so traffic from its hosts to the router itself is dropped by
# "defconf: drop all not coming from LAN" (it is still forwarded to WAN).
# Presumably unintended - add it to LAN if those hosts should reach the
# router for DNS etc.
add name="bridge Bratr" protocol-mode=stp

/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip kid-control
add mon=7h-22h name=ECHO sat=7h-22h sun=7h-22h thu=7h-22h tue=7h-22h wed=\
    7h-22h

/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface="ether1 Internet" list=WAN
add interface=bridge list=LAN
# NOTE(review): same trade-off as on the AX2 - tunnel peers in LAN get full
# management reach (services, mac-server, discovery) on this router. No
# /ip service section is exported, so all services are presumably at their
# defaults and reachable from the tunnel.
add interface=wireguard1 list=LAN
/interface ovpn-server server
# NOTE(review): md5 is accepted as an OpenVPN auth digest. Whether the OVPN
# server is enabled is not in this export; if it is, remove md5 from the list.
set auth=sha1,md5
/interface wireguard peers
# NOTE(review): allowed-address=109.105.48.173/24 normalises to
# 109.105.48.0/24, a public range (the AX2 endpoint's), not the AX2 tunnel
# address or the 192.168.1.0/24 subnet routed via wireguard1 below. Packets
# from the AX2 are therefore discarded after decryption and nothing is routed
# to it. Suggested value, built from the AX2 export:
#   allowed-address=10.255.255.1/32,192.168.1.0/24
# endpoint-address and persistent-keepalive are appropriate on this side: it
# has no public IP, so it must initiate and keep the NAT mapping open.
add allowed-address=109.105.48.173/24 endpoint-address=109.105.48.173 \
    endpoint-port=13231 interface=wireguard1 persistent-keepalive=25s \
    public-key="Jgyhw......."
/ip address
add address=192.168.3.1/24 comment=defconf interface=bridge network=\
    192.168.3.0
add address=192.168.2.1/24 interface="bridge Bratr" network=192.168.2.0
# NOTE(review): /24 here but /30 on the AX2 side (10.255.255.1/30); align the
# prefix length on both ends of the tunnel.
add address=10.255.255.2/24 interface=wireguard1 network=10.255.255.0
/ip dhcp-client
add comment=defconf interface="ether1 Internet"

/ip dhcp-server network
add address=192.168.2.0/24 gateway=192.168.2.1

/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip dns static
add address=192.168.3.1 comment=defconf name=router.lan
/ip firewall filter
add action=jump chain=forward comment="jump to kid-control rules" \
    jump-target=kid-control
# NOTE(review): as on the AX2, these two accepts admit new forward traffic
# between a public /24 and 10.1.168.0/24 on any interface; neither is a local
# or tunnel subnet, so they do not help WireGuard and only widen the chain.
add action=accept chain=forward dst-address=10.1.168.0/24 src-address=\
    109.105.48.0/24
add action=accept chain=forward dst-address=109.105.48.0/24 src-address=\
    10.1.168.0/24
add action=drop chain=forward comment=Ring disabled=yes src-address=\
    192.168.3.187
# NOTE(review): accepting udp/13231 only from the AX2 public IP is right for
# this side; replies to the keepalive-initiated session also match
# "accept established,related" further down.
add action=accept chain=input dst-port=13231 protocol=udp src-address=\
    109.105.48.173
# NOTE(review): unconditional accepts for everything arriving on zerotier5 in
# both chains; narrow them to the ports/subnets actually used if ZeroTier stays.
add action=accept chain=input in-interface=zerotier5
add action=accept chain=forward in-interface=zerotier5
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "\"defconf: accept to local loopback (for CAPsMAN)\"" disabled=yes \
    dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip kid-control device
add mac-address=:4F:AA name=ECHO user=ECHO
/ip route
# NOTE(review): return route for the AX2 LAN; it only carries traffic once the
# peer's allowed-address above includes 192.168.1.0/24. distance=2 differs
# from the AX2 side (1) - harmless unless another route to this prefix exists.
add disabled=no distance=2 dst-address=192.168.1.0/24 gateway=wireguard1 \
    pref-src="" routing-table=main scope=10 suppress-hw-offload=no \
    target-scope=10
/ip smb shares
set [ find default=yes ] disabled=yes
/ip upnp
# NOTE(review): allow-disable-external-interface=yes lets any LAN UPnP client
# disable the router's external interface. The only external interface below
# is itself disabled=yes, so UPnP currently has nothing to map; either turn
# it off or at least drop allow-disable-external-interface.
set allow-disable-external-interface=yes enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add disabled=yes interface="ether1 Internet" type=external
/system clock
set time-zone-name=Europe/Prague
/system identity
set name="Rap AC3"

/system logging
# NOTE(review): the wireguard topic is present twice and disabled both times;
# enable one entry while troubleshooting the tunnel and remove the duplicate.
add disabled=yes topics=wireguard
add topics=firewall
add disabled=yes topics=wireguard
/tool graphing
set store-every=hour
/tool graphing interface
add allow-address=192.168.3.0/24
add allow-address=192.168.1.0/24 store-on-disk=no
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

/tool romon
# NOTE(review): RoMON is a layer-2 management path; the export shows no port
# restriction or secret for it, so confirm it runs only where intended and
# has a secret set (the thread does not mention it being used).
set enabled=yes
/tool traffic-monitor
add disabled=yes interface=bridge name=tmonBridge on-event=\
    "log info \"Traffic\"" traffic=received
 
anav
Forum Guru
Posts: 19104
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard handshake ok, but no ping

Mon Jan 30, 2023 5:57 am

(1) Why do you have allowed IP settings on the AX3 for the hapac2 that include endpoint address and keep alive......... the hapax3 is the client and will not be initiating a connection?

(2) Why is there not the wireguard IP address showing on the AX3 for allowed IPs on the hapac2 peer??
/interface wireguard peers
add allowed-address=10.1.168.101/24,10.1.168.38/24

Furthermore what are these IPs here............ A clue, they don't match what you have entered in routes, which identify 192.168.2.0/24 and 192.168.3.0/24 as traffic needing routing through wireguard, and I suspect that is for return traffic for those remote subnets after connecting to users or devices on the local 192.168.1.0/24

(3) So your hapac2 has a fixed public IP??
add action=accept chain=input dst-port=13231 protocol=udp src-address=\
185.5.225.240
???


(4) UR firewall rules are a bloated mess of stuff that has nothing to do with requirements and the traffic flow users need....... would dump it all and stick to default rules plus what you need for user traffic. Also firewall rules are easier to read/troubleshoot when grouped together........

(5) on hapac3 I wouldn't call my wireguard interfaces the same thing between two routers, just for the sake of clarity!

(6) Also on hapac2 your allowed peers for ax3 make no sense......
Why is the allowed address the same as the endpoint address......

It's clear you have no understanding of how to set wireguard up.......

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

You should do some reading first....... viewtopic.php?t=182340
 
Rox169
Member
Topic Author
Posts: 433
Joined: Sat Sep 04, 2021 1:47 am

Re: Wireguard handshake ok, but no ping

Mon Jan 30, 2023 8:49 am

Hello @anav,

thank you for helping.

1. The AX2 is with public IP and this device will initiate the connection. Hap AX2 is not the client. How do I change it?
2. Those addresses are allowed in hap AX2. I'm also running Zerotier, which is currently working, but I want to switch to Wireguard.
On hap AX2 I have in the peer allowed IP 10.1.168.101/24 - this is the IP of my wifi client from the provider and it is there only to be sure. This IP 10.1.168.38/24 is the IP which I get from DHCP on my main router on WLAN. You are right, the local IP on hap AC3 is 192.168.3.0/24 and I have another bridged network with 192.168.2.0/24

3. This 185.5.225.240 is the public fixed IP of my provider on hap AC3.
4. the firewall should be ok, I have there only bruteforce and ddos attack blocking, the basic mikrotik firewall rules + zerotier+WG
5. I should name the WG interface differently? for example wireguard2?
6. My provider gave me a public IP address which is the same as the IP address which I get from dhcp on my WAN from the provider.

I have read your post...it is quite long but I read it.... with the settings I have followed exactly the Mikrotik guide; I have a handshake so I'm not so far....I was able to set up Zerotier almost immediately so I do not think I'm such a beginner...
 
Rox169
Member
Topic Author
Posts: 433
Joined: Sat Sep 04, 2021 1:47 am

Re: Wireguard handshake ok, but no ping

Mon Jan 30, 2023 10:39 pm

Hello,

can anyone help please?
 
Rox169
Member
Topic Author
Posts: 433
Joined: Sat Sep 04, 2021 1:47 am

Re: Wireguard handshake ok, but no ping

Mon Jan 30, 2023 10:39 pm

Hello,

can anyone help please?
 
anav
Forum Guru
Posts: 19104
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard handshake ok, but no ping

Mon Jan 30, 2023 10:40 pm

I doubt anyone will because the advice i gave was useful and accurate and your config is a mess.
 
Rox169
Member
Topic Author
Posts: 433
Joined: Sat Sep 04, 2021 1:47 am

Re: Wireguard handshake ok, but no ping

Mon Jan 30, 2023 10:51 pm

I doubt anyone will because the advice i gave was useful and accurate and your config is a mess.
which advice do you mean? Do you mean advice 2?

check the config one more time it is there..... I have on AX2 this.... /interface wireguard peers add allowed-address=10.1.168.101/24,10.1.168.38/24
