aleab
Member Candidate
Topic Author
Posts: 110
Joined: Sat Sep 22, 2018 6:13 pm

wireguard site to site and strange problem

Sun Feb 05, 2023 9:19 pm

Hello,
I have 2 MikroTik hAP ac2 with ROS 7.7 with default config,
so a simple config: 1 WAN, 1 LAN on both sides.
LAN subnet site1 10.1.1.0/24
LAN subnet site2 10.2.1.0/24

I created a WireGuard tunnel as described here:
https://help.mikrotik.com/docs/display/ ... uardtunnel

The tunnel works fine;
the strange thing is that from site1 I can ping all devices on site2 (and the opposite too),

but on site1 when I open a browser and connect to a device on site2, I can't.
Sometimes it seems to open a website but it doesn't work; it loads half the page...

The strange thing is that if I check the firewall connections, it seems ok (I attach screenshots of both MikroTiks).

Can someone help me by pointing me in the right direction?

Thank you in advance
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: wireguard site to site and strange problem

Sun Feb 05, 2023 11:42 pm

Which device is the server for the initial handshake and which is the client?
Normally the one connection with a publicly accessible WAN IP is the server. In your case, are both that way?

What you will need for assistance is to post both configs.
/export file=anynameyouwish (minus router serial number, any public WAN IP info and keys, of course)
 
aleab
Member Candidate
Topic Author
Posts: 110
Joined: Sat Sep 22, 2018 6:13 pm

Re: wireguard site to site and strange problem

Mon Feb 06, 2023 4:10 pm

Thank you for the reply.
For the screenshots:
left = site1
right = site2

I attach here the export with hide-sensitive.

But I thought if ping works, everything works... :)

Thank you again
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: wireguard site to site and strange problem

Mon Feb 06, 2023 5:41 pm

R1

(1) Remove WIREGUARD FROM BRIDGE!!
Wireguard can be added to interface lists but not a Bridge

(2) You have an error in your IP address guessing...... maybe in allowed IPs
From:
add allowed-address=172.16.100.1/30,10.2.1.0/24 interface=\
TO:
add allowed-address=172.16.100.2/32,10.2.1.0/24 interface=\

(3) I don't understand why you have two different wireguard interfaces on R1 ???

(4) I don't understand why you have two IP addresses assigned to the bridge?

(5) I don't understand why you have vlan filtering enabled when you have no vlans assigned.

(6) Your firewall rules are a mess, chains not organized and rules that are questionable.

(7) masquerade rules seem overly complex

(8) Use of distance is not needed in this case................. and you should also use the wireguard interface name for the gateway.
add comment="ROUTE PER LAN RETE REMOTA CASA CARVICO WIREGUARD" disabled=no \
distance=5 dst-address=10.2.1.0/24 gateway=172.16.100.2 pref-src=10.1.1.1 \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10


R2

9. Does your LTE provider have the traffic coming in on VLAN 300 ?
10. If so why is ETHER1 part of any bridge. Not applicable.

11. Why do you have two bridges?? One bridge is all you need......... Then this line becomes.........
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge ingress-filtering=no interface=ether1 { Remove if ether1 is the WAN port }
add bridge=bridge interface=wifi1
add bridge=bridge interface=wifi2
add bridge=bridge interface=wifi3 ingress-filtering=yes frame-types=admit-priority-and-untagged pvid=252

12. MISSING /interface bridge vlan
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=wifi3 vlan-ids=252


13. Same comment on ROUTES, use gwy=WIREGUARD not the address, and distance doesn't matter.

14. Don't understand the 192.168.82 ROUTE, but assuming that
a. either you have remote users coming from R1 with that address and this allows the return traffic to be routed into the TUNNEL OR
b. you have local R2 users (originating traffic) headed to 192.168.82 users and this routes such traffic to the tunnel
OR BOTH ???????????

15. Based on the peer settings of R2, neither A nor B is true because you don't have the 192.168.82 subnet identified in allowed IPs, and thus my confusion on why there is a route?

16. Same comment on Firewall as R1
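Putting points (1), (2), (8) and (13) together, here is an added example (not from the thread, and not MikroTik's own text) of how the site-to-site peer and route would look on R1 using the addresses from this thread; the WireGuard interface name, listen port, endpoint and public key are assumed placeholders.

```routeros
# Added example for R1 (site1, LAN 10.1.1.0/24, tunnel address 172.16.100.1/30).
# Interface name, port, endpoint and key are placeholders, not values from the thread.
/interface wireguard
add name=wg-site2site listen-port=13231 mtu=1420

# Point (1): the tunnel address lives on the WireGuard interface itself; it is NOT a bridge port.
/ip address
add address=172.16.100.1/30 interface=wg-site2site

# Point (2): allowed-address lists what may arrive FROM the peer:
# R2's tunnel address as a /32 plus R2's LAN, never a /30 that also covers our own address.
/interface wireguard peers
add interface=wg-site2site \
    public-key="<R2-PUBLIC-KEY>" \
    endpoint-address=<R2-PUBLIC-IP> endpoint-port=13231 \
    persistent-keepalive=25s \
    allowed-address=172.16.100.2/32,10.2.1.0/24

# Points (8)/(13): route the remote LAN via the interface name; no distance needed.
/ip route
add dst-address=10.2.1.0/24 gateway=wg-site2site

# The default firewall drops WAN input, so the listen port must be accepted in the input
# chain ahead of the default drop rule (only needed on the side that receives handshakes).
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=13231 \
    comment="wireguard site2site" place-before=0

# Mirror on R2: address 172.16.100.2/30 on its own WireGuard interface,
# allowed-address=172.16.100.1/32,10.1.1.0/24 and a route to 10.1.1.0/24 via that interface.
```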
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: wireguard site to site and strange problem

Mon Feb 06, 2023 5:43 pm

By the way I am assuming both R1 and R2 have reachable/accessible public IPs and thus you have it set up where both can be either client or server depending upon which router user starts a wireguard session. ?????
 
aleab
Member Candidate
Topic Author
Posts: 110
Joined: Sat Sep 22, 2018 6:13 pm

Re: wireguard site to site and strange problem

Mon Feb 06, 2023 6:19 pm

Yes, I know.
I'm testing various scenarios and have a problem organizing the rules...

Just to try to explain...

R1
1 - ok, I removed the wireguard interface from the bridge
2 - ok, I corrected the IP with 172.16.100.2/32 (and the same on R2 with 172.16.100.1/32)
3 - 2 wireguard interfaces because 1 is to test road warrior, 1 to test site2site (road warrior works fine with my laptop and android phone)
4 - this is strange... because I have an ISP router with wifi enabled and the router on the same LAN (192.168.82.1 is the ISP router with DHCP server off, 192.168.82.2 is the R1 "WAN" address and 10.1.1.1 is the R1 "LAN" address)
5 - the vlan is for testing guest wifi (I enabled this to test)
6 - yes I know, when I have FTTH I'll change my topology and start from the ground up
7 - same
8 - ok, I didn't know I could use the "name", so now I'm changing the gateway to "name-wireguard-interface"

R2
9 - yes, I have an SXT LTE on ether1 with passthrough on vlan 300
10 - ether1 is on the bridge so I can use 10.2.1.253 to reach the SXT LTE

11 - same as for R1, I test guest wifi (without VLAN but separated with a different bridge)
12 - yes, I checked and it is enabled but I accidentally deleted it
13 - ok, I'll change it
14 - just to reach the ISP router on R1 from R2 (but this is not important); I think this is not the cause, or if you think it is, I can delete it
a/b is not a problem, I can delete the route without problem
15/16 - no, it is only the route for the ISP router on R1 (office)

Thank you again

Now, I'm testing the same situation with an SSTP server (server on R1 and R2 is a client) and it works fine.
From R1 I can see all devices on R2 (not only ping but http, smb, winbox etc.) and the reverse...

I can try to set up the 2 MikroTiks in a normal topology, but in my crazy setup, if you think the problem is in the
firewall rules
NAT
route
wireguard setup (I think not because ping works fine)

Thank you again
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: wireguard site to site and strange problem

Mon Feb 06, 2023 6:59 pm

I always work from the latest changed configs................ evidence-based help. :-)
 
aleab
Member Candidate
Topic Author
Posts: 110
Joined: Sat Sep 22, 2018 6:13 pm

Re: wireguard site to site and strange problem

Thu Feb 16, 2023 3:00 pm

Now I can't reset and clean my ROS setup.

But I set up an SSTP server on R1 and an SSTP client on R2.
I added a route to the other site and with SSTP it works fine... of course SSTP uses TCP and is not as fast as UDP, but that's okay...

So now I leave it like this...
In the future I'll check with another customer, in a more classical setup, with wireguard.

Thank you again
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: wireguard site to site and strange problem

Thu Feb 16, 2023 3:23 pm

Good idea, a clear plan and clear set of requirements and diagram will help organize the config.
