GuntOn
just joined
Topic Author
Posts: 15
Joined: Mon Apr 23, 2018 7:11 pm

Can access branch office devices from LAN but can't access from VPN clients

Fri Mar 10, 2023 10:04 am

There are a main office and a branch office, both connected with an IPSec site-to-site tunnel. From the main office LAN I can access branch office devices without any problems, but I also need to get access to branch office devices from random remote locations (road warriors). So I configured a WireGuard VPN server on the main office router and now I can ping these devices from WireGuard clients and also can ping google.com, but can't access devices and internet from a web browser. I have no clear idea what I have misconfigured... Something with the firewall?

Main Office config
# mar/10/2023 08:53:39 by RouterOS 7.8
# software id = XXXX-XXXX
#
# model = RB3011UiAS
# serial number = XXXXXXXXXXXX
/interface bridge
add name=bridge1
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec peer
add address=195.XX.XXX.108/32 name=Branch Office
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/ipv6 settings
set disable-ipv6=yes
/interface wireguard peers
add allowed-address=10.10.100.2/32 comment="Samsung" interface=\
wireguard1 public-key="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
add allowed-address=10.10.100.3/32 comment="Lenovo" interface=\
wireguard1 public-key="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
/ip address
add address=62.XX.XXX.8/28 interface=ether1 network=62.XX.XXX.0
add address=10.10.10.1/24 interface=ether2 network=10.10.10.0
add address=10.10.100.1/24 interface=wireguard1 network=10.10.100.0
/ip dns
set allow-remote-requests=yes servers=91.198.156.20,194.8.2.2,8.8.8.8
/ip firewall filter
add action=accept chain=input dst-port=13231 protocol=udp
add action=accept chain=input src-address=10.10.100.0/24
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=tcp
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp
/ip firewall nat
add action=accept chain=srcnat dst-address=10.10.11.0/24 src-address=\
10.10.10.0/24
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat src-address=10.10.100.0/24
add action=dst-nat chain=dstnat log=yes src-address=10.10.100.0/24 \
to-addresses=10.10.10.1
/ip ipsec identity
add peer=Branch Office
/ip ipsec policy
add dst-address=10.10.11.0/24 peer=Branch Office src-address=10.10.10.0/24 tunnel=\
yes
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=62.XX.XXX.1 routing-table=main \
suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address="62.XX.XXX.6/32,62.XX.XXX.7/32,62.XX.XXX.1\
0/32,62.XX.XXX.13/32" port=8292
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Riga
/system identity
set name="Main Office"

Branch Office config
# mar/10/2023 09:48:15 by RouterOS 6.48.6
# software id = XXXX-XXXX
#
# model = 2011UiAS-2HnD
# serial number = XXXXXXXXXXXX
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec peer
add address=62.XX.XXX.8/32 name=Main Office
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/ip address
add address=195.13.199.108/29 interface=ether1 network=195.13.199.104
add address=10.10.11.1/24 interface=ether2 network=10.10.11.0
/ip dns
set allow-remote-requests=yes servers=91.198.156.20,194.8.2.2,8.8.8.8
/ip firewall filter
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=tcp
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp
/ip firewall nat
add action=accept chain=srcnat dst-address=10.10.10.0/24 src-address=\
10.10.11.0/24
add action=masquerade chain=srcnat out-interface=ether1
/ip ipsec identity
add peer=Main Office
/ip ipsec policy
add dst-address=10.10.10.0/24 peer=Main Office src-address=10.10.11.0/24 \
tunnel=yes
/ip route
add distance=1 gateway=195.13.199.105
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address="62.XX.XXX.6/32,62.XX.XXX.7/32,62.XX.XXX.1\
0/32,62.XX.XXX.13/32" port=8292
set api-ssl disabled=yes
/lcd interface pages
set 0 interfaces=sfp1,ether1
/system clock
set time-zone-name=Europe/Riga
/system identity
set name="Branch Office"

WireGuard client config (posted as a screenshot)
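An added check for the posted main-office config, written by the editor and not part of the thread or the OP's own configuration. It walks the posted NAT rules for a connection from a WireGuard client; the client and branch-host addresses used in the comments are constructed, and the src-nat rule at the end is one possible design, stated as an assumption.

```routeros
# Editor's added check, not part of the thread or the OP's config. It reads the
# posted main-office NAT rules for a connection from a WireGuard client.
# Addresses 10.10.100.2 and 10.10.11.5 in the comments are constructed samples.

# The posted rule matches on src-address only. With no dst-address, protocol or
# dst-port matcher it catches every new connection from 10.10.100.0/24 and
# rewrites the destination to 10.10.10.1, the router itself. That fits the
# symptom: an ICMP echo to any address (10.10.11.5, google.com) is answered by
# the router, so ping "works", while HTTP also lands on the router, whose www
# service is disabled, so the browser gets nothing.
/ip firewall nat
add action=dst-nat chain=dstnat log=yes src-address=10.10.100.0/24 \
    to-addresses=10.10.10.1

# Check 1: the rule already has log=yes; browse from 10.10.100.2 to a branch
# host and the log shows the rewrite (exact message format is an assumption).
/log print where message~"dstnat"
# Check 2: the connection table shows the rewritten destination.
/ip firewall connection print where src-address~"^10.10.100."
# Check 3: per-rule hit counters.
/ip firewall nat print stats

# Remove the catch-all rule: the input-chain accept for 10.10.100.0/24 already
# lets clients reach the router (and its DNS) on 10.10.100.1 without any NAT.
/ip firewall nat remove [find chain=dstnat to-addresses=10.10.10.1]

# Second issue once the DNAT is gone: client traffic to 10.10.11.0/24 hits the
# masquerade rule for out-interface=ether1, leaves as 62.XX.XXX.8 and no longer
# matches the IPsec policy 10.10.10.0/24 -> 10.10.11.0/24. One way to keep it
# inside the existing tunnel without touching the branch router (an assumption
# about the wanted design) is to source-NAT it to the main LAN address, placed
# before the masquerade rules so those never see it:
/ip firewall nat
add action=src-nat chain=srcnat dst-address=10.10.11.0/24 \
    src-address=10.10.100.0/24 to-addresses=10.10.10.1 \
    place-before=[find action=masquerade out-interface=ether1] \
    comment="road warriors -> branch over the existing IPsec policy"
```

Branch replies are addressed to 10.10.10.1, which the branch's existing policy already covers, so only the main router changes.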
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Can access branch office devices from LAN but can't access from VPN clients

Fri Mar 10, 2023 3:17 pm

You are missing the wg config on the branch office to tie into the wg server at the main office. ??????
It is like you're 1/2 done.
 
GuntOn
just joined
Topic Author
Posts: 15
Joined: Mon Apr 23, 2018 7:11 pm

Re: Can access branch office devices from LAN but can't access from VPN clients

Tue Mar 14, 2023 8:47 am

You are missing the wg config on the branch office to tie into the wg server at the main office. ??????
It is like you're 1/2 done.
Both sites are already connected via site-to-site IPSec. The problem is that I can't access the branch office through the main office WireGuard VPN.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Can access branch office devices from LAN but can't access from VPN clients

Tue Mar 14, 2023 1:42 pm

As I said, you don't have WG settings on the branch office... 1/2 done
 
GuntOn
just joined
Topic Author
Posts: 15
Joined: Mon Apr 23, 2018 7:11 pm

Re: Can access branch office devices from LAN but can't access from VPN clients

Tue Mar 14, 2023 1:49 pm

In that case there would be two WireGuard VPN servers, but I only need one server on the main office router.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Can access branch office devices from LAN but can't access from VPN clients

Tue Mar 14, 2023 5:17 pm

No, that's your wrong assumption.
You use the same WG interface on the Main router.

You have to be far clearer in your intentions.
IS IT
a. RW connects to Main router via wireguard and then connects to branch office via IPsec
OR
b. RW connects all the way to Branch Office via wireguard by way of Main Router

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Main Router

(1) add peer for branch office: interface=wireguard1 allowed-address=10.10.100.4/32,branchsubnets***
**** add branch subnets that the RWs will need to visit

(2) add relay firewall rule
add action=accept chain=forward in-interface=wireguard1 out-interface=wireguard1

(3) add ip routes for branch subnets that RWs need to visit
/ip route
add dst-address=branchsubnetA gateway=wireguard1 table=main
add dst-address=branchsubnetB gateway=wireguard1 table=main


Branch Router

(1) Create wg interface wg-branch
Peer settings for MAIN Router
interface=wg-branch allowed-address=10.10.100.0/24 persistent-keepalive=35s endpoint-address=XXXX endpoint-port=YYYYY

(2) Create firewall rule
add action=accept chain=forward in-interface=wg-branch dst-address=subnetX { both roadwarriors need access to same single subnet example } *****

*****
Note1: If one RW is specific to a particular subnet then add src-address=10.10.100.X to narrow down access.
Note2: If both RWs need access to multiple subnets, then make an interface list of them = WG-Incoming
add action=accept chain=forward in-interface=wg-branch out-interface-list=WG-Incoming { both roadwarriors need access to multiple subnets }

Wireguard RoadWarriors

Ensure that their allowed IPs = 10.10.100.0/24,branchsubnets

+++++++++++++++++++++++++++++++++

Why do the road warrior wireguard allowed IPs reflect 0.0.0.0/0 ???

It would seem you have an unclear requirement implicitly stated. Besides accessing branch subnets, IS IT
a. for road warriors to use the internet of the main router?
or
b. for road warriors to use the internet of the branch router?
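The steps above written out as RouterOS v7 commands, added by the editor (this is not anav's or the OP's own config). Public keys, the branch listen port and the branch WireGuard address 10.10.100.4 are placeholders or constructed values; the subnets and the main-office endpoint 62.XX.XXX.8:13231 come from the posted configs. One caveat the posted export shows: the branch router runs RouterOS 6.48.6, which has no WireGuard, so it must be upgraded to v7 before any of the branch part applies.

```routeros
# Editor's added example of the procedure above, not the thread's own config.
# Placeholders: <BRANCH-PUBLIC-KEY>, <MAIN-PUBLIC-KEY>. Constructed: 10.10.100.4
# (branch router's address inside the WireGuard subnet), listen-port 13232.
# Caveat: the posted branch export is RouterOS 6.48.6, which has no WireGuard;
# the branch router needs RouterOS v7 for the branch section below.

# ---- Main Router (existing wireguard1, 10.10.100.1/24) ----
/interface wireguard peers
add interface=wireguard1 comment="branch office" \
    public-key="<BRANCH-PUBLIC-KEY>" \
    allowed-address=10.10.100.4/32,10.10.11.0/24
/ip firewall filter
# relay rule: road warriors enter and leave through the same WG interface
add action=accept chain=forward in-interface=wireguard1 out-interface=wireguard1
/ip route
# branch LAN is reachable through the WireGuard peer entry above
add dst-address=10.10.11.0/24 gateway=wireguard1 routing-table=main

# ---- Branch Router (RouterOS v7) ----
/interface wireguard
# private key is generated automatically; read the public key with
# /interface wireguard print and paste it as <BRANCH-PUBLIC-KEY> on the main router
add name=wg-branch listen-port=13232
/ip address
add address=10.10.100.4/24 interface=wg-branch
/interface wireguard peers
add interface=wg-branch comment="main office" \
    public-key="<MAIN-PUBLIC-KEY>" \
    endpoint-address=62.XX.XXX.8 endpoint-port=13231 \
    persistent-keepalive=35s allowed-address=10.10.100.0/24
/ip firewall filter
# narrow: only the road-warrior subnet, only towards the LAN they need
add action=accept chain=forward in-interface=wg-branch \
    src-address=10.10.100.0/24 dst-address=10.10.11.0/24

# ---- Road-warrior clients ----
# In each client's peer entry for the main router, AllowedIPs must cover both
# the WireGuard subnet and the branch LAN, e.g.
#   AllowedIPs = 10.10.100.0/24, 10.10.11.0/24
```

The branch peer sets persistent-keepalive because the branch sits behind its own ether1 address and initiates the handshake; the main router never needs an endpoint for it.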
 
GuntOn
just joined
Topic Author
Posts: 15
Joined: Mon Apr 23, 2018 7:11 pm

Re: Can access branch office devices from LAN but can't access from VPN clients

Thu Mar 16, 2023 10:29 am

No, that's your wrong assumption.
You use the same WG interface on the Main router.

You have to be far clearer in your intentions.
IS IT
a. RW connects to Main router via wireguard and then connects to branch office via IPsec
OR
b. RW connects all the way to Branch Office via wireguard by way of Main Router


It would seem you have an unclear requirement implicitly stated. Besides accessing branch subnets, IS IT
a. for road warriors to use the internet of the main router?
or
b. for road warriors to use the internet of the branch router?
I am trying to achieve this scenario.
