Hi,
You need some allowed addresses in the MikroTik peer settings:
10.255.255.0/24 and 192.168.9.0/24
Awesome, thank you and that's done.
Unfortunately, still no joy.
For the record, here's the output of
pgrep -f -a wg; wg show; wg showconf wg0
on the work (OpenWRT) side:
3 kworker/0:0-wg-
2304 wg-crypt-wg0
2936 kworker/0:2-wg-
interface: wg0
public key: REMOVED
private key: (hidden)
listening port: 13231
peer: REMOVED
endpoint: REMOVED:13231
allowed ips: 192.168.88.0/24, 10.255.255.0/24
latest handshake: 1 minute, 21 seconds ago
transfer: 211.74 KiB received, 238.59 KiB sent
persistent keepalive: every 25 seconds
[Interface]
ListenPort = 13231
PrivateKey = REMOVED
[Peer]
PublicKey = REMOVED
AllowedIPs = 192.168.88.0/24, 10.255.255.0/24
Endpoint = REMOVED:13231
PersistentKeepalive = 25
Output of
ip address show; ip route show table all
on the work (OpenWRT) side:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
link/ether REMOVED brd ff:ff:ff:ff:ff:ff
inet REMOVED/23 brd REMOVED scope global eth0
valid_lft forever preferred_lft forever
inet6 REMOVED/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br-lan state UP qlen 1000
link/ether REMOVED brd ff:ff:ff:ff:ff:ff
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
link/ether 84:16:f9:d6:e7:fb brd ff:ff:ff:ff:ff:ff
inet 192.168.9.1/24 brd 192.168.9.255 scope global br-lan
valid_lft forever preferred_lft forever
inet6 fde3:e6b9:a6dd::1/60 scope global noprefixroute
valid_lft forever preferred_lft forever
inet6 fe80::8616:f9ff:fed6:e7fb/64 scope link
valid_lft forever preferred_lft forever
8: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN qlen 1000
link/[65534]
inet 10.255.255.2/24 brd 10.255.255.255 scope global wg0
valid_lft forever preferred_lft forever
9: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
link/ether 84:16:f9:d6:e7:fb brd ff:ff:ff:ff:ff:ff
inet6 fe80::8616:f9ff:fed6:e7fb/64 scope link
valid_lft forever preferred_lft forever
10: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
link/ether 84:16:f9:d6:e7:fa brd ff:ff:ff:ff:ff:ff
inet6 fe80::8616:f9ff:fed6:e7fa/64 scope link
valid_lft forever preferred_lft forever
default via REMOVED dev eth0 src REMOVED
10.255.255.0/24 dev wg0 scope link
HOME_IP_REMOVED via WORK_IP_REMOVED dev eth0
REMOVED/23 dev eth0 scope link src REMOVED
192.168.9.0/24 dev br-lan scope link src 192.168.9.1
192.168.88.0/24 dev wg0 scope link
broadcast 10.255.255.0 dev wg0 table local scope link src 10.255.255.2
local 10.255.255.2 dev wg0 table local scope host src 10.255.255.2
broadcast 10.255.255.255 dev wg0 table local scope link src 10.255.255.2
broadcast REMOVED dev eth0 table local scope link src REMOVED
local REMOVED dev eth0 table local scope host src REMOVED
broadcast REMOVED dev eth0 table local scope link src REMOVED
broadcast 127.0.0.0 dev lo table local scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host src 127.0.0.1
local 127.0.0.1 dev lo table local scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link src 127.0.0.1
broadcast 192.168.9.0 dev br-lan table local scope link src 192.168.9.1
local 192.168.9.1 dev br-lan table local scope host src 192.168.9.1
broadcast 192.168.9.255 dev br-lan table local scope link src 192.168.9.1
fde3:e6b9:a6dd::/64 dev br-lan metric 1024
unreachable fde3:e6b9:a6dd::/48 dev lo metric 2147483647
fe80::/64 dev eth0 metric 256
fe80::/64 dev br-lan metric 256
fe80::/64 dev wlan1 metric 256
fe80::/64 dev wlan0 metric 256
local ::1 dev lo table local metric 0
anycast fde3:e6b9:a6dd:: dev br-lan table local metric 0
local fde3:e6b9:a6dd::1 dev br-lan table local metric 0
anycast fe80:: dev eth0 table local metric 0
anycast fe80:: dev br-lan table local metric 0
anycast fe80:: dev wlan1 table local metric 0
anycast fe80:: dev wlan0 table local metric 0
local fe80::8616:f9ff:fed6:e7fa dev wlan0 table local metric 0
local fe80::8616:f9ff:fed6:e7fb dev br-lan table local metric 0
local fe80::8616:f9ff:fed6:e7fb dev wlan1 table local metric 0
local fe80::8616:f9ff:fed6:e7fc dev eth0 table local metric 0
multicast ff00::/8 dev br-lan table local metric 256
multicast ff00::/8 dev eth0 table local metric 256
multicast ff00::/8 dev wg0 table local metric 256
multicast ff00::/8 dev wlan1 table local metric 256
multicast ff00::/8 dev wlan0 table local metric 256
Output of
on the work (OpenWRT) side:
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].synflood_protect='1'
firewall.lan=zone
firewall.lan.name='lan'
firewall.lan.input='ACCEPT'
firewall.lan.output='ACCEPT'
firewall.lan.forward='ACCEPT'
firewall.lan.network='lan'
firewall.wan=zone
firewall.wan.name='wan'
firewall.wan.input='REJECT'
firewall.wan.output='ACCEPT'
firewall.wan.forward='REJECT'
firewall.wan.masq='1'
firewall.wan.mtu_fix='1'
firewall.wan.network='wan' 'wan6' 'wg0'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[3].enabled='0'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[5].enabled='0'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[6].enabled='0'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@redirect[0]=redirect
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].proto='tcp'
firewall.@redirect[0].src_dport='REMOVED'
firewall.@redirect[0].dest_port='22'
firewall.@redirect[0].name='alt port ssh'
firewall.@redirect[0].dest_ip='192.168.9.92'
Output of
on the work (OpenWRT) side:
network.loopback=interface
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.loopback.device='lo'
network.globals=globals
network.globals.ula_prefix='fde3:e6b9:a6dd::/48'
network.lan=interface
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='192.168.9.1'
network.lan.dns='192.168.9.92' '192.168.9.90'
network.lan.device='br-lan'
network.wan=interface
network.wan.proto='dhcp'
network.wan.peerdns='0'
network.wan.dns='192.168.9.92' '192.168.9.90'
network.wan.device='eth0'
network.wan6=interface
network.wan6.proto='dhcpv6'
network.wan6.reqaddress='try'
network.wan6.reqprefix='auto'
network.wan6.device='eth0'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='2 3 4 5 0'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='1 6'
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ports='eth1'
network.wg0=interface
network.wg0.proto='wireguard'
network.wg0.private_key='REMOVED'
network.wg0.defaultroute='0'
network.wg0.peerdns='0'
network.wg0.delegate='0'
network.wg0.addresses='10.255.255.2/24'
network.wg0.listen_port='13231'
network.wgserver=wireguard_wg0
network.wgserver.public_key='REMOVED'
network.wgserver.endpoint_host='REMOVED'
network.wgserver.endpoint_port='13231'
network.wgserver.route_allowed_ips='1'
network.wgserver.persistent_keepalive='25'
network.wgserver.description='home'
network.wgserver.allowed_ips='192.168.88.0/24' '10.255.255.0/24'
Thanks again in advance for all of the assistance. I feel like I owe everyone a few beers.
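Added example, not from anyone in this thread: a small Python checker fed with a constructed excerpt of the "uci show firewall" dump above; it reports which zone wg0 sits in, whether an explicit forwarding rule lets that zone reach lan, and which subnets a peer's AllowedIPs still lacks against the list in the first reply. Function and variable names are my own assumptions.

```python
import re
import ipaddress

# Constructed excerpt of the work-side 'uci show firewall' dump posted above.
UCI_FIREWALL = """\
firewall.lan=zone
firewall.lan.name='lan'
firewall.lan.network='lan'
firewall.wan=zone
firewall.wan.name='wan'
firewall.wan.forward='REJECT'
firewall.wan.network='wan' 'wan6' 'wg0'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
"""

def parse_uci(text):
    """'uci show' lines -> {section: {option: [values]}}; section type kept as '.type'."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r"^\w+\.([^=]+)=(.*)$", line.strip())
        if not m:
            continue
        key, rhs = m.groups()
        sec, _, opt = key.partition(".")
        values = re.findall(r"'([^']*)'", rhs) or [rhs]   # list options hold several quoted values
        conf.setdefault(sec, {})[opt or ".type"] = values
    return conf

def zone_of(conf, network):
    """Name of the zone whose 'network' list contains the given logical interface."""
    for s in conf.values():
        if s.get(".type") == ["zone"] and network in s.get("network", []):
            return s["name"][0]
    return None

def forward_allowed(conf, src, dest):
    """True only if an explicit forwarding section permits src -> dest traffic."""
    return any(s.get(".type") == ["forwarding"] and s.get("src") == [src]
               and s.get("dest") == [dest] for s in conf.values())

def missing_allowed_ips(allowed, required):
    """Subnets in 'required' that no prefix in the peer's AllowedIPs covers."""
    nets = [ipaddress.ip_network(a) for a in allowed]
    return [r for r in required
            if not any(ipaddress.ip_network(r).subnet_of(n) for n in nets)]
```

With the dump as posted, wg0 lands in the wan zone and there is no wan-to-lan forwarding section, so the check reports the tunnel-side traffic into 192.168.9.0/24 as not forwarded.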