jaytcsd
Member
Topic Author
Posts: 332
Joined: Wed Dec 29, 2004 9:50 am
Location: Pittsboro IN

using safe mode to setup wireguard

Sun Dec 12, 2021 8:54 pm

My remote Mikrotik is 1500 miles away and I want to try wireguard. My problem is both LANs are 192.168.100.0/24 so I need to change the remote site from my understanding. I'm going to try changing the devices to 192.168.200.xxx to keep it simple.
My DHCP server assigns IPs based on MAC so I think I can edit those with the new addresses, add 192.168.200.1 to ether 2 (LAN to the switch), then use
ipconfig/release and /renew on each PC to get the .200.xxx address.

I have not used safe mode and want to confirm if I set it before these changes and the changes cause me to lose connection from a PC there running winbox that the router will reject the changes and go back to the .100.xxx scheme after 9 minutes.
thanks
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: using safe mode to setup wireguard

Sun Dec 12, 2021 9:24 pm

Correct, if you enter safe mode and make a bunch of changes, they do not stick UNLESS you uncheck safe mode.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: using safe mode to setup wireguard

Sun Dec 12, 2021 9:57 pm

Changing remote LAN should be safe, because if you're going to be connected to router remotely, that will be from WAN. So no matter how much you mess up remote LAN, it shouldn't affect your ability to connect to router and correct it.

One tip for renumbering, export the whole configuration, open it in text editor and find all places with "192.168.100.", to be sure that you don't miss any.
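
Extending the tip above beyond a plain text search (an added example, not part of the original post): this sketch parses a RouterOS-style export, joins backslash-continued lines, and reports every address or prefix that overlaps the old subnet, including wider prefixes such as 192.168.0.0/16 that a search for "192.168.100." would miss. The sample export, the function names and the simplified parsing are constructed for illustration.

```python
import ipaddress
import re

OLD_NET = ipaddress.ip_network("192.168.100.0/24")  # subnet being retired (from the thread)

# Constructed sample in the style of a RouterOS /export; not a real configuration.
SAMPLE_EXPORT = r"""
# constructed sample export
/ip pool
add name=dhcp ranges=192.168.100.10-192.168.100.254
/ip address
add address=192.168.200.1/24 interface=bridge network=192.168.200.0
/ip dhcp-server lease
add address=192.168.100.240 mac-address=00:00:5E:00:53:01 \
    server=defconf
/ip firewall address-list
add address=192.168.0.0/16 list=LAN
"""

TOKEN = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?")

def logical_lines(text):
    """Yield (section, command) with backslash-continued lines joined."""
    section, pending = "", ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1].rstrip() + " "
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line          # e.g. "/ip address"
        else:
            yield section, line

def find_old_subnet_refs(text, old_net=OLD_NET):
    """Return (section, token, command) for each address or prefix overlapping old_net."""
    hits = []
    for section, cmd in logical_lines(text):
        for tok in TOKEN.findall(cmd):
            try:
                net = ipaddress.ip_network(tok, strict=False)
            except ValueError:      # not a valid IPv4 address or prefix
                continue
            # Skip 0.0.0.0/0, which overlaps everything and is only noise here.
            if net.prefixlen and net.overlaps(old_net):
                hits.append((section, tok, cmd))
    return hits
```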
 
jaytcsd
Member
Topic Author
Posts: 332
Joined: Wed Dec 29, 2004 9:50 am
Location: Pittsboro IN

Re: using safe mode to setup wireguard

Sat Jan 15, 2022 8:15 am

>>So no matter how much you mess up remote LAN, it shouldn't affect your ability to connect to router and correct it.

Maybe for a normal person but I always find a way to shoot myself in the foot. I had a rule blocking me from WAN access, once I figured that out I was able to get in that way. Being a dyslexic typist does not help either.

Thanks for the tip on export, I've got something goofed up in my guest wifi network at the remote site so I'm going through my main site which works to do a comparison.
The hAPs can ping each other and PCs on opposite sites but the PCs can't see each other, is this normal under wireguard?

I had this working under L2TP way back v6.2 but it quit after an update.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: using safe mode to setup wireguard

Sat Jan 15, 2022 7:59 pm

So you had a nice trip? ;)

Wireguard just gives you simple interfaces, it doesn't do anything special. It's like another ethernet port (not exactly, because WG is point to point and doesn't use ARP, but that's not much difference). So what matters are routes, firewall, ...
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: using safe mode to setup wireguard

Sat Jan 15, 2022 8:11 pm

Another backup method I have used is the freebie offering of Remote Winbox, third party but also a very easy SSTP backup in case you are afraid of screwing up wireguard LOL.
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: using safe mode to setup wireguard

Sat Jan 15, 2022 8:19 pm

Another option (just in case) is to have access to a PC at the remote location that has remote access software such as TeamViewer, AnyDesk, etc. As long as you have not totally messed up internet access for that LAN, you can access that remote PC via remote access software (no special router config required). That gives you access to a computer on the LAN that can have WinBox (or a terminal program for you CLI fans). If you screw up your remote access to the router, a local PC accessed via TeamViewer may give you a back door.
 
holvoetn
Forum Guru
Posts: 5403
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: using safe mode to setup wireguard

Sat Jan 15, 2022 8:26 pm

A second VPN possibility sounds easier and more environment friendly :D
Besides, if that second vpn will not work anymore, chances are 100 to 1 that PC will not respond anymore either.
 
jaytcsd
Member
Topic Author
Posts: 332
Joined: Wed Dec 29, 2004 9:50 am
Location: Pittsboro IN

Re: using safe mode to setup wireguard

Mon Jan 17, 2022 6:00 am

[quote=k6ccc post_id=905806 time=1642270786 user_id=89501]
Another option (just in case) is to have access to a PC at the remote location that has remote access software such as TeamViewer, AnyDesk, etc.
[/quote]
I used team viewer and then went with anydesk, but around Christmas they bombarded me with update offers so I took it off. I use splashtop for my paid version and have been testing remote utilities, seems to work well. A license is only $99 so I may add that as my backup. I use tight VNC on the LAN but I have problems with copy and paste.

Did you make an APCO post about uniforms recently? Your call sign looks familiar. I'm a 2 way tech on the APCO ANSI standards revision committee.
 
jaytcsd
Member
Topic Author
Posts: 332
Joined: Wed Dec 29, 2004 9:50 am
Location: Pittsboro IN

Re: using safe mode to setup wireguard

Mon Jan 17, 2022 6:19 am

[quote=Sob post_id=905797 time=1642269571 user_id=33312]
So you had a nice trip? ;)[/quote]
Yes except for the 40 degree drop in daily high temps.

What's weird is I can put //192.168.100.225 in IE and see my video camera system at the main site from here at the remote site which is now 192.168.200.0/24.
\\192.168.100.220 does not see my main NAS, but IP scan in winbox sees all .100.xxx IPs.
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: using safe mode to setup wireguard

Mon Jan 17, 2022 9:23 am

[quote=jaytcsd]
Did you make an APCO post about uniforms recently? Your call sign looks familiar. I'm a 2 way tech on the APCO ANSI standards revision committee.
[/quote]
Good memory. Yes I did. I run a regional P-25 system for a living...
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: using safe mode to setup wireguard

Tue Jan 18, 2022 1:01 am

If there's at least something passing through the tunnel, then the tunnel itself should be OK. Check firewalls on both routers and also on the involved devices; they can have their own firewalls and block traffic from another subnet.
 
jaytcsd
Member
Topic Author
Posts: 332
Joined: Wed Dec 29, 2004 9:50 am
Location: Pittsboro IN

Re: using safe mode to setup wireguard

Wed Jan 19, 2022 4:28 am

[quote=k6ccc post_id=906116 time=1642404226 user_id=89501]
I run a regional P-25 system for a living...
[/quote]
LA-RICS?
 
jaytcsd
Member
Topic Author
Posts: 332
Joined: Wed Dec 29, 2004 9:50 am
Location: Pittsboro IN

Re: using safe mode to setup wireguard

Wed Jan 19, 2022 4:30 am

thanks SOB, I'll look at the rules and post them if nothing stands out, which it probably won't.
Really appreciate you and sindy taking time to help out in this forum.
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: using safe mode to setup wireguard

Wed Jan 19, 2022 4:31 am

[quote=jaytcsd]
[quote=k6ccc]
I run a regional P-25 system for a living...
[/quote]
LA-RICS?
[/quote]
No. The system that works - the Interagency Communications Interoperable System (or I-C-I system).
 
jaytcsd
Member
Topic Author
Posts: 332
Joined: Wed Dec 29, 2004 9:50 am
Location: Pittsboro IN

Re: using safe mode to setup wireguard

Mon Feb 07, 2022 12:08 am

I had to do a hard reset on site 1 this week after I lost internet access, turned out to be a cable modem / ISP issue where I was getting a 192.168.100.1 address for my WAN which kept me from getting into the hAP.

site 1 WAN 72.xxx.xxx.xxx
/ip/address> pr
#   ADDRESS            NETWORK        INTERFACE
1   192.168.100.1/24   192.168.100.0  bridge
2   10.10.10.1/24      10.10.10.0     GUEST BRIDGE
3 D 72.xxx.xxx.xxx     72.xxx.xxx.0   ether1 WAN
4   10.0.0.1/30        10.0.0.0       wireguard1

/ip/route> pr
#      DST-ADDRESS        GATEWAY        DISTANCE
  DAd  0.0.0.0/0          72.xxx.xxx.1   1
  DAc  10.0.0.0/30        wireguard1     0
  DAc  10.10.10.0/24      GUEST BRIDGE   0
  DAc  72.xxx.xxx.xxx     ether1 WAN     0
  DAc  192.168.100.0/24   bridge         0
0 As   192.168.200.0/24   10.0.0.2       1

/interface/wireguard/peers> pr
# INTERFACE   PUBLIC-KEY    ENDPOINT-ADDRESS  ENDPOINT-PORT  ALLOWED-ADDRESS
0 wireguard1  from site 2   50.xxx.xxx.xxx    0              10.0.0.0/30
                                                             192.168.200.0/24

site 2 WAN 50.xxx.xxx.xxx

2   192.168.200.10/24  192.168.200.0  bridge
3   10.0.0.2/24        10.0.0.0       wireguard1
4   10.10.10.1/24      10.10.10.0     GUEST BRIDGE
5 D 50.xxx.xxx.xxx     50.xxx.xxx.0   ether1 WAN

/ip/route> pr
#      DST-ADDRESS        GATEWAY        DISTANCE
  DAd  0.0.0.0/0          50.xxx.xxx.1   1
  DAc  10.0.0.0/24        wireguard1     0
  DAc  10.10.10.0/24      GUEST BRIDGE   0
  DAc  50.xxx.xxx.0/21    ether1 WAN     0
0 As   192.168.100.0/24   10.0.0.1       1

# INTERFACE   PUBLIC-KEY    ENDPOINT-ADDRESS  ENDPOINT-PORT  ALLOWED-ADDRESS
0 wireguard1  from site 1   72.xxx.xxx.xxx    13231          10.0.0.0/30
                                                             192.168.100.0/24

I got this setup from
https://www.youtube.com/watch?v=lS4zeMACT3w

Even though winbox shows my wireguard interface as running and a link up time with no down time, I can't ping 10.10.10.x from either side.
The 10.10.10.0 range is for the guest network on the AP.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: using safe mode to setup wireguard

Mon Feb 07, 2022 12:10 am

Not what is needed.
Please add export of both configs.
Confirm both MT devices at both ends have public IPs as well or is one of them behind an ISP router??
 
jaytcsd
Member
Topic Author
Posts: 332
Joined: Wed Dec 29, 2004 9:50 am
Location: Pittsboro IN

Re: using safe mode to setup wireguard

Mon Feb 07, 2022 6:07 am

thanks for the quick reply.
Both IPs are public and pingable from the tools / ping function in winbox.

working on editing the configs to remove private stuff
 
jaytcsd
Member
Topic Author
Posts: 332
Joined: Wed Dec 29, 2004 9:50 am
Location: Pittsboro IN

Re: using safe mode to setup wireguard

Mon Feb 07, 2022 6:57 am

Oh boy what an idiot I am. I was pinging 10.10.10.2 when I needed 10.0.0.2.
It's working now.

@Jeff - I'd like to ask you some P25 questions, can you email me - your call sign at vtn55.org
thanks
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: using safe mode to setup wireguard

Mon Feb 07, 2022 2:23 pm

Sounds good, in the future
/export file=anynameyouwish

Removes most sensitive stuff, one still has to look out for public IP info, but that's about it.
(or any info you have added like in dstnat rules)
 
jaytcsd
Member
Topic Author
Posts: 332
Joined: Wed Dec 29, 2004 9:50 am
Location: Pittsboro IN

Re: using safe mode to setup wireguard

Sun Feb 13, 2022 9:10 am

Lost my link between the units after upgrading to 7.1.2, anyone else seen that?
I checked my WAN IPs and public keys, nothing changed.
 
holvoetn
Forum Guru
Posts: 5403
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: using safe mode to setup wireguard

Sun Feb 13, 2022 10:06 am

[quote=jaytcsd]
Lost my link between the units after upgrading to 7.1.2, anyone else seen that?
I checked my WAN IPs and public keys, nothing changed.
[/quote]
Both sides have a public ip address directly assigned to them ?
If not, try to toggle the peer from disabled to enabled.
 
jaytcsd
Member
Topic Author
Posts: 332
Joined: Wed Dec 29, 2004 9:50 am
Location: Pittsboro IN

Re: using safe mode to setup wireguard

Mon Feb 14, 2022 1:25 am

Thanks but that did not help.
Both sides are sending data.

What is odd is that torch on wireguard1 on the remote router shows a non-existent IP, 192.168.100.240, trying to reach one of my PCs.
My printer used to be 192.168.100.240 but I changed all IPs at my remote site to 192.168.200.xxx so wireguard would work.
The ARP table does not show 192.168.100.240, it's not in the lease table and I can't ping it.
 
holvoetn
Forum Guru
Posts: 5403
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: using safe mode to setup wireguard

Mon Feb 14, 2022 6:39 am

Wireguard will always try to send.
It is only when it receives, then you'll know it works.

It worked before, right ?
What happens if you go back to previous version ?
What else did you change (since you mention change of IP subnet) ? What was changed to what ?
 
jaytcsd
Member
Topic Author
Posts: 332
Joined: Wed Dec 29, 2004 9:50 am
Location: Pittsboro IN

Re: using safe mode to setup wireguard

Mon Feb 14, 2022 9:33 am

[quote=holvoetn post_id=912860 time=1644813568 user_id=185526]
It worked before, right ?
What happens if you go back to previous version ?
What else did you change (since you mention change of IP subnet) ? What was changed to what ?
[/quote]
I don't recall changing anything, it did work before, I was able to use file explorer from the main site and see the NAS at the remote by using
\\192.168.200.25 from the 192.168.100.0 network.

I'm at the remote site and will revert back but will wait and do the main site when I get back next week. I did a brief glance at the backup file I made before the upgrade and don't see any differences. I removed and reinstalled the wireguard interface and still don't connect.
 
holvoetn
Forum Guru
Posts: 5403
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: using safe mode to setup wireguard

Mon Feb 14, 2022 10:13 am

/export hide-sensitive file=anynameyouwish
Post current config for both sites between code quotes.
Make sure to review those configs so no public info slips through.
 
jaytcsd
Member
Topic Author
Posts: 332
Joined: Wed Dec 29, 2004 9:50 am
Location: Pittsboro IN

Re: using safe mode to setup wireguard

Sun Feb 27, 2022 10:18 am

This rule was blocking wireguard from working.

;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix=""

so I put this in just above it
chain=forward action=accept src-address=10.0.0.0/24 in-interface=wireguard1 log=no log-prefix=""

It's working now, are there any negatives to doing this?
 
holvoetn
Forum Guru
Posts: 5403
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: using safe mode to setup wireguard

Sun Feb 27, 2022 11:13 am

Can work like that.

What interface list is your wg connection in ?
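
As an added illustration (not part of the thread or of the poster's configuration), this simplified first-match model of the two forward rules quoted above shows how rule order and membership of the WAN interface list decide the outcome for new connections arriving through the tunnel. It assumes wireguard1 had been placed in the WAN list, which the thread does not confirm; the packets, the list contents and the `matches`/`verdict` helpers are constructed.

```python
import ipaddress

def matches(rule, pkt, lists):
    """True when every matcher present in the rule matches the packet (simplified model)."""
    if "src-address" in rule and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["src-address"]):
        return False
    if "in-interface" in rule and pkt["in"] != rule["in-interface"]:
        return False
    if "in-interface-list" in rule and pkt["in"] not in lists.get(rule["in-interface-list"], ()):
        return False
    if "connection-state" in rule and pkt["state"] != rule["connection-state"]:
        return False
    if rule.get("connection-nat-state") == "!dstnat" and pkt.get("dstnat", False):
        return False
    return True

def verdict(rules, pkt, lists):
    """First matching rule decides; a chain with no matching rule ends in accept."""
    for rule in rules:
        if matches(rule, pkt, lists):
            return rule["action"]
    return "accept"

# The two rules quoted in the post, in the order described there.
ACCEPT_WG = {"action": "accept", "src-address": "10.0.0.0/24", "in-interface": "wireguard1"}
DROP_WAN = {"action": "drop", "connection-state": "new",
            "connection-nat-state": "!dstnat", "in-interface-list": "WAN"}

# Assumption: wireguard1 was added to the WAN list (the thread never confirms this).
WG_IN_WAN = {"WAN": {"ether1 WAN", "wireguard1"}}
WG_NOT_IN_WAN = {"WAN": {"ether1 WAN"}}

# Constructed packets: new forwarded connections arriving through the tunnel.
FROM_TUNNEL_IP = {"src": "10.0.0.2", "in": "wireguard1", "state": "new"}
FROM_REMOTE_LAN = {"src": "192.168.200.25", "in": "wireguard1", "state": "new"}

def scenarios():
    """Verdict for each combination of rule set, packet source and WAN list membership."""
    return {
        "drop only, tunnel IP": verdict([DROP_WAN], FROM_TUNNEL_IP, WG_IN_WAN),
        "accept above drop, tunnel IP": verdict([ACCEPT_WG, DROP_WAN], FROM_TUNNEL_IP, WG_IN_WAN),
        "accept above drop, remote LAN": verdict([ACCEPT_WG, DROP_WAN], FROM_REMOTE_LAN, WG_IN_WAN),
        "wg not in WAN, remote LAN": verdict([DROP_WAN], FROM_REMOTE_LAN, WG_NOT_IN_WAN),
    }
```

In this model the accept rule only covers sources inside 10.0.0.0/24, so a LAN-sourced packet from the other site still reaches the drop rule while wireguard1 is a WAN list member; with wireguard1 outside the WAN list the drop rule never matches tunnel traffic.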
