I'm trying to migrate a VPN setup to a road warrior wireguard configuration. The scenario looks like this:
ether1: ISP
ether5: Office network 10.0.0.0/16
wireguard0: address list entry 11.0.5.1/24, connected peers have /32 entries, e.g. 11.0.5.2/32
No firewalls, mangles or rules except for a single masquerade rule to allow office connections on ether5 sharing out the internet connection on ether1.
wireguard clients can connect without issues, from both inside the office network and externally on internet. They can ping their own IP addresses (11.0.5.2/32). They can ping both mikrotik addresses (10.0.0.1/16 and 11.0.5.1/24). They can ping internet addresses (google.com). They can ping IP addresses in 10.0.0.0/24.
Office clients can ping wireguard clients, and can establish connections such as ssh sessions.
wireguard clients cannot ping each other, nor can they ping anything outside of 10.0.0.0/24.
Using the mikrotik tool to ping any address on interface wireguard1 fails with host unreachable, despite hosts being able to.
Creating a temporary rule to watch traffic, chain:chain in-interface:wireguard1 action:accept shows packets flowing.
Addresses are plain:
10.0.0.1/16 10.0.0.0
11.0.5.1/24 11.0.5.0
IP routes are all dynamic:
0.0.0.0/0 ISP
10.0.0.0/16 ether5
11.0.5.0/24 wireguard1
ISP ether1
The fact that traffic in one direction is possible and not in others has me completely stumped. I wonder if it's a wireguard issue.
Do you see anything unusual? Am I overlooking something fundamental or basic?
Re: Possible wireguard bug when trying to setup roadwarriors?
You seem to have some mistake in your description, wireguard clients can hardly at the same time:
- can ping internet addresses (google.com)
- nor can they ping anything outside of 10.0.0.0/24
I'm pretty sure that google.com is not in 10.0.0.0/24. And 11.0.5.0/24 is public subnet, you shouldn't use it if it's not yours.
- can ping internet addresses (google.com)
- nor can they ping anything outside of 10.0.0.0/24
I'm pretty sure that google.com is not in 10.0.0.0/24. And 11.0.5.0/24 is public subnet, you shouldn't use it if it's not yours.
Re: Possible wireguard bug when trying to setup roadwarriors?
adding to this:
/export hide-sensitive file=anynameyouwish and post contents between CODE quotes
/export hide-sensitive file=anynameyouwish and post contents between CODE quotes
Re: Possible wireguard bug when trying to setup roadwarriors?
Suggest a more accurate title
To: pick your poison
Trouble Setting Up Wireguard
Need Help For Basic Wireguard Setup
Dont Understand why WG Not Working?
The ones with this tone, should experience the sound of one hand clapping!!!
My Config is Perfect, It has to be a Bug.
I'm Never Wrong, Suspect a Bug
etc........
)
Without seeing your config as others have noted, what do you expect ??
Let me pull out my crystal ball, the tarot cards, the ouji board and perhaps a sample of your hair??
Yes, I see it now its becoming clearer,,,,,,, the mist is fading, yes, the problem is with your config.
To: pick your poison
Trouble Setting Up Wireguard
Need Help For Basic Wireguard Setup
Dont Understand why WG Not Working?
The ones with this tone, should experience the sound of one hand clapping!!!
My Config is Perfect, It has to be a Bug.
I'm Never Wrong, Suspect a Bug
etc........
)Without seeing your config as others have noted, what do you expect ??
Let me pull out my crystal ball, the tarot cards, the ouji board and perhaps a sample of your hair??
Yes, I see it now its becoming clearer,,,,,,, the mist is fading, yes, the problem is with your config.
Who is online
Users browsing this forum: No registered users and 13 guests