I'm trying to migrate a VPN setup to a road-warrior WireGuard configuration. The scenario looks like this:
ether1: ISP
ether5: Office network 10.0.0.0/16
wireguard0: address list entry 11.0.5.1/24, connected peers have /32 entries, e.g. 11.0.5.2/32
No firewalls, mangles or rules except for a single masquerade rule to allow office connections on ether5 to share out the internet connection on ether1.
WireGuard clients can connect without issues, from both inside the office network and externally on the internet. They can ping their own IP addresses (11.0.5.2/32). They can ping both MikroTik addresses (10.0.0.1/16 and 11.0.5.1/24). They can ping internet addresses (google.com). They can ping IP addresses in 10.0.0.0/24.
Office clients can ping wireguard clients, and can establish connections such as ssh sessions.
WireGuard clients cannot ping each other, nor can they ping anything outside of 10.0.0.0/24.
Using the MikroTik tool to ping any address on interface wireguard1 fails with host unreachable, despite hosts being able to.
Creating a temporary rule to watch traffic, chain:chain in-interface:wireguard1 action:accept shows packets flowing.
Addresses are plain:
10.0.0.1/16 10.0.0.0
11.0.5.1/24 11.0.5.0
IP routes are all dynamic:
0.0.0.0/0 ISP
10.0.0.0/16 ether5
11.0.5.0/24 wireguard1
ISP ether1
The fact that traffic in one direction is possible and not in the other has me completely stumped. I wonder if it's a WireGuard issue.
Do you see anything unusual? Am I overlooking something fundamental or basic?
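As an added illustration of the mechanism behind the "/32 per peer" addressing described above (not code from the original post, nor from MikroTik or WireGuard), the following toy model reproduces WireGuard's cryptokey routing: each peer's AllowedIPs (allowed-address on RouterOS) decide both which peer an outbound packet is encrypted to and whether an inbound packet's inner source address is accepted. The peer names, the second client "phone", and the two client-side AllowedIPs variants are assumptions made up for the example; the hub's 11.0.5.x/32 entries and the 10.0.0.0/16 office prefix follow the post.

```python
"""Toy model of WireGuard cryptokey routing (AllowedIPs) in a hub-and-spoke
(road-warrior) setup. Added illustration only: not code from the original
post or from MikroTik/WireGuard. Peer names, the "phone" client and the two
client-side AllowedIPs lists are assumptions made up for this example."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPNet = ipaddress.IPv4Network
IPAddr = ipaddress.IPv4Address


@dataclass
class Peer:
    name: str                 # stands in for the peer's public key
    allowed_ips: List[IPNet]  # AllowedIPs / RouterOS allowed-address


class WgInterface:
    """One WireGuard interface. Outbound: encrypt to the peer whose AllowedIPs
    entry is the longest prefix covering the destination. Inbound: accept a
    packet decrypted with a peer's key only if its inner source address lies
    inside that peer's AllowedIPs."""

    def __init__(self, name: str, peers: List[Peer]):
        self.name = name
        self.peers = peers

    def select_peer(self, dst: IPAddr) -> Optional[Peer]:
        best, best_len = None, -1
        for peer in self.peers:
            for net in peer.allowed_ips:
                if dst in net and net.prefixlen > best_len:
                    best, best_len = peer, net.prefixlen
        return best

    def send(self, dst: str) -> str:
        peer = self.select_peer(ipaddress.ip_address(dst))
        if peer is None:
            return "dropped: no peer's AllowedIPs cover %s" % dst
        return "sent to %s" % peer.name

    def receive(self, peer: Peer, src: str) -> bool:
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in peer.allowed_ips)


def net(s: str) -> IPNet:
    return ipaddress.ip_network(s, strict=False)


# Constructed topology mirroring the post's addressing (hub = wireguard1,
# one /32 allowed-address per connected peer).
laptop = Peer("laptop", [net("11.0.5.2/32")])
phone = Peer("phone", [net("11.0.5.3/32")])          # assumed second client
hub = WgInterface("wireguard1", [laptop, phone])

# Two hypothetical laptop-side configs; only the AllowedIPs given to the hub
# peer differ (the post does not state what the clients use).
laptop_narrow = WgInterface("wg0", [Peer("hub", [net("11.0.5.1/32"), net("10.0.0.0/16")])])
laptop_wide = WgInterface("wg0", [Peer("hub", [net("11.0.5.0/24"), net("10.0.0.0/16")])])


def peer_to_peer(client: WgInterface, dst: str, src: str = "11.0.5.2") -> str:
    """Trace one packet from the laptop to dst: client-side peer selection,
    then the hub's inbound source check, then the hub's outbound selection."""
    step = client.send(dst)
    if not step.startswith("sent"):
        return "client: " + step           # never enters the tunnel
    if not hub.receive(laptop, src):
        return "hub: dropped, source %s not in laptop's allowed-address" % src
    return "hub: " + hub.send(dst)         # hub forwards between its peers


if __name__ == "__main__":
    for label, client in (("narrow", laptop_narrow), ("wide", laptop_wide)):
        print(label, "->", peer_to_peer(client, "11.0.5.3"))
    print("spoofed source ->", peer_to_peer(laptop_wide, "11.0.5.3", src="11.0.5.9"))
```

Running it shows the three outcomes the model distinguishes: with the narrow client list the packet for 11.0.5.3 is dropped on the client before it is ever encrypted, with the /24 in the list it reaches the hub and is forwarded to the "phone" peer, and a packet whose inner source is outside the laptop's /32 is discarded by the hub's inbound check regardless of destination.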