sebi099
just joined
Topic Author
Posts: 10
Joined: Wed May 25, 2022 5:21 pm

WireGuard and routing allowed IPs issue

Wed May 25, 2022 11:01 pm

Hi there,

I have 2 IP nets. Net A is at home and has an Internet connection.
Net B is Hamnet, completely isolated from the internet.
Net A and B are connected through a WireGuard tunnel; Net A initiated the connection to Net B.
The internal WG IPs are 192.168.2.1 at Net B and 192.168.2.2 at Net A.
I set up srcnat with masquerading on each device so that I can reach all IPs of Net B behind the router and vice versa, and so that I can reach the internet from Net B via Net A.
In the WireGuard config (peers), under allowed addresses, I have to put 0.0.0.0/0 so that every address is allowed to get access to the internet from a device on Net B via Net A.
I had to do the same 0.0.0.0/0 on the device at Net A to get access to devices behind the router of Net B.
If I put a single IP into allowed addresses at the router on Net B and try to get a connection to the internet via the tunnel, that doesn't work; I always have to put 0.0.0.0/0 into allowed addresses.
The problem is that every device can use the internet when I allow everything, but I only want 4 devices to be able to use the internet over that tunnel.
Is this a bug in the implementation of WG?!
 
anav
Forum Guru
Posts: 19104
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard and routing allowed IPs issue

Wed May 25, 2022 11:11 pm

Can you draw a diagram? As if I know what a hamnet is, and how do you have any WireGuard connectivity if the hamnet has no internet, let alone it's the server and not the client?????
 
holvoetn
Forum Guru
Posts: 5404
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: WireGuard and routing allowed IPs issue

Wed May 25, 2022 11:20 pm

There is at least some inconsistency to be detected ...
Completely isolated from the internet yet able to terminate a WireGuard connection, that's not possible.
Somehow there has to be SOME internet access, even if only one lousy port.

A drawing might be needed indeed.

@anav:
hamnet = High-speed Amateur-radio Multimedia Network
 
sebi099
just joined
Topic Author
Posts: 10
Joined: Wed May 25, 2022 5:21 pm

Re: WireGuard and routing allowed IPs issue

Thu May 26, 2022 1:24 am

(attached diagram: wg.jpg)
Router A connects via NAT to Router B; the connection works and isn't the problem.
The problem is: why do I have to allow all IPs so that the routing works?
Normally it should be possible to allow one IP address that has access to the internet via the tunnel and the router on side A.
Example: I allow 44.149.55.13 in the allowed address list in WG, and this device is connected to Router B 44.149.55.2, but when I only allow this address the device doesn't get internet access via the tunnel... if I allow 0.0.0.0/0 it has access to the internet. A default route is already added and is pointing to the tunnel...
 
sebi099
just joined
Topic Author
Posts: 10
Joined: Wed May 25, 2022 5:21 pm

Re: WireGuard and routing allowed IPs issue

Thu May 26, 2022 7:41 pm

Nobody has an idea?!
 
anav
Forum Guru
Posts: 19104
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard and routing allowed IPs issue

Thu May 26, 2022 7:42 pm

So does hamnet 44.0 get an IP address or something? Is that an internet connection?
How is A connected to B, ethernet cable?
 
sebi099
just joined
Topic Author
Posts: 10
Joined: Wed May 25, 2022 5:21 pm

Re: WireGuard and routing allowed IPs issue

Thu May 26, 2022 8:46 pm

Hamnet has its own IP range and is connected through WLAN links, but isolated from the internet.
And the routers are not connected via ethernet cable; they are connected through a one-way firewall from the internet to the hamnet.
But the connection between the 2 routers isn't the problem; the connection works fine. The only problem I have is that I have to grant internet access to all IPs for it to work, and if I only pick one IP to grant internet access to, it won't work, and I don't know why...
 
anav
Forum Guru
Posts: 19104
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard and routing allowed IPs issue

Thu May 26, 2022 8:49 pm

Sorry, I have no understanding of your network and thus cannot help.
Without access to the internet on the hamnet, WireGuard is not possible.

Or are you saying the two routers are connected through a wireless link without any internet involvement???
 
sebi099
just joined
Topic Author
Posts: 10
Joined: Wed May 25, 2022 5:21 pm

Re: WireGuard and routing allowed IPs issue

Thu May 26, 2022 11:38 pm

Sorry, that's not the point!!
The WireGuard connection is established, and how I do that is not the point of my question!!
 
holvoetn
Forum Guru
Posts: 5404
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: WireGuard and routing allowed IPs issue

Thu May 26, 2022 11:39 pm

> Sorry, I have no understanding of your network and thus cannot help.
> Without access to the internet on the hamnet, WireGuard is not possible.

Actually... (and I was wrong there too) all it takes is a connection between two end points to have a WireGuard connection.
It doesn't have to be "internet" as we know it.
But it needs to go 2-way.
Still confused there as well.

@sebi099
No need to get upset.
You came here for help.
We need to understand how it goes in order to do that.
 
sebi099
just joined
Topic Author
Posts: 10
Joined: Wed May 25, 2022 5:21 pm

Re: WireGuard and routing allowed IPs issue

Thu May 26, 2022 11:48 pm

@holvoetn yes, I know, but the thing is, when I ask a specific question it doesn't matter how they are connected when I say the connection is established and the tunnel is working!!
The only problem I have is that I have to allow ALL IPs on both sides for the routing to the internet to work; if I specify one IP of the device that should get internet, it doesn't work.
Sorry, but then it doesn't matter how they are connected, because the fact is that the tunnel is working; you can ping the internal IPs etc...
 
anav
Forum Guru
Posts: 19104
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard and routing allowed IPs issue

Fri May 27, 2022 2:23 am

Yes, well then please show your config on the MikroTik .......

/export file=anynameyouwish
 
sebi099
just joined
Topic Author
Posts: 10
Joined: Wed May 25, 2022 5:21 pm

Re: WireGuard and routing allowed IPs issue

Fri May 27, 2022 8:57 am

Here we go....
(attached: routerA.rsc)
(attached: routerB.rsc)
Last edited by sebi099 on Fri May 27, 2022 10:03 am, edited 1 time in total.
 
holvoetn
Forum Guru
Posts: 5404
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: WireGuard and routing allowed IPs issue

Fri May 27, 2022 9:14 am

First remark:
Ether1 is used on both routers for the actual connection?

Why is it added to the bridge on router B? It can not be part of the bridge (and be defined as LAN) yet also be defined as WAN on its own.
Remove it from the bridge.

PS: use SAFE MODE when doing changes on a remote device. I can not assess how far that device is from your location.
Once you see it works, toggle safe mode so the changes are applied before you change anything else.
 
holvoetn
Forum Guru
Posts: 5404
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: WireGuard and routing allowed IPs issue

Fri May 27, 2022 9:23 am

Second remark:
On router A you use 0.0.0.0/0, which means ALL TRAFFIC is allowed, which is probably not what you want.
Most likely because of this: add allowed-address=192.168.2.1/32,44.149.55.0/32

Your usage of /32 is why you needed 0.0.0.0/0 to have it working.
You were correct in allowing the subnet, but then you need to use the correct netmask.

/32 means ONLY that address and nothing else.
The IP address 44.149.55.0 on its own doesn't exist (theoretically it does, but it is normally only used for the definition of a subnet). That needs to be /24 if you want the complete subnet.

Similarly with WireGuard addresses, best to use the address range which is allowed for both sides: 192.168.2.0/30
So that becomes add allowed-address=192.168.2.1/30,44.149.55.0/24

Same on router B:
add allowed-address=192.168.2.2/30,44.149.55.0/24
Last edited by holvoetn on Fri May 27, 2022 9:35 am, edited 1 time in total.
 
holvoetn
Forum Guru
Posts: 5404
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: WireGuard and routing allowed IPs issue

Fri May 27, 2022 9:34 am

Final remark:
On those exports, you may want to redact the serials for those devices.
In some cases it could pose a security risk.
 
sebi099
just joined
Topic Author
Posts: 10
Joined: Wed May 25, 2022 5:21 pm

Re: WireGuard and routing allowed IPs issue

Fri May 27, 2022 10:08 am

OK, I edited the files. I already removed the keys but didn't know that something can happen with the serial number...
I will check your suggestions later when I'm back home.
Maybe you can explain to me how this safe mode works?! When I make a mistake in safe mode, what do I have to do then to get it back working?!
On Net A every IP can be allowed because it's my home net behind a firewall and nobody else has access to it. I only have to be careful with Net B because there are hundreds of stations that could use the internet connection then, and that shouldn't happen :-)
 
holvoetn
Forum Guru
Posts: 5404
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: WireGuard and routing allowed IPs issue

Fri May 27, 2022 10:19 am

> Maybe you can explain to me how this safe mode works?! When I make a mistake in safe mode, what do I have to do then to get it back working?!

That's the beauty of it: absolutely nothing except for using it!
If you goof up the config with safe mode active and as a result your connection gets lost, the device will detect this and REVERT the last changes after some minutes. (I seem to recall the buffer is around 100 changes.)
This reversion will bring you back to the prior (working) config and hence will allow you to get back in.

When the device is within reach, you usually have other means to access it again (Winbox with MAC access usually works). But for remote devices it can get tricky.
Hence, use safe mode!

I learned that lesson the hard way with an SXT device 930 km away from me ... had to wait several weeks before I was physically there again to correct my mistake on site.

See here for more detailed info:
https://help.mikrotik.com/docs/display/ ... t-SafeMode
 
holvoetn
Forum Guru
Posts: 5404
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: WireGuard and routing allowed IPs issue

Fri May 27, 2022 10:40 am

> On Net A every IP can be allowed because it's my home net behind a firewall and nobody else has access to it. I only have to be careful with Net B because there are hundreds of stations that could use the internet connection then, and that shouldn't happen :-)

And still ... you should only add in allowed addresses what is really allowed to enter the tunnel.
Your usage of 0.0.0.0/0 is what accidentally made it work (ALL allowed), but that's only to be used if you really want to route all traffic from that device through that tunnel.
If for one reason or another you make a mistake in your firewall, that WG tunnel also becomes accessible to whatever is passing the firewall.

If you want your local devices to use that tunnel, use 192.168.1.0/24. It's also clearer for yourself when you look at it later what is allowed (and what not).

If you persist in keeping 0.0.0.0/0, there is no further need for any other IP subnet definition, since that first one will already allow all.
And then this whole thread should not have been posted either :lol:

Other question (for my comprehension):
You mention "hundreds of stations", yet I see only 5 possible addresses in the DHCP pool on router B? Or is the rest statically assigned?
/ip pool
add name=dhcp ranges=44.149.55.5-44.149.55.9
 
holvoetn
Forum Guru
Posts: 5404
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: WireGuard and routing allowed IPs issue

Fri May 27, 2022 10:47 am

> Similarly with WireGuard addresses, best to use the address range which is allowed for both sides: 192.168.2.0/30
> So that becomes add allowed-address=192.168.2.1/30,44.149.55.0/24
>
> Same on router B:
> add allowed-address=192.168.2.2/30,44.149.55.0/24

Correction from my side:
For WG addresses it can be /32 if you only have 1-on-1. Both will work.
 
anav
Forum Guru
Posts: 19104
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard and routing allowed IPs issue

Fri May 27, 2022 6:00 pm

Think of it as a multistep process when selecting allowed IPs.

1. What are the allowed destination IPs that the local users can use to enter the tunnel?
0.0.0.0/0 is typical if the local users are going out to the internet on the far site.
0.0.0.0/0 includes all, so it includes all subnets, including the WireGuard subnet at the far site.

Thus at the far site, hopefully MT, one has to use firewall rules to parse SPECIFIC users to SPECIFIC entities.

2. If the allowed IPs are more restrictive, for example only to subnets on the external site's LAN, then
a. you include the WireGuard subnet xx.xx.xx.0/24 as an allowed IP,
b. you include the applicable subnets subnetA, subnetB etc.........
c. you use firewall rules at the external site to allow users to those subnets, or you may wish to use the firewall to only allow them access to a server for now.

ON the receiving end of incoming traffic, the server uses the peer Allowed IPs to identify which IPs will be coming out of the tunnel. So in this case, you want to identify
a. the WireGuard IP address of the incoming sites in the format xx.xx.xx.xx/32 for MT and mobile/other clients etc............
b. the subnets or users coming in from the client MT device.
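
The two posts above (holvoetn's /32 versus /24 remark and anav's two-direction list) both come down to how WireGuard uses a peer's allowed addresses. As an added illustration, not code from the thread, from MikroTik or from WireGuard itself, the following Python model performs the same two checks WireGuard's cryptokey routing does: once the routing table has already sent a packet to the wg interface, the destination is matched against every peer's allowed prefixes (longest prefix wins) to pick the peer that encrypts it, or dropped if nothing matches; and a decrypted packet is accepted only if its source lies inside the allowed prefixes of the peer it arrived from. The addresses are the ones quoted in the thread; the peer names routerA/routerB, the three extra Hamnet hosts 44.149.55.14 to .16 and the documentation address 198.51.100.7 standing in for "the internet" are constructed for the example.

```python
"""Model of WireGuard cryptokey routing over a peer's allowed-address list.

Added example (not from the thread, MikroTik or WireGuard). Two decisions:
  egress:  destination -> peer by longest prefix match, else drop;
  ingress: decrypted packet accepted only if its source is in that peer's list.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Peers = Dict[str, List[ipaddress.IPv4Network]]


def build_peers(table: Dict[str, List[str]]) -> Peers:
    """Parse allowed-address strings into networks.

    strict=False mirrors the RouterOS notation used in the thread, where
    192.168.2.1/30 is accepted as shorthand for 192.168.2.0/30.
    """
    return {name: [ipaddress.ip_network(p, strict=False) for p in prefixes]
            for name, prefixes in table.items()}


def egress_peer(peers: Peers, dst: str) -> Optional[str]:
    """Pick the peer whose allowed prefix matches dst most specifically."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[int, str]] = None
    for name, nets in peers.items():
        for net in nets:
            if addr in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, name)
    return best[1] if best else None


def ingress_accepted(peers: Peers, peer: str, src: str) -> bool:
    """A packet decrypted from `peer` passes only if src is in its allowed list."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in peers[peer])


# Router A (home side), peer = router B, as posted: /32 on the network address.
ROUTER_A_AS_POSTED = build_peers({"routerB": ["192.168.2.1/32", "44.149.55.0/32"]})
# Router A with the whole Hamnet subnet, as holvoetn corrected it.
ROUTER_A_SUBNET = build_peers({"routerB": ["192.168.2.1/32", "44.149.55.0/24"]})
# Router A restricted to four hosts (.14 to .16 are constructed placeholders).
ROUTER_A_FOUR_HOSTS = build_peers({"routerB": [
    "192.168.2.1/32", "44.149.55.13/32", "44.149.55.14/32",
    "44.149.55.15/32", "44.149.55.16/32"]})
# Router B (Hamnet side), peer = router A: with and without 0.0.0.0/0.
ROUTER_B_FULL = build_peers({"routerA": ["0.0.0.0/0"]})
ROUTER_B_LAN_ONLY = build_peers({"routerA": ["192.168.2.2/32", "192.168.1.0/24"]})


def walkthrough() -> Dict[str, object]:
    """Run the thread's scenarios through both checks."""
    return {
        # 44.149.55.0/32 matches only the network address, so router A drops
        # decrypted packets from host .13 and its replies never get sent back.
        "posted_accepts_host13": ingress_accepted(ROUTER_A_AS_POSTED, "routerB", "44.149.55.13"),
        "subnet_accepts_host13": ingress_accepted(ROUTER_A_SUBNET, "routerB", "44.149.55.13"),
        # Four /32 entries admit exactly those hosts and nothing else on the Hamnet.
        "four_accepts_host13": ingress_accepted(ROUTER_A_FOUR_HOSTS, "routerB", "44.149.55.13"),
        "four_accepts_host200": ingress_accepted(ROUTER_A_FOUR_HOSTS, "routerB", "44.149.55.200"),
        # On router B the default route hands internet traffic to the wg interface,
        # but only 0.0.0.0/0 in allowed-address gives that traffic a peer.
        "b_full_internet": egress_peer(ROUTER_B_FULL, "198.51.100.7"),
        "b_lan_only_internet": egress_peer(ROUTER_B_LAN_ONLY, "198.51.100.7"),
        "b_lan_only_home_lan": egress_peer(ROUTER_B_LAN_ONLY, "192.168.1.20"),
        # The cost of 0.0.0.0/0: any source the far side forwards is accepted,
        # so only the firewall is left to limit what enters via the tunnel.
        "b_full_accepts_any_src": ingress_accepted(ROUTER_B_FULL, "routerA", "203.0.113.9"),
    }


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key:>24}: {value}")
```

Run as a script it prints the table; the two results worth noticing are that the posted 44.149.55.0/32 entry rejects 44.149.55.13 while 44.149.55.0/24 or a per-host /32 list accepts it, and that on router B the default route alone does nothing for internet-bound traffic unless 0.0.0.0/0 is also in the peer's allowed addresses, which in turn accepts every source from the far side and leaves the firewall as the only remaining limit.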
 
sebi099
just joined
Topic Author
Posts: 10
Joined: Wed May 25, 2022 5:21 pm

Re: WireGuard and routing allowed IPs issue

Wed Jun 01, 2022 7:26 pm

> On Net A every IP can be allowed because it's my home net behind a firewall and nobody else has access to it. I only have to be careful with Net B because there are hundreds of stations that could use the internet connection then, and that shouldn't happen :-)
>
> And still ... you should only add in allowed addresses what is really allowed to enter the tunnel.
> Your usage of 0.0.0.0/0 is what accidentally made it work (ALL allowed), but that's only to be used if you really want to route all traffic from that device through that tunnel.
> If for one reason or another you make a mistake in your firewall, that WG tunnel also becomes accessible to whatever is passing the firewall.
>
> If you want your local devices to use that tunnel, use 192.168.1.0/24. It's also clearer for yourself when you look at it later what is allowed (and what not).
>
> If you persist in keeping 0.0.0.0/0, there is no further need for any other IP subnet definition, since that first one will already allow all.
> And then this whole thread should not have been posted either :lol:
>
> Other question (for my comprehension):
> You mention "hundreds of stations", yet I see only 5 possible addresses in the DHCP pool on router B? Or is the rest statically assigned?
> /ip pool
> add name=dhcp ranges=44.149.55.5-44.149.55.9

That's a static pool that I assigned :-) and only local IPs from my station.
