gkaro
just joined
Topic Author
Posts: 3
Joined: Thu May 26, 2022 3:21 pm

Wireguard Road warrior Firewall Question

Thu May 26, 2022 4:44 pm

I have two WG tunnels. One tunnel is a PTP between two MikroTiks which works great. I can ping any address in the LAN on both sides using that tunnel. The problem I am having is setting up a tunnel for our guys out in the field (the road warriors). I have set up another tunnel which works when locally on the wifi, but offsite does not. I am using 0.0.0.0/24 as the allowed address on the laptops and phones. I do have a rule with Chain=input, Protocol=UDP and my Dst port. And yes, it is placed before any drop rule. I feel like I am missing some more rules to allow the traffic to pass to the LAN. Any help would be appreciated.
 
anav
Forum Guru
Posts: 19125
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Road warrior Firewall Question

Fri May 27, 2022 2:28 am

/export config file=anynameyouwish
 
gkaro
just joined
Topic Author
Posts: 3
Joined: Thu May 26, 2022 3:21 pm

Re: Wireguard Road warrior Firewall Question

Fri May 27, 2022 3:51 pm

Here is my config file
myconfig.txt
 
anav
Forum Guru
Posts: 19125
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Road warrior Firewall Question

Fri May 27, 2022 5:18 pm

(1) Your wireless is confusing, as you note bridge ports with wlan1 and wlan2 and then bridge-guest with wlan name Guest-Wifi?
Is it a virtual WLAN interface?

(2) Your use of VLAN20 and ether3 is very confusing, and you are missing an address for this network, the network server, etc.
I will assume the following requirements:
a. you need vlan20 on ether3.
b. you still wish to have the bridge subnet also available on the port.

If so, then the following changes need to be made:
/ip pool
add name=Voice_pool1 ranges=10.10.20.2-10.10.20.253
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
add address-pool=GuestWifiPool interface=bridge_GuestWifi name=GuestWifi
add address-pool=Voice_pool1 interface=ether3-LANVOICE name=Voice
/ip dhcp-server network
add address=10.10.20.0/24 gateway=10.10.20.254
/ip address
add address=10.10.20.254/24 interface=ether3-LANVOICE network=10.10.20.0
And get rid of this rule, which is wrong on many levels (you don't tag or untag the VLAN, you do so to ports (ether or wlan)):
/interface bridge vlan
add bridge=bridge tagged=VOICE vlan-ids=20


(3) Trying to make sense of your firewall rules, they are ALL out of order and they are not grouped by chain.
Re-arrange by input chain first with proper order and then forward chain.

(4) You have issues with IP addresses: you have two IP addresses for WG-Server and one for WG-mobile.
I am assuming you have ONE server for MT client to MT main router and a second WG for mobile clients to MT main router.
Thus you have one too many IP addresses here.
Also the nomenclature is awkward: one is for a server and the other is for mobile (implies you name one for the local end and the other for the external end).
Be consistent: call them WG-server1, WG-server2 (both local functions) or WG-ClientMT and WG-Mobile (both external functions).

(5) Confirm the use cases for users from the MT client device (both users and admin) as well as mobile users, etc.
What do they need to access?
 
holvoetn
Forum Guru
Posts: 5422
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wireguard Road warrior Firewall Question

Fri May 27, 2022 7:52 pm

If all needs to go down that tunnel, it should be 0.0.0.0/0, not /24.
 
anav
Forum Guru
Posts: 19125
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Road warrior Firewall Question

Fri May 27, 2022 9:05 pm

Concur, but that's NOT a setting I see on the MT end; that's at the client end.
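A worked MikroTik-side configuration that pulls together the points raised in this thread (the input rule for the listen port, the forward rules to the LAN, the per-peer allowed-address, and the AllowedIPs setting that lives on the laptop or phone rather than on the router). This is an added example, not gkaro's config and not code from any of the replies. The interface name wg-mobile, UDP port 13232, tunnel subnet 10.255.1.0/24, LAN 10.10.10.0/24, server host 10.10.10.5 and the defconf rule comments used in place-before are all assumptions; adjust them to the real export.

```routeros
# Added example (not from the thread). RouterOS 7 syntax.
# Assumed names/addresses: wg-mobile (interface), 13232 (listen port),
# 10.255.1.0/24 (tunnel subnet), 10.10.10.0/24 (LAN), 10.10.10.5 (server).
/interface wireguard
add name=wg-mobile listen-port=13232 comment="road warriors"
/ip address
add address=10.255.1.1/24 interface=wg-mobile

# One peer entry per laptop/phone. No endpoint-address on this side: road
# warriors connect from changing addresses. allowed-address is cryptokey
# routing on the router: a packet arriving from this peer is accepted only if
# its source is inside allowed-address, and replies to that address go back
# to this peer. Give each client its own /32 so two devices never collide.
/interface wireguard peers
add interface=wg-mobile public-key="<laptop-1 public key>" \
    allowed-address=10.255.1.10/32 comment="laptop-1"
add interface=wg-mobile public-key="<phone-1 public key>" \
    allowed-address=10.255.1.11/32 comment="phone-1"

/ip firewall filter
# input chain: the handshake is addressed to the router itself, so it has to
# be accepted above the defconf "drop all not coming from LAN" rule.
add chain=input action=accept protocol=udp dst-port=13232 \
    comment="wg-mobile: accept handshake from anywhere" \
    place-before=[find chain=input comment="defconf: drop all not coming from LAN"]
# forward chain: decrypted tunnel packets are FORWARDED to the LAN. The default
# firewall only drops forward traffic from the WAN list, and wg-mobile is not
# in that list, so without explicit rules the road warriors could reach every
# subnet. Be explicit: allow the server, then drop everything else from the tunnel.
add chain=forward action=accept in-interface=wg-mobile dst-address=10.10.10.5 \
    comment="wg-mobile: road warriors -> server only" \
    place-before=[find chain=forward comment="defconf: drop all from WAN not DSTNATed"]
add chain=forward action=drop in-interface=wg-mobile \
    comment="wg-mobile: drop everything else from the tunnel" \
    place-before=[find chain=forward comment="defconf: drop all from WAN not DSTNATed"]

# Client side (WireGuard app on the laptop/phone, NOT RouterOS):
#   [Interface]  Address    = 10.255.1.10/32
#   [Peer]       Endpoint   = <router public IP>:13232
#                AllowedIPs = 10.10.10.0/24   # split tunnel: only the LAN via WG
#             or AllowedIPs = 0.0.0.0/0       # full tunnel, as holvoetn says
# 0.0.0.0/24 only matches 0.0.0.0-0.0.0.255, so with that value the client
# never sends any real destination down the tunnel, which is why it "works"
# only when the LAN is reachable directly over the local wifi.
```

Two checks worth doing after pasting this in: `/interface wireguard peers print` should show a recent last-handshake for a client that is off-site, which proves the input rule and the listen port are right; if the handshake succeeds but the server is still unreachable, the problem is routing or the forward chain. The LAN server must have a route back to 10.255.1.0/24, which it does automatically when the router is its default gateway; if it is not, either add that route on the server or add a `/ip firewall nat` masquerade rule for src-address=10.255.1.0/24 out the bridge so replies return through the router. If the defconf rules on the box have different comments, the place-before lookups will not match; in that case drag the three rules above the drop rules in Winbox, as gkaro already did for the input rule.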
 
gkaro
just joined
Topic Author
Posts: 3
Joined: Thu May 26, 2022 3:21 pm

Re: Wireguard Road warrior Firewall Question

Sat May 28, 2022 10:34 pm

Ok: answers to questions please keep in mind I still learning MT, but loving it so far!
Question #1, yes, that was my intension. But really I was just messing around with that. Question #2 Cool thanks for the help on that. I will make those changes. Question #3 besides the factory firewall rules I do see that the input chains are at the top and then the forward chains are second. Or should I move all the factory rules too? Question #4 I thought I had to put on the second address in order to access it? But I guessing now its done in the firewall? I that correct? Yes wg-server is for connecting MT to MT. Actually there will be a total of three MT connecting back to MT server 189.20.20.1. 189.20.20.2 (mine), 20.3 and 20.4. The 20.2 will need access to all subnets but the 20.3 and 20.4 will only need LAN access. For the wg-mobile they just need access to our server. And yes I do agree. I will change my the way I labeled things. I was just trying to make it stupid simple for the next guy if I ever leave. But on the other hand I have documented everything. Thank you for the help.
 
anav
Forum Guru
Posts: 19125
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Road warrior Firewall Question

Sat May 28, 2022 10:35 pm

Good to know, and thus be open minded to suggestions LOL.

It sounds like you are on the right track.
When ready to post the Main Config I will have a look at it.
In the meantime, don't post your config until you have gone through this read: viewtopic.php?p=906311

What you will find especially germane is the section in Para 4
