alessandrobozzo
just joined
Topic Author
Posts: 4
Joined: Mon Jun 13, 2022 10:02 am

Wireguard Client QNAP

Mon Jun 13, 2022 10:10 am

Good morning guys,

I am writing for the first time, so let me introduce myself: I am Alessandro Bozzo, writing from the province of Savona in Italy.
I have a problem on a Mikrotik: I have successfully set up a VPN client connected to the Wireguard server on a QNAP. I can ping the IPs in the QNAP subnet from the Mikrotik terminal without problems, but from my internal Mikrotik subnet it does not work. I set up a source NAT with source address my subnet, destination address the subnet of the QNAP, and out interface wireguard, but nothing.
I am attaching the configuration of the Mikrotik:

# jun/13/2022 06:17:50 by RouterOS 7.3.1
# software id = V5EL-CMUG
#
# model = RouterBOARD mAP L-2nD
# serial number = <CENSORED>
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no mode=ap-bridge \
    ssid=MikroTik
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=pool1 ranges=192.168.200.50-192.168.200.100
/ip dhcp-server
add address-pool=pool1 interface=wlan1 name=server1
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=82.215.131.20 endpoint-port=\
    51820 interface=wireguard1 persistent-keepalive=10s public-key=\
    "WdrBS/JgIrJORFBjYEvV1pwdRlZipWr+HTv2LiSSphA="
/ip address
add address=198.18.7.4/24 interface=wireguard1 network=198.18.7.0
add address=192.168.200.1/24 interface=wlan1 network=192.168.200.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=192.168.200.0/24 dns-server=8.8.8.8 gateway=192.168.200.1 netmask=\
    24
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=accept chain=srcnat dst-address=172.20.0.0/16 out-interface=\
    wireguard1 src-address=192.168.200.0/24
/ip route
add disabled=no distance=1 dst-address=172.20.0.0/16 gateway=198.18.7.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
[admin@MikroTik] >
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Wireguard Client QNAP

Mon Jun 13, 2022 3:24 pm

I don't think that rules with action=accept in the NAT section do what you think they do.
Try setting that up in the Filter section.
 
alessandrobozzo
just joined
Topic Author
Posts: 4
Joined: Mon Jun 13, 2022 10:02 am

Re: Wireguard Client QNAP

Mon Jun 13, 2022 3:41 pm

Thanks for the answer,
I don't have any filter rules, do you think I should try to create a forward rule between the two subnets?
I continued with the tests and I don't understand why I keep being able to see and ping from the mikrotik to the internal network of the wireguard server but nothing from the internal network of my mikrotik.
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Wireguard Client QNAP

Mon Jun 13, 2022 3:55 pm

Oh, I thought you just left that part out. I don't understand anything from that config.
Post the config from both sides.
And write the subnets from both sides.
 
alessandrobozzo
just joined
Topic Author
Posts: 4
Joined: Mon Jun 13, 2022 10:02 am

Re: Wireguard Client QNAP

Mon Jun 13, 2022 4:44 pm

Site A: (Server VPN Wireguard QNAP)
Subnet LAN: 172.16.0.0/16
IP Wireguard 198.18.7.1

Site B: (client wireguard Mikrotik ip 198.18.7.4)
Subnet LAN: 192.168.200.0/24

Inside the Mikrotik, from the terminal, I can see and ping the 172.16 network (likewise 198.18..); from the local network, however, I cannot, that is, from 192.168.200.0 I cannot ping 172.16.

TNX
 
alessandrobozzo
just joined
Topic Author
Posts: 4
Joined: Mon Jun 13, 2022 10:02 am

Re: Wireguard Client QNAP  [SOLVED]

Mon Jun 13, 2022 7:05 pm

I solved it. I am posting an update in case anyone is in the same situation as me. I created a NAT masq with source address my LAN, destination address the LAN of "site A", and out interface wireguard.
Thank you all.
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Wireguard Client QNAP

Mon Jun 13, 2022 7:12 pm

Or you can set up proper routing between 172.16.0.0/16 and 192.168.200.0/24 via the wireguard tunnel.
But hey, if you guys like NAT so much.
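
The two approaches discussed in this thread, written out as RouterOS 7 commands. This is an added example, not part of any post above; it uses the subnets from the 4:44 pm post, and the test host 172.16.0.1 and the notes about the QNAP side are assumptions.

```routeros
# Added example. Subnets as stated in the 4:44 pm post (the exported
# config earlier in the thread uses 172.20.0.0/16 instead):
#   Site A (QNAP WireGuard server): LAN 172.16.0.0/16,    tunnel 198.18.7.1
#   Site B (MikroTik client):       LAN 192.168.200.0/24, tunnel 198.18.7.4

# Route to Site A through the tunnel (needed by both options).
/ip route
add dst-address=172.16.0.0/16 gateway=wireguard1

# Original rule, shown commented out: action=accept in srcnat only ends
# NAT processing, so LAN packets enter the tunnel with their
# 192.168.200.x source address unchanged.
# /ip firewall nat
# add action=accept chain=srcnat src-address=192.168.200.0/24 \
#     dst-address=172.16.0.0/16 out-interface=wireguard1

# Option 1 (the fix reported in the thread): masquerade LAN traffic
# entering the tunnel, so Site A sees it as coming from 198.18.7.4.
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.200.0/24 \
    dst-address=172.16.0.0/16 out-interface=wireguard1 \
    comment="site B LAN to site A via wireguard1"

# Option 2 (routing, no NAT): leave out the masquerade rule above.
# Site A then sees real 192.168.200.x sources, so (assumption about the
# QNAP side) its peer entry for this router must include
# 192.168.200.0/24 in AllowedIPs, and hosts on 172.16.0.0/16 need a
# return route to 192.168.200.0/24 via the QNAP.

# Check from the router itself. A plain ping is sourced from 198.18.7.4,
# which is why terminal pings worked while LAN clients failed. Forcing
# the LAN-side source address reproduces what LAN clients experience.
# 172.16.0.1 is a placeholder for any reachable Site A host.
/ping 172.16.0.1 src-address=192.168.200.1 count=3
```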
