3rv1s
Joined: Tue Jul 12, 2022 9:52 pm

'Response packages' from WireGuard tunnel not reaching connection initiator  [SOLVED]

Tue Jul 12, 2022 10:13 pm

Hello,

I would like to get the following setup running:

- There is a WireGuard tunnel through which all internet traffic from a certain local network (guest = bridge1-vlan60) should be routed.
-> All other internet traffic should be routed via the regular WAN gateway as before.
- There is an IPv6 prefix available from the tunnel to be advertised in the guest network but only a few IPv4 addresses are available. This is why IPv4 should use NAT.

The setup HAD been working already but I cannot figure out why it stopped working.
(How did I verify that it had worked? On a device connected to the guest network I visited ipv6-test.com. Both IPv4 and IPv6 addresses shown were definitely correct.)

The setup still works for IPv6 traffic.

The problem just seems to be related to NAT for IPv4.

I can see packages leaving via the wireguard1 interface being NATted:
prerouting: in:bridge1-vlan60 out:(unknown 0), src-mac 5a:a9:5b:x:x:x, proto TCP (SYN), 192.168.60.195:51213->17.57.146.173:5223, NAT (192.168.60.195:51213->100.x.x.177:51213)->17.57.146.173:5223, len 64
And I can see response packages that are being NATted, too:
prerouting: in:wireguard1 out:(unknown 0), proto TCP (SYN,ACK), 17.57.146.173:5223->100.x.x.177:51213, NAT 17.57.146.173:5223->(100.x.x.177:51213->192.168.60.195:51213), len 60
But those packages never seem to reach the connection-initiating host in the guest network.

And even in the firewall connection list, the connections are displayed with TCP state "syn received", without changes.

You can find my configuration below ... I hope I've included all relevant settings.
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1

/interface wireguard peers
add allowed-address=0.0.0.0/0,::/0 endpoint-address=xxx endpoint-port=xxx interface=wireguard1 public-key="xxx"

/interface list
add name=public
add name=admin
add name=private
add name=non-admin
add include=private,public name=private-and-public
add include=admin,private name=admin-and-private
add name=guest
add name=vpn

/interface list member
add interface=bridge1-vlan29 list=public
add interface=bridge1-vlan92 list=admin
add interface=bridge1-vlan92 list=private
add interface=bridge1-vlan21 list=private
add interface=bridge1-vlan21 list=non-admin
add interface=bridge1-vlan29 list=non-admin
add interface=ether10 list=admin
add interface=bridge1-vlan60 list=guest
add interface=wireguard1 list=vpn

/ip address
add address=10.20.18.1/24 interface=ether10 network=10.20.18.0
add address=192.168.92.1/24 interface=bridge1-vlan92 network=192.168.92.0
add address=192.168.21.1/24 interface=bridge1-vlan21 network=192.168.21.0
add address=192.168.29.53/24 interface=bridge1-vlan29 network=192.168.29.0
add address=100.x.x.177/19 interface=wireguard1 network=100.x.x.0
add address=192.168.60.1/24 interface=bridge1-vlan60 network=192.168.60.0

/ip dhcp-client
add interface=bridge1-vlan29 use-peer-dns=no

/ip dhcp-server
add address-pool=dhcp-pool92 interface=bridge1-vlan92 lease-time=30m name=dhcp-server92
add address-pool=dhcp-pool21 interface=bridge1-vlan21 lease-time=30m name=dhcp-server21
add address-pool=dhcp-pool60 interface=bridge1-vlan60 lease-time=30m name=dhcp-server60

/ip dhcp-server network
add address=192.168.21.0/24 dns-server=192.168.21.1 gateway=192.168.21.1
add address=192.168.60.0/24 dns-server=100.x.x.1 gateway=192.168.60.1
add address=192.168.92.0/24 dns-server=192.168.92.1 gateway=192.168.92.1

/ip firewall filter
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related hw-offload=yes
add action=drop chain=forward comment="Drop Invalid Connections" connection-state=invalid log=yes log-prefix=Invalid
add action=accept chain=forward comment="Accept Established,Related Connections" connection-state=established,related
add action=accept chain=forward comment="Accept from guest interfaces to vpn interfaces" in-interface-list=guest out-interface-list=vpn
add action=accept chain=forward comment="Accept from private interfaces to public interfaces" in-interface-list=private out-interface-list=public
add action=accept chain=forward comment="Accept from admin interfaces to admin and private interfaces" in-interface-list=admin out-interface-list=admin-and-private
add action=accept chain=forward comment="Accept incoming packets that are NATted" connection-nat-state=dstnat connection-state=new in-interface-list=public
add action=drop chain=forward comment="Drop everything else"
add action=drop chain=input comment="Drop Invalid Connections" connection-state=invalid log-prefix=Invalid
add action=accept chain=input comment="Accept Established,Related Connections" connection-state=established,related
add action=accept chain=input comment="Accept ICMP" protocol=icmp
add action=accept chain=input comment="Accept DNS requests from private and public interfaces" dst-port=53 in-interface-list=private-and-public protocol=udp
add action=accept chain=input comment="Accept from admin interfaces" in-interface-list=admin
add action=drop chain=input comment="Drop everything else"

/ip firewall mangle
add action=change-mss chain=forward comment="Clamp to pmtu for outgoing" disabled=yes new-mss=clamp-to-pmtu out-interface-list=public passthrough=yes protocol=tcp tcp-flags=syn
add action=change-mss chain=forward comment="Clamp to pmtu for incoming" disabled=yes in-interface-list=public new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
add action=mark-connection chain=prerouting comment="special routing for guest network" connection-mark=no-mark in-interface-list=guest new-connection-mark=usevpn passthrough=yes
add action=mark-routing chain=prerouting comment="special routing for guest network" connection-mark=usevpn connection-nat-state=!dstnat in-interface-list=guest new-routing-mark=useVPN passthrough=yes

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=vpn
add action=masquerade chain=srcnat comment="Default masquerade rule" out-interface-list=public

/ip firewall raw
add action=accept chain=prerouting comment="defconf: accept DHCP discover" dst-address=255.255.255.255 dst-port=67 in-interface-list=guest protocol=udp src-address=0.0.0.0 src-port=68
add action=accept chain=prerouting comment="defconf: accept DHCP discover" dst-address=255.255.255.255 dst-port=67 in-interface-list=private protocol=udp src-address=0.0.0.0 src-port=68

/ip route
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=100.x.x.1 pref-src=0.0.0.0 routing-table=useVPN scope=30 suppress-hw-offload=no target-scope=10

/routing table
add disabled=no fib name=useVPN

/routing rule
add action=lookup-only-in-table disabled=no routing-mark=useVPN table=useVPN

I am pretty sure there's just a firewall or routing rule missing ... I hope it's something too obvious :D

Any help is greatly appreciated.

Best wishes,
Tobi
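As an added example (my own code, not part of the original post and not RouterOS code), the following Python script parses the two firewall log lines quoted above and runs them through a small model of the rule sets in the post: the interface lists, the mangle connection and routing marks, the masquerade on the vpn list, the useVPN routing table with lookup-only-in-table, and the forward filter chain. It assumes netfilter's connection-state semantics (the first reply packet of a tracked connection counts as established) and that fasttrack-connection does not terminate rule processing; the `100.x.x.177` placeholder is kept verbatim as the WireGuard address, and the public-side masquerade rule is not modelled.

```python
"""Added example (not RouterOS code, not from the post's author): trace the two logged packets through a model of the post's mangle, conntrack/NAT, routing and forward-filter rules."""
import re
from ipaddress import ip_address, ip_network

# Constructed input: the two prerouting log lines quoted in the post, placeholder octets kept.
LOG_LINES = [
    "prerouting: in:bridge1-vlan60 out:(unknown 0), src-mac 5a:a9:5b:x:x:x, proto TCP (SYN), "
    "192.168.60.195:51213->17.57.146.173:5223, NAT (192.168.60.195:51213->100.x.x.177:51213)->17.57.146.173:5223, len 64",
    "prerouting: in:wireguard1 out:(unknown 0), proto TCP (SYN,ACK), 17.57.146.173:5223->100.x.x.177:51213, "
    "NAT 17.57.146.173:5223->(100.x.x.177:51213->192.168.60.195:51213), len 60",
]
LOG_RE = re.compile(
    r"(?P<chain>\w+): in:(?P<in>\S+) out:\((?P<out>[^)]*)\)(?:, src-mac (?P<mac>[^\s,]+))?, "
    r"proto (?P<proto>\w+) \((?P<flags>[^)]*)\), (?P<src>[^\s,]+)->(?P<dst>[^\s,]+)"
    r"(?:, NAT (?P<nat>[^,]+))?, len (?P<len>\d+)")

def parse_log(line):
    """Split one RouterOS firewall log line into its fields."""
    m = LOG_RE.match(line)
    if not m: raise ValueError("unrecognised log line: " + line)
    d = m.groupdict()
    d["flags"], d["len"] = tuple(d["flags"].split(",")), int(d["len"])
    return d

# Interface lists and connected networks from the post's /interface list and /ip address sections.
LISTS = {"public": {"bridge1-vlan29"}, "admin": {"bridge1-vlan92", "ether10"}, "guest": {"bridge1-vlan60"},
         "private": {"bridge1-vlan92", "bridge1-vlan21"}, "vpn": {"wireguard1"}}
LISTS["admin-and-private"] = LISTS["admin"] | LISTS["private"]
CONNECTED = {"ether10": ip_network("10.20.18.0/24"), "bridge1-vlan92": ip_network("192.168.92.0/24"),
             "bridge1-vlan21": ip_network("192.168.21.0/24"), "bridge1-vlan29": ip_network("192.168.29.0/24"),
             "bridge1-vlan60": ip_network("192.168.60.0/24")}
WG_ADDR = "100.x.x.177"       # wireguard1 address, placeholder exactly as written in the post
WAN_IFACE = "bridge1-vlan29"  # dhcp-client interface, i.e. where the regular default route points

# Forward-chain rules in the post's order. fasttrack-connection only flags the connection and
# lets the packet fall through to the next rule; accept and drop terminate.
FORWARD = [
    ("FastTrack", "fasttrack-connection", lambda p: p["state"] in ("established", "related")),
    ("Drop Invalid Connections", "drop", lambda p: p["state"] == "invalid"),
    ("Accept Established,Related Connections", "accept", lambda p: p["state"] in ("established", "related")),
    ("Accept from guest interfaces to vpn interfaces", "accept",
     lambda p: p["in"] in LISTS["guest"] and p["out"] in LISTS["vpn"]),
    ("Accept from private interfaces to public interfaces", "accept",
     lambda p: p["in"] in LISTS["private"] and p["out"] in LISTS["public"]),
    ("Accept from admin interfaces to admin and private interfaces", "accept",
     lambda p: p["in"] in LISTS["admin"] and p["out"] in LISTS["admin-and-private"]),
    ("Accept incoming packets that are NATted", "accept",
     lambda p: p["nat_state"] == "dstnat" and p["state"] == "new" and p["in"] in LISTS["public"]),
    ("Drop everything else", "drop", lambda p: True),
]

def route(dst_ip, routing_mark):
    """lookup-only-in-table: a useVPN-marked packet sees only the WireGuard default route."""
    if routing_mark == "useVPN":
        return "wireguard1"
    for iface, net in CONNECTED.items():
        if ip_address(dst_ip) in net:
            return iface
    return WAN_IFACE

def trace(lines):
    """Run the logged packets, in order, through conntrack, mangle, NAT, routing and the filter."""
    conntrack, results = {}, []   # original (src, dst) tuple -> connection entry
    for pkt in map(parse_log, lines):
        key, direction = (pkt["src"], pkt["dst"]), "original"
        conn = conntrack.get(key) or next((c for c in conntrack.values() if c["reply"] == key), None)
        if conn is None:   # first packet of a connection
            conn = conntrack[key] = {"orig": key, "reply": (pkt["dst"], pkt["src"]), "seen_reply": False,
                                     "mark": None, "nat": None, "fasttrack": False}
        elif conn["reply"] == key:
            direction, conn["seen_reply"] = "reply", True
        p = {"in": pkt["in"], "nat_state": conn["nat"], "state": "established" if conn["seen_reply"] else "new"}
        # mangle prerouting: mark-connection on new guest connections, then mark-routing
        if p["state"] == "new" and p["in"] in LISTS["guest"]:
            conn["mark"] = "usevpn"
        p["routing_mark"] = "useVPN" if (conn["mark"] == "usevpn" and p["in"] in LISTS["guest"]
                                         and conn["nat"] != "dstnat") else None
        src, dst = key
        if direction == "reply" and conn["nat"] == "srcnat":   # conntrack undoes the masquerade
            dst = conn["orig"][0]
            p["nat"] = f"{src}->({pkt['dst']}->{dst})"
        p["out"] = route(dst.rsplit(":", 1)[0], p["routing_mark"])
        for comment, action, match in FORWARD:
            if match(p) and action == "fasttrack-connection":
                conn["fasttrack"] = True
            elif match(p):
                p["verdict"], p["rule"] = action, comment
                break
        # srcnat: masquerade behind the wireguard1 address (the public-side rule is not modelled)
        if p["verdict"] == "accept" and direction == "original" and p["out"] in LISTS["vpn"]:
            nat_src = f"{WG_ADDR}:{src.rsplit(':', 1)[1]}"   # masquerade keeps the source port here
            conn["nat"], conn["reply"] = "srcnat", (dst, nat_src)   # NAT rewrites the reply tuple
            p["nat"] = f"({src}->{nat_src})->{dst}"
        p["fasttrack"], p["nat_matches_log"] = conn["fasttrack"], p.get("nat") == pkt["nat"]
        results.append(p)
    return results

if __name__ == "__main__":
    for r in trace(LOG_LINES): print(r)
```

Running it prints one record per packet: the guest SYN is routing-marked useVPN, leaves via wireguard1 and is accepted by the guest-to-vpn rule; the reply is un-NATted back to 192.168.60.195, routed to bridge1-vlan60, flagged for fasttrack and accepted by the established/related rule, and both computed NAT strings match the logged ones. The model shows only what the quoted rules do with each packet; it does not reproduce the loss the post reports, which this page leaves unresolved.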
