karoolpl
just joined
Topic Author
Posts: 6
Joined: Sat Feb 25, 2017 1:56 am

Wireguard - Sometimes working, sometimes not

Mon Sep 12, 2022 3:12 pm

Hi,

I have a strange problem with WireGuard; I set up everything as it should be:
/interface wireguard
add listen-port=13231 mtu=1420 name=wg1
I have a public dynamic IP; my ISP gave me their device, which I set to bridge mode, so I get the public address on my MikroTik device.

example peer config:
/interface wireguard peers
add allowed-address=10.100.100.3/24 interface=wg1 persistent-keepalive=30s \
    public-key="pubkey"
I have set up a static address for my wg1 interface -> 10.100.100.1/24

My client setup:
[Interface]
PrivateKey = PRIVKEY
ListenPort = 13231
Address = 10.100.100.3/24
DNS = 192.168.102.1

[Peer]
PublicKey = PUB
PresharedKey = PREshared
AllowedIPs = 192.168.102.0/24, 192.168.0.0/24
Endpoint = mikrotik.mynetname.net:13231
PersistentKeepalive = 30
When I connect my device, sometimes everything works perfectly, and sometimes it does not work properly: the connection is established, but I can't ping any device in the allowed IPs. Only the Tx counter on the MikroTik side counts packets, there is no Rx.
If it's not working, I do some disable/enable on the client or MikroTik side and everything starts working again.

My MikroTik router is a CCR2004-16G-2S+ with ROS 7.5.

I was trying to work on the MTU size, but with no positive result. Could you give me some advice on WireGuard behaviour? Maybe someone encountered the same problem and resolved it?
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard - Sometimes working, sometimes not

Mon Sep 12, 2022 4:33 pm

I have a strange problem with WireGuard; I set up everything as it should be:
Jajajajajaja, thanks for that, a good chuckle is an excellent way to start the day.

Rarely is an OP ever correct when they make such bold statements, LOL.
The problem encountered is the brain configuring the router without the knowledge of how to do so.
Easily remedied with some study and time.
viewtopic.php?t=182340

In any case, lets look at the config.

(1) What is your expectation of the client when reaching your router?
It would appear that you want them to reach some subnets on the router?
Having a clear network diagram and/or explanation of users' needs does actually assist one in helping!

(2) The MikroTik device doesn't have to have a keepalive setting for the peer in this case, but it causes no harm. You do have it at the peer device, and the settings there are correctly done with keepalive!

(3) The requirement for the allowed IPs at the router is twofold:
a. to match any remote addresses that local router traffic needs to enter the tunnel for (not in your case, except perhaps to ping the client device; and of course we also put in the WireGuard IP address of the peer device);
b. to filter any incoming remote traffic wishing to enter the LAN side after exiting the tunnel, thus what remote addresses are allowed to exit the tunnel at the router device.

In the case of a single client, be it a laptop, an iPhone etc., the WireGuard IP address of the client suffices for the allowed IP as it covers both a and b above, so good to go there!

(4) DNS: typically one puts the WireGuard IP address of the router, so I would suggest changing 192.168.102.1 TO 10.100.100.1 (or whatever your wg1 IP address is).

(5) Okay so you will be accessing two subnets on the router..........

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Conclusion from what you have shown, nothing really wrong.

What you need to do is provide all the facts, which means:
a. /export: we need the full config of the router; only remove/hide the serial number of the router and any public WAN IP information etc.
b. Print or photo of IP routes (just cover public IP info)
 
karoolpl
just joined
Topic Author
Posts: 6
Joined: Sat Feb 25, 2017 1:56 am

Re: Wireguard - Sometimes working, sometimes not

Mon Sep 12, 2022 9:29 pm

Jajajajajaja, thanks for that, a good chuckle is an excellent way to start the day.
I set it up with the documentation and some examples, so for me it should work :) But thanks for the reply and your effort in the thread.

In any case, lets look at the config.

(1) What is your expectation of the client when reaching your router?
It would appear that you want them to reach some subnets on the router?
Having a clear network diagram and/or explanation of users' needs does actually assist one in helping!

The diagram is very simple:
[image: network diagram]



(2) The MikroTik device doesn't have to have a keepalive setting for the peer in this case, but it causes no harm. You do have it at the peer device, and the settings there are correctly done with keepalive!
I turned it off on the MikroTik side, and left it only for the MikroTik behind NAT in the peer config.

(3) The requirement for the allowed IPs at the router is twofold:
a. to match any remote addresses that local router traffic needs to enter the tunnel for (not in your case, except perhaps to ping the client device; and of course we also put in the WireGuard IP address of the peer device);
b. to filter any incoming remote traffic wishing to enter the LAN side after exiting the tunnel, thus what remote addresses are allowed to exit the tunnel at the router device.

I set a pool for WireGuard, 10.100.100.0/24, and wanted to just have access from a WireGuard peer through the main router to both subnets: the LAN in the office with the public IP and the LAN in the office behind NAT. In my configuration everything worked well; I just added one more routing entry on each router pointing to the other network through the WireGuard interface.

(4) DNS: typically one puts the WireGuard IP address of the router, so I would suggest changing 192.168.102.1 TO 10.100.100.1 (or whatever your wg1 IP address is).
It was just added to handle one DNS entry for the shared disk from the Synology.
(5) Okay so you will be accessing two subnets on the router..........

What you need to do is provide all the facts, which means:
a. /export: we need the full config of the router; only remove/hide the serial number of the router and any public WAN IP information etc.
b. Print or photo of IP routes (just cover public IP info)
# sep/12/2022 20:17:28 by RouterOS 7.5
# 
#
# model = CCR2004-16G-2S+
# 
/interface bridge
add name=bridge-lan
add fast-forward=no mtu=1500 name=bridgeguest
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
/interface wireguard
add listen-port=13231 mtu=1420 name=wg1
/interface vlan
add interface=ether2 name=vlan1 vlan-id=10
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool-guest ranges=10.10.0.2-10.10.0.100
add name=pool-lan2 ranges=192.168.102.200-192.168.102.220
add name=pool-vpn1 ranges=10.1.0.10-10.1.0.50
add name=pool-vpn2 ranges=192.168.103.2/31
add name=pool-ovpn ranges=10.122.1.2-10.122.1.100
add name=pool-lan next-pool=pool-lan2 ranges=192.168.102.30-192.168.102.196
/ip dhcp-server
add address-pool=pool-guest authoritative=after-2sec-delay interface=bridgeguest lease-time=2h name=server-guest
add address-pool=pool-lan authoritative=after-2sec-delay interface=bridge-lan lease-time=10h name=server-lan
/port
set 0 name=serial0
set 1 name=serial1
/routing table
add disabled=no fib name=wb-table
/interface bridge port
add bridge=bridge-lan interface=ether2
add bridge=bridge-lan interface=ether3
add bridge=bridge-lan interface=ether4
add bridge=bridge-lan interface=ether5
add bridge=bridge-lan interface=ether6
add bridge=bridge-lan interface=ether7
add bridge=bridge-lan interface=ether8
add bridge=bridgeguest interface=vlan1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface wireguard peers
add allowed-address=10.100.100.2/24 disabled=yes interface=wg1 public-key="LsG0b6NU7ZGm2kSN9/zKRxMEGlSYKGJ0mLqlEzWQGgE="
add allowed-address=10.100.100.3/24 interface=wg1 public-key="axLoNWucioeU3snFbNcuoUB8pv4+NjZOF1Ftr4/PF3g="
add allowed-address=10.100.100.4/24 interface=wg1 public-key="igj3yEBPuzGuX+8hn7tRFdzI5xrepgY8wUWZzOqtUxA="
add allowed-address=10.100.100.5/24 interface=wg1 public-key="YGE+iT2QxSidJFNEnL27W6AI1fj9ilECsghFgv+mNUE="
add allowed-address=10.100.100.6/24 interface=wg1 public-key="h7bqHwTHukc/gg5xLqz91GIhoZSXT4iYLGBNArDbsTY="
add allowed-address=10.100.100.7/24 interface=wg1 public-key="E2JOwZut1DBHxVirBKaQVYfHlxucYErAe7Cx1ghugUY="
add allowed-address=10.100.100.8/24 interface=wg1 public-key="slkSi2pv9L3d44yAgFzeZ7mN8Op39IiI5A3ue++5iQo="
add allowed-address=10.100.100.9/24 interface=wg1 public-key="LSOE+bN3c4Z11g5yB2x0h+FVXK/O9fX2/SLY6zxrwn0="
add allowed-address=10.100.100.10/24 interface=wg1 public-key="XV4kIEjZgpLsNUaGdt+GaX3LXq4/OhpDRRshqkHY6A4="
add allowed-address=10.100.100.11/24 interface=wg1 public-key="R2y2w/GbnL2rCu/BG8NC8azgifjCfKtVhDggiDPI3i4="
add allowed-address=10.100.100.12/24 interface=wg1 public-key="R31RK12H16egjNLjv+23Sv4NcedgX4IVicXEbyHBDW8="
add allowed-address=10.100.100.13/24 interface=wg1 public-key="vAfHSQupsxiH2XcVhWqjSvve48DPHrE6pwNI1Sbo0ns="
add allowed-address=10.100.100.14/24 interface=wg1 public-key="ku/lW+sbjWR1lpw69S+GL9M+vczrS5NwlZiE3SAtiWc="
add allowed-address=10.100.100.15/24 interface=wg1 public-key="edH2WGlwbqX5APwXWTYJkvaBqL4g8ME5xHGyyKJy2RM="
add allowed-address=10.100.100.16/24 interface=wg1 public-key="j+i3anA4WaT/xhCIklc9fuJY9gzXp1W4M/zDX6XxzEI="
add allowed-address=10.100.100.17/24 interface=wg1 public-key="CFfBdQVPQC+q8YgkFVkJ8uQ4E62UOQ6cp+pOVvpDJUI="
add allowed-address=10.100.100.18/24 interface=wg1 public-key="nBZ0vfkiVISct8WEycy87+GaG07Fru4RuwMe9I7pSAg="
add allowed-address=10.100.100.19/24 interface=wg1 public-key="OC8i1bqmMX1f7lyXIcYUaaKWoYD/vpZeLW1ZdYWqjAE="
add allowed-address=10.100.100.20/24 interface=wg1 public-key="at5rudgdrwQv9wycd+Ize6ylZVTELdmK4dBvbRqMz3E="
add allowed-address=10.100.100.21/24 interface=wg1 public-key="hVqrnULMYAkzmCX6h2oxci+hIDI5e1K5QWCrvJzlHgQ="
add allowed-address=10.100.100.22/24 interface=wg1 public-key="HRXOz+uU39BHJezzkgIzvQmWwqIly75vUiCdf/VM1hg="
add allowed-address=10.100.100.23/24 interface=wg1 public-key="LEdIbl2Pc0tu4IVTpukif05cZUvc/2evysZdKKbSwUQ="
add allowed-address=10.100.100.24/24 interface=wg1 public-key="oSsRlxWl7JMT97lbAtpE6lx2Qmydb982aEiO2vMw034="
add allowed-address=10.100.100.25/24 interface=wg1 public-key="vw38kK8HX+gZcFKtgtgLF2E4qc+YK9kPB6YYM+hAkAk="
add allowed-address=10.100.100.26/24 interface=wg1 public-key="bKv+skJB9IvUiv51/SyiXMJzIbSPH54JHnuHFGZE1y4="
add allowed-address=10.100.100.27/24 interface=wg1 public-key="lFtZYus+A6N4Xh2h81jH0/eZ29ghmKfZW6BkejJRVWs="
add allowed-address=10.100.100.28/24 interface=wg1 public-key="KWE4aIu4IN0HNHccS89Om6mBodB0rXq9HSxFUKRc9G4="
add allowed-address=10.100.100.29/24 interface=wg1 public-key="qsSdvzhgM7i4ErkEAmpnHcGHnu34BviOB+SPfxIVbk8="
add allowed-address=10.100.100.30/24 interface=wg1 public-key="jwhd4mHvSxgM1S1oMH54eysLvfKiZRZ+rrBJw+gquyQ="
add allowed-address=10.100.100.31/24 interface=wg1 public-key="cPv5lavYQjqpzulnr5N6fPUJwR8dxN7QyitZLE8ZIXg="
add allowed-address=10.100.100.32/24 interface=wg1 public-key="Bs39YWD46nbYg3o+Rw4EXoVtrEQ/3DCG21Kqu4PVcQ4="
add allowed-address=10.100.100.33/24 interface=wg1 public-key="alaWvUpOM6yj+OZOR+H24VqdxZqhBbLAuXwq1yZ07iw="
add allowed-address=10.100.100.34/24 interface=wg1 public-key="Bs6oeWvVtAWfUw1GJr/M8rmjtKVmoZKWHDljy8PkSxA="
add allowed-address=10.100.100.35/24 interface=wg1 public-key="ymGDkJUrFlbcQZFW8IYmxXrve47ROleuPyEtA7U3eVg="
add allowed-address=10.100.100.36/24 interface=wg1 public-key="sBNmh2b2MAj1WIet126GMuHZQLLBbxt+mEql5NI5qSI="
add allowed-address=10.100.100.37/24 interface=wg1 public-key="LO1WHML0EAoYoXz4xDDylyKoLDlgy4WYuRhhmzCp5So="
add allowed-address=10.100.100.38/24 interface=wg1 public-key="Q8D2SSY7s3F7sXJEXdbrbt/+83UenZB7xLbIbZ93i0U="
add allowed-address=10.100.100.39/24 interface=wg1 public-key="MZUmQpHe4Be4qhe/h8TWbhB6c/AHOVfXuobbfDhSwno="
add allowed-address=10.100.100.40/24 interface=wg1 public-key="xSrVwu4PAksY4/4XwI1xbO9Mnphe9DI0ZmvyOqmtIAE="
add allowed-address=10.100.100.41/24 interface=wg1 public-key="DJEawhMB+SnpulmHV1zrInxmzmJ6aQmHR+tFWX9oq0o="
add allowed-address=10.100.100.42/24 interface=wg1 public-key="krVd9J0HiPGnk5gFY3v7frc2ocEqT3kd1njYkx+iMWU="
/ip address
add address=192.168.102.1/24 interface=bridge-lan network=192.168.102.0
add address=10.10.0.1/24 interface=bridgeguest network=10.10.0.0
add address=192.168.1.1/24 disabled=yes interface=bridge-lan network=192.168.1.0
add address=10.100.100.1/24 interface=wg1 network=10.100.100.0
add address=PUBLICIP interface=ether1-WAN network=PUBLICIP
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add interface=ether1-WAN
/ip dhcp-server lease
add address=192.168.102.105 always-broadcast=yes client-id=1:50:e5:49:3c:61:1e mac-address=50:E5:49:3C:61:1E server=server-lan
add address=192.168.102.120 client-id=1:0:24:d7:96:91:d8 mac-address=00:24:D7:96:91:D8 server=server-lan
add address=192.168.102.3 client-id=1:0:1b:9c:0:46:47 mac-address=00:1B:9C:00:46:47 server=server-lan
add address=192.168.102.138 client-id=1:0:2:d1:31:a8:e5 mac-address=00:02:D1:31:A8:E5 server=server-lan
add address=192.168.102.139 client-id=1:0:2:d1:31:a8:9c mac-address=00:02:D1:31:A8:9C server=server-lan
add address=192.168.102.140 always-broadcast=yes client-id=1:0:2:d1:31:a8:98 mac-address=00:02:D1:31:A8:98 server=server-lan
add address=192.168.102.141 always-broadcast=yes client-id=1:0:2:d1:31:a8:99 mac-address=00:02:D1:31:A8:99 server=server-lan
add address=192.168.102.98 mac-address=00:11:32:4F:8C:A3 server=server-lan
add address=192.168.102.97 client-id=1:0:11:32:4f:8c:a2 mac-address=00:11:32:4F:8C:A2 server=server-lan
add address=192.168.102.223 client-id=1:0:2:d1:31:a8:99 mac-address=3C:EF:8C:C0:26:0B server=server-lan
add address=192.168.102.144 client-id=1:0:e:53:24:fb:2c mac-address=00:0E:53:24:FB:2C server=server-lan
add address=192.168.102.145 client-id=1:0:e:53:24:fb:48 mac-address=00:0E:53:24:FB:48 server=server-lan
add address=192.168.102.146 client-id=1:0:e:53:24:fb:32 mac-address=00:0E:53:24:FB:32 server=server-lan
add address=192.168.102.159 always-broadcast=yes client-id=1:fc:15:b4:2d:41:b mac-address=FC:15:B4:2D:41:0B server=server-lan
add address=192.168.102.117 mac-address=00:11:0A:F7:81:16 server=server-lan
add address=192.168.102.136 client-id=1:0:20:6b:38:c0:be mac-address=00:20:6B:38:C0:BE server=server-lan
add address=192.168.102.110 client-id=1:0:20:6b:6b:0:40 mac-address=00:20:6B:6B:00:40 server=server-lan
add address=192.168.102.134 mac-address=00:26:55:14:02:F9 server=server-lan
add address=192.168.102.2 mac-address=8C:3B:AD:68:A9:80 server=server-lan
add address=192.168.102.113 client-id=1:e0:69:95:9e:f:13 mac-address=E0:69:95:9E:0F:13 server=server-lan
add address=192.168.102.133 client-id=1:48:f:cf:49:8b:2b mac-address=48:0F:CF:49:8B:2B server=server-lan
add address=192.168.102.5 client-id=1:0:11:32:b5:6b:43 mac-address=00:11:32:B5:6B:43 server=server-lan
add address=192.168.102.111 client-id=1:dc:a6:32:ac:cb:46 mac-address=DC:A6:32:AC:CB:46 server=server-lan
add address=192.168.102.177 client-id=1:dc:a6:32:a1:e3:60 mac-address=DC:A6:32:A1:E3:60 server=server-lan
add address=192.168.102.54 client-id=1:e8:d8:d1:7b:21:b8 mac-address=E8:D8:D1:7B:21:B8 server=server-lan
add address=192.168.102.114 client-id=1:e4:5f:1:0:de:b2 mac-address=E4:5F:01:00:DE:B2 server=server-lan
/ip dhcp-server network
add address=10.10.0.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.10.0.1 netmask=24
add address=192.168.102.0/24 dns-server=192.168.102.1,8.8.8.8,8.8.4.4 gateway=192.168.102.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.102.199 name=diskstation
add address=192.168.102.199 name=diskstation.local
add address=192.168.102.199 name=DiskStation
/ip firewall address-list
add address=192.168.102.0/24 list=local
add address=10.100.100.0/24 list=local
add address=192.168.0.0/24 list=local
/ip firewall filter
add action=accept chain=input disabled=yes dst-port=1194 protocol=tcp
add action=accept chain=input disabled=yes dst-port=1194 protocol=udp
add action=accept chain=input disabled=yes dst-port=13231 log=yes log-prefix=wg-tcp protocol=tcp
add action=accept chain=input dst-port=13231 log-prefix=wg-udp protocol=udp
add action=accept chain=forward src-address=192.168.104.0/24
add action=accept chain=input src-address=192.168.104.0/24
add action=accept chain=input disabled=yes protocol=tcp src-address=192.168.102.2
add action=jump chain=forward disabled=yes jump-target=192.168.102.199 protocol=tcp src-port=361
add action=drop chain=input disabled=yes dst-address=10.10.0.0/24 src-address=192.168.102.0/24
add action=drop chain=forward dst-address=10.10.0.0/24 src-address=192.168.102.0/24
add action=drop chain=input disabled=yes dst-address=192.168.102.0/24 src-address=10.10.0.0/24
add action=drop chain=forward dst-address=192.168.102.0/24 src-address=10.10.0.0/24
add action=drop chain=input dst-port=53 in-interface=ether1-WAN protocol=udp src-address-list=!local
add action=drop chain=input dst-port=53 in-interface=ether1-WAN protocol=tcp src-address-list=!local
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=yes dst-address-list=!local dst-port=65001 new-routing-mark=wb-table \
    passthrough=yes protocol=tcp
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.104.0/24 src-address=192.168.0.0/24
add action=accept chain=srcnat dst-address=192.168.0.0/24 src-address=10.1.0.0/24
add action=accept chain=srcnat dst-address=192.168.102.0/24 src-address=192.168.103.0/24
add action=accept chain=srcnat dst-address=192.168.102.0/24 src-address=192.168.104.0/24
add action=accept chain=srcnat disabled=yes dst-address=192.168.103.0/24 src-address=192.168.102.0/24
add action=dst-nat chain=dstnat dst-address=PUBLICIP dst-port=3389 protocol=tcp to-addresses=192.168.102.105 to-ports=3389
add action=dst-nat chain=dstnat dst-address=PUBLICIP dst-port=65001 protocol=tcp to-addresses=10.100.100.2 to-ports=8291
add action=dst-nat chain=dstnat dst-address=192.168.102.1 dst-port=65001 protocol=tcp to-addresses=10.100.100.2 to-ports=8291
add action=dst-nat chain=dstnat dst-address=PUBLICIP dst-port=9000 protocol=tcp to-addresses=192.168.102.221 to-ports=361
add action=dst-nat chain=dstnat dst-address=PUBLICIP dst-port=9001 protocol=tcp to-addresses=192.168.102.223 to-ports=80
add action=dst-nat chain=dstnat dst-address=PUBLICIP dst-port=9010 log=yes log-prefix=dst2 protocol=tcp to-addresses=\
    192.168.104.2 to-ports=8291
add action=dst-nat chain=dstnat dst-address=PUBLICIP dst-port=6000 log=yes log-prefix=winbox protocol=tcp to-addresses=\
    192.168.104.2 to-ports=8291
add action=dst-nat chain=dstnat comment=NETGEAR disabled=yes dst-address=PUBLICIP dst-port=8081 log-prefix=winbox protocol=\
    tcp to-addresses=192.168.102.2 to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-address=PUBLICIP dst-port=9002 log-prefix=winbox protocol=tcp \
    to-addresses=192.168.102.199 to-ports=22
add action=dst-nat chain=dstnat disabled=yes dst-address=PUBLICIP dst-port=9000 protocol=udp to-addresses=192.168.102.159
add action=src-nat chain=srcnat disabled=yes protocol=tcp src-address=192.168.104.2 src-port=9002 to-addresses=PUBLICIP \
    to-ports=9002
add action=src-nat chain=srcnat disabled=yes protocol=tcp src-address=192.168.102.247 src-port=9000 to-addresses=PUBLICIP \
    to-ports=9000
add action=src-nat chain=srcnat disabled=yes protocol=tcp src-address=192.168.102.224 src-port=80 to-addresses=192.168.102.220 \
    to-ports=9000
add action=dst-nat chain=dstnat disabled=yes dst-address=PUBLICIP protocol=rdp to-addresses=192.168.102.105
add action=dst-nat chain=dstnat dst-address=PUBLICIP dst-port=3389 protocol=udp to-addresses=192.168.102.105 to-ports=3389
add action=src-nat chain=srcnat disabled=yes protocol=udp src-address=192.168.102.105 src-port=3389 to-addresses=PUBLICIP \
    to-ports=3389
add action=dst-nat chain=dstnat dst-address=PUBLICIP dst-port=21 protocol=tcp to-addresses=192.168.102.199 to-ports=21
add action=dst-nat chain=dstnat dst-address=PUBLICIP dst-port=20 protocol=tcp to-addresses=192.168.102.199 to-ports=20
add action=dst-nat chain=dstnat disabled=yes dst-address=PUBLICIP dst-port=22 protocol=tcp to-addresses=192.168.102.199 \
    to-ports=22
add action=dst-nat chain=dstnat dst-address=PUBLICIP dst-port=55536-55567 protocol=tcp to-addresses=192.168.102.199 \
    to-ports=55536-55567
add action=dst-nat chain=dstnat comment="nowy rackstation" dst-address=PUBLICIP dst-port=5000 protocol=tcp to-addresses=\
    192.168.102.199 to-ports=5000
add action=dst-nat chain=dstnat comment="nowy rackstation" dst-address=PUBLICIP dst-port=5300 protocol=tcp to-addresses=\
    192.168.102.63 to-ports=5000
add action=dst-nat chain=dstnat comment="nowy rackstation" dst-address=PUBLICIP dst-port=5443 protocol=tcp to-addresses=\
    192.168.102.199 to-ports=5443
add action=dst-nat chain=dstnat comment="nowy rackstation" dst-address=PUBLICIP dst-port=5678 protocol=tcp to-addresses=\
    192.168.102.199 to-ports=5678
add action=dst-nat chain=dstnat comment="nowy rackstation" dst-address=PUBLICIP dst-port=8890 protocol=tcp to-addresses=\
    192.168.102.199 to-ports=8890
add action=dst-nat chain=dstnat comment="stary diskatation" dst-address=PUBLICIP dst-port=5500 protocol=tcp to-addresses=\
    192.168.102.5 to-ports=5000
add action=dst-nat chain=dstnat comment="stary diskatation" dst-address=PUBLICIP dst-port=5550 protocol=tcp to-addresses=\
    192.168.0.99 to-ports=5000
add action=dst-nat chain=dstnat dst-address=PUBLICIP dst-port=9987 protocol=tcp to-addresses=192.168.102.197 to-ports=9987
add action=dst-nat chain=dstnat dst-address=PUBLICIP dst-port=9987 protocol=udp to-addresses=192.168.102.197 to-ports=9987
add action=dst-nat chain=dstnat disabled=yes dst-port=5000 protocol=udp src-address=PUBLICIP to-addresses=192.168.102.199 \
    to-ports=5000
add action=dst-nat chain=dstnat dst-address=PUBLICIP dst-port=7089 protocol=tcp to-addresses=192.168.102.3 to-ports=7089
add action=dst-nat chain=dstnat dst-address=PUBLICIP dst-port=7091 protocol=tcp to-addresses=192.168.102.3 to-ports=7091
add action=dst-nat chain=dstnat dst-address=PUBLICIP dst-port=8099 protocol=tcp to-addresses=192.168.102.115 to-ports=80
add action=dst-nat chain=dstnat dst-address=PUBLICIP dst-port=8090 protocol=tcp to-addresses=192.168.102.2 to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-address=PUBLICIP dst-port=7089-7091 protocol=tcp to-addresses=\
    192.168.102.115 to-ports=7098
add action=dst-nat chain=dstnat dst-address=PUBLICIP dst-port=9004 protocol=tcp to-addresses=192.168.104.2 to-ports=8291
add action=masquerade chain=srcnat out-interface=ether1-WAN
add action=masquerade chain=srcnat disabled=yes out-interface=ether1-WAN
add action=masquerade chain=srcnat log=yes log-prefix=winbox2 out-interface=ether1-WAN src-address=192.168.104.0/24 \
    src-address-list=local
add action=masquerade chain=srcnat disabled=yes src-address-list=PPPVPN
add action=accept chain=srcnat disabled=yes src-address=192.168.102.0/24
add action=dst-nat chain=dstnat dst-port=8055 in-interface=ether1-WAN protocol=tcp to-addresses=192.168.102.10 to-ports=80
add action=dst-nat chain=dstnat dst-port=8056 in-interface=ether1-WAN protocol=tcp to-addresses=192.168.102.10 to-ports=37777
add action=dst-nat chain=dstnat dst-port=9432 in-interface=ether1-WAN protocol=tcp to-addresses=192.168.102.110 to-ports=443
add action=dst-nat chain=dstnat dst-address=PUBLICIP dst-port=6002 protocol=tcp to-addresses=192.168.102.133 to-ports=3389
add action=masquerade chain=srcnat dst-address=192.168.1.0/24 src-address=192.168.102.0/24
add action=masquerade chain=srcnat dst-address=192.168.102.0/24 src-address=192.168.1.0/24
add action=dst-nat chain=dstnat dst-port=5900,5901,5902 protocol=tcp to-addresses=192.168.102.114 to-ports=5900
/ip route
add disabled=no dst-address=192.168.0.0/24 gateway=wg1 routing-table=main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox port=65000
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=ing-rtr-01

[admin_ingeo@ing-rtr-01] /ip/route> print
Flags: D - DYNAMIC; A - ACTIVE; c, s, d, y - COPY
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#     DST-ADDRESS       GATEWAY         DISTANCE
  DAd 0.0.0.0/0         PUBLICIP               1
  DAc 10.10.0.0/24      bridgeguest            0
  DAc 10.100.100.0/24   wg1                    0
  DAc PUBLICIP          ether1-WAN             0
0  As 192.168.0.0/24    wg1                    1
  DAc 192.168.102.0/24  bridge-lan             0
  

Maybe I made some config error doing WG between sites on the same subnet as the peers? Should I split it into two other WG interfaces? Another thing I observed: if I'm connected and everything is working fine, when I disable another peer, for example the address 10.100.100.2 for the 2nd site, the WireGuard on my local machine also stops working. After that, if I disable my WG peer for my machine and let the keepalive from the local client peer config work, it starts to work again, but until I disable my WG peer my connection is not working properly.

Thanks very much in advance for helping me resolve my issue :)
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard - Sometimes working, sometimes not

Tue Sep 13, 2022 12:24 am

So there is a second WireGuard device behind the first router?
My question is why are you WireGuarding from one connected router to another?
Why have another router with NAT is the first question.
Do you need WireGuard on that second router?
Everything is going to be routed by the first router anyway.

Next, user peers, wow. 77 of them??
Are they all road warriors, each with their own public key to put on the main router?

2. Your config seems overly complex; I would use all VLANs and one bridge, and one pool per subnet, but that's my preference.

3. Why two pools for the same LAN??
/ip pool
add name=pool-guest ranges=10.10.0.2-10.10.0.100
add name=pool-lan2 ranges=192.168.102.200-192.168.102.220
add name=pool-vpn1 ranges=10.1.0.10-10.1.0.50
add name=pool-vpn2 ranges=192.168.103.2/31
add name=pool-ovpn ranges=10.122.1.2-10.122.1.100

add name=pool-lan next-pool=pool-lan2 ranges=192.168.102.30-192.168.102.196

4. This is wrong. For bridges, the interfaces can be ether ports or wlans. A VLAN is what is going through the interface, either tagged or untagged etc.
You do have vlan1 (named vlan1, vlan-id=10) going on top of ether2, which is already hosted by bridge-lan. As I stated, overly complex and confusing, clearly demonstrated in that you made a hash of it.

add bridge=bridgeguest interface=vlan1
/interface vlan
add interface=ether2 name=vlan1 vlan-id=10
/interface bridge port
add bridge=bridge-lan interface=ether2
add bridge=bridgeguest interface=vlan1

Thus, what you seem to really want is this:
add interface=bridgeguest name=vlan1 vlan-id=10
add bridge=bridgeguest interface=ether2 (pvid=10 BUT ONLY if this is an access port, aka going to a dumb device; otherwise don't include the pvid)


Personally, once I introduce VLANs I don't mix apples and oranges, and the bridge does no work for DHCP or anything else.
So I would have one bridge, not two:
BR1
add interface=BR1 name=vlan1 vlan-id=10
add interface=BR1 name=MainVlan vlan-id=20
/interface bridge port
add bridge=bridge-lan interface=ether2 pvid=10
add bridge=bridge-lan interface=ether3 pvid=20
add bridge=bridge-lan interface=ether4 pvid=20
add bridge=bridge-lan interface=ether5 pvid=20
add bridge=bridge-lan interface=ether6 pvid=20
add bridge=bridge-lan interface=ether7 pvid=20
add bridge=bridge-lan interface=ether8 pvid=20

If any port is a trunk port, remove the pvid etc. But I digress ;-) and that is not your style.

5. What you are missing is the matching /interface bridge vlan settings, probably something like:
add bridge=bridgeguest tagged=bridgeguest untagged=ether2 vlan-ids=10

6. For the main router, the allowed IPs should be set at /32, not /24, for all the peers. The different case would be a peer router, where besides the /32 IP address of the peer you also add any subnets that you may wish to access, or peer subnets that may be wishing to access the main router.

7. Your firewall rules are not clear, not complete and uselessly complex in some bits, but I am tired of this config and won't comment further.

8. Source NAT rules and destination NAT rules, same thing, what a dog's breakfast. No further comments.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
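Point 6 above (allowed IPs at /32, not /24) and the OP's observation a few posts up that disabling one peer breaks another both follow from WireGuard's cryptokey routing, modelled here as an added example (not code from the thread or from MikroTik). It assumes the wg(8) rule that a prefix already held by one peer moves to the peer it is assigned to next, and that RouterOS behaves the same way; the peer keys and the two export snippets are constructed placeholders, not the OP's real peers:

```python
"""Model WireGuard cryptokey routing for a set of RouterOS peers.

Added example, not code from the thread or from MikroTik. WireGuard keeps
one table that maps each allowed-address prefix to exactly one peer, and
assigning a prefix that another peer already holds moves it to the newer
peer (wg(8) documents this for the reference implementation; assumed here
to describe RouterOS as well). Host bits in an allowed-address are ignored,
so 10.100.100.3/24 and 10.100.100.4/24 are the same prefix.
"""
import ipaddress
import re

# Constructed sample in RouterOS export syntax; the keys are placeholders.
ROS_EXPORT_OVERLAPPING = """\
/interface wireguard peers
add allowed-address=10.100.100.2/24 interface=wg1 public-key="PEER2"
add allowed-address=10.100.100.3/24 interface=wg1 public-key="PEER3"
add allowed-address=10.100.100.4/24 interface=wg1 public-key="PEER4"
"""

# Same peers with /32 per road warrior; PEER2 plays the office-B router,
# so it also carries that office's LAN (192.168.0.0/24 in the thread).
ROS_EXPORT_FIXED = """\
/interface wireguard peers
add allowed-address=10.100.100.2/32,192.168.0.0/24 interface=wg1 public-key="PEER2"
add allowed-address=10.100.100.3/32 interface=wg1 public-key="PEER3"
add allowed-address=10.100.100.4/32 interface=wg1 public-key="PEER4"
"""

PEER_RE = re.compile(r'allowed-address=(\S+).*public-key="([^"]+)"')


def parse_peers(export):
    """Return [(public_key, [network, ...])] in export order.

    Export order is creation order, i.e. the order the prefixes were
    assigned, so it decides which peer ends up owning an overlapping prefix.
    """
    peers = []
    for line in export.splitlines():
        m = PEER_RE.search(line)
        if line.startswith("add ") and m:
            nets = [ipaddress.ip_network(a, strict=False) for a in m.group(1).split(",")]
            peers.append((m.group(2), nets))
    return peers


def build_cryptokey_table(peers):
    """Prefix -> owning peer. A later assignment takes the prefix away from the earlier peer."""
    table = {}
    for key, nets in peers:
        for net in nets:
            table[net] = key
    return table


def select_peer(table, dst):
    """Outbound: longest-prefix match picks the peer a packet is encrypted to (None = dropped)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, key in table.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, key)
    return best[1] if best else None


def inbound_allowed(table, peer, src):
    """Inbound: a decrypted packet is accepted only if its source routes back to the same peer."""
    return select_peer(table, src) == peer


def orphaned_peers(peers, table):
    """Peers owning no prefix: nothing can be routed to them and nothing from them is accepted."""
    owners = set(table.values())
    return [key for key, _ in peers if key not in owners]


def report(export):
    """Summarise where traffic for 10.100.100.3 goes and which peers lost their prefix."""
    peers = parse_peers(export)
    table = build_cryptokey_table(peers)
    return {
        "peer_for_10.100.100.3": select_peer(table, "10.100.100.3"),
        "peer3_inbound_ok": inbound_allowed(table, "PEER3", "10.100.100.3"),
        "orphaned": orphaned_peers(peers, table),
    }


if __name__ == "__main__":
    print("overlapping /24:", report(ROS_EXPORT_OVERLAPPING))
    print("fixed /32:      ", report(ROS_EXPORT_FIXED))
```

With the overlapping export, the whole of 10.100.100.0/24 belongs to the last peer added, so packets for 10.100.100.3 are encrypted to PEER4 and PEER3's own decrypted packets fail the source check: the router's Tx counter climbs while Rx stays at zero. Which peer holds the prefix depends on the order entries were added or re-enabled, which is consistent with the intermittent behaviour and the "disable one peer, another breaks" symptom in the thread. The /32 version gives each road warrior its own entry and lets the office-B router keep its LAN prefix next to its /32.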
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard - Sometimes working, sometimes not

Tue Sep 13, 2022 12:35 am

Now on to the WireGuard stuff. First you need to provide the config of the NATted router!!

Treating the router behind the main router as a separate entity, you need to:
AT MAIN ROUTER
a. allow the peers to enter the main router (so identify them in the allowed IPs of main), and also any subnet from the NATted router that may either access the main router or be the intended target of main router users.
On firewall forward rules: accept in-interface=wg1 dst-address=mainRouter-LanSubnet if any peers may head there.
On firewall forward rules: accept in-interface=wg1 dst-address=nattedRouter-LanSubnet if any peers are headed there.

(This is accurate; easier would be, in the forward chain, accept in-interface=wg1, which covers traffic all over the place, but we are trying to learn what we are actually allowing.)

b. have a route to the second router so that those peers with a destination of the NATted router can get there: dst-address=nattedroutersubnet gwy=wg1 table=main
c. allow the same original peers to enter the WireGuard tunnel again to head to the other, NATted router:
accept src-address=10.100.100.0/24 out-interface=wg1
d. accept src-address=mainroutersubnet out-interface=wg1 (if you had any main router subnet users going to the NATted router)
e. return traffic routes are mostly handled by the DAC routes created by the wg IP address config.

AT NATTED ROUTER
a. allowed peers should be set to 10.100.100.0/24, and ALSO include subnets at the main router if they are either the target of NATted users, or if main router subnet users are coming to the NATted router.
b. firewall rule: accept in-interface=wgnatted dst-address=nattedLANsubnet (this includes a subnet on the main router going to the NATted router if need be)
c. Route for returning traffic is already covered by the DAC route that will exist.
d. Route for returning traffic would be needed if a subnet of the main router needs to go back through the tunnel:
add dst-address=mainroutersubnet gwy=wgnatted table=main

I think that's mostly it.

If in doubt.......
viewtopic.php?t=182340
 
karoolpl
just joined
Topic Author
Posts: 6
Joined: Sat Feb 25, 2017 1:56 am

Re: Wireguard - Sometimes working, sometimes not

Tue Sep 13, 2022 11:35 am

So there is a second WireGuard device behind the first router?
My question is why are you WireGuarding from one connected router to another?
Why have another router with NAT is the first question.
Do you need WireGuard on that second router?
Everything is going to be routed by the first router anyway.
We just have 2 offices: one office with a public dynamic IP, which I want to use as the VPN gateway for all company workers (who need access to the local Synology shared disk in office A, 192.168.102.199; the second disk is in office B with address 192.168.0.99). Right now, with WireGuard set up between the 2 sites (one behind NAT), I'm able to access the networks of the opposite office: 0.0/24 from office A and 102.0/24 from office B.
NExt, user peers wow. 77 of them??
Are they all road warriors each with their own public key to put on the main router?
Yes i ant to use wireguard as office VPN, last time i Was using OpenVPN and everything works good, but when theres wireguard i consider it as better solution. Yes everyone have it's own config, own private/public key and preshared key
2. Your config seems overly complex. I would use all vlans and one bridge, and one pool per subnet, but that's my preference.
These are just some old config things which stayed on the router; you can ignore them, I will do some cleaning afterwards.
3. why two pools for same LAN??
/ip pool
add name=pool-guest ranges=10.10.0.2-10.10.0.100
add name=pool-lan2 ranges=192.168.102.200-192.168.102.220
add name=pool-vpn1 ranges=10.1.0.10-10.1.0.50
add name=pool-vpn2 ranges=192.168.103.2/31
add name=pool-ovpn ranges=10.122.1.2-10.122.1.100

add name=pool-lan next-pool=pool-lan2 ranges=192.168.102.30-192.168.102.196
This I will fix too.

4. This is wrong. For bridges, interfaces can be etherports or wlans. A vlan is what is going through the interface, either tagged or untagged etc.
You do have vlan1 (name vlan-id=10) going on top of ether2, which is already hosted by bridge-lan. As I stated, overly complex and confusing, clearly demonstrated in that you made a hash of it.

This is just for the guest network:

add bridge=bridgeguest interface=vlan1
/interface vlan
add interface=ether2 name=vlan1 vlan-id=10
/interface bridge port
add bridge=bridge-lan interface=ether2
add bridge=bridgeguest interface=vlan1

Thus, what you seem to really want is this:
add interface=bridgeguest name=vlan1 vlan-id=10
add bridge=bridgeguest interface=ether2 (pvid=10 BUT ONLY if this is an access port, aka going to a dumb device, otherwise don't include the pvid)


Personally, once I introduce vlans I don't mix apples and oranges, and the bridge does no work for dhcp or anything else.
So I would have one bridge, not two:
BR1
/interface vlan
add interface=BR1 name=vlan1 vlan-id=10
add interface=BR1 name=MainVlan vlan-id=20
/interface bridge port
add bridge=BR1 interface=ether2 pvid=10
add bridge=BR1 interface=ether3 pvid=20
add bridge=BR1 interface=ether4 pvid=20
add bridge=BR1 interface=ether5 pvid=20
add bridge=BR1 interface=ether6 pvid=20
add bridge=BR1 interface=ether7 pvid=20
add bridge=BR1 interface=ether8 pvid=20

If any port is a trunk port, remove the pvid etc. But I digress ;-) and that is not your style.

5. What you are missing is the matching /interface bridge vlan settings, probably something like:
add bridge=bridgeguest tagged=bridgeguest untagged=ether2 vlan-ids=10

6. For the main router, the allowed IPs should be set at /32, not /24, for all the peers. The different case would be a peer router, where besides the IP address/32 of the peer you also add any subnets that you may wish to access, or peer subnets that may be wishing to access the main router.

7. Your firewall rules are not clear, not complete, and uselessly complex in some bits, but I am tired of this config and won't comment further.

8. Source nat rules and destination nat rules, same thing, what a dog's breakfast. No further comments.

This is stuff which I got from the previous guy; now I'm cleaning everything up.

And now I wanted to make things simpler, to focus on WireGuard as the VPN solution, but I got random timeouts or disconnections when I connect a second client, enable, disable, so this is strange to me.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Wireguard - Sometimes working, sometimes not

Tue Sep 13, 2022 2:12 pm

Latest configs on both routers when all the issues have been addressed, and I will have another look.
 
karoolpl
just joined
Topic Author
Posts: 6
Joined: Sat Feb 25, 2017 1:56 am

Re: Wireguard - Sometimes working, sometimes not

Sat Sep 17, 2022 3:39 pm

@anav thanks for the replies, I figured out what was causing the problems in my config: the peer config in which I set the allowed IP to the whole 10.100.100.CLIENTIP/24 subnet. I found some topic with not the same problem, but it pointed me toward finding the error.

Now when I set the peer allowed address to only a single IP (/32 mask), everything works without interruption. So now on my MT I have a simple wg interface:
/interface wireguard
add listen-port=13231 mtu=1420 name=wg1
/ip address
add address=10.100.100.1/24 interface=wg1 network=10.100.100.0

/interface wireguard peers
add allowed-address=10.100.100.2/32,192.168.0.0/24 interface=wg1 public-key="pubkey client"  -> this is the 2nd MikroTik behind NAT here
add allowed-address=10.100.100.3/32 interface=wg1 public-key="ClientPUBKey" -> "normal VPN client"

/ip/route
1  As 192.168.0.0/24    wg1                 1
    
2nd router config, which is behind NAT:
[admin@MikroTik] /interface/wireguard> export
/interface wireguard
add listen-port=13232 mtu=1420 name=wg1
/interface wireguard peers
add allowed-address=10.100.100.1/24,192.168.102.0/24 endpoint-address=\
    WG1RouterDDNS endpoint-port=13231 interface=wg1 \
    persistent-keepalive=30s public-key=\
    "wg server pubkey"
->> allowed-address: the whole 10.100.100.0/24 subnet so other peers can access 192.168.0.0/24, and 192.168.102.0/24 for local access to the 2nd office LAN
 
/ip/address
2 10.100.100.2/24   10.100.100.0  wg1    

/ip/route
   DAc 10.100.100.0/24    wg1                   0
10  As 192.168.102.0/24   wg1                   1

The only consideration is DNS. I can omit it, but I have one static entry for the shared NAS so that I wouldn't need to add a hosts entry on the client computer. When I set it to 192.168.102.1 it works out of hand, because I have this address allowed in the WireGuard client config; when I set it to the WireGuard IP 10.100.100.1 I also need to add an entry in the client config for AllowedIPs 10.100.100.1/32, or I could also add 10.100.100.0/24 so the clients can communicate with each other, or just leave the LAN network gateway as the default DNS (192.168.102.1).

Thanks for the help, and let this post be a guide for others if they need to connect 2 offices where one is behind NAT and have issues like I did :)
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Wireguard - Sometimes working, sometimes not

Sat Sep 17, 2022 11:42 pm

Yes, on the receiving router,
for peer settings all must be /32 for WireGuard IP addresses.
a. In the case of mobile clients, the WireGuard IP address is the same as the client address coming in.
b. In the case of a remote router (originating a request), besides the WireGuard IP/32 you may need to detail subnets coming from the remote router, or subnets that people on the local router will connect to on the remote router.
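Added example (Python, not from this thread and not RouterOS code): a small model of the WireGuard cryptokey routing rule behind the /32 advice above. Every allowed prefix belongs to exactly one peer, so two peers configured with 10.100.100.x/24 contend for the same /24, and the main router then sends return traffic to, and accepts traffic from, only whichever peer was added last; the peer names and the demo function are made up here.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple


class CryptokeyRoutingTable:
    """Model of one WireGuard interface's allowed-ips (cryptokey routing) table.

    Each prefix belongs to exactly one peer.  Adding a prefix that another peer
    already owns moves it to the new peer, so overlapping /24 allowed-addresses on
    several peers make peer selection depend on configuration order (and on every
    disable/enable, which re-adds the peer's prefixes).
    """

    def __init__(self) -> None:
        self._owner: Dict[ipaddress.IPv4Network, str] = {}

    def add_peer(self, name: str, allowed: List[str]) -> None:
        for cidr in allowed:
            # WireGuard treats 10.100.100.3/24 as the prefix 10.100.100.0/24 (host bits ignored)
            self._owner[ipaddress.ip_network(cidr, strict=False)] = name

    def remove_peer(self, name: str) -> None:
        for net in [n for n, p in self._owner.items() if p == name]:
            del self._owner[net]

    def outbound_peer(self, dst: str) -> Optional[str]:
        """Longest-prefix match: the peer that receives a packet sent to dst."""
        addr = ipaddress.ip_address(dst)
        hits = [net for net in self._owner if addr in net]
        return self._owner[max(hits, key=lambda n: n.prefixlen)] if hits else None

    def accepts_inbound(self, peer: str, src: str) -> bool:
        """A packet decrypted from `peer` is dropped unless src routes back to that peer."""
        return self.outbound_peer(src) == peer


def demo(mask: int) -> Tuple[Optional[str], Optional[str], bool]:
    """Configure the two peers from the thread with the given mask and report which
    peer gets traffic for 10.100.100.2 and 10.100.100.3, and whether packets from the
    NATted router (source 10.100.100.2) are accepted on the main router."""
    t = CryptokeyRoutingTable()
    t.add_peer("natted-router", [f"10.100.100.2/{mask}", "192.168.0.0/24"])
    t.add_peer("road-warrior", [f"10.100.100.3/{mask}"])
    return (t.outbound_peer("10.100.100.2"), t.outbound_peer("10.100.100.3"),
            t.accepts_inbound("natted-router", "10.100.100.2"))


if __name__ == "__main__":
    print("/24:", demo(24))  # road-warrior owns the whole subnet, router's packets dropped
    print("/32:", demo(32))  # each peer owns only its own tunnel address
```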
