MicaelAman
just joined
Topic Author
Posts: 2
Joined: Sat Sep 17, 2022 5:54 pm

WireGuard on a new RB5009

Sat Sep 17, 2022 8:11 pm

Hello,
I have replaced my old Hex with a shiny new RB5009. However, I can't get WireGuard to work as it used to on my old Hex. I have a basic understanding of networking, but this is beyond me :)
I want to be able to access my local LAN from my Windows WireGuard client. I can connect to my RB5009 with WireGuard and I can access the internet when connected, but I can't access the LAN.
I have compared the config from my old Hex with the new RB5009, but I can't find the error.

Obviously I'm missing some important config, but I can't figure it out.
Is there anyone out there who can shed some light on this? I'm losing my hair (what's left of it) over this :)

See attached config.

All the best!
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard on a new RB5009

Sun Sep 18, 2022 6:01 am

NOT CLEAR WHY IT ISN'T WORKING, but I do have some cleanup that might make the difference.

(1) Input chain rules......... all good here but I would make a few minor changes, order of rules etc....
...
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow WireGuard traffic" src-address=\
    192.168.2.0/24
add action=accept chain=input comment="Allow ALL LAN" in-interface-list=LAN
add action=drop chain=input comment="drop all else"
This rule seems a bit wide though? Why not be accurate: 192.168.2.2
add action=accept chain=input comment="allow WireGuard traffic" src-address=\
192.168.2.0/24


(2) Forward chain rules...... Mostly good, but you need to change one of the default rules, for dropping dst-nat............... and replace it with three rules........ and two for wireguard!
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid

add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward in-interface=wireguard1 out-interface-list=WAN
add action=accept chain=forward in-interface=wireguard1 dst-address=192.168.1.0/24 src-address=192.168.2.2

add action=accept chain=forward comment="allow dst-nat" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

(3) Assuming you need this rule because traffic is also going out the internet from your client laptop??
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN

add action=masquerade chain=srcnat src-address=192.168.2.0/24

(4) This should be set to NONE as plain mac is not secure.......
/tool mac-server
set allowed-interface-list=LAN

(5) What is not clear is your IP routes section.
However the IP address you have for your Wireguard should create the necessary routing information as the client IP is within this network
and the router creates the following route dynamically:

<DAC> dst-address=192.168.2.0/24 gwy=wireguard1 table=main

This ensures that return internet traffic and return traffic from the subnets goes back out through the tunnel to the remote computer client.
If the traffic was back to a client router to a subnet, then one would have to create the subnet return route manually.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
I am assuming that on your windows wireguard client peer settings for the router, the allowed IPs is set to 0.0.0.0/0 which covers everything so nothing wrong there........
Often a windows firewall can get in the way.
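As an added example (not code from the thread, and not a MikroTik tool), the Python script below parses a RouterOS export, rejoining the backslash-wrapped lines, and checks it for the three points made in the reply above: an input accept keyed on a whole /24 instead of the single client host, the absence of an explicit forward accept from the tunnel into the LAN, and mac-server still allowed on LAN. The LAN subnet 192.168.1.0/24 and the interface name wireguard1 are taken from the rules in the reply and assumed to be the poster's; both sample exports are constructed for the example, not the poster's attachment.

```python
# Added example: lint a RouterOS export for the WireGuard firewall points above.
# Assumed (taken from the reply's rules): LAN is 192.168.1.0/24, tunnel is wireguard1.
import ipaddress
import shlex

LAN_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN subnet
WG_IFACE = "wireguard1"                             # assumed interface name

# Constructed "before" export: /24 input accept, no forward accept from the
# tunnel into the LAN, mac-server still open on LAN.
BEFORE = r"""
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment="allow WireGuard traffic" src-address=\
    192.168.2.0/24
add action=drop chain=input comment="drop all else"
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/tool mac-server
set allowed-interface-list=LAN
"""

# Constructed "after" export with the reply's suggestions applied.
AFTER = r"""
/ip firewall filter
add action=accept chain=input comment="allow WireGuard traffic" \
    src-address=192.168.2.2
add action=drop chain=input comment="drop all else"
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward in-interface=wireguard1 out-interface-list=WAN
add action=accept chain=forward in-interface=wireguard1 \
    dst-address=192.168.1.0/24 src-address=192.168.2.2
add action=accept chain=forward connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/tool mac-server
set allowed-interface-list=none
"""

def join_continuations(text):
    """Rejoin commands that the export wrapped with trailing backslashes."""
    commands, buf = [], ""
    for raw in text.splitlines():
        piece = raw.strip() if buf else raw.rstrip()  # continuation lines are indented
        if piece.endswith("\\"):
            buf += piece[:-1]
            continue
        buf += piece
        if buf.strip():
            commands.append(buf.strip())
        buf = ""
    return commands

def parse_export(text):
    """Return (section, command, {key: value}) for every command in the export."""
    section, entries = None, []
    for line in join_continuations(text):
        if line.startswith("/"):
            section = line
            continue
        tokens = shlex.split(line)  # handles the quoted comment= values
        props = dict(tok.partition("=")[::2] for tok in tokens[1:])
        entries.append((section, tokens[0], props))
    return entries

def _net(value):
    """Parse a plain address/prefix; None for typos, ranges or negated values."""
    try:
        return ipaddress.ip_network(value, strict=False)
    except ValueError:
        return None

def audit_export(text):
    """Return a list of findings; an empty list means all three checks passed."""
    findings, wg_to_lan = [], False
    for section, cmd, p in parse_export(text):
        if section == "/ip firewall filter" and cmd == "add":
            for key in ("src-address", "dst-address"):
                if key in p and _net(p[key]) is None:
                    findings.append(f"unparsable {key}={p[key]!r} in chain {p.get('chain')}")
            src, dst = _net(p.get("src-address", "")), _net(p.get("dst-address", ""))
            # Input accept keyed only on a whole network: narrow it to the client host.
            if (p.get("chain") == "input" and p.get("action") == "accept" and src
                    and src.num_addresses > 1
                    and not {"in-interface", "in-interface-list", "protocol", "dst-port"} & p.keys()):
                findings.append(f"input accept from whole network {src}; narrow to the peer's /32")
            # Explicit forward accept from the tunnel into the LAN.
            if (p.get("chain") == "forward" and p.get("action") == "accept"
                    and p.get("in-interface") == WG_IFACE and dst
                    and dst.version == LAN_NET.version and dst.subnet_of(LAN_NET)):
                wg_to_lan = True
        elif section == "/tool mac-server" and cmd == "set":
            if p.get("allowed-interface-list", "none") != "none":
                findings.append("mac-server allowed-interface-list should be none")
    if not wg_to_lan:
        findings.append(f"no forward accept from {WG_IFACE} into {LAN_NET}")
    return findings
```

Run `audit_export(BEFORE)` to get the three findings and `audit_export(AFTER)` to get an empty list; feeding it a rule with a mistyped address such as `192.168..2.2` produces an "unparsable" finding, which is the kind of slip that is easy to miss when copying rules by hand.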
 
MicaelAman
just joined
Topic Author
Posts: 2
Joined: Sat Sep 17, 2022 5:54 pm

Re: WireGuard on a new RB5009

Sun Sep 18, 2022 4:49 pm

Thanks for your reply.
I didn't manage to get it to work so I did a factory reset and started all over again.
Now it works. :)

Thanks for the help

Micael Åman
