Newplay
just joined
Topic Author
Posts: 16
Joined: Sun Sep 18, 2022 12:10 pm
Location: Germany

Wireguard to IPSec VPN routing

Sun Sep 18, 2022 12:22 pm

Hello,
I have a WireGuard connection to devices, as well as an IPsec connection to another network via an existing FritzBox in that network.
I can get from my internal network to the IPsec network via VPN without any problems, but I cannot get from a device connected via WireGuard to the FritzBox network.

Home network: 192.168.20.0/24
FritzBox (IPsec connection): 192.168.10.0/24
WireGuard: 192.168.22.0/24

I don't know what else I have to set for this to work, any help would be appreciated.

# sep/18/2022 11:08:41 by RouterOS 7.5
# software id = ####
#
# model = RB760iGS
# serial number = ######
/interface bridge
add name=BRIDGE-LAN
/interface ethernet
set [ find default-name=ether5 ] poe-out=off
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard
/interface vlan
add interface=ether1 name=vlan7-pppoe vlan-id=7
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec peer
add address=########### exchange-mode=aggressive name=FritzBox
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-256,aes-192,aes-128
/ip pool
add name=dhcp ranges=192.168.20.10-192.168.20.200
/ip dhcp-server
add address-pool=dhcp interface=BRIDGE-LAN lease-time=1d name=DHCP-LAN
/port
set 0 name=serial0
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=ether1-pppoe profile=default-encryption use-peer-dns=yes user=#############@t-online.de
/interface bridge port
add bridge=BRIDGE-LAN interface=ether2
add bridge=BRIDGE-LAN interface=ether3
add bridge=BRIDGE-LAN interface=ether4
add bridge=BRIDGE-LAN interface=ether5
add bridge=BRIDGE-LAN interface=sfp1
/interface list member
add interface=BRIDGE-LAN list=LAN
add interface=ether1-pppoe list=WAN
add interface=wireguard list=LAN
/interface wireguard peers
add allowed-address=192.168.22.10/32 comment=Handy endpoint-address="" interface=wireguard public-key="########"
/ip address
add address=192.168.20.1/24 interface=BRIDGE-LAN network=192.168.20.0
add address=192.168.22.1/24 interface=wireguard network=192.168.22.0
/ip dhcp-client
add disabled=yes interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1 netmask=24 ntp-server=192.168.20.1 wins-server=192.168.20.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip firewall filter
add action=accept chain=input comment="Allow Access to Router Interface from IPSEC trusted Network" dst-address=192.168.10.0/24 src-address=192.168.20.0/24
add action=accept chain=input comment=Wireguard dst-address=192.168.10.0/24 src-address=192.168.22.0/24
add action=accept chain=input comment="WAN -> FW | WireGuard Zugriff erlauben" dst-port=13231 protocol=udp
add action=accept chain=input in-interface=wireguard
add action=accept chain=forward comment="VPN -> LAN | Netzwerkzugriff" dst-address=!192.168.22.0/24 in-interface=wireguard out-interface=all-ethernet
add action=accept chain=forward comment="WIREGUARD -> WAN | Internetzugriff" in-interface=wireguard out-interface=ether1
add action=drop chain=input comment="WAN -> FW | Ping blockieren" in-interface=all-ppp protocol=icmp
add action=accept chain=input comment="Allgemein Aufgebaute Verbindungen erlauben" connection-state=established
add action=accept chain=input connection-state=related
add action=accept chain=input comment="LAN -> FW | Zugriff zur Firewall erlauben" in-interface=BRIDGE-LAN
add action=drop chain=input comment="Allgemein | Alle ohne Verbindungsstatus blockieren"
add action=accept chain=forward comment="Allgemein | Aufgebaute Verbindungen erlauben"
add action=accept chain=forward comment="LAN -> WAN | Internetzugriff" in-interface=BRIDGE-LAN out-interface=ether1
add action=drop chain=forward comment="Allgemein | Alles andere verwerfen"
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat out-interface-list=WAN
add action=accept chain=srcnat comment="NAT BYPASS for IPSEC Tunnel" dst-address=192.168.10.0/24 src-address=192.168.20.0/24
add action=accept chain=srcnat comment=Wireguard dst-address=192.168.10.0/24 dst-limit=1,5,dst-address/1m40s limit=1,5:packet src-address=192.168.22.0/24 time=0s-1d,sun,mon,tue,wed,thu,fri,sat
/ip firewall raw
add action=notrack chain=prerouting comment="Fasttrack BYPASS for IPSec traffic " dst-address=192.168.20.0/24 src-address=192.168.10.0/24
add action=notrack chain=prerouting dst-address=192.168.10.0/24 src-address=192.168.20.0/24
add action=notrack chain=prerouting comment=Wireguard dst-address=192.168.22.0/24 src-address=192.168.10.0/24
add action=notrack chain=prerouting dst-address=192.168.10.0/24 src-address=192.168.22.0/24
/ip firewall service-port
set sip disabled=yes
/ip ipsec identity
add peer=FritzBox
/ip ipsec policy
add dst-address=192.168.10.0/24 peer=FritzBox src-address=192.168.20.0/24 tunnel=yes
/ip route
add disabled=yes distance=1 dst-address=192.168.178.0/24 gateway=ether1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no dst-address=0.0.0.0/0 gateway=ether1-pppoe pref-src="" routing-table=main suppress-hw-offload=no
/routing rule
add action=lookup disabled=no dst-address=192.168.10.0/24 interface=ether1 src-address=192.168.22.0/24 table=main
/system clock
set time-zone-name=Europe/Berlin
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes multicast=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
add address=3.pool.ntp.org
 
anav
Forum Guru
Posts: 19125
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard to IPSec VPN routing

Sun Sep 18, 2022 4:58 pm

So basically you have an incoming WireGuard remote user that ends up on the MikroTik router, and you now need to send that user out the IPsec tunnel.
BUT TO WHAT and to WHERE? The only logical answer is out to the internet??????

(1) not that it is likely needed but to be on the safe side no harm in adding the vlan also to the WAN list............
/interface list member add interface=vlan7-pppoe list=WAN

(2) Assuming you only have one wireguard peer (remote user coming into the Mikrotik), either a smart phone or windows client on a computer etc......

(3) Potential issues with your sourcenat settings..............
/ip firewall nat

add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat out-interface-list=WAN { duplicate }
add action=accept chain=srcnat comment="NAT BYPASS for IPSEC Tunnel" dst-address=192.168.10.0/24 src-address=192.168.20.0/24
add action=accept chain=srcnat comment=Wireguard dst-address=192.168.10.0/24 dst-limit=1,5,dst-address/1m40s limit=1,5:packet src-address=192.168.22.0/24 time=0s-1d,sun,mon,tue,wed,thu,fri,sat

This seems to be an unnecessary rule.................
You have a remote user coming onto the router with source address 192.168.22.10.
You want to replace that source address with the IPsec interface address?

Why not ( at least for now for testing )
add action=accept chain=srcnat src-address=192.168.22.10 out-interface=ipsec or
add action=accept chain=srcnat in-interface=wireguard out-interface=ipsec

The reason being, it's not clear to me that dst-address is actually useful in that rule, and the other stuff added is noise until we get the connection working.

(4) Your firewall rules are WHACKED, but until I get a clearer understanding of the requirement I cannot help much further. You have no ipsec allow rules on the input chain, for example............. Is your ipsec not hosted on the router, but you are connecting to some third-party ipsec provider?????

a. identify users/ groups of users
b. state what traffic they should be able to do and what they shouldn't be able to do

It's clear you have two VPNs on the go.
The purpose of wireguard is to enable remote users (currently one, supposedly you the admin) to:
a. access LAN devices etc.
b. admin to config the mikrotik remotely
c. ????????????? enter ipsec tunnel and do what, go where ????

d. do the local LAN users also go out the ipsec tunnel ?? if so do what, go where???

e. are any users coming over ipsec into the router ??
f. if so for what purpose, to access lan devices?
g. if so for admin to access config of router?
 
anav
Forum Guru
Posts: 19125
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard to IPSec VPN routing

Sun Sep 18, 2022 6:22 pm

More coherent firewall rules.......... where one doesn't mix up chains, so it's fricken readable!!! For starters!! And of course the usual missing rules......

/ip firewall filter

add action=accept chain=input comment="Allow Access to Router Interface from IPSEC trusted Network" dst-address=192.168.10.0/24 src-address=192.168.20.0/24
add action=accept chain=input comment=Wireguard dst-address=192.168.10.0/24 src-address=192.168.22.0/24
add action=accept chain=input comment="WAN -> FW | WireGuard Zugriff erlauben" dst-port=13231 protocol=udp
add action=accept chain=input in-interface=wireguard
add action=accept chain=forward comment="VPN -> LAN | Netzwerkzugriff" dst-address=!192.168.22.0/24 in-interface=wireguard out-interface=all-ethernet
add action=accept chain=forward comment="WIREGUARD -> WAN | Internetzugriff" in-interface=wireguard out-interface=ether1
add action=drop chain=input comment="WAN -> FW | Ping blockieren" in-interface=all-ppp protocol=icmp
add action=accept chain=input comment="Allgemein Aufgebaute Verbindungen erlauben" connection-state=established
add action=accept chain=input connection-state=related
add action=accept chain=input comment="LAN -> FW | Zugriff zur Firewall erlauben" in-interface=BRIDGE-LAN
add action=drop chain=input comment="Allgemein | Alle ohne Verbindungsstatus blockieren"
add action=accept chain=forward comment="Allgemein | Aufgebaute Verbindungen erlauben"
add action=accept chain=forward comment="LAN -> WAN | Internetzugriff" in-interface=BRIDGE-LAN out-interface=ether1
add action=drop chain=forward comment="Allgemein | Alles andere verwerfen"


/ip firewall filter
{Input Chain}
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="allow wireguard initial connection" dst-port=13231 protocol=udp
add action=accept chain=input in-interface-list=LAN src-address-list=Authorized comment="admin local and remote access"
add action=accept chain=input comment="Allow LAN DNS& NTP" dst-port=53,123 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS" dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"

**** Authorized is a firewall address list for those with access to config the router.
/ip firewall address-list
add address=192.168.22.10 list=Authorized comment="remote wireguard admin access"
add address=192.168.20.xx list=Authorized comment="local router admin access - desktop"
add address=192.168.20.yy list=Authorized comment="local router admin access - ipad"

{forward chain}
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface=BRIDGE-LAN out-interface-list=WAN
add action=accept chain=forward comment="allow wireguard to local subnet" in-interface=wireguard dst-address=192.168.20.0/24
add action=accept chain=forward comment="allow wireguard to ipsec tunnel" in-interface=wireguard dst-address=192.168.10.0/24
add action=accept chain=forward comment="allow dst-nat from both WAN and LAN (including port forwarding)" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

Get rid of all mangle rules and raw rules; they are getting in the way of success.
Once we have established traffic flow on both ipsec and subnets and wireguard, then we can look at whether or not they are required.
 
Newplay
just joined
Topic Author
Posts: 16
Joined: Sun Sep 18, 2022 12:10 pm
Location: Germany

Re: Wireguard to IPSec VPN routing

Sun Sep 18, 2022 11:53 pm

Why not ( at least for now for testing )
add action=accept chain=srcnat src-address=192.168.22.10 out-interface=ipsec or
add action=accept chain=srcnat in-interface=wireguard out-interface=ipsec
How do I create an interface for IPsec?

Why allow ICMP in the firewall? Isn't that stupid from outside?

Network A (Mikrotik Router): 192.168.20.0/24
Network B (FritzBox): 192.168.10.0/24
WireGuard (Via Mikrotik Router): 192.168.22.0/24

The IPsec connection is meant to join the two networks together (site-to-site).
However, only people from network A should be able to access B, not the other way around.
My cell phone should be able to access both networks (A and B) from outside (via WireGuard). Again, people from network B should not be able to access devices on the WireGuard network.

Everything has worked so far, except that my cell phone cannot access network B via WireGuard. It can only access network A.

Thanks for your help!
Jan
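One way to get the phone's WireGuard traffic through the existing 192.168.20.0/24 -> 192.168.10.0/24 policy without touching the FritzBox side, as an added example that is not from this thread or from MikroTik: source-NAT the WireGuard traffic bound for site B to the router's LAN address before the IPsec policy lookup, so the packets match the selector the FritzBox already accepts. It assumes the addresses from the thread, and that the raw notrack rules for 192.168.22.0/24 are removed, because NAT needs connection tracking.

```routeros
# Added example, not from the thread. Assumed addressing (from the posts above):
#   LAN 192.168.20.0/24 (router 192.168.20.1), WireGuard 192.168.22.0/24,
#   FritzBox site 192.168.10.0/24, one policy 192.168.20.0/24 <-> 192.168.10.0/24.
#
# Why the phone cannot reach site B: the only IPsec policy selects
# src 192.168.20.0/24 -> dst 192.168.10.0/24. A packet from 192.168.22.10 does not
# match, so it is never encrypted and leaves via the PPPoE default route instead.
# RouterOS runs srcnat before the IPsec policy lookup, so rewriting the source
# to 192.168.20.1 makes these packets match the existing policy; the replies come
# back to 192.168.20.1 and are un-NATed to the phone by connection tracking.

/ip firewall nat
# 1. WireGuard -> site B: hide behind the LAN address so the policy covers it.
#    place-before=0 puts the rule at the top, ahead of the masquerade rule.
add chain=srcnat src-address=192.168.22.0/24 dst-address=192.168.10.0/24 \
    action=src-nat to-addresses=192.168.20.1 \
    comment="WireGuard -> IPsec site via LAN address" place-before=0
# 2. LAN -> site B stays un-NATed; it already matches the policy as-is.
add chain=srcnat src-address=192.168.20.0/24 dst-address=192.168.10.0/24 \
    action=accept comment="NAT bypass for IPsec"
# 3. Everything else to the ISP is masqueraded, except packets an IPsec policy
#    will encrypt (ipsec-policy=out,none is the defconf safeguard for this).
add chain=srcnat out-interface-list=WAN ipsec-policy=out,none action=masquerade

/ip firewall filter
# Forward chain, in the order they are evaluated. Site B can only answer:
# nothing below accepts a new connection with in-interface other than
# wireguard or the LAN bridge, so B -> WireGuard and B -> LAN fall to the drop.
add chain=forward connection-state=established,related,untracked action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=wireguard dst-address=192.168.20.0/24 action=accept \
    comment="WireGuard -> LAN (site A)"
add chain=forward in-interface=wireguard dst-address=192.168.10.0/24 action=accept \
    comment="WireGuard -> FritzBox site (site B)"
add chain=forward in-interface=BRIDGE-LAN dst-address=192.168.10.0/24 action=accept \
    comment="LAN -> FritzBox site"
add chain=forward in-interface=BRIDGE-LAN out-interface-list=WAN action=accept
add chain=forward action=drop comment="drop all else"

/ip firewall raw
# Remove the notrack rules for 192.168.22.0/24 <-> 192.168.10.0/24: with
# connection tracking disabled, the src-nat above cannot work.
remove [ find src-address=192.168.22.0/24 dst-address=192.168.10.0/24 ]
remove [ find src-address=192.168.10.0/24 dst-address=192.168.22.0/24 ]
```

The phone's WireGuard profile must also list 192.168.10.0/24 in its AllowedIPs, otherwise the phone never sends that traffic into the tunnel in the first place.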
 
anav
Forum Guru
Posts: 19125
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard to IPSec VPN routing

Mon Sep 19, 2022 2:08 am

Yes, allowing ICMP is normal, more beneficial, and not all that harmful.

You didn't answer these questions, which I need if I am to help any further.........

1. NETWORK DIAGRAM please.

2. a. identify users/ groups of users
b. state what traffic they should be able to do and what they shouldn't be able to do

3. It's clear you have two VPNs on the go.
The purpose of wireguard is to enable remote users (currently one, supposedly you the admin) to:
a. access LAN devices etc.
b. admin to config the mikrotik remotely
c. ????????????? enter ipsec tunnel and do what, go where ????

d. do the local LAN users also go out the ipsec tunnel ?? if so do what, go where???

e. are any users coming over ipsec into the router ??
f. if so for what purpose, to access lan devices?
g. if so for admin to access config of router?
