I have a Wireguard connection to devices, as well as an IP-Sec connection to another network via an existing FritzBox in the other network.
I can get from my internal network to the IP-Sec network via VPN without any problems, but I cannot get from a device connected via WireGuard to the FritzBox network.
Home network: 192.168.20.0/24
FritzBox (IP-Sec connection): 192.168.10.0/24
WireGuard: 192.168.22.0/24
I don't know what else I have to set for this to work, any help would be appreciated.
Code: Select all
# sep/18/2022 11:08:41 by RouterOS 7.5
# software id = ####
#
# model = RB760iGS
# serial number = ######
/interface bridge
add name=BRIDGE-LAN
/interface ethernet
set [ find default-name=ether5 ] poe-out=off
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard
/interface vlan
add interface=ether1 name=vlan7-pppoe vlan-id=7
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec peer
add address=########### exchange-mode=aggressive name=FritzBox
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-256,aes-192,aes-128
/ip pool
add name=dhcp ranges=192.168.20.10-192.168.20.200
/ip dhcp-server
add address-pool=dhcp interface=BRIDGE-LAN lease-time=1d name=DHCP-LAN
/port
set 0 name=serial0
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=ether1-pppoe profile=default-encryption use-peer-dns=yes user=#############@t-online.de
/interface bridge port
add bridge=BRIDGE-LAN interface=ether2
add bridge=BRIDGE-LAN interface=ether3
add bridge=BRIDGE-LAN interface=ether4
add bridge=BRIDGE-LAN interface=ether5
add bridge=BRIDGE-LAN interface=sfp1
/interface list member
add interface=BRIDGE-LAN list=LAN
add interface=ether1-pppoe list=WAN
add interface=wireguard list=LAN
/interface wireguard peers
add allowed-address=192.168.22.10/32 comment=Handy endpoint-address="" interface=wireguard public-key="########"
/ip address
add address=192.168.20.1/24 interface=BRIDGE-LAN network=192.168.20.0
add address=192.168.22.1/24 interface=wireguard network=192.168.22.0
/ip dhcp-client
add disabled=yes interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1 netmask=24 ntp-server=192.168.20.1 wins-server=192.168.20.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip firewall filter
add action=accept chain=input comment="Allow Access to Router Interface from IPSEC trusted Network" dst-address=192.168.10.0/24 src-address=192.168.20.0/24
add action=accept chain=input comment=Wireguard dst-address=192.168.10.0/24 src-address=192.168.22.0/24
add action=accept chain=input comment="WAN -> FW | WireGuard Zugriff erlauben" dst-port=13231 protocol=udp
add action=accept chain=input in-interface=wireguard
add action=accept chain=forward comment="VPN -> LAN | Netzwerkzugriff" dst-address=!192.168.22.0/24 in-interface=wireguard out-interface=all-ethernet
add action=accept chain=forward comment="WIREGUARD -> WAN | Internetzugriff" in-interface=wireguard out-interface=ether1
add action=drop chain=input comment="WAN -> FW | Ping blockieren" in-interface=all-ppp protocol=icmp
add action=accept chain=input comment="Allgemein Aufgebaute Verbindungen erlauben" connection-state=established
add action=accept chain=input connection-state=related
add action=accept chain=input comment="LAN -> FW | Zugriff zur Firewall erlauben" in-interface=BRIDGE-LAN
add action=drop chain=input comment="Allgemein | Alle ohne Verbindungsstatus blockieren"
add action=accept chain=forward comment="Allgemein | Aufgebaute Verbindungen erlauben"
add action=accept chain=forward comment="LAN -> WAN | Internetzugriff" in-interface=BRIDGE-LAN out-interface=ether1
add action=drop chain=forward comment="Allgemein | Alles andere verwerfen"
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat out-interface-list=WAN
add action=accept chain=srcnat comment="NAT BYPASS for IPSEC Tunnel" dst-address=192.168.10.0/24 src-address=192.168.20.0/24
add action=accept chain=srcnat comment=Wireguard dst-address=192.168.10.0/24 dst-limit=1,5,dst-address/1m40s limit=1,5:packet src-address=192.168.22.0/24 time=0s-1d,sun,mon,tue,wed,thu,fri,sat
/ip firewall raw
add action=notrack chain=prerouting comment="Fasttrack BYPASS for IPSec traffic " dst-address=192.168.20.0/24 src-address=192.168.10.0/24
add action=notrack chain=prerouting dst-address=192.168.10.0/24 src-address=192.168.20.0/24
add action=notrack chain=prerouting comment=Wireguard dst-address=192.168.22.0/24 src-address=192.168.10.0/24
add action=notrack chain=prerouting dst-address=192.168.10.0/24 src-address=192.168.22.0/24
/ip firewall service-port
set sip disabled=yes
/ip ipsec identity
add peer=FritzBox
/ip ipsec policy
add dst-address=192.168.10.0/24 peer=FritzBox src-address=192.168.20.0/24 tunnel=yes
/ip route
add disabled=yes distance=1 dst-address=192.168.178.0/24 gateway=ether1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no dst-address=0.0.0.0/0 gateway=ether1-pppoe pref-src="" routing-table=main suppress-hw-offload=no
/routing rule
add action=lookup disabled=no dst-address=192.168.10.0/24 interface=ether1 src-address=192.168.22.0/24 table=main
/system clock
set time-zone-name=Europe/Berlin
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes multicast=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
add address=3.pool.ntp.org