mokoko
just joined
Topic Author
Posts: 3
Joined: Fri Jun 03, 2022 12:28 pm

No routing between 2 LANs connected via wireguard and a linux server

Thu Sep 22, 2022 11:43 pm

Hi,
I am trying to connect 2 LANs that are behind firewalls/DSL lines and do not have public IPs. I have a Mikrotik on each LAN and want them to use a linux server with a public IP as a gateway using wireguard. IP-forwarding on the server is enabled.

LAN1/Mikrotik1: 10.253.108.1/24
LAN2/Mikrotik2: 10.253.109.1/24
I want the hosts in each LAN to be able to access the other LAN IP addresses. Eventually I want to add 2 more LAN segments.
The connection/routing should be done using wireguard, the server is (internal IP) 10.253.253.1, the Mikrotik routers are 10.253.253.108 and 10.253.253.109

- wireguard works perfectly
- the Mikrotiks can ping the server (10.253.253.1) and each other (10.253.253.108 and 10.253.253.109)
- from the linux server, I can ping the local LAN IPs (10.253.108.1 and the hosts on that LAN, same with 10.253.109.x)
- but I can't get one Mikrotik to reach the other one (or any hosts) on the LAN side. So I cannot ping 10.253.108.1 from Mikrotik2 and 10.253.109.1 from Mikrotik1.

I just spent 3 hours trying to figure out why, not understanding where the mistake is. Can anyone help me please?

Wireguard-Peers on the linux server:
[Peer]
PublicKey = XXXXX
AllowedIPs = 10.253.253.108/32, 10.253.108.0/24
PersistentKeepalive = 15
[Peer]
PublicKey = XXXXX
AllowedIPs = 10.253.253.109/32, 10.253.109.0/24
PersistentKeepalive = 15
Mikrotik1 config (other one is exactly the same, just 108/109 changed). Some details XXXX'd:
# sep/22/2022 22:12:00 by RouterOS 7.5
# software id = QH2C-IGET
#
# model = RB750Gr3
# serial number = 
/interface bridge
add admin-mac=XXXXX auto-mac=no comment=defconf name=bridge
/interface wireguard
add listen-port=53923 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=10.253.108.100-10.253.108.199
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=10.253.253.1/24 endpoint-address=XXXXX endpoint-port=XXXXX interface=wireguard1 persistent-keepalive=10s public-key="XXXXX"
/ip address
add address=10.253.253.108/24 interface=wireguard1 network=10.253.253.0
add address=10.253.108.1/24 interface=bridge network=10.253.108.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.253.108.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=10.253.108.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no distance=1 dst-address=10.253.109.0/24 gateway=10.253.253.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=Router_MT_108
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
add disabled=no down-script=\
    ":delay 15 \r\
    \n/interface/wireguard/disable wireguard1\r\
    \n:delay 1\r\
    \n/interface/wireguard/enable wireguard1\r\
    \n:log info \"WGPeer toggled\"\r\
    \n" host=10.253.253.1 http-codes="" interval=10s start-delay=20s test-script="" timeout=5s type=simple up-script=""
    
 
own3r1138
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades
Contact:

Re: No routing between 2 LANs connected via wireguard and a linux server

Fri Sep 23, 2022 2:01 am

 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: No routing between 2 LANs connected via wireguard and a linux server

Fri Sep 23, 2022 2:06 am

Please draw a network diagram as I cannot make heads or tails out of what you described.
Each LAN does not require a router, for example; how does a linux server have a public IP but the MT routers don't? Nothing makes sense.
 
mokoko
just joined
Topic Author
Posts: 3
Joined: Fri Jun 03, 2022 12:28 pm

Re: No routing between 2 LANs connected via wireguard and a linux server

Fri Sep 23, 2022 11:52 am

I read through that at least twice, but now this morning when I looked at it (again) and was comparing my configs (again) I realized I was missing the "allowed-address" parts for the remote subnet in the wireguard peers section. Sometimes it takes a night of sleep to see clearly again. It all works now.
/interface wireguard peers
add allowed-address=10.253.253.1/24,10.253.0.0/16 endpoint-address=XXXXX endpoint-port=XXXXX interface=wireguard1 \
    persistent-keepalive=10s public-key="XXXXX"
I was missing the 10.253.0.0/16 part above.
 
mokoko
just joined
Topic Author
Posts: 3
Joined: Fri Jun 03, 2022 12:28 pm

Re: No routing between 2 LANs connected via wireguard and a linux server

Fri Sep 23, 2022 11:54 am

Please draw a network diagram as I cannot make heads or tails out of what you described.
Each LAN does not require a router, for example; how does a linux server have a public IP but the MT routers don't? Nothing makes sense.
Here is a simple diagram.
Screenshot.png
I fixed the issue (see above), but I hope this helps others that want to create similar setups!
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: No routing between 2 LANs connected via wireguard and a linux server

Fri Sep 23, 2022 3:48 pm

Glad it's all working for you, so basically your MT devices are acting as routers, getting a private IP address from unreachable routers.
Hence they simply need to be able to get out to the internet to reach the server as you described.
Yup, pretty standard wireguard setup.
Allowed addresses, firewall rules and IP routes have to line up.

The server's allowed IPs should include the wireguard IP address of each peer (/32); the MT devices as peers should have the subnet of the wireguard IP network (/24) as the allowed IP address (this permits you as the admin to access the other MT router from another MT router, for example for pinging purposes).

That's the starting point, then add subnets that ALWAYS concern the other end (either the other end's subnets your local users will be reaching OR the other end's subnets that are coming to the local router).
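The "allowed addresses have to line up" rule from the posts above, and the exact reason the original peer line failed while the hub could still ping both LANs, can be replayed with a small model of WireGuard cryptokey routing. This is an added example, not the poster's configuration or any MikroTik or WireGuard code: it takes the hub's two [Peer] blocks and the MikroTik peer line (before and after the fix) from the thread, and follows a ping from a constructed LAN2 host (10.253.109.50, an assumption) to Mikrotik1's LAN address through Mikrotik2, the Linux hub and Mikrotik1. At every hop it applies the two checks WireGuard derives from allowed-ips / allowed-address: outbound, a packet goes to the peer whose allowed-ips covers its destination (longest prefix wins), and inbound, a decrypted packet is accepted only if its source is covered by the allowed-ips of the peer it arrived from. IP forwarding on the hub and the /ip route on each router are assumed present, as they were on the page, and are not modelled.

```python
"""Model WireGuard cryptokey routing for the hub-and-spoke setup in this thread.

Constructed example: the two checks WireGuard enforces per peer are
  outbound: a packet is handed to the peer whose allowed-ips covers its dst,
  inbound:  a decrypted packet is accepted only if its src is covered by the
            allowed-ips of the peer it came from.
Assumed (not modelled): IP forwarding on the hub and the /ip route on each
MikroTik pointing the other LAN at 10.253.253.1.
"""
import ipaddress
import re

# Copied from the thread: the hub's two [Peer] blocks (index 0 = Mikrotik1, 1 = Mikrotik2).
HUB_CONF = """
[Peer]
PublicKey = XXXXX
AllowedIPs = 10.253.253.108/32, 10.253.108.0/24
PersistentKeepalive = 15
[Peer]
PublicKey = XXXXX
AllowedIPs = 10.253.253.109/32, 10.253.109.0/24
PersistentKeepalive = 15
"""
# The MikroTik peer line before and after the fix (both routers use the same one).
MT_PEER_BEFORE = 'add allowed-address=10.253.253.1/24 interface=wireguard1 public-key="XXXXX"'
MT_PEER_AFTER = 'add allowed-address=10.253.253.1/24,10.253.0.0/16 interface=wireguard1 public-key="XXXXX"'


def parse_routeros_peer(line):
    """allowed-address list of a '/interface wireguard peers add ...' line."""
    nets = re.search(r"allowed-address=(\S+)", line).group(1).split(",")
    return [ipaddress.ip_network(n, strict=False) for n in nets]


def parse_wg_conf_peers(text):
    """One AllowedIPs list per [Peer] block of a wg-quick style config."""
    peers = []
    for block in re.split(r"\[Peer\]", text)[1:]:
        nets = re.search(r"AllowedIPs\s*=\s*(.+)", block).group(1).split(",")
        peers.append([ipaddress.ip_network(n.strip(), strict=False) for n in nets])
    return peers


def covered(nets, addr):
    """True if any network in nets contains addr."""
    return any(addr in n for n in nets)


def select_peer(peers, dst):
    """Outbound cryptokey routing: longest-prefix match of dst over all peers."""
    best = None
    for idx, nets in enumerate(peers):
        for n in nets:
            if dst in n and (best is None or n.prefixlen > best[1]):
                best = (idx, n.prefixlen)
    return None if best is None else best[0]


def one_way(src, dst, out_allowed, hub, from_idx, to_idx, in_allowed):
    """Follow one packet spoke -> hub -> spoke; returns (delivered, reason)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not covered(out_allowed, dst):
        return False, f"sending spoke: {dst} not in allowed-address, WireGuard drops it"
    if not covered(hub[from_idx], src):
        return False, f"hub: source {src} not in AllowedIPs of peer {from_idx}, rejected"
    if select_peer(hub, dst) != to_idx:
        return False, f"hub: no peer whose AllowedIPs covers {dst}"
    if not covered(in_allowed, src):
        return False, f"receiving spoke: source {src} not in allowed-address, rejected"
    return True, "delivered"


def lan_to_lan(mt_peer_line, src="10.253.109.50", dst="10.253.108.1"):
    """Ping request from a LAN2 host (constructed address) to Mikrotik1's LAN IP, plus the reply."""
    hub = parse_wg_conf_peers(HUB_CONF)
    mt = parse_routeros_peer(mt_peer_line)  # same peer definition on both routers
    ok, why = one_way(src, dst, mt, hub, 1, 0, mt)
    if not ok:
        return False, "request: " + why
    ok, why = one_way(dst, src, mt, hub, 0, 1, mt)
    return (True, "request and reply delivered") if ok else (False, "reply: " + why)


def hub_to_lan(mt_peer_line, dst="10.253.108.1"):
    """Ping from the hub itself (10.253.253.1), which worked even before the fix."""
    hub = parse_wg_conf_peers(HUB_CONF)
    mt = parse_routeros_peer(mt_peer_line)
    src = ipaddress.ip_address("10.253.253.1")
    if select_peer(hub, ipaddress.ip_address(dst)) is None:
        return False, f"hub: no peer whose AllowedIPs covers {dst}"
    if not covered(mt, src):
        return False, f"receiving spoke: source {src} not in allowed-address, rejected"
    return True, "delivered"


if __name__ == "__main__":
    for label, line in (("before fix", MT_PEER_BEFORE), ("after fix", MT_PEER_AFTER)):
        print(f"{label:10s} hub->LAN1:  {hub_to_lan(line)}")
        print(f"{label:10s} LAN2->LAN1: {lan_to_lan(line)}")
```

Run stand-alone it prints that the hub reaches LAN1 with either peer line (its source 10.253.253.1 sits inside the /24 that was always allowed), but LAN2 to LAN1 is dropped by the sending router before the fix because 10.253.108.1 is not inside any allowed-address, exactly the symptom in the first post. A host outside the hub's AllowedIPs for that peer (say 10.253.110.x behind Mikrotik2) is accepted by the router but rejected at the hub, which is the "both ends must line up" point: widening allowed-address on the router only helps for prefixes the hub's peer entry also lists.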
