I try to connect 2 LANs that are behind firewalls/DSL lines and do not have public IPs. I have a Mikrotik on each LAN and want them to use a linux server with a public IP as a gateway using wireguard. IP-forwarding on the server is enabled.
LAN1/Mikrotik1: 10.253.108.1/24
LAN2/Mikrotik2: 10.253.109.1/24
I want the hosts in each LAN to be able to access the other LAN IP addresses. Eventually I want to add 2 more LAN segments.
The connection/routing should be done using wireguard, the server is (internal IP) 10.253.253.1, the Mikrotik routers are 10.253.253.108 and 10.253.253.109
- wireguard works perfectly
- the Mikrotiks can ping the server (10.253.253.1 and each other 10.253.253.108 and 10.253.253.109)
- from the linux server, I can ping the local LAN IPs (10.253.108.1 and the hosts on that LAN, same with 10.253.109.x)
- but I can't get one Mikrotik to reach the other one (or any hosts) on the LAN side. So I cannot ping 10.253.108.1 from Mikrotik2 and 10.253.109.1 from Mikrotik1.
I just spent 3 hours trying to figure out why, not understanding where the mistake is. Can anyone help me please?
Wireguard-Peers on the linux server:
Code: Select all
[Peer]
PublicKey = XXXXX
AllowedIPs = 10.253.253.108/32, 10.253.108.0/24
PersistentKeepalive = 15
[Peer]
PublicKey = XXXXX
AllowedIPs = 10.253.253.109/32, 10.253.109.0/24
PersistentKeepalive = 15
Code: Select all
# sep/22/2022 22:12:00 by RouterOS 7.5
# software id = QH2C-IGET
#
# model = RB750Gr3
# serial number =
/interface bridge
add admin-mac=XXXXX auto-mac=no comment=defconf name=bridge
/interface wireguard
add listen-port=53923 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=10.253.108.100-10.253.108.199
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=10.253.253.1/24 endpoint-address=XXXXX endpoint-port=XXXXX interface=wireguard1 persistent-keepalive=10s public-key="XXXXX"
/ip address
add address=10.253.253.108/24 interface=wireguard1 network=10.253.253.0
add address=10.253.108.1/24 interface=bridge network=10.253.108.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.253.108.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=10.253.108.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no distance=1 dst-address=10.253.109.0/24 gateway=10.253.253.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=Router_MT_108
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
add disabled=no down-script=\
":delay 15 \r\
\n/interface/wireguard/disable wireguard1\r\
\n:delay 1\r\
\n/interface/wireguard/enable wireguard1\r\
\n:log info \"WGPeer toggled\"\r\
\n" host=10.253.253.1 http-codes="" interval=10s start-delay=20s test-script="" timeout=5s type=simple up-script=""