MT2
(1) The wg1 WireGuard IP address for MT2 is incorrect.
From:
/ip address
add address=192.168.7.1/24 comment=defconf interface=bridge network=192.168.7.0
add address=172.16.10.2 interface=wg1 network=172.16.10.0
TO:
/ip address
add address=192.168.7.1/24 comment=defconf interface=bridge network=192.168.7.0
add address=172.16.10.2/24 interface=wg1 network=172.16.10.0
(2) WHY DO you have this input chain rule on MT2??? The handshake is in the opposite direction, and plus you cannot receive such things as there is no public IP address??
add action=accept chain=input protocol=udp src-address="my public address" src-port=13231
Because I use the tutorial's site-to-site connection, where both MTs are using a public IP.
When the endpoint on MT1 is empty, there is no handshake in WireGuard….. I don’t know why…..
(3) There is no need for the extra source NAT rule on MT2; it can be removed. The allowed IPs on MT1 mean that you don't need to use source NAT: your LAN members will be welcome at MT1!!
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=wg1 out-interface-list=WAN protocol=udp
(4) The IP route to the MT1 subnet is great, but there is a slight config error!!!
From:
/ip route
add disabled=no distance=1 dst-address=192.68.1.0/24 gateway=wg1 pref-src="" routing-table=tablWG scope=\
30 suppress-hw-offload=no target-scope=10
TO:
/ip route
add disabled=no distance=1 dst-address=192.168.1.0/24 gateway=wg1 pref-src="" routing-table=tablWG scope=\
30 suppress-hw-offload=no target-scope=10
MT1
(4) Allowed IPs...... There is no requirement to fill in any endpoint address or endpoint port information; they should be removed!
/interface wireguard peers
add allowed-address=172.16.10.120/32 comment="Klient ipad" \
endpoint-address=193.239.58.35 endpoint-port=13231 interface=wireguard1 \
persistent-keepalive=10s public-key="i9QMyKH2aiZhRleIeKGUl0JUNABBq1I0W3IniXb12GA="
add allowed-address=172.16.10.2/32,192.168.7.0/24 comment="Testowy w domu" \
endpoint-address=193.239.58.35 endpoint-port=13231 \
interface=wireguard1 persistent-keepalive=5s public-key="Zi5xqAAQACtMQkOxohiXw8LPkiyIJNNYqdjmzHN/MUM="
The same as my answer above about the empty endpoint address…..
When these are empty, even the iOS client doesn’t work…. I don’t know why….. I attached the peer configuration for the mobile device.
682FC254-4CA0-4A68-BCBD-A4D4F046B747.jpeg
(5) Not sure what you are accomplishing with the SOURCE NAT RULES, but the one in yellow for WireGuard should be removed.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.10.0/24
add action=masquerade chain=srcnat dst-address=192.168.1.0/24 src-address=192.168.1.0/24
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.16.0/24
add action=masquerade chain=srcnat out-interface=ether1 src-address=172.16.10.0/24
(6) The IP routes are incomplete: missing the route to the subnet on M2!
/ip route
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway="Huawei Play USB"
add disabled=no dst-address=192.168.1.0/0 gateway="my public IP" routing-table=main suppress-hw-offload=no
add disabled=no dst-address=192.168.7.0/24 gateway=wireguard1