Yes, I noticed that, but the connection does not exist. Every minute I get 2 KiB, give or take. I compared those values with my PC, which already has an active WireGuard connection, and there is a big difference in the values.
Works fine here.
In your screenshots I see counters on both Rx/Tx and "last handshake" values, so it seems a connection WAS established.
I would think THE CONNECTION itself is working, but perhaps DNS is not working?
What do you mean by "I don't have a connection"?
I tried your settings but still no connection.
Differences I see when I look at my settings in Android (and please provide a /wireguard export excluding the keys):
MTU left auto
Persistent keepalive left empty
What you can do (besides above):
Check if the firewall filter rule is hit
Check if the peer shows on the router
1- The duplicate rule is for testing purposes, so nothing significant.
(1) Why the duplicate pool?
/ip pool
add name=dhcp_pool1 ranges=192.168.10.2-192.168.10.200
add name=dhcp_pool2 ranges=192.168.10.2-192.168.10.200
add name=dhcp_pool3 ranges=192.168.1.100-192.168.1.150
add name=l2tp ranges=192.168.100.1-192.168.100.200
(2) What is the purpose of this rule?
add action=passthrough chain=forward
It's best practice to put all rules in one chain together so they are easy to read and less prone to error.
(3) Wouldn't hurt to add a forward chain rule:
add chain=forward action=accept in-interface=wireguard2 out-interface=ether1
The MTU on the client side must be lower than on the server side in order for this connection to work! However, I tried a lot of different values but to no avail.
Not that it probably makes a difference, but the MTU on the Android does not match the setting on the MT device.
Other than that I don't see the issue in plain sight.
I disabled my rules and put in your rules, and now I am out of Mikrotik, so your rules kicked me out, so now I have to go back to my office to disable the rule. My WireGuard tunnel that's already active on my Windows machine is now inactive, and I also can't reach my Mikrotik via public IP...
Nope, did not presume LAN list since the fellow seems to avoid lists, as you can see I added a wg-to-internet forward rule, but concur one small change to what I have would be needed.
I suppose one should change all WAN interface-list entries to interface=ether1 as well.
{Input Chain}
add action=accept chain=input comment="android handshake" dst-port=47222 protocol=udp
add action=accept chain=input comment="android dns udp" dst-port=53 protocol=udp
add action=accept chain=input comment="android dns tcp" dst-port=53 protocol=tcp
{forward chain}
add action=accept chain=forward comment="allow wg to internet" in-interface=wireguard out-interface=ether1
I do agree, if he used lists then
/interface list member
add interface=wireguard2 list=LAN
would simplify matters such that the three rules I created would not be required and would be covered by the already existing two rules.
{Input Chain}
add action=accept chain=input comment="android handshake" dst-port=47222 protocol=udp
add action=accept chain=input in-interface-list=LAN
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface=ether1
Hello Mr jvanhambelgium..!
0.0.0.0/0 is fine, I also have it on my Android phone (meaning = everything is pushed through the tunnel).
But remember, make sure your Mikrotik is configured correctly to allow this Wireguard client to make DNS lookups, and make sure it has NAT config to access the internet if the range of the Wireguard peer is different from your Mikrotik LAN/bridge range, etc.
Meaning, putting 0.0.0.0/0 has consequences! If you only put something like 192.168.0.0/16, then nothing destined for the "Internet" is going to the central Mikrotik! Only packets with destinations in 192.168.0.0/16.
I don't use any keepalives on my phone-config, that field is empty.
Hello Mr anav... so the connection is active again. If you want to add any info or advice, I am listening. Go ahead:
You are missing the interface list and interface list members in your config; otherwise you would not have been locked out.
If I had known you were going to get rid of all your rules I would have provided additional info.
Remember that once packets exit the "wireguard" interface there is the aspect of firewalling!
Hello Mr jvanhambelgium..!
So clearly enough it seems that I have a DNS problem in my config and I don't know on which side. So please can you clarify more what you mean by this sentence: "make sure your Mikrotik is configured correctly then to allow this Wireguard-client to make DNS-lookups"?
How can I enable this DNS lookup on my Mikrotik device?
This is my complete config.
Yes, post COMPLETE config:
/export (minus serial number and any public WANIP info)
/ip firewall filter
{Input Chain}
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else" *****
{forward chain}
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN
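An added example, not from the thread or from any poster: a small Python checker that applies the points anav raised to a RouterOS export text: the tunnel interface must be a LAN list member (or have explicit accept rules), the input chain must accept the WireGuard listen port before the catch-all drop, and a forward rule from the tunnel to WAN must exist. The sample export is constructed; the interface name wireguard and port 47222 come from the thread.

```python
import shlex

# Constructed sample export modelled on the rules posted in this thread (not a real
# device export): wireguard is missing from the LAN list and no input rule accepts the listen port.
SAMPLE_EXPORT = """\
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
/ip firewall filter
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward
"""

def parse_export(text):
    """Group the 'add key=value ...' lines of a RouterOS export into dicts per section."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("/"):
            current = sections.setdefault(line, [])
        elif line.startswith("add ") and current is not None:
            current.append(dict(t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t))
    return sections

def check_wireguard_rules(text, wg_iface="wireguard", wg_port="47222"):
    """Return the gaps that block a WireGuard peer or lock the admin out, as in the thread."""
    cfg = parse_export(text)
    in_lan = any(m.get("interface") == wg_iface and m.get("list") == "LAN"
                 for m in cfg.get("/interface list member", []))
    handshake = to_router = to_wan = False
    closed = set()  # chains whose catch-all drop has already been reached
    for r in cfg.get("/ip firewall filter", []):
        chain, accept = r.get("chain"), r.get("action") == "accept"
        if chain in closed:
            continue  # rules after the catch-all drop are never evaluated on the router either
        if r.get("action") == "drop" and set(r) <= {"action", "chain", "comment"}:
            closed.add(chain)  # drop with no matchers: nothing below it in this chain is reachable
            continue
        from_wg = r.get("in-interface") == wg_iface or (in_lan and r.get("in-interface-list") == "LAN")
        handshake |= chain == "input" and accept and r.get("protocol") == "udp" and r.get("dst-port") == wg_port
        to_router |= chain == "input" and accept and from_wg
        to_wan |= chain == "forward" and accept and from_wg
    return [msg for ok, msg in (
        (handshake, f"input: no accept for udp/{wg_port} (peer handshake) before the catch-all drop"),
        (to_router, f"input: nothing accepts traffic arriving on {wg_iface} (DNS to the router fails)"),
        (to_wan, f"forward: nothing accepts {wg_iface} -> WAN (needed with AllowedIPs 0.0.0.0/0)"),
    ) if not ok]
```

Run it against a real `/export` before removing rules; an empty list means all three paths are covered.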
I will, Mr anav..!
Ensure you let us know what the issue is when you find it please.
Hi, did you make any progress??