TheLorc
Frequent Visitor
Topic Author
Posts: 82
Joined: Mon Jul 18, 2022 4:53 am

Wireguard connection won't work

Thu Oct 13, 2022 1:30 am

Hi guys,

Does anyone know if they can help me?

I have followed the following youtube video for Mikrotik Wireguard setup: https://www.youtube.com/watch?v=CH10spRyGpU

Essentially he gets you to set up a wireguard server, then a peer, then download wireguard on your remote PC, enter in public key, address, DNS, endpoint, allowedIPs and public key of the mikrotik wireguard.

Then he clicks activate and he is able to ping his server remotely.

However, I followed this and it won't work. Also, when I click activate on my remote PC I lose internet connection, which is not good either.

In the video he mentions you MAY have to add a firewall filter rule. He doesn't show this in the video because not all users will need to add this.

Does anyone know if that's why I can't connect?

I have tried to add a filter rule for DST port 13231 on interface ether1, which is what my WAN cable is connected to.

Thank you.
# oct/12/2022 23:26:46 by RouterOS 7.4
# software id = JCY8-AFLA
#
# model = RB2011iL
# serial number = E7DD0F73B4C5
/interface bridge
add admin-mac=DC:2C:6E:4C:59:6F auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether7 ] name=ether7-access
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    use-peer-dns=yes user=eircom
/interface wireguard
add listen-port=13231 mtu=1420 name=Mikrotik-Wireguard
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment=defconf name=MANAGE
add comment=defconf name=TRUSTED
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE dns-server=192.168.88.1 local-address=192.168.89.1 \
    remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=ether7-access list=MANAGE
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/interface wireguard peers
add allowed-address=192.168.34.3/32 interface=Mikrotik-Wireguard public-key=\
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.100.1/24 interface=*D network=192.168.100.0
add address=192.XX.XX.1/24 interface=Mikrotik-Wireguard network=192.XX.XX.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
add address=192.168.88.232 mac-address=00:21:9B:3C:13:ED server=defconf
add address=192.168.88.231 client-id=1:b4:2e:99:16:e1:d0 comment=\
    "Lorcan PC C1" mac-address=B4:2E:99:16:E1:D0 server=defconf
add address=192.168.88.218 client-id=1:0:1f:c1:1c:c9:80 mac-address=\
    00:1F:C1:1C:C9:80 server=defconf
add address=192.168.88.216 client-id=1:0:1f:c1:1c:c4:20 mac-address=\
    00:1F:C1:1C:C4:20 server=defconf
add address=192.168.88.215 client-id=1:0:1f:c1:1c:c4:1b mac-address=\
    00:1F:C1:1C:C4:1B server=defconf
add address=192.168.88.214 client-id=1:0:1f:c1:1c:c4:1c mac-address=\
    00:1F:C1:1C:C4:1C server=defconf
add address=192.168.88.213 client-id=1:0:1f:c1:1c:c4:8b mac-address=\
    00:1F:C1:1C:C4:8B server=defconf
add address=192.168.88.212 client-id=1:0:1f:c1:1c:c4:91 mac-address=\
    00:1F:C1:1C:C4:91 server=defconf
add address=192.168.88.211 client-id=1:0:1f:c1:1c:c9:7b mac-address=\
    00:1F:C1:1C:C9:7B server=defconf
add address=192.168.88.209 client-id=1:38:22:e2:9f:d:91 mac-address=\
    38:22:E2:9F:0D:91 server=defconf
add address=192.168.88.207 client-id=1:0:1f:c1:1c:c4:90 mac-address=\
    00:1F:C1:1C:C4:90 server=defconf
add address=192.168.88.206 client-id=1:0:1f:c1:1c:c4:8d mac-address=\
    00:1F:C1:1C:C4:8D server=defconf
add address=192.168.88.205 client-id=1:0:1f:c1:1c:c4:8f mac-address=\
    00:1F:C1:1C:C4:8F server=defconf
add address=192.168.88.204 client-id=1:0:1f:c1:1c:c4:92 mac-address=\
    00:1F:C1:1C:C4:92 server=defconf
add address=192.168.88.203 client-id=1:0:1f:c1:1c:c4:89 mac-address=\
    00:1F:C1:1C:C4:89 server=defconf
add address=192.168.88.202 client-id=1:0:1f:c1:1c:c4:1e comment=\
    "lorcan phone" mac-address=00:1F:C1:1C:C4:1E server=defconf
add address=192.168.88.201 client-id=1:0:1f:c1:1c:c4:22 mac-address=\
    00:1F:C1:1C:C4:22 server=defconf
add address=192.168.88.200 client-id=1:0:1f:c1:1c:c4:8c mac-address=\
    00:1F:C1:1C:C4:8C server=defconf
add address=192.168.88.199 client-id=1:0:1f:c1:1c:c4:1f mac-address=\
    00:1F:C1:1C:C4:1F server=defconf
add address=192.168.88.198 client-id=1:0:1f:c1:1c:c4:23 mac-address=\
    00:1F:C1:1C:C4:23 server=defconf
add address=192.168.88.196 client-id=1:90:9:d0:0:9:11 mac-address=\
    90:09:D0:00:09:11 server=defconf
add address=192.168.88.194 client-id=1:0:11:32:ae:a2:7f mac-address=\
    00:11:32:AE:A2:7F server=defconf
add address=192.168.88.165 client-id=1:0:1f:c1:1c:c4:8e mac-address=\
    00:1F:C1:1C:C4:8E server=defconf
add address=192.168.88.163 client-id=1:34:f6:2d:89:e4:82 mac-address=\
    34:F6:2D:89:E4:82 server=defconf
add address=192.168.88.154 client-id=1:0:1f:c1:1c:c4:8a mac-address=\
    00:1F:C1:1C:C4:8A server=defconf
add address=192.168.88.92 client-id=1:b8:ec:a3:fd:1d:1f mac-address=\
    B8:EC:A3:FD:1D:1F server=defconf
add address=192.168.88.91 client-id=1:b8:ec:a3:fd:1d:1c mac-address=\
    B8:EC:A3:FD:1D:1C server=defconf
add address=192.168.88.192 client-id=1:e0:91:f5:c0:c:88 mac-address=\
    E0:91:F5:C0:0C:88 server=defconf
add address=192.168.88.217 client-id=1:ec:8e:b5:d9:d7:82 comment="Joyce PC" \
    mac-address=EC:8E:B5:D9:D7:82 server=defconf
add address=192.168.88.27 mac-address=6C:2B:59:E6:FB:01 server=defconf
add address=192.168.88.38 client-id=1:0:11:32:b8:2c:31 comment=\
    "Backup server" mac-address=00:11:32:B8:2C:31 server=defconf
add address=192.168.88.48 client-id=1:48:2c:a0:79:49:22 comment=\
    "lorcan phone" mac-address=48:2C:A0:79:49:22 server=defconf
add address=192.168.88.104 client-id=1:80:5e:c0:a0:3:a3 comment=\
    "W60B DECT Base station" mac-address=80:5E:C0:A0:03:A3 server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="Wireguard 13231 port allowed" \
    dst-port=13231 in-interface=ether1 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward
/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.88.0/24 src-address=\
    192.168.88.0/24
add action=src-nat chain=srcnat ipsec-policy=out,none out-interface=ether1 \
    to-addresses=XX.XX.XX.XX
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="FreePBX Media UDP" dst-address=\
    XX.XX.XX.XX dst-port=2000-65001 protocol=udp to-addresses=192.168.88.27 \
    to-ports=2000-65001
add action=dst-nat chain=dstnat comment="FreePBX WebGUI" dst-address=\
    XX.XX.XX.XX dst-port=8080 protocol=tcp to-addresses=192.168.88.27 \
    to-ports=8080
add action=dst-nat chain=dstnat comment="FreePBX LetsEncrypt" dst-address=\
    XX.XX.XX.XX dst-port=80 protocol=tcp to-addresses=192.168.88.194 \
    to-ports=80
add action=dst-nat chain=dstnat comment="FreePBX Tunnel TCP" dst-address=\
    XX.XX.XX.XX dst-port=5090 protocol=tcp to-addresses=192.168.88.27 \
    to-ports=5090
add action=dst-nat chain=dstnat comment="FreePBX SIP TCP" dst-address=\
    XX.XX.XX.XX dst-port=5060 protocol=tcp to-addresses=192.168.88.27 \
    to-ports=5060
add action=dst-nat chain=dstnat comment="FreePBX SIP TLS" dst-address=\
    XX.XX.XX.XX dst-port=5061 protocol=tcp to-addresses=192.168.88.27 \
    to-ports=5061
add action=dst-nat chain=dstnat dst-address=XX.XX.XX.XX dst-port=5500-5501 \
    protocol=tcp to-addresses=192.168.88.194 to-ports=5500-5501
add action=dst-nat chain=dstnat dst-address=XX.XX.XX.XX dst-port=443 \
    protocol=tcp to-addresses=192.168.88.194 to-ports=443
/ip firewall service-port
set sip disabled=yes sip-timeout=59w3d15h
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ppp secret
add name=vpn profile=default-encryption
/system clock
set time-zone-name=Europe/Dublin
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
EDIT: In my Addresses section, my wireguard address says Invalid. Could this be why?
 
anav
Forum Guru
Posts: 19125
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard connection won't work

Thu Oct 13, 2022 3:41 am

You should avoid youtube sometimes LOL.
Read this. - viewtopic.php?t=182340

(1) Well, there is your problem: you don't have numbers for your wireguard IP address.
add address=192.XX.XX.1/24 interface=Mikrotik-Wireguard network=192.XX.XX.0

It should be
add address=192.168.34.1/24 interface=Mikrotik-Wireguard network=192.168.34.0

(2) Not sure what you wish to accomplish with your wireguard connection.
If you want to access local subnets:

add chain=forward action=accept in-interface=Mikrotik-Wireguard out-interface-list=LAN

If you want to access the router to config:
add chain=input action=accept in-interface=Mikrotik-Wireguard

If you want to access the internet:
add chain=forward action=accept in-interface=Mikrotik-Wireguard out-interface-list=WAN
 
holvoetn
Forum Guru
Posts: 5422
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wireguard connection won't work

Thu Oct 13, 2022 6:20 am

@anav:
knowing where you came from with respect to using IP addresses, there might be hope for this world :lol:

OP:
Why all the VPN protocols? Disable the ones you do not use (and remove the accompanying filter rules in the firewall).

This rule might have to be looked at as well:
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
Either add Wireguard to the LAN list or change that rule from =!LAN to =WAN (the last option will also allow Trusted).
It is the same result as anav's second suggestion for adding filter rules.
 
TheLorc
Frequent Visitor
Topic Author
Posts: 82
Joined: Mon Jul 18, 2022 4:53 am

Re: Wireguard connection won't work

Thu Oct 13, 2022 10:08 am

You should avoid youtube sometimes LOL.
Read this. - viewtopic.php?t=182340

(1) Well, there is your problem: you don't have numbers for your wireguard IP address.
add address=192.XX.XX.1/24 interface=Mikrotik-Wireguard network=192.XX.XX.0

It should be
add address=192.168.34.1/24 interface=Mikrotik-Wireguard network=192.168.34.0

(2) Not sure what you wish to accomplish with your wireguard connection.
If you want to access local subnets:

add chain=forward action=accept in-interface=Mikrotik-Wireguard out-interface-list=LAN

If you want to access the router to config:
add chain=input action=accept in-interface=Mikrotik-Wireguard

If you want to access the internet:
add chain=forward action=accept in-interface=Mikrotik-Wireguard out-interface-list=WAN
I put the XX in myself as I thought it was needed, lol, my bad. In reality I have exactly what you wrote in there.
 
anav
Forum Guru
Posts: 19125
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard connection won't work

Thu Oct 13, 2022 2:03 pm

I know, it was a joke recommendation. :-)
Don't overcomplicate your input rules.

What I would do is when learning wireguard not to get fancy with assigning it to an interface list (unless it was necessary and there are some cases where it is).

I do agree with holvoetn, but I would suggest something similar but better for the last two rules of the input chain, and it is good practice.
add action=accept chain=input comment="allow all from LAN" \
in-interface-list=LAN
THEN
add action=drop chain=input comment="drop all else"

The concept of using the drop rule at the end means you only need to explicitly allow traffic above that for admin created rules.
 
TheLorc
Frequent Visitor
Topic Author
Posts: 82
Joined: Mon Jul 18, 2022 4:53 am

Re: Wireguard connection won't work

Thu Oct 13, 2022 6:55 pm

@anav:
knowing where you came from with respect to using IP addresses, there might be hope for this world :lol:

OP:
Why all the VPN protocols? Disable the ones you do not use (and remove the accompanying filter rules in the firewall).

This rule might have to be looked at as well:
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
Either add Wireguard to the LAN list or change that rule from =!LAN to =WAN (the last option will also allow Trusted).
It is the same result as anav's second suggestion for adding filter rules.
I am not sure what you mean by disabling VPN protocols and the filter rules in the firewall. The only VPN protocol I understand I have is the single one in Wireguard?

I have added Wireguard to the LAN list now.
 
TheLorc
Frequent Visitor
Topic Author
Posts: 82
Joined: Mon Jul 18, 2022 4:53 am

Re: Wireguard connection won't work

Thu Oct 13, 2022 7:18 pm

I know, it was a joke recommendation. :-)
Don't overcomplicate your input rules.

What I would do is when learning wireguard not to get fancy with assigning it to an interface list (unless it was necessary and there are some cases where it is).

I do agree with holvoetn, but I would suggest something similar but better for the last two rules of the input chain, and it is good practice.
add action=accept chain=input comment="allow all from LAN" \
in-interface-list=LAN
THEN
add action=drop chain=input comment="drop all else"

The concept of using the drop rule at the end means you only need to explicitly allow traffic above that for admin created rules.
I tried to the best of my ability to do what you said; I am not sure if you want me to include holvoetn's rules or not. I have both your and holvoetn's rules in the Firewall rules.

Not sure why, but it still won't work.

Just to clarify, the reason for wireguard is for remote users to be able to access our NAS located in our office.

Also, it would ideally not disrupt their work, i.e. they must have internet while using Wireguard. Currently, when I activate wireguard, I lose internet connection and can't ping 192.168.34.1 (the wireguard IP).

I have attached a picture of my ipconfig. For some reason the 192.168.34.1 wireguard network does not have a gateway assigned. I would have thought it should say 192.168.34.1 as the gateway?
# oct/13/2022 17:13:26 by RouterOS 7.4
# software id = JCY8-AFLA
#
# model = RB2011iL
# serial number = E7DD0F73B4C5
/interface bridge
add admin-mac=DC:2C:6E:4C:59:6F auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether7 ] name=ether7-access
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    use-peer-dns=yes user=eircom
/interface wireguard
add listen-port=13231 mtu=1420 name=Mikrotik-Wireguard
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment=defconf name=MANAGE
add comment=defconf name=TRUSTED
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE dns-server=192.168.88.1 local-address=192.168.89.1 \
    remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=ether7-access list=MANAGE
add interface=Mikrotik-Wireguard list=LAN
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/interface wireguard peers
add allowed-address=192.168.34.3/32 comment=LorcanMams interface=\
    Mikrotik-Wireguard public-key=\
    "jLbALqM7akuY5n/pf6BX4KS+M0Cge9/YInS1DuWu0zY="
add allowed-address=192.168.34.4/32 comment=LorcanCEI interface=\
    Mikrotik-Wireguard public-key=\
    "MMiReqkDPxyZXEMQAFcSAgIRixm/t+KHIEvzbI/oDnY="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.100.1/24 interface=*D network=192.168.100.0
add address=192.168.34.1/24 interface=Mikrotik-Wireguard network=192.168.34.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
add address=192.168.88.232 mac-address=00:21:9B:3C:13:ED server=defconf
add address=192.168.88.231 client-id=1:b4:2e:99:16:e1:d0 comment=\
    "Lorcan PC C1" mac-address=B4:2E:99:16:E1:D0 server=defconf
add address=192.168.88.218 client-id=1:0:1f:c1:1c:c9:80 mac-address=\
    00:1F:C1:1C:C9:80 server=defconf
add address=192.168.88.216 client-id=1:0:1f:c1:1c:c4:20 mac-address=\
    00:1F:C1:1C:C4:20 server=defconf
add address=192.168.88.215 client-id=1:0:1f:c1:1c:c4:1b mac-address=\
    00:1F:C1:1C:C4:1B server=defconf
add address=192.168.88.214 client-id=1:0:1f:c1:1c:c4:1c mac-address=\
    00:1F:C1:1C:C4:1C server=defconf
add address=192.168.88.213 client-id=1:0:1f:c1:1c:c4:8b mac-address=\
    00:1F:C1:1C:C4:8B server=defconf
add address=192.168.88.212 client-id=1:0:1f:c1:1c:c4:91 mac-address=\
    00:1F:C1:1C:C4:91 server=defconf
add address=192.168.88.211 client-id=1:0:1f:c1:1c:c9:7b mac-address=\
    00:1F:C1:1C:C9:7B server=defconf
add address=192.168.88.209 client-id=1:38:22:e2:9f:d:91 mac-address=\
    38:22:E2:9F:0D:91 server=defconf
add address=192.168.88.207 client-id=1:0:1f:c1:1c:c4:90 mac-address=\
    00:1F:C1:1C:C4:90 server=defconf
add address=192.168.88.206 client-id=1:0:1f:c1:1c:c4:8d mac-address=\
    00:1F:C1:1C:C4:8D server=defconf
add address=192.168.88.205 client-id=1:0:1f:c1:1c:c4:8f mac-address=\
    00:1F:C1:1C:C4:8F server=defconf
add address=192.168.88.204 client-id=1:0:1f:c1:1c:c4:92 mac-address=\
    00:1F:C1:1C:C4:92 server=defconf
add address=192.168.88.203 client-id=1:0:1f:c1:1c:c4:89 mac-address=\
    00:1F:C1:1C:C4:89 server=defconf
add address=192.168.88.202 client-id=1:0:1f:c1:1c:c4:1e comment=\
    "lorcan phone" mac-address=00:1F:C1:1C:C4:1E server=defconf
add address=192.168.88.201 client-id=1:0:1f:c1:1c:c4:22 mac-address=\
    00:1F:C1:1C:C4:22 server=defconf
add address=192.168.88.200 client-id=1:0:1f:c1:1c:c4:8c mac-address=\
    00:1F:C1:1C:C4:8C server=defconf
add address=192.168.88.199 client-id=1:0:1f:c1:1c:c4:1f mac-address=\
    00:1F:C1:1C:C4:1F server=defconf
add address=192.168.88.198 client-id=1:0:1f:c1:1c:c4:23 mac-address=\
    00:1F:C1:1C:C4:23 server=defconf
add address=192.168.88.196 client-id=1:90:9:d0:0:9:11 mac-address=\
    90:09:D0:00:09:11 server=defconf
add address=192.168.88.194 client-id=1:0:11:32:ae:a2:7f mac-address=\
    00:11:32:AE:A2:7F server=defconf
add address=192.168.88.165 client-id=1:0:1f:c1:1c:c4:8e mac-address=\
    00:1F:C1:1C:C4:8E server=defconf
add address=192.168.88.163 client-id=1:34:f6:2d:89:e4:82 mac-address=\
    34:F6:2D:89:E4:82 server=defconf
add address=192.168.88.154 client-id=1:0:1f:c1:1c:c4:8a mac-address=\
    00:1F:C1:1C:C4:8A server=defconf
add address=192.168.88.92 client-id=1:b8:ec:a3:fd:1d:1f mac-address=\
    B8:EC:A3:FD:1D:1F server=defconf
add address=192.168.88.91 client-id=1:b8:ec:a3:fd:1d:1c mac-address=\
    B8:EC:A3:FD:1D:1C server=defconf
add address=192.168.88.192 client-id=1:e0:91:f5:c0:c:88 mac-address=\
    E0:91:F5:C0:0C:88 server=defconf
add address=192.168.88.217 client-id=1:ec:8e:b5:d9:d7:82 comment="Joyce PC" \
    mac-address=EC:8E:B5:D9:D7:82 server=defconf
add address=192.168.88.27 mac-address=6C:2B:59:E6:FB:01 server=defconf
add address=192.168.88.38 client-id=1:0:11:32:b8:2c:31 comment=\
    "Backup server" mac-address=00:11:32:B8:2C:31 server=defconf
add address=192.168.88.48 client-id=1:48:2c:a0:79:49:22 comment=\
    "lorcan phone" mac-address=48:2C:A0:79:49:22 server=defconf
add address=192.168.88.104 client-id=1:80:5e:c0:a0:3:a3 comment=\
    "W60B DECT Base station" mac-address=80:5E:C0:A0:03:A3 server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="Wireguard 13231 port allowed" \
    dst-port=13231 in-interface=ether1 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward
add action=accept chain=forward in-interface=Mikrotik-Wireguard \
    out-interface-list=LAN
add action=accept chain=forward in-interface=Mikrotik-Wireguard \
    out-interface-list=WAN
add action=accept chain=input comment="allow all from LAN" in-interface-list=\
    LAN
add action=drop chain=input comment="dropp all else"
/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.88.0/24 src-address=\
    192.168.88.0/24
add action=src-nat chain=srcnat ipsec-policy=out,none out-interface=ether1 \
    to-addresses=XX.XX.XX.XX
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="FreePBX Media UDP" dst-address=\
    XX.XX.XX.XX dst-port=2000-65001 protocol=udp to-addresses=192.168.88.27 \
    to-ports=2000-65001
add action=dst-nat chain=dstnat comment="FreePBX WebGUI" dst-address=\
    XX.XX.XX.XX dst-port=8080 protocol=tcp to-addresses=192.168.88.27 \
    to-ports=8080
add action=dst-nat chain=dstnat comment="FreePBX LetsEncrypt" dst-address=\
    XX.XX.XX.XX dst-port=80 protocol=tcp to-addresses=192.168.88.194 \
    to-ports=80
add action=dst-nat chain=dstnat comment="FreePBX Tunnel TCP" dst-address=\
    XX.XX.XX.XX dst-port=5090 protocol=tcp to-addresses=192.168.88.27 \
    to-ports=5090
add action=dst-nat chain=dstnat comment="FreePBX SIP TCP" dst-address=\
    XX.XX.XX.XX dst-port=5060 protocol=tcp to-addresses=192.168.88.27 \
    to-ports=5060
add action=dst-nat chain=dstnat comment="FreePBX SIP TLS" dst-address=\
    XX.XX.XX.XX dst-port=5061 protocol=tcp to-addresses=192.168.88.27 \
    to-ports=5061
add action=dst-nat chain=dstnat dst-address=XX.XX.XX.XX dst-port=5500-5501 \
    protocol=tcp to-addresses=192.168.88.194 to-ports=5500-5501
add action=dst-nat chain=dstnat dst-address=XX.XX.XX.XX dst-port=443 \
    protocol=tcp to-addresses=192.168.88.194 to-ports=443
/ip firewall service-port
set sip disabled=yes sip-timeout=59w3d15h
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ppp secret
add name=vpn profile=default-encryption
/system clock
set time-zone-name=Europe/Dublin
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
I think I will start deleting all the rules from the firewall, or factory reset the device and see if it can work with a basic MikroTik WireGuard setup. If it works then I know it's a problem with my config.
 
anav
Forum Guru
Posts: 19125
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Wireguard connection won't work

Thu Oct 13, 2022 8:45 pm

Your requirements are NOT clear with respect to internet.
If you mean that at the client you wish to still access the internet at the local site, that is a function of your client setup, be it an Android phone, iOS phone, Windows laptop, MT client device, etc.

If you mean you want all client traffic to be able to reach the NAS server AND also reach the internet via the MT Server router, that is different.

Please clarify.
 
TheLorc
Frequent Visitor
Topic Author
Posts: 82
Joined: Mon Jul 18, 2022 4:53 am

Re: Wireguard connection won't work

Thu Oct 13, 2022 9:03 pm

Well, it would be good to have both (as in a choice between them), but to be honest the main reason I am setting this up is so people can access our NAS when working from home or working in a foreign country, etc.

So it doesn't really matter; most people won't need to access the internet through the MT server, so I would say let them access it via their own internet.

Also, just to say: I factory reset the device and followed the steps to set up MikroTik WireGuard. It didn't work, and I still have the default gateway as 0.0.0.0. I cannot ping the WireGuard server (now set to 192.168.32.1), and I lose internet too. In case this was a problem with firewall rules, I added two rules:

add action=accept chain=input dst-port=13231 in-interface=ether1 protocol=udp
add action=accept chain=input dst-port=13231 in-interface=ether1 protocol=tcp

Still it won't work.

Thank you for your help; I'm really not sure what is wrong given that I factory reset it.
# oct/13/2022 19:01:50 by RouterOS 7.4
# software id = JCY8-AFLA
#
# model = RB2011iL
# serial number = E7DD0F73B4C5
/interface bridge
add admin-mac=DC:2C:6E:4C:59:6F auto-mac=no comment=defconf name=bridge
/interface wireguard
add listen-port=13231 mtu=1420 name=Mikrotik-Wireguard
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=192.168.32.3/32 interface=Mikrotik-Wireguard public-key=\
    "1v2dly75+mHinTIfBCHuPI4BES4fj7Y2j67SLtYBwEQ="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.32.1/24 interface=Mikrotik-Wireguard network=192.168.32.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input dst-port=13231 in-interface=ether1 protocol=udp
add action=accept chain=input dst-port=13231 in-interface=ether1 protocol=tcp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
#error exporting /ip/ssh
#interrupted
EDIT: Also, this is my wireguard config incase it matters
Last edited by TheLorc on Thu Oct 13, 2022 9:05 pm, edited 1 time in total.
 
holvoetn
Forum Guru
Posts: 5422
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wireguard connection won't work

Thu Oct 13, 2022 9:05 pm

Can you also show config from the other side ?
Especially the wireguard part.
 
TheLorc
Frequent Visitor
Topic Author
Posts: 82
Joined: Mon Jul 18, 2022 4:53 am

Re: Wireguard connection won't work

Thu Oct 13, 2022 9:06 pm

I am not 100% sure what you mean, but I assume you mean the WireGuard Windows client info. I have attached it in case that is what you mean. Thank you.
 
holvoetn
Forum Guru
Posts: 5422
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wireguard connection won't work

Thu Oct 13, 2022 9:12 pm

Assumptions (since it is not shown):
- Public key of Mikrotik peer = public key shown on top of PC client - please confirm
- Public key of PC peer = public key used on Mikrotik Wireguard interface - please confirm

If both are correct, do you see packets flowing in the status of the peer (both TX and RX should move)?
If not:
Are you SURE your device acting as "WG server" is reachable on that port from outside, on the IP address masked in the PC settings? REALLY SURE?
How do you know?

- this one is not needed, Wireguard is UDP only
add action=accept chain=input dst-port=13231 in-interface=ether1 protocol=tcp
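On the "how do you know" question: WireGuard never answers a packet that is not a valid handshake for a known peer, so a port scan of UDP 13231 reports open|filtered whether the listener is there or not. What does tell you something is a capture on the WAN interface (for example /tool sniffer on the MikroTik, or tcpdump on the client side) restricted to UDP port 13231: a client trying to connect sends 148-byte handshake-initiation messages, and a server that receives them and has the matching keys answers each with a 92-byte handshake-response. The classifier below is an added example, not code from this thread or from MikroTik; it labels captured UDP payloads by the type byte and the fixed message sizes defined by the WireGuard protocol, and the sample payloads are constructed here.

```python
# Fixed message types and lengths from the WireGuard protocol: a type byte,
# three reserved zero bytes, then a body of known size. Transport data
# (type 4) is a 16-byte header plus 16-byte-aligned AEAD ciphertext, so any
# length >= 32 that is a multiple of 16 is valid.
MSG_TYPES = {
    1: ("handshake-initiation", 148),
    2: ("handshake-response", 92),
    3: ("cookie-reply", 64),
    4: ("transport-data", None),
}

def classify(payload: bytes) -> str:
    """Label one UDP payload, or return 'not-wireguard'."""
    if len(payload) < 32 or payload[1:4] != b"\x00\x00\x00":
        return "not-wireguard"
    name, fixed_len = MSG_TYPES.get(payload[0], (None, None))
    if name is None:
        return "not-wireguard"
    if fixed_len is not None:
        return name if len(payload) == fixed_len else "not-wireguard"
    return name if len(payload) % 16 == 0 else "not-wireguard"

def diagnose(flows):
    """flows: (direction, payload) pairs captured on the WAN interface for UDP
    port 13231; 'in' = arriving from the client, 'out' = sent by the router.
    Returns which stage of the connection is failing."""
    labels = {(d, classify(p)) for d, p in flows}
    if ("in", "handshake-initiation") not in labels:
        return "no initiation reaches the router: upstream NAT, ISP filtering or wrong endpoint"
    if ("out", "handshake-response") not in labels:
        return "initiation arrives but the router stays silent: firewall/dstnat on the port, or key mismatch"
    return "handshake completes: the problem is routing or AllowedIPs, not reachability"

# Constructed sample payloads: correct type byte and length, dummy bodies.
def sample(msg_type, length):
    return bytes([msg_type, 0, 0, 0]) + bytes((i * 7) % 256 for i in range(length - 4))

SAMPLE_INIT = sample(1, 148)
SAMPLE_RESP = sample(2, 92)
SAMPLE_OTHER = b"\x12\x34\x01\x00" + b"\x00" * 40   # a non-WireGuard UDP payload

if __name__ == "__main__":
    print(diagnose([("in", SAMPLE_OTHER)]))
    print(diagnose([("in", SAMPLE_INIT)]))
    print(diagnose([("in", SAMPLE_INIT), ("out", SAMPLE_RESP)]))
```

The silent-on-failure case is the important one: an initiation that arrives but gets no response means the packet was lost inside the router (dropped in the input chain, or redirected by a dst-nat rule before input was consulted) or the keys on the two sides do not correspond; a port probe cannot distinguish those from a dead listener.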
 
TheLorc
Frequent Visitor
Topic Author
Posts: 82
Joined: Mon Jul 18, 2022 4:53 am

Re: Wireguard connection won't work

Thu Oct 13, 2022 9:21 pm

Sorry, I probably didn't need to blank out the public key lol

Here is the info attached.

Also, just to say. I removed from the original wireguard windows config the line "AllowedIPs = 0.0.0.0/0"

This has turned ipconfig to say:

Unknown adapter LorcanCEI:

Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.32.3
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :

I am now able to access the internet and ping 192.168.32.1. However, I am not currently on a remote PC to test it properly, but it might be the problem?

As a side note, can you help me with regards to restoring from an .rsc file?

What do I enter in the command line? I know its a very simple task but I can't see how to do it.

My .rsc file I got today is: export_13oct_no2

To clarify I got this by typing: /export hide-sensitive file=export_13oct_no2

How do I restore? Typing /import file=export_13oct_no2.rsc does not work and returns "failure: already have interface with such name"
 
holvoetn
Forum Guru
Posts: 5422
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wireguard connection won't work

Thu Oct 13, 2022 9:35 pm

You cannot restore from an export with hide-sensitive; too much is missing.
But interface definitions etc. are included, and since they are already present, you get an error. And the first error makes it stop.

When I restore from an rsc, I usually wipe the device to the default config, then import with a text editor alongside, copying/pasting into the terminal those pieces which are not present by default.

You need an allowed address in the PC client: at the very least the endpoint of your WireGuard interface, and additionally the NAS you want to have reachable.
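AllowedIPs does two different jobs in WireGuard's cryptokey routing, and both show up in this thread. On the client it decides which destinations are sent into the tunnel at all: with 0.0.0.0/0 every packet, internet included, goes to the peer (so internet dies whenever the tunnel is not up), and with the line removed the adapter shows no gateway and nothing is tunnelled. On the MikroTik, the peer's allowed-address is an authorisation list: a decrypted packet from that peer whose inner source address falls outside it is silently dropped, and reply traffic to addresses outside it is never sent through that peer. The model below is an added example, not code from the thread or from WireGuard itself; the addresses mirror the posted config (192.168.32.0/24 tunnel, 192.168.88.0/24 LAN, NAS at 192.168.88.194, the PC peer at 192.168.32.3/32) and the peer names are made up.

```python
import ipaddress

def select_peer(allowed_ips, dst):
    """Client side: an outbound packet goes to the peer whose AllowedIPs holds
    the longest prefix containing dst; None means it is not tunnelled and
    follows the host's ordinary routes instead."""
    dst = ipaddress.ip_address(dst)
    best = None
    for peer, prefixes in allowed_ips.items():
        for net in map(ipaddress.ip_network, prefixes):
            if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (peer, net)
    return best[0] if best else None

def accept_inbound(allowed_ips, peer, inner_src):
    """Server side: after decrypting a packet from `peer`, WireGuard drops it
    unless the inner IP source is inside that peer's allowed addresses."""
    src = ipaddress.ip_address(inner_src)
    return any(src in ipaddress.ip_network(p) for p in allowed_ips.get(peer, ()))

def tunnelled(allowed_ips, destinations):
    """Map each destination to the peer it would be sent to (or None)."""
    return {d: select_peer(allowed_ips, d) for d in destinations}

# Constructed client-side tables; the peer name "office" is made up.
CLIENT_FULL = {"office": ["0.0.0.0/0"]}                           # original Windows config
CLIENT_NONE = {"office": []}                                      # AllowedIPs line removed
CLIENT_SPLIT = {"office": ["192.168.32.0/24", "192.168.88.0/24"]}  # tunnel subnet + LAN only

# Server-side table from the posted "/interface wireguard peers"; name made up.
SERVER_PEERS = {"windows-pc": ["192.168.32.3/32"]}

DESTS = ["192.168.32.1", "192.168.88.194", "8.8.8.8"]

if __name__ == "__main__":
    for label, table in (("0.0.0.0/0", CLIENT_FULL), ("none", CLIENT_NONE), ("split", CLIENT_SPLIT)):
        print(label, tunnelled(table, DESTS))
    print("inner src 192.168.32.3 accepted:", accept_inbound(SERVER_PEERS, "windows-pc", "192.168.32.3"))
    print("inner src 192.168.32.99 accepted:", accept_inbound(SERVER_PEERS, "windows-pc", "192.168.32.99"))
```

The server-side check is why the client's interface address has to be exactly the address in the MikroTik peer entry (192.168.32.3 here): a client that picks another address inside 192.168.32.0/24 completes the handshake but every data packet it sends is discarded.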
 
anav
Forum Guru
Posts: 19125
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Wireguard connection won't work

Thu Oct 13, 2022 9:44 pm

The order of your firewall rules is important; it's a tad messed up. I will fix it to show you what it should look like.

Also, if the intent is to use WireGuard to allow access to the NAS server, and potentially other devices on the subnet at some time, then on the client devices ensure you have
allowed IPs=192.168.32.0/24,192.168.88.0/24

Then on the MT Device,
add action=accept chain=forward in-interface=Mikrotik-Wireguard dst-address=IPofNASserver

from:
/ip firewall filter
add action=accept chain=input dst-port=13231 in-interface=ether1 protocol=udp
add action=accept chain=input dst-port=13231 in-interface=ether1 protocol=tcp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN


TO:
/ip firewall filter
[INPUT CHAIN]
{default rules}
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
{admin rules}
add action=accept chain=input dst-port=13231 in-interface=ether1 protocol=udp
add action=accept chain=input comment="allow LAN traffic" in-interface-list=LAN
add action=drop chain=input comment="drop all else"
[ FORWARD CHAIN ]
{default rules}
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
{admin rules}
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward in-interface=Mikrotik-Wireguard dst-address=192.168.88.37
add action=accept chain=forward connection-nat-state=dstnat \
    comment="allow port forwarding"
add action=drop chain=forward comment="drop all else"
 
TheLorc
Frequent Visitor
Topic Author
Posts: 82
Joined: Mon Jul 18, 2022 4:53 am

Re: Wireguard connection won't work

Fri Oct 14, 2022 1:38 pm

Hi Anav,

I have now applied the config you posted above.

I have also added some firewall NAT rules, as I believe they were needed for our phone system, although for some reason the phone system worked despite not having these NAT rules after I factory reset? For example, forwarding port 5060 to the FreePBX server... Somehow, after factory resetting, this firewall NAT rule was not in place and yet the phone system was working. Still not sure how.

I believe I have set it up correctly, as I copy-pasted your configuration in, only changing the rule

add action=accept chain=forward in-interface=MIkrotik-Wireguard dst-address=192.168.88.37

into

add action=accept chain=forward in-interface=MIkrotik-Wireguard dst-address=192.168.88.194

As this is the IP of the NAS.

On the remote PC, I still can't even ping the IP of the WireGuard interface (192.168.32.1), never mind see the server in File Explorer.

On my local PC, I am able to ping 192.168.32.1 and 192.168.88.1, etc. I can see the file server in File Explorer, but that's probably through 192.168.88.1, not 192.168.32.1.

I will look back through this thread and see if I am missing any firewall rules. Is the setup more complicated for a remote PC (external to my LAN) to access the local network? I am pretty sure the setup I followed in the YouTube video was for this exact use case, so it probably should be working.

Edit: I have added a picture of wireguard setup on remote PC and my code for mikrotik:
# oct/14/2022 11:39:51 by RouterOS 7.4
# software id = JCY8-AFLA
#
# model = RB2011iL
# serial number = 
/interface bridge
add admin-mac=DC:2C:6E:4C:59:6F auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether7 ] name=ether7-access
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out2 \
    use-peer-dns=yes user=eircom
/interface wireguard
add listen-port=13231 mtu=1420 name=Mikrotik-Wireguard
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7-access
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out2 list=WAN
/interface wireguard peers
add allowed-address=192.168.32.13/32 comment=LM_WORK interface=\
    Mikrotik-Wireguard public-key=\
    "1v2dly75+mHinTIfBCHuPI4BES4fj7Y2j67SLtYBwEQ="
add allowed-address=192.168.32.14/32 comment=PL_DEGAUSSING interface=\
    Mikrotik-Wireguard public-key=\
    "Ef1ggbDHRWhgBiBfP2NVctEmU9eiJ9VNWd3LV3/aUm4="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.32.1/24 interface=Mikrotik-Wireguard network=192.168.32.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.88.216 client-id=1:0:1f:c1:1c:c4:20 mac-address=\
    00:1F:C1:1C:C4:20 server=defconf
add address=192.168.88.215 client-id=1:0:1f:c1:1c:c4:1b mac-address=\
    00:1F:C1:1C:C4:1B server=defconf
add address=192.168.88.200 client-id=1:0:1f:c1:1c:c4:8c mac-address=\
    00:1F:C1:1C:C4:8C server=defconf
add address=192.168.88.165 client-id=1:0:1f:c1:1c:c4:8e mac-address=\
    00:1F:C1:1C:C4:8E server=defconf
add address=192.168.88.202 client-id=1:0:1f:c1:1c:c4:1e mac-address=\
    00:1F:C1:1C:C4:1E server=defconf
add address=192.168.88.204 client-id=1:0:1f:c1:1c:c4:92 mac-address=\
    00:1F:C1:1C:C4:92 server=defconf
add address=192.168.88.214 client-id=1:0:1f:c1:1c:c4:1c mac-address=\
    00:1F:C1:1C:C4:1C server=defconf
add address=192.168.88.212 client-id=1:0:1f:c1:1c:c4:91 mac-address=\
    00:1F:C1:1C:C4:91 server=defconf
add address=192.168.88.203 client-id=1:0:1f:c1:1c:c4:89 mac-address=\
    00:1F:C1:1C:C4:89 server=defconf
add address=192.168.88.206 client-id=1:0:1f:c1:1c:c4:8d mac-address=\
    00:1F:C1:1C:C4:8D server=defconf
add address=192.168.88.205 client-id=1:0:1f:c1:1c:c4:8f mac-address=\
    00:1F:C1:1C:C4:8F server=defconf
add address=192.168.88.207 client-id=1:0:1f:c1:1c:c4:90 mac-address=\
    00:1F:C1:1C:C4:90 server=defconf
add address=192.168.88.198 client-id=1:0:1f:c1:1c:c4:23 mac-address=\
    00:1F:C1:1C:C4:23 server=defconf
add address=192.168.88.218 client-id=1:0:1f:c1:1c:c9:80 mac-address=\
    00:1F:C1:1C:C9:80 server=defconf
add address=192.168.88.213 client-id=1:0:1f:c1:1c:c4:8b mac-address=\
    00:1F:C1:1C:C4:8B server=defconf
add address=192.168.88.154 client-id=1:0:1f:c1:1c:c4:8a mac-address=\
    00:1F:C1:1C:C4:8A server=defconf
add address=192.168.88.199 client-id=1:0:1f:c1:1c:c4:1f mac-address=\
    00:1F:C1:1C:C4:1F server=defconf
add address=192.168.88.211 client-id=1:0:1f:c1:1c:c9:7b mac-address=\
    00:1F:C1:1C:C9:7B server=defconf
add address=192.168.88.38 client-id=1:0:11:32:b8:2c:31 mac-address=\
    00:11:32:B8:2C:31 server=defconf
add address=192.168.88.196 client-id=1:90:9:d0:0:9:11 mac-address=\
    90:09:D0:00:09:11 server=defconf
add address=192.168.88.27 mac-address=6C:2B:59:E6:FB:01 server=defconf
add address=192.168.88.194 client-id=1:0:11:32:ae:a2:7f mac-address=\
    00:11:32:AE:A2:7F server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input dst-port=13231 in-interface=ether1 protocol=udp
add action=accept chain=input comment="allow LAN traffic" in-interface-list=\
    LAN
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward dst-address=192.168.88.194 in-interface=\
    Mikrotik-Wireguard
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat dst-address=192.168.88.0/24 src-address=\
    192.168.88.0/24
add action=src-nat chain=srcnat ipsec-policy=out,none out-interface=ether1 \
    to-addresses=XX.XX.XX.XX
add action=dst-nat chain=dstnat comment="FreePBX Media UDP" dst-address=\
    XX.XX.XX.XX dst-port=2000-65001 protocol=udp to-addresses=192.168.88.27 \
    to-ports=2000-65001
add action=dst-nat chain=dstnat comment="FreePBX LetsEncrypt" dst-address=\
    XX.XX.XX.XX dst-port=80 protocol=tcp to-addresses=192.168.88.194 \
    to-ports=80
add action=dst-nat chain=dstnat comment="FreePBX Tunnel TCP" dst-address=\
    XX.XX.XX.XX dst-port=5090 protocol=tcp to-addresses=192.168.88.27 \
    to-ports=5090
add action=dst-nat chain=dstnat comment="FreePBX SIP TCP" dst-address=\
    XX.XX.XX.XX dst-port=5060 protocol=tcp to-addresses=192.168.88.27 \
    to-ports=5060
add action=dst-nat chain=dstnat comment="FreePBX SIP TLS" dst-address=\
    XX.XX.XX.XX dst-port=5061 protocol=tcp to-addresses=192.168.88.27 \
    to-ports=5061
add action=dst-nat chain=dstnat comment="NAS access" dst-address=XX.XX.XX.XX \
    dst-port=5500-5501 protocol=tcp to-addresses=192.168.88.194 to-ports=\
    5500-5501
/ip firewall service-port
set sip disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Dublin
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Thank you for your help
Last edited by TheLorc on Fri Oct 14, 2022 1:54 pm, edited 2 times in total.
 
anav
Forum Guru
Posts: 19125
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Wireguard connection won't work

Fri Oct 14, 2022 1:41 pm

Please post the complete config of the MT WireGuard server device:
/export (minus serial number and any public WANIP info)

And the settings on the remote device you are using.
Also confirm from the remote device that you can ping the MT on the normal WAN side (before attempting a tunnel).
 
TheLorc
Frequent Visitor
Frequent Visitor
Posts: 82
Joined: Mon Jul 18, 2022 4:53 am

Re: Wireguard connection won't work

Fri Oct 14, 2022 1:57 pm

I have attached a picture of the WireGuard config on the remote device.

Also, the code is below.

"Also confirm from the remote device that you can ping the MT on the normal WAN side (before attempting a tunnel)."

I believe by this you mean to ping my public IP without WireGuard being activated. In Command Prompt on the remote device, when I ping the public IP I get a reply.
# oct/14/2022 11:39:51 by RouterOS 7.4
# software id = JCY8-AFLA
#
# model = RB2011iL
# serial number = 
/interface bridge
add admin-mac=DC:2C:6E:4C:59:6F auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether7 ] name=ether7-access
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out2 \
    use-peer-dns=yes user=eircom
/interface wireguard
add listen-port=13231 mtu=1420 name=Mikrotik-Wireguard
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7-access
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out2 list=WAN
/interface wireguard peers
add allowed-address=192.168.32.13/32 comment=LM_WORK interface=\
    Mikrotik-Wireguard public-key=\
    "1v2dly75+mHinTIfBCHuPI4BES4fj7Y2j67SLtYBwEQ="
add allowed-address=192.168.32.14/32 comment=PL_DEGAUSSING interface=\
    Mikrotik-Wireguard public-key=\
    "Ef1ggbDHRWhgBiBfP2NVctEmU9eiJ9VNWd3LV3/aUm4="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.32.1/24 interface=Mikrotik-Wireguard network=192.168.32.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.88.216 client-id=1:0:1f:c1:1c:c4:20 mac-address=\
    00:1F:C1:1C:C4:20 server=defconf
add address=192.168.88.215 client-id=1:0:1f:c1:1c:c4:1b mac-address=\
    00:1F:C1:1C:C4:1B server=defconf
add address=192.168.88.200 client-id=1:0:1f:c1:1c:c4:8c mac-address=\
    00:1F:C1:1C:C4:8C server=defconf
add address=192.168.88.165 client-id=1:0:1f:c1:1c:c4:8e mac-address=\
    00:1F:C1:1C:C4:8E server=defconf
add address=192.168.88.202 client-id=1:0:1f:c1:1c:c4:1e mac-address=\
    00:1F:C1:1C:C4:1E server=defconf
add address=192.168.88.204 client-id=1:0:1f:c1:1c:c4:92 mac-address=\
    00:1F:C1:1C:C4:92 server=defconf
add address=192.168.88.214 client-id=1:0:1f:c1:1c:c4:1c mac-address=\
    00:1F:C1:1C:C4:1C server=defconf
add address=192.168.88.212 client-id=1:0:1f:c1:1c:c4:91 mac-address=\
    00:1F:C1:1C:C4:91 server=defconf
add address=192.168.88.203 client-id=1:0:1f:c1:1c:c4:89 mac-address=\
    00:1F:C1:1C:C4:89 server=defconf
add address=192.168.88.206 client-id=1:0:1f:c1:1c:c4:8d mac-address=\
    00:1F:C1:1C:C4:8D server=defconf
add address=192.168.88.205 client-id=1:0:1f:c1:1c:c4:8f mac-address=\
    00:1F:C1:1C:C4:8F server=defconf
add address=192.168.88.207 client-id=1:0:1f:c1:1c:c4:90 mac-address=\
    00:1F:C1:1C:C4:90 server=defconf
add address=192.168.88.198 client-id=1:0:1f:c1:1c:c4:23 mac-address=\
    00:1F:C1:1C:C4:23 server=defconf
add address=192.168.88.218 client-id=1:0:1f:c1:1c:c9:80 mac-address=\
    00:1F:C1:1C:C9:80 server=defconf
add address=192.168.88.213 client-id=1:0:1f:c1:1c:c4:8b mac-address=\
    00:1F:C1:1C:C4:8B server=defconf
add address=192.168.88.154 client-id=1:0:1f:c1:1c:c4:8a mac-address=\
    00:1F:C1:1C:C4:8A server=defconf
add address=192.168.88.199 client-id=1:0:1f:c1:1c:c4:1f mac-address=\
    00:1F:C1:1C:C4:1F server=defconf
add address=192.168.88.211 client-id=1:0:1f:c1:1c:c9:7b mac-address=\
    00:1F:C1:1C:C9:7B server=defconf
add address=192.168.88.38 client-id=1:0:11:32:b8:2c:31 mac-address=\
    00:11:32:B8:2C:31 server=defconf
add address=192.168.88.196 client-id=1:90:9:d0:0:9:11 mac-address=\
    90:09:D0:00:09:11 server=defconf
add address=192.168.88.27 mac-address=6C:2B:59:E6:FB:01 server=defconf
add address=192.168.88.194 client-id=1:0:11:32:ae:a2:7f mac-address=\
    00:11:32:AE:A2:7F server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input dst-port=13231 in-interface=ether1 protocol=udp
add action=accept chain=input comment="allow LAN traffic" in-interface-list=\
    LAN
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward dst-address=192.168.88.194 in-interface=\
    Mikrotik-Wireguard
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat dst-address=192.168.88.0/24 src-address=\
    192.168.88.0/24
add action=src-nat chain=srcnat ipsec-policy=out,none out-interface=ether1 \
    to-addresses=XX.XX.XX.XX
add action=dst-nat chain=dstnat comment="FreePBX Media UDP" dst-address=\
    XX.XX.XX.XX dst-port=2000-65001 protocol=udp to-addresses=192.168.88.27 \
    to-ports=2000-65001
add action=dst-nat chain=dstnat comment="FreePBX LetsEncrypt" dst-address=\
    XX.XX.XX.XX dst-port=80 protocol=tcp to-addresses=192.168.88.194 \
    to-ports=80
add action=dst-nat chain=dstnat comment="FreePBX Tunnel TCP" dst-address=\
    XX.XX.XX.XX dst-port=5090 protocol=tcp to-addresses=192.168.88.27 \
    to-ports=5090
add action=dst-nat chain=dstnat comment="FreePBX SIP TCP" dst-address=\
    XX.XX.XX.XX dst-port=5060 protocol=tcp to-addresses=192.168.88.27 \
    to-ports=5060
add action=dst-nat chain=dstnat comment="FreePBX SIP TLS" dst-address=\
    XX.XX.XX.XX dst-port=5061 protocol=tcp to-addresses=192.168.88.27 \
    to-ports=5061
add action=dst-nat chain=dstnat comment="NAS access" dst-address=XX.XX.XX.XX \
    dst-port=5500-5501 protocol=tcp to-addresses=192.168.88.194 to-ports=\
    5500-5501
/ip firewall service-port
set sip disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Dublin
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Posts: 19125
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard connection won't work

Fri Oct 14, 2022 3:13 pm

(1) On your MT router, modify the input chain rule.
From:
add action=accept chain=input dst-port=13231 in-interface=ether1 protocol=udp
To EITHER:
add action=accept chain=input dst-port=13231 in-interface-list=WAN protocol=udp
OR:
add action=accept chain=input dst-port=13231 in-interface=pppoe-out2 protocol=udp

(2) For the client device DNS setting, put in 192.168.32.1

(3) While you're at it, and assuming all the WAN client stuff for PPPoE is done in the PPPoE settings, you should remove this:
/ip dhcp-client
add comment=defconf interface=ether1

(4) Disable or get rid of this rule:
add action=src-nat chain=srcnat ipsec-policy=out,none out-interface=ether1 \
to-addresses=XX.XX.XX.XX
 
TheLorc
Frequent Visitor
Topic Author
Posts: 82
Joined: Mon Jul 18, 2022 4:53 am

Re: Wireguard connection won't work

Fri Oct 14, 2022 4:20 pm

(1) On your MT router, modify the input chain rule.
From:
add action=accept chain=input dst-port=13231 in-interface=ether1 protocol=udp
To EITHER:
add action=accept chain=input dst-port=13231 in-interface-list=WAN protocol=udp
OR:
add action=accept chain=input dst-port=13231 in-interface=pppoe-out2 protocol=udp

(2) For the client device DNS setting, put in 192.168.32.1

(3) While you're at it, and assuming all the WAN client stuff for PPPoE is done in the PPPoE settings, you should remove this:
/ip dhcp-client
add comment=defconf interface=ether1

(4) Disable or get rid of this rule:
add action=src-nat chain=srcnat ipsec-policy=out,none out-interface=ether1 \
to-addresses=XX.XX.XX.XX
It seems that I am now able to get 'Sent' data on the WireGuard remote PC client. I have attached the setup and then an overview which shows traffic data.

As you can see, it says 'Transfer: 0 B received, 3.47 KiB sent'; previously both of these were zero. However, in MikroTik -> WireGuard -> Peers, both peers set up say 0 KB Tx and Rx. The Mikrotik-Wireguard interface in MikroTik -> Interfaces -> Interface List also has no Tx or Rx data (i.e. it is zero).

So the data seems to be getting sent somewhere, but not to the WireGuard interface?

Just to note, I can't see the NAS in File Explorer, or any other devices on the network, and I can't ping 192.168.32.1 (Request timed out).
# oct/14/2022 14:12:28 by RouterOS 7.4
# software id = JCY8-AFLA
#
# model = RB2011iL
# serial number = 
/interface bridge
add admin-mac=DC:2C:6E:4C:59:6F auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether7 ] name=ether7-access
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out2 \
    use-peer-dns=yes user=eircom
/interface wireguard
add listen-port=13231 mtu=1420 name=Mikrotik-Wireguard
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7-access
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out2 list=WAN
/interface wireguard peers
add allowed-address=192.168.32.13/32 comment=LM_WORK interface=\
    Mikrotik-Wireguard public-key=\
    "1v2dly75+mHinTIfBCHuPI4BES4fj7Y2j67SLtYBwEQ="
add allowed-address=192.168.32.14/32 comment=PL_DEGAUSSING interface=\
    Mikrotik-Wireguard public-key=\
    "Ef1ggbDHRWhgBiBfP2NVctEmU9eiJ9VNWd3LV3/aUm4="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.32.1/24 interface=Mikrotik-Wireguard network=192.168.32.0
/ip dhcp-server lease
add address=192.168.88.216 client-id=1:0:1f:c1:1c:c4:20 mac-address=\
    00:1F:C1:1C:C4:20 server=defconf
add address=192.168.88.215 client-id=1:0:1f:c1:1c:c4:1b mac-address=\
    00:1F:C1:1C:C4:1B server=defconf
add address=192.168.88.200 client-id=1:0:1f:c1:1c:c4:8c mac-address=\
    00:1F:C1:1C:C4:8C server=defconf
add address=192.168.88.165 client-id=1:0:1f:c1:1c:c4:8e mac-address=\
    00:1F:C1:1C:C4:8E server=defconf
add address=192.168.88.202 client-id=1:0:1f:c1:1c:c4:1e mac-address=\
    00:1F:C1:1C:C4:1E server=defconf
add address=192.168.88.204 client-id=1:0:1f:c1:1c:c4:92 mac-address=\
    00:1F:C1:1C:C4:92 server=defconf
add address=192.168.88.214 client-id=1:0:1f:c1:1c:c4:1c mac-address=\
    00:1F:C1:1C:C4:1C server=defconf
add address=192.168.88.212 client-id=1:0:1f:c1:1c:c4:91 mac-address=\
    00:1F:C1:1C:C4:91 server=defconf
add address=192.168.88.203 client-id=1:0:1f:c1:1c:c4:89 mac-address=\
    00:1F:C1:1C:C4:89 server=defconf
add address=192.168.88.206 client-id=1:0:1f:c1:1c:c4:8d mac-address=\
    00:1F:C1:1C:C4:8D server=defconf
add address=192.168.88.205 client-id=1:0:1f:c1:1c:c4:8f mac-address=\
    00:1F:C1:1C:C4:8F server=defconf
add address=192.168.88.207 client-id=1:0:1f:c1:1c:c4:90 mac-address=\
    00:1F:C1:1C:C4:90 server=defconf
add address=192.168.88.198 client-id=1:0:1f:c1:1c:c4:23 mac-address=\
    00:1F:C1:1C:C4:23 server=defconf
add address=192.168.88.218 client-id=1:0:1f:c1:1c:c9:80 mac-address=\
    00:1F:C1:1C:C9:80 server=defconf
add address=192.168.88.213 client-id=1:0:1f:c1:1c:c4:8b mac-address=\
    00:1F:C1:1C:C4:8B server=defconf
add address=192.168.88.154 client-id=1:0:1f:c1:1c:c4:8a mac-address=\
    00:1F:C1:1C:C4:8A server=defconf
add address=192.168.88.199 client-id=1:0:1f:c1:1c:c4:1f mac-address=\
    00:1F:C1:1C:C4:1F server=defconf
add address=192.168.88.211 client-id=1:0:1f:c1:1c:c9:7b mac-address=\
    00:1F:C1:1C:C9:7B server=defconf
add address=192.168.88.38 client-id=1:0:11:32:b8:2c:31 mac-address=\
    00:11:32:B8:2C:31 server=defconf
add address=192.168.88.196 client-id=1:90:9:d0:0:9:11 mac-address=\
    90:09:D0:00:09:11 server=defconf
add address=192.168.88.27 mac-address=6C:2B:59:E6:FB:01 server=defconf
add address=192.168.88.194 client-id=1:0:11:32:ae:a2:7f mac-address=\
    00:11:32:AE:A2:7F server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input dst-port=13231 in-interface-list=WAN protocol=\
    udp
add action=accept chain=input comment="allow LAN traffic" in-interface-list=\
    LAN
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward dst-address=192.168.88.194 in-interface=\
    Mikrotik-Wireguard
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat dst-address=192.168.88.0/24 src-address=\
    192.168.88.0/24
add action=dst-nat chain=dstnat comment="FreePBX Media UDP" dst-address=\
    XX.XX.XX.XX dst-port=2000-65001 protocol=udp to-addresses=192.168.88.27 \
    to-ports=2000-65001
add action=dst-nat chain=dstnat comment="FreePBX LetsEncrypt" dst-address=\
    XX.XX.XX.XX dst-port=80 protocol=tcp to-addresses=192.168.88.194 \
    to-ports=80
add action=dst-nat chain=dstnat comment="FreePBX Tunnel TCP" dst-address=\
    XX.XX.XX.XX dst-port=5090 protocol=tcp to-addresses=192.168.88.27 \
    to-ports=5090
add action=dst-nat chain=dstnat comment="FreePBX SIP TCP" dst-address=\
    XX.XX.XX.XX dst-port=5060 protocol=tcp to-addresses=192.168.88.27 \
    to-ports=5060
add action=dst-nat chain=dstnat comment="FreePBX SIP TLS" dst-address=\
    XX.XX.XX.XX dst-port=5061 protocol=tcp to-addresses=192.168.88.27 \
    to-ports=5061
add action=dst-nat chain=dstnat comment="NAS access" dst-address=XX.XX.XX.XX \
    dst-port=5500-5501 protocol=tcp to-addresses=192.168.88.194 to-ports=\
    5500-5501
/ip firewall service-port
set sip disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Dublin
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
TheLorc
Frequent Visitor
Topic Author
Posts: 82
Joined: Mon Jul 18, 2022 4:53 am

Re: Wireguard connection won't work

Fri Oct 14, 2022 4:53 pm

(1) On your MT router, modify the input chain rule.
From:
add action=accept chain=input dst-port=13231 in-interface=ether1 protocol=udp
To EITHER:
add action=accept chain=input dst-port=13231 in-interface-list=WAN protocol=udp
OR:
add action=accept chain=input dst-port=13231 in-interface=pppoe-out2 protocol=udp

(2) For the client device DNS setting, put in 192.168.32.1

(3) While you're at it, and assuming all the WAN client stuff for PPPoE is done in the PPPoE settings, you should remove this:
/ip dhcp-client
add comment=defconf interface=ether1

(4) Disable or get rid of this rule:
add action=src-nat chain=srcnat ipsec-policy=out,none out-interface=ether1 \
to-addresses=XX.XX.XX.XX
I just tried it on a different laptop, which I had connected to my hotspot, and it didn't work either. I might just have to try to get VPN working via a different method like IPsec, because I'm not sure WireGuard is going to work.
 
holvoetn
Forum Guru
Posts: 5422
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wireguard connection won't work

Fri Oct 14, 2022 5:10 pm

WireGuard WILL work if you get the config right.
Much easier than IPsec, if you ask me.

The peer will always send. It is only when something comes back that you will know it works, which is not the case now.

Are you 500% sure the port you want to use for your WireGuard interface is accessible from outside?
How do you know?
 
TheLorc
Frequent Visitor
Topic Author
Posts: 82
Joined: Mon Jul 18, 2022 4:53 am

Re: Wireguard connection won't work

Fri Oct 14, 2022 5:16 pm

WireGuard WILL work if you get the config right.
Much easier than IPsec, if you ask me.

The peer will always send. It is only when something comes back that you will know it works, which is not the case now.

Are you 500% sure the port you want to use for your WireGuard interface is accessible from outside?
How do you know?
I am not sure what IPsec is, but I can see MikroTik has a built-in VPN in the Quick Set section. However, I have tried that just now and it also doesn't work, lol. I am guessing it uses IPsec, since that pops up in the firewall rules when you enable the VPN in Quick Set :)

"Are you 500% sure the port you want to use for your WireGuard interface is accessible from outside?
How do you know?"

I will try it now. Are you talking about port 13231? I am not sure how to check it.

I am able to ping my public IP; however, I don't know how to ping a specific port. When I type "ping PublicIP:13231" it returns "Ping request could not find host XX.XX.XX.XX:13231. Please check the name and try again."
 
holvoetn
Forum Guru
Posts: 5422
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wireguard connection won't work

Fri Oct 14, 2022 6:42 pm

I am going to ask something which should already have been asked a while ago...

Can you draw a diagram of your network with the MikroTik device and how it goes to the Internet? (Paper is OK.)
Please include the ISP modem, ethernet connections, what subnet is used where, etc.

I assume there is an ISP modem/router in between?
Does that device perform a port forward of that UDP 12321, or did you put your MikroTik device in the DMZ?
 
TheLorc
Frequent Visitor
Topic Author
Posts: 82
Joined: Mon Jul 18, 2022 4:53 am

Re: Wireguard connection won't work

Fri Oct 14, 2022 7:24 pm

I am going to ask something which should already have been asked a while ago...

Can you draw a diagram of your network with the MikroTik device and how it goes to the Internet? (Paper is OK.)
Please include the ISP modem, ethernet connections, what subnet is used where, etc.

I assume there is an ISP modem/router in between?
Does that device perform a port forward of that UDP 12321, or did you put your MikroTik device in the DMZ?
Hi, I have attached a network diagram filled out to the best of my ability.

"I assume there is an ISP modem/router in between?"
Yes. Fibre comes to the building and goes to a Huawei HG8010H optical network terminator. This then goes to the Eir Fibre Box 1A 1.0 via Ethernet cable. Then this goes to the MikroTik Ethernet port 1.

This Eir Fibre Box is set to bridge mode in its settings. Then the MikroTik router is set to PPPoE with a username and password to access the ISP.

"Does that device perform a port forward of that UDP 12321, or did you put your MikroTik device in the DMZ?"

That device doesn't perform any port forwarding; it's just in bridge mode.

I have set up a phone server (FreePBX) which requires port forwarding, and had NAT rules set up to port forward 5060 to the FreePBX server (UDP ports 2000-65000 are forwarded to the server for RTP as well as SIP). This works perfectly fine. In fact, it even worked after I did a factory reset without the NAT rules, but I'm still not sure how that worked.

The only subnet I have is 192.168.88.1/24. I have not configured any other devices on any network other than this. Every device in the building is in 192.168.88.1 - 192.168.88.254, so if we have more than 253 (I believe it's 253 max, right?) it will need to be changed, but it's only at like 40-50 devices currently.
 
anav
Forum Guru
Posts: 19125
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard connection won't work  [SOLVED]

Fri Oct 14, 2022 11:44 pm

So the MikroTik gets a public IP?

Go to a website that tests ports (from behind the router) and see if the site reports the port as open.

The client device doesn't have any funky firewall on it??
 
TheLorc
Frequent Visitor
Topic Author
Posts: 82
Joined: Mon Jul 18, 2022 4:53 am

Re: Wireguard connection won't work

Sat Oct 15, 2022 12:44 am

So the MikroTik gets a public IP?

Go to a website that tests ports (from behind the router) and see if the site reports the port as open.

The client device doesn't have any funky firewall on it??
Well yes, I think so. In Quick Set and the PPPoE settings it shows a public IP and a gateway.

Also, I can access the NAS via the public IP, port 5501.

When I go to this site: https://portchecker.co/checking

It says port 5501 is open (NAS web GUI) but port 13231 is not open.

And no, the client device does not, that I know of; it's just a standard install of Windows 10.
 
TheLorc
Frequent Visitor
Topic Author
Posts: 82
Joined: Mon Jul 18, 2022 4:53 am

Re: Wireguard connection won't work

Sat Oct 15, 2022 3:17 am

Thank you to holvoetn and anav. I have now fully accessed the NAS on a remote PC and can ping all of 192.168.32.0/24 and 192.168.88.0/24 - thanks so much!

I believe what got it in the end was changing my listening port from 13231 to 369. In the Firewall -> NAT settings I have UDP ports 2000-65000 forwarded to the FreePBX server, because only forwarding 5060 did not work, as the RTP required some larger range. As soon as I changed the WireGuard listening port to 369, then the firewall rule to 369, and the WireGuard client side to 369, it suddenly received data, and I can now ping everything and access the NAS.

Given that WireGuard uses UDP, port 13231 is in this 2000-65000 range, so it may have been affecting it. Changing to port 369 has got me able to ping the whole network and access the NAS.

Still not sure why this wouldn't have worked when I factory reset the unit... but anyway, it's working now, so thanks again :)
 
anav
Forum Guru
Posts: 19125
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard connection won't work

Sat Oct 15, 2022 4:15 am

That makes sense: the destination port of 13321 was included in the port forwarding, which took precedence. The handshake never occurred; traffic went to the PBX server and not to the router.
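The precedence anav describes above, together with the interface mismatch from the earlier reply (an input rule matching in-interface=ether1 while the PPPoE traffic actually arrives on pppoe-out2), modelled in Python as an added example. This is not code from the original posts or from MikroTik. The rules and the packet are constructed from the posted export (UDP 2000-65001 forwarded to 192.168.88.27, the input accept rule for the listen-port, the final "drop all else"), and the names Packet, Rule, classify and wireguard_outcome are this example's own.

```python
"""Model of RouterOS packet flow for the WireGuard-vs-dst-nat problem in this thread.

Added example, not code from the original posts or from MikroTik. It models the two
ordering facts that matter here: (1) the dstnat chain runs before routing, so a
matching dst-nat rule sends the packet toward the internal host and the router's own
input chain (where the WireGuard listener lives) never sees it; (2) a packet arriving
over PPPoE has in-interface=pppoe-out2, not ether1, so an input rule matching
in-interface=ether1 never fires. Rules and packets are constructed from the posted
export; the helper names (Packet, Rule, classify, wireguard_outcome) are this
example's own.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

IFACE_LISTS = {"WAN": {"ether1", "pppoe-out2"}, "LAN": {"bridge"}}  # from the export


@dataclass(frozen=True)
class Packet:
    in_iface: str    # interface the packet arrived on
    proto: str       # "udp" or "tcp"
    dst_port: int


@dataclass(frozen=True)
class Rule:
    chain: str                        # "dstnat" or "input"
    action: str                       # "dst-nat", "accept" or "drop"
    proto: Optional[str] = None
    dst_port: Optional[str] = None    # RouterOS syntax: "80", "2000-65001", "a-b,c-d"
    in_iface: Optional[str] = None
    in_iface_list: Optional[str] = None
    to_address: Optional[str] = None  # dst-nat target


def parse_ports(spec: str) -> List[Tuple[int, int]]:
    """Parse RouterOS dst-port syntax into inclusive (lo, hi) ranges."""
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return ranges


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every matcher set on the rule must hold, as in a RouterOS firewall rule."""
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dst_port is not None and not any(
        lo <= pkt.dst_port <= hi for lo, hi in parse_ports(rule.dst_port)
    ):
        return False
    if rule.in_iface is not None and rule.in_iface != pkt.in_iface:
        return False
    if rule.in_iface_list is not None and pkt.in_iface not in IFACE_LISTS[rule.in_iface_list]:
        return False
    return True


def classify(nat_rules, filter_rules, pkt):
    """("forward", host) if a dst-nat rule captured the packet, else ("input", action)."""
    for rule in nat_rules:
        if rule.chain == "dstnat" and matches(rule, pkt):
            return ("forward", rule.to_address)
    for rule in filter_rules:
        if rule.chain == "input" and matches(rule, pkt):
            return ("input", rule.action)
    return ("input", "accept")  # RouterOS default when no rule matches


def wireguard_outcome(listen_port, pbx_udp_ports, wg_rule_iface=None, wg_rule_list=None):
    """Where does a WireGuard handshake packet from the Internet end up?
    pbx_udp_ports is the dst-port spec of the FreePBX UDP dst-nat rule (None disables
    it); wg_rule_iface / wg_rule_list say how the WireGuard input accept rule is written.
    """
    nat_rules = []
    if pbx_udp_ports is not None:
        nat_rules.append(Rule("dstnat", "dst-nat", proto="udp",
                              dst_port=pbx_udp_ports, to_address="192.168.88.27"))
    filter_rules = [
        Rule("input", "accept", proto="udp", dst_port=str(listen_port),
             in_iface=wg_rule_iface, in_iface_list=wg_rule_list),
        Rule("input", "accept", in_iface_list="LAN"),
        Rule("input", "drop"),  # the thread's "drop all else"
    ]
    # Traffic from the ISP arrives over the PPPoE interface, not raw ether1.
    pkt = Packet(in_iface="pppoe-out2", proto="udp", dst_port=listen_port)
    return classify(nat_rules, filter_rules, pkt)


if __name__ == "__main__":
    # Original export: input rule on ether1, PBX range 2000-65001 covers 13231.
    print(wireguard_outcome(13231, "2000-65001", wg_rule_iface="ether1"))
    # Interface match fixed (in-interface-list=WAN); the dst-nat rule still wins.
    print(wireguard_outcome(13231, "2000-65001", wg_rule_list="WAN"))
    # PBX rule disabled but input rule still on ether1: hits "drop all else".
    print(wireguard_outcome(13231, None, wg_rule_iface="ether1"))
    # The thread's fix: a listen-port outside the forwarded range.
    print(wireguard_outcome(369, "2000-65001", wg_rule_list="WAN"))
    # Alternative: keep 13231 and carve it out of the PBX range instead.
    print(wireguard_outcome(13231, "2000-13230,13232-65001", wg_rule_list="WAN"))
```

The last case shows the alternative to moving the listen-port: RouterOS dst-port accepts a comma-separated list of ports and ranges, so 2000-13230,13232-65001 keeps the PBX forward while leaving 13231 for WireGuard. Two further checks against the posted export: the forward chain ends without a drop rule, so the rule accepting only WireGuard traffic to 192.168.88.194 restricts nothing (which is why the peer can reach all of 192.168.88.0/24), and a web port checker cannot confirm a WireGuard port either way, because WireGuard sends nothing back to a packet that is not a valid handshake.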
