After a lot of help from you guys here I've managed to get wireguard rolling (viewtopic.php?p=964572#p964572) Things are really looking up and I feel I am close to my goal.
Now, my new question is about persistence of the connection.
I have a remote backup machine running vanilla Debian 11.5. I want to push my backups to this remote location through the WireGuard tunnel.
So, the topology is:
Home peer, mikrotik hAP ac³ [public fixed IP address] [local network 88.0] ----- Internet ----- Remote peer, debian 11.5 [non fixed ip address] [local network 100.0]
And logically, after setting up the WireGuard tunnel:
Home peer wg peer ip [192.168.89.1] -------------------Wireguard---------------- Remote peer wg peer ip [192.168.89.2]
The tunnel seems to work. My router shows activity on the interface for the remote peer, and I am able to access the remote peer's default web server (port 80). I am, however, unable to ping it or ssh into it, so pushing with rsync naturally does not work either. I am confident this is a problem with my firewall settings, but I am just not able to get it right and would really appreciate your help.
Full config:
# Three bridges: bridge_casa and bridge_domotica are plain; bridge_oficina is
# the defconf bridge and keeps a fixed admin MAC (auto-mac=no).
/interface bridge
add name=bridge_casa
add name=bridge_domotica
add admin-mac=DC:2C:6E:14:DE:91 auto-mac=no comment=defconf name=\
bridge_oficina
# Single WireGuard interface. UDP 13231 is the port the input chain opens in
# /ip firewall filter further down.
/interface wireguard
add listen-port=13231 mtu=1420 name=wg_oveta
# NOTE(review): the name says ether4 but the VLAN is bound to ether2 -- confirm
# which port was intended (this sub-interface becomes a bridge_domotica port).
/interface vlan
add interface=ether2 name=vlan50_ether4 vlan-id=50
# WAN/LAN lists; membership is assigned under /interface list member below.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
# All profiles are WPA2-PSK; perfil_casa and perfil_domotica additionally allow
# (but do not require) management-frame protection.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
supplicant-identity=MikroTik
add authentication-types=wpa2-psk management-protection=allowed mode=\
dynamic-keys name=perfil_casa supplicant-identity=MikroTik
add authentication-types=wpa2-psk management-protection=allowed mode=\
dynamic-keys name=perfil_domotica supplicant-identity=MikroTik
# wlan1 (2.4 GHz) and wlan2 (5 GHz) are the master APs for SSID "oficina".
# The three virtual APs below carry CASA2 (both bands) and domotica (2.4 GHz),
# all with WPS disabled.
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto mode=ap-bridge \
security-profile=perfil_casa ssid=oficina wireless-protocol=802.11
set [ find default-name=wlan2 ] antenna-gain=0 band=5ghz-a/n/ac \
channel-width=20/40/80mhz-XXXX country=paraguay disabled=no distance=\
indoors frequency=auto mode=ap-bridge security-profile=perfil_casa ssid=\
oficina wireless-protocol=802.11
add disabled=no mac-address=DE:2C:6E:14:DE:97 master-interface=wlan2 name=\
wlan_casa_5 security-profile=perfil_casa ssid=CASA2 wds-default-bridge=\
bridge_oficina wps-mode=disabled
add disabled=no mac-address=DE:2C:6E:14:DE:96 master-interface=wlan1 name=\
wlan_casa_24 security-profile=perfil_casa ssid=CASA2 wds-default-bridge=\
bridge_oficina wps-mode=disabled
add disabled=no mac-address=DE:2C:6E:14:DE:95 master-interface=wlan1 name=\
wlan_domotica security-profile=perfil_domotica ssid=domotica \
wds-default-bridge=bridge_oficina wps-mode=disabled
# VLAN 50 on both master radios and VLAN 10 on the domotica virtual AP. Both
# these sub-interfaces and their parent virtual APs are bridge ports below.
/interface vlan
add interface=wlan_domotica name=vlan10_domotica vlan-id=10
add interface=wlan2 name=vlan50_casa_5 vlan-id=50
add interface=wlan1 name=vlan50_casa_24 vlan-id=50
# One pool per DHCP segment, plus vpn-pool (192.168.89.100-254). vpn-pool is
# only referenced by the /ppp profile near the end; WireGuard does not use
# it -- its peers carry static allowed-address entries.
/ip pool
add name=dhcp ranges=192.168.88.100-192.168.88.254
add name=dhcp_pool_domotica ranges=10.0.0.2-10.0.0.254
add name=dhcp_pool_casa ranges=192.168.1.2-192.168.1.254
add comment="Range of ips for backup vpns" name=vpn-pool ranges=\
192.168.89.100-192.168.89.254
/ip dhcp-server
add address-pool=dhcp interface=bridge_oficina name=defconf
add address-pool=dhcp_pool_domotica interface=bridge_domotica name=\
dhcp_domotica
add address-pool=dhcp_pool_casa interface=bridge_casa name=dhcp_casa
# Port membership:
#   bridge_casa     : ether2, vlan50_casa_5, vlan50_casa_24, wlan_casa_24, wlan_casa_5
#   bridge_domotica : ether4, vlan10_domotica, wlan_domotica, vlan50_ether4
#   bridge_oficina  : ether3, ether5, wlan1, wlan2
# No bridge has vlan-filtering enabled above, so segment separation rests on
# the forward-chain drop rules in /ip firewall filter, not on the bridges.
/interface bridge port
add bridge=bridge_casa comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge_oficina ingress-filtering=no interface=ether3
add bridge=bridge_domotica ingress-filtering=no interface=ether4
add bridge=bridge_oficina ingress-filtering=no interface=ether5
add bridge=bridge_oficina ingress-filtering=no interface=wlan1
add bridge=bridge_oficina ingress-filtering=no interface=wlan2
add bridge=bridge_domotica ingress-filtering=no interface=vlan10_domotica
add bridge=bridge_domotica ingress-filtering=no interface=wlan_domotica
add bridge=bridge_casa ingress-filtering=no interface=vlan50_casa_5
add bridge=bridge_casa ingress-filtering=no interface=vlan50_casa_24
add bridge=bridge_casa ingress-filtering=no interface=wlan_casa_24
add bridge=bridge_casa ingress-filtering=no interface=wlan_casa_5
add bridge=bridge_domotica ingress-filtering=no interface=vlan50_ether4
# Neighbor discovery off on every interface.
/ip neighbor discovery-settings
set discover-interface-list=none
# IPv6 is disabled entirely, so the firewall below is IPv4-only.
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all
# wg_oveta is a LAN member: every WireGuard peer is treated like a local host
# by the input/forward rules that match in-interface-list=LAN. bridge_casa and
# bridge_domotica are deliberately (?) NOT in the LAN list.
/interface list member
add comment=defconf interface=bridge_oficina list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wg_oveta list=LAN
# NOTE(review): blowfish128 and sha1 are still in the accepted cipher/auth
# lists. No enabled=yes is exported for this server; if it is ever turned on,
# trim the lists to the aes*/sha256+ entries first.
/interface ovpn-server server
set auth=sha1,sha256,sha512 certificate=*C cipher=\
blowfish128,aes128,aes192,aes256 default-profile=default-encryption \
require-client-certificate=yes
# All three peers are /32, so the tunnel only exchanges traffic with exactly
# these three addresses. No peer covers 192.168.90.0/24, which the static route
# in /ip route points into this interface. Public keys are truncated in this
# export.
/interface wireguard peers
add allowed-address=192.168.89.51/32 comment="anguja - 192.168.89.51" \
interface=wg_oveta public-key=\
"Zke0XuOTuSq="
add allowed-address=192.168.89.2/32 comment="tavai - 192.168.89.2" interface=\
wg_oveta public-key="xYNYxh8="
add allowed-address=192.168.89.50/32 comment="iphone - 192.168.89.50" \
interface=wg_oveta public-key=\
"tezEgxDhAX="
# Router addresses per segment. The public /24 on ether1 is masked in this
# export (181.XX.YY.ZZ); the router's own WireGuard address is 192.168.89.1.
/ip address
add address=192.168.88.1/24 comment="Oficina bridge interface" interface=\
bridge_oficina network=192.168.88.0
add address=181.XX.YY.ZZ/24 interface=ether1 network=181.XX.YY.0
add address=10.0.0.1/24 interface=bridge_domotica network=10.0.0.0
add address=192.168.1.1/24 interface=bridge_casa network=192.168.1.0
add address=192.168.89.1/24 comment="Oveta Wireguard" interface=wg_oveta \
network=192.168.89.0
# WAN is statically addressed, so the defconf DHCP client stays disabled.
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
# NOTE(review): 192.138.1.0/24 looks like a typo of 192.168.1.0/24 (the correct
# entry follows it), and 192.168.100.0/24 has no matching pool or server in
# this export -- both appear to be stale leftovers.
/ip dhcp-server network
add address=10.0.0.0/24 gateway=10.0.0.1
add address=192.138.1.0/24 gateway=192.138.1.1
add address=192.168.1.0/24 gateway=192.168.1.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
add address=192.168.100.0/24 gateway=192.168.100.1
# allow-remote-requests=yes makes the router a recursive resolver for clients;
# what keeps it from answering the Internet is the input chain's "drop all not
# coming from LAN" rule (see the review note on the src-address accept there).
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
# tavai.lan resolves to the Debian WireGuard peer (192.168.89.2).
/ip dns static
add address=192.168.88.1 comment=defconf name=oveta.lan
add address=192.168.88.5 name=mrroboto.lan
add address=192.168.88.6 name=mandua.lan
add address=10.0.0.5 name=dvr.domotica.lan
add address=192.168.89.2 comment=Tavai@joaquin name=tavai.lan
/ip firewall filter
# --- input chain (traffic to the router itself) ---
# WireGuard handshakes/data must be reachable from the Internet.
add action=accept chain=input dst-port=13231 protocol=udp
# NOTE(review): this rule matches on source address only. wg_oveta is already
# in the LAN list, so the defconf "drop all not coming from LAN" rule below
# already admits the peers; as written, any packet carrying a 192.168.89.x
# source is accepted regardless of the interface it arrived on, including
# ether1. Pin it with in-interface=wg_oveta, or drop the rule as redundant.
add action=accept chain=input src-address=192.168.89.0/24
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
# log-prefix=test presumably left over from debugging.
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid log=yes log-prefix=test
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# Terminal input rule. Only bridge_oficina and wg_oveta are in the LAN list, so
# hosts on bridge_casa / bridge_domotica cannot reach router services (e.g. DNS
# on 192.168.1.1 / 10.0.0.1) except ICMP -- TODO confirm that is intended.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
# --- forward chain (traffic through the router) ---
# There is no terminal drop in this chain: anything not matched by a drop below
# is forwarded. Inbound-from-WAN protection is this single dstnat rule.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# Pairwise isolation of the three bridges, all six directions. wg_oveta is not
# part of this matrix, so WireGuard peers can reach every bridge and every
# bridge can reach the WireGuard peers.
add action=drop chain=forward in-interface=bridge_casa out-interface=\
bridge_oficina
add action=drop chain=forward in-interface=bridge_oficina out-interface=\
bridge_domotica
add action=drop chain=forward in-interface=bridge_domotica out-interface=\
bridge_casa
add action=drop chain=forward in-interface=bridge_oficina out-interface=\
bridge_casa
add action=drop chain=forward in-interface=bridge_domotica out-interface=\
bridge_oficina
add action=drop chain=forward in-interface=bridge_casa out-interface=\
bridge_domotica
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
# These two accepts are currently no-ops: with no terminal drop in the forward
# chain, 192.168.88.0/24 <-> 192.168.89.0/24 is forwarded anyway. They only
# become meaningful if a final "drop everything else" rule is added.
add action=accept chain=forward comment=\
"Allow traffic between .89 and .88 nets for Wireguard\
\n" dst-address=192.168.89.0/24 src-address=192.168.88.0/24
add action=accept chain=forward dst-address=192.168.88.0/24 src-address=\
192.168.89.0/24
/ip firewall nat
# NOTE(review): masquerade with no out-interface-list=WAN applies on every
# egress interface, including wg_oveta: packets from 192.168.88.x towards
# 192.168.89.2 arrive at the Debian peer with source 192.168.89.1. Restricting
# it to WAN (as defconf does) is the usual fix, but then the Debian side's
# AllowedIPs must also include 192.168.88.0/24 or its replies will not enter
# the tunnel -- change both ends together.
add action=masquerade chain=srcnat
# DVR on the domotica segment exposed to the Internet: 8000/tcp and RTSP 554/tcp.
add action=dst-nat chain=dstnat comment=Dvr dst-address=181.XX.YY.ZZ \
dst-port=8000 protocol=tcp to-addresses=10.0.0.5 to-ports=8000
add action=dst-nat chain=dstnat comment=Dvr dst-address=181.XX.YY.ZZ \
dst-port=554 protocol=tcp to-addresses=10.0.0.5 to-ports=554
# RTSP connection-tracking helper, needed for the 554 forward above.
/ip firewall service-port
set rtsp disabled=no
/ip route
# NOTE(review): the default gateway is exported unmasked (181.94.236.1) while
# the interface address above is masked as 181.XX.YY.ZZ.
add disabled=no dst-address=0.0.0.0/0 gateway=181.94.236.1
# NOTE(review): 192.168.89.1 is this router's own wg_oveta address, so this
# route merely selects the tunnel; WireGuard still only sends to a peer whose
# allowed-address covers 192.168.90.0/24, and none of the three peers above
# does. Confirm which peer (and allowed-address) this network belongs to.
add disabled=no dst-address=192.168.90.0/24 gateway=192.168.89.1 \
routing-table=main suppress-hw-offload=no
# Management plane: telnet/ftp/api off; www and winbox reachable from the
# office LAN and the WireGuard subnet.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.88.0/24,192.168.89.0/24
# NOTE(review): ssh is limited to 192.168.88.1/32, which is the router's own
# bridge_oficina address, so no host can reach the SSH service -- confirm
# whether 192.168.88.0/24 (or the same list as www/winbox) was intended.
set ssh address=192.168.88.1/32
# www-ssl is enabled with no address restriction exported; the input chain's
# LAN-only rule is what limits who can reach it.
set www-ssl disabled=no
set api disabled=yes
set winbox address=192.168.88.0/24,192.168.89.0/24
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
# PPP profile hands out vpn-pool inside the same 192.168.89.0/24 that WireGuard
# uses, with the router's WireGuard address as local-address. bridge=*21 is an
# internal ID that did not resolve to a named interface in this export --
# TODO confirm the overlap with the WireGuard subnet is deliberate.
/ppp profile
set *FFFFFFFE bridge=*21 dns-server=8.8.8.8,1.1.1.1 interface-list=LAN \
local-address=192.168.89.1 remote-address=vpn-pool
/system clock
set time-zone-name=America/Asuncion
/system identity
set name=oveta
# Signal-strength LEDs disabled; led1/led2 repurposed to show wg_oveta activity.
/system leds
set 0 disabled=yes interface=wlan2 leds=led1,led2,led3,led4,led5 type=\
wireless-signal-strength
set 1 leds=poe-led type=poe-out
set 2 interface=wg_oveta leds=led1
set 3 interface=wg_oveta leds=led2 type=interface-receive
/tool bandwidth-server
set enabled=no
/tool graphing interface
add
/tool graphing resource
add
# MAC-level access: mac-server and mac-ping off; mac-winbox allowed from LAN
# only (which, via the list membership above, includes WireGuard peers).
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no
# threshold=0 matches any traffic on bridge_oficina; no on-event script is
# exported for it.
/tool traffic-monitor
add interface=bridge_oficina name=tmon1 threshold=0