Josephny
Member
Topic Author
Posts: 452
Joined: Tue Sep 20, 2022 12:11 am

Wireguard site to site Hex to UDM

Fri Nov 18, 2022 5:57 pm

I have tried and failed, so I am reaching out again for help from the group.

I have the following:

Site A: Hex
Site B: Hex
Site C: Ubiquiti UDM Pro
Site D: Ubiquiti UDM SE

I would like to be able to have VPN connectivity between all sites always on.

I started with trying to get Sites A and C setup.

I installed Wireguard on the UDMP at site C with the following wg.conf:

[Interface]
PrivateKey = kByyxxxxxxxxxxxxxxxxx
ListenPort = 51820
Address = 10.10.200.1/32

[Peer]
PublicKey = xx27xxxxxxxxxxxxxxx
AllowedIPs = 10.10.100.0/24
PersistentKeepalive=20
Endpoint = aaaaa.dyndns.org:51820

I made an ACCEPT firewall rules for all traffic originating from 10.10.0.0/16 to anywhere; and another rule for all traffic from anywhere destined to 10.10.0.0/16


At Site A I have the following in my hex's config:
# nov/18/2022 10:49:26 by RouterOS 7.6
# software id = C3RH-692B
#
# model = RB750Gr3
/interface bridge
add name=Bridge-Port3
add admin-mac=bbbbbbbbb auto-mac=no comment=defconf name=bridge
/interface wireguard
add listen-port=51820 mtu=1420 name=212-Wireguard
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.2.100-192.168.2.200
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=1w3d name=defconf
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE bridge-learning=no
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface sstp-server server
set default-profile=default-encryption
/interface wireguard peers
add endpoint-address=ccccc.dyndns.org endpoint-port=51820 interface=\
    212-Wireguard persistent-keepalive=1h47m44s public-key=\
    "LXHxxxxxxxxxx"
/ip address
add address=192.168.2.2/24 comment=defconf interface=bridge network=\
    192.168.2.0
add address=192.168.30.2/24 interface=ether3 network=192.168.30.0
add address=10.10.100.1/24 interface=212-Wireguard network=10.10.100.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1h
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf gateway=192.168.2.2 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip dns static
add address=192.168.2.2 comment=defconf name=router.lan
/ip firewall address-list
add address=aaaaaa.dyndns.org list=WAN
add address=192.168.2.0/24 list=LAN
/ip firewall filter
add action=accept chain=input comment=\
    "NEW defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="NEW defconf: accept ICMP" protocol=\
    icmp
add action=accept chain=forward in-interface=212-Wireguard log=yes
add action=accept chain=forward log=yes out-interface=212-Wireguard
add action=drop chain=input comment="NEW defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=input comment=NEW in-interface-list=LAN
add action=drop chain=input comment="NEW drop all else"
add action=fasttrack-connection chain=forward comment=\
    "NEW defconf: fasttrack" connection-state=established,related hw-offload=\
    yes
add action=accept chain=forward comment=\
    "NEW defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="NEW allow port forwarding" \
    connection-nat-state=dstnat log=yes
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="NEW defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=NEW
/ip firewall mangle
add action=mark-connection chain=prerouting comment=\
    "Mark connection for hairpin NAT" dst-address-list=WAN \
    new-connection-mark="Hairpin NAT" passthrough=yes src-address-list=LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark=\
    "Hairpin NAT"
add action=masquerade chain=srcnat comment="NEW defconf: masquerade" \
    out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=192.168.2.176 dst-port=8123 log=\
    yes protocol=tcp to-addresses=192.168.2.176
add action=src-nat chain=srcnat comment="new 8123" disabled=yes dst-address=\
    192.168.2.176 dst-port=8123 protocol=tcp to-addresses=192.168.2.176
add action=src-nat chain=srcnat comment="new 5800" disabled=yes dst-port=5800 \
    protocol=tcp to-addresses=192.168.2.22
add action=src-nat chain=srcnat comment="new 5900" disabled=yes dst-port=5900 \
    protocol=tcp to-addresses=192.168.2.22
add action=dst-nat chain=dstnat comment="PORT FWD:  8123" dst-address-list=\
    WAN dst-port=8123 protocol=tcp to-addresses=192.168.2.176 to-ports=8123
/ip route
add disabled=yes dst-address=0.0.0.0/0 gateway=192.168.2.1
/system clock
set time-zone-name=America/New_York
/system identity
set name=RouterOS
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool traffic-monitor
add interface=ether1 name=tmon1
How to make it so the sites have an always on VPN connection so that any device (PC) on either network can access any device on the other network?

Thank you!
Last edited by BartoszP on Sat Dec 10, 2022 2:13 am, edited 1 time in total.
Reason: Use proper tags .. quotes for quoting, code for code
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard site to site Hex to UDM

Fri Nov 18, 2022 6:04 pm

Good plan to start small.....

(1) The problem I see is that the UDM address for wireguard is
10.10.200.1/32

It should be
10.10.100.2/32

(2) Allowed IPs is also a problem on the UDM. The UDM only has 10.10.100/24,
a. are there any subnets on the hex, or future subnets on other devices that the users on the UDM will visit?
b. does any traffic originate on the UDM
c. similarly are there any subnets on the UDM that users on the hex will visit, and if so which subnet are they on the hex........

(3) MISSING allowed IPs on hex.
 
Josephny
Member
Topic Author
Posts: 452
Joined: Tue Sep 20, 2022 12:11 am

Re: Wireguard site to site Hex to UDM

Fri Nov 18, 2022 6:37 pm

Thank you as always, anav!

I changed wg0.conf on the UDM to:
[Interface]
PrivateKey = kByxxxxxxx
ListenPort = 51820
Address = 10.10.100.2/32

[Peer]
PublicKey = xx2xxxxxxx
AllowedIPs = 10.10.100.0/24
PersistentKeepalive=20
Endpoint = aaaaa.dyndns.org:51820
Is the AllowedIPs above not correct? The Hex's wireguard interface is 10.10.100.1. Should I add 192.168.2/24 (the LAN on the hex)?

The subnets on the hex now is just 192.168.2/24

I might want to add other subnets (192.168.10 or .20).

Yes, I believe traffic would originate on the UDM. I run Home Assistant and I think it monitors data off the UDM.

The UDM has 192.168.0/24 and 192.168.5/24 (IP cameras on a Blue Iris server).

On the Hex, I put in AllowedIPs 10.10.100.0/24 -- is that correct? Should I add 192.168/16?
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard site to site Hex to UDM

Fri Nov 18, 2022 6:44 pm

Okay, so to be clear, you have users on the UDM that originate traffic? If so where are they headed ( on the hex and perhaps to the other UDM)?
Identify those subnets as allowed IPs on the UDM.

Same on the hex, are users on the hex visiting any subnets on the UDM as that would need to be added to the wireguard peers for the UDM.

*******keep in mind ---->allowed IPs is for two entities and sometimes they are the same! (destination subnets for local traffic AND remote subnets visiting)

I am assuming the hex is acting as the server for wireguard or do I have that wrong......... ( the hex has a publicly accessible WANIP)??


(it's still not clear to me if users are on the first UDM we are trying to connect, or if it is just servers/devices.)
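The two jobs anav describes for allowed IPs (which peer outgoing traffic is sent to, and which remote sources are let in) can be seen in a small model of WireGuard's cryptokey routing. This is an added example, not code from the thread, from MikroTik or from Ubiquiti; the `Peer` and `WireGuardInterface` classes are this example's own, and the peer names, the 10.10.100.0/24 tunnel subnet and the LAN prefixes are taken from the thread's layout:

```python
"""Toy model of WireGuard cryptokey routing (added example, not from the thread).

A peer's allowed-address list (AllowedIPs on the UDM) does two jobs at once.
Outbound, a packet's destination is matched against every peer's list and the
longest prefix wins. Inbound, a decrypted packet is kept only if its source
address lies inside the list of the peer it arrived from. Site names and
addresses follow the thread's numbering but are constructed here.
"""
from ipaddress import ip_address, ip_network


class Peer:
    def __init__(self, name, allowed):
        self.name = name
        self.allowed = [ip_network(a, strict=False) for a in allowed]


class WireGuardInterface:
    def __init__(self, peers):
        # A prefix can belong to only one peer per interface; when it is repeated,
        # the peer configured last takes it, as the kernel implementation does.
        self.table = {}
        for p in peers:
            for net in p.allowed:
                self.table[net] = p.name
        self.peers = {p.name: p for p in peers}

    def select_peer(self, dst):
        """Outbound: name of the peer owning the longest prefix containing dst, or None."""
        dst = ip_address(dst)
        matches = [(net.prefixlen, name) for net, name in self.table.items() if dst in net]
        return max(matches)[1] if matches else None

    def accept_inbound(self, peer_name, src):
        """Inbound: True only if src is covered by a prefix that peer still owns."""
        src = ip_address(src)
        return any(src in net and self.table[net] == peer_name
                   for net in self.peers[peer_name].allowed)


# Site A's hEX with the tunnel on 10.10.100.0/24 and one entry per remote site.
SITE_A = WireGuardInterface([
    Peer("site-B", ["10.10.100.2/32", "192.168.88.0/24"]),
    Peer("site-C", ["10.10.100.3/32", "192.168.0.0/24", "192.168.5.0/24"]),
])

# The first UDM config posted above: AllowedIPs covered only the tunnel subnet.
UDM_C_FIRST_TRY = WireGuardInterface([Peer("site-A", ["10.10.100.0/24"])])


def demo():
    """Selected decisions for the two interfaces, keyed by what they illustrate."""
    return {
        # a PC at site A reaching a camera in site C's 192.168.5.0/24
        "A->camera": SITE_A.select_peer("192.168.5.20"),
        # site D has no peer yet, so no tunnel can carry the packet
        "A->siteD": SITE_A.select_peer("192.168.1.10"),
        # the camera's reply arrives on the site-C peer and is accepted
        "camera reply": SITE_A.accept_inbound("site-C", "192.168.5.20"),
        # a packet sourced from site B's LAN but arriving via the site-C peer is dropped
        "B source via C": SITE_A.accept_inbound("site-C", "192.168.88.5"),
        # with only 10.10.100.0/24 allowed, the UDM cannot send to the hEX LAN at all
        "UDM->hexLAN": UDM_C_FIRST_TRY.select_peer("192.168.2.50"),
        # and a hEX LAN host's packet arriving through the tunnel is discarded
        "hexLAN->UDM": UDM_C_FIRST_TRY.accept_inbound("site-A", "192.168.2.50"),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:15} {result}")
```

Outbound, a destination that matches no peer is never encrypted, which is what happens to LAN traffic when a peer's list holds only the tunnel subnet. Inbound, a decrypted packet whose source is outside the sending peer's list is discarded without any log entry, so a missing prefix looks exactly like a dead tunnel when you ping across it.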
 
Josephny
Member
Topic Author
Posts: 452
Joined: Tue Sep 20, 2022 12:11 am

Re: Wireguard site to site Hex to UDM

Fri Nov 18, 2022 7:37 pm

Users at all sites need to be able to initiate traffic.

I don’t know which device initiates or creates the vpn.

How is a vpn established between them? With a regular client-server there is an activate or connect button.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard site to site Hex to UDM

Fri Nov 18, 2022 7:53 pm

Well it depends, which device has the publicly accessible WANIP. In other words, a Public IP that can be pinged and private ( not natted (CGNAT, starlink etc.)).

Is each device connected to the net or via an ISP router which provides a private IP to your router?
 
Josephny
Member
Topic Author
Posts: 452
Joined: Tue Sep 20, 2022 12:11 am

Re: Wireguard site to site Hex to UDM

Fri Nov 18, 2022 10:09 pm

Each device is at a different location with a public ip provided by the isp (spectrum cable for 3 sites, Fios for the 4th).

The UDMs and the HEXs are the only routers at each location. They can be pinged from the internet as well as from the lan (on the private ip network).
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard site to site Hex to UDM

Fri Nov 18, 2022 10:22 pm

Okay, so this can get really complicated or it can be made easy..........
You could have
Scenario1
hex to hex ( wireguard 1 (bi direction initiation)
hex to udm1 (wireguard 2 (bi direction initiation)
hex to udm2 wireguard 3 (bi direction initiation)
udm1-udm2 wireguard 4 (bi direction initiation)
Road warrior X to.......
Road warrior Y to........
Road warrior Z to........

Scenario2
Hex1 is central wireguard server router
ONE WIREGUARD interface/subnet , the three others connect to HEX1 on this interface.

Scenario3
Hex1 is central wireguard server router
3 Wireguard interfaces needed, one for hex2, one for udm1 and one for udm2

In all three scenarios throw in road warrior (could be admins) that need access to one or all devices!!!
Road warrior X to.......
Road warrior Y to........
Road warrior Z to......
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

What will help chart a course/path is more detail on REQUIREMENTS!

Requirements identification
a. is there any case here where a subnet on a router or a single user at a router, or home user (road warrior) that will require to access one of the routers internet connection??
These need to be identified!
b. which subnets/users need access to which subnets/user on other devices (aka via tunnel)
c. what does admin need ( how many admins?)
d. Is there any one router that will handle most of the incoming wireguard traffic.............

(which router has the biggest capacity in terms of processing power)
(which router has the biggest internet connectivity to the WWW)
 
Josephny
Member
Topic Author
Posts: 452
Joined: Tue Sep 20, 2022 12:11 am

Re: Wireguard site to site Hex to UDM

Fri Nov 18, 2022 11:20 pm

Wow, I love how you laid out the 3 scenarios.

Seems like #1 is the most robust with respect to outages or failures, but I don't know enough to have an opinion on which to choose. An important consideration is that with my limited knowledge, if any one scenario were easier to manage (more difficult to break), then that would be a big vote for that scenario.

I can easily replace the hex at Site A with an RB5009 (already ordered one), so that would be the most powerful processor. Site A has 1gb bidirectional FIOS so Site A wins there also.

a. is there any case here where a subnet on a router or a single user at a router, or home user (road warrior) that will require to access one of the routers internet connection??

Not sure I understand. Do you mean a time when User-1 at Site A would need to use a VPN connection to Site B and then go out the internet connection at Site B? If so, I don't believe so. It would seem to me that if User-a at Site A can reach the router at Site B, then it would have Internet connectivity already. I'm sure I'm missing some scenario where it would be of use, but I can't think of it.

b. which subnets/users need access to which subnets/user on other devices (aka via tunnel)

It would be nice if I (for example) could be at any of the 4 sites (or anywhere, for that matter), and have full access to all the devices on all the subnets at each site.

As it is now configured:

Site A uses 192.168.2/24
Site B uses 192.168.88/24
Site C uses 192.168.0/24 and 192.168.5/24
Site D uses 192.168.1/24

c. what does admin need ( how many admins?)

Just me -- what I describe above.

But, I run a Home Assistant server and a Blue Iris server at Site C that need access to devices at Site B and D directly. And, a Home Assistant server at Site A that needs access to devices at all the other sites.

d. Is there any one router that will handle most of the incoming wireguard traffic.............

Site A (upgraded to RB5009) could be considered the main router.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard site to site Hex to UDM

Sat Nov 19, 2022 12:19 am

Concur, we can keep it simple for now for sure.....

In terms of this iris server and home assistant server at site C........ do they initiate traffic or do they only respond to traffic incoming from site B and D.......
How does a server start a session is my question I guess........ I am used to simple FTP server which is just dumb and sits there waiting.

Same question for the home assistant server at site A which needs access to sites B, C, D (again, does this server originate traffic??)
 
Josephny
Member
Topic Author
Posts: 452
Joined: Tue Sep 20, 2022 12:11 am

Re: Wireguard site to site Hex to UDM

Sat Nov 19, 2022 12:50 am

The Blue Iris and Home Assistant servers both initiate traffic with individual devices (cameras, sensors, etc.) at other sites (as well as cloud-based data sources).

BI uses ONVIF, RTSP and uPnP (possibly other protocols).
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard site to site Hex to UDM

Sat Nov 19, 2022 5:18 am

Interesting, if wireguard doesn't work for those services a fallback plan would be to try zerotier.
 
Josephny
Member
Topic Author
Posts: 452
Joined: Tue Sep 20, 2022 12:11 am

Re: Wireguard site to site Hex to UDM

Sat Nov 19, 2022 1:51 pm

I just looked into Zerotier and it seems like it will not work on the Hex platform (MMIPS).

Amplifi Teleport seems to be popular on the UDM platform.

But, I do like the idea of getting wireguard to work.

Would you be willing to help me some more with getting wireguard to work?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Wireguard site to site Hex to UDM

Sat Nov 19, 2022 3:00 pm

You don't seem to understand WG basics, e.g. for simple access between all sites, important parts of site A config can be (and similar for others):
/interface wireguard
add name=WG listen-port=<site A port>
/interface wireguard peers
add interface=WG endpoint-address=<site B public address> endpoint-port=<site B port> public-key=<site B key> allowed-address=192.168.88.0/24
add interface=WG endpoint-address=<site C public address> endpoint-port=<site C port> public-key=<site C key> allowed-address=192.168.0.0/24,192.168.5.0/24
add interface=WG endpoint-address=<site D public address> endpoint-port=<site D port> public-key=<site D key> allowed-address=192.168.1.0/24
/ip route
add dst-address=192.168.88.0/24 gateway=WG
add dst-address=192.168.0.0/24 gateway=WG
add dst-address=192.168.5.0/24 gateway=WG
add dst-address=192.168.1.0/24 gateway=WG
That's assuming that all sites have public addresses. If not, you wouldn't set endpoint-address/port for them and site A would wait for incoming connection from them.
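Sob's point, one peer entry per remote site plus one route per remote LAN, lends itself to generating every device's config from a single site table. The following is an added example, not Sob's code and not from MikroTik or Ubiquiti: it emits the RouterOS commands for a hEX and a wg-quick wg.conf for a UDM from the same site list. The hostnames, ports, the `<... key>` strings and the `Site` class are this example's own placeholders:

```python
"""Generate matching WireGuard config for a full mesh of sites (added example).

One site table drives every device: RouterOS peers plus the explicit /ip route
entries a hEX needs, and wg-quick [Peer] blocks for a UDM, where AllowedIPs also
installs the routes. Each peer entry lists the remote site's tunnel /32 and every
LAN behind it, so the one list serves both directions of traffic. Site names,
hostnames, keys and ports below are placeholders, not the thread's values.
"""
from dataclasses import dataclass
from ipaddress import ip_interface


@dataclass
class Site:
    name: str
    public_host: str   # DDNS name or public IP of this site (placeholder)
    listen_port: int
    tunnel: str        # tunnel address with the shared mask, e.g. 10.10.100.1/24
    lans: tuple        # LAN prefixes reachable behind this site
    public_key: str    # placeholder for the device's WireGuard public key


def peer_allowed(remote):
    """allowed-address / AllowedIPs for a peer: its tunnel /32 plus its LANs."""
    return [f"{ip_interface(remote.tunnel).ip}/32", *remote.lans]


def remote_sites(local, sites):
    return [s for s in sites if s.name != local.name]


def routeros_script(local, sites, iface="WG"):
    """RouterOS commands for `local`. Routes are spelled out because RouterOS
    does not derive them from allowed-address the way wg-quick does."""
    out = ["/interface wireguard",
           f"add name={iface} listen-port={local.listen_port}",
           "/ip address",
           f"add address={local.tunnel} interface={iface}",
           "/interface wireguard peers"]
    for r in remote_sites(local, sites):
        out.append(f'add interface={iface} comment={r.name} endpoint-address={r.public_host} '
                   f'endpoint-port={r.listen_port} public-key="{r.public_key}" '
                   f"allowed-address={','.join(peer_allowed(r))} persistent-keepalive=25s")
    out.append("/ip route")
    for r in remote_sites(local, sites):
        out += [f"add dst-address={lan} gateway={iface}" for lan in r.lans]
    return "\n".join(out)


def wg_quick_conf(local, sites):
    """wg.conf for `local`; the private key stays a placeholder to be filled in."""
    out = ["[Interface]",
           f"Address = {local.tunnel}",
           f"ListenPort = {local.listen_port}",
           "PrivateKey = <private key of this device>"]
    for r in remote_sites(local, sites):
        out += ["", "[Peer]", f"# {r.name}", f"PublicKey = {r.public_key}",
                f"AllowedIPs = {', '.join(peer_allowed(r))}",
                f"Endpoint = {r.public_host}:{r.listen_port}",
                "PersistentKeepalive = 25"]
    return "\n".join(out)


# Constructed site table following the thread's layout: one /24 for the tunnel,
# a distinct listen port per site (optional when every site has its own public
# IP), and real keys left out.
SITES = [
    Site("siteA-hex", "siteA.example.invalid", 51820, "10.10.100.1/24", ("192.168.2.0/24",), "<site A key>"),
    Site("siteB-hex", "siteB.example.invalid", 52820, "10.10.100.2/24", ("192.168.88.0/24",), "<site B key>"),
    Site("siteC-udm", "siteC.example.invalid", 53820, "10.10.100.3/24", ("192.168.0.0/24", "192.168.5.0/24"), "<site C key>"),
    Site("siteD-udm", "siteD.example.invalid", 54820, "10.10.100.4/24", ("192.168.1.0/24",), "<site D key>"),
]

if __name__ == "__main__":
    print(routeros_script(SITES[0], SITES, iface="212-Wireguard"))
    print()
    print(wg_quick_conf(SITES[2], SITES))
```

Because every device is rendered from the same table, the allowed list site A keeps for site C is by construction the mirror of the list site C keeps for site A, which is the symmetry the hand-written configs in this thread keep losing. The firewall rules that let the tunnel interface reach each LAN are left to the device, as in Sob's snippet.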
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard site to site Hex to UDM

Sat Nov 19, 2022 8:07 pm

Good start............
Since it was not clear to me the purpose of ether3 and another subnet, I took the liberty of removing the bridge from anything but bridging
and created two vlans for the two subnets. Assuming the ether ports 2,3,4,5 are all access ports NOT going to smart devices (managed switches, or APs etc).
It's easy peasy, define vlans as belonging to bridge,
then each vlan gets its IP pool, dhcp server, dhcp server network and IP address.
Set the /interface bridge ports and /interface bridge vlans as applicable.
Make necessary wireguard settings
Adjust firewall rules
Adjust routes.

For the RB5009 you will have extra ports so recommend you create/use let's say port 7 (and don't put it on the bridge). It will be an off bridge emergency access or you can use it to configure the router at all times and the best part is one does not have to worry about any screwups on bridge configuration which can lock people out for a bit.........
explained here - viewtopic.php?t=181718
# model = RB750Gr3/RB5009
/interface bridge
add name=bridge
/interface vlan
add interface=bridge name=vlan2-home vlan-id=2
add interface=bridge name=vlan30-other vlan-id=30
/interface wireguard
add listen-port=51820 mtu=1420 name=212-Wireguard
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MANAGE
/ip pool
add name=dhcp-v2 ranges=192.168.2.100-192.168.2.200
add name=dhcp-v30  ranges=192.168.30.100-192.168.30.200
/ip dhcp-server
add address-pool=dhcp-v2 interface=vlan2-home lease-time=1w3d name=dhcp-v2
add address-pool=dhcp-v30 interface=vlan30-other lease-time=1w3d name=dhcp-v30
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether2 pvid=2
add bridge=bridge comment=defconf ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether3 pvid=30
add bridge=bridge comment=defconf ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether4 pvid=2
add bridge=bridge comment=defconf ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether5 pvid=2
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether2,ether4,ether5  vlan-ids=2
add bridge=bridge tagged=bridge untagged=ether3  vlan-ids=30
/ip neighbor discovery-settings
set discover-interface-list=MANAGE
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=vlan2-home list=LAN
add interface=vlan30-other list=LAN
add interface=212-Wireguard list=LAN
add interface=vlan2-home list=MANAGE
/interface wireguard peers
add interface=212-Wireguard endpoint-address=<site B hex2 public address> endpoint-port=52820 public-key=<site B key> allowed-address=10.10.100.2/32,192.168.88.0/24 persistent-keepalive=25s
add interface=212-Wireguard endpoint-address=<site C udm pro public address> endpoint-port=53820 public-key=<site C key> allowed-address=10.10.100.3/32,192.168.0.0/24,192.168.5.0/24 persistent-keepalive=30s
add interface=212-Wireguard endpoint-address=<site D udm se public address> endpoint-port=54820 public-key=<site D key> allowed-address=10.10.100.4/32,192.168.1.0/24 persistent-keepalive=35s
add interface=212-Wireguard public-key=<admin windows laptop key> allowed-address=10.10.100.5/32 comment="admin windows laptop"
add interface=212-Wireguard public-key=<admin iphone/ipad key> allowed-address=10.10.100.6/32 comment="admin iphone/ipad"
/ip address
add address=192.168.2.2/24 interface=vlan2-home network=192.168.2.0
add address=192.168.30.2/24 interface=vlan30-other network=192.168.30.0
add address=10.10.100.1/24 interface=212-Wireguard network=10.10.100.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1h
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf gateway=192.168.2.2 netmask=24
add address=192.168.30.0/24 comment=defconf gateway=192.168.30.2 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip firewall address-list
add address=aaaaaa.dyndns.org list=WANIP
add address=192.168.2.X comment=adminDesktop list=manage
add address=192.168.2.Y comment=adminLaptop list=manage
add address=192.168.2.Z comment="adminIphone/Ipad" list=manage
add address=10.10.100.5/32 comment="remote laptop wg" list=authorized
add address=10.10.100.6/32 comment="remote iphone/ipad wg" list=authorized
add address=192.168.88.A/32 comment="local lan address of admin at site B hex" list=authorized
add address=192.168.0.B/32 comment="local lan address of admin at site C udm pro" list=authorized
add address=192.168.1.C/32 comment="local lan address of admin at site D udm se" list=authorized
/ip firewall filter
add action=accept chain=input comment=\
"NEW defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input dst-port=51820 protocol=udp log=yes
add action=accept chain=input in-interface-list=MANAGE src-address-list=manage
add action=accept chain=input in-interface=212-Wireguard src-address-list=authorized
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=tcp
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=udp
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment=\
"NEW defconf: fasttrack" connection-state=established,related hw-offload=\
yes
add action=accept chain=forward comment=\
"NEW defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="NEW allow port forwarding" \
connection-nat-state=dstnat log=yes
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.2.0/24 src-address=192.168.2.0/24 comment="hairpin nat"
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address-list=WANIP dst-port=8123 log=\
yes protocol=tcp to-addresses=192.168.2.176 
/ip route
add dst-address=0.0.0.0/0 gateway=<WAN gateway IP> routing-table=main comment="required only if add-default-route is not set at /ip dhcp-client"
add dst-address=192.168.88.0/24 gateway=212-Wireguard routing-table=main
add dst-address=192.168.0.0/24 gateway=212-Wireguard routing-table=main
add dst-address=192.168.5.0/24 gateway=212-Wireguard routing-table=main
add dst-address=192.168.1.0/24 gateway=212-Wireguard routing-table=main
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=MANAGE
 
Josephny
Member
Topic Author
Posts: 452
Joined: Tue Sep 20, 2022 12:11 am

Re: Wireguard site to site Hex to UDM

Sun Nov 20, 2022 4:02 pm

I really am trying to understand and learn -- and (as always) appreciate the help!

With the code below, there appear to be active VPN connections between sites A, B and C, but it's still not completely working.

Using the Ping tool at the Hex at SITE-B I can ping the UDM at SITE-C (192.168.0.1) and devices on the LAN behind the UDM.

Using the same Ping tool at the Hex at SITE-B I cannot ping the Hex at Site-A (192.168.2.1) or any devices behind the Hex.

Using the Ping tool at the Hex at SITE-A I can ping the UDM at SITE-C (192.168.0.1) and devices on the LAN behind the UDM.

Using the same Ping tool at the Hex at SITE-A I cannot ping the Hex at Site-A (192.168.88.1) or any devices behind the Hex.

From the UDM at SITE-C I cannot ping anything at SITE-A or SITE-B

SITE-C UDM
# UDM Pro Site C
[Interface]
Address = 10.10.20.1/32
SaveConfig = true
ListenPort = 51820
PrivateKey = WBj6xxxxx


[Peer]
# SITE A
PublicKey = xx27xxxxx
AllowedIPs = 10.10.10.0/24, 192.168.2.0/24
Endpoint = 22.22.22.22:51820

[Peer]
# SITE B
PublicKey = zoZtixxxxxx
AllowedIPs = 10.10.30.0/24, 192.168.88.0/24
Endpoint = 33.33.33.33:51820

SITE-B Hex
# Hex site B

/interface wireguard
add listen-port=51820 mtu=1420 name=wireguard1

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wireguard1 list=WAN

/interface wireguard peers

add allowed-address=192.168.2.0/24 comment=212 endpoint-address=\
    SITE-A.dyndns.org endpoint-port=51820 interface=wireguard1 public-key=\
    "xx27ccccc"

add allowed-address=192.168.0.0/24,192.168.5.0/24 comment=355 \
    endpoint-address=SITE-C.dyndns.org endpoint-port=51820 interface=\
    wireguard1 public-key="4HEOxxxxxxxx"

/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.10.30.1/24 interface=wireguard1 network=10.10.30.0

/ip firewall address-list
add address=SITE-C.dyndns.org list=mtdale
add address=SITE-A.dyndns.org list=212

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow incoming wireguard connections" \
    dst-port=51820 log=yes protocol=udp
add action=accept chain=input comment="Alow wireguard to router" \
    in-interface=wireguard1 log=yes
add action=accept chain=forward comment="Allow wireguard to subnet" \
    dst-address=192.168.88.0/24 in-interface=wireguard1 log=yes
add action=accept chain=forward in-interface=wireguard1 protocol=udp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input disabled=yes src-address-list=mtdale
add action=accept chain=input src-address-list=212
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log=yes
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat log=yes
add action=drop chain=forward comment="Drop all else"

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat disabled=yes dst-port=9000,8080,554,1935,8035 \
    in-interface=wireguard1 log=yes protocol=tcp to-addresses=192.168.88.35
add action=dst-nat chain=dstnat dst-port=9000,8080,554,1935,8035 protocol=tcp \
    src-address-list=212 to-addresses=192.168.88.35
add action=dst-nat chain=dstnat comment=cam dst-port=8080,9000,554,1935,8035 \
    protocol=tcp src-address-list=mtdale to-addresses=192.168.88.35

/ip route
add disabled=no dst-address=192.168.2.0/24 gateway=wireguard1 routing-table=\
    main suppress-hw-offload=no
add disabled=no dst-address=192.168.0.0/24 gateway=wireguard1 routing-table=\
    main suppress-hw-offload=no
add disabled=no dst-address=192.168.1.0/24 gateway=wireguard1 routing-table=\
    main suppress-hw-offload=no



SITE-A Hex
# Hex site A

/interface wireguard
add listen-port=51820 mtu=1420 name=212-Wireguard

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=212-Wireguard list=LAN
add interface=212-Wireguard list=WAN

/interface wireguard peers
add allowed-address=192.168.0.0/24 comment=355 endpoint-address=\
    SITE-C.dyndns.org endpoint-port=51820 interface=212-Wireguard \
    persistent-keepalive=1h47m44s public-key=\
    "4HEOBxxxxxx"

add allowed-address=192.168.88.0/24 comment=371 \
    endpoint-address=SITE-B.dydns.org endpoint-port=51820 interface=\
    212-Wireguard persistent-keepalive=30m public-key=\
    "zoZtxxxxxxxx"

/ip address
add address=192.168.2.2/24 comment=defconf interface=bridge network=\
    192.168.2.0
add address=192.168.30.2/24 interface=ether3 network=192.168.30.0
add address=10.10.10.1/24 interface=212-Wireguard network=10.10.10.0

/ip firewall address-list
add address=jrs212.dyndns.org list=WAN
add address=192.168.2.0/24 list=LAN

/ip firewall filter
add action=accept chain=input comment="NEW defconf: accept ICMP" protocol=\
    icmp
add action=accept chain=input in-interface=212-Wireguard log=yes
add action=accept chain=forward log=yes out-interface=212-Wireguard
add action=accept chain=input log=yes protocol=udp src-port=51820
add action=accept chain=forward in-interface=212-Wireguard
add action=accept chain=forward dst-address=192.168.2.0/24 in-interface=\
    212-Wireguard log=yes
add action=accept chain=input comment=\
    "NEW defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="NEW defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=input comment=NEW in-interface-list=LAN
add action=drop chain=input comment="NEW drop all else"
add action=fasttrack-connection chain=forward comment=\
    "NEW defconf: fasttrack" connection-state=established,related hw-offload=\
    yes
add action=accept chain=forward comment=\
    "NEW defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="NEW allow port forwarding" \
    connection-nat-state=dstnat log=yes
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="NEW defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=NEW
/ip firewall mangle
add action=mark-connection chain=prerouting comment=\
    "Mark connection for hairpin NAT" dst-address-list=WAN \
    new-connection-mark="Hairpin NAT" passthrough=yes src-address-list=LAN

/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark=\
    "Hairpin NAT"
add action=masquerade chain=srcnat comment="NEW defconf: masquerade" \
    out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=192.168.2.176 dst-port=8123 log=\
    yes protocol=tcp to-addresses=192.168.2.176
add action=src-nat chain=srcnat comment="new 8123" disabled=yes dst-address=\
    192.168.2.176 dst-port=8123 protocol=tcp to-addresses=192.168.2.176
add action=src-nat chain=srcnat comment="new 5800" disabled=yes dst-port=5800 \
    protocol=tcp to-addresses=192.168.2.22
add action=src-nat chain=srcnat comment="new 5900" disabled=yes dst-port=5900 \
    protocol=tcp to-addresses=192.168.2.22
add action=dst-nat chain=dstnat comment="PORT FWD:  8123" dst-address-list=\
    WAN dst-port=8123 protocol=tcp to-addresses=192.168.2.176 to-ports=8123

/ip route
add disabled=yes dst-address=0.0.0.0/0 gateway=192.168.2.1
add disabled=no distance=1 dst-address=192.168.88.0/24 gateway=212-Wireguard \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10

 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard site to site Hex to UDM

Sun Nov 20, 2022 4:19 pm

Cart before the horse LOL.
We need to ensure the three other setups are in step with the first one........
I will have a look................... egads, why have you introduced mangling ?????
I provided the proper hairpin nat rule and showed you how to config the destination (port forwarding rules) argg..........

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

add action=masquerade chain=srcnat dst-address=192.168.2.0/24 src-address=192.168.2.0/24 comment="hairpin nat"
add action=dst-nat chain=dstnat dst-address-list=WANIP dst-port=8123 log=\
yes protocol=tcp to-addresses=192.168.2.176

(1) Okay, you have not followed anything coherent at all, if you cannot follow the guide, I don't know what to say ???
The config I provided pointed out for example that the IP addresses for wireguard interfaces of the other devices were on the same subnet........
Also that each device with a public IP uses a different listening port to avoid any confusion.

HEXA/RB5009
ip address = 10.0.100.1/24 (wg interface)

Wireguard Peers
/interface wireguard peers
add interface=212-Wireguard endpoint-address=<site B hex2 public address> endpoint-port=52820 public-key=<site B key> allowed-address=10.10.100.2/32,192.168.88.0/24 persistent-keepalive=25s
add interface=212-Wireguard endpoint-address=<site C udm pro public address> endpoint-port=53820 public-key=<site C key> allowed-address=10.10.100.3/32,192.168.0.0/24,192.168.5.0/24 persistent-keepalive=30s
add interface=212-Wireguard endpoint-address=<site D udm se public address> endpoint-port=54820 public-key=<site D key> allowed-address=10.10.100.4/32,192.168.1.0/24 persistent-keepalive=35s
add interface=212-Wireguard public-key=<admin laptop key> allowed-address=10.10.100.5/32 comment="admin windows laptop"
add interface=212-Wireguard public-key=<admin iphone/ipad key> allowed-address=10.10.100.6/32 comment="admin iphone/ipad"


Hence the IP addresses for your other devices wireguard should be

hex b - 10.0.100.2/24
udm pro - 10.0.100.3/24
udm se - 10.0.100.4/24
remote admin laptop - 10.0.100.5/32
remote admin iphone/ipad - 10.0.100.6/32


(2) why did you add hexa/rb5009 wg interface to the WAN, it's associated with the LAN already........

(3) Back to (1) you failed to add the wireguard addresses of peers to allowed IPs ???

(4) On input chain why did you put SOURCE port for the incoming wireguard handshake/connection??
add action=accept chain=input log=yes protocol=udp src-port=51820

Here is what is on the config I provided which is the correct one................
add action=accept chain=input dst-port=51820 protocol=udp log=yes

It's the destination port because external remote devices are looking to connect on their destination port aka aiming to connect to 51820 on the hex A.
The other devices are not coming from port 51820, in fact my understanding is that selection of source port from the source/remote devices is random as it's the destination port that matters.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

In summary, why are you deviating? If you know what you are doing, then sure by all means but clearly you don't but yet are making stuff up? Why?

I could go on, like why the EFF did you make a hairy disorganized mess of the firewall rules mixing input chain and forward chain........................
Last edited by anav on Sun Nov 20, 2022 5:11 pm, edited 4 times in total.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard site to site Hex to UDM

Sun Nov 20, 2022 5:04 pm

OKAY, this first iteration attempt which is not going well, was to KISS and thus we are doing everything through Router A at the moment SO the peer settings will be different........

For example notice you have routes for 192.168.0.0 and 192.168.5.0 but you also have one for 192.168.1.0 ?? But you have no allowed IPs for 192.168.1.0 ???
So we have to ensure 192.168.1.0 is included in allowed routes.

Vice versa, you have 192.168.5.0/24 in allowed IPs, but it's missing from IP routes, so have to add that.......

Hex site B

/interface wireguard
add listen-port=52820 mtu=1420 name=wireguard1

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wireguard1 list=LAN

/interface wireguard peers

add allowed-address=10.0.100.0/24,192.168.2.0/24,192.168.5.0/24,192.168.0.0/24,192.168.1.0/24 comment=212 endpoint-address=\
SITE-A.dyndns.org endpoint-port=51820 interface=wireguard1 public-key=\
"xx27ccccc" persistent-keepalive=40s

/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=10.0.100.2/24 interface=wireguard1 network=10.0.100.0

/ip firewall address-list
add address=subnet_1 list=external-access
add address=subnet_2 list=external-access
.........
add address=subnet_XX list=external-access
add address=10.0.100.5/32 list=external-access
add address=10.0.100.6/32 list=external-access
add address=IP-local-admin-desktop list=authorized
add address=IP-local-admin-laptop list=authorized
add address=IP-local-admin-iphone/ipad list=authorized

/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked

add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp

add action=accept chain=input comment="allow incoming wireguard connections" \
dst-port=52820 log=yes protocol=udp
add action=accept chain=input comment="Allow wireguard to router" \
in-interface=wireguard1 src-address-list=external-access log=yes
add action=accept chain=input in-interface-list=LAN src-address-list=authorized
add action=accept chain=input dst-port=53 protocol=udp in-interface-list=LAN
add action=accept chain=input dst-port=53 protocol=tcp in-interface-list=LAN
add action=drop chain=input comment="drop all else"

add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid log=yes

add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow wireguard to subnet" \
dst-address=192.168.88.0/24 in-interface=wireguard1 log=yes
add action=accept chain=forward comment="allow port forwarding" \
connection-nat-state=dstnat log=yes
add action=drop chain=forward comment="Drop all else"

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat disabled=yes dst-port=9000,8080,554,1935,8035 \
in-interface=wireguard1 log=yes protocol=tcp to-addresses=192.168.88.35
add action=dst-nat chain=dstnat dst-port=9000,8080,554,1935,8035 protocol=tcp \
src-address-list=212 to-addresses=192.168.88.35
add action=dst-nat chain=dstnat comment=cam dst-port=8080,9000,554,1935,8035 \
protocol=tcp src-address-list=mtdale to-addresses=192.168.88.35

/ip route
add disabled=no dst-address=192.168.2.0/24 gateway=wireguard1 routing-table=\
main suppress-hw-offload=no
add disabled=no dst-address=192.168.0.0/24 gateway=wireguard1 routing-table=\
main suppress-hw-offload=no
add disabled=no dst-address=192.168.1.0/24 gateway=wireguard1 routing-table=\
main suppress-hw-offload=no
add dst-address=192.168.5.0/24 gateway=wireguard1 routing-table=main
Last edited by anav on Sun Nov 20, 2022 5:18 pm, edited 2 times in total.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard site to site Hex to UDM

Sun Nov 20, 2022 5:16 pm

# UDM Pro Site C

[Interface]
Address = 10.0.100.3/32
SaveConfig = true
ListenPort = 53820
PrivateKey = WBj6xxxxx


[Peer]
# SITE A
PublicKey = xx27xxxxx
AllowedIPs = 10.0.100.0/24, 192.168.2.0/24, 192.168.88.0/24, 192.168.1.0/24
Endpoint = SITE-A.dyndns.org:51820
PersistentKeepalive = 35
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard site to site Hex to UDM

Sun Nov 20, 2022 5:24 pm

JUST TO ORIENT YOU ON WHAT IS GOING ON.

We have setup a situation where HexA/RB5009 is the MAIN wireguard server.
In that we start with the assumption that external remote devices will connect to the Hex/RB5009
All wireguard traffic goes between each device to and from the HEX/RB5009.

When traffic needs to go from hexB to UDM PRO, or vice versa it will do it via the Hex/RB5009.

By using different wireguard ports for the three devices, it's clear that users on the hexB and UDM Pro can also initiate a connection.

I provide two external wireguard clients .5 and .6, that represent the admin using a laptop remotely and an ipad/iphone remotely (hotel, coffee shop) from anywhere to reach any router.

+++++++++++++++++++++++++++++++++++++++++++++++++

With the above in mind we have to now adjust the firewall rules in the forward chain on the HexA/RB5009
FROM
add action=accept chain=forward comment=\
"NEW defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="NEW allow port forwarding" \
connection-nat-state=dstnat log=yes
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
***ADD RULES FOR WIREGUARD TRAFFIC HERE***
add action=drop chain=forward comment="drop all else"

TO
add action=accept chain=forward comment=\
"NEW defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="NEW allow port forwarding" \
connection-nat-state=dstnat log=yes
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN

add action=accept chain=forward in-interface=212-Wireguard out-interface=212-Wireguard comment="allows cross peer subnet traffic"
add action=accept chain=forward in-interface=212-Wireguard out-interface=vlan2 comment="allow wg peer traffic to local subnet 192.168.2.0/24"
add action=accept chain=forward in-interface=vlan2 out-interface=212-Wireguard comment="allow local subnet traffic to wireguard peers"

add action=drop chain=forward comment="drop all else"
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard site to site Hex to UDM

Sun Nov 20, 2022 5:51 pm

Similarly with Hex B, depending on what's coming in and going out......

Thus far we are allowing any remote traffic coming out of the tunnel heading for the local subnet 192.168.88.0/24 to proceed.
Is there any traffic originating on hex B that needs to go to the other routers subnets??? So far I don't think so??
Unless there is an adminIP on 192.168.88.0 that needs to enter the tunnel to possibly config the other two devices??
SO possibly add
add action=accept chain=forward src-address=adminIP out-interface=wireguard1 ????

add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid log=yes
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN

add action=accept chain=forward comment="Allow wireguard to subnet" \
dst-address=192.168.88.0/24 in-interface=wireguard1 log=yes
add action=accept chain=forward comment="allow port forwarding" \
connection-nat-state=dstnat log=yes
add action=drop chain=forward comment="Drop all else"
 
Josephny
Member
Topic Author
Posts: 452
Joined: Tue Sep 20, 2022 12:11 am

Re: Wireguard site to site Hex to UDM

Sun Nov 20, 2022 11:44 pm

I hope you know I'm not trying to frustrate you. In fact, I'm trying hard to get to a point where I am not frustrating the people who are helping me.

1) I don't remember how mangling got into the config. I see it is in the Site-A config for the hairpin NAT.

I changed the hairpin nat entry as per your post. But, I don't have a dst-address-list WANIP. Is that the same as WAN?
/ip firewall nat

add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark="Hairpin NAT" dst-address=\
    192.168.2.0/24 src-address=192.168.2.0/24

add action=masquerade chain=srcnat comment="NEW defconf: masquerade" out-interface-list=WAN

add action=dst-nat chain=dstnat dst-address-list=WAN dst-port=8123 log=yes protocol=tcp to-addresses=\
    192.168.2.176

add action=dst-nat chain=dstnat comment="PORT FWD:  8123" dst-address-list=WAN dst-port=8123 log=yes \
    protocol=tcp to-addresses=192.168.2.176


2) I went ahead and made the changes according to your first post today and it seems to be working well. I just read your follow up posts that create VPNs between all machines. I am going to take a few days before implementing the changes that allow VPNs directly between all machines. I can see how it would be far more robust/reliable as well as more efficient.

I obviously did not understand a bunch of things:

a) All peers can and should be on the same 10.10.100/24 network
b) Each peer config should allow both the remote LAN IP block (e.g., 192.168.x.x/24) as well as the single 10.10.100.x IP of the remote WG server
c) Each WG server should use a different listening port


3) I did not understand that a firewall rule regarding an incoming WG connection should refer to the WG server's port as the destination port -- but now I understand that the connection request is indeed destined for the WG server's port (5x820).

4) I believe I had found myself that I was missing IP ROUTE entries in various places so that the routers would know where packets in certain networks should be routed.

5) I added "keep alive=40sec" to all peer configs

As far as the 'any site to any site' (ASAS) configuration, I don't understand where "subnet_1" and "subnet_2" are defined (i.e., how does the router know what the values are)?

Also, I see the changes to these firewall rules to include restrictions to allow only traffic on the wireguard1 interface from addresses identified in the 'external-access'. And, only traffic from LAN that originates on addresses included in 'authorized'. I'm so fearful of screwing this up and having to come back for more help. Can I just leave these out for now?

On the Site C (UDM) I see only a single Peer section that contains all the private networks, and only SITE-A.dyndns.org as the endpoint. How would Sites B and D connect to Site C?

When implementing this change to the site C, wg-quick up fails because the UDM already has a route to 192.168.5.0/24. I took out the 192.168.5.0 network from the allowedIPs.

But, now I can't ping from the UDM at site C to the hex at site B.

I tried to add these:
add action=accept chain=forward in-interface=212-Wireguard out-interface=212-Wireguard comment="allows cross peer subnet traffic"
add action=accept chain=forward in-interface=212-Wireguard out-interface=vlan2 comment="allow wg peer traffic to local subnet 192.168.2.0/24"
add action=accept chain=forward in-interface=vlan2 out-interface=212-Wireguard comment="allow local subnet traffic to wireguard peers"


but I do not have a vlan2 set up. I used 'out-interface=bridge' instead but it doesn't seem to be working.

I added the above 3 rules in addition to the existing WG rules -- is that correct?

add action=fasttrack-connection chain=forward comment="NEW defconf: fasttrack" connection-state=\
    established,related hw-offload=yes

add action=accept chain=input comment="NEW defconf: accept established,related,untracked" connection-state=\
    established,related,untracked

add action=drop chain=input comment="NEW defconf: drop invalid" connection-state=invalid

add action=accept chain=input comment="NEW defconf: accept ICMP" protocol=icmp

add action=accept chain=forward comment="NEW allow port forwarding" connection-nat-state=dstnat log=yes

add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN

add action=accept chain=input in-interface=212-Wireguard log=yes

add action=accept chain=forward log=yes out-interface=212-Wireguard

add action=accept chain=input dst-port=51820 log=yes protocol=udp src-port=""

add action=accept chain=forward in-interface=212-Wireguard

add action=accept chain=forward dst-address=192.168.2.0/24 in-interface=212-Wireguard log=yes

add action=accept chain=forward comment="Allows cross peer subnet traffic" in-interface=212-Wireguard log=\
    yes out-interface=212-Wireguard

add action=accept chain=forward comment="Allow WG peer traffic to local subnet (BRIDGE might be incorrect)" \
    in-interface=212-Wireguard log=yes out-interface=bridge

add action=accept chain=input comment=NEW in-interface-list=LAN

add action=drop chain=input comment="NEW drop all else"

add action=accept chain=forward comment="NEW defconf: accept established,related, untracked" \
    connection-state=established,related,untracked

add action=drop chain=forward comment="NEW defconf: drop invalid" connection-state=invalid

add action=drop chain=forward comment=NEW

add action=accept chain=forward comment=\
    "Allow local subnet traffic to WG peers (BRIDGE might be incorrect)" in-interface=bridge log=yes \
    out-interface=212-Wireguard

 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard site to site Hex to UDM

Mon Nov 21, 2022 1:18 am

This is much better!!
What I expected is for you to go line by line on my config and ask a question for everything not understood........
When answers are understood, then make the attempt at the config change......

As for your question yes......... I simply changed your NAME for an address list you created. I hate using WAN because it's also an interface name and interface list name and thus horrible to use elsewhere. :-)
I called it.........
/ip firewall address-list
add address=aaaaaa.dyndns.org list=WANIP

so that is what is used on the port forwarding!! Much less confusing when reading a config................. Even better/clearer would be a name like dynamic-WANIP

add action=dst-nat chain=dstnat dst-address-list=WANIP dst-port=8123 log=yes protocol=tcp to-addresses=\
192.168.2.176
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard site to site Hex to UDM

Mon Nov 21, 2022 1:20 am

Actually the Config I provided and subsequent posts IS THE SIMPLE APPROACH!!

It only connects devices to ONE device. ERGO they all can initiate a tunnel to the hexA/RB5009 or vice versa
Stated differently, they are not all connected by VPN tunnels directly!!

They are connected indirectly through the tunnels to HexA/RB5009
So go ahead and implement this simple approach.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard site to site Hex to UDM

Mon Nov 21, 2022 1:26 am

a) All peers can and should be on the same 10.10.100/24 network
b) Each peer config should allow both the remote LAN IP block (e.g., 192.168.x.x/24) as well as the single 10.10.100.x IP of the remote WG server
c) Each WG server should use a different listening port


a. I call it a coordinated wireguard subnet structure. It's convenient because it works well.
If you think about it this creates an automatic dynamic IP route on MT devices
<dac> dst-address=10.0.100.0/24 gwy=wireguard-interface-name table=main.

Thus right off the bat any router can ping and receive pings from any router.
One does not have to create IP routes manually for this functionality.

b. Every router's peer settings have to be evaluated on the device they are on........
in this case Router A is best served by the IP address of each peer /32
in this case Router B is best served by the IP address of the subnet /24 so for example through hex A, any of the other wireguard addresses can be pinged.
etc..............

c. They could have the same listening port but that would drive me crazy in configuring all three routers determining if I am coming or going, it's done for sanity. :-)

A good read is this article. - viewtopic.php?t=182340
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard site to site Hex to UDM

Mon Nov 21, 2022 1:43 am

As far as the 'any site to any site' (ASAS) configuration, I don't understand where "subnet_1" and "subnet_2" are defined (i.e., how does the router know what the values are)?
Yes it should have been individual IP addresses of admins at those sites.........................

I assume you are referring to this:
/ip firewall address-list
add address=subnet_1 list=external-access
add address=subnet_2 list=external-access
.........
add address=subnet_XX list=external-access
add address=10.0.100.5/32 list=external-access
add address=10.0.100.6/32 list=external-access
add address=IP-local-admin-desktop list=authorized
add address=IP-local-admin-laptop list=authorized
add address=IP-local-admin-iphone/ipad list=authorized


Well what I am getting at there is that you may want as the admin to access the router if located at other Devices.
Hence you have the two admin remote wireguard IPs. identified to be able to do that from anywhere........... connect to Router A, then transfer to site B................ over wireguard.

But you are correct it should be more like what I did for HeX A
add address=192.168.88.A/32 list=authorized { local lan address of admin at site B hex }
add address=192.168.0.B/32 list=authorized { local lan address of admin at site C udm pro }
add address=192.168.1.C/32 list=authorized { local lan address of admin at site C udm se }


So in this case if YOU are acting as the admin and are local at site A or Site C or Site D and want to be able to access Site B for config purpose you need to provide something like
add address=192.168.2.A/32 list=external-access{ local lan address of admin at site A hex/rb5009 }
add address=192.168.0.B/32 list=external-access { local lan address of admin at site C udm pro }
add address=192.168.1.C/32 list=external-access { local lan address of admin at site D udm se }

If that is not required then you can remove them but at least keep the remote access via .5/32 and .6/32 admin remote access!!

Also if you do add the above addresses to authorized..........
You have to make sure an IP route covers that which in this case already there...........
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard site to site Hex to UDM

Mon Nov 21, 2022 1:52 am

Don't be afraid, I will be here to help at every turn............

On the Site C (UDM) I see only a single Peer section that contains all the private networks, and only SITE-A.dyndns.org as the endpoint. How would Sites B and D connect to Site C?

EXACTLY, the reason is you need to identify all the subnets on all devices you need access to from site C AND all the subnets that are remote that need access to Site C.
We do this through the single peer because that is your connection to router A.

AT ROUTER A all the magic happens, the process is simple.
Site C needs to go to Site B for example.

The setup we have will have local users/devices at Site C that have Site B destination addresses in their requests which are processed by firewall rules, allowed IPs and IP routes, and the traffic headed for site B enters the wireguard tunnel at Site C.
It will travel and exit the tunnel at Site A.
It will then re-enter the tunnel at Site A and travel to Site B because it matches local firewall rules, allowed IPs and IP routes at Site A.
It will then exit the tunnel at Site B and due to firewall rules reach the destination.

And then the reverse.......
Due to IP routes on site B, the router will know to send the traffic back through the wireguard tunnel.
Since this is return traffic the traffic at Router A will exit the tunnel and the router will know to send that traffic back into the tunnel for site C.
The return traffic will exit the tunnel at Site C and head back to the originator.
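To show why the input rule for incoming tunnel connections must match the destination port (the point made earlier about 51820), and how a site C to site B packet is handled by the hub's forward chain once it re-enters the tunnel at site A, here is an added example that is not code from the thread or from MikroTik: a small first-match evaluator for RouterOS rule lines, run over constructed packets. The rule text is adapted from the site A rules quoted in the posts; the parser, LISTS, the packet dictionaries and the function names are this example's own.

```python
"""First-match evaluation of RouterOS filter rules against constructed packets.

Added example, not code from the thread or from MikroTik. The rule lines are
adapted from the hub (site A) rules quoted in the posts; the parser, the packet
dictionaries, LISTS and the function names are this example's own, and only the
matchers named in FIELD plus the two interface-list matchers are understood.
"""
import shlex

# Site A input chain, two variants: the src-port rule questioned in the thread
# and the dst-port rule given as the correct one, each followed by "drop all else".
INPUT_WRONG = """
add action=accept chain=input log=yes protocol=udp src-port=51820
add action=drop chain=input comment="drop all else"
"""
INPUT_RIGHT = """
add action=accept chain=input dst-port=51820 protocol=udp log=yes
add action=drop chain=input comment="drop all else"
"""
# Site A forward chain with the tunnel rules in place (bridge, not vlan2).
FORWARD = """
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward in-interface=212-Wireguard out-interface=212-Wireguard comment="cross peer"
add action=accept chain=forward in-interface=212-Wireguard out-interface=bridge comment="peer to local"
add action=accept chain=forward in-interface=bridge out-interface=212-Wireguard comment="local to peer"
add action=drop chain=forward comment="drop all else"
"""
# Interface lists as in the quoted site A config: the tunnel is a LAN member.
LISTS = {"WAN": {"ether1"}, "LAN": {"bridge", "ether3", "212-Wireguard"}}

# rule keyword -> packet field; values are compared as strings
FIELD = {"protocol": "protocol", "src-port": "src_port", "dst-port": "dst_port",
         "in-interface": "in_if", "out-interface": "out_if"}


def parse_rules(text):
    """Turn 'add key=value ...' lines into dicts, honouring quoted values."""
    rules = []
    for line in text.strip().splitlines():
        words = shlex.split(line)
        if words and words[0] == "add":
            rules.append(dict(w.split("=", 1) for w in words[1:]))
    return rules


def matches(rule, pkt):
    """True when every matcher present in the rule agrees with the packet."""
    for key, field in FIELD.items():
        if key in rule and str(pkt[field]) != rule[key]:
            return False
    for key, field in (("in-interface-list", "in_if"), ("out-interface-list", "out_if")):
        if key in rule and pkt[field] not in LISTS[rule[key]]:
            return False
    return True


def evaluate(rules, pkt):
    """(action, comment) of the first matching rule in the packet's chain;
    RouterOS accepts when no rule in the chain matches."""
    for rule in rules:
        if rule["chain"] == pkt["chain"] and matches(rule, pkt):
            return rule["action"], rule.get("comment", "")
    return "accept", "end of chain"


# Constructed packets. The handshake from a remote peer aims at the hub's
# listen port as its DESTINATION; the source port is whatever the sender chose.
HANDSHAKE = {"chain": "input", "protocol": "udp", "src_port": 40123,
             "dst_port": 51820, "in_if": "ether1", "out_if": ""}
# Site C host to site B host: enters and leaves the hub through the tunnel.
TRANSIT = {"chain": "forward", "protocol": "tcp", "src_port": 51011, "dst_port": 22,
           "in_if": "212-Wireguard", "out_if": "212-Wireguard"}
# Site B host to the hub's own LAN.
TO_LAN = {"chain": "forward", "protocol": "tcp", "src_port": 51012, "dst_port": 8123,
          "in_if": "212-Wireguard", "out_if": "bridge"}
# Remote peer to the internet via the hub's WAN; matches the LAN->WAN rule
# because 212-Wireguard is in the LAN interface list.
TUNNEL_TO_WAN = {"chain": "forward", "protocol": "tcp", "src_port": 51013, "dst_port": 443,
                 "in_if": "212-Wireguard", "out_if": "ether1"}

if __name__ == "__main__":
    print("src-port rule:", evaluate(parse_rules(INPUT_WRONG), HANDSHAKE))
    print("dst-port rule:", evaluate(parse_rules(INPUT_RIGHT), HANDSHAKE))
    for name, pkt in (("transit", TRANSIT), ("to lan", TO_LAN), ("tunnel->wan", TUNNEL_TO_WAN)):
        print(f"{name:12}:", evaluate(parse_rules(FORWARD), pkt))
```

The last packet shows a side effect of putting 212-Wireguard in the LAN interface list: tunnel peers also match the LAN-to-WAN rule and can reach the internet through the hub, which is worth deciding on deliberately rather than by accident.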
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard site to site Hex to UDM

Mon Nov 21, 2022 1:57 am

I don't understand what you are saying here.........
When implementing this change to the site C wg-quick up fails because the UDM already has a router to 192.168.5.0/24. I took out the 192.168.5.0 network from the allowedIPs.


Here is the config I provided for site C, UDM PRO. You will note there is NO mention in allowed IPs, nor should there be of 192.168.5.0/24 as that is a local subnet on Site C.
Allowed IPs is for two things and both consider the remote end. (1 - destination addresses at the remote end that local users want to reach over the tunnel, and 2 - remote users/subnets that will be arriving and attempting to exit the local tunnel)

# UDM Pro Site C
[Interface]
Address = 10.0.100.3/32
SaveConfig = true
ListenPort = 53820
PrivateKey = WBj6xxxxx
[Peer]
# SITE A
PublicKey = xx27xxxxx
AllowedIPs = 10.0.100.0/24, 192.168.2.0/24, 192.168.88.0/24, 192.168.1.0/24
Endpoint = SITE-A.dyndns.org:51820
PersistentKeepalive = 35
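The rules behind this config (one shared tunnel subnet, a /32 plus the remote LANs in each hub-side peer, distinct listen ports, never a local subnet in AllowedIPs) and the AllowedIPs-versus-routes mismatches called out earlier for hex B can be checked mechanically. The following is an added example, not code from the thread or from MikroTik/Ubiquiti; SITES is a constructed model built from the tunnel addresses, ports and subnets quoted in the posts, and the function names are this example's own.

```python
"""Consistency checks for the hub-and-spoke WireGuard plan in this thread.

Added example, not code from the thread or from MikroTik/Ubiquiti. SITES is a
constructed model using the tunnel addresses, listen ports and LAN subnets
quoted in the posts (site A is the hub); the check functions and their names
are this example's own.
"""
from ipaddress import ip_interface, ip_network

SITES = {
    "A": {"wg": "10.0.100.1/24", "port": 51820, "lans": ["192.168.2.0/24"]},
    "B": {"wg": "10.0.100.2/24", "port": 52820, "lans": ["192.168.88.0/24"]},
    "C": {"wg": "10.0.100.3/24", "port": 53820,
          "lans": ["192.168.0.0/24", "192.168.5.0/24"]},
    "D": {"wg": "10.0.100.4/24", "port": 54820, "lans": ["192.168.1.0/24"]},
}


def hub_peer_allowed(sites, spoke):
    """Hub-side allowed-address for one spoke peer: the spoke's tunnel address
    as a /32 plus the LAN subnets behind it."""
    wg = ip_interface(sites[spoke]["wg"])
    return sorted({f"{wg.ip}/32", *sites[spoke]["lans"]})


def spoke_peer_allowed(sites, spoke):
    """Spoke-side AllowedIPs for its single peer, the hub: the whole tunnel /24
    (so any router can reach any other) plus every LAN the spoke reaches through
    the hub, i.e. all LANs that are not its own."""
    tunnel = ip_interface(sites[spoke]["wg"]).network
    remote = [lan for name, s in sites.items() if name != spoke for lan in s["lans"]]
    return sorted({str(tunnel), *remote})


def check_plan(sites):
    """Plan-wide rules: one shared tunnel subnet, distinct listen ports, no LAN
    subnet used at two sites. Returns problem strings (empty list = OK)."""
    problems = []
    by_port = {}
    for name, s in sites.items():
        by_port.setdefault(s["port"], []).append(name)
    for port, names in sorted(by_port.items()):
        if len(names) > 1:
            problems.append(f"listen port {port} reused by {','.join(names)}")
    nets = {ip_interface(s["wg"]).network for s in sites.values()}
    if len(nets) != 1:
        problems.append(f"tunnel addresses span several subnets: {sorted(map(str, nets))}")
    seen = {}
    for name, s in sites.items():
        for lan in s["lans"]:
            if lan in seen:
                problems.append(f"LAN {lan} at {name} already used at {seen[lan]}")
            seen[lan] = name
    return problems


def check_spoke(sites, spoke, allowed_ips, routes):
    """Check what a spoke actually has configured. A local subnet in AllowedIPs
    is wrong (wg-quick tries to add a route that already exists); a remote LAN
    must be in both AllowedIPs and the route table, otherwise packets are either
    dropped by WireGuard's cryptokey routing or never sent into the tunnel."""
    problems = []
    allowed = {ip_network(a) for a in allowed_ips}
    routed = {ip_network(r) for r in routes}
    tunnel = ip_interface(sites[spoke]["wg"]).network
    for lan in sites[spoke]["lans"]:
        if ip_network(lan) in allowed:
            problems.append(f"local subnet {lan} listed in AllowedIPs")
    for net in sorted(routed - allowed, key=str):
        problems.append(f"{net} routed into tunnel but not in AllowedIPs")
    for net in sorted(allowed - routed, key=str):
        if net != tunnel:  # the tunnel /24 gets a connected route automatically
            problems.append(f"{net} in AllowedIPs but no route into tunnel")
    return problems


if __name__ == "__main__":
    print("plan:", check_plan(SITES) or "OK")
    for site in "BCD":
        print(f"hub peer for {site}:", hub_peer_allowed(SITES, site))
        print(f"{site} peer for hub :", spoke_peer_allowed(SITES, site))
    # Site C with its own 192.168.5.0/24 in AllowedIPs, as reported in the thread.
    bad_c = spoke_peer_allowed(SITES, "C") + ["192.168.5.0/24"]
    print("site C:", check_spoke(SITES, "C", bad_c, bad_c))
```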
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard site to site Hex to UDM

Mon Nov 21, 2022 1:59 am

If you want to use the bridge and not vlan 2 give me a few minutes to rejig............
Don't start changing the config in pieces, it has to be done as a coherent package etc...........
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard site to site Hex to UDM

Mon Nov 21, 2022 2:23 am

Latest site A............
Only two of the rules needed changing in the forward firewall chain rules........... from v02 to bridge as you surmised.
See below. Note ether3 is NOT part of the bridge!!
/interface bridge
add name=bridge
/interface vlan
add interface=ether3 name=vlan30-other vlan-id=30
/interface wireguard
add listen-port=51820 mtu=1420 name=212-Wireguard
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MANAGE
/ip pool
add name=dhcp ranges=192.168.2.100-192.168.2.200
add name=dhcp-v30  ranges=192.168.30.100-192.168.30.200
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=1w3d name=defconf
add address-pool=dhcp-v30 interface=ether3  lease-time=1w3d name=v30-server
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=MANAGE
/interface list members
add comment=defconf interface=ether1 list=WAN
add interface=bridge list=LAN
add interface=ether3 list=LAN
add interface=212-Wireguard list=LAN
add interface=bridge list=MANAGE
add interface=212-Wireguard list=MANAGE
/interface wireguard peers
add interface=212-Wireguard endpoint-address=<site B hex2 public address> endpoint-port=52820 public-key=<site B key> allowed-address=10.10.100.2/32,192.168.88.0/24 persistent-keepalive=25s
add interface=212-Wireguard endpoint-address=<site C udm pro public address> endpoint-port=53820 public-key=<site C key> allowed-address=10.10.100.3/32,192.168.0.0/24,192.168.5.0/24 persistent-keepalive=30s
add interface=212-Wireguard endpoint-address=<site D udm se public address> endpoint-port=54820 public-key=<site D key> allowed-address=10.10.100.4/32,192.168.1.0/24 persistent-keepalive=35s
add interface=212-Wireguard public-key=<admin laptop key> allowed-address=10.10.100.5/32 comment="admin windows laptop"
add interface=212-Wireguard public-key=<admin iphone/ipad key> allowed-address=10.10.100.6/32 comment="admin iphone/ipad"
/ip address
add address=192.168.2.2/24 comment=defconf interface=bridge network=\
192.168.2.0
add address=192.168.30.2/24 interface=ether3 network=192.168.30.0
add address=10.10.100.1/24 interface=212-Wireguard network=10.10.100.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1h
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf gateway=192.168.2.2 netmask=24
add address=192.168.30.0/24 comment=defconf gateway=192.168.30.2 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip firewall address-list
add address=aaaaaa.dyndns.org list=DynamicWANIP
add address=192.168.2.X list=manage comment="admin desktop"
add address=192.168.2.Y list=manage comment="admin laptop"
add address=192.168.2.Z list=manage comment="admin iphone/ipad"
add address=10.10.100.5/32 list=authorized comment="remote laptop wg"
add address=10.10.100.6/32 list=authorized comment="remote iphone/ipad wg"
add address=192.168.88.A/32 list=authorized comment="local lan address of admin at site B hex"
add address=192.168.0.B/32 list=authorized comment="local lan address of admin at site C udm pro"
add address=192.168.1.C/32 list=authorized comment="local lan address of admin at site C udm se"
/ip firewall filter
add action=accept chain=input comment=\
"NEW defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input dst-port=51820 protocol=udp log=yes
add action=accept chain=input in-interface-list=MANAGE src-address-list=manage
add action=accept chain=input in-interface=212-Wireguard src-address-list=authorized
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=tcp
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=udp
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment=\
"NEW defconf: fasttrack" connection-state=established,related hw-offload=\
yes
add action=accept chain=forward comment=\
"NEW defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="NEW allow port forwarding" \
connection-nat-state=dstnat log=yes
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward in-interface=212-Wireguard out-interface=212-Wireguard comment="allows cross peer subnet traffic"
add action=accept chain=forward in-interface=212-Wireguard out-interface=bridge comment="allow wg peer traffic to local subnet 192.168.2.0/24"
add action=accept chain=forward in-interface=bridge out-interface=212-Wireguard comment="allow local subnet traffic to wireguard peers"
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.2.0/24 src-address=192.168.2.0/24 comment="hairpin nat"
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address-list=DynamicWANIP dst-port=8123 log=\
yes protocol=tcp to-addresses=192.168.2.176 
/ip route
add dst-address=0.0.0.0/0 gateway=<WAN gateway IP> routing-table=main { required if add-default-route is not selected at /ip dhcp-client }
add dst-address=192.168.88.0/24 gateway=212-Wireguard routing-table=main
add dst-address=192.168.0.0/24 gateway=212-Wireguard routing-table=main
add dst-address=192.168.5.0/24 gateway=212-Wireguard routing-table=main
add dst-address=192.168.1.0/24 gateway=212-Wireguard routing-table=main
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=MANAGE
........................

Key changes are pulled out.............. besides changing the v2 back to bridge......

/interface list members
add comment=defconf interface=ether1 list=WAN

add interface=bridge list=LAN
add interface=ether3 list=LAN
add interface=212-Wireguard list=LAN
add interface=bridge list=MANAGE
add interface=212-Wireguard list=MANAGE


add address=192.168.2.2/24 comment=defconf interface=bridge network=\
192.168.2.0


add action=accept chain=forward in-interface=212-Wireguard out-interface=bridge { allow wg peer traffic to local subnet 192.168.2.0/24 }
add action=accept chain=forward in-interface=bridge out-interface=212-Wireguard { allow local subnet traffic to wireguard peers }

/ip firewall address-list
add address=aaaaaa.dyndns.org list=DynamicWANIP

add action=dst-nat chain=dstnat dst-address-list=DynamicWANIP dst-port=8123 log=\
yes protocol=tcp to-addresses=192.168.2.176
 
Josephny
Member
Topic Author
Posts: 452
Joined: Tue Sep 20, 2022 12:11 am

Re: Wireguard site to site Hex to UDM

Tue Nov 22, 2022 11:13 am

Anav,

I believe everything is working now.

But, I'm not sure if all vpn traffic is going through Site-A.

I need a couple of days to work this through, but I wanted to get back to you with the good news and to thank you yet again.

I'm sure I screwed some things up -- I'll post the configs soon.

Thank you!
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard site to site Hex to UDM

Tue Nov 22, 2022 2:19 pm

Sounds like a plan. Keep at it, test that everything works the way it is expected to, and when you are ready for it to be reviewed again (having problems), post all the pertinent configs.
 
Josephny
Member
Topic Author
Posts: 452
Joined: Tue Sep 20, 2022 12:11 am

Re: Wireguard site to site Hex to UDM

Wed Dec 07, 2022 11:13 pm

I'm back for more help.

I've been trying to figure this out myself, but have been unsuccessful.

From Site-B to Site-A I can ping from the router to either 192.168.2.2 or 10.10.100.1

But, from Site-A to Site-B I can ping only 10.10.100.2

If I try pinging 192.168.88.1, I get:

2 lines for each ping:
timeout 161 (no error information)
10.10.100.1 .700 85 63 host unreachable

I have checked routes on both:

On Site-A:

/ip route
add disabled=yes dst-address=0.0.0.0/0 gateway=192.168.2.1
add comment=371 disabled=no distance=1 dst-address=192.168.88.0/24 gateway=\
    212-Wireguard pref-src="" routing-table=main scope=30 \

On Site-B:

/ip route
add disabled=no dst-address=192.168.2.0/24 gateway=wireguard1 routing-table=\
    main suppress-hw-offload=no


I have checked the peer allowed-ips on both:

Site-A:

/interface wireguard peers
add allowed-address=192.168.88.0/24,10.10.100.2/32 comment="371 SITE B" \
    endpoint-address=cccccc.dydns.org endpoint-port=52820 interface=\
    212-Wireguard persistent-keepalive=40s public-key=\
    "yyyyyy"

Site-B:

/interface wireguard peers
add allowed-address=192.168.2.0/24,10.10.100.1/32 comment=212 \
    endpoint-address=vvvvv.dyndns.org endpoint-port=51820 interface=\
    wireguard1 persistent-keepalive=40s public-key=\
    "xxxxxxxxxxx"



I have checked the firewall entries on both:

On Site-A:

/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="NEW defconf: accept ICMP" protocol=\
    icmp
add action=drop chain=input comment="NEW defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=input comment="Allow incoming WG connections" \
    dst-port=51820 log=yes protocol=udp src-port=""
add action=accept chain=input comment="Allow WG to router" in-interface=\
    212-Wireguard
add action=accept chain=forward comment="Allow WG to subnet" dst-address=\
    192.168.2.0/24 in-interface=212-Wireguard log=yes
add action=accept chain=forward out-interface=212-Wireguard
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
add action=accept chain=forward in-interface=212-Wireguard
add action=accept chain=forward comment="Allows cross peer subnet traffic" \
    in-interface=212-Wireguard log=yes out-interface=212-Wireguard
add action=accept chain=forward comment=\
    "Allow WG peer traffic to local subnet" in-interface=212-Wireguard log=\
    yes out-interface=bridge
add action=accept chain=forward comment=\
    "Allow local subnet traffic to WG peers" in-interface=bridge \
    out-interface=212-Wireguard
add action=accept chain=input comment=NEW in-interface-list=LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="drop all else" log=yes
add action=drop chain=forward comment=NEW
/ip firewall mangle
add action=mark-connection chain=prerouting comment=\
    "Mark connection for hairpin NAT" dst-address-list=WAN \
    new-connection-mark="Hairpin NAT" passthrough=yes src-address-list=LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark=\
    "Hairpin NAT" dst-address=192.168.2.0/24 src-address=192.168.2.0/24
add action=masquerade chain=srcnat comment="NEW defconf: masquerade" \
    out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address-list=WAN dst-port=8123 log=yes \
    protocol=tcp to-addresses=192.168.2.176
add action=src-nat chain=srcnat comment="new 8123" disabled=yes dst-address=\
    192.168.2.176 dst-port=8123 protocol=tcp to-addresses=192.168.2.176
add action=src-nat chain=srcnat comment="new 5800" disabled=yes dst-port=5800 \
    protocol=tcp to-addresses=192.168.2.22
add action=src-nat chain=srcnat comment="new 5900" disabled=yes dst-port=5900 \
    protocol=tcp to-addresses=192.168.2.22
add action=dst-nat chain=dstnat comment="PORT FWD:  8123" dst-address-list=\
    dynamic-WANIP dst-port=8123 log=yes protocol=tcp to-addresses=\
    192.168.2.176

On Site-B:

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" log=yes \
    protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=input comment="allow incoming wireguard connections" \
    dst-port=52820 log=yes protocol=udp
add action=accept chain=input comment="Alow wireguard to router" \
    in-interface=wireguard1 log=yes
add action=accept chain=forward comment="Allow wireguard to subnet" \
    dst-address=192.168.88.0/24 in-interface=wireguard1
add action=accept chain=forward in-interface=wireguard1 log=yes protocol=udp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input disabled=yes src-address-list=mtdale
add action=accept chain=input src-address-list=212
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log=yes
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat log=yes
add action=drop chain=forward comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat disabled=yes dst-port=9000,8080,554,1935,8035 \
    in-interface=wireguard1 log=yes protocol=tcp to-addresses=192.168.88.35
add action=dst-nat chain=dstnat dst-port=9000,8080,554,1935,8035 protocol=tcp \
    src-address-list=212 to-addresses=192.168.88.35
add action=dst-nat chain=dstnat comment=cam dst-port=8080,9000,554,1935,8035 \
    protocol=tcp src-address-list=mtdale to-addresses=192.168.88.35

What have I missed?
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard site to site Hex to UDM

Wed Dec 07, 2022 11:47 pm

If I told you once............
I will look at the config when you fix your firewall rules for both, i.e. put the chains together so they are easily legible.
Also, on any config, if I see an entry where there are double quotes with nothing in them, I get rid of it........

pref-src=""
src-port=""

Also, when you state you are pinging X from Y, clarify which subnet you are coming from.....
For example, if you were coming from 192.168.3.5 on router A, trying to reach 192.168.88.1 on router B, it wouldn't work.
 
Josephny
Member
Topic Author
Posts: 452
Joined: Tue Sep 20, 2022 12:11 am

Re: Wireguard site to site Hex to UDM

Thu Dec 08, 2022 12:05 am

I removed any route or firewall entries with double-quotes (empty fields) and reordered the rules to keep all the chains first, then the forwards:

Site-B:

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" log=yes protocol=\
    icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="allow incoming wireguard connections" \
    dst-port=52820 log=yes protocol=udp
add action=accept chain=input comment="Alow wireguard to router" in-interface=\
    wireguard1 log=yes
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input disabled=yes src-address-list=mtdale
add action=accept chain=input src-address-list=212
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="Allow wireguard to subnet" \
    dst-address=192.168.88.0/24 in-interface=wireguard1
add action=accept chain=forward in-interface=wireguard1 log=yes protocol=udp
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat log=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid log=yes
add action=drop chain=forward comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
add action=dst-nat chain=dstnat disabled=yes dst-port=9000,8080,554,1935,8035 \
    in-interface=wireguard1 log=yes protocol=tcp to-addresses=192.168.88.35
add action=dst-nat chain=dstnat dst-port=9000,8080,554,1935,8035 protocol=tcp \
    src-address-list=212 to-addresses=192.168.88.35
add action=dst-nat chain=dstnat comment=cam dst-port=8080,9000,554,1935,8035 \
    protocol=tcp src-address-list=mtdale to-addresses=192.168.88.35

Site-A:
/ip firewall filter
add action=drop chain=input comment="NEW defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="NEW defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=NEW in-interface-list=LAN
add action=accept chain=input comment="Allow WG to router" in-interface=212-Wireguard
add action=accept chain=input comment="Allow incoming WG connections" dst-port=51820 log=yes protocol=udp
add action=drop chain=input comment="drop all else" log=yes
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow WG to subnet" dst-address=192.168.2.0/24 in-interface=212-Wireguard log=yes
add action=accept chain=forward out-interface=212-Wireguard
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=accept chain=forward in-interface=212-Wireguard
add action=accept chain=forward comment="Allows cross peer subnet traffic" in-interface=212-Wireguard log=yes out-interface=212-Wireguard
add action=accept chain=forward comment="Allow WG peer traffic to local subnet" in-interface=212-Wireguard log=yes out-interface=bridge
add action=accept chain=forward comment="Allow local subnet traffic to WG peers" in-interface=bridge out-interface=212-Wireguard
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment=NEW
/ip firewall mangle
add action=mark-connection chain=prerouting comment="Mark connection for hairpin NAT" dst-address-list=WAN new-connection-mark="Hairpin NAT" passthrough=yes src-address-list=LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark="Hairpin NAT" dst-address=192.168.2.0/24 src-address=192.168.2.0/24
add action=masquerade chain=srcnat comment="NEW defconf: masquerade" out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address-list=WAN dst-port=8123 log=yes protocol=tcp to-addresses=192.168.2.176
add action=src-nat chain=srcnat comment="new 8123" disabled=yes dst-address=192.168.2.176 dst-port=8123 protocol=tcp to-addresses=192.168.2.176
add action=src-nat chain=srcnat comment="new 5800" disabled=yes dst-port=5800 protocol=tcp to-addresses=192.168.2.22
add action=src-nat chain=srcnat comment="new 5900" disabled=yes dst-port=5900 protocol=tcp to-addresses=192.168.2.22
add action=dst-nat chain=dstnat comment="PORT FWD:  8123" dst-address-list=dynamic-WANIP dst-port=8123 log=yes protocol=tcp to-addresses=192.168.2.176
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard site to site Hex to UDM

Thu Dec 08, 2022 4:39 am

Site B.
These should be the first two firewall forward chain rules....... you have them halfway down?

add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked


Overall forward chain should look like....
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid log=yes
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow wireguard to subnet" \
in-interface=wireguard out-interface-list=LAN
add action=accept chain=forward comment="Allow subnet to enter wireguard" \
in-interface-list=LAN out-interface=wireguard
add action=drop chain=forward comment="Drop all else"



Site A.
This one should be the second rule, not the first, in the input chain (or the third):
add action=drop chain=input comment="NEW defconf: drop invalid" connection-state=invalid

Your forward chain is a hot mess.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow WG to subnet" dst-address=192.168.2.0/24 in-interface=212-Wireguard log=yes
add action=accept chain=forward out-interface=212-Wireguard
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=accept chain=forward in-interface=212-Wireguard
add action=accept chain=forward comment="Allows cross peer subnet traffic" in-interface=212-Wireguard log=yes out-interface=212-Wireguard
add action=accept chain=forward comment="Allow WG peer traffic to local subnet" in-interface=212-Wireguard log=yes out-interface=bridge
add action=accept chain=forward comment="Allow local subnet traffic to WG peers" in-interface=bridge out-interface=212-Wireguard
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment=NEW


Let's try and rationalize it......... Also, the established,related rule should be the second rule, not at the bottom!

add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related,untracked
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=accept chain=forward comment="Allows cross peer subnet traffic" in-interface=212-Wireguard log=yes out-interface=212-Wireguard
add action=accept chain=forward comment="Allow WG peer traffic to local subnet" in-interface=212-Wireguard log=yes out-interface-list=LAN
add action=accept chain=forward comment="Allow local subnet traffic to WG peers" in-interface-list=LAN out-interface=212-Wireguard
add action=drop chain=forward comment=NEW
 
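A first-match model of the two Site A forward chains quoted in this reply (the original order and the rationalized one), as an added example that is not part of the original post or of RouterOS. It parses the rule lines as written above and runs a few constructed packets through each chain, so the effect of rule order can be checked rather than eyeballed. The interface list membership, the packets, and the limited set of matchers are assumptions; the two facts the model relies on are RouterOS behaviour: fasttrack-connection does not terminate processing (hence the accept rule right after it), and a chain that no rule matches is accepted, which is why the explicit final drop is what turns the chain into an allow-list.

```python
"""First-match walk through a RouterOS forward chain (added example)."""
import ipaddress
import shlex
from dataclasses import dataclass

# Assumed interface lists: the thread puts the bridge/ether3 in LAN and ether1 in WAN.
IFACE_LISTS = {"LAN": {"bridge", "ether3"}, "WAN": {"ether1"}}

# Site A forward chain as quoted above ("hot mess" order).
ORIGINAL = """
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow WG to subnet" dst-address=192.168.2.0/24 in-interface=212-Wireguard log=yes
add action=accept chain=forward out-interface=212-Wireguard
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=accept chain=forward in-interface=212-Wireguard
add action=accept chain=forward comment="Allows cross peer subnet traffic" in-interface=212-Wireguard log=yes out-interface=212-Wireguard
add action=accept chain=forward comment="Allow WG peer traffic to local subnet" in-interface=212-Wireguard log=yes out-interface=bridge
add action=accept chain=forward comment="Allow local subnet traffic to WG peers" in-interface=bridge out-interface=212-Wireguard
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment=NEW
"""

# The rationalized chain proposed in the reply.
RATIONALIZED = """
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related,untracked
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=accept chain=forward comment="Allows cross peer subnet traffic" in-interface=212-Wireguard log=yes out-interface=212-Wireguard
add action=accept chain=forward comment="Allow WG peer traffic to local subnet" in-interface=212-Wireguard log=yes out-interface-list=LAN
add action=accept chain=forward comment="Allow local subnet traffic to WG peers" in-interface-list=LAN out-interface=212-Wireguard
add action=drop chain=forward comment=NEW
"""


@dataclass
class Packet:
    in_if: str
    out_if: str
    dst: str
    state: str           # new, established, related, untracked, invalid
    dstnat: bool = False  # True once a dstnat rule has rewritten the packet


def parse_rules(text):
    """Turn 'add key=value ...' lines into dicts; shlex handles the quoted comments."""
    rules = []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)
        if not tokens or tokens[0] != "add":
            continue
        rules.append({k: v for k, _, v in (t.partition("=") for t in tokens[1:])})
    return rules


def matches(rule, pkt):
    """A rule matches when every matcher it specifies is satisfied (only these matchers are modelled)."""
    checks = {
        "connection-state": lambda v: pkt.state in v.split(","),
        "in-interface": lambda v: pkt.in_if == v,
        "out-interface": lambda v: pkt.out_if == v,
        "in-interface-list": lambda v: pkt.in_if in IFACE_LISTS[v],
        "out-interface-list": lambda v: pkt.out_if in IFACE_LISTS[v],
        "dst-address": lambda v: ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(v, strict=False),
        "connection-nat-state": lambda v: v == "dstnat" and pkt.dstnat,
    }
    return all(check(rule[key]) for key, check in checks.items() if key in rule)


def verdict(rules, pkt):
    """First matching terminating rule decides. fasttrack-connection only marks the
    connection and lets the packet continue. If nothing matches, RouterOS accepts."""
    fasttracked = False
    for rule in rules:
        if rule.get("chain") != "forward" or not matches(rule, pkt):
            continue
        if rule["action"] == "fasttrack-connection":
            fasttracked = True
            continue
        return rule["action"], fasttracked, rule.get("comment", "")
    return "accept", fasttracked, "(chain fell through)"


def compare(pkt):
    """(original verdict, rationalized verdict) for the same packet."""
    return verdict(parse_rules(ORIGINAL), pkt)[0], verdict(parse_rules(RATIONALIZED), pkt)[0]


SAMPLES = {  # constructed packets, not captured traffic
    "internet -> tunnel, new": Packet("ether1", "212-Wireguard", "192.168.88.1", "new"),
    "tunnel -> internet, new": Packet("212-Wireguard", "ether1", "8.8.8.8", "new"),
    "tunnel -> local LAN, new": Packet("212-Wireguard", "bridge", "192.168.2.50", "new"),
    "LAN -> tunnel, reply": Packet("bridge", "212-Wireguard", "192.168.88.1", "established"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        orig, clean = compare(pkt)
        print(f"{name:26s} original={orig:7s} rationalized={clean}")
```

The two packets where the chains disagree are the ones worth noticing: the bare `out-interface=212-Wireguard` and `in-interface=212-Wireguard` accepts in the original order let a new connection from the WAN into the tunnel, and a new connection from any tunnel peer out to the WAN through Site A, without any earlier rule having vetted it. The rationalized chain only accepts tunnel traffic whose other leg is a LAN interface or another peer, and drops the rest.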
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard site to site Hex to UDM

Thu Dec 08, 2022 4:40 am

Once those changes are made and still no luck, then I will need to see the full configs
/export file=anynameyouwish (minus router serial# and any public WANIP information)
 
Josephny
Member
Topic Author
Posts: 452
Joined: Tue Sep 20, 2022 12:11 am

Re: Wireguard site to site Hex to UDM

Thu Dec 08, 2022 9:25 am

I reordered the input and forward rules as instructed (hopefully I did it correctly).

In doing so, I found some differences:

Site-B has this rule that Site-A does not:

add action=accept chain=input src-address-list=212


Looks like this allows the public IP of Site-A through the firewall. I would guess this is both unnecessary because of the Wireguard VPN and a security issue.

Should I remove it?


Site-A has this rule that Site-B does not:

add action=accept chain=input in-interface-list=LAN


This looks like it allows all LAN traffic through. I don't know why LAN traffic not destined for the WAN would need to be let through the firewall.

Site-B has the CAPsMAN rule. I don't use CAPsMAN -- should I remove it?

Site-B has a "defconf: drop all not coming from LAN" rule and Site-A does not.

Here are the input and forward chains for each:

Site-A:

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface-list=LAN
add action=accept chain=input comment="Allow incoming WG connections" dst-port=\
    51820 log=yes protocol=udp
add action=accept chain=input comment="Allow WG to router" in-interface=\
    212-Wireguard
add action=drop chain=input comment="drop all else" log=yes
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
add action=accept chain=forward comment="Allows cross peer subnet traffic" \
    in-interface=212-Wireguard log=yes out-interface=212-Wireguard
add action=accept chain=forward comment="Allow WG to subnet" dst-address=\
    192.168.2.0/24 in-interface=212-Wireguard log=yes
add action=accept chain=forward in-interface=212-Wireguard
add action=accept chain=forward comment=\
    "Allow local subnet traffic to WG peers" in-interface=bridge out-interface=\
    212-Wireguard
add action=accept chain=forward out-interface=212-Wireguard
add action=accept chain=forward comment="Allow WG peer traffic to local subnet" \
    in-interface=212-Wireguard log=yes out-interface=bridge
add action=drop chain=forward comment=NEW
/ip firewall mangle
add action=mark-connection chain=prerouting comment=\
    "Mark connection for hairpin NAT" dst-address-list=WAN new-connection-mark=\
    "Hairpin NAT" passthrough=yes src-address-list=LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark=\
    "Hairpin NAT" dst-address=192.168.2.0/24 src-address=192.168.2.0/24
add action=masquerade chain=srcnat comment="NEW defconf: masquerade" \
    out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address-list=WAN dst-port=8123 log=yes \
    protocol=tcp to-addresses=192.168.2.176
add action=src-nat chain=srcnat comment="new 8123" disabled=yes dst-address=\
    192.168.2.176 dst-port=8123 protocol=tcp to-addresses=192.168.2.176
add action=src-nat chain=srcnat comment="new 5800" disabled=yes dst-port=5800 \
    protocol=tcp to-addresses=192.168.2.22
add action=src-nat chain=srcnat comment="new 5900" disabled=yes dst-port=5900 \
    protocol=tcp to-addresses=192.168.2.22
add action=dst-nat chain=dstnat comment="PORT FWD:  8123" dst-address-list=\
    dynamic-WANIP dst-port=8123 log=yes protocol=tcp to-addresses=192.168.2.176


Site-B:



/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" log=yes protocol=\
    icmp
add action=accept chain=input src-address-list=212
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow incoming wireguard connections" \
    dst-port=52820 log=yes protocol=udp
add action=accept chain=input comment="Alow wireguard to router" in-interface=\
    wireguard1 log=yes
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid log=yes
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat log=yes
add action=accept chain=forward comment="Allow wireguard to subnet" \
    dst-address=192.168.88.0/24 in-interface=wireguard1
add action=accept chain=forward comment="Allow subnet to enter WG" \
    in-interface-list=LAN out-interface=wireguard1
add action=accept chain=forward in-interface=wireguard1 log=yes protocol=udp
add action=drop chain=forward comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
add action=dst-nat chain=dstnat disabled=yes dst-port=9000,8080,554,1935,8035 \
    in-interface=wireguard1 log=yes protocol=tcp to-addresses=192.168.88.35
add action=dst-nat chain=dstnat dst-port=9000,8080,554,1935,8035 protocol=tcp \
    src-address-list=212 to-addresses=192.168.88.35
add action=dst-nat chain=dstnat comment=cam dst-port=8080,9000,554,1935,8035 \
    protocol=tcp src-address-list=mtdale to-addresses=192.168.88.35


I made these changes and still couldn't ping from router to router (i.e., /tool ping) from A to B's 192.168.88.x address.

I watched the bytes and packets counts on the firewall rules and it looked like traffic was passing.

Used Torch and traffic seems to be passing.

So I went back to the WG setup and sure enough on Site-A's peer config for Site-B the first "n" was missing from dyndns.org (dydns.org). Fixed that and now it works!

But, as you can see, I don't think I have the WG config set up to use Site-A as the central WG hub (for Sites B, C and D to pass traffic through on its way to other non-Site-A destinations).

Site-A:

/interface wireguard
add listen-port=51820 mtu=1420 name=212-Wireguard

/interface wireguard peers
add allowed-address=192.168.2.0/24,10.10.100.8/32 comment="JRS Laptop" \
    endpoint-port=58820 interface=212-Wireguard persistent-keepalive=40s \
    public-key="aaaaa"
add allowed-address=192.168.88.0/24,10.10.100.2/32 comment="371 SITE B" \
    endpoint-address=bbb.dyndns.org endpoint-port=52820 interface=\
    212-Wireguard persistent-keepalive=40s public-key=\
    "aaaaa"
add allowed-address=10.10.100.4/32,192.168.1.0/24 comment="255 Site D" \
    endpoint-address=bbb.dyndns.org endpoint-port=54820 interface=\
    212-Wireguard persistent-keepalive=25s public-key=\
    "aaaaa"
add allowed-address=192.168.0.0/24,192.168.5.0/24,10.10.100.3/32 comment=\
    "355 Site C" endpoint-address=bbb.dyndns.org endpoint-port=53820 \
    interface=212-Wireguard persistent-keepalive=40s public-key=\
    "aaaaa"
add allowed-address=10.10.100.9/32,192.168.2.0/24 comment="JRS iPhone" \
    endpoint-port=59820 interface=212-Wireguard persistent-keepalive=40s \
    public-key="aaaaa"

/ip route
add disabled=yes dst-address=0.0.0.0/0 gateway=192.168.2.1
add comment=371 disabled=no distance=1 dst-address=192.168.88.0/24 gateway=\
    212-Wireguard routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=355 disabled=no distance=1 dst-address=192.168.0.0/24 gateway=\
    212-Wireguard routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=255 disabled=no distance=1 dst-address=192.168.1.0/24 gateway=\
    212-Wireguard routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10

Site-B:

/interface wireguard
add listen-port=52820 mtu=1420 name=wireguard1

/interface wireguard peers
add allowed-address=192.168.2.0/24,10.10.100.1/32 comment=212 \
    endpoint-address=aaa.dyndns.org endpoint-port=51820 interface=\
    wireguard1 persistent-keepalive=40s public-key=\
    "aaaaa"
add allowed-address=10.10.100.4/32,192.168.1.0/24 comment=255 \
    endpoint-address=aaa.dyndns.org endpoint-port=54820 interface=\
    wireguard1 persistent-keepalive=40s public-key=\
    "aaaaa"
add allowed-address=192.168.0.0/24,192.168.5.0/24,10.10.100.3/32 comment=355 \
    endpoint-address=aaa.dyndns.org endpoint-port=53820 interface=\
    wireguard1 persistent-keepalive=40s public-key=\
    "aaaaa"
add allowed-address=10.10.90.0/24,192.168.88.0/24 comment=\
    "WG client on BI PC" disabled=yes endpoint-address=aaa.dyndns.org \
    endpoint-port=51820 interface=wireguard1 persistent-keepalive=40s \
    public-key="aaaaa"
add allowed-address=10.10.100.8/32 comment=Laptop interface=wireguard1 \
    public-key="aaaaa"

/ip route
add disabled=no distance=1 dst-address=192.168.2.0/24 gateway=wireguard1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.0.0/24 gateway=wireguard1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.1.0/24 gateway=wireguard1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.5.0/24 gateway=wireguard1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard site to site Hex to UDM

Thu Dec 08, 2022 3:01 pm

Wed Dec 07, 2022 10:40 pm
Once those changes are made and still no luck, then I will need to see the full configs
/export file=anynameyouwish (minus router serial# and any public WANIP information)

Without knowing which subnets are on which devices, it's too confusing to just see snippets.
For example I see a number of allowed peers on site A, as one would expect, one that includes 192.168.2.0/24 and another peer that has 192.168.88.0/24

All fine and good, but can I really assume that neither of those subnets exists on Router A, and thus shouldn't be there...............
And do I really believe that an IPHONE has a subnet and a wireguard IP????

Also, I cleaned up the firewall rules and, as you should have noted, I got rid of some of them that made no sense.

In any case, full configs please, for the HUB and site B.
 
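A model of WireGuard's cryptokey routing built from the peer allowed-address lists posted just above for Site A and Site B, as an added example that is not part of the original thread or of RouterOS. It illustrates two points made in the replies: the earlier remark that a host on 192.168.3.5 behind router A would not reach 192.168.88.1 on router B, and the question here about Site A's own 192.168.2.0/24 appearing on its roaming peers. Peer names and allowed-address values are copied from the posted configs; the sample hosts and the "fixed" peer list are assumptions. The one-prefix-belongs-to-one-peer rule is the WireGuard design (this model lets the last definition win).

```python
"""WireGuard cryptokey routing from the posted allowed-address lists (added example)."""
import ipaddress


class CryptokeyTable:
    """Maps allowed-address prefixes to a peer, the way a WireGuard interface does."""

    def __init__(self):
        self.table = {}  # ip_network -> peer name (the RouterOS peer comment)

    def add_peer(self, name, allowed_address):
        for entry in allowed_address.split(","):
            net = ipaddress.ip_network(entry, strict=False)
            self.table[net] = name  # a prefix belongs to exactly one peer: last definition wins

    def peer_for(self, addr):
        """Outbound lookup: longest matching allowed prefix selects the peer (None = dropped)."""
        ip = ipaddress.ip_address(addr)
        hits = [net for net in self.table if ip in net]
        if not hits:
            return None
        return self.table[max(hits, key=lambda net: net.prefixlen)]

    def inbound_ok(self, peer, src):
        """Inbound check: the decrypted source address must map back to the sending peer."""
        return self.peer_for(src) == peer


def site_a_as_posted():
    t = CryptokeyTable()
    t.add_peer("JRS Laptop", "192.168.2.0/24,10.10.100.8/32")
    t.add_peer("371 SITE B", "192.168.88.0/24,10.10.100.2/32")
    t.add_peer("255 Site D", "10.10.100.4/32,192.168.1.0/24")
    t.add_peer("355 Site C", "192.168.0.0/24,192.168.5.0/24,10.10.100.3/32")
    t.add_peer("JRS iPhone", "10.10.100.9/32,192.168.2.0/24")
    return t


def site_a_fixed():
    """Assumed correction: the roaming peers own only their own tunnel address."""
    t = CryptokeyTable()
    t.add_peer("JRS Laptop", "10.10.100.8/32")
    t.add_peer("371 SITE B", "192.168.88.0/24,10.10.100.2/32")
    t.add_peer("255 Site D", "10.10.100.4/32,192.168.1.0/24")
    t.add_peer("355 Site C", "192.168.0.0/24,192.168.5.0/24,10.10.100.3/32")
    t.add_peer("JRS iPhone", "10.10.100.9/32")
    return t


def site_b_as_posted():
    t = CryptokeyTable()  # the disabled "WG client on BI PC" peer is left out
    t.add_peer("212", "192.168.2.0/24,10.10.100.1/32")
    t.add_peer("255", "10.10.100.4/32,192.168.1.0/24")
    t.add_peer("355", "192.168.0.0/24,192.168.5.0/24,10.10.100.3/32")
    t.add_peer("Laptop", "10.10.100.8/32")
    return t


def trace_a_to_b(src, dst, site_a=None, site_b=None):
    """Follow one packet from a host behind Site A to a host behind Site B through both tables."""
    site_a = site_a or site_a_as_posted()
    site_b = site_b or site_b_as_posted()
    peer = site_a.peer_for(dst)
    if peer != "371 SITE B":
        return f"not sent: Site A maps {dst} to peer {peer!r}"
    if not site_b.inbound_ok("212", src):
        return f"dropped at Site B: source {src} is not in peer 212's allowed-address"
    return "delivered"


if __name__ == "__main__":
    print(trace_a_to_b("192.168.2.10", "192.168.88.1"))  # constructed hosts
    print(trace_a_to_b("192.168.3.5", "192.168.88.1"))
    posted, fixed = site_a_as_posted(), site_a_fixed()
    print("posted: 192.168.2.50 owned by", posted.peer_for("192.168.2.50"))
    print("posted: iPhone may send src 192.168.2.50 ->", posted.inbound_ok("JRS iPhone", "192.168.2.50"))
    print("fixed:  iPhone may send src 192.168.2.50 ->", fixed.inbound_ok("JRS iPhone", "192.168.2.50"))
```

Two things fall out of the table. Site B's peer for Site A only lists 192.168.2.0/24 and 10.10.100.1/32, so a packet from 192.168.3.5 is discarded by Site B's WireGuard before it ever reaches the firewall; adding a route or a filter rule would not help, the allowed-address has to carry that subnet. And with 192.168.2.0/24 on both the laptop and the iPhone peer at Site A, only one of them can own it, and whichever does is allowed to inject packets with Site A's own LAN source addresses into the tunnel, which the forward chain then treats as local-subnet traffic. Dropping the local subnet from the roaming peers closes that, as the fixed table shows.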
Josephny
Member
Topic Author
Posts: 452
Joined: Tue Sep 20, 2022 12:11 am

Re: Wireguard site to site Hex to UDM

Thu Dec 08, 2022 5:26 pm

The problem was a typo in the endpoint URL that includes "dyndns." That fixed the inability to ping problem.

I'll return another time to work on the central WG hub issue.

I see you composed corrected firewall rules, but I am not sure I can delete all other rules without messing something up.

Are you able to tell me if these rules are necessary without reviewing the entire config:


Site-A (HUB) but not Site-B:
add action=accept chain=input in-interface-list=LAN


Site-B but not Site-A (HUB):
add action=accept chain=input src-address-list=212


Site-B but not Site-A:
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1


Site-B but not Site-A:
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN

Thank you!
Last edited by BartoszP on Thu Dec 08, 2022 7:47 pm, edited 1 time in total.
Reason: removed excessive quotting of preceding post; be wise, quote smart.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard site to site Hex to UDM

Thu Dec 08, 2022 9:28 pm

Not that critical at this point.
I replaced the rules appropriately so you should not have issues.

The full config is what I need to see for sites A and B, and for sites C, D (non-MT) their wireguard settings and the subnets on those devices that are either being visited by others or need to enter the wg tunnel.
 
Josephny
Member
Topic Author
Posts: 452
Joined: Tue Sep 20, 2022 12:11 am

Re: Wireguard site to site Hex to UDM

Thu Dec 08, 2022 11:25 pm

I attached the files -- maybe that would make it a tiny bit easier for you to work with? If not, let me know and I'll paste them as code.

Site-C IP network is 192.168.0.0/24 and 192.168.5.0/24

Site-D is 192.168.1.0/24
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard site to site Hex to UDM

Thu Dec 08, 2022 11:32 pm

(1) It took me 3 secs looking at the first hex to find an issue.........sigh.....

/ip address
add address=192.168.2.2/24 comment=defconf interface=bridge network=\
192.168.2.0
/interface wireguard peers
add allowed-address=192.168.2.0/24,10.10.100.8/32 comment="JRS Laptop" \
AND on the other laptop as well!!!

Why would you put your own local address on the settings for an allowed peer?????

(2) Please spend some time reading this...............
viewtopic.php?t=182340

(3) Why are you putting two different IPs on the bridge.......... purpose ?? Did you mean to put bridge-port3 for the second one????
/ip address
add address=192.168.2.2/24 comment=defconf interface=bridge network=\
192.168.2.0
add address=192.168.30.2/24 interface=bridge network=192.168.30.0


(4) Told you once, bad idea to name a firewall address list the same as an interface list, too confusing.

/ip firewall address-list
add address=xxx.dyndns.org list=WAN { remove }
add address=192.168.2.0/24 list=LAN
add address=xxx.dyndns.org list=dynamic-WANIP
{better}

(5) Looking at input chain rules, there is no difference in the ones in GREEN: they all say the same thing or are already covered by the other rules......

/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow incoming WG connections" \
dst-port=51820 log=yes protocol=udp

add action=accept chain=input in-interface-list=LAN
add action=accept chain=input comment="Allow WG to router" in-interface=\
212-Wireguard
{ not required since your LAN interface includes WG already }

add action=drop chain=input comment="drop all else" log=yes

What you need to do is DECIDE who actually needs access to your ROUTER............... For config purposes.............
I would say it's some private LANIPs (admin on Router A, desktop, laptop, iphone) AND any remote admin wireguard IPs coming in that are related to the admin connecting.
SO CREATE A FIREWALL LIST OF AUTHORIZED USERS.........
and replace the two rules above with these below.....

add action=accept chain=input in-interface-list=MANAGED src-address-list=AUTHORIZED
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=tcp
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=udp


******* JUST MAKE SURE YOU DISABLE THE DROP RULE AT THE END FIRST, then change the rules and then as last step after double checking your work, enable the drop rule at the end.

(6) Forward rules like I said a hot mess and you refuse to fix.........or learn........

add action=accept chain=forward comment="Allows cross peer subnet traffic" \ { GOOD, allows peers to visit other peers }
in-interface=212-Wireguard log=yes out-interface=212-Wireguard
add action=accept chain=forward comment="Allow WG to subnet" dst-address=\ { GOOD, allows peers to visit your local subnet }
192.168.2.0/24 in-interface=212-Wireguard log=yes
add action=accept chain=forward in-interface=212-Wireguard { WHY where is the purpose }
add action=accept chain=forward comment=\
"Allow local subnet traffic to WG peers" in-interface=bridge out-interface=212-Wireguard { OKAY, allows local subnet to go out wireguard tunnel to other sites, but why use bridge here and not 192.168.2.0/24 just looking for consistency LOL }

Note: Conceptually speaking, with the three rules above you have allowed peer to peer traffic, tunnel to local subnet traffic, local subnet to tunnel traffic. It's covered, especially as you only have one subnet. If you had more then there would be more discussion.

add action=accept chain=forward out-interface=212-Wireguard { WHY where is the purpose }
add action=accept chain=forward comment=\
"Allow WG peer traffic to local subnet" in-interface=212-Wireguard log=\ { WHY, you already have allowed peers to visit your subnet - is redundant!! }
yes out-interface=bridge
Last edited by anav on Thu Dec 08, 2022 11:55 pm, edited 2 times in total.
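The input and forward chain layout anav describes above, collected into one ordered RouterOS 7 fragment (an added example, not either poster's config): the MANAGE interface list and AUTHORIZED address list are the names from his post, while the LAN host address placed in AUTHORIZED is a constructed placeholder.

```routeros
# Added example, not taken from the thread's exports.
# Names MANAGE and AUTHORIZED follow anav's post; the LAN admin address below
# is a constructed placeholder, the wireguard addresses are the ones in the thread.

# Interfaces from which router management is ever allowed
/interface list
add name=MANAGE
/interface list member
add interface=bridge list=MANAGE
add interface=212-Wireguard list=MANAGE

# Hosts allowed to talk to the router itself: local admin machines plus the
# wireguard addresses the admin uses when connecting remotely
/ip firewall address-list
add address=192.168.2.10 comment="admin desktop (placeholder)" list=AUTHORIZED
add address=10.10.100.8 comment="JRS Laptop wg address" list=AUTHORIZED
add address=10.10.100.9 comment="JRS iPhone wg address" list=AUTHORIZED

/ip firewall filter
# ---- input chain: what may reach the router ----
add action=accept chain=input comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow incoming WG connections" \
    dst-port=51820 protocol=udp
# management: only listed hosts, and only arriving on management interfaces
add action=accept chain=input comment="admin access" \
    in-interface-list=MANAGE src-address-list=AUTHORIZED
# every LAN host may still use the router as its DNS resolver
add action=accept chain=input comment="LAN DNS" in-interface-list=LAN \
    dst-port=53 protocol=tcp
add action=accept chain=input comment="LAN DNS" in-interface-list=LAN \
    dst-port=53 protocol=udp
# keep this disabled while rearranging the rules above; enable it as the last
# step, after confirming you can still log in
add action=drop chain=input comment="drop all else" disabled=yes

# ---- forward chain: what may pass through the router ----
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
add action=accept chain=forward comment="LAN to internet" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
# the three wireguard rules anav calls out: peer to peer, tunnel to local
# subnet, local subnet to tunnel
add action=accept chain=forward comment="peer to peer" \
    in-interface=212-Wireguard out-interface=212-Wireguard
add action=accept chain=forward comment="tunnel to local subnet" \
    in-interface=212-Wireguard dst-address=192.168.2.0/24
add action=accept chain=forward comment="local subnet to tunnel" \
    src-address=192.168.2.0/24 out-interface=212-Wireguard
add action=drop chain=forward comment="drop all else"
```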
 
Josephny
Member
Topic Author
Posts: 452
Joined: Tue Sep 20, 2022 12:11 am

Re: Wireguard site to site Hex to UDM

Thu Dec 08, 2022 11:53 pm

1) My thinking was that the laptop when connecting at home gets an ip in the 192.168.2.x pool. Should I leave only 10.10.100.8 as allowed IP in the peer section for the laptop on the hex? I don't understand what you mean by "and on the other laptop as well?"

2) Ok

3) The bridge having a 192.168.30.x IP is a leftover from my playing around. I understand it is incorrect, but that's for another time. I've disabled it now.

4) I do have dynamic-WANIP already. Should I just remove the firewall list named WAN? Do I need to change all occurrences of WAN in the firewall and nat rules to dynamic-WANIP?
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard site to site Hex to UDM

Fri Dec 09, 2022 12:01 am

1. Makes no sense, if you are at home on Router A and wish to go elsewhere you will be using the HEX wireguard settings, NOT THE PC WIREGUARD settings.
In other words you will just be a normal user on the hex, in the 192.168.2.0/24 subnet, and will follow all the rules for such..........

This is where we will later discuss site B, C, D, where the authorized list on the input chain for those sites would contain the IP of you coming in remotely 10.10.100.X ( pc using wireguard on the road) or 192.168.2.xx as admin on router A.

Hence I suggested an authorized list at Router A, to include any remote wireguard IPs coming in, and any local admin login needs..........

(4) Yes, just remove the firewall address list named WAN; don't touch WAN elsewhere as those are different. Firewall address list and interface list are two different entities with different functions.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard site to site Hex to UDM

Fri Dec 09, 2022 12:08 am

(1) Remove mangle for hairpin nat not required.
If you have servers on 192.168.2.0/24 that local users on the same subnet need access to,
You have three options.

a. put server on a different subnet
b. use LANIP of server to reach it.
c. want users to use wanip and thus need src nat hairpin nat rule as such......

LOOK you already have the rule...........so just get rid of that mangle stuff.
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark=\
"Hairpin NAT" dst-address=192.168.2.0/24 src-address=192.168.2.0/24
add action=masquerade chain=srcnat comment="NEW defconf: masquerade" \
out-interface-list=WAN

(2) Fix your dst nat rules.....
add action=dst-nat chain=dstnat dst-address-list=WAN dst-port=8123 log=yes \
protocol=tcp to-addresses=192.168.2.176
add action=src-nat chain=srcnat comment="new 8123" disabled=yes dst-address=\ { disabled and missing dst-address-list=dynamic-WANIP }
192.168.2.176 dst-port=8123 protocol=tcp to-addresses=192.168.2.176
add action=src-nat chain=srcnat comment="new 5800" disabled=yes dst-port=5800 \ { disabled and missing dst-address-list=dynamic-WANIP }
protocol=tcp to-addresses=192.168.2.22
add action=src-nat chain=srcnat comment="new 5900" disabled=yes dst-port=5900 \ { disabled and missing dst-address-list=dynamic-WANIP }
protocol=tcp to-addresses=192.168.2.22
add action=dst-nat chain=dstnat comment="PORT FWD: 8123" dst-address-list=\
dynamic-WANIP dst-port=8123 log=yes protocol=tcp to-addresses=\
192.168.2.176

(3) IP Routes: Get rid of pref-src="" if you can.......... not sure if the router creates that or not on export, on other IP routes.

(4) Missing a route, a way to double check is allowed IP subnets should all be identified, guess which subnet is missing ?????
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard site to site Hex to UDM

Fri Dec 09, 2022 12:09 am

I don't understand what you mean by "and on the other laptop as well?"
OTHER DEVICE, same issue, was an iphone!
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard site to site Hex to UDM

Fri Dec 09, 2022 12:10 am

Now, hopefully getting a better feel for the setup.
Go back and look at your hex B and make any changes you think are necessary.
And repost ...............
 
Josephny
Member
Topic Author
Posts: 452
Joined: Tue Sep 20, 2022 12:11 am

Re: Wireguard site to site Hex to UDM

Fri Dec 09, 2022 2:26 am

It's all going too fast for me.

I implemented some of the changes and now this is showing up in my log, coming from the "drop all else" input chain rule:
(attachment: Screenshot 2022-12-08 192600.jpg)
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard site to site Hex to UDM

Fri Dec 09, 2022 4:23 am

Not sure what you are saying but I work from configs, not jpegs of parts of winbox LOL.

Post configs for review if something is not working.....
 
Josephny
Member
Topic Author
Posts: 452
Joined: Tue Sep 20, 2022 12:11 am

Re: Wireguard site to site Hex to UDM

Fri Dec 09, 2022 12:28 pm

Of course (just trying to make things as easy as possible for you).

I removed the "" in pref-src but the router puts back the empty field.

I have tried to implement the changes -- I'm sure I've failed at some.

With this config, it seems hairpin is not working: If (from my LAN) I go to http://mypublicIPaddress:8123 I get "This site can’t be reached"

Thank you!

# dec/09/2022 05:17:19 by RouterOS 7.6
# software id = C3RH-692B
#
# model = RB750Gr3
# serial number = Hxxxxx
/interface bridge
add name=Bridge-Port3
add admin-mac=1xxxxx auto-mac=no comment=defconf name=bridge
/interface wireguard
add listen-port=51820 mtu=1420 name=212-Wireguard
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MANAGE
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.2.100-192.168.2.200
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=1w3d name=defconf
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE bridge-learning=no
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=212-Wireguard list=LAN
add interface=bridge list=MANAGE
add interface=212-Wireguard list=MANAGE
/interface ovpn-server server
set auth=sha1,md5
/interface sstp-server server
set default-profile=default-encryption
/interface wireguard peers
add allowed-address=10.10.100.8/32 comment="JRS Laptop" endpoint-port=58820 \
    interface=212-Wireguard persistent-keepalive=40s public-key=\
    "xxxxx"
add allowed-address=10.10.100.2/32,192.168.88.0/24 comment="371 SITE B" \
    endpoint-address=xxx.dyndns.org endpoint-port=52820 interface=\
    212-Wireguard persistent-keepalive=40s public-key=\
    "zxxxxxxx"
add allowed-address=10.10.100.4/32,192.168.1.0/24 comment="255 Site D" \
    endpoint-address=xxx.dyndns.org endpoint-port=54820 interface=\
    212-Wireguard persistent-keepalive=40s public-key=\
    "xxxxxxk="
add allowed-address=10.10.100.3/32,192.168.0.0/24,192.168.5.0/24 comment=\
    "355 Site C" endpoint-address=xxx.dyndns.org endpoint-port=53820 \
    interface=212-Wireguard persistent-keepalive=40s public-key=\
    "4xxxxxxx"
add allowed-address=10.10.100.9/32,192.168.2.0/24 comment="JRS iPhone" \
    endpoint-port=59820 interface=212-Wireguard persistent-keepalive=40s \
    public-key="xxxxx"
/ip address
add address=192.168.2.2/24 comment=defconf interface=bridge network=\
    192.168.2.0
add address=192.168.30.2/24 disabled=yes interface=bridge network=\
    192.168.30.0
add address=10.10.100.1/24 interface=212-Wireguard network=10.10.100.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1h
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.2.100 mac-address=78:6A:1F:8D:F9:C8 server=defconf
add address=192.168.2.102 mac-address=78:6A:1F:8D:FC:B4 server=defconf
add address=192.168.2.101 mac-address=78:6A:1F:8D:FC:0F server=defconf
add address=192.168.2.103 mac-address=A0:68:7E:4D:D0:4B server=defconf
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf gateway=192.168.2.2 netmask=24
/ip dns
set allow-remote-requests=yes cache-size=4096KiB servers=8.8.8.8,1.1.1.1
/ip dns static
add address=192.168.30.2 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.2.0/24 list=LAN
add address=xxxx.dyndns.org list=dynamic-WANIP
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow incoming WG connections" \
    dst-port=51820 protocol=udp
add action=accept chain=input in-interface-list=LAN log=yes
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
add action=accept chain=forward comment="Allows cross peer subnet traffic" \
    in-interface=212-Wireguard out-interface=212-Wireguard
add action=accept chain=forward comment="Allow WG to subnet" dst-address=\
    192.168.2.0/24 in-interface=212-Wireguard
add action=accept chain=forward comment=\
    "Allow local subnet traffic to WG peers" out-interface=212-Wireguard \
    src-address-list=192.168.2.0/24
add action=drop chain=forward comment=NEW
/ip firewall mangle
add action=mark-connection chain=prerouting comment=\
    "Mark connection for hairpin NAT" disabled=yes dst-address-list=WAN \
    new-connection-mark="Hairpin NAT" passthrough=yes src-address-list=LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark=\
    "Hairpin NAT" dst-address=192.168.2.0/24 src-address=192.168.2.0/24
add action=masquerade chain=srcnat comment="NEW defconf: masquerade" \
    out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address-list=dynamic-WANIP dst-port=8123 \
    log=yes protocol=tcp to-addresses=192.168.2.176
/ip route
add disabled=yes dst-address=0.0.0.0/0 gateway=192.168.2.1
add comment=371 disabled=no distance=1 dst-address=192.168.88.0/24 gateway=\
    212-Wireguard routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=355 disabled=no distance=1 dst-address=192.168.0.0/24 gateway=\
    212-Wireguard pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment=255 disabled=no distance=1 dst-address=192.168.1.0/24 gateway=\
    212-Wireguard routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=192.168.5.0/24 gateway=212-Wireguard \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/system clock
set time-zone-name=America/New_York
/system identity
set name="212 Hex"
/system ntp client
set enabled=yes
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard site to site Hex to UDM

Fri Dec 09, 2022 1:06 pm

- Clean up the config, you still have that bridge port 3 kicking around like dirty underwear.. ;-)

- didn't remove the 192.168.2.0/24 from the allowed IPs on iphone.........

- didn't remove the two IP address settings for bridge, still have the .30 address there...............

- while you're at it, get rid of that static DNS setting you have for .30 as well........

- told you many times get rid of the mangle rules for hairpin nat, they are NOT required.

- you can get rid of the other firewall address list entry for LAN, for two reasons.
a. the lan is described in many ways already, by bridge and by the address of it, no need for any single subnet in a firewall address list (it's for groups of things)
b. using the name LAN is confusing with the rest of the config......

- get rid of this IP route that is disabled and serves no purpose....
add disabled=yes dst-address=0.0.0.0/0 gateway=192.168.2.1
Last edited by anav on Fri Dec 09, 2022 1:18 pm, edited 3 times in total.
 
Josephny
Member
Topic Author
Posts: 452
Joined: Tue Sep 20, 2022 12:11 am

Re: Wireguard site to site Hex to UDM

Fri Dec 09, 2022 1:13 pm

Done.
# dec/09/2022 06:09:50 by RouterOS 7.6
# software id = C3RH-692B
#
# model = RB750Gr3
# serial number = Hxxxxxx
/interface bridge
add admin-mac=1xxxxxxx auto-mac=no comment=defconf name=bridge
/interface wireguard
add listen-port=51820 mtu=1420 name=212-Wireguard
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MANAGE
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.2.100-192.168.2.200
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=1w3d name=defconf
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE bridge-learning=no
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=212-Wireguard list=LAN
add interface=bridge list=MANAGE
add interface=212-Wireguard list=MANAGE
/interface ovpn-server server
set auth=sha1,md5
/interface sstp-server server
set default-profile=default-encryption
/interface wireguard peers
add allowed-address=10.10.100.8/32 comment="JRS Laptop" endpoint-port=58820 \
    interface=212-Wireguard persistent-keepalive=40s public-key=\
    "xxxx/xxxxxx="
add allowed-address=10.10.100.2/32,192.168.88.0/24 comment="371 SITE B" \
    endpoint-address=xxx.dyndns.org endpoint-port=52820 interface=\
    212-Wireguard persistent-keepalive=40s public-key=\
    "xxxxxxx="
add allowed-address=10.10.100.4/32,192.168.1.0/24 comment="255 Site D" \
    endpoint-address=xxxx.dyndns.org endpoint-port=54820 interface=\
    212-Wireguard persistent-keepalive=40s public-key=\
    "xxxxx+xxxxxx="
add allowed-address=10.10.100.3/32,192.168.0.0/24,192.168.5.0/24 comment=\
    "355 Site C" endpoint-address=xxx.dyndns.org endpoint-port=53820 \
    interface=212-Wireguard persistent-keepalive=40s public-key=\
    "xxxxx/xxxx="
add allowed-address=10.10.100.9/32 comment="JRS iPhone" endpoint-port=59820 \
    interface=212-Wireguard persistent-keepalive=40s public-key=\
    "xxxxx/xxx/xx="
/ip address
add address=192.168.2.2/24 comment=defconf interface=bridge network=\
    192.168.2.0
add address=10.10.100.1/24 interface=212-Wireguard network=10.10.100.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1h
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.2.100 mac-address=78:6A:1F:8D:F9:C8 server=defconf
add address=192.168.2.102 mac-address=78:6A:1F:8D:FC:B4 server=defconf
add address=192.168.2.101 mac-address=78:6A:1F:8D:FC:0F server=defconf
add address=192.168.2.103 mac-address=A0:68:7E:4D:D0:4B server=defconf
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf gateway=192.168.2.2 netmask=24
/ip dns
set allow-remote-requests=yes cache-size=4096KiB servers=8.8.8.8,1.1.1.1
/ip firewall address-list
add address=192.168.2.0/24 list=LAN
add address=xxx.dyndns.org list=dynamic-WANIP
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow incoming WG connections" \
    dst-port=51820 protocol=udp
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else" log=yes
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
add action=accept chain=forward comment="Allows cross peer subnet traffic" \
    in-interface=212-Wireguard out-interface=212-Wireguard
add action=accept chain=forward comment="Allow WG to subnet" dst-address=\
    192.168.2.0/24 in-interface=212-Wireguard
add action=accept chain=forward comment=\
    "Allow local subnet traffic to WG peers" out-interface=212-Wireguard
add action=drop chain=forward
/ip firewall mangle
add action=mark-connection chain=prerouting comment=\
    "Mark connection for hairpin NAT" disabled=yes dst-address-list=WAN \
    new-connection-mark="Hairpin NAT" passthrough=yes src-address-list=LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark=\
    "Hairpin NAT" dst-address=192.168.2.0/24 src-address=192.168.2.0/24
add action=masquerade chain=srcnat comment="NEW defconf: masquerade" \
    out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address-list=dynamic-WANIP dst-port=8123 \
    log=yes protocol=tcp to-addresses=192.168.2.176
/ip route
add disabled=yes dst-address=0.0.0.0/0 gateway=192.168.2.1
add comment=371 disabled=no distance=1 dst-address=192.168.88.0/24 gateway=\
    212-Wireguard routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=355 disabled=no distance=1 dst-address=192.168.0.0/24 gateway=\
    212-Wireguard pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment=255 disabled=no distance=1 dst-address=192.168.1.0/24 gateway=\
    212-Wireguard routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=192.168.5.0/24 gateway=212-Wireguard \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
 
Josephny
Member
Topic Author
Posts: 452
Joined: Tue Sep 20, 2022 12:11 am

Re: Wireguard site to site Hex to UDM

Fri Dec 09, 2022 1:14 pm

- told you many times get rid of the mangle rules for hairpin nat, they are NOT required.
Do you mean the "special dummy" rules?

I already disabled the "Mark connection for hairpin NAT" mangle rule.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard site to site Hex to UDM

Fri Dec 09, 2022 1:19 pm

- told you many times get rid of the mangle rules for hairpin nat, they are NOT required.
Do you mean the "special dummy" rules?

I already disabled the "Mark connection for hairpin NAT" mangle rule.
Remove this............ why do you insist on keeping garbage config elements floating around.....
/ip firewall mangle
add action=mark-connection chain=prerouting comment=\
"Mark connection for hairpin NAT" disabled=yes dst-address-list=WAN \
new-connection-mark="Hairpin NAT" passthrough=yes src-address-list=LAN
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard site to site Hex to UDM

Fri Dec 09, 2022 1:21 pm

With the changes made can you reach your server from your cell phone? Showing external access works........
There is nothing I see that will stop internal access working.
 
Josephny
Member
Topic Author
Posts: 452
Joined: Tue Sep 20, 2022 12:11 am

Re: Wireguard site to site Hex to UDM

Fri Dec 09, 2022 1:30 pm

With the changes made can you reach your server from your cell phone? Showing external access works........
There is nothing I see that will stop internal access working.
Yes.

Cell phone (no wifi, just cellular), enable WG VPN and I get the proper response from http://<mypublicIP>:8123

Still doesn't work from inside the LAN.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard site to site Hex to UDM

Fri Dec 09, 2022 1:54 pm

Did you get rid of the second IP addresses for the bridge ie the .30 address???
You used the same dyndns name:port externally as you are doing internally?

Did you get rid of the mangle rules.............. AND this little bit, which is probably killing your connectivity.
If you don't understand how something you have added to the config works, why add it?? It's not part of the standard mangle rule...............


/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark=\
    "Hairpin NAT" dst-address=192.168.2.0/24 src-address=192.168.2.0/24
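Why the hairpin test from the LAN fails with the rule anav quotes above, and the standard two-rule MikroTik form that needs no mangle rule, as an added example (not either poster's config; the subnet, the 192.168.2.176:8123 server and the dynamic-WANIP list are the values from this thread).

```routeros
# Added example, not from the thread's exports. Values 192.168.2.0/24,
# 192.168.2.176:8123 and the dynamic-WANIP address-list are those used in
# this thread.

# BROKEN as posted: this srcnat rule only matches connections carrying the
# "Hairpin NAT" connection mark. The mangle rule that used to set that mark
# is disabled, so nothing is ever marked and the rule never fires. A LAN
# client then reaches the server through dst-nat, but the server answers the
# client directly with its own LAN address, and the client drops the reply
# because it expected one from the public IP.
# /ip firewall nat
# add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark=\
#     "Hairpin NAT" dst-address=192.168.2.0/24 src-address=192.168.2.0/24

# WORKING: the standard form, no connection mark involved.
/ip firewall nat
# 1. forward public-IP:8123 to the server regardless of which interface the
#    packet arrives on; dynamic-WANIP holds the router's DDNS name, so the
#    list follows the current WAN address
add action=dst-nat chain=dstnat comment="PORT FWD: 8123" \
    dst-address-list=dynamic-WANIP dst-port=8123 protocol=tcp \
    to-addresses=192.168.2.176
# 2. srcnat runs after dst-nat, so a LAN client's connection now shows
#    dst 192.168.2.176; rewriting its source to the router's LAN address forces
#    the server's reply back through the router, which undoes the dst-nat
add action=masquerade chain=srcnat comment="Hairpin NAT" \
    dst-address=192.168.2.0/24 src-address=192.168.2.0/24
# 3. ordinary internet masquerade is unchanged
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface-list=WAN

# A wireguard client (10.10.100.x) does not need rule 2: the server's reply
# to a 10.10.100.x address already has to route back through the router.
# That is why the cellular test succeeded while the LAN test failed.

# Check from the router: the counters on rules 1 and 2 should both increase
# when a LAN host browses to http://<public-ip>:8123
# /ip firewall nat print stats
```

The forward chain must still let the translated connection through; the existing "allow port forwarding" rule with connection-nat-state=dstnat does that.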
 
Josephny
Member
Topic Author
Posts: 452
Joined: Tue Sep 20, 2022 12:11 am

Re: Wireguard site to site Hex to UDM

Fri Dec 09, 2022 2:41 pm

I believe I've done all the things you instructed.

Below is the current config.

Please note that I've been playing around this morning trying to accomplish this with this connectivity.

I am currently at Site-A. At Site-B I had a non-technical person install an IP camera.

The camera is set to its default IP of 192.168.1.108 and the only way to configure it is via a desktop application.

So, I am trying to gain access to 192.168.1.108 via VPN to run the app where I am.

I've made some progress by adding the IP address 192.168.1.0/24 and a route for it to the Site-B router. I also added that network to the WG peer allowed IPs at Site-A.

From Site-B's router I can ping 192.168.1.108.

From Site-A's router I can ping Site-B's 192.168.1.10 IP address, but I can't ping 192.168.1.108.

So that's why things are a little changed.

# dec/09/2022 07:32:17 by RouterOS 7.6
# software id = C3RH-692B
#
# model = RB750Gr3
# serial number = xxxxx
/interface bridge
add admin-mac=xxxxx auto-mac=no comment=defconf name=bridge
/interface wireguard
add listen-port=51820 mtu=1420 name=212-Wireguard
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MANAGE
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.2.100-192.168.2.200
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=1w3d name=defconf
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE bridge-learning=no
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=212-Wireguard list=LAN
add interface=bridge list=MANAGE
add interface=212-Wireguard list=MANAGE
/interface ovpn-server server
set auth=sha1,md5
/interface sstp-server server
set default-profile=default-encryption
/interface wireguard peers
add allowed-address=10.10.100.8/32 comment="JRS Laptop" endpoint-port=58820 \
    interface=212-Wireguard persistent-keepalive=40s public-key=\
    "xxx/xxx="
add allowed-address=10.10.100.2/32,192.168.88.0/24,192.168.1.0/24 comment=\
    "371 SITE B" endpoint-address=xxx.dyndns.org endpoint-port=52820 \
    interface=212-Wireguard persistent-keepalive=40s public-key=\
    "xxxxxxx="
add allowed-address=10.10.100.4/32,192.168.1.0/24 comment="255 Site D" \
    disabled=yes endpoint-address=xxx.dyndns.org endpoint-port=54820 \
    interface=212-Wireguard persistent-keepalive=40s public-key=\
    "xx+xxx="
add allowed-address=10.10.100.3/32,192.168.0.0/24,192.168.5.0/24 comment=\
    "355 Site C" endpoint-address=xxxx.dyndns.org endpoint-port=53820 \
    interface=212-Wireguard persistent-keepalive=40s public-key=\
    "xxxxx/xxxxx="
add allowed-address=10.10.100.9/32 comment="JRS iPhone" endpoint-port=59820 \
    interface=212-Wireguard persistent-keepalive=40s public-key=\
    "xxxx/xxx/ZBIFY="
/ip address
add address=192.168.2.2/24 comment=defconf interface=bridge network=\
    192.168.2.0
add address=10.10.100.1/24 interface=212-Wireguard network=10.10.100.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1h
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.2.100 mac-address=78:6A:1F:8D:F9:C8 server=defconf
add address=192.168.2.102 mac-address=78:6A:1F:8D:FC:B4 server=defconf
add address=192.168.2.101 mac-address=78:6A:1F:8D:FC:0F server=defconf
add address=192.168.2.103 mac-address=A0:68:7E:4D:D0:4B server=defconf
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf gateway=192.168.2.2 netmask=24
/ip dns
set allow-remote-requests=yes cache-size=4096KiB servers=8.8.8.8,1.1.1.1
/ip firewall address-list
add address=xxxx.dyndns.org list=dynamic-WANIP
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow incoming WG connections" \
    dst-port=51820 protocol=udp
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward in-interface-list=LAN log=yes \
    out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
add action=accept chain=forward comment="Allows cross peer subnet traffic" \
    in-interface=212-Wireguard out-interface=212-Wireguard
add action=accept chain=forward comment="Allow WG to subnet" dst-address=\
    192.168.2.0/24 in-interface=212-Wireguard log=yes
add action=accept chain=forward comment=\
    "Allow local subnet traffic to WG peers" log=yes out-interface=\
    212-Wireguard
add action=drop chain=forward
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark=\
    "Hairpin NAT" dst-address=192.168.2.0/24 src-address=192.168.2.0/24
add action=masquerade chain=srcnat comment="NEW defconf: masquerade" \
    out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address-list=dynamic-WANIP dst-port=8123 \
    protocol=tcp to-addresses=192.168.2.176
/ip route
add comment=371 disabled=no distance=1 dst-address=192.168.88.0/24 gateway=\
    212-Wireguard routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=355 disabled=no distance=1 dst-address=192.168.0.0/24 gateway=\
    212-Wireguard pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment=255 disabled=no distance=1 dst-address=192.168.1.0/24 gateway=\
    212-Wireguard routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=192.168.5.0/24 gateway=212-Wireguard \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard site to site Hex to UDM

Fri Dec 09, 2022 4:08 pm

You need to send me both configs if you are interested in fixing camera issues....
Does the port forwarding now work at site A?

You had this rule correct??
add action=accept chain=forward comment=\
"Allow local subnet traffic to WG peers" out-interface=212-Wireguard \
src-address-list=192.168.2.0/24


Why did you change it to this............... ????????
add action=accept chain=forward comment=\
"Allow local subnet traffic to WG peers" log=yes out-interface=\
212-Wireguard

Always better to define where traffic is coming from and where it is going,............ the rule is too open ended and does not change any facts or any traffic flow into the tunnel.........
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard site to site Hex to UDM

Fri Dec 09, 2022 4:13 pm

In terms of WireGuard traffic, everything looks fine at site A, so I do need to see the latest site B config.
 
Josephny
Member
Topic Author
Posts: 452
Joined: Tue Sep 20, 2022 12:11 am

Re: Wireguard site to site Hex to UDM

Fri Dec 09, 2022 4:47 pm

This is Site-B's config:

# dec/09/2022 09:43:42 by RouterOS 7.5
# software id = 9QHQ-45Y2
#
# model = RB750Gr3
# serial number = xxxx
/interface bridge
add admin-mac=xxxxxx auto-mac=no comment=defconf name=bridge \
    protocol-mode=none
/interface wireguard
add listen-port=52820 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE dns-server=8.8.8.8
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=all
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=16384
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wireguard1 list=LAN
/interface sstp-server server
set default-profile=default-encryption
/interface wireguard peers
add allowed-address=192.168.2.0/24,10.10.100.1/32 comment=212 \
    endpoint-address=xxx.dyndns.org endpoint-port=51820 interface=\
    wireguard1 persistent-keepalive=40s public-key=\
    "xxxx/xxx="
add allowed-address=10.10.100.4/32,192.168.1.0/24 comment=255 \
    endpoint-address=xxx.dyndns.org endpoint-port=54820 interface=\
    wireguard1 persistent-keepalive=40s public-key=\
    "xxx+xxxx="
add allowed-address=192.168.0.0/24,192.168.5.0/24,10.10.100.3/32 comment=355 \
    endpoint-address=xxx.dyndns.org endpoint-port=53820 interface=\
    wireguard1 persistent-keepalive=40s public-key=\
    "xxx/xxx="
add allowed-address=10.10.90.0/24,192.168.88.0/24 comment=\
    "WG client on BI PC" endpoint-address=xxx.dyndns.org endpoint-port=\
    51820 interface=wireguard1 persistent-keepalive=40s public-key=\
    "xxxx/xxxxx="
add allowed-address=10.10.100.8/32 comment=Laptop interface=wireguard1 \
    public-key="xxxx+xxxx="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.10.100.2/24 interface=wireguard1 network=10.10.100.0
add address=192.168.1.10/24 interface=bridge network=192.168.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=8.8.8.8,4.4.4.4 \
    gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,4.4.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=xxx.dyndns.org list=mtdale
add address=xxxxx.dyndns.org list=212
add address=subnet_1 list=external-access
add address=subnet_2 list=external-access
add address=subnet_XX list=external-access
add address=10.0.100.5 list=external-access
add address=10.0.100.6 list=external-access
add address=IP-local-admin-destkop list=authorized
add address=IP-local-admin-laptop list=authorized
add address=xxxx.dyndns.org list=dynamic-WANIP
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input src-address-list=212
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow incoming wireguard connections" \
    dst-port=52820 protocol=udp
add action=accept chain=input comment="Alow wireguard to router" \
    in-interface=wireguard1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
add action=accept chain=forward comment="Allow wireguard to subnet" \
    dst-address=192.168.88.0/24 in-interface=wireguard1
add action=accept chain=forward comment="Allow wireguard to subnet" \
    dst-address=192.168.1.0/24 in-interface=wireguard1 log=yes
add action=accept chain=forward comment="Allow subnet to enter WG" \
    in-interface-list=LAN log=yes out-interface=wireguard1
add action=accept chain=forward in-interface=wireguard1 protocol=udp
add action=drop chain=forward comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat disabled=yes dst-port=9000,8080,554,1935,8035 \
    in-interface=wireguard1 log=yes protocol=tcp to-addresses=192.168.88.35
add action=dst-nat chain=dstnat dst-port=9000,8080,554,1935,8035 protocol=tcp \
    src-address-list=212 to-addresses=192.168.88.35
add action=dst-nat chain=dstnat comment=cam dst-port=8080,9000,554,1935,8035 \
    protocol=tcp src-address-list=mtdale to-addresses=192.168.88.35
/ip route
add disabled=no distance=1 dst-address=192.168.2.0/24 gateway=wireguard1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.0.0/24 gateway=wireguard1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=192.168.1.0/24 gateway=wireguard1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=192.168.5.0/24 gateway=wireguard1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip ssh
set forwarding-enabled=both
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard site to site Hex to UDM

Fri Dec 09, 2022 5:24 pm

Site B
(1) ERROR or different wireguard network???
add allowed-address=10.10.90.0/24,192.168.88.0/24 comment=\
"WG client on BI PC" endpoint-address=xxx.dyndns.org endpoint-port=\
51820 interface=wireguard1 persistent-keepalive=40s public-key=\
"xxxx/xxxxx="

(2) What is the purpose of two IP addresses attached to the same bridge..................

/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0

add address=10.10.100.2/24 interface=wireguard1 network=10.10.100.0
add address=192.168.1.10/24 interface=bridge network=192.168.1.0


(3) Same error as in site A.
add allowed-address=10.10.100.4/32,192.168.1.0/24 comment=255 \
endpoint-address=xxx.dyndns.org endpoint-port=54820 interface=\
wireguard1 persistent-keepalive=40s public-key=\
"xxx+xxxx="


add allowed-address=10.10.90.0/24,192.168.88.0/24 comment=\
"WG client on BI PC" endpoint-address=xxx.dyndns.org endpoint-port=\
51820 interface=wireguard1 persistent-keepalive=40s public-key=\
"xxxx/xxxxx="


/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=10.10.100.2/24 interface=wireguard1 network=10.10.100.0
add address=192.168.1.10/24 interface=bridge network=192.168.1.0


It is clear now that you are not making any effort and have not bothered to read the material or attempt to understand it,
where I have pointed out that allowed IPs are not for local addresses.

Thus I am done here.............. The lack of effort to apply new knowledge or read the information provided is very discouraging.
I hope someone else takes over as I am done. It seems you want all the answers and none of the work.
I was
Last edited by anav on Fri Dec 09, 2022 5:47 pm, edited 1 time in total.
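A check for the two allowed-address mistakes called out in this post (the same prefix listed under more than one peer, and a subnet that is local to the router listed as a peer's allowed-address), written here as an added example that is not from the thread. It parses RouterOS export syntax as posted above; the sample export, its peer comments and the "A=" style keys are constructed placeholders.

```python
import ipaddress, re
# Constructed sample in RouterOS export syntax (not the thread's real export, keys redacted).
SAMPLE_EXPORT = """\
/interface wireguard peers
add allowed-address=192.168.2.0/24,10.10.100.1/32 comment=212 \\
    interface=wireguard1 public-key="A="
add allowed-address=10.10.100.4/32,192.168.1.0/24 comment=255 \\
    interface=wireguard1 public-key="B="
add allowed-address=10.10.90.0/24,192.168.88.0/24,192.168.1.0/24 comment=\\
    "WG client on BI PC" interface=wireguard1 public-key="C="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge
add address=10.10.100.2/24 interface=wireguard1
add address=192.168.1.10/24 interface=bridge
"""
def parse_sections(text):
    """Map each '/section path' to its command lines, backslash wraps joined."""
    sections, current = {}, None
    for line in re.sub(r"\\\n\s*", "", text).splitlines():
        if line.startswith("/"):
            current = line.strip()
            sections.setdefault(current, [])
        elif current and line.strip():
            sections[current].append(line.strip())
    return sections
def field(cmd, key):
    """Value of key=... in a command line; quoted values may contain spaces."""
    m = re.search(rf'(?:^|\s){key}=("[^"]*"|\S+)', cmd)
    return m.group(1).strip('"') if m else None
def find_conflicts(text):
    """Return (kind, prefix, detail) per allowed-address problem. Addresses on the
    tunnel interface itself are ignored: its /24 legitimately contains peer /32s."""
    sections = parse_sections(text)
    peers = sections.get("/interface wireguard peers", [])
    wg_ifaces = {field(c, "interface") for c in peers}
    local = [(field(c, "interface"), ipaddress.ip_interface(field(c, "address")).network)
             for c in sections.get("/ip address", [])
             if field(c, "interface") not in wg_ifaces]
    owner, findings = {}, []
    for cmd in peers:
        name = field(cmd, "comment") or field(cmd, "public-key")
        for p in (field(cmd, "allowed-address") or "").split(","):
            net = ipaddress.ip_network(p, strict=False)
            if net in owner and owner[net] != name:  # same prefix on two peers
                findings.append(("duplicate", p, f"{owner[net]} and {name}"))
            owner.setdefault(net, name)
            for iface, lnet in local:  # router's own subnet as a peer's allowed-address
                if net.overlaps(lnet):
                    findings.append(("local", p, f"{name} overlaps {iface}"))
    return findings
```

Run against the sample it reports 192.168.1.0/24 both as a duplicate across the "255" and "WG client on BI PC" peers and as overlapping the bridge, plus 192.168.88.0/24 overlapping the bridge, while the 10.10.100.x tunnel addresses produce no finding.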
 
Josephny
Member
Topic Author
Posts: 452
Joined: Tue Sep 20, 2022 12:11 am

Re: Wireguard site to site Hex to UDM

Fri Dec 09, 2022 5:47 pm

1) "WG on BI PC" stands for Wireguard on BlueIris Personal Computer. This is a PC at Site-C, set up with WG.

2) Adding 192.168.1.10/24 to the heX at Site-B was done so that the heX could talk to the new camera (at 192.168.1.108)

3) 10.10.100.4 is Site-D

To summarize:

From Site-B's heX I can ping 192.168.10.108 (the camera). I cannot ping 192.168.2.2 (heX at Site-A) or 10.10.100.2 (heX at Site-A) or any lan address in 192.168.2.x

From Site-A's heX I can ping 192.168.1.10 (Site-B's heX) and 10.10.100.2 and 192.168.88.1 (Site-B's heX) and 192.168.88.x. But, I cannot ping 192.168.1.108
 
Josephny
Member
Topic Author
Posts: 452
Joined: Tue Sep 20, 2022 12:11 am

Re: Wireguard site to site Hex to UDM

Fri Dec 09, 2022 6:29 pm

I just saw that you are done.

I'm sorry you feel that I am not trying. I am. While working and taking care of a family and doing other things.

I do thank you for your help so far -- you've been very generous.
 
Josephny
Member
Topic Author
Posts: 452
Joined: Tue Sep 20, 2022 12:11 am

Re: Wireguard site to site Hex to UDM

Mon Dec 12, 2022 2:08 pm

Update:

1) I was able to configure the routers and WG to allow me to fully access and configure the remote camera.

2) I was able to configure the routers and WG so that all devices at all sites can ping any device at any of the other sites.

3) I have been working to try to understand the environment better (routes, firewalls, WG setting, scripting, etc.)

4) I just ordered a hap AC3 for another location (to replace the stock Spectrum router/AP) so I will add another WG location to the mix.

5) No progress on VLANs, but learning it is on my to-do list.

6) Still would like to separate the traffic associated with the cable set top boxes and FIOS router performing only MOCA bridging (ip traffic from CatX to coax cable).
