hrishi
just joined
Topic Author
Posts: 5
Joined: Wed Jan 20, 2021 6:36 pm

Wireguard VPN could not connect VLAN clients on RB3011UiAS

Fri Dec 09, 2022 1:35 pm

Hi,

I have a MikroTik router RB3011UiAS. On ETH 3 I have 3 VLANs, VLAN IDs 6, 7 and 8. Two WAN internet PPPoE links are on ETH 2 and ETH 4 respectively. DHCP is configured for all 3 VLANs. ETH 3 is connected to the trunk port of a Cisco CBS 350 switch. On that switch only the same 3 VLANs are configured and assigned to access ports for the clients. This switch is in L2 mode only; routing is disabled. On the MikroTik router a firewall rule is configured to block any traffic between all 3 VLANs. All clients in the 3 VLANs get internet access properly.

I have set up WireGuard; the WireGuard interface IP is 10.66.67.1/24. The VPN client is able to connect to the router, but it cannot access any host in the VLAN. The VPN client can ping only the VLAN interface IP, let's say 192.168.8.1, but cannot ping 192.168.8.9, 10 etc.
Below is the config for your reference, please help.
Also attached: Network Diagram.
# nov/18/2022 18:02:51 by RouterOS 7.6
# software id = WR5M-DGW6
#
# model = RB3011UiAS
# serial number = 
/interface ethernet
set [ find default-name=ether1 ] name=ether1_HATH
set [ find default-name=ether2 ] name=ether2_BSNL
set [ find default-name=ether3 ] name=ether3_LAN
set [ find default-name=ether4 ] name=ether4_BSNL_ILL_WAN
set [ find default-name=ether5 ] name=ether5_BSNL_ILL_LAN
set [ find default-name=ether6 ] name=ether6_BSNL_ILL_Static
set [ find default-name=ether7 ] name=ether7_JIO_ILL
set [ find default-name=ether8 ] name=ether8_JIO_STATIC
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether2_BSNL name=pppoe-out1 \
    service-name=smphi5 use-peer-dns=yes user=
add add-default-route=yes disabled=no interface=ether4_BSNL_ILL_WAN name=\
    pppoe-out2 user=
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=ether3_LAN name=vlan1 vlan-id=8
add interface=ether3_LAN name=vlan2 vlan-id=7
add interface=ether3_LAN name=vlan3 vlan-id=6
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.7.101-192.168.7.126
add name=dhcp_pool2 ranges=192.168.8.70-192.168.9.200
add name=dhcp_pool3 ranges=192.168.7.50-192.168.7.62
/ip dhcp-server
add address-pool=dhcp_pool0 interface=vlan3 name=dhcp1
add address-pool=dhcp_pool2 interface=vlan1 name=dhcp3
add address-pool=dhcp_pool3 interface=vlan2 name=dhcp2
/port
set 0 name=serial0
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/routing table
add fib name=to_BSNL
add fib name=to_ILL
/user-manager user
add attributes=Framed-Pool:dhcp_pool1 name=sonicwall
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set accept-source-route=yes max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set default-profile=default use-ipsec=yes
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=10.66.67.2/32 interface=wireguard1 public-key=\
    ""
/ip address
add address=10.66.67.1/24 interface=wireguard1 network=10.66.67.0
add address=192.168.8.1/23 interface=vlan1 network=192.168.8.0
add address=192.168.7.1/26 interface=vlan2 network=192.168.7.0
add address=192.168.7.65/26 interface=vlan3 network=192.168.7.64
/ip dhcp-server network
add address=192.168.7.0/26 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.7.1
add address=192.168.7.64/26 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.7.65
add address=192.168.8.0/23 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.8.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.8.0/23 list=LAN
add address=x.x.x.x list=WAN
add address=x.x.x.x list=WAN
/ip firewall filter
add action=accept chain=input icmp-options=8:0-255 protocol=icmp
add action=accept chain=input dst-port=13231 protocol=udp
add action=drop chain=forward dst-address=192.168.7.0/26 src-address=\
    192.168.8.0/23
add action=drop chain=forward dst-address=192.168.8.0/23 src-address=\
    192.168.7.0/26
add action=drop chain=forward dst-address=192.168.7.0/26 src-address=\
    192.168.7.64/26
add action=drop chain=forward dst-address=192.168.7.64/26 src-address=\
    192.168.7.0/26
add action=drop chain=forward dst-address=192.168.7.64/26 src-address=\
    192.168.8.0/23
add action=drop chain=forward dst-address=192.168.8.0/23 src-address=\
    192.168.7.64/26
add action=drop chain=output protocol=tcp src-port=80
add action=drop chain=output protocol=tcp src-port=443
/ip firewall mangle
add action=accept chain=prerouting in-interface=pppoe-out1
add action=accept chain=prerouting in-interface=pppoe-out2
add action=mark-connection chain=prerouting comment=\
    "New Conn Mark: ILL_conn Per conn classifier 8/0 to 8/1" \
    dst-address-type=!local new-connection-mark=BSNL_conn passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address-type=!local \
    new-connection-mark=ILL_conn passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=BSNL_conn \
    new-routing-mark=to_BSNL passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ILL_conn \
    new-routing-mark=to_ILL passthrough=yes
add action=mark-connection chain=prerouting dst-address-list=WAN \
    new-connection-mark=NAT-SSH passthrough=yes src-address-list=LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="Hair-Pin NAT" connection-mark=\
    NAT-SSH
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=masquerade chain=srcnat out-interface=pppoe-out2
add action=dst-nat chain=dstnat dst-address-list=WAN dst-port=2022 log=yes \
    protocol=tcp to-addresses=192.168.8.50 to-ports=22
add action=dst-nat chain=dstnat dst-address-list=WAN dst-port=2023 log=yes \
    protocol=tcp to-addresses=192.168.8.2 to-ports=22
add action=dst-nat chain=dstnat dst-address-list=WAN dst-port=63797 log=yes \
    protocol=udp to-addresses=192.168.8.2 to-ports=63797
add action=dst-nat chain=dstnat dst-address-list=WAN dst-port=7000-7005 log=\
    yes protocol=tcp to-addresses=192.168.8.50 to-ports=7000-7005
add action=masquerade chain=srcnat disabled=yes src-address=10.66.67.0/24
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out1 pref-src=\
    0.0.0.0 routing-table=to_BSNL scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out2 pref-src=\
    0.0.0.0 routing-table=to_ILL scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out2 \
    routing-table=main suppress-hw-offload=no
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=pppoe-out1 \
    routing-table=main suppress-hw-offload=no
add disabled=no dst-address=10.66.68.0/24 gateway=192.168.8.2 routing-table=\
    main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
/ip smb
set enabled=yes
/lcd
set enabled=no touch-screen=disabled
/ppp profile
set *FFFFFFFE bridge=*C dns-server=8.8.8.8 local-address=192.168.12.1 \
    remote-address=dhcp_pool2
/radius
add address=127.0.0.1 service=login,dhcp
/radius incoming
set accept=yes
/snmp
set enabled=yes trap-generators=interfaces
/system clock
set time-zone-name=Asia/Kolkata
/system logging
add topics=event
/system ntp client
set enabled=yes
/system ntp client servers
add address=time.google.com
/tool graphing interface
add interface=ether2_BSNL
add interface=ether4_BSNL_ILL_WAN
add interface=ether7_JIO_ILL
/user aaa
set use-radius=yes
/user-manager
set certificate=*0 enabled=yes
/user-manager router
add address=127.0.0.1 name=Sonicwall
add address=192.168.7.201 name=router1
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard VPN could not connect VLAN clients on RB3011UiAS

Fri Dec 09, 2022 6:23 pm

Too bad your text and diagram have nothing in common.

Will the real ether2, ether3 etc. stand up...............

You also have the butt ugly config that uses the same vlan subnet for two different vlans........
vlan6 192.168.7.0/24 and vlan7 192.168.7.0/24
Not interested in such a horrid setup.

Hopefully someone who can work with that and a useless firewall is willing to help.
 
jvanhambelgium
Forum Veteran
Posts: 989
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Wireguard VPN could not connect VLAN clients on RB3011UiAS

Fri Dec 09, 2022 8:52 pm

Are these clients all Windows PCs / servers?
Sure there is no host-based firewall at play here?

Remember, a Windows machine will drop pings if not sourced from the local network range. For sure 10.66.67.x is outside any 192.168.x.x range here.
 
hrishi
just joined
Topic Author
Posts: 5
Joined: Wed Jan 20, 2021 6:36 pm

Re: Wireguard VPN could not connect VLAN clients on RB3011UiAS

Sat Dec 10, 2022 9:35 am

Hi,
I have attached the corrected Network Diagram. Sorry for the inconvenience.
Thanks
 
hrishi
just joined
Topic Author
Posts: 5
Joined: Wed Jan 20, 2021 6:36 pm

Re: Wireguard VPN could not connect VLAN clients on RB3011UiAS

Sat Dec 10, 2022 9:38 am

Hi,

Mixed: Windows as well as Ubuntu as well as Apple Mac.
What could be the solution?

Thanks
 
jvanhambelgium
Forum Veteran
Posts: 989
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

AB

Sat Dec 10, 2022 11:14 am

Well, it seems that your VLAN setup works OK, as clients on these VLANs can effectively go out to the Internet etc.
It also sounds promising that from your WireGuard peers/clients you can already ping the L3 VLAN IPs on the MikroTik.

Can you, at the top of the "forward chain", above the "drops" for inter-VLAN traffic, add a rule where you explicitly allow the WireGuard IP range? And have LOGGING activated? Do you see ANYTHING there? Do the "counters" increase?

You really need to further "isolate" this issue, using logging & counters to get a clue IF packets traverse in the first place.
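One way to set up the logging-and-counters check suggested above, as an added example that is not part of the thread (it assumes the interface names and the 10.66.67.0/24 range from the posted export; the log prefixes and rule comments are constructed):

```routeros
# Added diagnostic, not from the thread. Two accept-and-log rules for the
# WireGuard range are placed at index 0, i.e. ahead of every existing rule,
# so they precede all inter-VLAN drops in the forward chain.
/ip firewall filter
add chain=forward src-address=10.66.67.0/24 in-interface=wireguard1 \
    action=accept log=yes log-prefix="wg-to-lan" \
    comment="diag: VPN -> VLAN hosts" place-before=0
add chain=forward dst-address=10.66.67.0/24 out-interface=wireguard1 \
    action=accept log=yes log-prefix="lan-to-wg" \
    comment="diag: VLAN hosts -> VPN (return path)" place-before=0

# Zero the counters, then ping a VLAN host (e.g. 192.168.8.9) from the VPN
# client and re-check: only the "diag:" rules are listed here.
/ip firewall filter reset-counters-all
/ip firewall filter print stats where comment~"diag:"

# Logged packets show which direction, if any, actually traversed forward.
/log print where message~"wg-to-lan" or message~"lan-to-wg"

# If "wg-to-lan" counts but "lan-to-wg" stays at zero, the request left the
# router and no reply came back: capture on the VLAN interface for 10 s to
# see whether the target host answers the 10.66.67.2 source at all.
/tool sniffer quick interface=vlan1 ip-address=10.66.67.2 duration=10
```

The rules are for isolation only; once the failing direction is known they can be removed again so the forward chain keeps just the intended inter-VLAN policy.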
 
hrishi
just joined
Topic Author
Posts: 5
Joined: Wed Jan 20, 2021 6:36 pm

Re: Wireguard VPN could not connect VLAN clients on RB3011UiAS

Mon Dec 12, 2022 5:14 pm

Hi,

I have added firewall allow rules on top of the drop rules.
After adding them I was not able to ping 192.168.8.1 either, nor the other hosts on that subnet.
But I was able to log in to the MikroTik router from 192.168.8.1.
I even could not ping 10.66.67.1.


Wireguard peer config:
[Interface]
PrivateKey = GKuHzQom5Ta/lybBUNfHSqNqdS6dB00PF8ELA3yilU4=
ListenPort = 13231
Address = 10.66.67.2/24
DNS = 192.168.8.1

[Peer]
PublicKey = ****
PresharedKey = 3nM4daZZIUzhlfvWHIbkFHlD6i57+Esw64lOyWn4BKU=
AllowedIPs = 192.168.8.0/23, 10.66.67.0/24
Endpoint = ****:13231