h4kuy4
just joined
Topic Author
Posts: 3
Joined: Sat Mar 04, 2023 7:02 am

Can not access to the remote LAN through wireguard

Sat Mar 04, 2023 8:32 am

I have a network like image below.
[image: network diagram]
I peered my phone and my router at home with WireGuard.

Now my phone can access my router successfully at address 172.16.0.1, and I can ping my phone successfully from the router over the WireGuard interface.
But I can't access my computer in my home LAN, such as 172.16.0.10, and my computer can't access my phone either.

Here is my config. The WireGuard interface wg4 is for peering with the phone; the others are for site-to-site tunnels, which are not configured yet.
# mar/04/2023 14:15:19 by RouterOS 7.5
# software id = IURD-U9F3
#
# model = RB750Gr3

/interface bridge
add name=LAN_Bridge
add name=lo
/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan
set [ find default-name=ether2 ] name=ether2-wan
set [ find default-name=ether3 ] name=ether3-lan
set [ find default-name=ether4 ] name=ether4-lan
set [ find default-name=ether5 ] name=ether5-lan
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether2-wan name=pppoe-out4 \
    user=**********
/interface vrrp
add interface=ether1-wan name=vrrp1
add interface=ether1-wan name=vrrp2 vrid=2
add interface=ether1-wan name=vrrp3 vrid=3

/interface pppoe-client
add disabled=no interface=vrrp1 name=pppoe-out1 user=**********
add disabled=no interface=vrrp2 name=pppoe-out2 user=**********
add disabled=no interface=vrrp3 name=pppoe-out3 user=**********

/interface wireguard
add listen-port=42232 mtu=1420 name=wg0
add listen-port=42233 mtu=1420 name=wg1
add listen-port=42234 mtu=1420 name=wg2
add listen-port=42235 mtu=1420 name=wg3
add listen-port=42236 mtu=1420 name=wg4
add listen-port=42237 mtu=1420 name=wg5

/routing table
add fib name=PCC_ROUT1
add fib name=PCC_ROUT2
add fib name=PCC_ROUT3
add disabled=no fib name=PCC_ROUT4
add disabled=no fib name=WG_ENTRY

/interface bridge port
add bridge=LAN_Bridge ingress-filtering=no interface=ether3-lan
add bridge=LAN_Bridge ingress-filtering=no interface=ether4-lan
add bridge=LAN_Bridge ingress-filtering=no interface=ether5-lan

/interface wireguard peers
add allowed-address=172.16.129.2/32 comment=Laptop interface=wg4 \
    public-key="********"
add allowed-address=172.16.129.3/32 comment=Phone interface=wg4 \
    public-key="********"
add allowed-address=0.0.0.0/0 endpoint-address=******** endpoint-port=\
    59980 interface=wg2 public-key=\
    "********"
add allowed-address=0.0.0.0/0 endpoint-address=******** endpoint-port=\
    42333 interface=wg3 public-key=\
    "********"
add allowed-address=0.0.0.0/0 endpoint-address=******** \
    endpoint-port=65535 interface=wg0 public-key=\
    "********"
add allowed-address=0.0.0.0/0 endpoint-address=******** endpoint-port=\
    47417 interface=wg1 public-key=\
    "********"
add allowed-address=0.0.0.0/0 endpoint-address=******** endpoint-port=\
    45679 interface=wg5 public-key=\
    "********"
    
/ip address
add address=172.16.0.192/26 interface=ether1-wan network=172.16.0.192
add address=172.16.0.193/26 interface=vrrp1 network=172.16.0.192
add address=172.16.0.194/26 interface=vrrp2 network=172.16.0.192
add address=172.16.0.195/26 interface=vrrp3 network=172.16.0.192
add address=172.16.0.196/26 interface=ether2-wan network=172.16.0.192
add address=172.16.0.1/25 interface=LAN_Bridge network=172.16.0.0
add address=172.16.255.1 interface=lo network=172.16.255.0
add address=172.16.128.1/24 interface=wg0 network=172.16.128.0
add address=172.16.128.2/24 interface=wg1 network=172.16.128.0
add address=172.16.128.3/24 interface=wg2 network=172.16.128.0
add address=172.16.128.4/24 interface=wg3 network=172.16.128.0
add address=172.16.129.1/24 interface=wg4 network=172.16.129.0
add address=172.16.128.6/24 interface=wg5 network=172.16.128.0

/ip firewall filter
add action=accept chain=forward in-interface=wg4
add action=accept chain=forward out-interface=wg4
add action=accept chain=input comment="allow WireGuard" dst-port=42232 \
    protocol=udp
add action=accept chain=input dst-port=42233 protocol=udp
add action=accept chain=input dst-port=42234 protocol=udp
add action=accept chain=input dst-port=42235 protocol=udp
add action=accept chain=input dst-port=42236 protocol=udp
add action=accept chain=input dst-port=42237 protocol=udp
add action=accept chain=input comment="allow WireGuard traffic" in-interface=\
    wg0
add action=accept chain=input in-interface=wg1
add action=accept chain=input in-interface=wg2
add action=accept chain=input in-interface=wg3
add action=accept chain=input in-interface=wg4
add action=accept chain=input in-interface=wg5

/ip firewall mangle
add action=change-mss chain=forward comment="MSS Change" new-mss=\
    clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
add action=change-mss chain=output new-mss=clamp-to-pmtu passthrough=yes \
    protocol=tcp tcp-flags=syn
add action=mark-connection chain=prerouting comment=PCC1 dst-address-type=\
    !local in-interface=LAN_Bridge new-connection-mark=PCC1 passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:4/0
add action=mark-routing chain=prerouting connection-mark=PCC1 in-interface=\
    LAN_Bridge new-routing-mark=PCC_ROUT1 passthrough=yes
add action=mark-connection chain=prerouting comment=PCC2 dst-address-type=\
    !local in-interface=LAN_Bridge new-connection-mark=PCC2 passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:4/1
add action=mark-routing chain=prerouting connection-mark=PCC2 in-interface=\
    LAN_Bridge new-routing-mark=PCC_ROUT2 passthrough=yes
add action=mark-connection chain=prerouting comment=PCC3 dst-address-type=\
    !local in-interface=LAN_Bridge new-connection-mark=PCC3 passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:4/2
add action=mark-routing chain=prerouting connection-mark=PCC3 in-interface=\
    LAN_Bridge new-routing-mark=PCC_ROUT3 passthrough=yes
add action=mark-connection chain=prerouting comment=PCC4 dst-address-type=\
    !local in-interface=LAN_Bridge new-connection-mark=PCC4 passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:4/3
add action=mark-routing chain=prerouting connection-mark=PCC4 in-interface=\
    LAN_Bridge new-routing-mark=PCC_ROUT4 passthrough=yes
add action=mark-connection chain=input comment=WG_ENTRY_IO disabled=yes \
    in-interface=wg4 new-connection-mark=WG_ENTRY passthrough=yes
add action=mark-routing chain=output connection-mark=WG_ENTRY disabled=yes \
    new-routing-mark=WG_ENTRY passthrough=yes
add action=mark-connection chain=input comment=PCC_IO1 in-interface=\
    pppoe-out1 new-connection-mark=PCC1 passthrough=yes
add action=mark-routing chain=output connection-mark=PCC1 new-routing-mark=\
    PCC_ROUT1 passthrough=yes
add action=mark-connection chain=input comment=PCC_IO2 in-interface=\
    pppoe-out2 new-connection-mark=PCC2 passthrough=yes
add action=mark-routing chain=output connection-mark=PCC2 new-routing-mark=\
    PCC_ROUT2 passthrough=yes
add action=mark-connection chain=input comment=PCC_IO3 in-interface=\
    pppoe-out3 new-connection-mark=PCC3 passthrough=yes
add action=mark-routing chain=output connection-mark=PCC3 new-routing-mark=\
    PCC_ROUT3 passthrough=yes
add action=mark-connection chain=input comment=PCC_IO4 in-interface=\
    pppoe-out4 new-connection-mark=PCC4 passthrough=yes
add action=mark-routing chain=output connection-mark=PCC4 new-routing-mark=\
    PCC_ROUT4 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment=PPPoE out-interface=pppoe-out1
add action=masquerade chain=srcnat out-interface=pppoe-out2
add action=masquerade chain=srcnat out-interface=pppoe-out3
add action=masquerade chain=srcnat out-interface=pppoe-out4
add action=masquerade chain=srcnat comment=Wireguard disabled=yes \
    dst-address=172.16.129.0/24 src-address=172.16.0.0/25
add action=masquerade chain=srcnat disabled=yes dst-address=172.16.0.0/25 \
    src-address=172.16.129.0/24
    
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-table=\
    PCC_ROUT1
add disabled=no dst-address=0.0.0.0/0 gateway=pppoe-out2 routing-table=\
    PCC_ROUT2
add disabled=no dst-address=0.0.0.0/0 gateway=pppoe-out3 routing-table=\
    PCC_ROUT3
add disabled=no dst-address=0.0.0.0/0 gateway=pppoe-out1
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=pppoe-out2
add disabled=no distance=3 dst-address=0.0.0.0/0 gateway=pppoe-out3
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out4 \
    routing-table=PCC_ROUT4 suppress-hw-offload=no
add disabled=no distance=4 dst-address=0.0.0.0/0 gateway=pppoe-out4 \
    routing-table=main suppress-hw-offload=no
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Can not access to the remote LAN through wireguard

Sat Mar 04, 2023 9:06 pm

Why on earth would you want to access your smartphone from your PC,,,,,,,,,, just asking?

Secondly, your simple explanation/request does not reflect the very complex multiple-WireGuard-interface setup evidenced in the diagram and config.
If you want help then you need to explain the setup more fully.

Why is your WAN network the same as your WAN network and the same as your Bridge network ????
Nothing makes sense.
/ip address
add address=172.16.0.192/26 interface=ether1-wan network=172.16.0.192
add address=172.16.0.193/26 interface=vrrp1 network=172.16.0.192
add address=172.16.0.194/26 interface=vrrp2 network=172.16.0.192
add address=172.16.0.195/26 interface=vrrp3 network=172.16.0.192
add address=172.16.0.196/26 interface=ether2-wan network=172.16.0.192
add address=172.16.0.1/25 interface=LAN_Bridge network=172.16.0.0
add address=172.16.255.1 interface=lo network=172.16.255.0
add address=172.16.128.1/24 interface=wg0 network=172.16.128.0
add address=172.16.128.2/24 interface=wg1 network=172.16.128.0
add address=172.16.128.3/24 interface=wg2 network=172.16.128.0
add address=172.16.128.4/24 interface=wg3 network=172.16.128.0
add address=172.16.129.1/24 interface=wg4 network=172.16.129.0
add address=172.16.128.6/24 interface=wg5 network=172.16.128.0




Your firewall rules are severely lacking for a router.

As to the question.
Nothing in the firewall rules is preventing traffic to your PC
add action=accept chain=forward in-interface=wg4 Good!

Routing is automagical due to the IP address of WG4. Covered!

Assuming your phone has allowed IPs of 0.0.0.0/0 (and the router has a fixed wg IP address for the phone) Good!

Possibilities.. The key is you can ping but get no traffic; why are you not getting return traffic?

a. you are forcing ALL traffic from the PC out the WAN and thus it never gets to the WireGuard tunnel.
b. traffic from the PC (originating and return, as in a) is forced out a different WAN than the WAN used to establish the tunnel??

Hence it's probably due to routing/mangling not accounting for WireGuard traffic.
 
JohnTRIVOLTA
Member
Posts: 345
Joined: Sun Dec 25, 2016 2:05 pm
Location: BG/Sofia

Re: Can not access to the remote LAN through wireguard

Sat Mar 04, 2023 9:17 pm

Use srcnat ! wg peer - allowed address=0.0.0.0/0
/ip firewall nat add chain=srcnat src-address=172.16.129.0/24 dst-address=172.16.0.0/24 action=src-nat to-addresses=172.16.0.1
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Can not access to the remote LAN through wireguard

Sat Mar 04, 2023 9:42 pm

Yeah but WHY??? Where is the logic!
Come on JTravolta, if you're going to throw things out there, at least have the decency to explain!!!!


The peer allowed IP is correct already 172.16.129.3

No source-NATting is required. The WireGuard IP address and subnet already exist on the router.
This is a simple case of PHONE to router Wireguard, no third party involvement, not even going out the WAN, just needs to get to LAN device.
 
h4kuy4
just joined
Topic Author
Posts: 3
Joined: Sat Mar 04, 2023 7:02 am

Re: Can not access to the remote LAN through wireguard

Sun Mar 05, 2023 7:16 am

anav wrote:
Why on earth would you want to access your smartphone from your PC,,,,,,,,,, just asking?

Secondly, your simple explanation/request does not reflect the very complex multiple-WireGuard-interface setup evidenced in the diagram and config.
If you want help then you need to explain the setup more fully.

Why is your WAN network the same as your WAN network and the same as your Bridge network ????
Nothing makes sense.
/ip address
add address=172.16.0.192/26 interface=ether1-wan network=172.16.0.192
add address=172.16.0.193/26 interface=vrrp1 network=172.16.0.192
add address=172.16.0.194/26 interface=vrrp2 network=172.16.0.192
add address=172.16.0.195/26 interface=vrrp3 network=172.16.0.192
add address=172.16.0.196/26 interface=ether2-wan network=172.16.0.192
add address=172.16.0.1/25 interface=LAN_Bridge network=172.16.0.0
add address=172.16.255.1 interface=lo network=172.16.255.0
add address=172.16.128.1/24 interface=wg0 network=172.16.128.0
add address=172.16.128.2/24 interface=wg1 network=172.16.128.0
add address=172.16.128.3/24 interface=wg2 network=172.16.128.0
add address=172.16.128.4/24 interface=wg3 network=172.16.128.0
add address=172.16.129.1/24 interface=wg4 network=172.16.129.0
add address=172.16.128.6/24 interface=wg5 network=172.16.128.0

Your firewall rules are severely lacking for a router.

As to the question.
Nothing in the firewall rules is preventing traffic to your PC
add action=accept chain=forward in-interface=wg4 Good!

Routing is automagical due to the IP address of WG4. Covered!

Assuming your phone has allowed IPs of 0.0.0.0/0 (and the router has a fixed wg IP address for the phone) Good!

Possibilities.. The key is you can ping but get no traffic; why are you not getting return traffic?

a. you are forcing ALL traffic from the PC out the WAN and thus it never gets to the WireGuard tunnel.
b. traffic from the PC (originating and return, as in a) is forced out a different WAN than the WAN used to establish the tunnel??

Hence it's probably due to routing/mangling not accounting for WireGuard traffic.
Thanks for your reply; I am new to learning networking.
I also asked my friend for help. He pointed out the mistakes you mentioned above.
And he told me the reason why my WireGuard does not work is here:
address=172.16.129.1/24 interface=wg4 network=172.16.129.0
I should set this to
address=172.16.129.1/32 interface=wg4 network=172.16.129.3
, then the traffic will know where to go.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Can not access to the remote LAN through wireguard

Sun Mar 05, 2023 2:52 pm

Your friend is wrong............... he got you into this mess in the first place LOL.

If you are talking about the IP address and the WG server is this router, then
add address=172.16.129.1/24 interface=wg4 network=172.16.129.0 is a perfectly good config line.

Keep this address as stated and go check your IP Routes. You will see an entry
<dac> dst-address=172.16.129.0/24 gwy=wg4 routing-table=main

Having a proper address and an automatically router-created IP route means that whenever a remote user comes to the router, their return traffic, either from the router WAN (using the router for internet traffic) or from subnets on the router, will have a path back into the tunnel to return to the remote user. One still needs to make firewall rules permit this and WireGuard settings also permit this.

You haven't told us about the remote device, but for example using an iPhone......

DEFINE INTERFACE
Name: Remote WG
Public Key: from device to give to ROUTER, to use on its peer settings for this remote device.
Addresses (The WG address of the device on the wg4 network): 172.16.129.3
MTU: match the setting on the router (1420)
DNS servers ( any will do): 1.1.1.2,9.9.9.9

PEER SETTINGS
Public Key - Received from Router ( from its interface settings )
Endpoint: FIXEDWANIP:port# OR dyndnsname:port# (for dynamic WANIP, one can use iP cloud name as well )
Allowed IPs: Two entries possible.
a. 172.16.129.0/24,172.16.0.0/24 ( to be able to ping router entities and access subnet )
OR
b. 0.0.0.0/0 ( to access internet through router, which by the way includes both entries in A ! )
Persistent Keep Alive: anything like 35 secs
 
h4kuy4
just joined
Topic Author
Posts: 3
Joined: Sat Mar 04, 2023 7:02 am

Re: Can not access to the remote LAN through wireguard

Sun Mar 05, 2023 7:57 pm

I forgot to mention that I'm trying to run OSPF over WireGuard with my friend to build a small network, so I set the WireGuard interface address to a /32 and use OSPF to populate the routing table.

And just now, I found where the real mistake is. I use PCC to manage my traffic to the Internet, but I forgot to exclude the addresses of the WireGuard networks, so traffic from or into WireGuard gets a PCC mark and then goes to the WAN directly. Now I have added the filter and the problem is solved.
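The filter the final post refers to, written out as an added example (my own RouterOS 7 fragment, not the original poster's final config and not anything anav posted). It also covers anav's possibility (a) above: the PCC mark-connection rules in the posted config match every packet from LAN_Bridge whose destination is not a router-local address (dst-address-type=!local), so a reply from 172.16.0.10 to the phone at 172.16.129.3 is marked PCC1 and looked up in routing table PCC_ROUT1, whose only route is the default via pppoe-out1; the packet never reaches wg4. Exempting the LAN and tunnel subnets before the PCC rules run keeps that traffic on the main table, where the connected /24 and /25 routes live. The address-list name LOCAL_NETS and the use of place-before to position the rule are my choices; the subnets are the ones from the posted /ip address section.

```routeros
# Added example, not from the thread: keep LAN <-> WireGuard traffic off the PCC
# connection marks so it is routed by the main table (connected routes for
# LAN_Bridge and the wg interfaces) instead of a PCC_ROUTx default route.
# Subnets are taken from the posted config; the list name LOCAL_NETS is my own.
/ip firewall address-list
add list=LOCAL_NETS address=172.16.0.0/25   comment="LAN_Bridge"
add list=LOCAL_NETS address=172.16.128.0/24 comment="wg0-wg3, wg5 site-to-site"
add list=LOCAL_NETS address=172.16.129.0/24 comment="wg4 road-warrior peers"

/ip firewall mangle
# 'accept' in the mangle chain stops further rule processing for that packet,
# so the PCC mark-connection rules below it never see LAN traffic that is
# bound for a local or tunnel subnet. place-before puts this rule ahead of the
# existing PCC1 rule, selected by the comment it carries in the posted config.
add action=accept chain=prerouting comment="bypass PCC for local/tunnel subnets" \
    dst-address-list=LOCAL_NETS in-interface=LAN_Bridge \
    place-before=[find comment=PCC1]
```

To confirm the rule is in front of the classifier and is being hit, check `/ip firewall mangle print stats` after pinging the phone from a LAN host: the bypass rule's counters should increase while the PCC1 to PCC4 counters stay flat for that traffic, and `/ip firewall connection print where dst-address~"172.16.129"` should show those connections with no connection mark. The connected route anav describes, `dst-address=172.16.129.0/24 gateway=wg4` in the main table, then carries the reply into the tunnel. A separate tidy-up of the posted rules, which is my observation rather than something the thread raises: the four PCC mark-connection rules have no `connection-state=new` matcher, so they re-evaluate the classifier on every packet of a connection instead of once at connection start.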
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Can not access to the remote LAN through wireguard

Sun Mar 05, 2023 10:31 pm

Good to hear!!!
