mahfuzazam
newbie
Topic Author
Posts: 37
Joined: Sat Aug 08, 2020 7:59 pm
Location: Usa

Wireguard Issue | ROS v7.7

Sun May 21, 2023 11:01 am

Hi Team,

We're having a strange issue with Wireguard settings for MikroTik CCR-12G-4S. The wireguard configuration is as below:

/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard-SKA
/interface wireguard peers
add allowed-address=192.168.100.2/32 interface=wireguard-SKA public-key=\
    "o3cQUJ1cf7Ss5YOtvwU3cRPyorLrqtFE1s570E7wCgE="
	

/interface list member add interface=wireguard-SKA list=LAN
/ip address add address=192.168.100.1/24 interface=wireguard-SKA network=192.168.100.0
/ip firewall filter add action=accept chain=input comment="allow WireGuard" dst-port=13231 in-interface=wireguard-SKA protocol=udp
/ip firewall filter add action=accept chain=input comment="allow WireGuard traffic" in-interface=wireguard-SKA log=yes src-address=192.168.100.0/24
/ip firewall mangle add action=mark-routing chain=prerouting comment=WG in-interface=wireguard-SKA new-routing-mark=Group-A passthrough=no src-address=192.168.100.0/24

The same configuration works fine with version 7.3.1. But, whenever we're trying to upgrade to the latest ros version, it stops working. Reconfiguring from scratch also doesn't work. Is it some kind of firmware issue we're not aligned with? Please help.
 
holvoetn
Forum Guru
Posts: 5318
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wireguard Issue | ROS v7.7

Sun May 21, 2023 2:30 pm

Netinstall and apply same config.
Have seen it in the past as well.

If that does not help, create supout and contact support.
 
FezzFest
Frequent Visitor
Posts: 86
Joined: Wed Jun 03, 2015 12:03 am

Re: Wireguard Issue | ROS v7.7

Sun May 21, 2023 2:49 pm

/ip firewall filter add action=accept chain=input comment="allow WireGuard" dst-port=13231 in-interface=wireguard-SKA protocol=udp
This makes no sense. You will have connections coming in on port 13231 on your WAN interface, not on the wireguard interface.
 
holvoetn
Forum Guru

Re: Wireguard Issue | ROS v7.7

Sun May 21, 2023 3:29 pm

Logical if other devices need to come in to initiate the connection.
At that point there is no wireguard interface yet.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Issue | ROS v7.7

Sun May 21, 2023 4:00 pm

holvoe 0 fezzfest 1

Fezzfest is absolutely correct!
The initial handshake is done outside the tunnel. Stop drinking that crappy Belgian wine and get some real wine from rextended.

/ip firewall filter add action=accept chain=input comment="allow WireGuard" dst-port=13231 in-interface=wireguard-SKA protocol=udp
/ip firewall filter add action=accept chain=input comment="allow WireGuard traffic" in-interface=wireguard-SKA log=yes src-address=192.168.100.0/24


Note: it would be acceptable to put in in-interface=WAN interface, but it is not really needed and I rarely see it.


Fezzfest is indeed correct, the two rules should be:
# handshake
/ip firewall filter add action=accept chain=input comment="allow WireGuard" dst-port=13231 protocol=udp
# admin to be able to config router remotely
/ip firewall filter add action=accept chain=input comment="allow WireGuard traffic" in-interface=wireguard-SKA log=yes src-address=192.168.100.0/24
 
anav
Forum Guru

Re: Wireguard Issue | ROS v7.7

Sun May 21, 2023 4:02 pm

However, I don't understand why the OP has any mangle rule.
Please explain!

/ip firewall mangle add action=mark-routing chain=prerouting comment=WG in-interface=wireguard-SKA new-routing-mark=Group-A passthrough=no src-address=192.168.100.0/24
 
mahfuzazam
Topic Author

Re: Wireguard Issue | ROS v7.7

Sun May 21, 2023 4:25 pm

However, I don't understand why the OP has any mangle rule.
Please explain!

/ip firewall mangle add action=mark-routing chain=prerouting comment=WG in-interface=wireguard-SKA new-routing-mark=Group-A passthrough=no src-address=192.168.100.0/24
Mangle rules are for Wireguard tunnel to have internet from a specific ISP. We have 3 different ISPs going through 3 different subnets.
 
mahfuzazam
Topic Author

Re: Wireguard Issue | ROS v7.7

Sun May 21, 2023 4:27 pm

/ip firewall filter add action=accept chain=input comment="allow WireGuard" dst-port=13231 in-interface=wireguard-SKA protocol=udp
This makes no sense. You will have connections coming in on port 13231 on your WAN interface, not on the wireguard interface.
The in-interface=wireguard-SKA was to specify from which interface the connection was established. Since there's no firewall to block ports yet, these rules didn't have any impact. But I could see the traffic flow after I connect Wireguard.
 
mahfuzazam
Topic Author

Re: Wireguard Issue | ROS v7.7

Sun May 21, 2023 4:28 pm

Netinstall and apply same config.
Have seen it in the past as well.

If that does not help, create supout and contact support.
Exactly my thought right now. I've tried with netinstall and tried v7.7, 7.8 and 7.9 to be precise.
 
mahfuzazam
Topic Author

Re: Wireguard Issue | ROS v7.7

Sun May 21, 2023 4:29 pm

holvoe 0 fezzfest 1

Fezzfest is absolutely correct!
The initial handshake is done outside the tunnel. Stop drinking that crappy Belgian wine and get some real wine from rextended.

/ip firewall filter add action=accept chain=input comment="allow WireGuard" dst-port=13231 in-interface=wireguard-SKA protocol=udp
/ip firewall filter add action=accept chain=input comment="allow WireGuard traffic" in-interface=wireguard-SKA log=yes src-address=192.168.100.0/24


Note: it would be acceptable to put in in-interface=WAN interface, but it is not really needed and I rarely see it.


Fezzfest is indeed correct, the two rules should be:
# handshake
/ip firewall filter add action=accept chain=input comment="allow WireGuard" dst-port=13231 protocol=udp
# admin to be able to config router remotely
/ip firewall filter add action=accept chain=input comment="allow WireGuard traffic" in-interface=wireguard-SKA log=yes src-address=192.168.100.0/24
Actually the filter rules were just to see the traffic flow and block if necessary. Even without the rules, the wireguard would connect at v7.3.1.
 
anav
Forum Guru

Re: Wireguard Issue | ROS v7.7

Sun May 21, 2023 5:58 pm

Without a network diagram and a complete config, there is not much more one can assist with.
Too many details hidden.

/export file=anynameyouwish (minus router serial number and any public WANIP info).
 
holvoetn
Forum Guru

Re: Wireguard Issue | ROS v7.7

Sun May 21, 2023 9:21 pm

Damn... that's what you get when reviewing config from smartphone...
 
mahfuzazam
Topic Author

Re: Wireguard Issue | ROS v7.7

Sun May 21, 2023 9:46 pm

Damn... that's what you get when reviewing config from smartphone...
I've created supout and contacted support. Let's see what happens. Till then, sticking to 7.3.1.
 
mahfuzazam
Topic Author

Re: Wireguard Issue | ROS v7.7

Sun May 21, 2023 9:47 pm

Without a network diagram and a complete config, there is not much more one can assist with.
Too many details hidden.

/export file=anynameyouwish (minus router serial number and any public WANIP info).
/interface bridge
add name=bridge_ER
add fast-forward=no name=bridge_LAN priority=0x2000
add name=bridge_SKA priority=0x2000
/interface ethernet
set [ find default-name=sfp1 ] auto-negotiation=no name=ER_sfp1
set [ find default-name=ether1 ] name=WAN1_ether1_acc
set [ find default-name=sfp2 ] advertise=10M-full,100M-full,1000M-full \
    auto-negotiation=no name=WAN2-sfp2-adn
set [ find default-name=sfp3 ] advertise=10M-full,100M-full,1000M-full \
    auto-negotiation=no name=WAN3_sfp3_ISNL
set [ find default-name=ether2 ] comment=ER
set [ find default-name=ether3 ] comment="MGH Public Port"
set [ find default-name=ether4 ] comment=Peyala full-duplex=no
set [ find default-name=ether5 ] comment="OBHAI NVR"
set [ find default-name=ether7 ] comment="7th Floor R2"
set [ find default-name=ether8 ] comment="7th Floor R1-Cafe"
set [ find default-name=ether10 ] comment=6th-R1-Obhai&GBL
set [ find default-name=ether11 ] comment=6th-R2-YML
set [ find default-name=sfp4 ] advertise=10M-full,100M-full,1000M-full \
    auto-negotiation=no disabled=yes
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard-SKA
/interface list
add comment=WAN-List name=WAN
add comment=LAN-List name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool_SKA_Mgt ranges=192.168.222.161-192.168.222.190
add name=dhcp_pool_SKA_CCR ranges="192.168.48.65-192.168.48.250,192.168.49.35-\
    192.168.49.250,192.168.50.61-192.168.50.250,192.168.51.35-192.168.51.250"
/ip dhcp-server
add address-pool=dhcp_pool_SKA_Mgt disabled=yes interface=bridge_LAN \
    lease-time=3d name=dhcp_SKA
add address-pool=dhcp_pool_SKA_CCR interface=bridge_SKA lease-time=2d name=\
    dhcp_mgh
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
add change-tcp-mss=yes dns-server=8.8.8.8 local-address=dhcp_pool_SKA_Mgt \
    name=profile-mgmt remote-address=dhcp_pool_SKA_Mgt
/queue simple
add max-limit=15M/15M name="queue_OBHAI NVR" target=192.168.222.58/32 time=\
    0s-21h59m,sun,mon,tue,wed,thu
add disabled=yes max-limit=10M/10M name=1 target=192.168.48.188/32 time=\
    0s-23h59m,sun,mon,tue,wed,thu,fri,sat
add disabled=yes max-limit=10M/10M name=2 target=192.168.50.213/32 time=\
    0s-23h59m,sun,mon,tue,wed,thu,fri,sat
add disabled=yes max-limit=10M/10M name=3 target=192.168.48.226/32 time=\
    0s-23h59m,sun,mon,tue,wed,thu,fri,sat
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/routing table
add fib name=Group-Acc
add fib name=Group-Adn
add fib name=Group-ISNL
/user group
set read policy="winbox,!local,!telnet,!ssh,!ftp,!reboot,!read,!write,!policy,\
    !test,!password,!web,!sniff,!sensitive,!api,!romon,!rest-api"
/interface bridge port
add bridge=bridge_LAN ingress-filtering=no interface=ether5
add bridge=bridge_LAN ingress-filtering=no interface=ether3
add bridge=bridge_LAN ingress-filtering=no interface=ether4
add bridge=bridge_SKA ingress-filtering=no interface=ether10
add bridge=bridge_SKA ingress-filtering=no interface=ether11
add bridge=bridge_SKA ingress-filtering=no interface=ether7
add bridge=bridge_SKA ingress-filtering=no interface=ether8
add bridge=bridge_SKA ingress-filtering=no interface=ether6
add bridge=bridge_ER ingress-filtering=no interface=ER_sfp1
add bridge=bridge_ER ingress-filtering=no interface=ether2
add bridge=bridge_SKA ingress-filtering=no interface=ether12
add bridge=bridge_LAN ingress-filtering=no interface=ether9
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=WAN
/interface l2tp-server server
set default-profile=profile-mgmt enabled=yes use-ipsec=yes
/interface list member
add comment=ISP interface=WAN1_ether1_acc list=WAN
add interface=WAN2-sfp2-adn list=WAN
add comment=Local interface=bridge_LAN list=LAN
add interface=bridge_SKA list=LAN
add interface=WAN3_sfp3_ISNL list=WAN
add interface=wireguard-SKA list=LAN
/interface ovpn-server server
set auth=sha1,md5 certificate=*1
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set authentication=pap,chap,mschap1,mschap2 default-profile=profile-mgmt
/interface wireguard peers
add allowed-address=192.168.100.2/32 interface=wireguard-SKA public-key=\
    "o3cQUJ1cf7Ss5YOtvwU3cRPyorLrqtFE1s570E7wCgE="
/ip address
add address=3.3.3.3/30 interface=WAN2-sfp2-adn network=3.3.3.4
add address=2.2.2.2/30 interface=WAN1_ether1_acc network=\
    2.2.2.192
add address=192.168.222.1/24 interface=bridge_LAN network=192.168.222.0
add address=192.168.50.1/22 interface=bridge_SKA network=192.168.48.0
add address=4.4.4.4/30 interface=WAN3_sfp3_ISNL network=\
    4.4.4.248
add address=192.168.100.1/24 interface=wireguard-SKA network=192.168.100.0
/ip cloud
set update-time=no
/ip dhcp-server network
add address=192.168.48.0/22 dns-server=8.8.8.8,1.1.1.1 gateway=192.168.50.1
add address=192.168.222.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=192.168.222.1
/ip dns
set cache-max-ttl=12w6d cache-size=700000KiB servers=8.8.8.8,1.1.1.1
/ip firewall address-list
add address=0.0.0.0/8 list=BOGONS
add address=10.0.0.0/8 list=BOGONS
add address=100.64.0.0/10 list=BOGONS
add address=127.0.0.0/8 list=BOGONS
add address=169.254.0.0/16 list=BOGONS
add address=192.0.0.0/24 list=BOGONS
add address=192.0.2.0/24 list=BOGONS
add address=198.18.0.0/15 list=BOGONS
add address=198.51.100.0/24 list=BOGONS
add address=203.0.113.0/24 list=BOGONS
add address=224.0.0.0/3 list=BOGONS

add address=192.168.222.0/24 list=LAN_IP
add address=192.168.48.0/22 list=LAN_IP
add address=192.168.100.0/24 list=LAN_IP

/ip firewall filter
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
    in-interface=wireguard-SKA protocol=udp
add action=accept chain=input comment="allow WireGuard traffic" in-interface=\
    wireguard-SKA log=yes src-address=192.168.100.0/24
add action=drop chain=input comment=DNS_Spoofing_Protect connection-state=new \
    dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=input connection-state=new dst-port=53 \
    in-interface-list=WAN protocol=udp
add action=fasttrack-connection chain=forward comment=Fasttrack_DNS_TCP \
    connection-state="" dst-port=53 hw-offload=yes protocol=tcp
add action=fasttrack-connection chain=forward comment=Fasttrack_DNS_UDP \
    dst-port=53 hw-offload=yes protocol=udp
add action=drop chain=forward connection-state=invalid
add action=drop chain=input connection-state=invalid
add action=drop chain=forward src-address-list=BOGONS
add action=drop chain=forward dst-address-list=BOGONS
add action=drop chain=forward connection-nat-state=!dstnat connection-state=\
    new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=input in-interface=WAN1_ether1_acc \
    new-connection-mark=conn_1 passthrough=yes
add action=mark-routing chain=output connection-mark=conn_1 new-routing-mark=\
    Group-Acc passthrough=yes
add action=mark-connection chain=input in-interface=WAN2-sfp2-adn \
    new-connection-mark=conn_2 passthrough=yes
add action=mark-routing chain=output connection-mark=conn_2 new-routing-mark=\
    Group-Adn passthrough=yes
add action=mark-connection chain=input in-interface=WAN3_sfp3_ISNL \
    new-connection-mark=conn_4 passthrough=yes
add action=mark-routing chain=output connection-mark=conn_4 new-routing-mark=\
    Group-ISNL passthrough=yes
add action=mark-routing chain=prerouting comment=Management \
    in-interface-list=LAN new-routing-mark=Group-Adn passthrough=no \
    src-address=192.168.222.0/27
add action=mark-routing chain=prerouting in-interface-list=LAN \
    new-routing-mark=Group-Adn passthrough=no src-address=192.168.222.32/27
add action=mark-routing chain=prerouting in-interface-list=LAN \
    new-routing-mark=Group-Acc passthrough=no src-address=192.168.222.64/27
add action=mark-routing chain=prerouting in-interface-list=LAN \
    new-routing-mark=Group-ISNL passthrough=no src-address=192.168.222.96/27
add action=mark-routing chain=prerouting in-interface-list=LAN \
    new-routing-mark=Group-Adn passthrough=no src-address=192.168.222.128/27
add action=mark-routing chain=prerouting in-interface-list=LAN \
    new-routing-mark=Group-ISNL passthrough=no src-address=192.168.222.160/27
add action=mark-routing chain=prerouting in-interface-list=LAN \
    new-routing-mark=Group-ISNL passthrough=no src-address=192.168.222.192/27
add action=mark-routing chain=prerouting in-interface-list=LAN \
    new-routing-mark=Group-Adn passthrough=no src-address=192.168.222.224/27
add action=mark-routing chain=prerouting comment=Management_7th \
    in-interface-list=LAN new-routing-mark=Group-Adn passthrough=no \
    src-address=192.168.48.0/26
add action=mark-routing chain=prerouting in-interface-list=LAN \
    new-routing-mark=Group-ISNL passthrough=no src-address=192.168.48.64/26
add action=mark-routing chain=prerouting in-interface-list=LAN \
    new-routing-mark=Group-ISNL passthrough=no src-address=192.168.48.128/26
add action=mark-routing chain=prerouting in-interface-list=LAN \
    new-routing-mark=Group-ISNL passthrough=no src-address=192.168.48.192/26
add action=mark-routing chain=prerouting in-interface-list=LAN \
    new-routing-mark=Group-ISNL passthrough=no src-address=192.168.49.0/26
add action=mark-routing chain=prerouting in-interface-list=LAN \
    new-routing-mark=Group-ISNL passthrough=no src-address=192.168.49.64/26
add action=mark-routing chain=prerouting in-interface-list=LAN \
    new-routing-mark=Group-ISNL passthrough=no src-address=192.168.49.128/26
add action=mark-routing chain=prerouting in-interface-list=LAN \
    new-routing-mark=Group-ISNL passthrough=no src-address=192.168.49.192/26
add action=mark-routing chain=prerouting comment=Management_6th \
    in-interface-list=LAN new-routing-mark=Group-Adn passthrough=no \
    src-address=192.168.50.0/26
add action=mark-routing chain=prerouting in-interface-list=LAN \
    new-routing-mark=Group-ISNL passthrough=no src-address=192.168.50.64/26
add action=mark-routing chain=prerouting in-interface-list=LAN \
    new-routing-mark=Group-ISNL passthrough=no src-address=192.168.50.128/26
add action=mark-routing chain=prerouting in-interface-list=LAN \
    new-routing-mark=Group-ISNL passthrough=no src-address=192.168.50.192/26
add action=mark-routing chain=prerouting in-interface-list=LAN \
    new-routing-mark=Group-Acc passthrough=no src-address=192.168.51.0/26
add action=mark-routing chain=prerouting in-interface-list=LAN \
    new-routing-mark=Group-ISNL passthrough=no src-address=192.168.51.64/26
add action=mark-routing chain=prerouting in-interface-list=LAN \
    new-routing-mark=Group-Acc passthrough=no src-address=192.168.51.128/26
add action=mark-routing chain=prerouting in-interface-list=LAN \
    new-routing-mark=Group-Acc passthrough=no src-address=192.168.51.192/26
add action=mark-routing chain=prerouting comment=WG in-interface=\
    wireguard-SKA new-routing-mark=Group-Adn passthrough=no src-address=\
    192.168.100.0/24
/ip firewall nat
add action=src-nat chain=srcnat out-interface=WAN1_ether1_acc to-addresses=\
    2.2.2.2
add action=src-nat chain=srcnat out-interface=WAN2-sfp2-adn to-addresses=\
    3.3.3.3
add action=src-nat chain=srcnat out-interface=WAN3_sfp3_ISNL to-addresses=\
    4.4.4.4

/ip firewall raw
add action=drop chain=prerouting src-address-list=blacklisted-ip
add action=drop chain=prerouting src-address-list=PPTP_Attack
add action=drop chain=prerouting comment=\
    "defconf: drop forward to local lan from WAN" dst-address-list=LAN_IP \
    in-interface-list=WAN
add action=drop chain=prerouting comment=\
    "Drop local if not from default IP range" dst-address=!255.255.255.255 \
    in-interface-list=LAN src-address=!0.0.0.0 src-address-list=!LAN_IP
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    1.0.0.1 pref-src="" routing-table=Group-Acc scope=30 suppress-hw-offload=\
    no target-scope=15
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
    8.8.4.4 pref-src="" routing-table=Group-Acc scope=30 suppress-hw-offload=\
    no target-scope=15
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    8.8.4.4 pref-src="" routing-table=Group-Adn scope=30 suppress-hw-offload=\
    no target-scope=15
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
    1.0.0.1 pref-src="" routing-table=Group-Adn scope=30 suppress-hw-offload=\
    no target-scope=15
add check-gateway=ping disabled=no dst-address=0.0.0.0/0 gateway=202.51.181.5
add check-gateway=ping disabled=no dst-address=0.0.0.0/0 gateway=\
    175.29.161.193
add check-gateway=ping disabled=no dst-address=0.0.0.0/0 gateway=\
    203.188.250.249
add disabled=no dst-address=1.0.0.1/32 gateway=2.2.2.2 scope=10
add disabled=no dst-address=8.8.4.4/32 gateway=3.3.3.3 scope=10
add disabled=no dst-address=9.9.9.9/32 gateway=4.4.4.4 scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    9.9.9.9 pref-src="" routing-table=Group-ISNL scope=30 \
    suppress-hw-offload=no target-scope=15
add check-gateway=ping disabled=no distance=3 dst-address=0.0.0.0/0 gateway=\
    8.8.4.4 pref-src="" routing-table=Group-ISNL scope=30 \
    suppress-hw-offload=no target-scope=15
add check-gateway=ping disabled=no distance=3 dst-address=0.0.0.0/0 gateway=\
    1.0.0.1 pref-src="" routing-table=Group-ISNL scope=30 \
    suppress-hw-offload=no target-scope=15
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
    9.9.9.9 pref-src="" routing-table=Group-Adn scope=30 suppress-hw-offload=\
    no target-scope=15
add check-gateway=ping disabled=no distance=3 dst-address=0.0.0.0/0 gateway=\
    9.9.9.9 pref-src="" routing-table=Group-Acc scope=30 suppress-hw-offload=\
    no target-scope=15
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes port=2213
set api disabled=yes
set winbox port=10662
set api-ssl disabled=yes

/system clock
set time-zone-name=Asia/Dhaka
/system health settings
set cpu-overtemp-threshold=90C
/system identity
set name=MikroTik_SKA
/system ntp client
set enabled=yes
/system package update
set channel=long-term
/system routerboard settings
set auto-upgrade=yes reformat-hold-button=1m reformat-hold-button-max=2m
/tool bandwidth-server
set authenticate=no enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
 
anav
Forum Guru

Re: Wireguard Issue | ROS v7.7

Sun May 21, 2023 11:44 pm

You have one Wireguard client correct?

(1) This is WRONG, as stated above:
/ip firewall filter
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
in-interface=wireguard-SKA protocol=udp

For the last time, the initial handshake comes via the ISP connection. You have some options,
You know the specific WANIP ( users using domain name )
/ip firewall filter
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
in-interface=ETHERX protocol=udp


or you don't, or from a catch-all perspective:
/ip firewall filter
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
in-interface-list=WAN protocol=udp


(2) It would seem by your sourcenat rules that your 3 ISPs give FIXED/STATIC IPs. Assuming you are getting static public IPs.
Just to note if you are actually getting private IPs, the ISP is using modem/routers, and you will have to port forward the wireguard listening port from the correct router to the MT.
 
mahfuzazam
Topic Author

Re: Wireguard Issue | ROS v7.7

Mon May 22, 2023 5:19 am

You have one Wireguard client correct?

(1) This is WRONG, as stated above:
/ip firewall filter
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
in-interface=wireguard-SKA protocol=udp

For the last time, the initial handshake comes via the ISP connection. You have some options,
You know the specific WANIP ( users using domain name )
/ip firewall filter
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
in-interface=ETHERX protocol=udp


or you don't, or from a catch-all perspective:
/ip firewall filter
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
in-interface-list=WAN protocol=udp


(2) It would seem by your sourcenat rules that your 3 ISPs give FIXED/STATIC IPs. Assuming you are getting static public IPs.
Just to note if you are actually getting private IPs, the ISP is using modem/routers, and you will have to port forward the wireguard listening port from the correct router to the MT.
- I had 4 wireguard peers before the upgrade, and now only one for testing versions.

- I've 3 ISPs which are giving me static public IPs. I don't use the domain name as many users do, I use direct fixed public IP and mentioned port 132131 for wireguard.

- Also to mention, all are working just fine whenever I'm using the 7.3.1 version. I've tried all versions after this, i.e. 7.4.1, 7.5 ... etc., but whenever I upgrade the firmware from 7.3.1, wireguard doesn't work. I've reported it to MikroTik Support as well. Let's see their response as well.
 
ivicask
Member
Posts: 417
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: Wireguard Issue | ROS v7.7

Mon May 22, 2023 9:51 am

At this point it doesn't matter why it worked for you on older versions; as you were told multiple times, you need to allow the UDP port on the WAN interface or wireguard won't work no matter what. That's the same response you will get from Mikrotik support.
