Techsystem
Member
Topic Author
Posts: 337
Joined: Tue Dec 21, 2021 5:12 am

my dilemma in wireguard that no one solve.

Mon May 22, 2023 9:08 pm

Hello my friends..!
So, to put my problem in a simple yet easy to understand way.

The short story:
In this scenario the MikroTik router represents the WG server and my Windows machine represents the WG client.
Now here is the story:
I have a LAN network with IP range 192.168.42.1/24. The gateway for this LAN is ether5 on my MT -(MikroTik)- router; the gateway is 192.168.42.1.
This MT router is the DHCP in this network, so it is the DHCP server.
This MT router gets its internet access from a D-Link router connected to it through ether1, and it has a public IP address -(this is the public IP that I used to set up my WireGuard tunnel)-.
Now, in the same network I connect a D-Link router with no DHCP, but its IP is 192.168.42.254. So notice that I now have two gateways..! I have a PBX device that has the IP 192.168.42.170 and its gateway is 192.168.42.254. Well, you may now know my problem: I can't access this PBX device from my WG tunnel, though I have tried a lot.

The long story
Well, before I tell it, I am waiting to hear from you, friends, if you have any suggestion related to such an issue.
So what I tried to do:
1- I tried to create a route rule in which I put the dst address as the PBX IP and the gateway as 192.168.42.254, but that didn't work.
2- I tried to create a route rule in which I put the dst address as the PBX IP and the gateway as the WireGuard interface, but that also didn't work.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: my dilemma in wireguard that no one solve.

Mon May 22, 2023 9:32 pm

What do you use wireguard for.

a. external user ( admin to config router )?
b. external users ( to access MT LAN )
c. external users ( to access DLINK MAIN router LAN )

I am confused, so the Main DLINK router has one flat subnet, WHAT IS THE STRUCTURE OF THIS SUBNET and what is the IP of the MT? It's private so no reason to not disclose.

WHY does the second DLINK have the same IP structure as the MT LAN ??

Draw a fricken diagram cause your explanation is lacking?
 
Techsystem
Member
Topic Author
Posts: 337
Joined: Tue Dec 21, 2021 5:12 am

Re: my dilemma in wireguard that no one solve.

Tue May 23, 2023 8:12 pm

> What do you use wireguard for.
>
> a. external user ( admin to config router )?
> b. external users ( to access MT LAN )
> c. external users ( to access DLINK MAIN router LAN )
>
> I am confused, so the Main DLINK router has one flat subnet, WHAT IS THE STRUCTURE OF THIS SUBNET and what is the IP of the MT? It's private so no reason to not disclose.
>
> WHY does the second DLINK have the same IP structure as the MT LAN ??
>
> Draw a fricken diagram cause your explanation is lacking?
Well, so it seems that I have to tell the long story..
But first, to answer your questions:

> What do you use wireguard for.
Well, I didn't ask such a question before, but in my current situation I can access all the LAN devices and also all the router devices -(D-Link routers)- that connect to the MT as its out interface.

For your second question the diagram below will explain more.

> WHY does the second DLINK have the same IP structure as the MT LAN ??
Well, I want to create a NAT rule for some devices inside my LAN -(so these devices have IPs from the 192.168.42.1/24 range)- 1- without changing their IPs, 2- from a different router, so there is no congestion or delay due to a lot of traffic from the other router that is engaged in this network. So for that purpose I introduced this new router that has the IP 192.168.42.254, as I mentioned above.

Here is a diagram explaining my network:
As you can see I have
3 D-Link routers, two of them engaged inside the MT router.
ether3 interface in the MT goes to the VPN router -(to the WAN interface on it)-
ether4: internet comes from the VPN router -(from the VPN LAN interface)-
ether5 for WAN.
Side note: I duplicated the VPN router image for more clarification, to show you that I have a link going to the VPN router and a link coming from the same VPN router to the MikroTik.
also here is my router config
You do not have the required permissions to view the files attached to this post.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: my dilemma in wireguard that no one solve.

Wed May 24, 2023 3:35 am

The question I have is why do you need VPN router working separately like that.......... I have seen it before where the VPN allows up to 5 countries of choice, assuming your VPN is to a third party.
The logic goes something like,

The VPN router simply uses VLAN30 (and gets a private IP from the MT); this is the VPN router's NORMAL local WAN connection to the internet.
Through this connection, the vpn router establishes a 3rd Party VPN tunnel.

Then users on the Mikrotik need to be able to use this tunnel.
Solution: create VLAN40 on the MT. Take an unused port and then hook into the VLAN router on a different port on the VPN router ( it's a LAN subnet on the VPN router ).
Private WANIP address on the MT WAN2 so to speak associated with interface as vlan40.

Now on the MT you can force users to the vpn router as required.
Close??

So depending lets say MT has three subnets/vlans one is vlan42
We can force users in vlan42 out the VPN WAN so to speak.

++++++++++++++++++++++++++++++++++++++++++++++++++++

Okay quite separately you have a local wireguard on the MT device, for the purposes lets say of the admin to
a. reach and config MT
b. reach and config VPN router
c. reach and config dlink routers?
d. access MT LAN
e. use MT internet?
f. use vpn router internet??


++++++++++++++++++++++++++++++
As long as the dlink router gets a public IP address and you can forward the listening port to the MT, you should be able to conduct wireguard.

Okay I note you have TWO WANS already on the MT via dlink routers. You have not noted how these are supposed to be setup.
That will influence the wireguard setup, and I imagine which WAN the VPN router uses through the MT to establish a VPN.

There should be no duplication of subnet structure between the two dlink routers and the MT router ( or the VPN router for that matter )
 
Techsystem
Member
Topic Author
Posts: 337
Joined: Tue Dec 21, 2021 5:12 am

Re: my dilemma in wireguard that no one solve.

Wed May 24, 2023 8:52 am

> The question I have is why do you need VPN router working separately like that.......... I have seen it before where the VPN allows up to 5 countries of choice, assuming your VPN is to a third party.
> The logic goes something like,
>
> The VPN router simply uses VLAN30 (and gets a private IP from the MT); this is the VPN router's NORMAL local WAN connection to the internet.
> Through this connection, the vpn router establishes a 3rd Party VPN tunnel.
>
> Then users on the Mikrotik need to be able to use this tunnel.
> Solution: create VLAN40 on the MT. Take an unused port and then hook into the VLAN router on a different port on the VPN router ( it's a LAN subnet on the VPN router ).
> Private WANIP address on the MT WAN2 so to speak associated with interface as vlan40.
>
> Now on the MT you can force users to the vpn router as required.
> Close??
>
> So depending lets say MT has three subnets/vlans one is vlan42
> We can force users in vlan42 out the VPN WAN so to speak.
>
> ++++++++++++++++++++++++++++++++++++++++++++++++++++
>
> Okay quite separately you have a local wireguard on the MT device, for the purposes lets say of the admin to
> a. reach and config MT
> b. reach and config VPN router
> c. reach and config dlink routers?
> d. access MT LAN
> e. use MT internet?
> f. use vpn router internet??
>
> ++++++++++++++++++++++++++++++
> As long as the dlink router gets a public IP address and you can forward the listening port to the MT, you should be able to conduct wireguard.
>
> Okay I note you have TWO WANS already on the MT via dlink routers. You have not noted how these are supposed to be setup.
> That will influence the wireguard setup, and I imagine which WAN the VPN router uses through the MT to establish a VPN.
>
> There should be no duplication of subnet structure between the two dlink routers and the MT router ( or the VPN router for that matter )
Sorry anav, but I really didn't understand what you want to deliver through this scenario, from "The VPN router simply uses VLAN30...." to "....vlan42 out the VPN WAN so to speak."

This VPN router supports more than 20 countries -(it's a Linksys WRT router with an ExpressVPN account on it)-.

So, as an update, and as I said earlier, my WG tunnel is working and I have access to all my devices except the devices that have the gateway 192.168.42.254, which is the
Dlink-3 IP address.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: my dilemma in wireguard that no one solve.

Wed May 24, 2023 2:10 pm

Okay I never saw that DLINK hiding in the corner behind the switch LOL. My bad.

To reach the DLINK from the MT it would appear you need an ip route.
lets say the LAN subnet was 10.20.30.1/24 behind the dlink,
Have you tried this on the MT?

dst-address=10.20.30.0/24 gateway=192.168.42.254 table=main
 
Techsystem
Member
Topic Author
Posts: 337
Joined: Tue Dec 21, 2021 5:12 am

Re: my dilemma in wireguard that no one solve.

Wed May 24, 2023 7:29 pm

> Okay I never saw that DLINK hiding in the corner behind the switch LOL. My bad.
>
> To reach the DLINK from the MT it would appear you need an ip route.
> lets say the LAN subnet was 10.20.30.1/24 behind the dlink,
> Have you tried this on the MT?
>
> dst-address=10.20.30.0/24 gateway=192.168.42.254 table=main
Well, I tried this rule:

dst-address=192.168.42.170 gateway=192.168.42.254 table=main, as 192.168.42.170 is the device that I want to reach through the 192.168.42.254 gateway.
But what do you mean by this IP 10.20.30.0/24..? What does it represent..?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: my dilemma in wireguard that no one solve.

Wed May 24, 2023 11:38 pm

I told you,,,,,,,,,,, the subnet behind the dlink that you are trying to reach.........
You need to tell the MT to send traffic to that subnet (since the router doesn't know about it) through the .254 address.
 
Techsystem
Member
Topic Author
Posts: 337
Joined: Tue Dec 21, 2021 5:12 am

Re: my dilemma in wireguard that no one solve.

Thu May 25, 2023 6:02 am

> I told you,,,,,,,,,,, the subnet behind the dlink that you are trying to reach.........
> You need to tell the MT to send traffic to that subnet (since the router doesn't know about it) through the .254 address.
In my case the LAN subnet behind the D-Link is 192.168.42.1/24, and yes, I created such a rule, but it's not working.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: my dilemma in wireguard that no one solve.

Thu May 25, 2023 2:22 pm

Post your latest config for review please.
 
Techsystem
Member
Topic Author
Posts: 337
Joined: Tue Dec 21, 2021 5:12 am

Re: my dilemma in wireguard that no one solve.

Thu May 25, 2023 3:01 pm

> Post your latest config for review please.
You do not have the required permissions to view the files attached to this post.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: my dilemma in wireguard that no one solve.

Thu May 25, 2023 9:47 pm

This is different again from the current thread and from your other Thread and diagram.
Can you please stop changing your config as it is not helpful.

Do you or do you not have two ISPs?
Do you or do you not have two WG connections one for each ISP.

I understand the change of eliminating subnet .30 on the mikrotik as you will attempt to use the .42 subnet for this purpose.
I actually like the separate .30 subnet for this purpose much better, clear and not messy but it may be just personal preference.

In any case there should be no issue with providing the VPN router a fixed WANIP on the .42 local MT subnet.
It will make things interesting when we attempt to route users but willing to cross that bridge later.

Understand that THAT ether 3,5 WIFI will be hooked to the local subnet .42. ( before it was just 5+wifi, with ether 5 going to switch and the natted router after the switch! )
However your use of ETHER4 makes no sense here.

> i change my MT config its now like this:
> ether1: out interface from Dlink router with ip address 192.168.95.254/24
> ether2: out interface from VPN router with ip address 192.168.30.100/24
> ether3+ether4+ether5 now represent the LAN interface with IP range: 192.168.42.1/24

If you want users to access the VPN router for internet you still need an extra port dedicated back to the VPN router remember ( for MT local users )
It can be any private subnet on the VPN router lets say 10.20.50.0/24, of which lets say 10.20.50.2 is a fixed IP for another WAN input on the MT router.

++++++++++++++++++++++++++++++

So before continuing help on either thread, you need to clarify truth,
how many ISPs?
how many wg interfaces?
use of ether4?
 
Techsystem
Member
Topic Author
Posts: 337
Joined: Tue Dec 21, 2021 5:12 am

Re: my dilemma in wireguard that no one solve.

Thu May 25, 2023 11:23 pm

> This is different again from the current thread and from your other Thread and diagram.
> Can you please stop changing your config as it is not helpful.
>
> Do you or do you not have two ISPs?
> Do you or do you not have two WG connections one for each ISP.
>
> I understand the change of eliminating subnet .30 on the mikrotik as you will attempt to use the .42 subnet for this purpose.
> I actually like the separate .30 subnet for this purpose much better, clear and not messy but it may be just personal preference.
>
> In any case there should be no issue with providing the VPN router a fixed WANIP on the .42 local MT subnet.
> It will make things interesting when we attempt to route users but willing to cross that bridge later.
>
> Understand that THAT ether 3,5 WIFI will be hooked to the local subnet .42. ( before it was just 5+wifi, with ether 5 going to switch and the natted router after the switch! )
> However your use of ETHER4 makes no sense here.
>
> > i change my MT config its now like this:
> > ether1: out interface from Dlink router with ip address 192.168.95.254/24
> > ether2: out interface from VPN router with ip address 192.168.30.100/24
> > ether3+ether4+ether5 now represent the LAN interface with IP range: 192.168.42.1/24
>
> If you want users to access the VPN router for internet you still need an extra port dedicated back to the VPN router remember ( for MT local users )
> It can be any private subnet on the VPN router lets say 10.20.50.0/24, of which lets say 10.20.50.2 is a fixed IP for another WAN input on the MT router.
>
> ++++++++++++++++++++++++++++++
>
> So before continuing help on either thread, you need to clarify truth,
> how many ISPs?
> how many wg interfaces?
> use of ether4?
Please, anav, know -(and let's agree on something)- that this thread is entirely different from the other thread.
Also you will notice that the config is different..!
Yes, both of them have a VPN router.
And both of them have the IP range 192.168.42.1/24 as the LAN IP, but they are two different sites.

In this site the WG works... there, the WG doesn't work.
The problem here is that I cannot access 192.168.42.170 through the WG tunnel... there, the WG tunnel doesn't work at all.
Here I have 3 ISPs:
ether1--> ISP-1 with ip=192.168.2.2/24
ether2--> ISP-2 with ip=192.168.10.2/24
ether4--> ISP-4 -(WAN coming from VPN)- with ip=192.168.40.1/24

There, only two: ether1 represents ISP-1 and has the IP 192.168.95.254/24
ether2 represents ISP-2 -(WAN coming from VPN)- and has the IP 192.168.30.1/24
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: my dilemma in wireguard that no one solve.

Fri May 26, 2023 3:04 am

Okay, well good luck, tis too bad you posted for help on two configs so eerily similar, as its confusing for me to deal with at the moment.
Both are very solvable on their own, I know you can do it. Just use logic all traffic needs
a. to be permitted to flow (firewall rules and allowed IPs)
b. needs a path to get there ( and watch out for when you force traffic ).
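The two checks anav keeps coming back to, "tell the MT to send traffic to that subnet through the .254 address" (the route suggestion above) and "all traffic needs a path to get there" (rule b here), can be made concrete with a tiny longest-prefix-match route lookup run over both directions of the trip. The block below is an added example written for this page, not code from the thread or from MikroTik; every routing table and the WireGuard addresses in it are constructed to resemble the thread's topology, and the Dlink-3 table in particular is an assumption, since the thread never shows it. It checks whether a packet from the WG client reaches the PBX via the MT's /32 route, and then whether the PBX's reply, which the PBX hands to its own gateway .254, has any route leading back to the MT.

```python
# Added example (not from the thread): a minimal longest-prefix-match route
# lookup used to check the "needs a path to get there" rule in BOTH
# directions. All tables and the WireGuard addresses are constructed; the
# Dlink-3 table is an assumption because the thread never shows it.
import ipaddress

# Constructed: WireGuard tunnel subnet on the MikroTik and the remote client.
WG_SUBNET = "10.10.10.0/24"
WG_CLIENT = "10.10.10.2"
MT_LAN_IP = "192.168.42.1"      # MT's LAN address, from the thread
PBX = "192.168.42.170"          # device behind the .254 gateway, from the thread
DLINK3 = "192.168.42.254"       # second gateway on the same LAN, from the thread

# MikroTik table as described in the thread: connected LAN, the WG tunnel,
# a default route (gateway address assumed) and the /32 route that was tried.
MT_TABLE = [
    ("0.0.0.0/0", "192.168.2.1"),     # assumed ISP-1 gateway
    ("192.168.42.0/24", "ether5"),    # connected LAN
    (WG_SUBNET, "wireguard1"),        # connected tunnel interface
    (PBX + "/32", DLINK3),            # the route attempt from the thread
]

# Assumed Dlink-3 table: knows its own LAN and has a default route out its
# own WAN; knows nothing about the WireGuard subnet.
DLINK3_TABLE = [
    ("192.168.42.0/24", "lan"),
    ("0.0.0.0/0", "wan"),
]

def lookup(table, dst):
    """Return (network, next_hop) of the most specific route covering dst,
    or None if nothing matches (a 0.0.0.0/0 default matches everything)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best

def forward_next_hop(target):
    """Where the MikroTik sends a packet arriving from the tunnel for target."""
    route = lookup(MT_TABLE, target)
    return route[1] if route else None

def reply_reaches_mt(pbx_gateway_table, client):
    """The PBX hands every reply to its gateway (.254). The reply only gets
    back into the tunnel if that gateway routes the client's address to the
    MikroTik's LAN address."""
    route = lookup(pbx_gateway_table, client)
    return route is not None and route[1] == MT_LAN_IP

def round_trip_ok(pbx_gateway_table=DLINK3_TABLE, client=WG_CLIENT, target=PBX):
    """The 'needs a path' rule checked both ways: the MT has a forward route
    and the PBX's gateway has a return route pointing at the MT."""
    return forward_next_hop(target) is not None and \
        reply_reaches_mt(pbx_gateway_table, client)

# Assumed fix for illustration only: give Dlink-3 a route for the tunnel
# subnet that points back at the MikroTik, so replies can re-enter the tunnel.
DLINK3_TABLE_WITH_RETURN_ROUTE = DLINK3_TABLE + [(WG_SUBNET, MT_LAN_IP)]

if __name__ == "__main__":
    print("forward next hop for", PBX, "->", forward_next_hop(PBX))
    print("reply returns via MT (assumed Dlink-3 table):",
          reply_reaches_mt(DLINK3_TABLE, WG_CLIENT))
    print("reply returns via MT (with return route):",
          reply_reaches_mt(DLINK3_TABLE_WITH_RETURN_ROUTE, WG_CLIENT))
```

The forward lookup picks the /32 route, so the MT does hand the packet to .254 as intended; what the forward-only view hides is the reply, which the PBX sends to .254 and which, with the assumed Dlink-3 table, leaves by that router's default route and never reaches the MT. Whatever the real Dlink-3 table looks like, the same two lookups, forward on the MT and return on the PBX's gateway, are the check to run before touching firewall rules.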
 
Techsystem
Member
Topic Author
Posts: 337
Joined: Tue Dec 21, 2021 5:12 am

Re: my dilemma in wireguard that no one solve.

Fri May 26, 2023 8:07 am

> Okay, well good luck, tis too bad you posted for help on two configs so eerily similar, as its confusing for me to deal with at the moment.
> Both are very solvable on their own, I know you can do it. Just use logic all traffic needs
> a. to be permitted to flow (firewall rules and allowed IPs)
> b. needs a path to get there ( and watch out for when you force traffic ).
You began to use a blackhole route method in your answer. Mmm, well, I understand..! Thanks..!
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: my dilemma in wireguard that no one solve.

Fri May 26, 2023 6:43 pm

use blackhole at your own risk, normally not required.
