 
alxdan
just joined
Topic Author
Posts: 10
Joined: Sat Oct 10, 2020 4:14 pm

Wireguard on Hap ac2 v7.9

Mon May 22, 2023 10:28 pm

Hello,

Just updated my hap ac2 to 7.9 for this wireguard new functionality but I don't have internet/lan access from the VPN clients:

1. my hap ac2 is behind the ISP GPON (dual nat: ISP 192.168.0.1 mikrotik 192.168.88.1)
2. did the wireguard setup from here: https://systemzone.net/wireguard-vpn-se ... indows-os/
3. set up the client config and I can connect to the mikrotik VPN server but I have no internet access on the client
4. forwarded port 443 UDP from the ISP GPON -> to the local mikrotik ip 192.168.0.111

Do I need to open port 443 somehow on mikrotik?
Or any other ideas?

tks a lot.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard on Hap ac2 v7.9

Mon May 22, 2023 10:54 pm

Don't understand.
You go to system zone to set up your wireguard, so why don't you go there to ask for help on their config suggestions...

If you want to learn about wireguard instead of blindly copying...
https://help.mikrotik.com/docs/display/ROS/WireGuard
viewtopic.php?t=182340
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard on Hap ac2 v7.9

Mon May 22, 2023 11:00 pm

Port 443 is rarely used and ONLY necessary if your ISP blocks all kinds of other ports.
Most folks use something in the 13-15,000 range.

Post your config to see what you have done.
/export file=anynameyouwish ( minus router serial # and any PUBLIC wanip information )


On the note, you stated your ISP provides a Private IP, so it's a modem/router, and your WANIP is fixed/static of 192.168.0.X. It's private, so why you hide it makes no sense??
The subnet on the MT is 192.168.88.0/24

If this is the case then you cannot use Wireguard.
NEED PUBLICLY accessible WANIP.
a. MT is connected to the ISP MODEM and gets a public IP.
b. MT is connected to another ROUTER which gets a public IP and then port forwards the listening port to a LANIP ( in this case the LANIP of the MT router on the ISP LAN --> also is the WANIP of the MT ).
c. MT is connected to the ISP modem/router which gives the MT a private IP address on the LAN subnet of the ISP router and then port forwards the listening port to the MT.

In other words you either
a. get a public IP
b. get an upstream router to port forward the listening port to your MT router.

It seems to me you don't have any of the above...
 
alxdan
just joined
Topic Author
Posts: 10
Joined: Sat Oct 10, 2020 4:14 pm

Re: Wireguard on Hap ac2 v7.9

Tue May 23, 2023 4:34 pm

cfg.rsc
Did again the wireguard setup as per https://help.mikrotik.com/docs/display/ ... uardtunnel
Still no traffic on the client.

MT is behind the ISP Gpon but I have a static/public IP available and I can port forward on the ISP Gpon.
The forwarding is done like: UDP EXT port & INT port 13231 to MT local address (e.g. 192.168.0.111)
Screenshot 2023-05-23 164315.png
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard on Hap ac2 v7.9

Tue May 23, 2023 4:46 pm

(1) Some small minor error is indicated here but not sure what...
add bridge=bridge ingress-filtering=no interface=*9

(2) Major error,
from
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
192.168.88.0

TO
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
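
The two findings in the post above can be checked mechanically on an export. This is an added example, not part of the thread and not the poster's cfg.rsc: the sample export is constructed and assumes ether2 is a bridge port. RouterOS writes `*<id>` in an export when the referenced item no longer exists.

```python
import re

# Constructed sample export (NOT the poster's cfg.rsc); assumes ether2 is a bridge port.
SAMPLE_EXPORT = """\
/interface bridge
add name=bridge
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge ingress-filtering=no interface=*9
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\\
    192.168.88.0
"""

def parse_export(text):
    """Yield (section, {key: value}) for each 'add' line, joining '\\' continuations."""
    joined = re.sub(r"\\\n\s*", "", text)
    section = None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line          # e.g. "/ip address"
        elif line.startswith("add "):
            yield section, dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', line))

def lint(text):
    """Return findings for dangling *ID references and IPs set on bridge ports."""
    entries = list(parse_export(text))
    ports = {p["interface"] for s, p in entries
             if s == "/interface bridge port" and "interface" in p}
    findings = []
    for section, props in entries:
        iface = props.get("interface", "")
        if re.fullmatch(r"\*[0-9A-Fa-f]+", iface):
            # The export kept only the internal ID: the interface was deleted.
            findings.append(f"{section}: dangling interface reference {iface}")
        elif section == "/ip address" and iface in ports:
            findings.append(f"/ip address: {props['address']} is on bridge port "
                            f"{iface}; move it to the bridge interface")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE_EXPORT):
        print(finding)
```
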
 
alxdan
just joined
Topic Author
Posts: 10
Joined: Sat Oct 10, 2020 4:14 pm

Re: Wireguard on Hap ac2 v7.9

Tue May 23, 2023 4:56 pm

I'll change this. Tks.
 
alxdan
just joined
Topic Author
Posts: 10
Joined: Sat Oct 10, 2020 4:14 pm

Re: Wireguard on Hap ac2 v7.9

Sat May 27, 2023 9:36 pm

Did the above-mentioned update and redid the config all the way from scratch, and now the MT Wireguard server works and also a Windows 11 client.
Another client on iOS also works but intermittently - I'll open another thread for that issue to keep these apart.
Thanks for the help.
