projectja

Wireguard & MICROTIK & double NAT

Wed May 24, 2023 9:49 pm

Hi,

I am going crazy trying to configure WireGuard.
It is WireGuard on MikroTik RouterOS 7, where WireGuard is available.

There is double NAT (my ISP router sits in front of the MikroTik), and I am trying to set up port forwarding for WireGuard. I did the same for PPTP and that works.
My network is quite simple, since it is a lab.
ISP router (public IP) => MikroTik => LAN
The ISP router is configured with port forwarding from port 13231 to the MikroTik at 192.168.0.10, port 13231.

I am trying to connect from the WireGuard client on Windows 10, and also from Android, etc., following the WireGuard configuration.

My first step is to test UDP port 13231 from the internet to my ISP public IP.
I should say that I have another configuration for a PPTP VPN (only for traffic-testing purposes) from Windows, and that works fine; the VPN comes up.
However, when testing this UDP port (13231), it seems to be closed or filtered. I have used several online UDP port-testing tools for this.
I wanted to rule out any problem with the client configuration, so I went for a simple way to test it. I know it is UDP, so telnet cannot be used for this.
I also tried the client, but obviously it does not work.

This is my configuration. I have tried different configurations, but the port still seems to be closed.


# may/24/2023 20:34:19 by RouterOS 7.8
# software id = 8ZPX-EMTR
#
# model = RB750Gr3
# serial number = HCQ08DAEQFK
#
# Export as posted. Topology from the question: the ISP router (public IP, NAT)
# forwards UDP 13231 to this router at 192.168.0.10 (ether2), which in turn
# masquerades the VLANs behind ether2. Reviewer remarks are marked NOTE(review).
/interface wireguard
# NOTE(review): WireGuard replies only to packets that carry a valid handshake
# for one of its configured peers; everything else is dropped without any
# answer. Online UDP port checkers therefore show 13231 as "closed/filtered"
# even when the forward is correct, so that test cannot tell a working setup
# from a broken one. Test with a real peer instead and check whether that
# peer's last-handshake value ever updates.
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=ether3 name=vlan1 vlan-id=1
add interface=ether3 name=vlan10 vlan-id=10
add interface=ether3 name=vlan20 vlan-id=20
add interface=ether3 name=vlan30 vlan-id=30
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
# NOTE(review): dhcp_pool3 and dhcp_pool5 cover the identical range
# 10.10.0.2-10.10.0.254 and are used by two different servers (dhcp1 on vlan10,
# dhcp3 on vlan1), so the same address can be leased on both VLANs.
# dhcp_pool1 and dhcp_pool2 (10.1.0.x, 10.3.0.x) are not referenced by any
# server below.
add name=dhcp_pool0 ranges=10.1.10.2-10.1.10.254
add name=dhcp_pool1 ranges=10.1.0.2-10.1.0.254
add name=dhcp_pool2 ranges=10.3.0.2-10.3.0.254
add name=dhcp_pool3 ranges=10.10.0.2-10.10.0.254
add name=dhcp_pool4 ranges=10.20.0.2-10.20.0.254
add name=dhcp_pool5 ranges=10.10.0.2-10.10.0.254
add name=dhcp_pool6 ranges=192.168.10.2-192.168.10.254
add name=PPTP ranges=172.20.1.2-172.20.1.100
/ip dhcp-server
add address-pool=dhcp_pool3 interface=vlan10 lease-time=30m name=dhcp1
add address-pool=dhcp_pool4 interface=vlan20 name=dhcp2
# NOTE(review): dhcp3 serves vlan1, whose address below is 10.1.10.1/24, but
# hands out 10.10.0.x from dhcp_pool5. dhcp_pool0 (10.1.10.x) is the pool that
# matches that subnet. Unrelated to WireGuard, but clients on vlan1 will get
# addresses that do not fit their interface.
add address-pool=dhcp_pool5 interface=vlan1 name=dhcp3
add address-pool=dhcp_pool6 interface=vlan30 name=dhcp4
/port
set 0 name=serial0
/ppp profile
# NOTE(review): local-address=192.168.0.10 hard-codes the ether2 address that
# is otherwise obtained by DHCP (see /ip dhcp-client); see the remark there.
add local-address=192.168.0.10 name=PPTP remote-address=PPTP use-encryption=\
required
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set authentication=mschap2 default-profile=PPTP enabled=yes
/interface wireguard peers
# NOTE(review): allowed-address=::/0 is an IPv6-only prefix, while the tunnel
# address below is IPv4 (192.168.30.11/24). WireGuard discards any decrypted
# packet whose source is not inside the peer's allowed-address, so even after a
# successful handshake IPv4 traffic from these peers is dropped. Each peer
# needs its own IPv4 tunnel address here, e.g. allowed-address=192.168.30.N/32
# (N is a placeholder for that peer's tunnel host number).
# NOTE(review): both peers carry the same allowed-address. allowed-address
# doubles as the routing key, so it must be unique per peer; with an overlap the
# later entry takes the prefix and the first peer is never selected.
# NOTE(review): endpoint-address=172.20.1.4 lies inside the PPTP pool. For a
# roaming Windows/Android client behind NAT the server-side peer normally has
# no endpoint at all; the client's real address is learned from its handshake.
# Presumably not intended - confirm.
add allowed-address=::/0 endpoint-address=172.20.1.4 endpoint-port=13231 \
interface=wireguard1 public-key=\
"AtjHxi2RaQXpE/AfSrdoxTVCqJEraLH6F7RNOqrrvUs="
add allowed-address=::/0 endpoint-port=13231 interface=wireguard1 public-key=\
"EPLh6pVel06dND8cE4Prix9GP4hGLYNhQhn5mSN2yzM="
/ip address
add address=10.10.0.1/24 interface=vlan10 network=10.10.0.0
add address=10.20.0.1/24 interface=vlan20 network=10.20.0.0
add address=10.1.10.1/24 interface=vlan1 network=10.1.10.0
add address=192.168.10.1/24 interface=vlan30 network=192.168.10.0
# Tunnel-side address of this router; peers need addresses in 192.168.30.0/24.
add address=192.168.30.11/24 interface=wireguard1 network=192.168.30.0
/ip dhcp-client
# NOTE(review): ether2 (the WAN side towards the ISP router) gets its address by
# DHCP, yet the ISP forward targets 192.168.0.10 and the PPP profile hard-codes
# it. Unless the ISP router reserves 192.168.0.10 for this device, a lease
# change silently breaks the forward. Worth checking before anything else.
add interface=ether2
/ip dhcp-server lease
add address=192.168.10.99 disabled=yes mac-address=00:0D:A3:17:0D:02 server=\
dhcp4
add address=192.168.10.98 mac-address=9C:53:22:3E:BD:4C server=dhcp4
/ip dhcp-server network
add address=10.1.0.0/24 gateway=10.1.0.1
add address=10.1.10.0/24 gateway=10.1.10.1
add address=10.3.0.0/24 gateway=10.3.0.1
# NOTE(review): 4.4.4.4 is not a well-known public resolver; 8.8.4.4 was
# probably intended (also on the two entries below).
add address=10.10.0.0/24 dns-server=4.4.4.4 gateway=10.10.0.1
add address=10.20.0.0/24 dns-server=4.4.4.4 gateway=10.20.0.1
add address=192.168.10.0/24 dns-server=8.8.8.8,4.4.4.4 gateway=192.168.10.1
/ip firewall filter
# NOTE(review): there is no drop rule in any chain, so input accepts everything
# by default and the "allow WireGuard" rule is not what is blocking the port.
# The flip side is that every service on this router is reachable from every
# interface, including whatever the ISP router forwards to it. Once the tunnel
# works, the usual established/related accept followed by a drop of unsolicited
# traffic from ether2 belongs in the input chain.
add action=drop chain=forward comment="bloquear VLAN10" disabled=yes \
out-interface=vlan10
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
protocol=udp
add action=accept chain=input comment="allow WireGuard traffic" disabled=yes
add action=accept chain=forward dst-port=1723 protocol=tcp src-port=1723
# NOTE(review): the three disabled rules below also match on src-port=13231.
# A WireGuard client normally sends from an ephemeral source port, not from the
# listen port, so these rules would not match if re-enabled.
add action=accept chain=forward disabled=yes dst-port=13231 protocol=udp \
src-port=13231
add action=accept chain=input disabled=yes dst-port=13231 protocol=udp \
src-port=13231
add action=accept chain=output disabled=yes dst-port=13231 protocol=udp \
src-port=13231
add action=accept chain=forward in-interface=vlan10 out-interface=vlan30
/ip firewall nat
add action=masquerade chain=srcnat dst-address-list="" out-interface=ether2
# NOTE(review): "input" is not a NAT chain; only srcnat and dstnat are built in.
# The two rules below land in an unreferenced custom chain and never run. A
# service hosted on the router itself needs nothing in the NAT table; the
# accept belongs in /ip firewall filter chain=input, which already exists
# above. In addition, src-address=192.168.0.10 is this router's own WAN address
# and src-port=13231 would not match a client, so the rule would be inert
# even in the right chain.
add action=accept chain=input in-interface=ether2 protocol=tcp src-port=1723
add action=accept chain=input dst-address=192.168.30.11 dst-port=13231 \
in-interface=ether2 protocol=udp src-address=192.168.0.10 src-port=13231
/ppp secret
add name=usuario-pptp profile=PPTP service=pptp
/system clock
set time-zone-name=Europe/Madrid

Could you please give me a hand? I have been trying to configure this for several hours. It is probably a silly question with a basic solution.
