projectja

Double NAT, MikroTik and WireGuard

Thu May 25, 2023 10:16 am

Hi, I'm going crazy.
I'm trying to configure a WireGuard tunnel with a MikroTik router, RouterOS version 7.6.
I created a WireGuard configuration according to the documentation, but it does not work. I tested UDP port 13231 from outside and it is not reachable. Obviously, WireGuard clients are not able to connect either.

This is just a lab for testing purposes and for learning about MikroTik before going to production.
I find that it is not possible to access the port from outside. In my ISP router I created a port-forwarding rule from port 13231 to port 13231 on 192.168.0.10 in my LAN, and from there there is another NAT to the IP address I have created for WireGuard. I created firewall rules and NAT rules in the MikroTik, but it doesn't work.

Can you please give me a clue? By the way, I configured a PPTP VPN just for testing, in order to see the behaviour with double NAT, and it does work once NAT and port forwarding are configured; however, with WireGuard I am not able to make this configuration work.

You can find the configuration file below.

# may/24/2023 20:34:19 by RouterOS 7.8
# software id = 8ZPX-EMTR
#
# model = RB750Gr3
# serial number = HCQ08DAEQFK
# NOTE(review): the export header says RouterOS 7.8 while the post says 7.6 --
# confirm which version the box actually runs. The software id and serial
# number identify this particular unit and are not needed to reproduce the
# problem; they are normally redacted before an export is posted publicly.
/interface wireguard
# The router itself terminates the tunnel on UDP/13231 on all its interfaces,
# so no dst-nat towards a LAN host is needed on this box: the ISP router's
# forward to 192.168.0.10 plus an input-chain accept is the whole path.
# WireGuard deliberately never answers a packet that is not a valid handshake,
# so an external "UDP port test" reports the same result whether or not the
# port is reachable. Test with a real client and check last-handshake in
# `/interface wireguard peers print` instead.
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
# NOTE(review): vlan-id=1 is commonly the untagged/native VLAN on the switch
# side; a tagged VLAN 1 here only works if the peer port tags it too -- verify.
add interface=ether3 name=vlan1 vlan-id=1
add interface=ether3 name=vlan10 vlan-id=10
add interface=ether3 name=vlan20 vlan-id=20
add interface=ether3 name=vlan30 vlan-id=30
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
# dhcp_pool3 and dhcp_pool5 cover the same 10.10.0.0/24 range; dhcp_pool0,
# dhcp_pool1 and dhcp_pool2 are not referenced by any DHCP server below.
add name=dhcp_pool0 ranges=10.1.10.2-10.1.10.254
add name=dhcp_pool1 ranges=10.1.0.2-10.1.0.254
add name=dhcp_pool2 ranges=10.3.0.2-10.3.0.254
add name=dhcp_pool3 ranges=10.10.0.2-10.10.0.254
add name=dhcp_pool4 ranges=10.20.0.2-10.20.0.254
add name=dhcp_pool5 ranges=10.10.0.2-10.10.0.254
add name=dhcp_pool6 ranges=192.168.10.2-192.168.10.254
add name=PPTP ranges=172.20.1.2-172.20.1.100
/ip dhcp-server
# dhcp3 serves vlan1 from dhcp_pool5 (10.10.0.x), but vlan1 is addressed
# 10.1.10.1/24 below: vlan1 clients would get leases outside their own subnet
# and inside vlan10's. dhcp_pool0 (10.1.10.x) looks like the intended pool.
add address-pool=dhcp_pool3 interface=vlan10 lease-time=30m name=dhcp1
add address-pool=dhcp_pool4 interface=vlan20 name=dhcp2
add address-pool=dhcp_pool5 interface=vlan1 name=dhcp3
add address-pool=dhcp_pool6 interface=vlan30 name=dhcp4
/port
set 0 name=serial0
/ppp profile
# local-address=192.168.0.10 is the address the ISP router forwards to, i.e.
# presumably this router's own WAN (ether2) address -- see /ip dhcp-client.
add local-address=192.168.0.10 name=PPTP remote-address=PPTP use-encryption=\
required
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
# NOTE(review): PPTP was enabled here only as a double-NAT comparison; disable
# it again once the WireGuard tests are done.
set authentication=mschap2 default-profile=PPTP enabled=yes
/interface wireguard peers
# allowed-address is both WireGuard's cryptokey routing table and its ingress
# filter: a decrypted packet is dropped unless its source lies inside the
# peer's allowed-address. ::/0 covers only IPv6, yet the tunnel is addressed
# with IPv4 (192.168.30.11/24 below), so IPv4 packets from these peers are
# discarded even after a successful handshake. Give each peer its own tunnel
# address, e.g. allowed-address=192.168.30.12/32 and 192.168.30.13/32
# (constructed values -- use the addresses configured on the clients).
# Overlapping allowed-address ranges across peers are also ambiguous: each
# prefix maps to exactly one peer.
# endpoint-address=172.20.1.4 falls inside the PPTP pool above; for roaming
# clients whose address is unknown, leave it unset as the second peer does.
add allowed-address=::/0 endpoint-address=172.20.1.4 endpoint-port=13231 \
interface=wireguard1 public-key=\
"AtjHxi2RaQXpE/AfSrdoxTVCqJEraLH6F7RNOqrrvUs="
add allowed-address=::/0 endpoint-port=13231 interface=wireguard1 public-key=\
"EPLh6pVel06dND8cE4Prix9GP4hGLYNhQhn5mSN2yzM="
/ip address
add address=10.10.0.1/24 interface=vlan10 network=10.10.0.0
add address=10.20.0.1/24 interface=vlan20 network=10.20.0.0
add address=10.1.10.1/24 interface=vlan1 network=10.1.10.0
add address=192.168.10.1/24 interface=vlan30 network=192.168.10.0
# Tunnel-side address of this router; peer tunnel addresses come from this /24.
add address=192.168.30.11/24 interface=wireguard1 network=192.168.30.0
/ip dhcp-client
# ether2 is the WAN towards the ISP router (masqueraded in /ip firewall nat).
add interface=ether2
/ip dhcp-server lease
add address=192.168.10.99 disabled=yes mac-address=00:0D:A3:17:0D:02 server=\
dhcp4
add address=192.168.10.98 mac-address=9C:53:22:3E:BD:4C server=dhcp4
/ip dhcp-server network
# 10.1.0.0/24 and 10.3.0.0/24 have no matching /ip address or DHCP server.
# NOTE(review): 4.4.4.4 is not a well-known public resolver; if Google's
# secondary 8.8.4.4 was intended, fix it on all three networks below.
add address=10.1.0.0/24 gateway=10.1.0.1
add address=10.1.10.0/24 gateway=10.1.10.1
add address=10.3.0.0/24 gateway=10.3.0.1
add address=10.10.0.0/24 dns-server=4.4.4.4 gateway=10.10.0.1
add address=10.20.0.0/24 dns-server=4.4.4.4 gateway=10.20.0.1
add address=192.168.10.0/24 dns-server=8.8.8.8,4.4.4.4 gateway=192.168.10.1
/ip firewall filter
# NOTE(review): there is no drop rule in the input or forward chain, so the
# accept rules below change nothing -- everything is accepted by default and
# the filter cannot be what blocks the WireGuard handshake. When hardening,
# finish the input chain with an established/related accept followed by a
# drop for in-interface=ether2, keeping the UDP/13231 accept above the drop.
add action=drop chain=forward comment="bloquear VLAN10" disabled=yes \
out-interface=vlan10
# The only filter rule WireGuard needs on this router.
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
protocol=udp
# A matcher-less accept in input accepts all traffic to the router; keep it
# disabled.
add action=accept chain=input comment="allow WireGuard traffic" disabled=yes
# src-port matching (here and in the disabled 13231 rules below) is wrong for
# both PPTP and WireGuard: clients, especially behind NAT, use an ephemeral
# source port, so a rule that also requires src-port=<service port> will
# rarely match.
add action=accept chain=forward dst-port=1723 protocol=tcp src-port=1723
add action=accept chain=forward disabled=yes dst-port=13231 protocol=udp \
src-port=13231
add action=accept chain=input disabled=yes dst-port=13231 protocol=udp \
src-port=13231
add action=accept chain=output disabled=yes dst-port=13231 protocol=udp \
src-port=13231
add action=accept chain=forward in-interface=vlan10 out-interface=vlan30
/ip firewall nat
add action=masquerade chain=srcnat dst-address-list="" out-interface=ether2
# NOTE(review): the NAT table only has the built-in chains srcnat and dstnat;
# chain=input here creates a custom chain that nothing jumps to, so these two
# rules never run. They are also unnecessary, because the router terminates
# PPTP and WireGuard itself and the filter input accept above suffices. Even
# if they ran they would not match: 192.168.0.10 is presumably this router's
# own WAN address, not the source of the remote clients, and an inbound packet
# from the ISP router carries the WAN address as destination, not the tunnel
# address 192.168.30.11.
add action=accept chain=input in-interface=ether2 protocol=tcp src-port=1723
add action=accept chain=input dst-address=192.168.30.11 dst-port=13231 \
in-interface=ether2 protocol=udp src-address=192.168.0.10 src-port=13231
/ppp secret
add name=usuario-pptp profile=PPTP service=pptp
/system clock
set time-zone-name=Europe/Madrid
