bthomyka
just joined
Topic Author
Posts: 3
Joined: Thu Nov 02, 2023 8:28 am

Wireguard & LAN

Thu Nov 02, 2023 8:44 am

Dear Community,
I know there are many more topics on the Wireguard and LAN theme, but I have not found the solution for my challenge... :/

So I would like to use WG clients on MikroTik, with routing to the LAN.

My config in short:
MikroTik IP 192.168.0.1/21
DHCP range is 192.168.0.50-192.168.0.200
For WireGuard it is 192.168.7.1, and I want the clients on 7.10-7.50 (I tried netmask 21/24/32, no solution)
I have a wireless hotspot on 192.168.154.0/24; every client connection is OK and routes to the WAN without problem. These clients can't access my LAN, which is good and working.

In the firewall I accept the WireGuard clients (default firewall rule, from WAN to WG); the connection is OK, and (with a few config schemas) it routes to the WAN, and the WG is in the bridge.
So I have tried many more configuration tips from this forum, but I have no solution for routing between the LAN & WG clients.
Last week I read about the same problem here; someone wrote in the topic to change the netmask from 24 to 20. For me 0.0-7.254 is enough, and I would like to use WG in 7.0 (with routing to the LAN).


Please help me, what am I doing wrong...?
Thank you.
 
anav
Forum Guru
Posts: 19404
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard & LAN

Thu Nov 02, 2023 12:19 pm

No idea, very little information provided.
Need a full export:
/export file=anynameyouwish (minus router serial number, any public WAN IP information, keys etc.)

Also Read this.
viewtopic.php?t=182340
 
bthomyka
just joined
Topic Author
Posts: 3
Joined: Thu Nov 02, 2023 8:28 am

Re: Wireguard & LAN

Thu Nov 02, 2023 1:09 pm

anav wrote:
    No idea, very little information provided.
    Need a full export:
    /export file=anynameyouwish (minus router serial number, any public WAN IP information, keys etc.)

    Also read this.
    viewtopic.php?t=182340
Thank you. Here is my config: https://pastebin.com/wRZ7E9pZ (hide-sensitive)
 
anav
Forum Guru
Posts: 19404
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard & LAN

Thu Nov 02, 2023 4:37 pm

Observations:

1. You have two subnets, one for the bridge and one for WLAN, but you have them both on the bridge.
Therefore you need to change your approach. It would appear you need two VLANs, one for home plus wlan1 and wlan2,
and one for wlan3, so to speak. If not keen on using VLANs, I recommend you keep the bridge as is and ensure you identify WLAN3 as the second subnet.
EDIT: Exactly what you have done, excellent!!

2. Remove this entry....
/interface list members
add disabled=yes interface=*9 list=WAN


3. Your WireGuard settings for the peer are incorrect.................
/interface wireguard peers
add endpoint-address=192.168.7.10 interface=wg-server public-key=\
"Wl6x8diLwOibFRdjOU1ma3hSypeqiHXS5EeABFaVlio="


The format should be
add allowed-ips=192.168.7.10/32 etc................... (not endpoint).

Think about the logic: why would you need to reach the endpoint of the client? This is the server device!
The function of allowed-ips for a peer is in general two-fold:
a. to tell the WireGuard code the legitimate destination addresses for any traffic originating from users on the router, heading outbound and entering the tunnel
(if not listed, it will not go);
b. to tell the WireGuard code the legitimate source addresses for any traffic originating remotely, inbound on the tunnel and wanting to exit the tunnel at the local device.

In your case it's only B. :-)

4. Stick the input chain rule further down the line; not critical, there is just no reason for it to be first.....
like here:
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1

add action=accept chain=input comment="Wireguard bejövő" dst-port=15231 \
in-interface-list=WAN protocol=udp

add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN


5. Security-wise: consider that you allow the whole LAN full access to the router, whereas it should only be you. The users need access to DNS services only.
So I recommend taking the single line in the input chain { add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
} and replacing it with the below:

/ip firewall address-list (using statically set leases)
add address=192.168.0.XX list=Authorized comment="admin PC"
add address=192.168.0.YY list=Authorized comment="admin wifi connection"
add address=192.168.7.10 list=Authorized comment="Remote admin wireguard"

/ip firewall filter
add action=accept chain=input comment="LAN DNS" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="LAN DNS" dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"


6. Similarly, it's much more efficient in the forward chain to remove this rule { "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN }, remove the two drop rules you added, and replace them with the below.......

add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"


7. You ONLY need the single source NAT rule! Remove the others.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN


8. Any reason why you really need UPnP??
Especially because that *9 error also occurs here!

9. Should be set to NONE, as the mac-server entry is not secure (the mac-winbox method is secure):
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

+++++++++++++++++++++++++++

In summary, the biggest issue was the missing allowed-ips in the WireGuard peer settings.
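The two checks described in the post above, modelled as an added example (this is not code from the forum thread or from MikroTik): a WireGuard client's packet first has to pass cryptokey routing, where the peer's allowed-ips decide whether a decrypted packet is kept (inbound) and which peer a packet is sent to (outbound), and then the firewall input or forward chain, evaluated first-match the way RouterOS does it. The peer name "laptop", the interface-list membership (wg-server placed in LAN), the admin addresses in the Authorized list, the "accept Authorized" input rule and the explicit wg-server-to-LAN forward rule are all assumptions made for the example; the last one is there because once a "drop all else" rule closes the forward chain, WG-to-LAN traffic needs its own accept rule.

```python
# Added example, not from the forum post: a model of cryptokey routing
# (allowed-ips) followed by a first-match RouterOS firewall chain.
from ipaddress import ip_address, ip_network

# ---- 1. cryptokey routing --------------------------------------------------
# Peer as originally posted (endpoint-address only, so no allowed-ips) versus
# the corrected peer (allowed-ips=192.168.7.10/32). Peer name is assumed.
PEERS_BROKEN = {"laptop": []}
PEERS_FIXED = {"laptop": ["192.168.7.10/32"]}

def outbound_peer(peers, dst):
    """Peer whose allowed-ips contain dst (longest prefix wins); None = never enters the tunnel."""
    dst = ip_address(dst)
    best, best_len = None, -1
    for name, nets in peers.items():
        for net in map(ip_network, nets):
            if dst in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best

def inbound_ok(peers, peer, src):
    """A packet decrypted with `peer`'s key is kept only if its source is in that peer's allowed-ips."""
    return any(ip_address(src) in ip_network(net) for net in peers.get(peer, []))

# ---- 2. firewall chains ----------------------------------------------------
# Assumed: wg-server is added to the LAN interface list, ether1 is the WAN uplink,
# and the admin hosts (192.168.0.XX / .YY in the post) have these static addresses.
IFACE_LISTS = {"LAN": {"bridge", "wg-server"}, "WAN": {"ether1"}}
ADDR_LISTS = {"Authorized": {"192.168.0.11", "192.168.0.12", "192.168.7.10"}}

def _in_list(spec, iface):
    """'LAN' matches members of LAN; '!LAN' matches every other interface."""
    negate = spec.startswith("!")
    return (iface in IFACE_LISTS[spec.lstrip("!")]) != negate

def _matches(rule, pkt):
    """Every matcher present in the rule must hold; absent matchers are wildcards."""
    checks = (
        ("protocol", lambda v: pkt["protocol"] == v),
        ("dst_port", lambda v: pkt.get("dst_port") == v),
        ("in_list", lambda v: _in_list(v, pkt["in_iface"])),
        ("out_list", lambda v: _in_list(v, pkt["out_iface"])),
        ("in_iface", lambda v: pkt["in_iface"] == v),
        ("src_list", lambda v: pkt["src"] in ADDR_LISTS[v]),
        ("conn_state", lambda v: pkt.get("conn_state", "new") in v),
        ("nat_state", lambda v: pkt.get("nat_state") == v),
    )
    return all(fn(rule[key]) for key, fn in checks if key in rule)

def verdict(chain, pkt):
    """First matching rule decides; RouterOS accepts when no rule matches."""
    for rule in chain:
        if _matches(rule, pkt):
            return rule["action"]
    return "accept"

# Input chain in the order the post recommends: defaults first, the WG listener
# rule further down, then admin hosts, LAN DNS, and a final drop in place of
# "drop all not coming from LAN".
INPUT = [
    {"conn_state": {"established", "related", "untracked"}, "action": "accept"},
    {"conn_state": {"invalid"}, "action": "drop"},
    {"protocol": "icmp", "action": "accept"},
    {"protocol": "udp", "dst_port": 15231, "in_list": "WAN", "action": "accept"},
    {"src_list": "Authorized", "action": "accept"},  # assumed: only admins reach the router
    {"protocol": "udp", "dst_port": 53, "in_list": "LAN", "action": "accept"},
    {"protocol": "tcp", "dst_port": 53, "in_list": "LAN", "action": "accept"},
    {"action": "drop"},
]
# Forward chain: internet for LAN, port forwards, and (assumed, required once a
# final drop exists) an explicit rule letting WG clients into the LAN.
FORWARD = [
    {"conn_state": {"established", "related", "untracked"}, "action": "accept"},
    {"conn_state": {"invalid"}, "action": "drop"},
    {"in_list": "LAN", "out_list": "WAN", "action": "accept"},
    {"nat_state": "dstnat", "action": "accept"},
    {"in_iface": "wg-server", "out_list": "LAN", "action": "accept"},  # assumed
    {"action": "drop"},
]

def wg_client_to_lan(peers, src="192.168.7.10", dst="192.168.0.20"):
    """Full path of a new WG-client -> LAN SMB connection: cryptokey check, then the forward chain."""
    if not inbound_ok(peers, "laptop", src):
        return "dropped by cryptokey routing"
    pkt = {"protocol": "tcp", "dst_port": 445, "src": src, "dst": dst,
           "in_iface": "wg-server", "out_iface": "bridge"}
    return verdict(FORWARD, pkt)

if __name__ == "__main__":
    print("broken peer:", wg_client_to_lan(PEERS_BROKEN))
    print("fixed peer: ", wg_client_to_lan(PEERS_FIXED))
    print("ordinary LAN host -> winbox:", verdict(INPUT, {
        "protocol": "tcp", "dst_port": 8291, "src": "192.168.0.77", "in_iface": "bridge"}))
```

Running it shows the symptom from the first post: with the peer defined by endpoint-address alone, `inbound_ok` rejects every packet the client sends, so nothing ever reaches the forward chain, while the corrected peer passes and is then accepted only because of the explicit wg-server-to-LAN rule. The same chain model makes the least-privilege point of item 5 concrete: an ordinary LAN host can still resolve DNS but is dropped when it tries Winbox, whereas an address in the Authorized list is accepted.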
 
bthomyka
just joined
Topic Author
Posts: 3
Joined: Thu Nov 02, 2023 8:28 am

Re: Wireguard & LAN

Wed Nov 08, 2023 8:27 am

Thank you for this help.
Soon I can try these modifications and I will write here.
