NightWolf
just joined
Topic Author
Posts: 3
Joined: Sat Apr 06, 2024 10:30 pm

WireGuard - no lan connection

Tue Apr 16, 2024 2:29 am

Hello everyone,

Unfortunately, I'm currently having a problem setting up a WireGuard network. The connection between SiteA<->SiteB<->SiteC works. The only problem I have is that I can only access the router via the tunnel IP or LAN IP. However, communication from LAN<->LAN is not possible. I checked my config against various instructions, but unfortunately I couldn't identify the problem.

Maybe one of you can show me the error in my config.

Kind regards,
NightWolf
Translated with Google
 
anav
Forum Guru
Posts: 19602
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard - no lan connection

Tue Apr 16, 2024 2:01 pm

Which Router (wireguard) acts as a server for handshake?
Do any of the routers have a public IP address, or an upstream router that can port forward?

Also, why does router A have three wireguard interfaces, two of them disabled, but a hodgepodge of peers?
Clean up before asking us to review........
 
NightWolf
just joined
Topic Author
Posts: 3
Joined: Sat Apr 06, 2024 10:30 pm

Re: WireGuard - no lan connection

Wed Apr 17, 2024 3:37 am

Site-A is preceded by a FritzBox 7530 AX, which forwards port 52812 via DynDNS.
Site-B and Site-C can be reached via a public IP.

The other peers were for later configurations. But these were deactivated. Unfortunately nothing changed after deleting them.
 
llamajaja
Member Candidate
Posts: 198
Joined: Sat Sep 30, 2023 3:11 pm

Re: WireGuard - no lan connection

Wed Apr 17, 2024 5:44 pm

Okay, the assumptions will be as follows.
1. Router A is the server for handshake purposes...... Routers B and C will connect to Router A.
2. For redundancy, in case Router A is not available for whatever reason, we will create a secondary WG between Router B and C, with Router B being the server for handshake.
 
llamajaja
Member Candidate
Posts: 198
Joined: Sat Sep 30, 2023 3:11 pm

Re: WireGuard - no lan connection

Wed Apr 17, 2024 7:31 pm

RouterA

(1) Remove pre-shared keys from wireguard. I have never seen them used, so remove them for this testing.
Once we get a good working config, feel free to play with it at your leisure.

(2) Remove ether1 from Bridge, WAN is not part of LAN bridge.

(3) Modify as follows:
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=bridge list=LAN

add interface="WireGuard - Cloud" list=LAN

(3) Modify so only this shows in your Allowed IPs.....
/interface wireguard peers
add allowed-address=10.0.1.2/32,192.168.222.0/24 comment="To Router B" \
interface="WireGuard - Cloud" public-key="HK----="
add allowed-address=10.0.1.3/32,192.168.233.0/24 comment="To Router C" \
interface="WireGuard - Cloud" public-key="UD-------2I="

add allowed-address=10.0.1.5/32 comment="Admin Remote Laptop" \
interface="WireGuard - Cloud" public-key="HH-------2I="
add allowed-address=10.0.1.6/32 comment="Admin Remote smartphone/ipad" \
interface="WireGuard - Cloud" public-key="ZZ-------2I="


(4) Remove all IPv6 noise, firewall filter, address list etc..... since it's disabled..

(5) Simplify routes: You do not need routes for wireguard peers, as the route is created automagically by the WG IP address. You do need routes for all remote subnets, also identified in allowed IPs.
/ip route
add dst-address=0.0.0.0/0 gateway=ether1-gateway-IP routing-table=main
add dst-address=192.168.222.0/24 gateway="WireGuard - Cloud" \
routing-table=main
add dst-address=192.168.233.0/24 gateway="WireGuard - Cloud" \
routing-table=main

(6) Fix Firewall Rules.........

/ip firewall address-list { use static dhcp leases where applicable }
add address=192.168.4.X list=Authorized comment="admin local desktop wired"
add address=192.168.4.Y list=Authorized comment="admin laptop wired/wifi"
add address=192.168.222.A list=Authorized comment="admin remote desktop router B"
add address=192.168.233.B list=Authorized comment="admin remote desktop router C"
add address=10.0.1.5/32 list=Authorized comment="admin laptop remote"
add address=10.0.1.6/32 list=Authorized comment="admin smartphone/ipad remote"


/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
dst-address=127.0.0.1
add action=accept chain=input comment="Wireguard handshake" dst-port=52810 protocol=udp
add action=accept chain=input comment="Admin Access" src-address-list=Authorized
add action=accept chain=input comment="users to services" dst-port=53 protocol=udp in-interface-list=LAN
add action=accept chain=input comment="users to services" dst-port=53 protocol=tcp in-interface-list=LAN
add action=drop chain=input comment="Drop all else" { put this rule in last so you dont lock yourself out }
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid disabled=yes
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward out-interface="WireGuard - Cloud" src-address=192.168.4.0/24 \
comment="allow local RA users to access wg tunnel"
add action=accept chain=forward in-interface="WireGuard - Cloud" dst-address=192.168.4.0/24 \
src-address=192.168.222.0/24 comment="allow RB users access to local LAN"
add action=accept chain=forward in-interface="WireGuard - Cloud" dst-address=192.168.4.0/24 \
src-address=192.168.233.0/24 comment="allow RC users access to local LAN"
add action=accept chain=forward in-interface="WireGuard - Cloud" out-interface="WireGuard - Cloud" \
comment="Relay rule if you want RB users and RC users to be able to reach each other"
add action=accept chain=forward comment="port forwarding" connection-nat-state=dst-nat disabled=yes { enable if required, or remove }
add action=drop chain=forward comment="Drop All else"


NOTE: My preference is to be flexible on entering the wg tunnel and being specific as to where users can land. For example, if you don't want RC users to access the local LAN, simply remove the rule.

(7) Ensure this rule is ENABLED!
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=no \
ipsec-policy=out,none out-interface-list=WAN
 
llamajaja
Member Candidate
Posts: 198
Joined: Sat Sep 30, 2023 3:11 pm

Re: WireGuard - no lan connection

Wed Apr 17, 2024 8:37 pm

Router B - remember this is the backup wireguard in case B is down so B and C can still reach each other and so that the admin can reach both routers remotely.
All the fixes noted for Router A are applicable here as well.

1. Add the extra wireguard items:
/interface wireguard
add listen-port=52810 mtu=1420 name=WireGuard
add listen-port=52910 mtu=1420 name=WG-B

/interface list
add name=WAN
add name=LAN
add name=WG-LAN

/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=WireGuard list=LAN
add interface=WG-B list=LAN
add interface=WireGuard list=WG-LAN
add interface=WG-B list=WG-LAN

/ip address
add address=195.123.123.99/22 disabled=yes interface=*1 network=195.123.123.0
add address=192.168.222.10/24 interface=ether2 network=192.168.222.0
add address=10.0.1.2/24 interface=WireGuard network=10.0.1.0
add address=10.2.1.1/24 interface=WG-B network=10.2.1.0


2. Fix and modify allowed IPs:
/interface wireguard peers
add allowed-address=10.0.1.0/24,192.168.4.0/24,192.168.233.0/24 comment="To Router A" \
endpoint-address=xxx.myfritz.net endpoint-port=52810 interface=WireGuard \
persistent-keepalive=25s public-key="iD-------------------QY="
add allowed-address=10.2.1.2/32,192.168.233.0/24 comment="Backup to Router C" \
interface=WG-B public-key="nC---------------------RM="
add allowed-address=10.2.1.5/32 comment="Admin Remote Laptop" \
interface=WG-B public-key="KK------2I="
add allowed-address=10.2.1.6/32 comment="Admin Remote smartphone/ipad" \
interface=WG-B public-key="LL------2I="



(5) Routes:
/ip route
add dst-address=0.0.0.0/0 gateway=ether1-gateway-IP routing-table=main
add dst-address=192.168.4.0/24 gateway=WireGuard \
routing-table=main
add dst-address=192.168.233.0/24 gateway=WireGuard \
routing-table=main
add distance=2 dst-address=192.168.233.0/24 gateway=WG-B \
routing-table=main



(6) Fix Firewall Rules.........

/ip firewall address-list { use static dhcp leases where applicable }
add address=192.168.4.X list=Authorized comment="admin remote router A"
add address=192.168.4.Y list=Authorized comment="admin remote laptop router A"
add address=192.168.222.A list=Authorized comment="admin local desktop router B"
add address=192.168.233.B list=Authorized comment="admin remote desktop router C"
add address=10.0.1.5/32 list=Authorized comment="admin laptop remote"
add address=10.0.1.6/32 list=Authorized comment="admin smartphone/ipad remote"
{ added list items for backup access to Routers B, C by remote admin }
add address=10.2.1.5/32 list=Authorized comment="admin laptop remote for backup wireguard"
add address=10.2.1.6/32 list=Authorized comment="admin smartphone/ipad remote for backup wireguard"

/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
dst-address=127.0.0.1
add action=accept chain=input comment="Wireguard handshake" dst-port=52910 protocol=udp
add action=accept chain=input comment="Admin Access" src-address-list=Authorized
add action=accept chain=input comment="users to services" dst-port=53 protocol=udp in-interface-list=LAN
add action=accept chain=input comment="users to services" dst-port=53 protocol=tcp in-interface-list=LAN
add action=drop chain=input comment="Drop all else" { put this rule in last so you dont lock yourself out }
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid disabled=yes
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward out-interface-list=WG-LAN src-address=192.168.222.0/24 \
comment="allow local RB users to access to both wg tunnels"
add action=accept chain=forward in-interface=WireGuard dst-address=192.168.222.0/24 \
src-address=192.168.4.0/24 comment="allow RA users access to local LAN"
add action=accept chain=forward in-interface-list=WG-LAN dst-address=192.168.222.0/24 \
src-address=192.168.233.0/24 comment="allow RC users access to local LAN via both tunnels"
add action=accept chain=forward comment="port forwarding" connection-nat-state=dst-nat disabled=yes { enable if required, or remove }
add action=drop chain=forward comment="Drop All else"

NOTE: My preference is to be flexible on entering the wg tunnel and being specific as to where users can land. For example, if you don't want RC users to access the local LAN, simply remove the rule.

(7) SourceNAT fixed.... no need to sourcenat wireguard in your situation.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
ipsec-policy=out,none out-interface-list=WAN
Last edited by llamajaja on Wed Apr 17, 2024 9:01 pm, edited 2 times in total.
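An added consistency check, not from this thread or from MikroTik, for the point llamajaja makes in the Router A post (step 5) and repeats for Router B: every remote subnet in a peer's allowed-address needs a route into that tunnel, and every route into a tunnel needs a peer allowed to carry that prefix. It reads a RouterOS-style export; the two sample exports are constructed (public keys and unrelated attributes omitted), and ROUTER_A_BROKEN reproduces the original symptom where the route exists but the remote LAN is missing from allowed-address.

```python
import ipaddress
import re
# Constructed sample in this thread's export style: Router B, main tunnel to Router A plus backup WG-B to Router C.
ROUTER_B = """
/ip address
add address=10.0.1.2/24 interface=WireGuard
add address=10.2.1.1/24 interface=WG-B
/interface wireguard peers
add allowed-address=10.0.1.0/24,192.168.4.0/24,192.168.233.0/24 comment="To Router A" \\
interface=WireGuard
add allowed-address=10.2.1.2/32,192.168.233.0/24 comment="Backup to Router C" interface=WG-B
/ip route
add dst-address=192.168.4.0/24 gateway=WireGuard routing-table=main
add dst-address=192.168.233.0/24 gateway=WireGuard routing-table=main
add distance=2 dst-address=192.168.233.0/24 gateway=WG-B routing-table=main
"""
# Constructed "before" state with the thread's symptom: LAN route present, allowed-address holds only the tunnel IP.
ROUTER_A_BROKEN = """
/ip address
add address=10.0.1.1/24 interface="WireGuard - Cloud"
/interface wireguard peers
add allowed-address=10.0.1.2/32 comment="To Router B" interface="WireGuard - Cloud"
/ip route
add dst-address=192.168.222.0/24 gateway="WireGuard - Cloud" routing-table=main
"""
def parse_export(text):
    # {section: [{key: value}, ...]}; backslash line continuations are joined first
    sections, current = {}, []
    for line in map(str.strip, re.sub(r"\\\n", " ", text).splitlines()):
        if line.startswith("/"):
            current = sections.setdefault(line, [])
        elif line.startswith("add "):
            current.append({k: v.strip('"') for k, v in re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)})
    return sections

def audit(text):
    s, net = parse_export(text), lambda c: ipaddress.ip_network(c, strict=False)
    connected, allowed, routes = {}, {}, {}
    for a in s.get("/ip address", []):
        connected.setdefault(a["interface"], []).append(net(a["address"]))
    for p in s.get("/interface wireguard peers", []):
        for cidr in p["allowed-address"].split(","):
            allowed.setdefault(p["interface"], []).append((p.get("comment", "?"), net(cidr)))
    for r in s.get("/ip route", []):
        routes.setdefault(r["gateway"], []).append(net(r["dst-address"]))
    f = {"allowed_without_route": [], "route_without_allowed": []}
    for ifc, entries in allowed.items():
        # Kernel side: a prefix reaches this tunnel only if it is connected or statically routed there.
        reach = connected.get(ifc, []) + routes.get(ifc, [])
        f["allowed_without_route"] += [(ifc, peer, str(n)) for peer, n in entries
                                       if not any(n.subnet_of(x) for x in reach)]
        # WireGuard side: a prefix routed into the tunnel that no peer may carry is dropped (cryptokey routing).
        f["route_without_allowed"] += [(ifc, str(d)) for d in routes.get(ifc, [])
                                       if not any(d.subnet_of(n) for _, n in entries)]
    return f
```

Checks are per interface, so the same subnet appearing on both the main tunnel and the backup tunnel (as with the distance=2 route on Router B) is not reported.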
 
llamajaja
Member Candidate
Posts: 198
Joined: Sat Sep 30, 2023 3:11 pm

Re: WireGuard - no lan connection

Wed Apr 17, 2024 8:58 pm

Router C......... Same issues as Router A, need to be fixed.......

1. Changes for backup wireguard
/interface wireguard
add listen-port=52810 mtu=1420 name=WireGuard
add listen-port=52910 mtu=1420 name=WG-C


/interface list
add name=WAN
add name=LAN
add name=WG-LAN

/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=WireGuard list=LAN
add interface=WG-C list=LAN
add interface=WireGuard list=WG-LAN
add interface=WG-C list=WG-LAN



/ip address
add address=195.234.234.88/22 disabled=yes interface=*1 network=195.234.234.0
add address=10.0.1.3/24 interface=WireGuard network=10.0.1.0
add address=10.2.1.2/24 interface=WG-C network=10.2.1.0
add address=192.168.233.10/24 interface=ether2 network=192.168.233.0

2. Allowed IPs.
/interface wireguard peers
add allowed-address=10.0.1.0/24,192.168.4.0/24,192.168.222.0/24 comment="To Router A" \
endpoint-address=XXX.myfritz.net endpoint-port=52810 interface=WireGuard \
persistent-keepalive=25s public-key="iD------------------QY="
add allowed-address=10.2.1.0/24,192.168.222.0/24 comment="Backup wireguard to Router B" \
endpoint-address=PUBLIC-IP-Router-B endpoint-port=52910 interface=WG-C \
persistent-keepalive=45s public-key="HK-----------------------A8="


3. Firewall list
/ip firewall address-list { use static dhcp leases where applicable }
add address=192.168.4.X list=Authorized comment="admin remote router A"
add address=192.168.4.Y list=Authorized comment="admin remote laptop router A"
add address=192.168.222.A list=Authorized comment="admin remote desktop router B"
add address=192.168.233.B list=Authorized comment="admin local desktop router C"
add address=10.0.1.5/32 list=Authorized comment="admin laptop remote"
add address=10.0.1.6/32 list=Authorized comment="admin smartphone/ipad remote"
{ added list items for backup access to Routers B, C by remote admin }
add address=10.2.1.5/32 list=Authorized comment="admin laptop remote for backup wireguard"
add address=10.2.1.6/32 list=Authorized comment="admin smartphone/ipad remote for backup wireguard"


4. FW rules:
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
dst-address=127.0.0.1
add action=accept chain=input comment="Admin Access" src-address-list=Authorized
add action=accept chain=input comment="users to services" dst-port=53 protocol=udp in-interface-list=LAN
add action=accept chain=input comment="users to services" dst-port=53 protocol=tcp in-interface-list=LAN
add action=drop chain=input comment="Drop all else" { put this rule in last so you dont lock yourself out }
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid disabled=yes
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward out-interface-list=WG-LAN src-address=192.168.233.0/24 \
comment="allow local RC users to access to both wg tunnels"
add action=accept chain=forward in-interface=WireGuard dst-address=192.168.233.0/24 \
src-address=192.168.4.0/24 comment="allow RA users access to local LAN"
add action=accept chain=forward in-interface-list=WG-LAN dst-address=192.168.233.0/24 \
src-address=192.168.222.0/24 comment="allow RB users access to local LAN via both tunnels"
add action=accept chain=forward comment="port forwarding" connection-nat-state=dst-nat disabled=yes { enable if required, or remove }
add action=drop chain=forward comment="Drop All else"


5. ROUTES
/ip route
add dst-address=0.0.0.0/0 gateway=ether1-gateway-IP routing-table=main
add dst-address=192.168.4.0/24 gateway=WireGuard \
routing-table=main
add dst-address=192.168.222.0/24 gateway=WireGuard \
routing-table=main
add distance=2 dst-address=192.168.222.0/24 gateway=WG-C \
routing-table=main
 
NightWolf
just joined
Topic Author
Posts: 3
Joined: Sat Apr 06, 2024 10:30 pm

Re: WireGuard - no lan connection

Mon Apr 29, 2024 12:07 am

Hello llamajaja,

Thank you for your extensive help.
Sorry, my late reply was a bit poorly timed.

Your suggestion was very helpful. After two small changes, the WireGuard connection also worked.

When the time is better again I will present the working config.

Kind regards
Michael
