piotrchm93
newbie
Topic Author
Posts: 27
Joined: Mon Feb 13, 2023 8:53 pm

Wireguard - Cant Ping from inside a network

Mon Nov 11, 2024 4:21 pm

Hello,
I probably have a stupid problem, but I don't know how to deal with it.

I have set up a Wireguard Site to Site connection between two locations. [ROS 7.16.1]

One has a public IP address, the other one uses LTE from Huawei.

10.0.0.1 - Wireguard Address (for Public IP site)
192.168.77.1 Gate for Mikrotik in the middle of the network
192.168.77.x/24 computer inside this network.

10.0.0.3 Wireguard address for LTE
192.168.50.3 - mikrotik inside this network (exposes Wireguard interface)
192.168.50.1 Huawei as a gateway for the network (+ LTE).

And so the tunnel is set up correctly. At the moment, there are no restrictions on network access, i.e. "allowed addresses" is set as 0.0.0.0/0 on both sides.

And yes,
Routers can ping both wireguard interfaces and devices within the network.
Computers on both sides can ping the interfaces of wireguard 10.0.0.X. However, computers inside these networks CANNOT ping devices inside the network and gateways, i.e. a 77.x computer cannot ping 50.1, 50.3, 50.x and vice versa.

50.3 has no firewall rules.

I tried with masquerade and srcnat but something doesn't work. Please give me tips :)


50.3 Config
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=XYZ.sn.mynetname.net \
    endpoint-port=13231 interface=wireguard1 name=peer-wawa \
    persistent-keepalive=30s public-key=\
    "KEY"
    
/ip address
add address=192.168.50.3/24 interface=bridge network=192.168.50.0
add address=10.0.0.3/24 interface=wireguard1 network=10.0.0.0

/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.77.0/24 out-interface=\
    wireguard1 src-address=192.168.50.0/24
add action=masquerade chain=srcnat out-interface=bridge

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.50.1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10

add disabled=no distance=1 dst-address=192.168.77.0/24 gateway=wireguard1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10

77.1 Config


/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard

/interface wireguard peers

add allowed-address=0.0.0.0/0 endpoint-address=ZZZ.sn.mynetname.net \
    interface=wireguard name=peer-slu persistent-keepalive=30s public-key=\
    "KEY"

/ip firewall nat

add action=accept chain=srcnat comment=WG dst-address=\
    10.0.0.0/24 src-address=192.168.77.0/24
add action=masquerade chain=srcnat dst-address=192.168.50.0/24 out-interface=\
    wireguard src-address=192.168.77.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN


 
anav
Forum Guru
Posts: 21897
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard - Cant Ping from inside a network

Mon Nov 11, 2024 5:54 pm

This could be a problem --> And so the tunnel is set up correctly. At the moment, there are no restrictions on network access, i.e. "allowed addresses" is set as 0.0.0.0/0 on both sides.

Will look at both configs
So as to understand one MT gets a public IP directly
The other MT is connected behind the h router and gets a WANIP on the private LAN of the h router.

However unable to comment on snippets since the configs are not isolated in function
please post both configs
/export file=anynameyouwish (minus router serial number, public WANIP information, keys etc. )

By the way, why do your allowed IP setting seem almost identical........... do you understand wireguard or just copied from somewhere...........
 
piotrchm93
newbie
Topic Author
Posts: 27
Joined: Mon Feb 13, 2023 8:53 pm

Re: Wireguard - Cant Ping from inside a network

Mon Nov 11, 2024 7:27 pm

anav,
Thank you very much for your reply and your time :)
By the way, why do your allowed IP setting seem almost identical........... do you understand wireguard or just copied from somewhere...........
This is my first WG configuration in my home lab, so I used a guide on YT. If I set restrictions, e.g. on the 77.1 side

allowed addresses:
10.0.0.0/24
192.168.77.0/24

the ping wasn't even coming from the routers.
Only setting 0.0.0.0/0 resulted in any response.

Will look at both configs
So as to understand one MT gets a public IP directly
The other MT is connected behind the h router and gets a WANIP on the private LAN of the h router.
In the first case, yes (77.1)

eth1 = Public IP
bridge + vlan 77 = 192.168.77.1 as gate and main network

In the second case

H_LTE is the main router with the address 192.168.50.1

However, mikrotik on the bridge has the address set to 192.168.50.3. It does not receive addressing on the WAN port. It is simply part of the network behind H_LTE.

Regards,
Peter

77.1
# 2024-11-11 18:00:20 by RouterOS 7.16.1

# model = RB4011iGS+5HacQ2HnD

/caps-man channel
add band=5ghz-onlyac control-channel-width=20mhz name=ch_5180 \
    skip-dfs-channels=no
add band=2ghz-g/n control-channel-width=20mhz name=ch_2422
/interface bridge
add admin-mac=XX:XX:31:1F:XX:XX auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short vlan-filtering=yes
/interface wireless
# managed by CAPsMAN
# channel: 5785/20-eeCe/ac(27dBm)+5210/80(14dBm), SSID: MT_SSID, CAPsMAN forwarding
set [ find default-name=wlan2 ] band=5ghz-onlyac channel-width=\
    20/40/80mhz-XXXX country=no_country_set distance=indoors frequency-mode=\
    superchannel installation=indoor mode=ap-bridge name=wlan1_5ghz \
    skip-dfs-channels=all ssid=ssidname1 wireless-protocol=802.11
# managed by CAPsMAN
# channel: 2442/20-eC/gn(27dBm), SSID: MT_SSID_2, CAPsMAN forwarding
set [ find default-name=wlan1 ] distance=indoors frequency=auto installation=\
    indoor mode=ap-bridge name=wlan2_2ghz ssid=ssidname2 \
    wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN
set [ find default-name=ether3 ] name=ether3_CAM_74
set [ find default-name=ether4 ] name=ether4_usffx_76
set [ find default-name=ether5 ] name=ether5_PVEnas_TAG
set [ find default-name=ether7 ] loop-protect=off
set [ find default-name=ether8 ] name=ether8_USG_TAG
set [ find default-name=ether9 ] name=ether9_TAG_77.2
set [ find default-name=ether10 ] name=ether10_POE_AP

/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard

/interface vlan
add arp=proxy-arp interface=bridge name=vlan_74_CAM vlan-id=74
add arp=proxy-arp interface=bridge name=vlan_75_IOT vlan-id=75
add arp=proxy-arp interface=bridge loop-protect=off name=vlan_76_PVE vlan-id=\
    76
add arp=proxy-arp interface=bridge name=vlan_77_LAN vlan-id=77
add arp=proxy-arp interface=bridge name=vlan_78_goscie vlan-id=78
add interface=bridge name=vlan_79_LAB vlan-id=79
add interface=bridge name=vlan_80_unifi0 vlan-id=80
add interface=bridge name=vlan_81_unifi1 vlan-id=81
add interface=bridge name=vlan_82_unifi2 vlan-id=82

/caps-man datapath
add bridge=bridge client-to-client-forwarding=yes name=dp_vlan_77_LAN \
    vlan-id=77 vlan-mode=use-tag
add bridge=bridge client-to-client-forwarding=yes name=dp_vlan_78_GUEST \
    vlan-id=78 vlan-mode=use-tag
add bridge=bridge client-to-client-forwarding=yes name=dp_vlan_74_CAM \
    vlan-id=74 vlan-mode=use-tag
	
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=security_77_LAN
add authentication-types=wpa2-psk encryption=aes-ccm name=security_78_GOSCIE
add authentication-types=wpa2-psk encryption=aes-ccm name=security_74_cam

/caps-man configuration
add channel=ch_5180 datapath=dp_vlan_77_LAN mode=ap name=cfg_vlan77_LAN_5GHZ \
    security=security_77_LAN ssid=MT_1
add channel=ch_5180 datapath=dp_vlan_78_GUEST mode=ap name=\
    cfg_vlan78_GUEST_5GHZ security=security_78_GOSCIE ssid=MT_2
add channel=ch_2422 datapath=dp_vlan_77_LAN mode=ap name=cfg_vlan77_LAN_2GHZ \
    security=security_77_LAN ssid=MT_3
add channel=ch_2422 datapath=dp_vlan_78_GUEST mode=ap name=\
    cfg_vlan78_GUEST_2GHZ security=security_78_GOSCIE ssid=MT_4
add channel=ch_2422 country=poland datapath=dp_vlan_74_CAM hide-ssid=yes \
    mode=ap name=cfg_vlan74_CAM_2GHZ security=security_74_cam ssid=MT_5
	
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec policy group
add name=group-hq-branch
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
add dh-group=modp2048 dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=\
    aes-256 hash-algorithm=sha256 name=profile-b-c
/ip ipsec peer
add address=C.sn.mynetname.net exchange-mode=ike2 name=\
    peer-C port=500 profile=profile-b-c
add disabled=yes exchange-mode=ike2 name=peer-b-sl passive=yes profile=\
    profile-C
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=proposal-C \
    pfs-group=modp2048
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=pool_77_LAN ranges=192.168.77.50-192.168.77.100
add name=pool_76_PVE ranges=192.168.76.50-192.168.76.100
add name=pool_75_IOT ranges=192.168.75.50-192.168.75.100
add name=pool_78_GGOSCIE ranges=192.168.78.50-192.168.78.100
add name=pool_74_CAM ranges=192.168.74.50-192.168.74.100

/ip dhcp-server
add address-pool=default-dhcp disabled=yes interface=bridge lease-time=10m \
    name=defconf
add address-pool=pool_77_LAN interface=vlan_77_LAN lease-time=1h name=\
    dhcp_77_LAN
add address-pool=pool_75_IOT interface=vlan_75_IOT lease-time=1h name=\
    dhcp_75_LAN
add address-pool=pool_76_PVE interface=vlan_76_PVE lease-time=1h name=\
    dhcp_76_PVE
add address-pool=pool_78_GGOSCIE interface=vlan_78_goscie lease-time=1h name=\
    dhcp_78_LAN
add address-pool=pool_74_CAM interface=vlan_74_CAM lease-time=1h name=\
    dhcp_74_CAM
	
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
add bridge=bridge bridge-learning=yes local-address=192.168.77.1 name=\
    profile-ovpn remote-address=pool_77_LAN use-encryption=required use-ipv6=\
    no
add local-address=192.168.77.1 name=profile-l2tp-forLTE remote-address=\
    pool_77_LAN
add bridge-learning=yes local-address=192.168.222.1 name=profile-l2tp \
    use-compression=yes use-encryption=required use-ipv6=no use-upnp=no
/snmp community
add addresses=192.168.7.13/32 name=community
/system logging action
set 0 memory-lines=1500
add name=remotebranch remote=192.168.76.61 target=remote
add name=remoteAlienVaultOSSIM remote=192.168.76.20 target=remote
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" \
    disabled=yes disabled=yes name=zt1 port=9993
/zerotier interface
add allow-default=no allow-global=no allow-managed=yes disabled=no instance=\
    zt1 name=zerotier1 network=ZTNUMBER
	
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled comment=rb4011_5ghz master-configuration=\
    cfg_vlan77_LAN_5GHZ name-format=prefix-identity radio-mac=\
    YY:YY:YY:1F:A1:YY slave-configurations=cfg_vlan78_GUEST_5GHZ
add action=create-dynamic-enabled comment=rb4011_2ghz master-configuration=\
    cfg_vlan77_LAN_2GHZ name-format=prefix-identity radio-mac=\
    YY:YY:YY:C4:YY:YY slave-configurations=\
    cfg_vlan78_GUEST_2GHZ,cfg_vlan74_CAM_2GHZ
	
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether3_CAM_74 internal-path-cost=\
    10 path-cost=10 pvid=74
add bridge=bridge comment=defconf interface=ether4_usffx_76 \
    internal-path-cost=10 path-cost=10 pvid=76
add bridge=bridge comment=defconf interface=ether5_PVEnas_TAG \
    internal-path-cost=10 path-cost=10 pvid=76
add bridge=bridge comment=defconf interface=ether6 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether7 internal-path-cost=10 \
    path-cost=10 pvid=74
add bridge=bridge comment=defconf interface=ether8_USG_TAG \
    internal-path-cost=10 path-cost=10 pvid=80
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    interface=ether9_TAG_77.2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether10_POE_AP \
    internal-path-cost=10 path-cost=10 pvid=80
add bridge=bridge comment=defconf interface=sfp-sfpplus1 internal-path-cost=\
    10 path-cost=10
add bridge=bridge comment=defconf interface=wlan1_5ghz internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=wlan2_2ghz internal-path-cost=10 \
    path-cost=10
/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=\
    bridge,ether9_TAG_77.2,ether5_PVEnas_TAG,ether4_usffx_76 vlan-ids=77
add bridge=bridge tagged=bridge,ether9_TAG_77.2,ether5_PVEnas_TAG vlan-ids=78
add bridge=bridge tagged=bridge,ether9_TAG_77.2,ether10_POE_AP,ether6 \
    vlan-ids=76
add bridge=bridge tagged=bridge,ether9_TAG_77.2,ether5_PVEnas_TAG vlan-ids=75
add bridge=bridge tagged=\
    bridge,ether9_TAG_77.2,ether5_PVEnas_TAG,ether4_usffx_76 vlan-ids=74
add bridge=bridge tagged=bridge,ether9_TAG_77.2,ether5_PVEnas_TAG vlan-ids=79
add bridge=bridge tagged=\
    bridge,ether9_TAG_77.2,ether5_PVEnas_TAG,ether4_usffx_76,ether6 vlan-ids=\
    80
add bridge=bridge tagged="bridge,ether9_TAG_77.2,ether5_PVEnas_TAG,ether8_USG_\
    TAG,ether10_POE_AP,ether4_usffx_76" vlan-ids=81
add bridge=bridge tagged="bridge,ether9_TAG_77.2,ether5_PVEnas_TAG,ether8_USG_\
    TAG,ether10_POE_AP,ether4_usffx_76" vlan-ids=82
add bridge=bridge tagged="bridge,ether9_TAG_77.2,ether5_PVEnas_TAG,ether8_USG_\
    TAG,ether10_POE_AP,ether4_usffx_76" vlan-ids=200
add bridge=bridge tagged="bridge,ether9_TAG_77.2,ether5_PVEnas_TAG,ether8_USG_\
    TAG,ether10_POE_AP,ether4_usffx_76" vlan-ids=201
add bridge=bridge tagged="bridge,ether9_TAG_77.2,ether5_PVEnas_TAG,ether8_USG_\
    TAG,ether10_POE_AP,ether4_usffx_76" vlan-ids=202
/interface l2tp-server server
set default-profile=profile-l2tp enabled=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1_WAN list=WAN
add comment=defconf interface=vlan_77_LAN list=LAN
add interface=wireguard list=LAN

/interface ovpn-server server
set auth=sha512 certificate=SERV-CERT-BRANCH cipher=aes256-gcm \
    default-profile=profile-ovpn enabled=yes require-client-certificate=yes
	
	
/interface wireguard peers
add allowed-address=10.0.0.2/32 disabled=yes endpoint-address=\
    A.sn.mynetname.net endpoint-port=13231 interface=wireguard \
    is-responder=yes name=peer-c public-key=\
    "KEY="

add allowed-address=10.0.0.0/24,192.168.77.0/24 endpoint-address=\
    B.sn.mynetname.net interface=wireguard name=peer-sl \
    persistent-keepalive=30s public-key=\
    "KEY="
/interface wireless cap
# 
set caps-man-addresses=127.0.0.1 discovery-interfaces=bridge enabled=yes \
    interfaces=wlan1_5ghz,wlan2_2ghz
/ip address
add address=192.168.88.1/24 comment=defconf disabled=yes interface=bridge \
    network=192.168.88.0
add address=192.168.77.1/24 interface=vlan_77_LAN network=192.168.77.0
add address=192.168.78.1/24 interface=vlan_78_goscie network=192.168.78.0
add address=192.168.75.1/24 interface=vlan_75_IOT network=192.168.75.0
add address=192.168.76.1/24 interface=vlan_76_PVE network=192.168.76.0
add address=192.168.74.1/24 interface=vlan_74_CAM network=192.168.74.0
add address=10.0.0.1/24 interface=wireguard network=10.0.0.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-client
add comment=defconf interface=ether1_WAN
/ip dhcp-server config
set store-leases-disk=1h


/ip dhcp-server network
add address=192.168.74.0/24 dns-server=192.168.74.1,1.1.1.1,8.8.8.8 gateway=\
    192.168.74.1
add address=192.168.75.0/24 dns-server=192.168.75.1,1.1.1.1,8.8.8.8 gateway=\
    192.168.75.1
add address=192.168.76.0/24 dns-server=192.168.76.1,1.1.1.1,8.8.8.8 gateway=\
    192.168.76.1
add address=192.168.77.0/24 dns-server=192.168.77.1,1.1.1.1,8.8.8.8 gateway=\
    192.168.77.1
add address=192.168.78.0/24 dns-server=192.168.78.1,1.1.1.1,8.8.8.8 gateway=\
    192.168.78.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8


/ip firewall address-list
add address=d7160ca3a5e7.sn.mynetname.net list=my-cloud
add address=192.168.7.0/24 list=my_c_ips
add address=192.168.6.0/24 list=my_c_ips
add address=192.168.50.0/24 list=my_c_ips
add address=192.168.11.0/24 list=my_c_ips
add address=192.168.9.0/24 list=my_c_ips
add address=192.168.77.0/24 list=my_b_ips
add address=192.168.76.0/24 list=my_b_ips
add address=192.168.75.0/24 list=my_b_ips
add address=192.168.74.0/24 list=my_b_ips
add address=192.168.10.0/24 list=my_c_ips
add address=V.sn.mynetname.net list=my-cloud
add address=192.168.222.0/24 list=my_c_ips
add address=N.sn.mynetname.net comment=AX3-c list=my-cloud
add address=M.sn.mynetname.net comment=RB750_sl list=my-cloud
/ip firewall filter
add action=accept chain=forward dst-address=192.168.77.0/24 src-address=\
    192.168.7.0/24
add action=accept chain=input dst-address=192.168.77.0/24 src-address=\
    192.168.7.0/24
add action=accept chain=input comment=WIREGUARD_ALLOW dst-port=13231 \
    protocol=udp
add action=accept chain=forward comment=WIREGUARD_ALLOW disabled=yes \
    dst-address=192.168.76.0/24 in-interface=wireguard
add action=accept chain=input comment=WIREGUARD_ALLOW dst-address=\
    192.168.77.0/24 src-address=10.0.0.0/24
add action=drop chain=forward comment=WIREGUARD_BLOCK_INTERNAL_IP disabled=\
    yes dst-address=192.168.76.0/24 src-address=10.0.0.0/24
add action=accept chain=input dst-address=192.168.77.0/24 src-address=\
    192.168.50.0/24
add action=accept chain=forward dst-address=192.168.77.0/24 src-address=\
    192.168.50.0/24
add action=accept chain=input comment=WAN_PING_ALLOW in-interface-list=WAN \
    protocol=icmp
add action=accept chain=input comment="OVPN - ALLOW PORTS" dst-port=1194 \
    in-interface-list=WAN protocol=tcp
add action=drop chain=forward disabled=yes dst-address=SOMEIP \
    in-interface=bridge src-address=192.168.80.100
add action=drop chain=forward dst-address=192.168.90.1 in-interface=\
    vlan_80_unifi0 src-address=192.168.80.100
add action=accept chain=input comment=LIST_IPSEC_b-c dst-address-list=\
    my_c_ips src-address-list=my_b_ips
add action=accept chain=forward comment=LIST_IPSEC_b-c dst-address-list=\
    my_c_ips src-address-list=my_b_ips
add action=accept chain=input comment=LIST_IPSEC_c-b dst-address-list=\
    my_b_ips src-address-list=my_c_ips
add action=accept chain=forward comment=LIST_IPSEC_c-b dst-address-list=\
    my_b_ips src-address-list=my_c_ips
add action=accept chain=input comment="IPSEC - ALLOW PORTS" dst-port=\
    1701,500,4500 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface-list=WAN src-address-list=my-cloud
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="OVPN - ALLOW to 77" dst-address=\
    192.168.77.0/24 src-address=192.168.77.0/24
add action=accept chain=forward comment="OVPN - ALLOW to 77" disabled=yes \
    dst-address=192.168.76.0/24 src-address=192.168.77.0/24
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=accept chain=srcnat comment=LIST_IPSEC_b-c dst-address-list=\
    my_c_ips src-address-list=my_b_ips
add action=accept chain=srcnat comment=LIST_IPSEC_b-c dst-address=\
    10.0.0.0/24 src-address=192.168.77.0/24
add action=accept chain=srcnat comment=LIST_IPSEC_b-c disabled=yes \
    dst-address=10.0.0.0/24 src-address=192.168.76.0/24
add action=masquerade chain=srcnat dst-address=192.168.50.0/24 out-interface=\
    wireguard src-address=192.168.77.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip ipsec identity
add peer=peer-b-c policy-template-group=group-hq-branch
add peer=peer-b-sl policy-template-group=group-hq-branch
/ip ipsec policy
add dst-address=192.168.7.0/24 level=unique peer=peer-b-c proposal=\
    proposal-b-c src-address=192.168.77.0/24 tunnel=yes
add dst-address=192.168.50.0/24 level=unique peer=peer-b-sl proposal=\
    proposal-b-c src-address=192.168.77.0/24 tunnel=yes
add dst-address=192.168.7.0/24 level=unique peer=peer-b-c proposal=\
    proposal-b-c src-address=192.168.90.0/24 tunnel=yes
add dst-address=192.168.7.0/24 level=unique peer=peer-b-c proposal=\
    proposal-b-c src-address=192.168.74.0/24 tunnel=yes
add dst-address=192.168.10.0/24 level=unique peer=peer-b-c proposal=\
    proposal-b-c src-address=192.168.77.0/24 tunnel=yes
add dst-address=192.168.11.0/24 level=unique peer=peer-b-c proposal=\
    proposal-b-c src-address=192.168.77.0/24 tunnel=yes
add dst-address=192.168.7.0/24 level=unique peer=peer-b-c proposal=\
    proposal-b-c src-address=192.168.75.0/24 tunnel=yes
add dst-address=192.168.7.0/24 level=unique peer=peer-b-c proposal=\
    proposal-b-c src-address=192.168.76.0/24 tunnel=yes
add dst-address=192.168.6.0/24 level=unique peer=peer-b-c proposal=\
    proposal-b-c src-address=192.168.77.0/24 tunnel=yes
/ip route
add disabled=no dst-address=192.168.55.0/24 gateway=192.168.222.11 \
    routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address=192.168.50.0/24 gateway=wireguard \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=192.168.50.0/24 gateway=10.0.0.3 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ip traffic-flow target
add dst-address=192.168.76.20
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ppp secret
add name=ovpn-pch-branch profile=profile-ovpn service=ovpn
add name=l2tp-slp profile=profile-l2tp remote-address=192.168.222.11 \
    service=l2tp
add name=ovpn-ppp-branch profile=profile-ovpn service=ovpn
add name=ovpn-sl-b-branch profile=profile-ovpn service=ovpn
/snmp
set enabled=yes trap-community=pch-community trap-version=2
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=MT_4011
/system leds
add interface=wlan2_2ghz leds="wlan1_5ghz_signal1-led,wlan1_5ghz_signal2-led,w\
    lan1_5ghz_signal3-led,wlan1_5ghz_signal4-led,wlan1_5ghz_signal5-led" \
    type=wireless-signal-strength
add interface=wlan2_2ghz leds=wlan1_5ghz_tx-led type=interface-transmit
add interface=wlan2_2ghz leds=wlan1_5ghz_rx-led type=interface-receive
/system logging
add action=remotebranch topics=info
add action=remotebranch topics=critical
add action=remotebranch topics=critical,error,info
add action=remoteAlienVaultOSSIM topics=critical,error,info
add topics=ovpn
add prefix=WG_ topics=wireguard
/system note
set show-at-login=no




/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-interface=ether1_WAN


50.1
# 2024-11-11 17:52:33 by RouterOS 7.16.1

# model = RB750

/interface bridge
add name=bridge
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add exclude=dynamic name=discover
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc
/ppp profile
add bridge-learning=yes name=profile-l2tp-to-A only-one=no use-compression=\
    yes use-encryption=required use-upnp=no
/interface l2tp-client
add allow=mschap2 connect-to=A.sn.mynetname.net disabled=no name=\
    l2tp-to-A profile=default use-ipsec=yes user=l2tpsl
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=discover
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add interface=ether1 list=discover
add interface=ether2 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=d43b0d121167.sn.mynetname.net \
    endpoint-port=13231 interface=wireguard1 name=peer-wawa \
    persistent-keepalive=30s public-key=\
    "KEY="
/ip address
add address=192.168.50.3/24 interface=bridge network=192.168.50.0
add address=192.168.40.3/24 disabled=yes interface=bridge network=\
    192.168.40.0
add address=10.0.0.3/24 interface=wireguard1 network=10.0.0.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-client
# Interface not active
add interface=ether1
/ip dns
set allow-remote-requests=yes servers=192.168.50.1,192.168.40.1,1.1.1.1
/ip firewall address-list
add address=A.sn.mynetname.net list=my-cloud
add address=B.sn.mynetname.net list=my-cloud
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.77.0/24 out-interface=\
    wireguard1 src-address=192.168.50.0/24
add action=masquerade chain=srcnat out-interface=bridge
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.50.1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.76.0/24 gateway=10.0.0.1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no dst-address=192.168.7.0/24 gateway=192.168.11.1 \
    routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address=192.168.77.0/24 gateway=wireguard1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set api disabled=yes
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=MT_RB750
/system note
set show-at-login=no

 
anav
Forum Guru
Posts: 21897
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard - Cant Ping from inside a network

Mon Nov 11, 2024 9:11 pm

Since you use Capsman, will not be able to comment on vlans etc............
Will focus on wireguard and anything else glaring.
Right off the top, I don't care a whit about pinging; what I care about is that the required traffic flow is working. Until ping = person or device, it's meaningless at the end......

1. Unless you are very experienced and need to set advanced settings of ip bridge firewall to ON, best to NOT and leave/turn it OFF, and rely on the available IP filter firewall rules!!! Change yes to NO in both spots.
/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes use-ip-firewall-for-vlan=yes


2. In general once you go vlans, it's best not to mix apples and oranges as the one subnet complicates the bridge setup big time if it's still doing dhcp.
Recommend simply move that subnet to another vlan and then whatever bridge ports it was feeding become pvid to that port and untagged on /interface bridge vlan settings.

3. Missing VLANs on the interface members list....
If all VLANs are members of LAN, aka need internet access, they should all be part of the LAN list!
If you replace the bridge with a VLAN, likewise add this VLAN, and the bridge can be removed from the LAN interface list.

4. This router is the peer SERVER for the wireguard handshake (has the public IP), and thus ALLOWED IPs needs to be adjusted.
- There is no need to put any external address, and each client peer needs to be identified by its wireguard IP address (sometimes exceptions, but not usually)
- Allowed IPs is used to IDENTIFY USERS OR USER SUBNETS at the REMOTE site
a. that are coming into the local router
b. that local users will be visiting and thus have as dst-address.
c. the exception is 0.0.0.0/0, which means one requires all incoming to be accepted, or that local users are going out to the internet at the remote site (plus maybe see remote subnets)
d. Remote subnets noted here are usually reflected in additional manual routes, required so that this router knows where to send traffic (originating locally, or replying to traffic)

/interface wireguard peers
add allowed-address=10.0.0.3/32,192.168.50.0/24 interface=wireguard public-key="=====" comment="REMOTE client Router"


add allowed-address=10.0.0.2/32 interface=wireguard public-key="++++++" comment="admin remote laptop/smartphone"

5. The input chain is for traffic to the router, and the forward chain is for traffic from LAN to LAN and LAN to WAN, and also includes WAN to LAN (normally a single port forwarding allow rule).
SO THESE are nonsensical and must be removed.
add action=accept chain=forward dst-address=192.168.77.0/24 src-address=192.168.7.0/24
add action=accept chain=input dst-address=192.168.77.0/24 src-address=192.168.7.0/24
and this as well
add action=accept chain=input dst-address=192.168.77.0/24 src-address=192.168.50.0/24

6. It's best to put the firewall rules in proper order and also in the same chain for easy reading and troubleshooting. I can spot an error in seconds vice minutes, for example.
Use the default rules as a guide to proper order and note they are already within the same chain.

7. Slight nuance to this firewall rule. Best to use the interface here, because then you have the option of limiting further by src-address or src-address-list. Right now you have limited access to 192.168.77.0/24 to ONLY remote users like yourself on a laptop and the folks on the other end; the subnets WILL NOT have access.
add action=accept chain=input comment=WIREGUARD_ALLOW dst-address=\
192.168.77.0/24 src-address=10.0.0.0/24


Better:
add action=accept chain=input comment=WIREGUARD_ALLOW dst-address=\
192.168.77.0/24 in-interface=wireguard
( if you need to limit access to this subnet further, use src-address-list for example )

By the way, the above rule also replaces/includes the below rule, which doesn't include the wireguard interface and should for clarity and better security... (so the below rule can also be removed).
add action=accept chain=forward dst-address=192.168.77.0/24 src-address=\
192.168.50.0/24


8. In the forward chain, add the below rule as the last rule in the order. In other words, all traffic without an admin-added allow rule above this is AUTOMATICALLY dropped. So all your extra drop rules can be removed!!! Clean and clear. So focus only on the traffic that should occur - much easier.
add action=drop chain=forward comment="Drop all else"

THEN get rid of the associated default RULE.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN


You will have to add an allow LAN-to-WAN rule though, and, if any port forwarding, an allow rule for that.
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
{ disable or remove if not required }

9. REMOVE this rule. It is not required.
add action=masquerade chain=srcnat dst-address=192.168.50.0/24 out-interface=\
wireguard src-address=192.168.77.0/24


10. UNSAFE type of rule, allowing a public IP address DIRECT access to the config of the router. If you want the admin while at the other router, or you as a remote user, to access the config of this router, then access the router via wireguard, then access the config!!!
add action=accept chain=input in-interface-list=WAN src-address-list=my-cloud

a. I note in the input chain rule you allow all LAN traffic to access the router, so anyone coming in via wireguard and anyone on your subnets should be able to as well.
b. AFTER we fix all the current observations, and the config is stable, I would then clean up access on the input chain further by source address list, to only those that should be able to access the admin, BUT before you do that, create two rules to allow all LAN users access to the DNS services for internet.

11. mac-server by itself is plain text:
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

TO
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=LAN


12. IP Routes: YOU HAVE TWO ROUTES and only one is required.
In general, if you had more than one to the same dst-address, how is the router supposed to know which one to take??
(besides, they are basically duplicates) good one in green

/ip route
add dst-address=192.168.50.0/24 gateway=wireguard routing-table=main
add dst-address=192.168.50.0/24 gateway=10.0.0.3 routing-table=main
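
Pulling anav's points 4, 5, 7, 8, 9 and 12 together, here is a consolidated rule set for the public-IP side router. This is an added example, not anav's or piotrchm93's posted configuration. It assumes the WireGuard interface is called wireguard, uses the LAN and WAN interface lists and the subnets from the thread, the listen port 13231 that the other side's peer config points at, and placeholder public keys; the route uses the interface as gateway, which is one of the two forms anav lists. The forward rules into 192.168.77.0/24 are kept because, as point 5 says, the input chain only covers traffic to the router itself, not traffic passing through it to LAN hosts.

```routeros
# Added example (not the thread's own config): public-IP side router.
# Names assumed: interface "wireguard", interface lists LAN/WAN, port 13231.

/interface wireguard peers
# Allowed IPs identifies the remote side: the peer's tunnel address plus the
# subnet behind it. No 0.0.0.0/0 here; the hub does not send everything into the tunnel.
add allowed-address=10.0.0.3/32,192.168.50.0/24 interface=wireguard \
    public-key="REMOTE-ROUTER-PUBLIC-KEY-PLACEHOLDER" comment="REMOTE client Router"
add allowed-address=10.0.0.2/32 interface=wireguard \
    public-key="ADMIN-DEVICE-PUBLIC-KEY-PLACEHOLDER" comment="admin remote laptop/smartphone"

/ip firewall filter
# ---- input chain: traffic TO the router itself, default order first ----
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp
# WireGuard handshake from the internet: the only WAN-facing service allowed
add chain=input action=accept protocol=udp dst-port=13231 in-interface-list=WAN \
    comment="WG handshake"
# LAN users reach router services (DNS etc.); narrow later with src-address-list (point 10b)
add chain=input action=accept in-interface-list=LAN
# Remote users arriving through the tunnel, matched on the interface (point 7)
add chain=input action=accept in-interface=wireguard comment=WIREGUARD_ALLOW
add chain=input action=drop comment="drop all else"

# ---- forward chain: traffic THROUGH the router ----
add chain=forward action=fasttrack-connection connection-state=established,related \
    hw-offload=yes
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN \
    comment="internet traffic"
# Keep only if you actually have dst-nat rules (point 8)
add chain=forward action=accept connection-nat-state=dstnat comment="port forwarding"
# Site-to-site: remote subnet and admin devices into 192.168.77.0/24, and back out
add chain=forward action=accept in-interface=wireguard dst-address=192.168.77.0/24 \
    comment="WG -> LAN"
add chain=forward action=accept src-address=192.168.77.0/24 dst-address=192.168.50.0/24 \
    out-interface=wireguard comment="LAN -> remote site"
# Everything not explicitly allowed above is dropped (point 8), which makes the
# defconf "drop all from WAN not DSTNATed" rule and ad-hoc drop rules unnecessary.
add chain=forward action=drop comment="Drop all else"

/ip route
# One route to the remote subnet (point 12); no masquerade into the tunnel is needed (point 9)
add dst-address=192.168.50.0/24 gateway=wireguard routing-table=main
```

After applying, check the counters with /ip firewall filter print stats while a 77.x host talks to a 50.x host: hits should land on the "WG -> LAN" and "LAN -> remote site" rules, and the final "Drop all else" counter tells you immediately which flow is still missing an allow rule.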
 
piotrchm93
newbie
Topic Author
Posts: 27
Joined: Mon Feb 13, 2023 8:53 pm

Re: Wireguard - Cant Ping from inside a network

Tue Nov 12, 2024 5:57 am

anav,
WOW! Thank you very much for such a comprehensive answer. I appreciate it very much :)

Today, unfortunately, I'm on a business trip and I won't be able to follow your instructions, but as soon as I get back, I'll sit down and read them calmly because it's a mine of new knowledge for me.
