MikroTik

verbylab

1) Incoming UDP connections for Wireguard Good callout, thanks! Essentially the port only needs to be open if we want other peers to establish the connection. The port can also stay closed and we can still proactively establish the tunnel from the router. 2) Order of firewall rules I understand whe...

verbylab

If your MT device is setup properly, why are you here? Try a debian forum! If you want help then provide the config and we can decide, based on EVIDENCE not opinion, that there is nothing amiss on your config. (3) Your Input chain rule is disorganized, keep chains together for easy viewing, underst...

verbylab

I am trying to solve the same problem. DNS is unfortunately not listed as a supported feature for VRF, see https://help.mikrotik.com/docs/pages/viewpage.action?pageId=328206#VirtualRoutingandForwarding(VRF)-Supportedfeatures. I haven't figured out yet how one can make it work with some firewall rule...

verbylab

(2) WHY OH WHY do you have this input chain rule on the RB2011........ add action=accept chain=input comment="allow WireGuard" dst-port=51820 protocol=udp Do you expect the server to contact and make a handshake with a client device ????? Because that's the way it's documented? See https:...

verbylab

1) Firewall filter rules creation in WebFig doesn't work anymore. A click on 'Add New' has no effect.
2) Routing rules are still incomplete when used in combination with VRF, i.e. multiple routing tables.

verbylab

Hi! My setup roughly looks like this: VLAN 1 (native LAN): includes a Pi-hole instance at 192.168.1.5 VLAN 20 VLAN 30 The goal is to be able to talk to the Pi-hole from any of the VLANs. I am using MikroTik's VRF implementation which has allowed me to keep the base setup very lean. /ip route export ...

verbylab

Same experience here. All of the router's IP addresses are pingable from all my VRFs/VLANs (using v7.1beta6).

verbylab

Thanks for sharing these data points!

I don't have a lot of experience with MTU settings, so will spend some time learning more about it beyond the basic definitions, particularly how it needs to be configured across interfaces in a network setup.

verbylab

Well yes and no, cause the MSS determines how large a packet is going to be when it reaches the data link layer. If adjusting the MSS fixes the problem related to MTU, I think the OP framed it accurately enough with the understanding of the problem that was available at the time. The MikroTik docume...

verbylab

At which points in chain did you end up adjusting the MTU? I currently have a mangle rule in place but that probably slows things down. The MTU on the wg interface alone (1420) wasn't enough.

verbylab

Would love to hear about your results if you end up running the tests.

Also looking forward to see the Wireguard support on RouterOS mature, but it's been performing very reliably on my little setup so far.

verbylab

Thanks for sharing your config and experience, mawebi. My wg connection was also spotty but adding the MSS mangle rule fixed it (thanks to your post). I am using a MikroTik hAP ac2 and am currently seeing 30% of the throughput that a Raspberry Pi with the same Wireguard configuration delivers. I wil...

verbylab

I actually like the VRF concept. In fact, I could/should have presented my question differently: When using a VRF, why is it necessary to create extra routing rules. Shouldn't the router just automatically pull the rules in the VRF routing table for all interfaces linked to it? To answer my own que...

verbylab

Appreciate it!

verbylab

Thanks! I actually lucked out and managed to get in. Not using the escape character before the dollar sign meant that the router tried to read a variable instead of using the text representation. What I used: thisismy$variable@password Router interpreted as: thisismy@password (because $variable is n...

verbylab

I set a password for one of my users with the following command: /user add name="..." password="u$O382@jklas134" # Not the same password, but the pattern with the dollar sign is the same After setting it, I'm no longer able to log in using that password. I think I should have esc...

verbylab

I found a solution to my problem in https://forum.mikrotik.com/viewtopic.php?t=150377. Was a really strange thing to debug, cause some sites worked and some others didn't. /ip firewall mangle add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn I have ...

verbylab

I almost got this to work now. I eventually created a VRF (which automatically created a routing table), then I created a default route in that routing table. No extra mangle rule our routing rule - nice and simple. Then the pings (ICMP) started to work. Traceroute shows that it's tunneled through t...

verbylab

Thanks to both of you for the additional context!

verbylab

As a follow-up, here are two pages from the new docs (not fully migrated yet) which explain why routes can be found in two places at the moment: https://help.mikrotik.com/docs/display/ROS/ROSv7+Basic+Routing+Examples v7 introduces a new menu /routing route, which shows all address family routes as w...

verbylab

I actually like the VRF concept. In fact, I could/should have presented my question differently: When using a VRF, why is it necessary to create extra routing rules. Shouldn't the router just automatically pull the rules in the VRF routing table for all interfaces linked to it?

verbylab

Thanks for sharing your config, Alexey! I am currently also setting this up and wondering why it's necessary to create the two routing rules. I was under the impression that creating the VRF will create a separate routing table and creating the default route in that table should be enough. But it se...

verbylab

Yes, it should be rather simple. I am currently trying to solve this using VRF, since it nicely separates the VLANs by default. Adding the VRF for my VLAN worked, but adding the default route for it fails to establish an internet connection for VLAN clients: add comment="Default route for VLAN&...

verbylab

Fair point and good that you asked - precise version declarations are always good.

verbylab

What version of RouterOS you have? v7 since I posted in this forum, but specifically v7.1beta6. What CLI you talk about? https://wiki.mikrotik.com/wiki/Manual:Console. I'm connecting plain via SSH. On WinBox / MAC Telnet / WinBox Termial Direct /routing/rule do not exist It does exist on my router:...

verbylab

[Edit] RouterOS v7.1beta6 [/Edit] Pretty sure that this has been around for older version as well, but... Routes an be found at /routing/route (read-only) and /ip/route via the CLI. Why not consolidate the two? Routing rules can be found at IP>Routes>Rules in WebFig, but only via /routing/rule via C...

verbylab

AFAIK Wireguard is a layer 3 VPN so there is no concept of VLANs - it will route packets between different subnets at each end and firewall rules can be used to restrict which subnets can communicate with each other. If you really need to extend the layer 2 domain then VxLAN, GRETAP or in the Mikro...

verbylab

Nice! For the corporate side, you could simply install Wireguard on any Linux instance and port-forward to it instead of having an extra MikroTik device (unless you want or need to of course). I have done this before and it's been very stable and reliable for my usage pattern (mind you, less than 5...

verbylab

I will soon be looking into a solution to enable remote staff to use physical telephony devices (VoIP phones) alongside their personal laptops running behind their home internet service plans. Allowing them to VPN into the corporate network using Wireguard, running on a MikroTik, is the goal. My th...

verbylab

You are missing allowed-addresses it looks like, and possibly other things are wrong. Have a look at this thread, it may be helpful: https://forum.mikrotik.com/viewtopic.php?f=23&p=865133 Thanks for this hint! I've worked with Wireguard before and when I first tried to set the Allowed Addresses...

verbylab

Should have raised the topic in the beta forum if using beta firmware. I could have, but the beta forum has a tagline of "Please report all issues with RouterOS v7beta" and until I read @mducharme's tip on the allowed-addresses glitch in the UI, nothing indicated that my problem is caused...

verbylab

Hello, First of all, I'd like to say thanks for all of the great resources in this forum. I have been reading loads and learning a lot, but I am now stuck on my little VLAN <-> Wireguard setup. Setup and goals: MikroTIk hAP ac2 that connects a switch to the internet and provides IP services and rout...

verbylab

Thanks for weighing in! Not a huge problem, since I am enjoying the CLI a lot so far (new MikroTik user here). Hoping that the MT team can use this feedback and weave a fix into one of the next releases. Debugging info: ROS Version: v7.1beta6 (development) Model: RBD52G-5HacD2HnD (hAP ac2) Repro: Cr...

verbylab

Hello, I am currently testing v7.1beta6 and WebFig only shows me a small subset of the rules that I can see through the CLI. First, there was only one or two routes missing, but after adding a VRF table to my config, there are only 2 routes left in WebFig, and the CLI shows me 7. Known problem or ha...

verbylab

add address=192.168.90.1 interface=alexa network=192.168.90.1 This is incorrect - by not specifying /24, it uses the default of /32 which is a subnet of one IP (i.e. netmask 255.255.255.255). So you have given the router an IP on this VLAN, with a subnet mask that is only large enough to accommodat...

Search found 35 matches

Re: Can't access device on management VLAN remotely via Wireguard

Re: DNS not resolving some domains

Re: Looking for help with vrf, ntp and dns configuration

Re: Can't access device on management VLAN remotely via Wireguard

Re: v7.1rc1 [development] is released!

Establishing an inter-VRF/VLAN route

Re: VRF traffic isolation

Re: MT Router as Wireguard Client & Benchmarks

Re: MT Router as Wireguard Client & Benchmarks

Re: MT Router as Wireguard Client & Benchmarks

Re: MT Router as Wireguard Client & Benchmarks

Re: MT Router as Wireguard Client & Benchmarks

Re: Wireguard and Mullvad VPN

Re: Dollar sign in password

Re: Dollar sign in password

Dollar sign in password

Re: Tunneling VLAN traffic over Wireguard

Re: Tunneling VLAN traffic over Wireguard

Re: WebFig does not display all routes

Re: IP/Routing menu organization

Re: Wireguard and Mullvad VPN

Re: Wireguard and Mullvad VPN

Re: Tunneling VLAN traffic over Wireguard

Re: IP/Routing menu organization

Re: IP/Routing menu organization

IP/Routing menu organization

Re: Tunneling VLAN traffic over Wireguard

Re: Tunneling VLAN traffic over Wireguard

Re: Tunneling VLAN traffic over Wireguard

Re: Tunneling VLAN traffic over Wireguard

Re: Tunneling VLAN traffic over Wireguard

Tunneling VLAN traffic over Wireguard

Re: WebFig does not display all routes

WebFig does not display all routes

Re: VLAN can't access internet, router, or local LAN