Hello, need some help in routing all traffic from one router through wireguard to WAN.
I have 2 routers, which are connected via wireguard. LocationA and LocationB.
Here is a small graph of what I have, and the blue arrow shows what I want to achieve:
Here are also the exports for both locations:
I want all clients connected to router in LocationA, to have their traffic routed through wireguard to LocationB and to Internet.
I`m able to ping the local networks between the 2 routers, and I have tried creating routes and mangle-marking, however it was without any success.
Any help is more than welcome!
-
-
papabear23
just joined
- Posts: 7
- Joined:
Route Traffic through WireGuard to Internet
You do not have the required permissions to view the files attached to this post.
Re: Route Traffic through WireGuard to Internet [SOLVED]
There are many things wrong with your config,,,,,,,,,,,,,,,,,,,,,, got bogged down.
The best course of action is to read through this article and try to figure out some errors.
They exist in IP address, Peers, Routes, etc.
viewtopic.php?t=182340
Come back when you have something resembling reasonable.
The best course of action is to read through this article and try to figure out some errors.
They exist in IP address, Peers, Routes, etc.
viewtopic.php?t=182340
Come back when you have something resembling reasonable.
-
-
papabear23
just joined
- Posts: 7
- Joined:
Re: Route Traffic through WireGuard to Internet
Hi, I am already going through you article and was praying to MK gods for your answer.There are many things wrong with your config,,,,,,,,,,,,,,,,,,,,,, got bogged down.
The best course of action is to read through this article and try to figure out some errors.
They exist in IP address, Peers, Routes, etc.
viewtopic.php?t=182340
Come back when you have something resembling reasonable.
Modifying all the configs/routes and will come back with some new settings.
Thanks a again!
By any chance, do you offer some paid help as well
?Re: Route Traffic through WireGuard to Internet
No but I do peruse the MT discord channel and you can message me there, if we need to spend more time on your scenario,............... but not required just yet......
-
-
papabear23
just joined
- Posts: 7
- Joined:
Re: Route Traffic through WireGuard to Internet
Woah, wasn`t aware there was one. Thanks again for the directions!No but I do peruse the MT discord channel and you can message me there, if we need to spend more time on your scenario,............... but not required just yet......
Re: Route Traffic through WireGuard to Internet
Dont get too excited, no content as the content should be here. I see it merely as a connection point for follow on discussions.
-
-
papabear23
just joined
- Posts: 7
- Joined:
Re: Route Traffic through WireGuard to Internet
Hey, thanks a lot for that well-written guide.Dont get too excited, no content as the content should be here. I see it merely as a connection point for follow on discussions.
I have solved it all
Re: Route Traffic through WireGuard to Internet
Awesome, glad it worked out. A good plan and diagram go along way
Re: Route Traffic through WireGuard to Internet
can you please share solution?
Re: Route Traffic through WireGuard to Internet
Hi,
Could you please share your final setup ? I have a similar scenario and it works just partially . I want to compare to your approach.
Kind regards
Could you please share your final setup ? I have a similar scenario and it works just partially . I want to compare to your approach.
Kind regards
Re: Route Traffic through WireGuard to Internet
Post your config here seeing as the OPs has solved his case and thus no interference.
/export file=anynameyouwish ( minus router serial number, public WANIP information, keys, long dhcp lease lists, any ipv6 info if not using ipv6 )
/export file=anynameyouwish ( minus router serial number, public WANIP information, keys, long dhcp lease lists, any ipv6 info if not using ipv6 )
Re: Route Traffic through WireGuard to Internet
Thanks a lot
The goal is to route specific traffic on the client (anything directed to the VE IP list) through the WireGuard server to the internet, while allowing all other internet traffic to use the regular internet connection. Everything is working fine except for traffic routed through the WireGuard tunnel. While I can ping both ends of the tunnel and access local resources on both routers, I cannot reach the internet through the tunnel.
However if I use a phone client instead of a RB as client , works smoothly.
Kind regards!
Edited to point out this : That works out good with a phone client
The goal is to route specific traffic on the client (anything directed to the VE IP list) through the WireGuard server to the internet, while allowing all other internet traffic to use the regular internet connection. Everything is working fine except for traffic routed through the WireGuard tunnel. While I can ping both ends of the tunnel and access local resources on both routers, I cannot reach the internet through the tunnel.
However if I use a phone client instead of a RB as client , works smoothly.
Kind regards!
Edited to point out this : That works out good with a phone client
You do not have the required permissions to view the files attached to this post.
Re: Route Traffic through WireGuard to Internet
SERVER Comments
1. This indicates an issue.......
/interface list member
add comment=defconf interface=*C list=LAN
I suspect its because you have not identified any LAN list interface members and yet you have a list??
2. This is wrong........... IF you have IP DHCP Client you should not have a separate IP address for WAN, its one or the other for a static IP.
IF its dynamic, there is no IP address entry.
2. Why do you have a keep alive set on the peers settings on the SERVER? Its the client that keeps things alive ...........
3.Firewall rules are a hot mess............. why people deviate from the defaults to such a degree is beyond me.
I suspect there are issue within these.... will take a closer look,,,,,,,,,,,,,,
CLIENT Comments
4. You have almost identical routes for the wireguard traffic, one is wrong and should be deleted. The one below that is.
/ip route
add disabled=no distance=5 dst-address=0.0.0.0/0 gateway=wireguard-oam \
pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
1. This indicates an issue.......
/interface list member
add comment=defconf interface=*C list=LAN
I suspect its because you have not identified any LAN list interface members and yet you have a list??
2. This is wrong........... IF you have IP DHCP Client you should not have a separate IP address for WAN, its one or the other for a static IP.
IF its dynamic, there is no IP address entry.
2. Why do you have a keep alive set on the peers settings on the SERVER? Its the client that keeps things alive ...........
3.Firewall rules are a hot mess............. why people deviate from the defaults to such a degree is beyond me.
I suspect there are issue within these.... will take a closer look,,,,,,,,,,,,,,
CLIENT Comments
4. You have almost identical routes for the wireguard traffic, one is wrong and should be deleted. The one below that is.
/ip route
add disabled=no distance=5 dst-address=0.0.0.0/0 gateway=wireguard-oam \
pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
Re: Route Traffic through WireGuard to Internet
Thank you for your suggestions. I have addressed all the points you raised in your previous post. As of now, if I ping a destination on the VE list, the traffic successfully exits through the wireguard-oam interface on the client, reaches wireguard-oam on the server, and is correctly routed to the internet. I can also observe return traffic back from the internet reaching the wireguard-oam interface on the client. However, this return traffic is not being seen by the user originating the traffic, example "ping anything.ontheVElist.comSERVER Comments
1. This indicates an issue.......
/interface list member
add comment=defconf interface=*C list=LAN
I suspect its because you have not identified any LAN list interface members and yet you have a list??
2. This is wrong........... IF you have IP DHCP Client you should not have a separate IP address for WAN, its one or the other for a static IP.
IF its dynamic, there is no IP address entry.
2. Why do you have a keep alive set on the peers settings on the SERVER? Its the client that keeps things alive ...........
3.Firewall rules are a hot mess............. why people deviate from the defaults to such a degree is beyond me.
I suspect there are issue within these.... will take a closer look,,,,,,,,,,,,,,
CLIENT Comments
4. You have almost identical routes for the wireguard traffic, one is wrong and should be deleted. The one below that is.
/ip route
add disabled=no distance=5 dst-address=0.0.0.0/0 gateway=wireguard-oam \
pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
The attached diagram illustrates the outbound traffic in cyan and the inbound traffic, which is only reaching the client's wireguard interface, in yellow.
Any assistance would be greatly appreciated.
Warmest regards
You do not have the required permissions to view the files attached to this post.
Re: Route Traffic through WireGuard to Internet
Need facts/evidence.
So latest configs of the routers please.
So latest configs of the routers please.
Re: Route Traffic through WireGuard to Internet
Kind regardsNeed facts/evidence.
So latest configs of the routers please.
You do not have the required permissions to view the files attached to this post.
Re: Route Traffic through WireGuard to Internet
Client Router
(1) It would appear you are trying to use srcnat masquerade to route traffic. This is the wrong approach.
/ip firewall nat
add action=masquerade chain=srcnat dst-address=172.16.24.0/24 out-interface=\
wireguard-oam src-address=192.168.13.0/24
All you need is.......
add action=masquerade chain=srcnat out-interface=wireguard-oam
++++++++++++++++++++++++++++++++++++++++
When you have control over both ends its best to be accurate. The kludge of using sourcenat to change all IPs to the single WG IP, is a very useful tool for when you dont control the other end,
such as third party VPNs, Technically you can do it either way and it will work. The problem still remains that you need to ensure routing and firewall rules etc....
+++++++++++++++++++++++++++++++++++++++
(2) To ensure traffic from the client router to the server subnet has a path you need the route:
/ip route
add dst-address=172.16.24.0/24 gateway=wireguard-oam routing-table=main
(3) You need to match the route with allowed IPs but since you already have 0.0.0.0/0 its already covered!
(3) To allow traffic to enter the tunnel you need firewall rule.
add chain=forward action=accept src-address=192.168.13.0/24 out-interface=wiregard-oam
(By the way find it confusing for the wireguard interface to be the same as when looking at wireguard parameters, am I looking at server device or client device?, no way to distinguish by name alone........so not helpful.
To complete the circle at the other end......
SERVER ROUTER
(4) SERVER PEER SETTINGS AT SERVER ROUTER
/interface wireguard peers
add allowed-address=10.249.0.13/32,192.168.13.0/24 interface=wireguard-oam public-key=\
"averylongsecurekey"
(5) And the route back to the Client router.
/ip route
add dst-address=192.168.13.0/.24 gateway=wireguard-oam routing-table=main
(1) It would appear you are trying to use srcnat masquerade to route traffic. This is the wrong approach.
/ip firewall nat
add action=masquerade chain=srcnat dst-address=172.16.24.0/24 out-interface=\
wireguard-oam src-address=192.168.13.0/24
All you need is.......
add action=masquerade chain=srcnat out-interface=wireguard-oam
++++++++++++++++++++++++++++++++++++++++
When you have control over both ends its best to be accurate. The kludge of using sourcenat to change all IPs to the single WG IP, is a very useful tool for when you dont control the other end,
such as third party VPNs, Technically you can do it either way and it will work. The problem still remains that you need to ensure routing and firewall rules etc....
+++++++++++++++++++++++++++++++++++++++
(2) To ensure traffic from the client router to the server subnet has a path you need the route:
/ip route
add dst-address=172.16.24.0/24 gateway=wireguard-oam routing-table=main
(3) You need to match the route with allowed IPs but since you already have 0.0.0.0/0 its already covered!
(3) To allow traffic to enter the tunnel you need firewall rule.
add chain=forward action=accept src-address=192.168.13.0/24 out-interface=wiregard-oam
(By the way find it confusing for the wireguard interface to be the same as when looking at wireguard parameters, am I looking at server device or client device?, no way to distinguish by name alone........so not helpful.
To complete the circle at the other end......
SERVER ROUTER
(4) SERVER PEER SETTINGS AT SERVER ROUTER
/interface wireguard peers
add allowed-address=10.249.0.13/32,192.168.13.0/24 interface=wireguard-oam public-key=\
"averylongsecurekey"
(5) And the route back to the Client router.
/ip route
add dst-address=192.168.13.0/.24 gateway=wireguard-oam routing-table=main
Re: Route Traffic through WireGuard to Internet
Firewall Rules Server Router;
/ip firewall address-list { static dhcp leases or wireguard ip }
add address=172.16.24.XX list=Authorized comment="admin local desktop"
add address=172.16.24.AA list=Authorized comment="admin local laptop"
add address=172.16.24.BB list=Authorized comment="admin local smartphone/ipad"
add address=10.249.0.13 list=Authorized comment="admin remote wireguard"
add address=192.168.13.XX list=Authorized comment="admin from Client router LAN via WG"
/ip firewall
add action=accept chain=input comment="accept established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="admin access" src-address-list=Authorized
add action=accept chain=input comment="Allow Wireguard OAM" dst-port=443 \
protocol=udp
add action=accept chain=input comment="ALLOW SSH" dst-port=22 \
add action=accept chain=input comment="access to dns services" dst-port=53 \
protocol=udp in-interface list=LAN
add action=accept chain=input comment="access to dns services" dst-port=53 \
protocol=tcp in-interface list=LAN
add action=drop chain=input comment="DROP ALL ELSE" { enter this rule in last!! }
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward in-interface=wireguard-oam out-interface-list=WAN comment="allow all wireguard traffic to use internet"
add action=accept chain=forward in-interface=wireguard-oam dst-address=172.16.24.0/24 disabled=yes comment=allow all wireguard traffic to LAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat disabled=yes { enable if required }
add action=drop chain=forward comment="drop all else"
/ip firewall address-list { static dhcp leases or wireguard ip }
add address=172.16.24.XX list=Authorized comment="admin local desktop"
add address=172.16.24.AA list=Authorized comment="admin local laptop"
add address=172.16.24.BB list=Authorized comment="admin local smartphone/ipad"
add address=10.249.0.13 list=Authorized comment="admin remote wireguard"
add address=192.168.13.XX list=Authorized comment="admin from Client router LAN via WG"
/ip firewall
add action=accept chain=input comment="accept established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="admin access" src-address-list=Authorized
add action=accept chain=input comment="Allow Wireguard OAM" dst-port=443 \
protocol=udp
add action=accept chain=input comment="ALLOW SSH" dst-port=22 \
add action=accept chain=input comment="access to dns services" dst-port=53 \
protocol=udp in-interface list=LAN
add action=accept chain=input comment="access to dns services" dst-port=53 \
protocol=tcp in-interface list=LAN
add action=drop chain=input comment="DROP ALL ELSE" { enter this rule in last!! }
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward in-interface=wireguard-oam out-interface-list=WAN comment="allow all wireguard traffic to use internet"
add action=accept chain=forward in-interface=wireguard-oam dst-address=172.16.24.0/24 disabled=yes comment=allow all wireguard traffic to LAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat disabled=yes { enable if required }
add action=drop chain=forward comment="drop all else"
Re: Route Traffic through WireGuard to Internet
Client Router
(1) It would appear you are trying to use srcnat masquerade to route traffic. This is the wrong approach.
/ip firewall nat
add action=masquerade chain=srcnat dst-address=172.16.24.0/24 out-interface=\
wireguard-oam src-address=192.168.13.0/24
All you need is.......
add action=masquerade chain=srcnat out-interface=wireguard-oam
++++++++++++++++++++++++++++++++++++++++
When you have control over both ends its best to be accurate. The kludge of using sourcenat to change all IPs to the single WG IP, is a very useful tool for when you dont control the other end,
such as third party VPNs, Technically you can do it either way and it will work. The problem still remains that you need to ensure routing and firewall rules etc....
+++++++++++++++++++++++++++++++++++++++
(2) To ensure traffic from the client router to the server subnet has a path you need the route:
/ip route
add dst-address=172.16.24.0/24 gateway=wireguard-oam routing-table=main
(3) You need to match the route with allowed IPs but since you already have 0.0.0.0/0 its already covered!
(3) To allow traffic to enter the tunnel you need firewall rule.
add chain=forward action=accept src-address=192.168.13.0/24 out-interface=wiregard-oam
(By the way find it confusing for the wireguard interface to be the same as when looking at wireguard parameters, am I looking at server device or client device?, no way to distinguish by name alone........so not helpful.
To complete the circle at the other end......
SERVER ROUTER
(4) SERVER PEER SETTINGS AT SERVER ROUTER
/interface wireguard peers
add allowed-address=10.249.0.13/32,192.168.13.0/24 interface=wireguard-oam public-key=\
"averylongsecurekey"
(5) And the route back to the Client router.
/ip route
add dst-address=192.168.13.0/.24 gateway=wireguard-oam routing-table=main
Huge thanks to @anav for sharing that solution! I was at my wit's end trying to figure this out, and their post was exactly what I needed. I followed their steps exactly, and boom, problem solved!. This kind of community support is invaluable, and I'm so grateful to be a part of it.
Thanks again. You're a lifesaver!"
Re: Route Traffic through WireGuard to Internet
Hello @avav,
not that relevant with this topic but, what's the difference between:
add action=accept chain=input comment="admin access" src-address-list=Authorized
add action=drop chain=input comment="DROP ALL ELSE"
-
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="drop all else"
and
add action=drop chain=input src-address-list=!Authorized
-
add action=drop chain=forward in-interface-list=!LAN
?
not that relevant with this topic but, what's the difference between:
add action=accept chain=input comment="admin access" src-address-list=Authorized
add action=drop chain=input comment="DROP ALL ELSE"
-
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="drop all else"
and
add action=drop chain=input src-address-list=!Authorized
-
add action=drop chain=forward in-interface-list=!LAN
?
Re: Route Traffic through WireGuard to Internet
Philosophy.
The default rules come set for a simple user on the bridge via ether2 and wan setup to work on ether1.
The traffic is safely protected but it allows all traffic and drops some key things for general safety.
When we want to do more, add vlans and other things its much easier, as the config and requirements get complex, to simply DROP ALL traffic.
Then only put back in, what traffic is actually required. Much smaller set of rules needed and we know what traffic we need, much more so than
all the things we need to block.
The more cute rules you put in with !, the trickier the config is to read, meaning more error prone as you add layers of complexity and harder to find the error. KISS
The only drop rule (besides invalid default rule) need only be the LAST Drop all rule. The rest one focuses solely on what traffic should be accepted.
viewtopic.php?t=180838
The default rules come set for a simple user on the bridge via ether2 and wan setup to work on ether1.
The traffic is safely protected but it allows all traffic and drops some key things for general safety.
When we want to do more, add vlans and other things its much easier, as the config and requirements get complex, to simply DROP ALL traffic.
Then only put back in, what traffic is actually required. Much smaller set of rules needed and we know what traffic we need, much more so than
all the things we need to block.
The more cute rules you put in with !, the trickier the config is to read, meaning more error prone as you add layers of complexity and harder to find the error. KISS
The only drop rule (besides invalid default rule) need only be the LAST Drop all rule. The rest one focuses solely on what traffic should be accepted.
viewtopic.php?t=180838