lukik007
just joined
Topic Author
Posts: 21
Joined: Mon May 27, 2019 10:18 am

Natting Public Ip Over Wireguard

Wed Apr 26, 2023 1:04 pm

We have two firewalls connected through WireGuard, and locally everything is working normally.

With reference to the attached diagram, we would like to connect from a public computer to a device (port 4575) that is connected to Firewall 2.

Basically, the connection should pass from:
1) Public computer to the FW 1
2) FW1 to FW2 (via wireguard)
3) FW2 to the connected device


When checking the firewall rules on FW1 and FW2, the traffic was accepted towards the device, but the connection was still not available.

Could it be something with TCP going back to FW1?
 
jvanhambelgium
Forum Guru
Posts: 1120
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Natting Public Ip Over Wireguard

Wed Apr 26, 2023 1:12 pm

It could be 10 things; without any config it is impossible to say (could be NAT, routing, ...).
Did you "torch" on FW2 to see if the DNAT'ted packet arrives at that point???

Is the "device" exposed to the Internet with a DNAT? Or does this "public computer" also have a WireGuard client?

On a side note, if FW2 is *also* connected to the ISP/Internet, why not perform the DNAT at that location? Do you have this FW2 under your control/administration?
 
rextended
Forum Guru
Posts: 12947
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Natting Public Ip Over Wireguard

Wed Apr 26, 2023 1:14 pm

We have two firewalls ....
OK, the schema is clear, but all the IPs are missing.....

If you don't provide the configurations, you can only go blind, trying, groping; your choice...
 
lukik007
just joined
Topic Author
Posts: 21
Joined: Mon May 27, 2019 10:18 am

Re: Natting Public Ip Over Wireguard

Wed Apr 26, 2023 1:38 pm

We have two firewalls ....
OK, the schema is clear, but all the IPs are missing.....

If you don't provide the configurations, you can only go blind, trying, groping; your choice...

FW1
/interface wireguard
add listen-port=22222 mtu=1420 name=wireguard-to-remote-site#1
add listen-port=33333 mtu=1420 name=wireguard-to-remote-site#2
/ip address
add address=10.20.200.1 interface=wireguard-remote-site#2 network=10.20.200.2
add address=10.21.200.1 interface=wireguard-remote-site#1 network=10.21.200.2
add address=172.50.201.1/30 interface=ether1 network=172.50.201.0

/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=\
    187.122.133.144 endpoint-port=22222 interface=wireguard-to-remote-site#1 \
    persistent-keepalive=10s public-key=\
    "xxxxxxxxxxxxxxxxxxxxxxxxxx="
add allowed-address=0.0.0.0/0 endpoint-address=\
    187.122.133.145 endpoint-port=33333 interface=wireguard-to-remote-site#2 \
    persistent-keepalive=10s public-key=\
    "xxxxxxxxxxxxxxxxxxxxxxxxxx="
/ip firewall filter
add action=accept chain=input comment=\
    "WireGuard Ports " dst-port=22222,33333 \
    protocol=udp 
add action=accept chain=input comment=\
    "WireGuard Ports " src-port=22222,33333 \
    protocol=udp 
add action=accept chain=forward-from-wan \
    dst-address=10.200.40.5 dst-port=4575
/ip firewall nat
add action=dst-nat chain=dstnat-services dst-port=\
    4575 protocol=tcp to-addresses=10.200.40.5

FW 2
/interface ethernet
set [ find default-name=ether2 ] speed=100Mbps
/ip dhcp-client
add interface=ether2
/ip address
add address=10.20.200.2 interface=wireguard-to-main-site#1 network=10.20.200.1
add address=10.21.200.2 interface=wireguard-to-main-site#2 network=10.21.200.1
/interface wireguard
add listen-port=22222 mtu=1420 name=wireguard-to-main-site#1
add listen-port=33333 mtu=1420 name=wireguard-to-main-site#2

/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=\
    188.122.133.144 endpoint-port=22222 interface=wireguard-to-main-site#1 \
    persistent-keepalive=10s public-key=\
    "xxxxxxxxxxxxxxxxxxxxxxxxxx="
add allowed-address=0.0.0.0/0 endpoint-address=\
    188.122.133.145 endpoint-port=33333 interface=wireguard-to-main-site#2 \
    persistent-keepalive=10s public-key=\
    "xxxxxxxxxxxxxxxxxxxxxxxxxx="
/ip firewall filter
add action=accept chain=forward comment=\
    "natted from remote site" dst-address=10.200.40.5 \
    dst-port=4575 log=yes log-prefix=inside protocol=tcp
add action=accept chain=input comment=\
    "WireGuard Ports " dst-port=22222,33333 \
    protocol=udp 
add action=accept chain=input comment=\
    "WireGuard Ports " src-port=22222,33333 \
    protocol=udp 


Internally we are able to connect to 10.200.40.5:4575, but from outside the connection arrives at firewall 2 and then fails.

Sorry, but I had to edit and cut it down from 1000 lines of code.. so if you need anything else just ask :) Thanks for helping.

Further, find attached the forward log from FW2.
Last edited by lukik007 on Wed Apr 26, 2023 1:47 pm, edited 1 time in total.
 
lukik007
just joined
Topic Author
Posts: 21
Joined: Mon May 27, 2019 10:18 am

Re: Natting Public Ip Over Wireguard

Wed Apr 26, 2023 1:43 pm

It could be 10 things; without any config it is impossible to say (could be NAT, routing, ...).
Did you "torch" on FW2 to see if the DNAT'ted packet arrives at that point???

Is the "device" exposed to the Internet with a DNAT? Or does this "public computer" also have a WireGuard client?

On a side note, if FW2 is *also* connected to the ISP/Internet, why not perform the DNAT at that location? Do you have this FW2 under your control/administration?
FW2 is under our control, but the ISP modem is NATed by the supplier through a 4G dynamic modem. This is not possible.
 
rextended
Forum Guru
Posts: 12947
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Natting Public Ip Over Wireguard

Wed Apr 26, 2023 1:52 pm

OK, heavily edited.... for example, everything in "dstnat-services" is missing, as if there were nothing.

But, if this is the only NAT you do, and the line is not altered, it is missing the destination address or at least the incoming WAN interface.
/ip firewall nat
add action=dst-nat chain=dstnat-services dst-port=4575 protocol=tcp to-addresses=10.200.40.5

and the source NAT is also missing: the device tries to use ISP2 for the reply, but that is NATed with another WAN IP (WANIP2), so the remote connection cannot work...
pseudo rule:
add action=src-nat chain=srcnat-services dst-address=10.200.40.5 to-addresses=<internal F1 address>
 
Larsa
Forum Guru
Posts: 1840
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Natting Public Ip Over Wireguard

Wed Apr 26, 2023 3:17 pm

FW2 is under our control, but the ISP modem is NATed by the supplier through a 4G dynamic modem. This is not possible.

Just a suggestion, but you can try to enable DMZ (if supported by the 4G modem), which might sometimes remove potential double-NAT issues. Btw, what kind of 4G modems are they?
 
lukik007
just joined
Topic Author
Posts: 21
Joined: Mon May 27, 2019 10:18 am

Re: Natting Public Ip Over Wireguard

Wed Apr 26, 2023 3:20 pm

FW2 is under our control, but the ISP modem is NATed by the supplier through a 4G dynamic modem. This is not possible.

Just a suggestion, but you can try to enable DMZ (if supported by the 4G modem), which might sometimes remove potential double-NAT issues. Btw, what kind of 4G modems are they?
Not possible, since it is managed by the ISP.
 
rextended
Forum Guru
Posts: 12947
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Natting Public Ip Over Wireguard

Wed Apr 26, 2023 3:23 pm

 
lukik007
just joined
Topic Author
Posts: 21
Joined: Mon May 27, 2019 10:18 am

Re: Natting Public Ip Over Wireguard

Wed Apr 26, 2023 3:24 pm

n/a
Last edited by lukik007 on Wed Apr 26, 2023 3:41 pm, edited 1 time in total.
 
lukik007
just joined
Topic Author
Posts: 21
Joined: Mon May 27, 2019 10:18 am

Re: Natting Public Ip Over Wireguard

Wed Apr 26, 2023 3:25 pm

Tried, didn't work.

The first NAT was already set. The source NAT was added, but it still didn't work.
 
rextended
Forum Guru
Posts: 12947
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Natting Public Ip Over Wireguard

Wed Apr 26, 2023 3:30 pm

Pass... also hiding the information that there is another firewall in the middle... it's too much for me, before I become vulgar, and I already am on my own...
 
Larsa
Forum Guru
Posts: 1840
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Natting Public Ip Over Wireguard

Wed Apr 26, 2023 3:31 pm

Not possible, since it is managed by the ISP.

Okay. Is this some kind of NMO/SLA business subscription with a preconfigured router/modem that is managed and monitored by the ISP? What NMO/ISP and modem is it?

Btw, regarding the last network diagram, where are the 4G modems located?

EDIT:
Just a suggestion, but if you add the subnets and IP addresses to the picture, it makes it much easier to understand your configuration.
Last edited by Larsa on Wed Apr 26, 2023 3:41 pm, edited 1 time in total.
 
lukik007
just joined
Topic Author
Posts: 21
Joined: Mon May 27, 2019 10:18 am

Re: Natting Public Ip Over Wireguard  [SOLVED]

Wed Apr 26, 2023 3:40 pm

Pass... also hiding the information that there is another firewall in the middle... it's too much for me, before I become vulgar, and I already am on my own...
Sorry :)

Solved by adding the source NAT on FW1 instead.

Thanks for your help.
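The FW1 rule set below is an added example, not configuration from the thread: it combines rextended's pseudo src-nat rule with the fix lukik007 reports (source NAT on FW1, so the device's replies come back through the tunnel instead of leaving via FW2's 4G uplink). It assumes ether1 is FW1's Internet-facing interface, uses the standard dstnat/srcnat chains rather than the custom dstnat-services/forward-from-wan chains of the posted config, and assumes the tunnel in use is wireguard-to-remote-site#1 with FW1 address 10.21.200.1 and the device's default gateway being FW2.

```routeros
# Added example, FW1 only. FW2 keeps its existing forward accept rule for
# 10.200.40.5:4575.
# Assumptions: ether1 is FW1's WAN; tunnel wireguard-to-remote-site#1 has FW1
# address 10.21.200.1 (FW2 side 10.21.200.2); the device's gateway is FW2.

/ip firewall nat
# 1) Public client -> FW1 WAN :4575 is rewritten to the device behind FW2.
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=4575 \
    action=dst-nat to-addresses=10.200.40.5 to-ports=4575 \
    comment="public :4575 -> device behind FW2"

# 2) The same flow is also source-NATed to FW1's tunnel address as it enters
#    the tunnel. The device then answers 10.21.200.1, which FW2 reaches over
#    the WireGuard interface, instead of answering the public client through
#    its 4G uplink (different WAN IP, asymmetric path, handshake never completes).
add chain=srcnat out-interface=wireguard-to-remote-site#1 protocol=tcp \
    dst-address=10.200.40.5 dst-port=4575 \
    action=src-nat to-addresses=10.21.200.1 \
    comment="hide public clients behind FW1 tunnel IP for 10.200.40.5:4575"

/ip firewall filter
# 3) Permit only the DNATed flow from WAN into the tunnel, nothing else.
add chain=forward in-interface=ether1 out-interface=wireguard-to-remote-site#1 \
    connection-nat-state=dstnat protocol=tcp \
    dst-address=10.200.40.5 dst-port=4575 action=accept \
    comment="allow DNATed WAN traffic to the device"

# Verification on FW1 after a test connection from outside: the tracked
# connection should show both the dstnat and the srcnat translation.
/ip firewall connection print detail where dst-address~"10.200.40.5"
```

Because the srcnat rule hides the real client address, the device's own logs will show 10.21.200.1 rather than the public source; if the client IP matters for auditing, record it on FW1 (the forward rule accepts log=yes, as the posted FW2 rule already does).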
 
Larsa
Forum Guru
Posts: 1840
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Natting Public Ip Over Wireguard

Wed Apr 26, 2023 3:44 pm

Glad you managed to get it working!

Just curious, but do you use some sort of NMO/SLA business plan with a pre-configured router/modem managed and monitored by the ISP, and secondly, what is the NMO/ISP and what kind of modem is it?
 
rextended
Forum Guru
Posts: 12947
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Natting Public Ip Over Wireguard

Wed Apr 26, 2023 4:02 pm

Solved by adding the source NAT on FW1 instead.
So, even if I didn't know it, I had already written the right name.... :mrgreen: