Community discussions

MikroTik App
  4. RouterOS
  5. Beginner Basics

Wireguard: Cannot reach Internal LAN

Post Reply
 
Datanav
just joined
Topic Author
Posts: 24
Joined: Mon Jul 15, 2019 8:06 pm
Location: Nairobi, Kenya
Contact:
Contact Datanav

Wireguard: Cannot reach Internal LAN

Fri Jun 09, 2023 12:35 pm

Hi all,

I have setup site2site VPN via wireguard, here is what i can achieve:
1. I can only ping router 2 from router1's interface and vice versa.

What i have been unable to achieve:
1. Cannot reach internal LAN devices from either side i.e from router1, i cannot reach devices in the LAN of router 2 and vice versa

I would like to be able to reach devices on both ends.

Below are my configs:
Router1:
Code: Select all
# jun/09/2023 12:17:04 by RouterOS 7.9.2
# software id = 141B-TTYI
#
# model = RB951G-2HnD
# serial number = XXXXXXX
/interface bridge
add admin-mac=xxxxx auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=XXXXX wireless-protocol=802.11
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguardVPN_to_Bandari
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip ipsec peer
add address=xx.xxxx.xxx.xx/32 exchange-mode=ike2 name="XXXXXi"
add address=xx.90.xxx.xx/32 exchange-mode=ike2 name=XXXX
add address=xx.72.xxxx.xxx/32 exchange-mode=ike2 name=XXX
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 \
    hash-algorithm=sha256
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    pfs-group=modp2048
/ip pool
add name=dhcp ranges=192.168.170.10-192.168.170.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=10.10.10.0/30,192.168.172.0/24 endpoint-address=\
    41.90.248.49 endpoint-port=13231 interface=wireguardVPN_to_Bandari \
    persistent-keepalive=10s public-key=\
    "publickey"
/ip address
add address=192.168.170.1/24 comment=defconf interface=bridge network=\
    192.168.170.0
add address=10.10.10.1/30 interface=wireguardVPN_to_Bandari network=\
    10.10.10.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.170.0/24 comment=defconf dns-server=192.168.170.1 \
    gateway=192.168.170.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.170.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input dst-port=13231 protocol=udp src-address=\
    41.90.248.49
add action=accept chain=forward dst-address=192.168.170.0/24 src-address=\
    192.168.172.0/24
add action=accept chain=forward dst-address=192.168.172.0/24 src-address=\
    192.168.170.0/24
add action=accept chain=input comment="For Winbox Access" dst-address=\
    192.168.170.0/24 dst-port=8291 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=accept chain=srcnat disabled=yes dst-address=192.168.170.0/24 \
    src-address=192.168.172.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
add peer=xxx
add peer="xxxxx"
add peer=xxxx
/ip ipsec policy
add dst-address=192.168.1.0/24 peer=xxxx src-address=192.168.170.0/24 tunnel=\
    yes
add dst-address=192.168.171.0/24 peer="xxxxxx" src-address=\
    192.168.170.0/24 tunnel=yes
add dst-address=192.168.172.0/24 peer=xxxx src-address=192.168.170.0/24 \
    tunnel=yes
/ip route
add disabled=no dst-address=192.168.172.0/24 gateway=10.10.10.2 \
    routing-table=main suppress-hw-offload=no
/system clock
set time-zone-name=Africa/Nairobi
/system identity
set name="xxxxxx"
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Router 2:
Code: Select all
# jun/09/2023 12:22:13 by RouterOS 7.9.2
# software id = 645K-5L30
#
# model = RB951Ui-2HnD
# serial number = xxxxx
/interface bridge
add admin-mac=xxxxxx auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=Pharmaplus wireless-protocol=802.11
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard_to_Nyali
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk group-ciphers=\
    tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
    unicast-ciphers=tkip,aes-ccm
/ip ipsec peer
add address=xxxxxx/32 exchange-mode=ike2 name=\
    "xxxxxxxx"
add address=xxxxxxx/32 exchange-mode=ike2 name="xxxxxxx"
add address=xxxxxx/32 exchange-mode=ike2 name=xxxxx
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 \
    hash-algorithm=sha256
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    pfs-group=modp2048
/ip pool
add name=dhcp ranges=192.168.172.10-192.168.172.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=10.10.10.0/30,192.168.170.0/24 endpoint-address=\
    197.232.146.177 endpoint-port=13231 interface=wireguard_to_Nyali \
    persistent-keepalive=10s public-key=\
    "publickey2"
/ip address
add address=192.168.172.1/24 comment=defconf interface=bridge network=\
    192.168.172.0
add address=10.10.10.2/30 interface=wireguard_to_Nyali network=10.10.10.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.172.0/24 comment=defconf gateway=192.168.172.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.172.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input dst-port=13231 protocol=udp src-address=\
    197.232.146.177
add action=accept chain=input dst-address=192.168.172.0/24 dst-port=8291 \
    protocol=tcp src-address=192.168.1.0/24
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=forward dst-address=192.168.172.0/24 src-address=\
    192.168.170.0/24
add action=accept chain=forward dst-address=192.168.170.0/24 src-address=\
    192.168.172.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
add peer="xxxxx"
add peer="xxxxx"
add peer=xxxx
/ip ipsec policy
add dst-address=192.168.160.0/24 peer="xxxxx" src-address=\
    192.168.172.0/24 tunnel=yes
add dst-address=192.168.170.0/24 peer="xxxxx" src-address=\
    192.168.172.0/24 tunnel=yes
add dst-address=192.168.1.0/24 peer=xxxx src-address=192.168.172.0/24 tunnel=\
    yes
/ip route
add disabled=no dst-address=192.168.170.0/24 gateway=10.10.10.1 \
    routing-table=main suppress-hw-offload=no
/system clock
set time-zone-name=Africa/Nairobi
/system identity
set name="xxxxxx"
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Thanks.
Top
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 22401
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:
Contact anav

Re: Wireguard: Cannot reach Internal LAN

Fri Jun 09, 2023 1:26 pm

1. Do both have publicly accessible IP addresses?
2. Did you want both to be clients and servers or just one has client and one as server for initial handshake?

The reason I ask is both have input chain rules for wireguard whereas normally only one needs it to establish a connection.
Top
 
Datanav
just joined
Topic Author
Posts: 24
Joined: Mon Jul 15, 2019 8:06 pm
Location: Nairobi, Kenya
Contact:
Contact Datanav

Re: Wireguard: Cannot reach Internal LAN

Fri Jun 09, 2023 1:29 pm

1. Do both have publicly accessible IP addresses?
2. Did you want both to be clients and servers or just one has client and one as server for initial handshake?

The reason I ask is both have input chain rules for wireguard whereas normally only one needs it to establish a connection.
Below are the answers:
1. Yes both have publicly accessible IP addresses
2. I want router 1 to be the server while router 2 to be the client, however the end goal is that the 2 LANS can talk to each other

Just to add that i can ping both gateways(10.10.10.1 and 10.10.10.2) from LAN side of each router. Just cant reach any devices...
Top
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 22401
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:
Contact anav

Re: Wireguard: Cannot reach Internal LAN

Fri Jun 09, 2023 9:14 pm

(1) The rules for input chain access to the router from Wireguard are incorrect. Remember that the Input chain is for traffic to the router, not to a subnet..............
Remove these
/ip firewall filter
add action=accept chain=input comment="For Winbox Access" dst-address=\
192.168.170.0/24 dst-port=8291 protocol=tcp src-address=192.168.1.0/24
and
/ip firewall filter
add action=accept chain=input dst-address=192.168.172.0/24 dst-port=8291 \
protocol=tcp src-address=192.168.1.0/24[/i]

and replace with ( always change default port to a unique port )
There is no need provide all users access to config (bad security practice) and thus limited by address list.

R1 -->add action=accept chain=input comment="For Winbox Access" src-address-list=Authorized
R2 -->add action=accept chain=input comment="For Winbox Access" src-address-list=Authorized

Where the source address list is comprised of admin devices with IPs statically set leases on each router.
Consider that via wireguard an admin IP can be used on both Routers addresss lists, for example, if an admin on R1 requires the ability to config R2.

(2) Slight modification for routes
R1
/ip route
add disabled=no dst-address=192.168.172.0/24 gateway=wireguardVPN_to_Bandari \
routing-table=main suppress-hw-offload=no

R2
/ip route
add disabled=no dst-address=192.168.170.0/24 gateway=wireguard_to_Nyali \
routing-table=main suppress-hw-offload=no
wireguard_to_Nyali

(3) To ensure clarity and to support both being able to initiate a connection use different listening ports....... So....

R1
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguardVPN_to_Bandari

/ip firewall filter
add action=accept chain=input dst-port=13231 protocol=udp ( src address optional but if fixed not a bad idea! )

/interface wireguard peers
add allowed-address=10.10.10.0/30,192.168.172.0/24 endpoint-address=\
41.90.248.49 endpoint-port=14231 interface=wireguardVPN_to_Bandari \
persistent-keepalive=10s public-key=\
"publickey"

R2
/interface wireguard
add listen-port=14231 mtu=1420 name=wireguard_to_Nyali

/ip firewall filter
add action=accept chain=input dst-port=14231 protocol=udp (src address optional but not a bad idea)

/interface wireguard peers
add allowed-address=10.10.10.0/30,192.168.170.0/24 endpoint-address=\
197.232.146.177 endpoint-port=13231 interface=wireguard_to_Nyali \
persistent-keepalive=10s public-key=\
"publickey2"
Top
 
Datanav
just joined
Topic Author
Posts: 24
Joined: Mon Jul 15, 2019 8:06 pm
Location: Nairobi, Kenya
Contact:
Contact Datanav

Re: Wireguard: Cannot reach Internal LAN

Sat Jun 10, 2023 1:05 pm

@anav, Have done as you have recommended but still no traffic between subnets:
Below are the current configs:
Code: Select all
# jun/10/2023 12:50:46 by RouterOS 7.9.2
# software id = 141B-TTYI
#
# model = RB951G-2HnD
# serial number = xxxxx
/interface bridge
add admin-mac=18:FD:74:2F:82:xx auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=xxxxx-protocol=802.11
/interface wireguard
add listen-port=14231 mtu=1420 name=Wireguard_to_bandari
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip ipsec peer
add address=xxxx/32 exchange-mode=ike2 name="Pharmaplus Likoni"
add address=xxxxx/32 exchange-mode=ike2 name=Bandari
add address=xxxxxx/32 exchange-mode=ike2 name=PRD \
    send-initial-contact=no
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 \
    hash-algorithm=sha256
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    pfs-group=modp2048
/ip pool
add name=dhcp ranges=192.168.170.10-192.168.170.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=10.10.10.0/30,192.168.172.0/24 endpoint-address=\
    41.90.248.49 endpoint-port=14231 interface=Wireguard_to_bandari \
    persistent-keepalive=10s public-key=\
    "public key"
/ip address
add address=192.168.170.1/24 comment=defconf interface=bridge network=\
    192.168.170.0
add address=10.10.10.1/30 interface=Wireguard_to_bandari network=10.10.10.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.170.0/24 comment=defconf dns-server=192.168.170.1 \
    gateway=192.168.170.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.170.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input dst-port=14231 protocol=udp
add action=accept chain=input comment="For Winbox Access" dst-address=\
    192.168.170.0/24 dst-port=8291 protocol=tcp src-address=192.168.1.0/24(will sort this later)
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=accept chain=input dst-address=192.168.170.0/24 src-address=\
    192.168.172.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
add peer=xxxx
add peer="xxxxx"
add peer=xxxxx
/ip ipsec policy
add dst-address=192.168.1.0/24 peer=xxxx src-address=192.168.170.0/24 tunnel=\
    yes
add dst-address=192.168.171.0/24 peer="xxxxx" src-address=\
    192.168.170.0/24 tunnel=yes
add dst-address=192.168.172.0/24 peer=xxxx src-address=192.168.170.0/24 \
    tunnel=yes
/ip route
add disabled=yes distance=1 dst-address=192.168.172.0/24 gateway=10.10.10.2 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no dst-address=192.168.172.0/24 gateway=Wireguard_to_bandari \
    routing-table=main suppress-hw-offload=no
/system clock
set time-zone-name=Africa/Nairobi
/system identity
set name="xxxxx"
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Router 2:
Code: Select all
# jun/10/2023 12:58:41 by RouterOS 7.9.2
# software id = 645K-5L30
#
# model = RB951Ui-2HnD
# serial number = xxx
/interface bridge
add admin-mac=18:FD:74:A1:30:xxx auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=xxxx wireless-protocol=802.11
/interface wireguard
add listen-port=14231 mtu=1420 name=Wiregurad_to_nyali
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk group-ciphers=\
    tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
    unicast-ciphers=tkip,aes-ccm
/ip ipsec peer
add address=197.248.99.69/32 exchange-mode=ike2 name=\
    "xxxxxx"
add address=xxxx/32 exchange-mode=ike2 name="xxxx"
add address=xxxx/32 exchange-mode=ike2 name=xxx
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 \
    hash-algorithm=sha256
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    pfs-group=modp2048
/ip pool
add name=dhcp ranges=192.168.172.10-192.168.172.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=10.10.10.0/30,192.168.170.0/24 endpoint-address=\
    197.232.146.177 endpoint-port=14231 interface=Wiregurad_to_nyali \
    persistent-keepalive=10s public-key=\
    "publickey2"
/ip address
add address=192.168.172.1/24 comment=defconf interface=bridge network=\
    192.168.172.0
add address=10.10.10.2/30 interface=Wiregurad_to_nyali network=10.10.10.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.172.0/24 comment=defconf gateway=192.168.172.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.172.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input dst-port=14231 protocol=udp
add action=accept chain=input dst-address=192.168.172.0/24 dst-port=8291 \
    protocol=tcp src-address=192.168.1.0/24
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
add peer="xxxx"
add peer="xxxx"
add peer=xxxx
/ip ipsec policy
add dst-address=192.168.160.0/24 peer="xxxx" src-address=\
    192.168.172.0/24 tunnel=yes
add dst-address=192.168.170.0/24 peer="xxxx" src-address=\
    192.168.172.0/24 tunnel=yes
add dst-address=192.168.1.0/24 peer=xxxx src-address=192.168.172.0/24 tunnel=\
    yes
/ip route
add disabled=yes distance=1 dst-address=192.168.170.0/24 gateway=10.10.10.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no dst-address=192.168.170.0/24 gateway=Wiregurad_to_nyali \
    routing-table=main suppress-hw-offload=no
/system clock
set time-zone-name=Africa/Nairobi
/system identity
set name="xxxx"
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Top
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 22401
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:
Contact anav

Re: Wireguard: Cannot reach Internal LAN

Sat Jun 10, 2023 5:08 pm

Actually you didnt, the listening port was NOT supposed to change on R1, just on R2.
The input chain rule for wireguard port in concert was NOT supposed to change on R1, just on R2
( In both cases above it was supposed to stay at 13231 ).

The only thing that was supposed to change was
a. the peer setting for endpoint port on R1 to 14231
b. the listening port and input chain rule for wireguard port on R2 to 14231
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

The allowed addresses holds the key to the issue....
Note the allowed IP for the subnets is identical on both config and thus we can conclude is WRONG

The local subnet on R1 is 192.168.170.0 and should be the remote IP subnet identified on R2
The local subnet on R2 is 192.168.172.0/24 and should be the remote IPsubnet identified on R1

Thus on R1
/interface wireguard peers
add allowed-address=10.10.10.0/30,192.168.172.0/24 endpoint-address=\
41.90.248.49 endpoint-port=14231 interface=Wireguard_to_bandari \
persistent-keepalive=10s public-key=\
"public key"

Thus on R2
/interface wireguard peers
add allowed-address=10.10.10.0/30,192.168.172.0/24 endpoint-address=\
41.90.248.49 endpoint-port=14231 interface=Wireguard_to_bandari \
persistent-keepalive=10s public-key=\
"public key"
Top
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 22401
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:
Contact anav

Re: Wireguard: Cannot reach Internal LAN

Sat Jun 10, 2023 5:57 pm

Also, recommend that each router identify the other router in allowed IPs by its IP address X/32 vice X/30.
This should not be an issue.
Top
 
Datanav
just joined
Topic Author
Posts: 24
Joined: Mon Jul 15, 2019 8:06 pm
Location: Nairobi, Kenya
Contact:
Contact Datanav

Re: Wireguard: Cannot reach Internal LAN

Sat Jun 10, 2023 10:20 pm

Actually you didnt, the listening port was NOT supposed to change on R1, just on R2.
The input chain rule for wireguard port in concert was NOT supposed to change on R1, just on R2
( In both cases above it was supposed to stay at 13231 ).

The only thing that was supposed to change was
a. the peer setting for endpoint port on R1 to 14231
b. the listening port and input chain rule for wireguard port on R2 to 14231
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

The allowed addresses holds the key to the issue....
Note the allowed IP for the subnets is identical on both config and thus we can conclude is WRONG

The local subnet on R1 is 192.168.170.0 and should be the remote IP subnet identified on R2
The local subnet on R2 is 192.168.172.0/24 and should be the remote IPsubnet identified on R1

Thus on R1
/interface wireguard peers
add allowed-address=10.10.10.0/30,192.168.172.0/24 endpoint-address=\
41.90.248.49 endpoint-port=14231 interface=Wireguard_to_bandari \
persistent-keepalive=10s public-key=\
"public key"

Thus on R2
/interface wireguard peers
add allowed-address=10.10.10.0/30,192.168.172.0/24 endpoint-address=\
41.90.248.49 endpoint-port=14231 interface=Wireguard_to_bandari \
persistent-keepalive=10s public-key=\
"public key"
@Anav
If you check correctly:
on R1:
The allowed Address is the subnet of R2: 192.168.172.0/24
While on R2:
The allowed Address is the subnet of R1: 192.168.170.0/24

Kindly just check the configs again as from your current suggestion the allowed subnet remain the same on both, that part is confusing to me.
Thanks.
Top
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 22401
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:
Contact anav

Re: Wireguard: Cannot reach Internal LAN

Sun Jun 11, 2023 3:21 pm

Hmm I swore it was not the case, but after checking for the 10th time LOL, It does indeed look fine.
My observations regarding the port numbers still stands to have clear difference. ( first half of post 6 )

Did you try setting both peers to .X/32 vice 0/30 for allowed addresses ???
Top
 
Datanav
just joined
Topic Author
Posts: 24
Joined: Mon Jul 15, 2019 8:06 pm
Location: Nairobi, Kenya
Contact:
Contact Datanav

Re: Wireguard: Cannot reach Internal LAN

Mon Jun 12, 2023 9:59 am

Update:
@anav the solutions did not work, was forced to revert back to using ipsec since I don't have enough time to troubleshoot the issue.

Thanks for taking your time to have a look at my issue and for trying to help me out. Totally appreciated.
Top
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 22401
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:
Contact anav

Re: Wireguard: Cannot reach Internal LAN

Mon Jun 12, 2023 2:28 pm

Okay when you get more time, I am willing to assist, skype, discord, teamviewer etc............. it should work!!
Top
 
Datanav
just joined
Topic Author
Posts: 24
Joined: Mon Jul 15, 2019 8:06 pm
Location: Nairobi, Kenya
Contact:
Contact Datanav

Re: Wireguard: Cannot reach Internal LAN

Mon Jul 03, 2023 4:06 pm

@Anav
I want to revisit this issue. Let me know how we can connect and maybe schedule a session we go through the setup. Would like also to know how to connect link wireguard via CGNAT.

Thanks
Top
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 22401
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:
Contact anav

Re: Wireguard: Cannot reach Internal LAN

Mon Jul 03, 2023 6:29 pm

CGNAT isnt possible that I am aware of....... only as a client but not as a Server in that
a. its not a public IP
b. assuming you cannot forward a port on that type of device.
Top
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 22401
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:
Contact anav

Re: Wireguard: Cannot reach Internal LAN

Mon Jul 03, 2023 6:32 pm

anav_ds on discord in Mikrotik forum, contact me there........
Top
Post Reply
  4. RouterOS
  5. Beginner Basics