catsir
just joined
Topic Author
Posts: 19
Joined: Sat Mar 11, 2023 8:24 am

WireGuard cannot access specific LAN devices

Tue Jun 27, 2023 12:57 pm

I'm using WireGuard to connect to the MT. I can't access the Ubuntu machine (192.168.2.3) on the LAN, but I can access the NAS on the LAN.
I tried pinging Ubuntu from the MT and it works fine.

I think this is the same problem as mine, but it was not fixed:
viewtopic.php?p=1007978&hilit=wireguard+Lan#p1007978

I tried tcpdump on Ubuntu; I can see the traffic coming from WG, but no connection can be established.
On the MT, with
add action=log chain=forward dst-address=192.168.2.3 in-interface=wireguard1 log=yes
I can see the SYN packets coming through.


I used tracert on Win10 to trace the route.
PS C:\Users\ca> TRACERT.EXE 192.168.2.115

Tracing route to NAS [192.168.2.115]
over a maximum of 30 hops:

1 6 ms 7 ms 8 ms 10.0.2.1
2 7 ms 7 ms 7 ms NAS [192.168.2.115]

PS C:\Users\ca> TRACERT.EXE 192.168.2.3

Tracing route to 192.168.2.3 over a maximum of 30 hops

1 6 ms 6 ms 6 ms 10.0.2.1
2 * * * Request timed out.

I will update my firewall rules later. Thanks for any help.
/ip firewall filter
add action=accept chain=input comment="allow lan ping" in-interface=bridge1 protocol=icmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=input comment="allow upnp" dst-port=1900 in-interface=bridge1 protocol=udp src-address-list=!upnp
add action=drop chain=input comment="allow upnp" dst-port=2828 in-interface=bridge1 protocol=tcp src-address-list=!upnp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="Drop Ax3600 dns " dst-port=53 protocol=udp src-address=192.168.2.96 src-address-list=""
add action=accept chain=input comment="allow gatwayarrp input" in-interface=vrrp1
add action=accept chain=input comment="allow dnsarrp input" in-interface=vrrp2
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="allow internet" in-interface-list=Lan out-interface-list=Wan
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=input comment="allow WireGuard" dst-port=13231 in-interface=pppoe-out1 protocol=udp
add action=accept chain=input comment="allow WireGuard traffic" in-interface=wireguard1
add action=accept chain=forward comment="WG to LAN" in-interface=wireguard1 out-interface=bridge1
add action=accept chain=forward connection-nat-state=dstnat
add action=drop chain=input comment="drop wan dns search" dst-port=53 in-interface=pppoe-out1 protocol=udp
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=pppoe-out1
add action=drop chain=input comment="drop all wan" in-interface=pppoe-out1
add action=drop chain=forward comment="Drop all else" log=yes


/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.1.0/24 src-address=192.168.2.0/24
add action=masquerade chain=srcnat out-interface-list=Wan
add action=dst-nat chain=dstnat comment="to22" dst-port=2222 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.2.3 to-ports=22
add action=dst-nat chain=dstnat comment="to10001" dst-port=10001 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.2.3 to-ports=10001
add action=dst-nat chain=dstnat dst-port=4500 in-interface=pppoe-out1 protocol=udp to-addresses=192.168.2.3 to-ports=4500
add action=dst-nat chain=dstnat dst-port=500 in-interface=pppoe-out1 protocol=udp to-addresses=192.168.2.3 to-ports=500
add action=dst-nat chain=dstnat dst-port=3333 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.2.99 to-ports=22
add action=dst-nat chain=dstnat dst-port=33066 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.2.3 to-ports=3002

/ip firewall raw
add action=add-src-to-address-list address-list=PSD address-list-timeout=none-dynamic chain=prerouting comment="psd" in-interface=\
    pppoe-out1 protocol=tcp psd=21,3s,3,1
add action=drop chain=prerouting comment="" src-address-list=PSD

/interface list member
add interface=bridge1 list=Lan
add interface=vrrp1 list=Lan
add interface=vrrp2 list=Lan
add interface=wireguard1 list=Lan
add interface=pppoe-out1 list=Wan

/ip address
add address=192.168.2.1/24 interface=bridge1 network=192.168.2.0
add address=192.168.1.2/24 interface=wan network=192.168.1.0
add address=192.168.2.4/24 comment=gatway interface=vrrp1 network=192.168.2.0
add address=192.168.2.5/24 comment=dns interface=vrrp2 network=192.168.2.0
add address=10.0.2.1/24 interface=wireguard1 network=10.0.2.0


Last edited by catsir on Tue Jun 27, 2023 6:56 pm, edited 8 times in total.
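As an added example (not from catsir's post, and not a MikroTik tool), here is a small first-match walker in Python over the forward-chain rules and interface-list members copied from the export above. It models a subset of RouterOS rule matching (in/out interface and interface list, src/dst address or CIDR, protocol, dst-port, connection-state, connection-nat-state, ipsec-policy; fasttrack-connection and log pass through, accept/drop/reject terminate) and reports which rule decides a packet. The packets are constructed for the demonstration: a WireGuard client at 10.0.2.2 (assumed address), the destination port 22, and an unsolicited WAN source 203.0.113.5. Running it shows that this forward chain gives the same verdict for 192.168.2.3 and 192.168.2.115, accept by "WG to LAN", so the difference between the two hosts is not decided by these filter rules.

```python
# Added example: a simplified first-match evaluator for a RouterOS
# /ip firewall filter export. Not MikroTik code; only the matchers in
# MATCHERS are modelled, every other key (comment, log, hw-offload) is ignored.
import ipaddress
import shlex

# Forward-chain rules copied verbatim from the posted export.
FILTER_EXPORT = """
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="allow internet" in-interface-list=Lan out-interface-list=Wan
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="WG to LAN" in-interface=wireguard1 out-interface=bridge1
add action=accept chain=forward connection-nat-state=dstnat
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=pppoe-out1
add action=drop chain=forward comment="Drop all else" log=yes
"""
# /interface list member, copied from the post.
INTERFACE_LISTS = {"Lan": {"bridge1", "vrrp1", "vrrp2", "wireguard1"},
                   "Wan": {"pppoe-out1"}}

TERMINATING = {"accept", "drop", "reject"}   # fasttrack-connection/log pass through
# rule key -> packet field it is compared against
MATCHERS = {"in-interface": "in_iface", "out-interface": "out_iface",
            "in-interface-list": "in_iface", "out-interface-list": "out_iface",
            "src-address": "src", "dst-address": "dst", "protocol": "proto",
            "dst-port": "dport", "connection-state": "conn_state",
            "connection-nat-state": "nat_state", "ipsec-policy": "ipsec"}


def parse_rules(export):
    """Turn 'add key=value ...' lines into dicts; shlex keeps quoted comments whole."""
    rules = []
    for line in export.strip().splitlines():
        tokens = shlex.split(line)
        if tokens and tokens[0] == "add":
            rules.append(dict(t.split("=", 1) for t in tokens[1:] if "=" in t))
    return rules


def _match_one(key, wanted, packet):
    """Evaluate a single matcher, honouring the '!' negation prefix."""
    negate = wanted.startswith("!")
    wanted = wanted.lstrip("!")
    actual = packet.get(MATCHERS[key])
    if key.endswith("-list"):
        hit = actual in INTERFACE_LISTS.get(wanted, set())
    elif key in ("src-address", "dst-address"):
        hit = actual is not None and ipaddress.ip_address(actual) in ipaddress.ip_network(wanted, strict=False)
    elif key in ("connection-state", "dst-port"):
        hit = actual in wanted.split(",")        # rule may list several values
    else:
        hit = actual == wanted
    return hit != negate


def evaluate(rules, chain, packet):
    """Return (action, comment) of the first terminating rule that matches.
    A chain with no match falls through to RouterOS' default accept."""
    for rule in rules:
        if rule.get("chain") != chain:
            continue
        if all(_match_one(k, v, packet) for k, v in rule.items() if k in MATCHERS):
            if rule["action"] in TERMINATING:
                return rule["action"], rule.get("comment")
    return "accept", None


RULES = parse_rules(FILTER_EXPORT)

# Constructed packets (first packet of a new TCP connection).
WG_TO_UBUNTU = {"in_iface": "wireguard1", "out_iface": "bridge1", "src": "10.0.2.2",
                "dst": "192.168.2.3", "proto": "tcp", "dport": "22", "conn_state": "new"}
WG_TO_NAS = dict(WG_TO_UBUNTU, dst="192.168.2.115")
WAN_UNSOLICITED = {"in_iface": "pppoe-out1", "out_iface": "bridge1", "src": "203.0.113.5",
                   "dst": "192.168.2.3", "proto": "tcp", "dport": "22", "conn_state": "new"}
WAN_DSTNAT = dict(WAN_UNSOLICITED, nat_state="dstnat")   # hit the 2222->22 dst-nat first


def verdicts():
    """Verdict of the forward chain for each constructed packet."""
    return {name: evaluate(RULES, "forward", pkt) for name, pkt in
            [("wg->ubuntu", WG_TO_UBUNTU), ("wg->nas", WG_TO_NAS),
             ("wan unsolicited", WAN_UNSOLICITED), ("wan dstnat", WAN_DSTNAT)]}


if __name__ == "__main__":
    for name, (action, comment) in verdicts().items():
        print(f"{name:16} -> {action} ({comment})")
```

Because the router's filter accepts both WireGuard flows identically, and the post's log rule already confirmed the SYNs are forwarded, the next place to look is on 192.168.2.3 itself: whether its reply to 10.0.2.0/24 is routed back through this router (its default gateway and any host firewall), which tcpdump on the Ubuntu side will show by the presence or absence of a SYN-ACK.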
 
fragtion
Member Candidate
Posts: 269
Joined: Fri Nov 13, 2009 10:08 pm
Location: Cape Town, South Africa

Re: Cannot access specific LAN devices after using wireguard

Tue Jun 27, 2023 2:09 pm

Tip: No need to type "TRACERT.EXE" each time... you can just use "tracert"
 
catsir
just joined
Topic Author
Posts: 19
Joined: Sat Mar 11, 2023 8:24 am

Re: Cannot access specific LAN devices after using wireguard

Tue Jun 27, 2023 2:24 pm

Tip: No need to type "TRACERT.EXE" each time... you can just use "tracert"
Thanks for your advice.