My network infrastructure is as follows:
3 ISP with fixed public IPs
- ISP 1 connected via a PPPOE connection
- ISP 2 and 3 connected to the router via the DHCP client of the router (the IP is fixed on the DHCP server of the box)
The ISP 3 box does not allow the configuration in Bridge mode, so the NAT is configured so that all the ports are redirected to the router.
On the router:
4 vlans with each a specific IP addressing.
Bridges are not used.
IP/SEC configuration IKE2 is not used.
In the firewall rules, nat and mangle are configured.
Customers who will have to use the VPN are under macOS, iOS, Windows and Android.
Objective :
Connect to VPN to access the WAN using public IP which allows access to VPS servers.
The problem lies in the configuration of the Wireguard VPN.
Public and private keys are properly configured.
Handshake is not visible in Winbox, but there is sometimes RX and TX traffic.
The customer (Android) indicates that the connection is established, but impossible to have access to the WAN.
Is this a problem in the rules of the Firewall?
A road problem?
It's been a while since I make lots of manipulations, and I admit that it becomes painful.
Does anyone have the kindness of looking at my configuration to help me, please?
Any advice, any help will be welcome.
Thanks in advance
As an attachment my config.
-
-
Alpha7456321
just joined
- Posts: 4
- Joined:
Wireguard not connected with Multiple WAN
You do not have the required permissions to view the files attached to this post.
Re: Wireguard not connected with Multiple WAN
SUMMARY Wireguard is not the main problem!!
1. Why do you lie about the facts??
Quote: "On the router:
4 vlans with each a specific IP addressing.
Bridges are not used.
IP/SEC configuration IKE2 is not used."
From config:
/interface bridge
add name=bridge_EURAFIBRE
add name=bridge_FREE
add name=bridge_LAN_MANAGEMENT
add name=bridge_ORANGE
/interface bridge port
add bridge=bridge_LAN_MANAGEMENT interface=ether1_LAN_MANAGEMENT
add bridge=bridge_EURAFIBRE frame-types=admit-only-vlan-tagged interface=\
sfp-sfpplus7_VLAN10_FREE2 pvid=10
add bridge=bridge_EURAFIBRE frame-types=admit-only-vlan-tagged interface=\
sfp-sfpplus12_VLAN20_FREE2 pvid=20
add bridge=bridge_ORANGE frame-types=admit-only-vlan-tagged interface=\
sfp-sfpplus9_VLAN30_ORANGE pvid=30
add bridge=bridge_FREE frame-types=admit-only-vlan-tagged interface=\
sfp-sfpplus11_VLAN40_FREE pvid=4
/interface bridge vlan
add bridge=bridge_FREE disabled=yes tagged=\
bridge_FREE,sfp-sfpplus11_VLAN40_FREE vlan-ids=40
2. Furthermore you completely mix up vlans and bridges when the vlans are assigned to etheport interfaces and not the bridges....
3. The solution is ONE bridge all vlans including the management LAN. The bridge should no dhcp!
4. Two recommendations
a. read this thread for how to: viewtopic.php?p=1111667#p1111667
b. take one port off the bridge and make it an offbridge safe access point to config vlan bridge filtering.
/interface ethernet
set [ find default-name=ether5 ] name=OffBridge
/ip address
add address=192.168.65.1/29 interface=OffBridge5 network=192.168.65.0
/interface list member
add interface=Offbridge5 list=LAN
Now plug in your laptop into ether5, change ipv4 settings to 192.168.65.2 and you should be in!!!
1. Why do you lie about the facts??
Quote: "On the router:
4 vlans with each a specific IP addressing.
Bridges are not used.
IP/SEC configuration IKE2 is not used."
From config:
/interface bridge
add name=bridge_EURAFIBRE
add name=bridge_FREE
add name=bridge_LAN_MANAGEMENT
add name=bridge_ORANGE
/interface bridge port
add bridge=bridge_LAN_MANAGEMENT interface=ether1_LAN_MANAGEMENT
add bridge=bridge_EURAFIBRE frame-types=admit-only-vlan-tagged interface=\
sfp-sfpplus7_VLAN10_FREE2 pvid=10
add bridge=bridge_EURAFIBRE frame-types=admit-only-vlan-tagged interface=\
sfp-sfpplus12_VLAN20_FREE2 pvid=20
add bridge=bridge_ORANGE frame-types=admit-only-vlan-tagged interface=\
sfp-sfpplus9_VLAN30_ORANGE pvid=30
add bridge=bridge_FREE frame-types=admit-only-vlan-tagged interface=\
sfp-sfpplus11_VLAN40_FREE pvid=4
/interface bridge vlan
add bridge=bridge_FREE disabled=yes tagged=\
bridge_FREE,sfp-sfpplus11_VLAN40_FREE vlan-ids=40
2. Furthermore you completely mix up vlans and bridges when the vlans are assigned to etheport interfaces and not the bridges....
3. The solution is ONE bridge all vlans including the management LAN. The bridge should no dhcp!
4. Two recommendations
a. read this thread for how to: viewtopic.php?p=1111667#p1111667
b. take one port off the bridge and make it an offbridge safe access point to config vlan bridge filtering.
/interface ethernet
set [ find default-name=ether5 ] name=OffBridge
/ip address
add address=192.168.65.1/29 interface=OffBridge5 network=192.168.65.0
/interface list member
add interface=Offbridge5 list=LAN
Now plug in your laptop into ether5, change ipv4 settings to 192.168.65.2 and you should be in!!!
Re: Wireguard not connected with Multiple WAN
1. Which WAN will customers use to acccess your wireguard?
2. your firewall rules need work
for example you have two rules that are redundant.
--> add action=drop chain=input comment="WANs : protection DNS" dst-port=53 \
in-interface-list=Liste_WANs protocol=tcp
add action=drop chain=input comment="WANs : protection DNS" dst-port=53 \
in-interface-list=Liste_WANs protocol=udp
AND
add action=drop chain=input comment="Drop all not from LANs" \
in-interface-list=!Liste_LANs
The first rules (port 53) can be removed as the second rule already does the same thing and more. ALL ports coming in on the WAN LOL.
3. The order of the firewall rules in both chains need work.
4. WHY do you have duplicate rules for DSTNAT rules, port forwarding, these two are incorrect and should be removed.
add action=dst-nat chain=dstnat comment=ALARME dst-port=33333 protocol=udp \
to-addresses=172.16.0.13 to-ports=33333
add action=dst-nat chain=dstnat dst-port=33333 protocol=tcp to-addresses=\
172.16.0.13 to-ports=33333
5. Are you ONLY using WAN3 for port forwarding?
6. State clearly the purpose of each of your mangling sets of rules, me thinks those are also wrong.
2. your firewall rules need work
for example you have two rules that are redundant.
--> add action=drop chain=input comment="WANs : protection DNS" dst-port=53 \
in-interface-list=Liste_WANs protocol=tcp
add action=drop chain=input comment="WANs : protection DNS" dst-port=53 \
in-interface-list=Liste_WANs protocol=udp
AND
add action=drop chain=input comment="Drop all not from LANs" \
in-interface-list=!Liste_LANs
The first rules (port 53) can be removed as the second rule already does the same thing and more. ALL ports coming in on the WAN LOL.
3. The order of the firewall rules in both chains need work.
4. WHY do you have duplicate rules for DSTNAT rules, port forwarding, these two are incorrect and should be removed.
add action=dst-nat chain=dstnat comment=ALARME dst-port=33333 protocol=udp \
to-addresses=172.16.0.13 to-ports=33333
add action=dst-nat chain=dstnat dst-port=33333 protocol=tcp to-addresses=\
172.16.0.13 to-ports=33333
5. Are you ONLY using WAN3 for port forwarding?
6. State clearly the purpose of each of your mangling sets of rules, me thinks those are also wrong.
-
-
Alpha7456321
just joined
- Posts: 4
- Joined:
Re: Wireguard not connected with Multiple WAN
Hello Anav,
First thank you for taking the time to answer me.
Each advice is good to take.
I did not lie about the facts: I carried out many configuration tests, and I had previously created bridges.
But as you can see, they are not used!
DHCP management on bridges was too complex to manage in comparison with VLANS.
To bring you additional elements:
To access wireguard, customers will use sfp-sfpplus4_wan_free2
You say that there are redundant rules, but they do not treat the same protocol (TCP and UDP)
Same for the DSTNAT on Port 33333.
Port Forwarding are used for SFP-SFPPLUS3_WAN_Free and SFP-SFPPLUS4_WAN_FREE2
I defined mangle rules to properly separate routes from each VLAN which correspond to a separate ISP.
The joint diagram may be more explicit.
First thank you for taking the time to answer me.
Each advice is good to take.
I did not lie about the facts: I carried out many configuration tests, and I had previously created bridges.
But as you can see, they are not used!
DHCP management on bridges was too complex to manage in comparison with VLANS.
To bring you additional elements:
To access wireguard, customers will use sfp-sfpplus4_wan_free2
You say that there are redundant rules, but they do not treat the same protocol (TCP and UDP)
Same for the DSTNAT on Port 33333.
Port Forwarding are used for SFP-SFPPLUS3_WAN_Free and SFP-SFPPLUS4_WAN_FREE2
I defined mangle rules to properly separate routes from each VLAN which correspond to a separate ISP.
The joint diagram may be more explicit.
You do not have the required permissions to view the files attached to this post.
Re: Wireguard not connected with Multiple WAN
@alpha,
if yes, then maybe the problem could be somewhere between
- wg client routing config. else
- could be on the tunnel server routing config. else
- could be on the tunnel server firewall settings.
try to traceroute from your wg client - the output will tell you the failed point.
have a try and good luck
the simplest way is just to look at the state of your wg interface whether is up or down - at your winboxHandshake is not visible in Winbox, but there is sometimes RX and TX traffic.
did you mean - you want to create a tunnel server which accessed from the internet and go back to internet?The customer (Android) indicates that the connection is established, but impossible to have access to the WAN.
if yes, then maybe the problem could be somewhere between
- wg client routing config. else
- could be on the tunnel server routing config. else
- could be on the tunnel server firewall settings.
try to traceroute from your wg client - the output will tell you the failed point.
have a try and good luck
-
-
Alpha7456321
just joined
- Posts: 4
- Joined:
Re: Wireguard not connected with Multiple WAN
Hi,
The objective is that users connect to VPN to access external servers (VPS) with the public IP of the ISP.
The firewall of these servers allows access only to this public IP.
The Wireguard interface is up, and there is sometimes a little traffic.
The customer indicates that it is connected, but yet there is no internet access and no ping or traceout is possible.
I cannot identify the problem.
The objective is that users connect to VPN to access external servers (VPS) with the public IP of the ISP.
The firewall of these servers allows access only to this public IP.
The Wireguard interface is up, and there is sometimes a little traffic.
The customer indicates that it is connected, but yet there is no internet access and no ping or traceout is possible.
I cannot identify the problem.
Re: Wireguard not connected with Multiple WAN
Without a diagram I have no clue what your network looks like.
Are these customers remotely connecting to your MT router to use your internet?
Are the customers behind the MT router and connecting to your CHR in the cloud to get internet
Are the customers behind the MT router and connecting to your connection to a third party VPN provider ??
Are these customers remotely connecting to your MT router to use your internet?
Are the customers behind the MT router and connecting to your CHR in the cloud to get internet
Are the customers behind the MT router and connecting to your connection to a third party VPN provider ??