WireGuard AzireVPN - misbehavior

daveq · Tue Mar 21, 2023 4:32 pm

Hello,

I've already tried Mikrotik support, but they suggest to ask here...
---
I was trying to enable / add my WireGuard VPN provider AzireVPN, but is not working properly seems like

After finishing bellow steps, VPN is connected but devices working strange, some pages are not able to open - timeout , some are opening fine.
WhatIsMyIP pages - some are showing im in Sweden (VPN locaion), some shows local country IP

I assume it has something to do IPv4 vs IPv6 setting

1. Could you please suggest what / where to setup to be working correctly?
2. Next step i would like to WhiteList/select few devices / IPs to be on VPN (has PublicIP) and open few ports for those devices
3. Rest devices should be under Local IP.

Thanks!

Here is what i did following multiple guides and wiki sources:

# Adding interface with correct private key works well
/interface/wireguard/add listen-port=13231 private-key="PrivateKey1" name=wg-az-se-sto comment="AzireVPN SE-STO interface"
# Over here i've added IPs from az-se-sto.conf file, but not able to add IPv6 address or doing it wrongly
/ip/address add address=10.0.15.53/32,2a0e:1c80:1337:1:10:0:15:53/128 interface=wg-az-se-sto
# it worked only without IPv6
/ip/address add address=10.0.15.53/32 interface=wg-az-se-sto
# This was added fine
/interface/wireguard/peers/add endpoint-address=se-sto.azirevpn.net endpoint-port=51820 public-key="PublicKey1" allowed-address=0.0.0.0/0, ::/0 interface=wg-az-se-sto
# here it surprisingly accepted also IPv6 DNS
/ip dns set servers=91.231.153.2,192.211.0.2,2a0e:1c80:1337:1:10:0:0:1 allow-remote-requests=yes
# both added fine
/ip/route add dst-address=0.0.0.0/0 gateway=wg-az-se-sto
# except " se-sto.azirevpn.net " can't be added seems like, even VPN provider strongy suggest to use hostname , as IP might change with the time. So i had to do "ping se-sto.azirevpn.net " to get IP 45.15.16.52
/ip/route add dst-address=45.15.16.52 gateway=10.38.166.65
# adding rule to FW
/ip firewall nat add chain=srcnat action=masquerade out-interface=wg-az-se-sto
# adding rule to FW to allow WG traffic
/ip firewall filter add action=accept chain=output comment="allow WireGuard" dst-address=45.15.16.52 dst-port=51820 protocol=udp place-before=1

[Interface]
PrivateKey = PrivateKey1
Address = 10.0.15.53/32, 2a0e:1c80:1337:1:10:0:15:53/128
DNS = 91.231.153.2, 192.211.0.2, 2a0e:1c80:1337:1:10:0:0:1

[Peer]
PublicKey = PublicKey1
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = se-sto.azirevpn.net:51820

se-sto.azirevpn.net = 45.15.16.52

anav · Wed Mar 22, 2023 3:39 am

Is your network ipv6? if so cannot help as not fluent in such language.

daveq · Wed Mar 22, 2023 10:37 am

Hi,

No i have mostly IPv4, but IPv6 is not disabled (yet)

anav · Wed Mar 22, 2023 1:08 pm

When ready to not use ipv6, as stated can help troubleshoot.
In the meantime checkout PARA 7 and PARA 9 (D) -- viewtopic.php?t=182340

daveq · Thu Mar 30, 2023 5:23 pm

Hi, I went finally through the guide, but probably i have still something wrong.
If someone would be that kind and check it, suggest what to change...over 2 month reading and not going any much furter

1. Some pages stopped to load (eg. duckduckgo.com) , google.com loads fine, not sure if DNS, something cached or FW problems is causing it...
2. After applying suggested settings, Can't connect to MT via IP now , only via MAC
3. Soon as is working normally - I would like to WhiteList/select few devices / IPs to be on VPN (has PublicIP) and open few ports for those devices
Rest devices should be under Local Provider IP.

I'm using 3rd party VPN provider

This is the "former" code to add VPN WG

# Adding interface with correct private key works well
/interface/wireguard/add listen-port=13231 private-key="PrivateKey1" name=wg-az-se-sto comment="AzireVPN SE-STO interface"
# Over here i've added IPs from az-se-sto.conf file, but not able to add IPv6 address or doing it wrongly
/ip/address add address=10.0.15.53/32,2a0e:1c80:1337:1:10:0:15:53/128 interface=wg-az-se-sto
# it worked only without IPv6
/ip/address add address=10.0.15.53/32 interface=wg-az-se-sto
# This was added fine
/interface/wireguard/peers/add endpoint-address=se-sto.azirevpn.net endpoint-port=51820 public-key="PublicKey1" allowed-address=0.0.0.0/0, ::/0 interface=wg-az-se-sto
# here it surprisingly accepted also IPv6 DNS
/ip dns set servers=91.231.153.2,192.211.0.2,2a0e:1c80:1337:1:10:0:0:1 allow-remote-requests=yes
# both added fine
/ip/route add dst-address=0.0.0.0/0 gateway=wg-az-se-sto
# except " se-sto.azirevpn.net " can't be added seems like, even VPN provider strongy suggest to use hostname , as IP might change with the time. So i had to do "ping se-sto.azirevpn.net " to get IP 45.15.16.52
/ip/route add dst-address=45.15.16.52 gateway=10.38.166.65
# adding rule to FW
/ip firewall nat add chain=srcnat action=masquerade out-interface=wg-az-se-sto
# adding rule to FW to allow WG traffic
/ip firewall filter add action=accept chain=output comment="allow WireGuard" dst-address=45.15.16.52 dst-port=51820 protocol=udp place-before=1

Config from VPN provider

[Interface]
PrivateKey = PrivateKey1
Address = 10.0.15.53/32, 2a0e:1c80:1337:1:10:0:15:53/128
DNS = 91.231.153.2, 192.211.0.2, 2a0e:1c80:1337:1:10:0:0:1

[Peer]
PublicKey = PublicKey1
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = se-sto.azirevpn.net:51820

#had to find real IP in order to use it in Mikrotik
ping se-sto.azirevpn.net = 45.15.16.52

Then i've added

/routing table
add disabled=no fib name=useWG

/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=se-sto.azirevpn.net \
    endpoint-port=51820 interface=wg-az-se-sto persistent-keepalive=40s \
    public-key="PublicKey1"

/ip address
add address=10.0.15.53/24 interface=wg-az-se-sto network=10.0.15.0

/ip firewall filter
add action=accept chain=forward in-interface=bridge out-interface=\
    wg-az-se-sto
add action=accept chain=output comment="allow WireGuard" disabled=yes \
    dst-address=45.15.16.52 dst-port=51820 protocol=udp
    
    /routing rule
add action=lookup disabled=no src-address=192.168.10.0/24 table=useWG

added also whole export "anonymized"

Thanks

404Network · Thu Mar 30, 2023 8:38 pm

(1) REMOVE THIS RULE, no need for it.
add action=accept chain=output comment="allow WireGuard" disabled=yes \
dst-address=45.15.16.52 dst-port=51820 protocol=udp

(2) Add persistent keep alive to your peer settings lets say 35 seconds. ( oops I see you have one already, all good )

(3) For endpoint use se-sto.azirevpn.net

GO TO FIREWALL ADDRESS LIST and create one call it 3rdPartyVPN, so that you can see the resolve at any time
The address may change so using a fixed IP is not the best solution.

aka DO NOT USE the number!! The config you posted seems fine as it uses the address....

(4) Modify your DNS rules .........
From:
/ip dhcp-server network
add address=192.168.10.0/24 comment="VPN DNS Servers" dns-server=192.168.10.1 \
gateway=192.168.10.1

TO:
/ip dns
set allow-remote-requests=yes servers=\
1.1.1.1, 9.9.9.9 { or whatever public DNS you prefer }

AND
From:
/ip dhcp-server network
add address=192.168.10.0/24 comment="VPN DNS Servers" dns-server=192.168.10.1 \
gateway=192.168.10.1
TO:
/ip dhcp-server network
add address=192.168.10.0/24 comment="VPN DNS Servers" dns-server= 91.231.153.2,192.211.0.2 \
gateway=192.168.10.1

NOTE: The router itself needs a proper DNS setting and we only need to ensure bridge entries use the DNS in question.

(5) FIXED FIREWALL RULES. Note, ORDER is important within a chain!!!!
INPUT CHAIN
( got rid of output rule, not required , you had handshake input rule disabled??, block dns rules were redundant and removed, --> allow all traffic from LAN then drop all else!! )
( your input rules for SSH and winbox were dangerous and removed, and also not required as LAN access is already available.)
FORWARD CHAIN
( added bridge to wan access, a proper separated allow port forwarding rule and then drop all else rule)

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input disabled=no dst-port=51820 in-interface=\
    ether1-WAN protocol=udp
add action=accept chain=input comment="defconf: allow all coming from LAN" \
   in-interface-list=LAN
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward in-interface=bridge out-interface=\
    WAN
add action=accept chain=forward in-interface=bridge out-interface=\
    wg-az-se-sto
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat 
add action=drop  chain=forward comment="drop all else"

...

(6) NO MANGLING REQUIRED, remove all mangling rules concerning the connection, it seems like they are for other bogus reasons.
In order to troubleshoot your wireguard, disable mangling rules for now !!

(7) CLEANING UP NAT ( remove rule in orange )
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Google DNS Force" disabled=yes \
dst-port=53 protocol=udp to-addresses=8.8.8.8 to-ports=53
add action=masquerade chain=srcnat out-interface=wg-az-se-sto

Okay I see you do have the critical rule, put it at the top so its visible. aka for nothing else organize the view of your config!!

(8) WHAT are these port forwarding rules for ????
add action=dst-nat chain=dstnat comment=Lox dst-port=6789 in-interface=\
ether1-WAN log=yes log-prefix=Lox protocol=tcp to-addresses=\
192.168.10.100 to-ports=6789
add action=dst-nat chain=dstnat comment="Transmission BT" dst-port=\
6665 in-interface=ether1-WAN log=yes protocol=tcp to-addresses=\
192.168.10.101 to-ports=9911

Remember, if you have incoming traffic on the WAN, you are FORCING TRAFFIC into the TUNNEL.
Thus how do you expect the return traffic from bridge devices will then go back out WAN ????? See 12.

(9) WHERE IS WAN IP route. It will not be visible if you have selected default route in IP DHCP Client. So will assume you have, otherwise you need a manual IP route.
AND GET RID OF BOGUS ROUTE.
add dst-address=45.15.16.52 gateway=10.38.166.65

/ip route
add dst-address=0.0.0.0/0 gwy=ISP_gwy_IP routing-table=main { ex of manual route, probably not necessary if route already exists }
add dst-address=0.0.0.0/0 gwy=wg-az-se-sto routing-table=useWG

(11 ) ROUTING RULE IS WRONG
From:
add action=lookup disabled=no src-address=192.168.20.0/24 table=useWG
TO:
add action=lookup disabled=no src-address=192.168.10.0/24 table=useWG

(12)
Need two additional routing rules for your port fowarding to work.......... ORDER is key.

/routing rule
add action=lookup-only-in-table src-address=192.168.10.100 table=main
add action=lookup-only-in-table src-address=192.168.10.101 table=main
add action=lookup src-address=192.168.10.0/24 table=useWG

daveq · Fri Mar 31, 2023 3:03 pm

Hello,

Thanks for helping out, i tried to put all modifications as you suggested.

duckduckgo.com, mail.proton.me still not loading
PortFWD doesnt work now
All devices are on VPN Sweden location and most of pages working so far except few

Here are some details:

1. removed

2. 35s set

3. used se-sto.azirevpn.net and seems like it's resolving it's IP , does it somehow read / add into the WG settings? As provider is using only "se-sto.azirevpn.net"
This way i'll add later other Locations

Capture.JPG

4. Done, used Google DNS for test 8.8.8.8 and 8.8.4.4
Formerly i had VPN DNS servers as default for all traffic

5. Used your FW rules, removed mine

6. Mangling disabled - i guess i added them follow some guide to identify type of traffic

7. removed

8. Those are local servers which i want to access from Internet, those rules were working fine.
Plan is to add few more with WG and it's WG Public IP , add few servers to be reachable via duckdns.org address
So some stay on Provider Public IP and some will be on WG VPN Public IP

9. Done

10.
/ip route
add dst-address=0.0.0.0/0 gwy=ISP_gwy_IP routing-table=main { ex of manual route, probably not necessary if route already exists }
add dst-address=0.0.0.0/0 gwy=wg-az-se-sto routing-table=useWG

[admin@MikroTik_Ax3] > /ip route
[admin@MikroTik_Ax3] /ip/route> add dst-address=0.0.0.0/0 gateway=wg-az-se-sto routing-table=useWG
[admin@MikroTik_Ax3] /ip/route>

routes.png

11. Yeah realized that later that day also

12. Without WG VPN enabled PortFWD were working,
but added them as suggested, seems like not working now, just tried

404Network · Fri Mar 31, 2023 3:43 pm

(1) Remove the static entry
/ip dns static
add address=192.168.10.1 comment=defconf name=router.lan

(2) Check out the copy job,, If I drop all traffic at the end how is any traffic going to out out your own WAN (aka the return traffic from external users).
So using logic as well as attention to detail.

Your config
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input dst-port=51820 in-interface=ether1-WAN \
protocol=udp
add action=accept chain=input comment="defconf: allow all coming from LAN" \
in-interface-list=LAN
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward in-interface=bridge out-interface=\
wg-az-se-sto
add action=accept chain=forward comment="port forwarding" \
connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

My CONFIG recommendation:
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input disabled=no dst-port=51820 in-interface=\
ether1-WAN protocol=udp
add action=accept chain=input comment="defconf: allow all coming from LAN" \
in-interface-list=LAN
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward in-interface=bridge out-interface=\
WAN
add action=accept chain=forward in-interface=bridge out-interface=\
wg-az-se-sto
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

(3) I dont get it, you clearly are not reading or thinking. I stated that ORDER is critical in routing rules.
I stated that for the return traffic from servers to reach back to the WAN they would need to be PRIOR to the rule forceing ALL bridge traffic out the WAN so what did you do???

/routing rule
add action=lookup disabled=no src-address=192.168.10.0/24 table=useWG
add action=lookup-only-in-table src-address=192.168.10.100 table=main { WRONG this will never be used all traffic goes out wg }
add action=lookup-only-in-table src-address=192.168.10.101 table=main { WRONG this rule will never be used all traffic goes out wg }

What I had provided:
/routing rule
add action=lookup-only-in-table src-address=192.168.10.100 table=main { server traffic gets out local WAN as required }
add action=lookup-only-in-table src-address=192.168.10.101 table=main { server traffic gets out local WAN as required }
add action=lookup src-address=192.168.10.0/24 table=useWG { rest of bridge traffic goes out wg }

daveq · Fri Mar 31, 2023 4:58 pm

EDIT: PortFWD working agian

Just some of the webpages are still issue

1. removed completely

2. Seems like this was mistake i had to modify:
FROM:
add action=accept chain=forward in-interface=bridge out-interface=WAN
TO:
add action=accept chain=forward in-interface=bridge out-interface=ether1-WAN

Hopefully now correct all

FW2.JPG

3. I entered those commands , but seem like the order is not right. How to change order? As in FW rules i'm able to change order in WinBox - mouse drag & drop
Or i need to remove them a re-add in specific order?

rules.JPG

Removed & re-added

[admin@MikroTik_Ax3] > /routing rule
[admin@MikroTik_Ax3] /routing/rule> add action=lookup-only-in-table src-address=192.168.10.100 table=m
ain
[admin@MikroTik_Ax3] /routing/rule> add action=lookup-only-in-table src-address=192.168.10.101 table=m
ain
[admin@MikroTik_Ax3] /routing/rule> add action=lookup src-address=192.168.10.0/24 table=useWG

rul2.JPG

404Network · Fri Mar 31, 2023 6:05 pm

YOu are quite correct, the config I was supposed to type is
add chain=forward action=accept in-interface=bridge out-interface-list=WAN

( your fix is equally as valid !! )

The yolk is on my face for that one!!

++++++++++++++++++++++++++++++++++

Yes the second attempt worked, the clue is looking at the rule numbers at the left hand column 0,1,2 etc....

OKAY, so you are saying its about 98% there ?? Some webpage shenanigans...........
If so try
a. changing MTU to 1500 if no joy
b. return to default 1420 and try this and then with MTU at 1500
/ip firewall mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=wg-az-se-sto passthrough=yes protocol=tcp tcp-flags=syn

c. if no joy set MTU to 1420 and try this one.
/ip firewall mangle
add action=change-mss chain=forward new-mss=1380 out-interface=wg-az-se-sto protocol=tcp tcp-flags=syn tcp-mss=1381-65535

daveq · Fri Mar 31, 2023 10:35 pm

1. Rule 12 can be removed now? as it was wrong and should be rule 13 ?

fw3.JPG

2. With adding the command , started to work, changing to MTU 1500 didnt worked out.
/ip firewall mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=wg-az-se-sto passthrough=yes protocol=tcp tcp-flags=syn

Rest of pages are working now

fw4.JPG

Man thanks a lot!!! with the Mikrotik wiki and guides i went through i will be spending few months to accomplish this, really appreciate you time spend with this issue.

-----
3. Yes the second attempt worked, the clue is looking at the rule numbers at the left hand column 0,1,2 etc....
I see those numbers , but no option to change it or reorder in WinBox UI. Bit strange to me how it works

4. Just to confirm port fwd rules
If i'm adding extra rules:
add action=dst-nat chain=dstnat comment=Lox123 dst-port=6789 in-interface=ether1-WAN log=yes log-prefix=Lox protocol=tcp to-addresses=192.168.10.XXX to-ports=6789

Need to also add the forwarded IP.XXX into here?
/routing rule
add action=lookup-only-in-table src-address=192.168.10.XXX table=main

5. Final step how to pick / whitelist only few clients to use VPN and others stay on local IP ?

Thanks!

404Network · Sat Apr 01, 2023 1:35 am

5. How many............. a few just add them as you do the servers before the forcing out wireguard rule.

daveq · Mon Apr 03, 2023 11:51 pm

Thanks for all suggestions,

1. Router via WinBox is not reachable via local IP, only via MAC...probably need to add some additional rule into Firewall

2. I have around 50+ clients, on VPN will be 5.

I tried to add ports for Transmission and it says is not open

BT.JPG

What i've analyzed so far - ports from my "regular" IP via "ether1-WAN" are reachable via FW rules, so i assume the rule is right.

All ports via VPN "wg-az-se-sto" interface , seems NOT reachable

Thanks!

anav · Tue Apr 04, 2023 12:40 am

Not sure what you mean not reachable LOL.
Remember you are putting all traffic out wg tunnel.

SO if you try and reach the router from your LANIP 192.168.10.XX its going out the tunnel if IP based.
MAC works around it and what most people use anyway.

If you want to retain IP access, then take a port off the bridge, give it an IP address only
and add the etheport to the LAN interface list and you will be able to access by IP address.
You could also create another VLAN to access it

++++++++++++++++++++++++++++++++++++++++++++++++++++

I dont see the problem, all your port forwardings from external users should come in the local WAN, hit the 192.168.100 or 101 and go back out the local WAN.
Isnt that what you wanted??? All other users are forced out wireguard for internet!

anav · Tue Apr 04, 2023 1:04 am

Not sure what you mean by port via VPN are not available.
If you want to use servers through both VPNs that takes some more programming for sure.
RIght now any traffic exiting the servers goes out the WAN........ not VPN.

daveq · Tue Apr 04, 2023 1:07 am

Not reachable over VPN Public IP

- i'm using duckdns.org in oder to use some own hosted servers and easy remember address and be reachable from Internet
- in torrent for example you are not Active due to that http://bt.degreez.net/firewalled.html

I' able to be in VPN tunnel -> data out, but i need also data IN <- via some ports

Another benefit
AzireVPN gives me Public IP and i dont need to have additional paid Public IP from my provider.

Hope it make sense

----
MAC for mikrotik is not easy to remember that's why i use Local IP

VLAN - no experience with that yet...

---

I dont see the problem, all your port forwardings from external users should come in the local WAN, hit the 192.168.100 or 101 and go back out the local WAN.
Isnt that what you wanted??? All other users are forced out wireguard for internet!

Some services run over local WAN, some need to go over WG VPN interface as described above

40 clients - Via regular WAN / Local Provider IP
5 clients - Via VPN only / Azire IP - example some content on AndroidTV on netflix,iptv etc i can chose Country to unlock the view option

anav · Tue Apr 04, 2023 4:05 am

Okay, as for mac, it shows automatically on neighbours on winbox, no need to memorize just select it.

Just for giggles try this to see if it works.

/routing rules. ( in correct order of course )

[1st] add action=lookup-only-in-table dst-address=10.0.15.0/24 src-address=192.168.10.100 table=useWG { allow return traffic to wg server clients } *****
[2nd] add action=lookup-only-in-table src-address=192.168.10.100 table=main { allow return traffic out through local wan }
[3rd] add action=lookup-only-in-table src-address=192.168.10.101 table=main { allow return traffic out through local wan }
[4th] add action=lookup src-address=192.168.10.0/24 table=useWG { last rule to force rest of bridge out wg tunnel }

***** assumes you are sourcnatting the traffic from the WG server to your router. In other words your internal server doesnt see other public IPs but sees a wireguard source address for this rule to work.

+++++++++++++++++++++++++++

daveq · Tue Apr 04, 2023 1:24 pm

Tried, but still not PortFWD via VPN

Removed former rules

Routing1.JPG

Added suggested:

Routing2.JPG

Tried those options:

FW1.png

Even tried to disable working rules, if they dont interfere each other

FW2.png

anav · Tue Apr 04, 2023 1:42 pm

Why are you trying to port forward the wg traffic coming in on the MT?
The traffic coming in on WG is already on the LAN so to speak........
The port forwarding or moving the traffic appropriately into the WG tunnel and towards the MT is done at the azure site.

The only rule really needed at the MT end is a firewall rule.
add action=forward chain=forward in-interface=wireguard dst-address-list=serverlist

where server list contains .100 and.101 for example.

daveq · Tue Apr 04, 2023 1:46 pm

ADD:

What i've also noticed even whole traffic should be currently over WG VPN,

My Duckdns docker (which is regularly updating IP) based on Server IP.101 is sharing PublicIP and NOT VPN IP
even i tried directly VPN IP:port doesnt work.

More and more confusion for me

anav · Tue Apr 04, 2023 1:49 pm

It is not clear what you are trying to accomplish or what you want to accomplish or provide in terms of traffic.

I thought the duckgo was an IP address for your azure link as you stated they give you a public IP and you use duckgo to send users to that public IP.

The question is what happens to users once they arrive at azure.......... That is the missing link you do not understand nor I.

+++++++++++++++++++++++++++++++++++++++++++++++

Why are you using duckgo docker when you already have a domain name via IP cloud for the mikrotik????
In any case, that doesnt explain how users find the public IP of the azure???

anav · Tue Apr 04, 2023 1:52 pm

You really need to
a. understand the requirements and articulate them for all users/devices based on traffic flow not on the config or equipment.
b. you need to provide a network diagram showing all the connections
c. you need to better explain what you are doing at azure site. ( what services they provide, etc....)

daveq · Tue Apr 04, 2023 2:29 pm

DuckDNS i'm using for years, not aware of any other option in Mikrotik
DuckDNS run as docker on server, where the server was formerly on VPN, so it shared VPN IP to DuckDNS so i had always actual VPN IP
Therefore some services were reachable via usernameX.duckdns.org:PORT
---Currently even Server is on VPN IP, Duckdns is getting NON VPN Public IP - this i don't understand why...all current setting is all traffic over VPN tunel, isnt it?

Here is the quick graph, not a network specialist, hopefully it's clear what i want to achieve

graph.png

EDIT:
Before i had Asus RT-88AX router, i was on OpenVPN, but Asus NAND chip weared out from some reason, so i moved to Mikrotik. MT doesnt support UDP on OpenVPN.
WG protocol is "newer better" so i've switched to this

Comparing to Asus is really next level to setup here VPN and PortFWD.

My setup on Asus was something like this:

iptables -I FORWARD -i br0 -o tun11 -j ACCEPT
iptables -I FORWARD -i tun11 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o vlan1 -j DROP
iptables -I INPUT -i tun11 -j REJECT
iptables -t nat -A POSTROUTING -o tun11 -j MASQUERADE

# Service A(9977,55552,55553)
iptables -I FORWARD -i tun11 -p tcp -d 192.168.10.101 -m multiport --dports 9977,55552,55553 -j ACCEPT
iptables -I FORWARD -i tun11 -p udp -d 192.168.10.101 -m multiport --dports 55552,55553 -j ACCEPT

# Service B (9977,55552,55553)
iptables -t nat -I PREROUTING -i tun11 -p tcp -m multiport --dports 9977,55552,55553  -j DNAT --to-destination 192.168.10.101
iptables -t nat -I PREROUTING -i tun11 -p udp -m multiport --dports 55552,55553 -j DNAT --to-destination 192.168.10.101

Didn't had to setup anything else on VPN Provider (Azire) site,
basic steps login/pass
you pick country
download the *.config file , load it up (in MT still not possible)
Pick the local IP which you want to have on VPN
Set above PortFwd rules
All working...

AzireVPN has PublicIP with no blocking ports, but I've asked them again to double check.
As still no clue where is the problem to make it work

anav · Tue Apr 04, 2023 5:44 pm

The part I dont get is duck.org on docker.
Why do you have anything behind your router, it should be hosted at duck.org ???
Trying to host something behind the router while also doing vpn and forcing traffic out various ways is problematic and needs careful attention.

Duck DNS
free dynamic DNS hosted on AWS

anav · Tue Apr 04, 2023 6:22 pm

Aslo, Azire is just a VPN provider, they do not do any port forwarding there..............?????

It seems to be this is your situation.

One flat subnet at MT Router.

a. users local to router access server via LOCAL WANIP domain name YES/ NO ??
b. users local to router access server via server LANIP YES/ NO ??
c. users EXTERNAL to router access server via LOCAL WANIP Yes/No ??
d. users at c use which domain name??
e. users EXTERNAL to router access server via WG IP yes/no ??
f. users in e. use duckdns name to access WG IP yes/no ??
g. is there any reason you have to host duck dns on docker ???
h. which IP is the docker use on the MT router LAN ???
i. Do you know what IP Cloud is ???

daveq · Tue Apr 04, 2023 8:39 pm

got reply from AzireVPN support

They've changed PublicIP to SharedIP and no PortFWD option

without any notice

So we are looking for problem on MT for nothing....F****

----

I formerly applied to AzireVPN due to PublicIP on some locations and no PortFWD limitation

Local Provider has sharedIP, with only 4 ports open which i already use for some services
If i would like to have PublicIP i would have to pay extra fee. Price for PublicIP = AzireVPN with PublicIP

a. users local to router access server via LOCAL WANIP domain name - YES
b. users local to router access server via server LANIP - YES
c. users EXTERNAL to router access server via LOCAL WANIP - YES few ports open from provider , sharedIP
d. users at c use which domain name?? - Dont understand
e. users EXTERNAL to router access server via WG IP - YES when was VPN PublicIP working, used few ports
f. users in e. use duckdns name to access WG IP - YES
g. is there any reason you have to host duck dns on docker - Wasnt working on former Router, so i add it as Docker on Server
h. which IP is the docker use on the MT router LAN ? - Yes LAN
i. Do you know what IP Cloud is ??? - No experience

anav · Tue Apr 04, 2023 9:47 pm

Dont despair LOL.
By the way we would have to ensure the docker LANIP goes out the normal WAN and not into the WG tunnel for that to work in sync with the public DYNDNS duck site.
Why not juse use duck.dns in their AWS cloud ?? Still dont understand why you need a docker to manage ????

What do you use to give users your public WANIP for those coming in on the normal WAN. which domain name service do you use??

we can get this working for you.

daveq · Wed Apr 05, 2023 3:22 pm

So Azire suggested to use OpenVPN for "PublicIP" needs, from what i've read MT has many issues with OpenVPN and no support for UDP after 10y...

This way i will have 3rd PublicIP from internet to my Router...

One issue replace other...but luckily i have some support here - Thanks for that

---

duckdns in their AWS Cloud?
This is what i use:
https://hub.docker.com/r/linuxserver/duckdns/
Only feature is takes my PublicIP and update/send (each 5min) it to "user.duckdns.org" domain in order to be reachable from Internet.

I'm not running own Domain name server - if that was the question

---

What do you use to give users your public WANIP for those coming in on the normal WAN. which domain name service do you use??

I have public domain from my provider "port.providerXY.net:PORT" to which i can open those few ports - this is temporary as VPN doesn't work

In the end if VPN PublicIP would be working properly, i wouldn't need to use "port.providerXY.net:PORT" anymore...just to unique domain at "user.duckdns.org"

----

Did quick google, so this might do the trick and i don't need to use Docker anymore

https://github.com/beeyev/Mikrotik-Duck ... IP-Updater
viewtopic.php?p=421794&hilit=monitor+ip+address+duckdns

anav · Wed Apr 05, 2023 4:46 pm

Okay I dont want to delve into temporary.
Given that you have now known limitations with your VPN provider and you dont need duckdns on docker
Draw a better network diagram to describe what is going on.
Lots of choices here for drawing programs - viewtopic.php?p=908118
Also provide a line by line statement for each group or individual user requirements for traffic flow without mention of config details.

VenoyaTasha · Thu Apr 06, 2023 12:29 pm

Here are some suggestions that might help:

You could try disabling IPv6 on your Mikrotik router and see if it resolves the issue. To do so, go to "IP" > "Settings" and uncheck the "Enable IPv6" option.

To whitelist/select a few devices/IPs to be on VPN, you can create a firewall filter rule that matches the IP addresses of those devices and then apply the rule to the WireGuard interface. To open specific ports for those devices, you can also create a firewall rule that allows traffic on those ports.

For the rest of the devices, you can configure your Mikrotik router to use NAT (Network Address Translation) to assign them local IP addresses.

Hope this helps! If you have any further questions or need more specific guidance, feel free to ask.

daveq · Tue Apr 11, 2023 7:38 pm

@anav - will do hopefully within this week

@VenoyaTasha - did that in my past tests , seems like Azire WigeGuard is using IPv6 as well and then VPN connection wasn't working. But i can try again...
Anyway it won't solve the issue with port fwd - they confirmed that on Wireguard is no port FWD working at the moment.

Only option to port fwd is using OpenVPN for "specific" IPs / Clients. So basically 2 VPN connections running
As Mikrotik have issue with OpenVPN, also is not supporting UDP after like 10 years (what i've read). I need to try OpenVPN on TCP connection

Getting bit more complex vs my first idea of working concept on Asus Router

Thanks guys

daveq · Fri Apr 14, 2023 11:44 am

Before i prepare the diagram...

Is there easy way how to have 2 groups

1. group of IPs (clients) on Internet without VPN
2. group of IPs (clients) on Internet with VPN

As some "local" services don't run on abroad IPs - like IPTV for example...

Thanks

anav · Fri Apr 14, 2023 6:59 pm

I always segment groups of user by way of VLANs.
The only time this is problematic is for L2 type services mDSN streaming be it music or whatever........

Another method could be by SSID, if only a wireless requirement where SSID ties into a VLAN.

Finally the last ditch method is to create a firewall address list of all like users and then mangle/ mark their traffic.

anav · Mon Apr 24, 2023 5:28 pm

If you are able to have two vlans, dont worry about some exceptions within the vlans, you stated 5 users may be unique,
we can deal with those as well........

daveq · Mon Apr 24, 2023 6:19 pm

Hello,

Is such graph enough? or need to be more detailed with client IP range etc?

Thanks

anav · Mon Apr 24, 2023 6:34 pm

Getting there....
So the hapax gets a private WANIP from the lite beam correct?
You basically have limited options due to using unmanaged switches.

Below the AXE3, you can only host one flat subnet
to the switch to the attached lan clients of the switches to the cap acXL attached to the switch.

The AXE can utilize other subnets to provide to the lan clients directly connected and of course to clients connecting by WIFI to the AX3.

I hope you understand these limitations......
Thus SOUTH of the axe 3, lets give all those users VLAN10
Thus NORTH of the axe 3, lets give the directly connected LAN clients VLAN20
The directly connected AX3 WIFI clients I assume will be a mix of VLAN10, VLAN20 and lets add a third vlan VLAN30 that only the AX3 provides.

If this makes sense so far good.
Now you have to attribute what traffic each vlan needs (majority of users within a vlan).
Then you have to discuss any exceptions........

Or provide more clarity in what you would like to achieve especially if way off base...............

daveq · Mon Apr 24, 2023 7:24 pm

- So the hapax gets a private WANIP from the lite beam correct?
lite beam has own IP from provider 10.x.x.x1, hAP AX3 has also IP from provider 10.x.x.x2
I agreed with them to have 2 fixed IPs , to be able to manage
Otherwise the LiteBeam would become Main router with DMZ to hap AX3

I've added devices which i would like to have on VPN:
1. WireGuard VPN - no PortFWD possible
- Desktop
- Mobile
2. OpenVPN - due to PortFWD option
- NAS
3. NonVPN
- AndroidTV - due to local country IPTV content (it blocks abroad IPs)
- the rest clients ~40+

Alternate is to stop using WG VPN protocol and use only OpenVPN protocol for everything
- it's bit slower vs WG
- it might not work with Mikrotik - haven't test it yet
+ PortFWD available

In Asus Router was bit simplified i could pick any IPs to be on VPN, without VLAN needed, but i mentioned it already

That's not that simple on Mikrotik, right?
----
If I understand the idea with VLAN right = seems like problem would be with the "client" location for VPN , basically each client is in some extra layer/VLAN this would lead that All Client (except LAN Clients 02) in that VLAN would be on VPN, so same as is it now - ALL client on VPN (without VLAN).

MyNetwork2.jpg

anav · Tue Apr 25, 2023 2:57 am

I dont understand why you need port forwarding.
Typically port forwarding is done via ones public IP and is required to get through NAT.
If you give your user a WIREGUARD peer setting, why cannot they access your servers directly through wireguard?

Assuming the reason is that you cannot forward the wireguard port from the ISP device to your device??

daveq · Tue Apr 25, 2023 8:07 pm

PortFWD is needed as i dont have PublicIP from my Provider
VPN over WireGuard doesn't have the PortFWD option, nor Public IP yet, even AzireVPN confirmed they are working on some solution
VPN over OpenVPN offers me PublicIP with PortFWD - confirmed with AzireVPN , that this option is still working

PortFWD is needed to access few Services/Servers hosted on my unRaid server
Torrent and DC++ to be "active" user

daveq · Thu May 18, 2023 10:33 am

Hi,

Got suggested that via https://help.mikrotik.com/docs/display/ ... ress-lists i might be able to create filter rule in Firewall https://help.mikrotik.com/docs/display/ROS/Filter

Would that possibly work? for the scenario i need?

As changing HW switches to be able to create VLAN just for few devices, is pricy solution which i would like to avoid.

Thanks

anav · Mon Jan 13, 2025 5:32 pm

If you have the right router arm/tile etc you can use BTHVPN to connect to your network remotely from your smartphone or laptop etc...

Looking at your diagram you should replace both switches with manageable switches, and then you can apply vlans throughout your network and isolate all the users/devices as required.

ACJM · Wed Jan 15, 2025 6:47 pm

When ready to not use ipv6, as stated can help troubleshoot.
In the meantime checkout PARA 7 and PARA 9 (D) -- viewtopic.php?t=182340

What happened to this page? I often come back to it.