 
TCLynx
newbie
Topic Author
Posts: 25
Joined: Fri Apr 04, 2025 7:42 pm

Wireguard Peer not able to reach internet

Fri Apr 04, 2025 7:56 pm

Please be gentle, I just barely know enough to get myself into trouble here.

I have a HEX router board at home that I use with several computers in my office.

I have a GLiNet Travel router that I want to use when I'm away from the office doing some events.

I have managed to set up WireGuard and I seem to have been able to connect the travel router to the home router successfully.
However, from the laptop connected to the travel router with WireGuard on, I do not seem to be able to access the internet.

I'm not sure even how to share the configurations to get help here. It seems to me there should be some firewall or routing rule I need to create to allow the connection from the vpn to access the WAN from the home router.

Here is some added info on the Hex router board:
# 2025-04-04 13:41:50 by RouterOS 7.18.2
# software id = XXXX-XXXX
#
# model = RB750Gr3
# serial number = XXXXXXXXXXXXXX
 
eltikpad
Member Candidate
Posts: 123
Joined: Sun Jan 12, 2025 10:54 pm

Re: Wireguard Peer not able to reach internet

Fri Apr 04, 2025 10:06 pm

If you are using a default config there is an interface list “LAN” that is used by the firewall filter to define the interfaces that have internet access. You may need to add your WireGuard interface to this list.

Also: Check the “Allowed IPs” on your client

To share your config
/export file=anythingyouwish
Hide anything confidential and post the anythingyouwish.rsc file here.
 
TCLynx
newbie
Topic Author
Posts: 25
Joined: Fri Apr 04, 2025 7:42 pm

Re: Wireguard Peer not able to reach internet

Fri Apr 04, 2025 10:11 pm

Ok, so I figured out how to share the configuration on the Mikrotik router.
# 2025-04-04 15:01:15 by RouterOS 7.18.2
# software id = XXXXXXXX
#
# model = RB750Gr3
# serial number = XXXXXXXXXXXX
/interface bridge
add admin-mac=XXXXXXXXXXXXXXXX auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
/interface ethernet
set [ find default-name=ether2 ] arp=proxy-arp
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 \
    internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/interface wireguard peers
add allowed-address=192.168.88.8/32 client-address=192.168.88.8/32 \
    client-dns=1.1.1.1 client-endpoint=XX.X.XXX.XXX endpoint-port=13231 \
    interface=wireguard1 name=XXXXXXXXuser1 private-key=\
    "redacted" public-key=\
    "redacted"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=73.5.222.169/24 interface=ether1 network=73.5.222.0
add address=192.168.88.1/24 interface=ether2 network=192.168.88.0
add address=192.168.88.8 interface=wireguard1 network=192.168.88.8
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall address-list
add address=192.168.88.0/24 comment="Local Address list" list=LOCAL
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input comment="wireguard coop2025 rule" dst-port=\
    13231 protocol=udp
add action=accept chain=forward in-interface=wireguard1 out-interface-list=\
    WAN src-address=192.168.88.8
add action=accept chain=forward comment="internet traffic" in-interface-list=\
    LAN out-interface-list=WAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
add action=masquerade chain=srcnat
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ppp profile
set *FFFFFFFE comment="for coop king vpn" dns-server=1.1.1.1 local-address=\
    192.168.88.1 remote-address=*2
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=America/New_York
/system identity
set name=MikroTikHEX
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

 
TCLynx
newbie
Topic Author
Posts: 25
Joined: Fri Apr 04, 2025 7:42 pm

Re: Wireguard Peer not able to reach internet

Fri Apr 04, 2025 10:16 pm

If you are using a default config there is an interface list “LAN” that is used by the firewall filter to define the interfaces that have internet access. You may need to add your WireGuard interface to this list.
How do I add the wireguard interface to the LAN list? I think I must be looking in the wrong spot?

Do I just add another LAN list? Right now it has bridge and I don't see a way to add more to it in that window.
 
eltikpad
Member Candidate
Posts: 123
Joined: Sun Jan 12, 2025 10:54 pm

Re: Wireguard Peer not able to reach internet

Fri Apr 04, 2025 10:30 pm

You have some strange things with the addressing of your WireGuard interface. It should be in a different network than any other interface.

You have
/ip/address add address=192.168.88.8 interface=wireguard1 network=192.168.88.8
This address is in the same network as ether2 and the network makes no sense.

Try putting this in its own network like:
/ip/address add address=192.168.8.1/24 interface=wireguard1 network=192.168.8.0

Fix the WireGuard client address
add allowed-address=192.168.8.0/24 client-address=192.168.8.8/32 \
    client-dns=1.1.1.1 client-endpoint=XX.X.XXX.XXX endpoint-port=13231 \
    interface=wireguard1 name=XXXXXXXXuser1 private-key=\
    "redacted" public-key=\
    "redacted"

Add WireGuard into list LAN
/interface list member add comment=wireguard interface=wireguard1 list=LAN

Let’s start with that. I'll keep looking, there may be more.


Edit: The client address should not be the same as the wireguard interface address. I fixed that above.
Last edited by eltikpad on Fri Apr 04, 2025 10:40 pm, edited 4 times in total.
 
TCLynx
newbie
Topic Author
Posts: 25
Joined: Fri Apr 04, 2025 7:42 pm

Re: Wireguard Peer not able to reach internet

Fri Apr 04, 2025 10:33 pm

Also: Check the “Allowed IPs” on your client
So I set up the client router using the config file I created from WinBox based on this tutorial https://mikrotikmasters.com/setting-up- ... ive-guide/
[Interface]
ListenPort = 51820
PrivateKey =Redacted=
Address = 192.168.88.8/32
DNS = 1.1.1.1

[Peer]
PublicKey =Redacted=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = home public IP address:13231

Is it the AllowedIPs from this file that I need to change? The tutorial video didn't seem to indicate that I need to change that.
I did set up port forwarding on my ISP's router to pass 13231 and 51820 to my MikroTik router and, as noted, WireGuard seems to have connected; I just can't seem to access the internet from the travel router when I have WireGuard enabled.
 
eltikpad
Member Candidate
Posts: 123
Joined: Sun Jan 12, 2025 10:54 pm

Re: Wireguard Peer not able to reach internet

Fri Apr 04, 2025 10:37 pm

That “Allowed IPs” is fine. It means “route everything into the wireguard tunnel”

See my notes above about your addressing issues.
 
TCLynx
newbie
Topic Author
Posts: 25
Joined: Fri Apr 04, 2025 7:42 pm

Re: Wireguard Peer not able to reach internet

Fri Apr 04, 2025 10:40 pm

You have some strange things with the addressing of your WireGuard interface. It should be in a different network than any other interface.

You have
/ip/address add address=192.168.88.8 interface=wireguard1 network=192.168.88.8
This address is in the same network as ether2 and the network makes no sense.

Try putting this in its own network like:
/ip/address add address=192.168.8.1 interface=wireguard1 network=192.168.8.0/24

Fix the WireGuard client address
add allowed-address=192.168.8.0/24 client-address=192.168.8.8/32 \
    client-dns=1.1.1.1 client-endpoint=XX.X.XXX.XXX endpoint-port=13231 \
    interface=wireguard1 name=XXXXXXXXuser1 private-key=\
    "redacted" public-key=\
    "redacted"

Add WireGuard into list LAN
/interface list member add comment=wireguard interface=wireguard1 list=LAN

Let’s start with that. I'll keep looking, there may be more.


Edit: The client address should not be the same as the wireguard interface address. I fixed that above.
I'll change the address to 192.168.89.8 since the other router uses 192.168.8.1 for its interface, so I'll avoid that. Let me see if I can update it everywhere I should.
 
eltikpad
Member Candidate
Posts: 123
Joined: Sun Jan 12, 2025 10:54 pm

Re: Wireguard Peer not able to reach internet

Fri Apr 04, 2025 10:44 pm

Just don't make the interface the same as the client address. Same network, yes; same address, no.
 
TCLynx
newbie
Topic Author
Posts: 25
Joined: Fri Apr 04, 2025 7:42 pm

Re: Wireguard Peer not able to reach internet

Fri Apr 04, 2025 10:49 pm

# 2025-04-04 15:46:39 by RouterOS 7.18.2
# software id = XXXXXXXXXX
#
# model = RB750Gr3
# serial number = XXXXXXXXXX
/interface bridge
add admin-mac=XXXXXXXXXXXXXXX auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
/interface ethernet
set [ find default-name=ether2 ] arp=proxy-arp
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 \
    internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wireguard1 list=LAN
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/interface wireguard peers
add allowed-address=192.168.89.0/32 client-address=192.168.89.8/32 \
    client-dns=1.1.1.1 client-endpoint=XXXXXXXXXXXX endpoint-port=13231 \
    interface=wireguard1 name=coop2025user1 private-key=\
    "redacted" public-key=\
    "redacted="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=73.5.222.169/24 interface=ether1 network=73.5.222.0
add address=192.168.88.1/24 interface=ether2 network=192.168.88.0
add address=192.168.89.1 interface=wireguard1 network=192.168.89.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall address-list
add address=192.168.88.0/24 comment="Local Address list" list=LOCAL
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input comment="wireguard coop2025 rule" dst-port=\
    13231 protocol=udp
add action=accept chain=forward in-interface=wireguard1 out-interface-list=\
    WAN src-address=192.168.89.8
add action=accept chain=forward comment="internet traffic" in-interface-list=\
    LAN out-interface-list=WAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
add action=masquerade chain=srcnat
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ppp profile
set *FFFFFFFE comment="for coop king vpn" dns-server=1.1.1.1 local-address=\
    192.168.88.1 remote-address=*2
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=America/New_York
/system identity
set name=MikroTikHEX
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
I'll go see if it is working.
 
TCLynx
newbie
Topic Author
Posts: 25
Joined: Fri Apr 04, 2025 7:42 pm

Re: Wireguard Peer not able to reach internet

Fri Apr 04, 2025 10:54 pm

So I updated both routers.

I'm able to connect with the wireguard but still not accessing the internet through it.
 
eltikpad
Member Candidate
Posts: 123
Joined: Sun Jan 12, 2025 10:54 pm

Re: Wireguard Peer not able to reach internet

Fri Apr 04, 2025 11:00 pm

IP addresses are still messed up.
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=73.5.222.169/24 interface=ether1 network=73.5.222.0
add address=192.168.88.1/24 interface=ether2 network=192.168.88.0
add address=192.168.89.1 interface=wireguard1 network=192.168.89.0
Interfaces “bridge” and “ether2” are in the same network. Move one of them.
 
eltikpad
Member Candidate
Posts: 123
Joined: Sun Jan 12, 2025 10:54 pm

Re: Wireguard Peer not able to reach internet

Fri Apr 04, 2025 11:02 pm

This is good.
/interface list member
add interface=wireguard1 list=LAN

Should not need this

add action=accept chain=forward in-interface=wireguard1 out-interface-list=WAN src-address=192.168.89.8
 
eltikpad
Member Candidate
Posts: 123
Joined: Sun Jan 12, 2025 10:54 pm

Re: Wireguard Peer not able to reach internet

Fri Apr 04, 2025 11:06 pm

this also looks good
/interface wireguard peers
add allowed-address=192.168.89.0/32 client-address=192.168.89.8/32 \
    client-dns=1.1.1.1 client-endpoint=XXXXXXXXXXXX endpoint-port=13231 \
    interface=wireguard1 name=coop2025user1 private-key=\
    "redacted" public-key=\
    "redacted="
    
/ip address
add address=192.168.89.1 interface=wireguard1 network=192.168.89.0



Client address is in the same network as the wireguard interface address. Progress.


Ooops, I missed something here.
allowed-address=192.168.89.0/32
Should be
allowed-address=192.168.89.0/24
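A small checker, added here and not part of any post in this thread, that reads a RouterOS export the way these replies do and flags the problems discussed so far: overlapping interface networks (bridge and ether2, or a bare /32 WireGuard address sitting inside the LAN subnet), a peer client-address that allowed-address does not cover or that equals the interface address, and a WireGuard interface missing from the LAN list. The two exports inside are constructed to mirror the posted config before and after the fixes; the peer name user1 is assumed.

```python
"""Lint a RouterOS export for the WireGuard mistakes discussed in this thread."""
import ipaddress
import shlex

# Constructed sample (not the poster's export), modelled on the first config above:
# ether2 duplicates the bridge address, wireguard1 carries a bare /32 inside the LAN
# subnet, client-address equals the interface address, wireguard1 is not in list LAN.
BROKEN_EXPORT = """\
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=192.168.88.8/32 client-address=192.168.88.8/32 \\
    client-dns=1.1.1.1 interface=wireguard1 name=user1 public-key=\\
    "redacted"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\\
    192.168.88.0
add address=192.168.88.1/24 interface=ether2 network=192.168.88.0
add address=192.168.88.8 interface=wireguard1 network=192.168.88.8
"""

# The same sample after the corrections given in the replies are applied.
FIXED_EXPORT = """\
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add comment=wireguard interface=wireguard1 list=LAN
/interface wireguard peers
add allowed-address=192.168.89.0/24 client-address=192.168.89.8/32 \\
    client-dns=1.1.1.1 interface=wireguard1 name=user1 public-key=\\
    "redacted"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\\
    192.168.88.0
add address=192.168.89.1/24 interface=wireguard1 network=192.168.89.0
"""


def parse_export(text):
    """Map each '/section' to the key=value pairs of its 'add' lines, re-joining
    the lines RouterOS wraps with a trailing backslash."""
    joined, buf = [], ""
    for line in text.splitlines():
        piece = line.strip()
        if piece.endswith("\\"):
            buf += piece[:-1]
            continue
        joined.append(buf + piece)
        buf = ""
    sections, current = {}, None
    for line in joined:
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current is not None:
            entry = {}
            for token in shlex.split(line[4:]):  # shlex handles quoted values
                key, _, value = token.partition("=")
                entry[key] = value
            sections[current].append(entry)
    return sections


def lint(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_export(text)
    findings, addrs = [], {}
    for e in cfg.get("/ip address", []):
        iface = ipaddress.ip_interface(e["address"])
        if "/" not in e["address"]:
            findings.append(f"{e['interface']}: {e['address']} has no prefix length, RouterOS treats it as /32")
        if "network" in e and ipaddress.ip_address(e["network"]) != iface.network.network_address:
            findings.append(f"{e['interface']}: network={e['network']} does not match {iface.network}")
        addrs[e["interface"]] = iface
    items = list(addrs.items())
    for i, (name1, a1) in enumerate(items):  # every pair of layer-3 interfaces
        for name2, a2 in items[i + 1:]:
            if a1.network.overlaps(a2.network):
                findings.append(f"{name1} ({a1}) and {name2} ({a2}) are in overlapping networks")
    lan = {e["interface"] for e in cfg.get("/interface list member", []) if e.get("list") == "LAN"}
    for p in cfg.get("/interface wireguard peers", []):
        wg = addrs.get(p["interface"])
        allowed = [ipaddress.ip_network(a, strict=False) for a in p["allowed-address"].split(",")]
        if "client-address" in p:
            client = ipaddress.ip_interface(p["client-address"]).ip
            if not any(client in net for net in allowed):
                findings.append(f"peer {p.get('name')}: client-address {client} is not covered by allowed-address {p['allowed-address']}")
            if wg is not None and client == wg.ip:
                findings.append(f"peer {p.get('name')}: client-address {client} is the same as the {p['interface']} address")
            elif wg is not None and client not in wg.network:
                findings.append(f"peer {p.get('name')}: client-address {client} is outside {p['interface']} network {wg.network}")
        if p["interface"] not in lan:
            findings.append(f"{p['interface']} is not in interface list LAN, so the defconf LAN->WAN forward rule skips it")
    return findings


if __name__ == "__main__":
    for label, export in (("broken", BROKEN_EXPORT), ("fixed", FIXED_EXPORT)):
        print(label, lint(export) or "no findings")
```

Paste the output of `/export` into `lint()` to get the same findings for a live config; an empty list only means these particular checks pass, not that the rest of the firewall is right.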
 
TCLynx
newbie
Topic Author
Posts: 25
Joined: Fri Apr 04, 2025 7:42 pm

Re: Wireguard Peer not able to reach internet

Fri Apr 04, 2025 11:47 pm

IP addresses are still messed up.
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=73.5.222.169/24 interface=ether1 network=73.5.222.0
add address=192.168.88.1/24 interface=ether2 network=192.168.88.0
add address=192.168.89.1 interface=wireguard1 network=192.168.89.0
Interfaces “bridge” and “ether2” are in the same network. Move one of them.
Ok, I don't think I actually added the bridge or ether2. I think they were in the config before I started messing with it, so I guess I just need to know what I can get rid of, since I don't really know what the bridge is doing here.
 
TCLynx
newbie
Topic Author
Posts: 25
Joined: Fri Apr 04, 2025 7:42 pm

Re: Wireguard Peer not able to reach internet

Fri Apr 04, 2025 11:49 pm



Ooops, I missed something here.
allowed-address=192.168.89.0/32
Should be
allowed-address=192.168.89.0/24
ok fixed that
 
eltikpad
Member Candidate
Posts: 123
Joined: Sun Jan 12, 2025 10:54 pm

Re: Wireguard Peer not able to reach internet

Sat Apr 05, 2025 12:01 am

IP addresses are still messed up.



Interfaces “bridge” and “ether2” are in the same network. Move one of them.
Ok, I don't think I actually added the bridge or ether2. I think they were in the config before I started messing with it, so I guess I just need to know what I can get rid of, since I don't really know what the bridge is doing here.

Default config usually starts with just a bridge. I'd probably remove the ether2 layer-3 interface.
 
anav
Forum Guru
Posts: 23358
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Peer not able to reach internet

Sat Apr 05, 2025 1:01 am

Just started reading the post and yes, MANY ERRORS in the config which are not all yet sorted.
Clearly your wireguard IP address is hosed.

It should be assuming you only need/want one peer as such
add address=192.168.89.1/30 interface=wireguard1 network=192.168.89.0 (allows only two usable IPs, .1 and .2)

The Laptop peer should have its address set at 192.168.89.2

The allowed IPs on the laptop peer should simply be 0.0.0.0/0

The only peer settings on the ROUTER needed, the rest is optional and often confusing, should be
add allowed-address=192.168.89.2 interface=wireguard1 public-key="---"

++++++++++++++++++++++++++++++++++++++++

if you wanted to keep the 192.168.89.8 address currently on the laptop you would need a different netmask
add address=192.168.89.1/28 interface=wireguard1 network=192.168.89.0 ( provides IPs from .1 to .14 )

+++++++++++++++

As to previous errors ether2 has no business having the same address as the bridge,
either remove the address
OR
take ether2 off the bridge in /bridge ports and give it a different address.
 
TCLynx
newbie
Topic Author
Posts: 25
Joined: Fri Apr 04, 2025 7:42 pm

Re: Wireguard Peer not able to reach internet

Sat Apr 05, 2025 1:13 am

Just started reading the post and yes, MANY ERRORS in the config which are not all yet sorted.
Clearly your wireguard IP address is hosed.

It should be assuming you only need/want one peer as such
add address=192.168.89.1/30 interface=wireguard1 network=192.168.89.0 (allows only two usable IPs, .1 and .2)

The Laptop peer should have its address set at 192.168.89.2

The allowed IPs on the laptop peer should simply be 0.0.0.0/0

The only peer settings on the ROUTER needed, the rest is optional and often confusing, should be
add allowed-address=192.168.89.2 interface=wireguard1 public-key="---"

++++++++++++++++++++++++++++++++++++++++

if you wanted to keep the 192.168.89.8 address currently on the laptop you would need a different netmask
add address=192.168.89.1/28 interface=wireguard1 network=192.168.89.0 ( provides IPs from .1 to .14 )

+++++++++++++++

As to previous errors ether2 has no business having the same address as the bridge,
either remove the address
OR
take ether2 off the bridge in /bridge ports and give it a different address.
Where exactly is ether2 on the bridge? I don't think I put it there. Just the other day I reset this router and then I upgraded the RouterOS software. Not entirely sure where some of the starting config came from.
 
TCLynx
newbie
Topic Author
Posts: 25
Joined: Fri Apr 04, 2025 7:42 pm

Re: Wireguard Peer not able to reach internet

Sat Apr 05, 2025 1:15 am

By the way, the WireGuard client is a travel router currently plugged into a separate internet source from my home network. There will likely be more than one device using the travel router.

After making a couple of the above recommended changes, I have been able to reach the internet through the wireguard. However, it is making dialup seem quick at the moment so I definitely need to clean up more of the issues.
 
TCLynx
newbie
Topic Author
Posts: 25
Joined: Fri Apr 04, 2025 7:42 pm

Re: Wireguard Peer not able to reach internet

Sat Apr 05, 2025 1:23 am

Removed ether2 and now I can't get into the router.
 
anav
Forum Guru
Posts: 23358
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Peer not able to reach internet

Sat Apr 05, 2025 1:24 am

Perfect, so netmask 28 works for you!!
As for the rest, looking at post #3, your work!

/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 \
internal-path-cost=10 path-cost=10

/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=73.5.222.169/24 interface=ether1 network=73.5.222.0
add address=192.168.88.1/24 interface=ether2 network=192.168.88.0
add address=192.168.88.8 interface=wireguard1 network=192.168.88.8
 
anav
Forum Guru
Posts: 23358
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Peer not able to reach internet

Sat Apr 05, 2025 1:25 am

Best thing is to repost your latest for review!
 
TCLynx
newbie
Topic Author
Posts: 25
Joined: Fri Apr 04, 2025 7:42 pm

Re: Wireguard Peer not able to reach internet

Sat Apr 05, 2025 1:27 am

OK, restarted the router. I'm back in.
 
eltikpad
Member Candidate
Posts: 123
Joined: Sun Jan 12, 2025 10:54 pm

Re: Wireguard Peer not able to reach internet

Sat Apr 05, 2025 1:32 am


It should be assuming you only need/want one peer as such
add address=192.168.89.1/30 interface=wireguard1 network=192.168.89.0 (allows only two usable IPs, .1 and .2)

The Laptop peer should have its address set at 192.168.89.2

The allowed IPs on the laptop peer should simply be 0.0.0.0/0

The only peer settings on the ROUTER needed, the rest is optional and often confusing, should be
add allowed-address=192.168.89.2 interface=wireguard1 public-key="---"
This config is valid, but the earlier config I gave was also valid. Just a difference of personal preference. Use whichever you would like, but no need to change things that aren't broken. There is plenty to do here.
 
TCLynx
newbie
Topic Author
Posts: 25
Joined: Fri Apr 04, 2025 7:42 pm

Re: Wireguard Peer not able to reach internet

Sat Apr 05, 2025 1:34 am

# 2025-04-04 18:29:03 by RouterOS 7.18.2
# software id = XXXXXXX
#
# model = RB750Gr3
# serial number = XXXXXXX
/interface bridge
add admin-mac=2XXXXXXX auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
/interface ethernet
set [ find default-name=ether2 ] arp=proxy-arp
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 \
    internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wireguard1 list=LAN
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/interface wireguard peers
add allowed-address=192.168.89.0/24 client-address=192.168.89.8/24 \
    client-dns=1.1.1.1 client-endpoint=XXXXXXX endpoint-port=13231 \
    interface=wireguard1 name=coop2025user1 private-key=\
    "Redacted=" public-key=\
    "Redacted="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=73.5.222.169/24 interface=ether1 network=73.5.222.0
add address=192.168.89.1/24 interface=wireguard1 network=192.168.89.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall address-list
add address=192.168.88.0/24 comment="Local Address list" list=LOCAL
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input comment="wireguard coop2025 rule" dst-port=\
    13231 protocol=udp
add action=accept chain=forward in-interface=wireguard1 out-interface-list=\
    WAN src-address=192.168.89.8
add action=accept chain=forward comment="internet traffic" in-interface-list=\
    LAN out-interface-list=WAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
add action=masquerade chain=srcnat
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ppp profile
set *FFFFFFFE comment="for coop king vpn" dns-server=1.1.1.1 local-address=\
    192.168.88.1 remote-address=*2
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=America/New_York
/system identity
set name=MikroTikHEX
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
TCLynx
newbie
Topic Author
Posts: 25
Joined: Fri Apr 04, 2025 7:42 pm

Re: Wireguard Peer not able to reach internet

Sat Apr 05, 2025 1:36 am

So the WireGuard is working to get to the internet, just SLOW, so yes I still want some help cleaning things up.
Thank you for the help; this old dog is finding the new tricks very challenging.
 
eltikpad
Member Candidate
Posts: 123
Joined: Sun Jan 12, 2025 10:54 pm

Re: Wireguard Peer not able to reach internet

Sat Apr 05, 2025 1:49 am

Good, it sounds like some progress.

Some questions to think about:
What is “SLOW” internet? Pings have high latency? Web browsing pages load slowly? File downloads are only 500Mbps?
Is the internet slow from a host directly attached to this router (not vpn)?

Some trace routes might be a good place to start. Won't tell us everything, but it's something.
traceroute 8.8.8.8
 
TCLynx
newbie
Topic Author
Posts: 25
Joined: Fri Apr 04, 2025 7:42 pm

Re: Wireguard Peer not able to reach internet

Sat Apr 05, 2025 2:00 am

So from my desktop connected directly to the Mikrotik via wire. Things load fast and I can log into accounts quickly etc.

From the laptop connected to the travel router, just trying to say log into microsoft, it was "go fix dinner" before I even got to the point where I could enter the email.
google search for what is my ip timed out and gave me nothing.

With the wireguard turned off, I can actually access web pages.
 
eltikpad
Member Candidate
Posts: 123
Joined: Sun Jan 12, 2025 10:54 pm

Re: Wireguard Peer not able to reach internet

Sat Apr 05, 2025 2:14 am

Shouldn’t be that slow. Try some trace routes through the vpn.
 
TCLynx
newbie
Topic Author
Posts: 25
Joined: Fri Apr 04, 2025 7:42 pm

Re: Wireguard Peer not able to reach internet

Sat Apr 05, 2025 2:34 am

So with VPN off from the travel router, the trace is 1-2 ms at the local routers and up to 29 ms everywhere else, so not terrible.

With VPN on, 1 ms at the travel router, and the quickest anything else got was 42 ms, all the way up to 80 ms and a few timeouts.

And from the desktop connected to the MikroTik, a bit faster on average compared to the travel router connected through another router getting xfinitywifi:
Tracing route to dns.google [8.8.8.8]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  router.lan [192.168.88.1]
  2     1 ms    <1 ms    <1 ms  10.0.0.1
  3    10 ms    10 ms     9 ms  96.120.22.13
  4    10 ms    10 ms    32 ms  ae-251-1204-rur02.fruitlandpr.fl.lakecnty.comcast.net [96.110.220.109]
  5    10 ms    10 ms    10 ms  be-5-rar01.sumter.fl.lakecnty.comcast.net [96.108.36.125]
  6    16 ms    27 ms    17 ms  ae-30-ar03.bonitasprngs.fl.naples.comcast.net [68.85.212.102]
  7    22 ms    22 ms    29 ms  be-33933-cs03.miami.fl.ibone.comcast.net [96.110.45.89]
  8    23 ms    22 ms    21 ms  be-3312-pe12.nota.fl.ibone.comcast.net [96.110.33.170]
  9     *        *        *     Request timed out.
 10    23 ms    23 ms    20 ms  142.251.251.195
 11    22 ms    21 ms    21 ms  108.170.234.75
 12    20 ms    20 ms    22 ms  dns.google [8.8.8.8]
 
TCLynx
newbie
Topic Author
Posts: 25
Joined: Fri Apr 04, 2025 7:42 pm

Re: Wireguard Peer not able to reach internet

Sat Apr 05, 2025 2:37 am

I think I realized something though: the MikroTik didn't really totally reset. It must have reloaded settings from file storage within it.

So perhaps it would make sense for me to clean more stuff out but I don't want to render myself unable to use it if I mess it up again.
 
TCLynx
newbie
Topic Author
Posts: 25
Joined: Fri Apr 04, 2025 7:42 pm

Re: Wireguard Peer not able to reach internet

Sat Apr 05, 2025 3:02 am

So, updating: I have reset the router to the default config after saving the backups to my computer, but I think I'll start fresh with the "default" config.
Here is that default config:
# 2025-04-04 19:56:02 by RouterOS 7.18.2
# software id = XXXXXXX
#
# model = RB750Gr3
# serial number = XXXXXXX
/interface bridge
add admin-mac=XXXXXXXX auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=America/New_York
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Then I will come back and re-do the wireguard vpn after I take care of a few things.
 
eltikpad
Member Candidate
Posts: 123
Joined: Sun Jan 12, 2025 10:54 pm

Re: Wireguard Peer not able to reach internet

Sat Apr 05, 2025 3:45 am

Good idea to reset. Among other things your firewall filters were a mess. Order matters with them. Also it is good form to keep each chain together.
 
TCLynx
newbie
Topic Author
Posts: 25
Joined: Fri Apr 04, 2025 7:42 pm

Re: Wireguard Peer not able to reach internet

Sat Apr 05, 2025 4:54 am

good news, I was able to get it all set back up and the vpn can access the internet, well kinda.
Bad news, it is slow enough to time out more things than not. Unfortunately not really usable this way.
/interface bridge
add admin-mac=XXXXXXXXX auto-mac=no comment=defconf name=bridge
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=192.168.89.2/24 client-address=192.168.89.2/24 \
    client-dns=1.1.1.1 client-endpoint=XXXXXXXXX endpoint-port=13231 \
    interface=wireguard1 name=Coop2025 private-key=\
    "redacted=" public-key=\
    "redacted="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.89.1/24 interface=wireguard1 network=192.168.89.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input dst-port=13231 protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=America/New_York
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
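An added example, not code from any poster in this thread: a small Python linter for a RouterOS `/export` like the one above. It checks the things a practitioner looks at first when a WireGuard peer "connects but has no or slow internet", and it also encodes the rule-ordering point made earlier in the thread: whether the WireGuard interface is a member of the LAN interface list, whether the listen port is accepted in chain=input ahead of the defconf "drop all not coming from LAN" rule, whether a srcnat masquerade towards WAN exists (and whether any masquerade has no matchers at all, as in the earlier export), whether each peer's allowed-address is a host /32 rather than the whole tunnel subnet, and whether there is a TCP MSS clamp for the tunnel. Whether any of these explains the slowness reported here is not established in the thread. The embedded SAMPLE is a condensed, constructed copy of the posted export with keys redacted; the finding codes, the FIXES fragment and the proposed MSS value (interface MTU minus 40 bytes of IPv4+TCP header) are this example's own assumptions.

```python
"""Lint a RouterOS '/export' for common WireGuard hub mistakes.

Added example for this thread (not a poster's code). SAMPLE is a condensed,
constructed copy of the export posted above; FIXES is the corrected fragment
this linter proposes, not something taken from the thread.
"""
import ipaddress
import shlex
from collections import defaultdict

SAMPLE = r"""
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=192.168.89.2/24 client-address=192.168.89.2/24 \
    client-dns=1.1.1.1 interface=wireguard1 name=Coop2025 private-key=\
    "redacted=" public-key="redacted="
/ip firewall filter
add action=accept chain=input dst-port=13231 protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
"""

# Proposed corrections: tunnel joins LAN, one host /32 per peer, MSS clamp on SYNs.
FIXES = r"""
/interface list member
add interface=wireguard1 list=LAN
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu out-interface=wireguard1 \
    protocol=tcp tcp-flags=syn
"""
FIXED = SAMPLE.replace("allowed-address=192.168.89.2/24", "allowed-address=192.168.89.2/32") + FIXES


def parse_export(text):
    """Return {section_path: [ {key: value, ...}, ... ]} from '/export' output.
    A trailing backslash continues the command on the next line."""
    cfg, section, logical = defaultdict(list), None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            logical += line[:-1]          # keep any space before the backslash
            continue
        logical += line
        verb = logical.split(" ", 1)[0]
        if logical.startswith("/"):
            section = logical
        elif verb in ("add", "set") and section:
            entry = {"_verb": verb}
            for tok in shlex.split(logical)[1:]:   # shlex handles quoted comments
                if "=" in tok:
                    key, value = tok.split("=", 1)
                    entry[key] = value
            cfg[section].append(entry)
        logical = ""
    return cfg


def _chain(cfg, path, chain):
    return [r for r in cfg[path] if r.get("chain") == chain]


def lint(text):
    """Return a list of (code, message) findings; an empty list means nothing flagged."""
    cfg, out = parse_export(text), []
    lan = {m.get("interface") for m in cfg["/interface list member"] if m.get("list") == "LAN"}
    inputs = _chain(cfg, "/ip firewall filter", "input")
    nats = _chain(cfg, "/ip firewall nat", "srcnat")
    for wg in cfg["/interface wireguard"]:
        name, port, mtu = wg.get("name"), wg.get("listen-port"), int(wg.get("mtu", 1420))
        if name not in lan:
            out.append(("WG-NOT-IN-LAN", f"{name} is not in interface list LAN, so the defconf input "
                        "rule 'drop all not coming from LAN' drops tunnel clients talking to the "
                        "router itself (DNS, Winbox); forwarding to WAN is unaffected"))
        # Order matters: the handshake port must be accepted before the !LAN drop in chain=input.
        accept = next((i for i, r in enumerate(inputs) if r.get("action") == "accept"
                       and r.get("protocol") == "udp" and port in r.get("dst-port", "").split(",")), None)
        drop = next((i for i, r in enumerate(inputs) if r.get("action") == "drop"
                     and r.get("in-interface-list") == "!LAN"), len(inputs))
        if accept is None or accept > drop:
            out.append(("WG-PORT-BLOCKED", f"udp/{port} is not accepted in chain=input ahead of the "
                        "!LAN drop; remote peers cannot complete a handshake"))
        # Without an MSS clamp, TCP inside the tunnel depends on PMTUD surviving the public path.
        if not any(m.get("action") == "change-mss" and name in (m.get("out-interface"), m.get("in-interface"))
                   for m in cfg["/ip firewall mangle"]):
            out.append(("WG-NO-MSS-CLAMP", f"no change-mss mangle rule for {name}; clamp SYNs to pmtu "
                        f"or to {mtu - 40} (mtu {mtu} minus 40 bytes of IPv4+TCP header)"))
    for peer in cfg["/interface wireguard peers"]:
        for cidr in (c.strip() for c in peer.get("allowed-address", "").split(",") if c.strip()):
            ifc = ipaddress.ip_interface(cidr)
            # A host address with a wide mask claims the whole subnet for this one peer.
            if ifc.network.prefixlen < ifc.max_prefixlen and ifc.ip != ifc.network.network_address:
                out.append(("PEER-ALLOWED-TOO-WIDE", f"peer {peer.get('name')} allowed-address {cidr} "
                            f"claims all of {ifc.network}; use {ifc.ip}/{ifc.max_prefixlen} for one client"))
    if not any(r.get("action") == "masquerade" and r.get("out-interface-list") == "WAN" for r in nats):
        out.append(("NAT-NO-WAN-MASQ", "no srcnat masquerade with out-interface-list=WAN"))
    for r in nats:
        if r.get("action") == "masquerade" and not set(r) & {"out-interface", "out-interface-list",
                                                              "src-address", "dst-address"}:
            out.append(("NAT-BARE-MASQ", "a masquerade rule without matchers NATs every forwarded "
                        "connection, LAN<->tunnel included"))
    return out


if __name__ == "__main__":
    for label, text in (("posted export", SAMPLE), ("with FIXES", FIXED)):
        print(f"== {label}: {len(lint(text))} finding(s)")
        for code, msg in lint(text):
            print(f"  [{code}] {msg}")
```

Run it against a real `/export file=...` by reading the .rsc into `lint()`; on the SAMPLE it reports the missing LAN membership, the /24 allowed-address and the absent MSS clamp, and nothing once FIXES is appended. The allowed-address check is deliberately narrow: a network address such as 192.168.1.0/24 behind a site-to-site peer is intentional and is not flagged, only a host address carrying a wide mask is.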
 
TCLynx
newbie
Topic Author
Posts: 25
Joined: Fri Apr 04, 2025 7:42 pm

Re: Wireguard Peer not able to reach internet

Sat Apr 05, 2025 5:03 am

So the reason for me wanting to get this to work is...
I'm teaching a group of kids at our homeschool co-op. We are doing Minecraft Education. To use Education, you need access to the internet in order to log in and authenticate your Microsoft 365 for education account. We managed one week using a mobile hotspot but the signal was not that good and a few of the kids kept getting bumped out or loosing connection. The following week we realized that there were some live eithernet ports on the wall and they had access to the internet at good speed. I hooked up the following week thinking we were all set only to find out that they must have some sort of firewall restricting some access. I was able to access some web pages but not others and we were unable to authenticate the microsoft accounts. We wound up having to use the Public wifi to get through the class.

I was hoping I would be able to use the travel router and VPN to either be able to more safely let everyone use the public wifi, or be able to tunnel through the Ethernet connection back to my home location to allow everyone to log in and enjoy the class. So far my attempts to prep for this don't seem very promising.
 
anav
Forum Guru
Posts: 23358
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Wireguard Peer not able to reach internet

Sat Apr 05, 2025 5:04 am

To config vlan filtering, it is always a good idea to take an unused port, or temporarily use a less important port, and take it off the bridge.
Give it an IP address and config from there safely.

Okay how to create an offbridge port. REMOVE ether5 from /interface bridge ports

/interface ethernet
set [ find default-name=ether5 ] comment=OffBridge5

/interface list
add list=TRUSTED

/interface list member
add interface=OffBridge5 list=TRUSTED
add interface=OffBridge5 list=LAN

/ip address
add address=192.168.77.1/30 interface=OffBridge5 network=192.168.77.0

Now simply plug in laptop to ether5 on the router, change IPV4 settings on the laptop to 192.168.77.2 and you should be in!!
Repeat for any mikrotik device when doing vlans and bridge.
 
TCLynx
newbie
Topic Author
Posts: 25
Joined: Fri Apr 04, 2025 7:42 pm

Re: Wireguard Peer not able to reach internet

Sat Apr 05, 2025 5:19 am

To config vlan filtering, it is always a good idea to take an unused port, or temporarily use a less important port, and take it off the bridge.
Give it an IP address and config from there safely.

Okay how to create an offbridge port. REMOVE ether5 from /interface bridge ports

/interface ethernet
set [ find default-name=ether5 ] comment=OffBridge5

/interface list
add list=TRUSTED

/interface list member
add interface=OffBridge5 list=TRUSTED
add interface=OffBridge5 list=LAN

/ip address
add address=192.168.77.1/30 interface=OffBridge5 network=192.168.77.0

Now simply plug in laptop to ether5 on the router, change IPV4 settings on the laptop to 192.168.77.2 and you should be in!!
Repeat for any mikrotik device when doing vlans and bridge.
Ok, I'm intrigued, but I fear much of this just went right over my head.
So I think you are telling me that I need to use ether5 to create a vlan that is not part of the bridge, make a list and mark this OffBridge5 as TRUSTED and LAN,
give it a separate IP address and network.

Next you lose me a little bit when telling me to plug a laptop into it and change the IPv4 setting on the laptop. I'm not sure how changing settings on a laptop will help when it is the travel router that I really want to set up as trusted with the WireGuard VPN.
Would it work to plug the travel router into ether5 temporarily and access it with the laptop to adjust the settings there? But I'm not entirely clear on what I'm trying to do with changing the IPv4 settings on the laptop and how that will help me get the VPN working quicker?
 
eltikpad
Member Candidate
Posts: 123
Joined: Sun Jan 12, 2025 10:54 pm

Re: Wireguard Peer not able to reach internet

Sat Apr 05, 2025 5:40 am

It’s a good idea to set up a port like this, just so that you don’t accidentally lock yourself out of the router. For some reason this particular config doesn’t set up a DHCP server for this network, so you have to manually configure your laptop interface IP address to access it. Also, ignore the part about vlan filtering; you are not using vlans.

It is unusual that your vlan connection is so slow. It would be interesting to put a Wireguard client on your laptop, and access the VPN without the travel router to see how it is.

Beware that you will still be limited to the upstream and downstream bandwidth of your home ISP connection, and there will be some latency from bouncing your packets back and forth between your house and Miami (from the trace routes), but again, it shouldn’t be this slow.
 
TCLynx
newbie
Topic Author
Posts: 25
Joined: Fri Apr 04, 2025 7:42 pm

Re: Wireguard Peer not able to reach internet

Sat Apr 05, 2025 6:08 am

you mean vpn connection is so slow? Since I don't have a vlan set up.

I expect that a VPN is going to be slower than just plugging into the internet. But something is wrong when I can't even log in to microsoft or do a google search.
 
eltikpad
Member Candidate
Posts: 123
Joined: Sun Jan 12, 2025 10:54 pm

Re: Wireguard Peer not able to reach internet

Sat Apr 05, 2025 6:16 am

I seem to have misunderstood the current state here. Are you saying that general internet access through this router is now very slow? Or only traffic through the VPN connection?
 
TCLynx
newbie
Topic Author
Posts: 25
Joined: Fri Apr 04, 2025 7:42 pm

Re: Wireguard Peer not able to reach internet

Sat Apr 05, 2025 3:07 pm

Through the VPN connection is SLOW.

Through just the travel router connected to the public xfinitywifi without the VPN was working fine (at least when it would hold the connection, it seems to drop out more often and sometimes get funny about needing to approve the log in and stuff like that.) The tracert was pretty good on it anyway.

Once I turn on the VPN, it slows to a crawl and things like my norton password manager and microsoft log in just quit working.

I am now testing it directly on the laptop to see if the problem is in the travel router. Same issues directly on the laptop. My next step will be to take a drive to an alternative public wifi and see if it is the xfinitywifi that is buggering things but I'm kinda doubting it.
 
TCLynx
newbie
Topic Author
Posts: 25
Joined: Fri Apr 04, 2025 7:42 pm

Re: Wireguard Peer not able to reach internet

Sun Apr 06, 2025 1:36 am

So, I went out for a bit today with the travel router and the laptop.

I think the biggest issue today was that the public internet kept dropping out. Was really hard to do a tracert comparison because the internet was dropping out about every minute.

And the public internet has that captive portal thing where you need to get in and go to the web page to agree to the terms before it drops out and before you can confirm it's working and turn on a vpn.

So at this point I have the WireGuard set up between the travel router and the home router. I was able to test it out today on the other public internet and it was faster than it had been through xfinitywifi. I also tested out another VPN service that uses OpenVPN that works on the travel router. And then I was testing out the NordVPN free meshnet (however, that requires connecting through a computer and doesn't give me the option of directing all the traffic through a router, so not really helpful at the moment, since the point is to have something that I can easily direct all the traffic from the class through; the travel router wifi plus an Ethernet switch to plug in the devices that have that option was my plan to make this easier).