Hi there

I have a HEX S (RB760iGS) at home, acting as a router, capsman (controlling 2 CAP AC and 1 HAP AC2), where i used to run openVPN, and now migrated to Wireguard (super cool).

Since i help an ONG with their IT stuff (i work in IT myself), i got them the same router, mostly mirroring my configuration (but without openvpn).
I then connected that router to an ipsec vpn (softether) in an azure VM.

Said vpn was not fully ok for them, so when i learned about wireguard, i set it up in their Router as i had done on mine, and configured their windows 2019 VM as a peer. (i also added peers to the remote server so that they can either access it from the office via their router or on the go, like i do at home).

That works ok.

I also tried connecting my home to their router, which also works.

The only thing that does NOT work, is road warrior access to them.
Android/windows clients connect, but there is only info transfered, never received (log shows no handshake after 5 seconds and retries).

I read somewhere that ipsec configs might conflict with wireguard, but i believe i removed everything from the old config.

I have not added the wireguard interface to the LAN list (just like i did not at home), and i used individual rules to allow forward/input from the wireguard IPs to the lan/mikrotik (just like i did at home, but i did try adding it later on with no success).

I don't know what else to try, there are little differences between their TIK and mine (we have the same ISP, with the same modem set in bridge mode, we both have a switch connected to it, albeit in different ports, and what they don't have, is more tik devices, they have some lame tplink or nisuta wifi router used as a makeshift AP).

My Tik has the bridge set as "non root" and with 1 port set as "root port". Theirs, even if i did the same while configuring it, has the bridge set as "root" and all ports as "designated". (never touched that, so i don't know the difference or if it could be a problem).
Both devices have the bridge with "arp enabled" (theirs had it as proxy arp for something needed on the ipsec vpn, but i set it as mine when i removed ipsec)
In my device, under the switch section, every port has Defailt VLAN ID 1, and in their case, only the ethernet1 (used for internet) port has it.
We don't use vlans (neither at home, nor at their super small office).

I am tempted to go and reset their whole thing, but i am trapped at home with covid and they only stop working on sundays.

In the attached picture you will see all the info i think is relevant.

At home, i used 172.17.118.0/24 (don't ask) for the LAN range and 10.200.1.0/24 for wireguard (tik device is always .254).
In their case its 10.0.2.0/24 for LAN and 10.0.1.0/24 for wireguard (kept the softether ip range so that they had no reconfigurations needed). .254 is always their TIK and .253 is their cloud server.

When all failed, i recreated the road warrir peers, and also created a new wireguard server with a different range (10.200.2.0/24) to test with the road warriors, which still failed.
I then connected my TIK to theirs on this new device/ip, and it worked.

I seem to understand that its only working when the endpoint and port is defined and not for road warriors.

I usually add my peers with /32 in the tik peer section, but i tried one with /24 too (seen on the picture).

I am out of ideas.

One step at a time.
1. Can a road warrior connect to your Router?
2. If so, the steps/settings for the office Router would be the same!!!

So determine the differences between the two hexes.
a. ISP type
b. ISP equipment

Suggest you post your hex config here
/export file=anynameyouwish and we can see if there is anything that stands out.

This is a dirt simple wg configuration so it may be routes and firewalls getting in the way!

example of my road warrior setup.

IP IPHONE:
WG INTERFACE
Public key: xxxxx { to give my mikrotik server }
Addresses: 10.2.30.2/32 { fake source address to be assigned to my IPHone for the purposes of traversing the tunnel }
DNS Servers: 1.1.1.1,9.9.9.9 { use standard dns servers available }

PEER
Public key=yyyyy { from the mikrotik server }
Endpoint: mynetnameMTdevice:54545
keep-alive=30 seconds { not actually on my iphone but would be applicable for a road warrior on a laptop for example }
Allowed IP: 0.0.0.0/0 { as I wish to use access for internet and subnets }

Note: this is a critical setting as its not clear what the road warrior access to the office HEX is to be used for ???
For example if the intent is for the road warrior to access a specific IP address, then that is what should be inserted for Allowed Address. 192.168.5.10/32
If its an entire subnet then put the subnet 192.168.5.0/24. If its for the internet 0.0.0.0/0. If its for internet and anything on the LAN already covered by 0.0.0.0/0

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

MT ROUTER
WG interface
Public Key=yyyyy
Listening Port = 54545

PEER
Public Key=xxxx from Iphone
Allowed IPs = 10.2.30.2/32

+++++++++++++++++++++++++++++++++++++++++++++

IP routes
dst-address=10.2.30.2/32 gwy=nameofWGinterface table=main { required if one doesnt use IP address for wg interface }

Firewall addresses: (assumes use of drop all rules at end of forward chain)
add chain=forward action=accept in-interface=wginterfacename dst-address=subnet or IP address src-address=10.2.30.2/32 { addresses subnet or server access }
add chain=forward action=accept in-interface=wginterfacename out-interface=WAN src-address=10.2.30.2/32

One step at a time.
1. Can a road warrior connect to your Router?
2. If so, the steps/settings for the office Router would be the same!!!

So determine the differences between the two hexes.
a. ISP type
b. ISP equipment

Suggest you post your hex config here
/export file=anynameyouwish and we can see if there is anything that stands out.

This is a dirt simple wg configuration so it may be routes and firewalls getting in the way!

Hi!

Its ironic that i am strugging, because it should be easy, i did both and i hand copied their router's config from mine...

I can connect to mine no problem in "road warrior mode".
I can even connect to the azure server like that.
I can't to theirs, it seems to be no answer

The router is the same model, the ISP is the same (i have a 40mb service, they 30, but the rest is the same).
And the ISP device is the same model and both are in bridge mode (all functions disabled, public IP handled to the mikrotik port).

Should i export both mine and their configs?

Anything i should "anonimise" first?

Thanks!

example of my road warrior setup.

IP IPHONE:
WG INTERFACE
Public key: xxxxx { to give my mikrotik server }
Addresses: 10.2.30.2/32 { fake source address to be assigned to my IPHone for the purposes of traversing the tunnel }
DNS Servers: 1.1.1.1,9.9.9.9 { use standard dns servers available }

PEER
Public key=yyyyy { from the mikrotik server }
Endpoint: mynetnameMTdevice:54545
keep-alive=30 seconds { not actually on my iphone but would be applicable for a road warrior on a laptop for example }
Allowed IP: 0.0.0.0/0 { as I wish to use access for internet and subnets }

Note: this is a critical setting as its not clear what the road warrior access to the office HEX is to be used for ???
For example if the intent is for the road warrior to access a specific IP address, then that is what should be inserted for Allowed Address. 192.168.5.10/32
If its an entire subnet then put the subnet 192.168.5.0/24. If its for the internet 0.0.0.0/0. If its for internet and anything on the LAN already covered by 0.0.0.0/0

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

MT ROUTER
WG interface
Public Key=yyyyy
Listening Port = 54545

PEER
Public Key=xxxx from Iphone
Allowed IPs = 10.2.30.2/32

+++++++++++++++++++++++++++++++++++++++++++++

IP routes
dst-address=10.2.30.2/32 gwy=nameofWGinterface table=main { required if one doesnt use IP address for wg interface }

Firewall addresses: (assumes use of drop all rules at end of forward chain)
add chain=forward action=accept in-interface=wginterfacename dst-address=subnet or IP address src-address=10.2.30.2/32 { addresses subnet or server access }
add chain=forward action=accept in-interface=wginterfacename out-interface=WAN src-address=10.2.30.2/32

More or less what i have, i think.

The idea with the road warrior was for me to be able to access winbox without a dedicated pc and remote access to it, and for anyone to acces whatever they may need (most usually to print something for the people not from remote).

Yes, sounds reasonable, I do the same think, access my router remotely for config purposes.
Yes, at this point the only thing would be to see the two configs.

As far as sensitive, public IPs and public gateways ( sometimes they crop up if routes are displayed etc. )

There goes.

You will notice i don't use keepalive normally, mostly because i saw no need for that when i was "road warrioring into my home".

If i don't use it on their config against the azure server or against my TIK, then until they ping the other side the conection does not work for the cloud/my tik.

Yeah I had a once over and dont see what would be blocking it.

Yeah I had a once over and dont see what would be blocking it.

That's sad

Any way i can trace/snoop whats happening with the connection ?

Someone with more experience than I, may be able to help you on that front.
The only thing I would do is clean up your firewall rules and have about 10,000 less rules and clearer rules.
THats personal preference, your rules seem to be working fine for you so no need to change, but to be honest for anyone to
read what you are doing is no easy chore.

I put my WireGuard interface on the list of internal interfaces (LAN on the default configuration).

This will solve most problems, like masquerading (if needed), firewall rules, forwarding internal to WireGuard road warriors, etc.

The only firewall rule I add is to accept UDP port 13231 in the input chain (don't bother with the interface if you allow *all out*).

Someone with more experience than I, may be able to help you on that front.
The only thing I would do is clean up your firewall rules and have about 10,000 less rules and clearer rules.
THats personal preference, your rules seem to be working fine for you so no need to change, but to be honest for anyone to
read what you are doing is no easy chore.

Well, my rules are kinda old (back when i learned about mikrotik, i knew iptables, but i looked arround for "skeletons" to build them.
I did remove stuff overtime.

Maybe the "mangle" section is kinda long, and can be improved while keeping the same queue tree functionality?

The filter part is not really "mine".

I put my WireGuard interface on the list of internal interfaces (LAN on the default configuration).

This will solve most problems, like masquerading (if needed), firewall rules, forwarding internal to WireGuard road warriors, etc.

The only firewall rule I add is to accept UDP port 13231 in the input chain (don't bother with the interface if you allow *all out*).

Tried doing that, did nothing.

I might end up setting the azure one so that i can access the office mikrotik while connected to the server

Why do you use capsman on the hex, do you have a number of APs attached??

Why do you use capsman on the hex, do you have a number of APs attached??

That's my personal one, yes, at home i have 2 CAP AC and 1 HAP AC2 for wifi. (overkill, but had them laying arround after some failed proyects).

There is no capsman where roadwarrior does not work tho.

Well, your post about my firewall prompted me to look at the default one and, i think, set it in a simpler way (i left the syn flood, port scanner and bogons stuff there, but removed the "support/wireguard lists and went with the LAN/!LAN option (added each wireguard interface to the LAN list too).

Still, i could not solve or understand my issue.

Its a fact that the site2site and site2azurevm ones work, but no roadwarrior.

I even made a 3rd interface/subnet for roadwarrior peers with no luck, i still see only transfer but no reception and handshake never completes.

I removed the old configs and here is the new one (for the record, i tried removing the non standard filter part and even disabled all the mangle stuff needed for queue tree, with no luck).

With this version tho, the "my home <> offcie" tunnel works perfectly so i left it enabled.

Right now, i have no need of the road warrior option, BUT, i believe i might in the future, and have no further idea of how to get it going.

I dont see any glaring showstoppers regarding whats preventing your wireguard connection.
Presuming the clients were set up okay.

I dont see any glaring showstoppers regarding whats preventing your wireguard connection.
Presuming the clients were set up okay.

They should be ok since i am testing with a notebook and android phone, i am able to use them on my home device but not on this other one.

Fearing i might have done something wrong with the keys, i recreated the peers and configs a few times too

And since this is new to me, i have no idea how to debug it.

And then... i went to my parents home to try again (i have a mikrotik there too).
I failed in the SAME way... but then it hit me.... my home has a real public IP and both the office and my parents home has double nat. (handled by the ISP).

In that case, the HOME ROUTER should be the SERVER for both connections and both the office and relatives should be clients during the initial establishment of the tunnel.

If you provide full config for all three, I will take a look.

In terms of the other devices........ Having an ISP router will not have any detrimental affect unless a peer is trying to go out the INTERNET via the office or relatives WANIP.
IF all internet bound traffic via WG is coming out your home router, no worries.

In that case, the HOME ROUTER should be the SERVER for both connections and both the office and relatives should be clients during the initial establishment of the tunnel.

If you provide full config for all three, I will take a look.

In terms of the other devices........ Having an ISP router will not have any detrimental affect unless a peer is trying to go out the INTERNET via the office or relatives WANIP.
IF all internet bound traffic via WG is coming out your home router, no worries.

I am not using wireguard to go to internet, it is just for the remote access.

Then again, i don't wan't my home to be the center of all that

If the ISP rejects my request for a true public ip or a port redirection, i will revive the idea of having a miktoritk cloud router (it is already created) on the azure sponsorship i got this ONG (will probably need to buy the license to lift the limitations tho).

Did you find a solution to this?