[admin@MikroTik] > /ip route add dst-address=0.0.0.0/0 distance=1 gateway=192.168.102.1 routing-mark=vpn
expected end of command (line 1 column 70)
/routing rule
add src-address=x.x.x.x/32 action=lookup-only-in-table table=vpnok, so that doesn't work:You need to define routing table first (in /routing/table) and route's parameter is now named routing-table. And instead of using mangle rule, you can use routing rule:
Code: Select all/routing rule add src-address=x.x.x.x/32 action=lookup-only-in-table table=vpn
> /routing/table/add name=pve-vpn
> /ip route add dst-address=0.0.0.0/0 distance=1 gateway=192.168.102.1 routing-table=pve-vpn
> /ip firewall nat add chain=srcnat out-interface=wireguard-client-pve action=masquerade
> /routing/rule/add src-address=192.168.1.105/32 action=lookup-only-in-table table=pve-vpn
input does not match any value of table
> /routing/table/print
Flags: D - dynamic; X - disabled, I - invalid; U - used
0 D name="main" fib
1 name="pve-vpn"
VPN is up and running, from MT:There's nothing clearly wrong here. You added new routing table with default gateway and told router that 192.168.1.105 should use it. So if 192.168.102.1 is reachable (you have some address/mask on WG interface where the subnet contains 192.168.102.1), if it's not blocked by local or remote firewall, tunnel works, etc... it should work.
[admin@MikroTik] > ping 192.168.102.1
SEQ HOST SIZE TTL TIME STATUS
0 192.168.102.1 56 64 85ms198us
1 192.168.102.1 56 64 37ms710us
2 192.168.102.1 56 64 37ms67us
3 192.168.102.1 56 64 37ms442us
sent=4 received=4 packet-loss=0% min-rtt=37ms67us avg-rtt=49ms354us max-rtt=85ms198us
❯ mtr 192.168.102.1 --report
Start: 2022-03-12T20:07:45+0000
HOST: k-desktop Loss% Snt Last Avg Best Wrst StDev
1.|-- 192.168.1.1 0.0% 10 0.4 0.4 0.3 0.5 0.0
2.|-- 192.168.102.1 0.0% 10 37.3 37.0 36.7 37.3 0.2
❯ mtr 192.168.102.3 --report
Start: 2022-03-12T20:15:29+0000
HOST: k-desktop Loss% Snt Last Avg Best Wrst StDev
1.|-- 192.168.1.1 0.0% 10 0.3 0.4 0.3 0.5 0.1
2.|-- 192.168.102.1 0.0% 10 37.4 37.3 37.0 37.8 0.3
3.|-- 192.168.102.3 0.0% 10 107.5 113.5 76.1 165.6 30.5
I can't ping anything except 192.168.1.x hosts from .105And ping from 192.168.1.105 to 192.168.102.1? Or anything else from 192.168.1.105, do you see it on wireguard-client-pve interface using Tools->Torch?
❯ ping 192.168.102.1
PING 192.168.102.1 (192.168.102.1) 56(84) bytes of data.
From 192.168.1.1 icmp_seq=3 Destination Net Unreachable
❯ ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
From 192.168.1.1 icmp_seq=1 Destination Net Unreachable
From 192.168.1.1 icmp_seq=2 Destination Net Unreachable
Config attached. I am pretty sure I've done everything that is mentioned in the above link for my particular needs.Did you use a systematic approach?
viewtopic.php?p=906311#p906311
Please post entire config
/export file=anynameyouwish
ok, so I am lost now. How can I display then add it? What I am looking at here:I see route, but not in pve-vpn table.
[admin@MikroTik] > ip/route/print where routing-table
Flags: D - DYNAMIC; A - ACTIVE; c, s, v, y - COPY
Columns: DST-ADDRESS, GATEWAY, DISTANCE
# DST-ADDRESS GATEWAY DISTANCE
DAv 0.0.0.0/0 pppoe-out1 0
DAc 38.242.191.252/32 pppoe-out1 0
DAc 192.168.1.0/24 bridge1 0
DAc 192.168.102.0/24 wireguard-client-pve 0
0 As 0.0.0.0/0 192.168.102.1 1
[admin@MikroTik] > routing/route/print
Flags: A - ACTIVE; c, s, v, y - COPY; H - HW-OFFLOADED
Columns: DST-ADDRESS, GATEWAY, AFI, DISTANCE, SCOPE, TARGET-SCOPE, IMMEDIATE-GW
DST-ADDRESS GATEWAY AFI DISTANCE SCOPE TARGET-SCOPE IMMEDIATE-GW
Av 0.0.0.0/0 pppoe-out1 ip4 0 30 10 pppoe-out1
Ac 38.242.191.252/32 pppoe-out1 ip4 0 10 pppoe-out1
Ac 192.168.1.0/24 bridge1 ip4 0 10 bridge1
Ac 192.168.102.0/24 wireguard-client-pve ip4 0 10 wireguard-client-pve
As 0.0.0.0/0 192.168.102.1 ip4 1 30 10 wireguard-client-pve
Ac fe80::%ether1/64 ether1 ip6 0 10 ether1
Ac fe80::%bridge1/64 bridge1 ip6 0 10 bridge1
A H ether1 link 0
A H ether2-master link 0
A H ether3 link 0
A H pppoe-out1 link 0
A H bridge1 link 0
A H wireguard-client-pve link 0
I removed that rule:"/ip/route/print detail" shows more info, including routing table. But since in /routing/route/print it points to wireguard-client-pve, it looks like you have the right one. But then you posted older config (routing rule is missing there too).
/routing/rule/add src-address=192.168.1.105/32 action=lookup-only-in-table table=pve-vpnIt is Wireguard installed on Debian. There are two clients configured on it. My MT router at home and my mobile phone for test purposes. With my mobile connected to it I can access anything I want routed via the VPN. From MT (client) I can ping Wireguard server IP (192.168.102.1), I don't know though how can I run traceroute from MT using other than default gw. for example 192.168.102.1Well its not clear to me what is at the other end of the wireguard tunnel, another MT device, a third party VPN?
It is not clear to me what other uses of the wireguard tunnel are currently in place,,,, are there any other local users on that tunnel? Is it for inbound traffic reaching your subnets or internet?
A clear picture is very helpful to ensure the config covers everything......
[admin@MikroTik] > tool/traceroute interface=wireguard-client-pve 1.1.1.1
Columns: ADDRESS, LOSS, SENT, LAST, AVG, BEST, WORST, STD-DEV, STATUS
# ADDRESS LOSS SENT LAST AVG BEST WORST STD-DEV STATUS
1 192.168.102.2 0% 3 0.4ms 0.4 0.3 0.5 0.1 host unreachable from 192.168.102.2
2 0% 0 0ms
[admin@MikroTik] > tool/traceroute interface=wireguard-client-pve 192.168.102.1
Columns: ADDRESS, LOSS, SENT, LAST, AVG, BEST, WORST, STD-DEV
# ADDRESS LOSS SENT LAST AVG BEST WORST STD-DEV
1 192.168.102.1 0% 6 36.4ms 44.7 36.4 84.2 17.7
Not sure if I understand, but it is installed on bare metal Dell server in Poland in my dad's company if that make sense.Okay your explanation is not clear but I will try to make sense of it.
A. You have a wireguard Server Debian OS WHERE? On WHAT?
correctB. YOu have two wireguard clients that connect to the Debian Device, a MT device at home, and a smart phone (mobile)
internet only, I don't need to access remote LAN network.The smart phone connects to the debian only for internet and anything else?
No, it just connects to Wireguard on Debian and then access the internet routed through it. This is for test purposes to verify if VPN itself works as expected.The smart phone connects to the debian and then enters another tunnel and connects to the MT for internet? or anything else?
No, MT has just a tunnel to Debian, the purpose is to configure single client/IP in MT local network to go through that tunnel. Rest clients should access Internet as normal via the MT pppoe.the MT (user(s) connects to the debian for internet ?
Internet only routed via Debian for single IP behind the MT. Don't need to access remote (Debian) LAN.The MT (user(s) connects to the debian for accessing a subnet or server?
It doesn't make any sense:Easy peasy. Looks like most is done!
(1) remove IP address for wg interface
(2) add necessary route for regular traffic (done already)
(3) add 'forcing' route for single IP out wg interface
dst-address=0.0.0.0/0 gwy=WANIP gateway table=main {this should already exist as you have checked off add IP route - YES at the pppoe client setup!}
dst-address=0.0.0.0/0 gwy=wireguard-client-pve table=pve-vpn
[admin@MikroTik] > ip/address/print
Flags: D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE
# ADDRESS NETWORK INTERFACE
;;; defconf
0 192.168.1.1/24 192.168.1.0 ether2-master
1 D x.x.x.x/32 38.242.191.252 pppoe-out1
2 192.168.102.2/24 192.168.102.0 wireguard-client-pve
[admin@MikroTik] > ip/address/remove numbers=2
dst-address=0.0.0.0/0 gwy=WANIP gateway table=main {this should already exist as you have checked off add IP route - YES at the pppoe client setup!}
dst-address=0.0.0.0/0 gwy=wireguard-client-pve table=pve-vpn
It sometimes happens with @anav's advices.It doesn't make any sense:
They are mostly fine, but he has this personal "quest against addresses" and that one doesn't always work very well.I've changed it to:It sometimes happens with @anav's advices. :lol: They are mostly fine, but he has this personal "quest against addresses" and that one doesn't always work very well.It doesn't make any sense:
Btw, I found the problem, you have allowed-address=192.168.102.0/24 for peer, so that's the only subnet you'll be able to access. It you want access to anything on internet, you need allowed-address=0.0.0.0/0.
add allowed-address=0.0.0.0/0 endpoint-address=46.x.x.x \
endpoint-port=8443 interface=wireguard-client-pve public-key=\
"XXXX"
/routing/rule/add src-address=192.168.1.105/32 action=lookup-only-in-table table=pve-vpn
it didn't make any difference. I can't ping Debian Wireguard IP (192.168.102.1), I can only ping local MT Wireguard IP (102.2) and local network IPs from 192.168.1.0 network. So unlikely this was a problem.Since allowed-address explains why this didn't work, try it again.
I agree that it should but it doesn'tIt should. You have route, you have srcnat, firewall doesn't block it. It's possible that access to internet wouldn't work because of something on server side. But at least ping to 192.168.102.1 must work, if it works from router itself.
❯ mtr 192.168.102.1 --report
Start: 2022-03-13T00:32:52+0000
HOST: k-desktop Loss% Snt Last Avg Best Wrst StDev
1.|-- 192.168.1.1 0.0% 10 0.5 0.5 0.4 0.5 0.0
2.|-- 192.168.102.1 0.0% 10 37.1 37.0 36.7 37.1 0.1
add allowed-address=192.168.102.0/24 endpoint-address=46.x.x.x \
endpoint-port=8443 interface=wireguard-client-pve public-key=\
"XXXX"
/routing/rule/add src-address=192.168.1.39/32 action=lookup-only-in-table table=pve-vpn
/ip route
add distance=1 dst-address=0.0.0.0/0 gateway=192.168.102.1ok, got it working now.Is it same "From 192.168.1.1 icmp_seq=3 Destination Net Unreachable" as before or something else? And the route, in export it was:
but it was either some export error or old config and it definitely has routing-table=pve-vpn now, correct?Code: Select all/ip route add distance=1 dst-address=0.0.0.0/0 gateway=192.168.102.1
ip/route/add dst-address=0.0.0.0/0 routing-table=pve-vpn gateway=wireguard-client-pve
/routing/rule/add src-address=192.168.1.39/32 action=lookup-only-in-table table=pve-vpn
****@MikroTik] > /ip/route/print detail
Flags: D - dynamic; X - disabled, I - inactive, A - active; c - connect, s - static, r - rip, b - bgp, o - ospf, d - dhcp, v - vpn, m - modem, y - copy; H - hw-offloaded; + - ecmp
0 Xs dst-address=0.0.0.0/0 routing-table=to_WAN02 pref-src="" gateway=eth5 - WAN2 (4G) check-gateway=ping distance=2 scope=255 target-scope=10 suppress-hw-offload=no
1 Xs dst-address=0.0.0.0/0 routing-table=to_WAN01 pref-src="" gateway=PPPoE - ZEN check-gateway=ping distance=1 scope=255 target-scope=10 suppress-hw-offload=no
D d dst-address=0.0.0.0/0 routing-table=main pref-src="" gateway=10.241.127.182 immediate-gw=10.241.127.182%eth5 - WAN2 (4G) distance=2 scope=30 target-scope=10 vrf-interface=eth5 - WAN2 (4G) suppress-hw-offload=no
DAv dst-address=0.0.0.0/0 routing-table=main pref-src="" gateway=PPPoE - ZEN immediate-gw=PPPoE - ZEN distance=1 scope=30 target-scope=10 vrf-interface=PPPoE - ZEN suppress-hw-offload=no
DAc dst-address=10.241.127.180/30 routing-table=main gateway=eth5 - WAN2 (4G) immediate-gw=eth5 - WAN2 (4G) distance=0 scope=10 suppress-hw-offload=no local-address=10.241.127.181%eth5 - WAN2 (4G)
DAc dst-address=51.148.77.133/32 routing-table=main gateway=PPPoE - ZEN immediate-gw=PPPoE - ZEN distance=0 scope=10 suppress-hw-offload=no local-address="my public IP"%PPPoE - ZEN
DAc dst-address=172.16.10.0/23 routing-table=main gateway=BRIDGE immediate-gw=BRIDGE distance=0 scope=10 suppress-hw-offload=no local-address=172.16.11.1%BRIDGE
2 As dst-address=192.168.11.0/24 routing-table=main pref-src="" gateway=WG-MikroTik-GB immediate-gw=WG-MikroTik-GB distance=1 scope=30 target-scope=10 suppress-hw-offload=no
DAc dst-address=192.168.88.0/24 routing-table=main gateway=WG-MikroTik-GB immediate-gw=WG-MikroTik-GB distance=0 scope=10 suppress-hw-offload=no local-address=192.168.88.2%WG-MikroTik-GB
3 As dst-address=0.0.0.0/0 routing-table=WG pref-src="" gateway=192.168.88.1 immediate-gw=192.168.88.1%WG-MikroTik-GB check-gateway=ping distance=1 scope=30 target-scope=10 suppress-hw-offload=no
ip firewall nat add chain=srcnat out-interface=ovpn-out1 action=masqueradeip dhcp-client set wlan1 default-route-distance=10routing table add name=mark_WAN1 fib
routing table add name=mark_VPN fib
ip firewall mangle add chain=prerouting in-interface=bridge action=mark-routing new-routing-mark=mark_WAN1 passthrough=no
ip firewall mangle add chain=prerouting in-interface=bridge2 action=mark-routing new-routing-mark=mark_VPN passthrough=no
ip route add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=mark_WAN1