
WireGuard, can't get access into LAN and have no Internet

Posted: Tue Jul 25, 2023 10:20 am
by ictoplossing
Hello,
I've configured WireGuard (via cloud host) on my MikroTik; I can connect, but I can't get access into the LAN and have no Internet.

Where am I wrong?

I guess there should be a firewall rule between the VLAN with Internet access and the wireguard1 interface?

Can anybody help me, please?
/interface bridge
add admin-mac=00:2C:00:D4:00:00 arp=proxy-arp auto-mac=no comment=defconf \
    name=bridge vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=belgium disabled=no distance=indoors frequency=auto installation=\
    indoor mode=ap-bridge ssid="Net" wireless-protocol=802.11
/interface wireguard
add listen-port=443 mtu=1420 name=wireguard1
/interface vlan
add interface=ether1 name=vlan1 vlan-id=10
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan1 name=pppoe-out1 \
    use-peer-dns=yes user=NET
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=10.0.0.10-10.0.0.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set default-profile=*1 use-ipsec=required
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=9.0.0.3/32 interface=wireguard1 public-key=\
    "gL0X0+RPyXXXXXXXXXXXXXXXXcFxOFjaNVm0="
/ip address
add address=10.0.0.1/24 comment=defconf interface=bridge network=10.0.0.0
add address=9.0.0.1/24 interface=wireguard1 network=9.0.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.0.0.0/24 comment=defconf dns-server=10.0.0.1 gateway=10.0.0.1 \
    netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.0.0.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Allow WireGuard / SSL port" dst-port=\
    443 protocol=udp
add action=accept chain=forward comment="Allow WireGuard traffic" \
    in-interface=wireguard1 out-interface-list=WAN src-address=9.0.0.3
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=dst-nat chain=dstnat comment=VPN disabled=yes dst-port=443 \
    protocol=tcp to-ports=443
/ip upnp
set enabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
Thanks in advance!

Re: WireGuard, can't get access into LAN and have no Internet

Posted: Tue Jul 25, 2023 12:36 pm
by anav
Can you confirm you have two MikroTiks?
One in the cloud that you connect to from the MikroTik at home.
If so, we would need both configs.......

Also, it's not clear, so a network diagram to illustrate your plan would be great.

Re: WireGuard, can't get access into LAN and have no Internet

Posted: Tue Jul 25, 2023 3:30 pm
by ictoplossing
Can you confirm you have two MikroTiks?
One in the cloud that you connect to from the MikroTik at home.
If so, we would need both configs.......

Also, it's not clear, so a network diagram to illustrate your plan would be great.
Hi Anav,
I have one home router; I need to get access into my local network from another place, from my work PC. A simple home VPN.
Client-server connection.

Re: WireGuard, can't get access into LAN and have no Internet

Posted: Tue Jul 25, 2023 3:51 pm
by anav
Got it, so basically the Windows WireGuard client from a laptop/desktop at work, a laptop from a remote location (coffee shop), or a smartphone/pad from a remote location.
Ensure you get the Windows WG client from the WireGuard home page and not from Microsoft itself.

To be clear, do you simply want to reach the home LAN, or did you want to use the home Internet?
I caution that if you don't have permission from WORK IT to add a VPN and access the Internet bypassing the WORK setup, you could be in violation of their rules, which I do not condone and for which you should be fired. In any case I will assume this is not the case. :-)

COMMENTS:
(1) Add vlan1 as a WAN list member!
(2) You only have one WG client listed; surely you have more, LOL (iPhone, iPad, etc.).
(3) REMOVE the IP DHCP client, as your WAN interface setup is done through the PPPoE interface settings!
(5) Firewall rules are disorganized; put all input chain rules together and then the forward chain rules, much easier to read/troubleshoot.
(6) Unless you use IPv6, get rid of all entries except what I have installed. If you use IPv6, then someone else should help, LOL.
(7) UPnP removed; it should not be needed!! Why do you have it?

(4) REMOVE SSL PORT 443 (input chain); it has nothing to do with WireGuard, and if you have a server on the LAN, as I see you have a destination NAT rule with 443, then it has nothing to do with the input chain either. Okay, this needs more discussion. The question is WHY did you use 443 for WireGuard? The only reason to do this is if the work IT system blocks all other ports. Is this the case??

Config predicated upon the answer to 4...

Re: WireGuard, can't get access into LAN and have no Internet

Posted: Tue Jul 25, 2023 4:29 pm
by ictoplossing
Got it, so basically the Windows WireGuard client from a laptop/desktop at work, a laptop from a remote location (coffee shop), or a smartphone/pad from a remote location.
Yes, that's what I mean!
Ensure you get the Windows WG client from the WireGuard home page and not from Microsoft itself.
Yes, I did that and configured it. I can connect via the WireGuard app but don't have access into the home LAN.
(4) REMOVE SSL PORT 443 (input chain); it has nothing to do with WireGuard, and if you have a server on the LAN, as I see you have a destination NAT rule with 443, then it has nothing to do with the input chain either. Okay, this needs more discussion. The question is WHY did you use 443 for WireGuard? The only reason to do this is if the work IT system blocks all other ports. Is this the case??
Exactly! :D I work from a guarded network where all ports are blocked except the 443 SSL port :)

Do you have any advice? Must I remove all firewall rules and begin again?

Re: WireGuard, can't get access into LAN and have no Internet

Posted: Tue Jul 25, 2023 5:02 pm
by anav
Pay attention to interface list members and firewall/nat rules.
.....
/interface bridge
add arp=proxy-arp auto-mac=no comment=defconf \
    name=bridge vlan-filtering=yes
/interface wireguard
add listen-port=443 mtu=1420 name=wireguard1
/interface vlan
add interface=ether1 name=vlan1 vlan-id=10
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan1 name=pppoe-out1 \
    use-peer-dns=yes user=NET
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=10.0.0.10-10.0.0.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=wireguard1 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1  list=WAN
/interface wireguard peers
add allowed-address=9.0.0.3/32 interface=wireguard1 public-key=\
    "gL0X0+RPyXXXXXXXXXXXXXXXXcFxOFjaNVm0="
/ip address
add address=10.0.0.1/24 comment=defconf interface=bridge network=10.0.0.0
add address=9.0.0.1/24 interface=wireguard1 network=9.0.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=10.0.0.0/24 comment=defconf dns-server=10.0.0.1 gateway=10.0.0.1 \
    netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.0.0.1 comment=defconf name=router.lan
/ip firewall filter
{ Input Chain }
(default rules)
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
(admin rules)
add action=accept chain=input comment="wireguard handshake" dst-port=443 protocol=udp
add action=accept chain=input comment="allow LAN access"  in-interface-list=LAN
add action=drop chain=input comment="Drop all else"  { put this rule in last of all the rules, at least ensuring the allow LAN rule above is in place first }
{ Forward Chain }
(default rules)
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
(admin rules)
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="home access" in-interface=wireguard1 out-interface-list=LAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall filter
add action=drop  chain=input comment="drop all"
add action=drop  chain=forward comment="drop all"

Re: WireGuard, can't get access into LAN and have no Internet

Posted: Tue Jul 25, 2023 9:38 pm
by ictoplossing
Pay attention to interface list members and firewall/nat rules.
Hi Anav,
Maybe I am stupid? :/

I've removed all rules and did it all again:
/interface bridge
add admin-mac=DX:xx:xx:xx:xx:F3 arp=proxy-arp auto-mac=no comment=defconf \
    name=bridge vlan-filtering=yes
/interface wireguard
add listen-port=443 mtu=1420 name=wireguard1
/interface vlan
add interface=ether1 name=vlan1 vlan-id=10
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan1 name=pppoe-out1 \
    use-peer-dns=yes user=NET
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=10.0.0.10-10.0.0.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set default-profile=*1 use-ipsec=required
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wireguard1 list=LAN
add interface=pppoe-out1 list=WAN
add interface=vlan1 list=WAN
/interface wireguard peers
add allowed-address=9.0.0.3/32 interface=wireguard1 public-key=\
    "gL0X0+xxxxxxxxxxxxxxxOFjaNVm0="
/ip address
add address=10.0.0.1/24 comment=defconf interface=bridge network=10.0.0.0
add address=9.0.0.1/24 interface=wireguard1 network=9.0.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.0.0.0/24 comment=defconf dns-server=10.0.0.1 gateway=10.0.0.1 \
    netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.0.0.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-nat-state="" \
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="wireguard handshake" dst-port=443 \
    protocol=udp
add action=accept chain=input comment="allow LAN access" in-interface-list=\
    LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="internet traffic" in-interface-list=\
    LAN out-interface-list=WAN
add action=accept chain=forward comment="home access" in-interface=wireguard1 \
    out-interface-list=LAN
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=input comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=drop chain=input comment="drop all"
add action=drop chain=forward comment="drop all"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
This is the WireGuard config:
[Interface]
PrivateKey = gL0X0xxxxxxxxxxxxxxxxVm0=
Address = 9.0.0.3/32
DNS = 8.8.8.8

[Peer]
PublicKey = q6asXxxxxxxxxxxxxxxxvSQ=
AllowedIPs = 0.0.0.0/0
Endpoint = dexxxxxxxxxxaf.sn.mynetname.net:443
PersistentKeepalive = 10

Where am I wrong?..

Re: WireGuard, can't get access into LAN and have no Internet

Posted: Tue Jul 25, 2023 10:18 pm
by anav
Just need better attention to detail! ;-)


(1) Remove the line add interface=vlan1 list=WAN; it wasn't in the config provided?

(2) You failed to remove this line or disable it:

/ip dhcp-client
add comment=defconf interface=ether1


(3) Security-wise, you need this ASAP.
After the rule below (in italics), add the drop-all rule as shown:

add action=accept chain=input comment="allow LAN access" in-interface-list=LAN
add action=drop chain=input comment="Drop all Else"

**** OKAY, I see the problem: you added the input chain rule at the very bottom; move that up!!!!

(4) The drop-invalid-traffic rule in the forward chain should be ABOVE the allow-internet-traffic rule. It's the last default rule in the forward chain before the start of the admin-created rules for allowed traffic.

(5) YOU ARE MISSING the drop rule for the FORWARD CHAIN (it should be where you erroneously have the same input chain rule, aka for drop).

(6) You can remove all those IPv6 addresses.

(7) Tool mac-server (by itself) should be set to NONE; it's not a secure method to access the router's config.
Only the tool mac-server mac-winbox server should have the interface-list=LAN.

++++++++++++++++++++++++++++++++++++++
See if progress can be made....
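As an added illustration (not code from the thread or from MikroTik), here is a small Python model of RouterOS first-match filter evaluation, run over a constructed copy of the rule set posted above, to show the point of items (3) and (5): with the chain default of accept, a forward chain that ends in "drop invalid" lets through any new WAN connection that no rule matches, while adding the final drop changes the result. Packet attributes and the chain-default-accept behaviour are assumptions of this model.

```python
# First-match model of RouterOS '/ip firewall filter' evaluation (added example).
# Assumed, as in RouterOS: a packet that no rule matches is accepted by its chain.
import re

KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')
NOT_MATCHERS = {"action", "chain", "comment", "hw-offload", "disabled"}
FIELD = {  # rule matcher -> packet attribute; matchers not listed here never match
    "connection-state": "conn_state", "connection-nat-state": "nat_state",
    "in-interface-list": "in_list", "out-interface-list": "out_list",
    "in-interface": "in_iface", "out-interface": "out_iface", "protocol": "protocol",
    "dst-port": "dst_port", "src-address": "src", "dst-address": "dst",
    "ipsec-policy": "ipsec_policy",
}

def parse_rules(export):
    """Turn the 'add k=v ...' lines of an export (joining '\\' continuations) into dicts."""
    text = re.sub(r"\\\n\s*", "", export)
    return [{k: v.strip('"') for k, v in KV_RE.findall(line.strip()[4:])}
            for line in text.splitlines() if line.strip().startswith("add ")]

def matches(rule, pkt):
    """Every matcher of the rule must hit; a leading '!' negates, commas list values."""
    for key, val in rule.items():
        if key in NOT_MATCHERS or val == "":
            continue
        if key not in FIELD:
            return False
        negate = val.startswith("!")
        hit = pkt.get(FIELD[key]) in set(val.lstrip("!").split(","))
        if hit == negate:
            return False
    return True

def evaluate(rules, pkt):
    """Walk the packet's chain top to bottom; the first accept or drop decides."""
    for rule in rules:
        if rule["chain"] == pkt["chain"] and matches(rule, pkt):
            if rule["action"] in ("accept", "drop"):
                return rule["action"], rule.get("comment", "")
            # fasttrack-connection (passthrough=yes by default) keeps evaluating
    return "accept", "implicit: no rule matched, chain default is accept"

def chains_without_final_drop(rules):
    """Lint: chains whose last rule is not an unconditional drop."""
    bad = set()
    for chain in {r["chain"] for r in rules}:
        last = [r for r in rules if r["chain"] == chain][-1]
        if last["action"] != "drop" or any(
                k not in NOT_MATCHERS and v for k, v in last.items()):
            bad.add(chain)
    return bad

# Constructed from the second config posted in this thread: the forward chain ends
# with 'drop invalid', and the only unconditional drop sits in the input chain.
POSTED = """
add action=accept chain=input comment="defconf: accept established,related,untracked" \\
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="wireguard handshake" dst-port=443 protocol=udp
add action=accept chain=input comment="allow LAN access" in-interface-list=LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="home access" in-interface=wireguard1 out-interface-list=LAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="Drop all else"
"""
# The fix from the follow-up post: give the forward chain its own final drop.
FIXED = POSTED + 'add action=drop chain=forward comment="Drop all else"\n'

# Constructed packets: a WireGuard handshake to the router, a VPN client reaching
# the LAN, and a new connection arriving from WAN that matches no accept rule.
HANDSHAKE = dict(chain="input", protocol="udp", dst_port="443", in_list="WAN", conn_state="new")
WG_TO_LAN = dict(chain="forward", in_iface="wireguard1", in_list="LAN", out_list="LAN", conn_state="new")
WAN_PROBE = dict(chain="forward", in_list="WAN", out_list="LAN", conn_state="new", nat_state="")

if __name__ == "__main__":
    for name, export in ("posted", POSTED), ("fixed", FIXED):
        rules = parse_rules(export)
        print(name, [evaluate(rules, p) for p in (HANDSHAKE, WG_TO_LAN, WAN_PROBE)],
              "missing final drop:", chains_without_final_drop(rules))
```

Running it prints that the posted rule set accepts the WAN probe implicitly and flags the forward chain, while the fixed set drops it on "Drop all else".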

Re: WireGuard, can't get access into LAN and have no Internet

Posted: Wed Jul 26, 2023 1:11 pm
by ictoplossing
Hi Anav,
Thanks for your answer, but there is still the same problem: no traffic between WireGuard and the LAN... I did it all step by step.

Any idea?
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx arp=proxy-arp auto-mac=no comment=defconf \
    name=bridge vlan-filtering=yes
/interface wireguard
add listen-port=443 mtu=1420 name=wireguard1
/interface vlan
add interface=ether1 name=vlan1 vlan-id=10
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan1 name=pppoe-out1 \
    use-peer-dns=yes user=NET
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=10.0.0.10-10.0.0.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wireguard1 list=LAN
add interface=pppoe-out1 list=WAN
/interface wireguard peers
add allowed-address=9.0.0.3/32 interface=wireguard1 public-key=\
    "gL0X0xxxxxxxxxxxxxxxxaNVm0="
/ip address
add address=10.0.0.1/24 comment=defconf interface=bridge network=10.0.0.0
add address=9.0.0.1/24 interface=wireguard1 network=9.0.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server network
add address=10.0.0.0/24 comment=defconf dns-server=10.0.0.1 gateway=10.0.0.1 \
    netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.0.0.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-nat-state="" \
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="wireguard handshake" dst-port=443 \
    protocol=udp
add action=accept chain=input comment="allow LAN access" in-interface-list=\
    LAN
add action=drop chain=input comment="Drop all else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=\
    LAN out-interface-list=WAN
add action=accept chain=forward comment="home access" in-interface=wireguard1 \
    out-interface-list=LAN
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall filter
add action=drop chain=input comment="drop all"
add action=drop chain=forward comment="drop all"
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Re: WireGuard, can't get access into LAN and have no Internet  [SOLVED]

Posted: Wed Jul 26, 2023 2:30 pm
by anav
Looks good.
Add another client for testing purposes (9.0.0.4/32) from your phone for example and test using an external cellular connection to your router.
See if the handshake rule on the input chain is reached as you can see the counter increase by one.
This will confirm that your public IP is reachable for example and the request at least reaches your router.
If not, maybe the router is not reachable.
If it does tick up, then suspect you may have mixed up keys, for example.
From your phone over cellular, can you ping your router using the DynDNS URL???

Re: WireGuard, can't get access into LAN and have no Internet

Posted: Wed Jul 26, 2023 3:00 pm
by ictoplossing
Yes!! Thank you!

I can get access to the router (e.g., via browser at 10.0.0.1) and to my NAS (also via browser). But I can't get access to the shared SMB folders on my NAS (10.0.0.200).

Do you have any thoughts?

Greetings!

PS. Anav, you are amazing! :D

Re: WireGuard, can't get access into LAN and have no Internet

Posted: Wed Jul 26, 2023 3:14 pm
by anav
Okay, so let's recap.
a. WireGuard handshake works; the input chain rule is tripped.
b. You can reach the router from the client and can configure the router.
c. You can reach the bridge subnet.
d. You CANNOT reach a single device on the subnet, the NAS SERVER.

There is nothing on the router preventing access.
The problem is a firewall on the NAS that is not accepting the 9.0.0.3 address at its door, check the NAS settings............

Re: WireGuard, can't get access into LAN and have no Internet

Posted: Thu Jul 27, 2023 3:35 pm
by ictoplossing
Hi Anav,
Thanks for your help! The problem has been solved.

How can I buy you a beer? Send me your PayPal in PM, please.

Re: WireGuard, can't get access into LAN and have no Internet

Posted: Thu Jul 27, 2023 4:10 pm
by anav
Hi there, the payment is letting us all know what the issue was, so that we can better help others down the line, even if it's a NAS error, PC error, etc.