knute
just joined
Topic Author
Posts: 6
Joined: Tue Aug 11, 2015 6:39 pm

WireGuard - can't get to the LAN devices - SOLVED

Fri Dec 08, 2023 1:02 am

I'm trying to connect from my Linux desktop to my Mikrotik router with WireGuard and access the devices on the LAN. I followed the instructions on the Mikrotik documentation (https://help.mikrotik.com/docs/display/ ... uardtunnel) and I can connect to the router. I can ping the router. I can ssh into the router. I can't ping or access any of the numerous devices on the LAN.

Also please see my Dec 03 post about port forwarding having similar problems. We must have something mis-configured in our router but I don't know where to start to look.
Last edited by knute on Sun Dec 17, 2023 12:18 am, edited 1 time in total.
 
anav
Forum Guru
Posts: 22089
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard - can't get to the LAN devices

Fri Dec 08, 2023 1:06 am

you can start by posting your mikrotik config
/export file=anynameyouwish (minus router serial #, public WAN IP info, keys etc.)

plus linux client wg settings.
 
knute
just joined
Topic Author
Posts: 6
Joined: Tue Aug 11, 2015 6:39 pm

Re: WireGuard - can't get to the LAN devices

Sat Dec 09, 2023 12:32 am

I just noticed all of these /ip arp entries that I didn't know were there. My compatriot configured this and ran some kind of a scan to get all of those. He doesn't remember exactly what he did.

Thanks for looking!

PS

For some reason now I am able to ping a lot of the devices on the LAN. Not all but a lot.

# 2023-12-08 21:51:43 by RouterOS 7.12.1
# software id = 2NNB-MPRM
#
# model = RB750Gr3
# serial number = HDFxxxxxxxx
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:76 arp=proxy-arp auto-mac=no comment=\
"defconf - proxy arp for pptp" name=bridge
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add comment="GIVES 8 ADDRESSES FOR VPN 192.168.146.196-203 " name=PPTP-POOL \
ranges=192.168.146.196-192.168.146.203
/ip dhcp-server
add address-pool=PPTP-POOL disabled=yes interface=bridge lease-time=10m name=\
defconf
/port
set 0 name=serial0
/ppp profile
add interface-list=LAN local-address=PPTP-POOL name=pptp remote-address=\
PPTP-POOL use-encryption=required
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN lldp-med-net-policy-vlan=1
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set max-mru=1092 max-mtu=1092 use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wireguard1 list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set authentication=pap,chap,mschap1,mschap2 enabled=yes max-mru=1092 max-mtu=\
1092
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/interface wireguard peers
add allowed-address=192.168.100.0/24,192.168.146.0/24 client-address=\
192.168.100.2/32 client-dns=1.1.1.1 interface=wireguard1 public-key=\
"-------------------------------------------="
/ip address
add address=192.168.146.195/24 comment=defconf interface=bridge network=\
192.168.146.0
add address=xx.xx.xx.xx/xx interface=ether1 network=xx.xx.xx.xx
add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0
/ip arp
add address=192.168.146.236 comment="IP-223" interface=bridge \
mac-address=xx:xx:xx:xx:xx:xx
add address=192.168.146.239 comment="FLEX Q5" interface=bridge \
mac-address=xx:xx:xx:xx:xx:xx
add address=192.168.146.238 comment="NORTH CAMERA" interface=bridge \
mac-address=xx:xx:xx:xx:xx:xx
add address=192.168.146.237 comment="SOUTH CAMERA" interface=bridge \
mac-address=xx:xx:xx:xx:xx:xx
add address=192.168.146.224 comment="DMR=LIGHT WEB POWER CONTROL" \
interface=bridge mac-address=xx:xx:xx:xx:xx:xx
add address=192.168.146.223 comment="FLEX Q4" interface=bridge \
mac-address=xx:xx:xx:xx:xx:xx
add address=192.168.146.222 comment="IP-223" interface=bridge \
mac-address=xx:xx:xx:xx:xx:xx
add address=192.168.146.219 comment="MICROWAVE" interface=\
bridge mac-address=xx:xx:xx:xx:xx:xx
add address=192.168.146.218 comment=" MICROWAVE" interface=\
bridge mac-address=xx:xx:xx:xx:xx:xx
add address=192.168.146.217 comment="MICROWAVE" interface=\
bridge mac-address=xx:xx:xx:xx:xx:xx
add address=192.168.146.216 comment="MICROWAVE" interface=\
bridge mac-address=xx:xx:xx:xx:xx:xx
add address=192.168.146.205 comment="DCB CLIENT" interface=bridge \
mac-address=xx:xx:xx:xx:xx:xx
add address=192.168.146.204 comment="DCB SERVER" interface=bridge \
mac-address=xx:xx:xx:xx:xx:xx
add address=192.168.146.235 comment="PICTURE SERVER" interface=bridge \
mac-address=xx:xx:xx:xx:xx:xx
add address=192.168.146.230 comment="IP TO SERIAL FOR CONTROLLER" \
interface=bridge mac-address=xx:xx:xx:xx:xx:xx
add address=192.168.146.225 comment="DMR REPEATER" interface=bridge
add address=192.168.146.250 comment="SWITCH" interface=bridge \
mac-address=xx:xx:xx:xx:xx:xx
add address=192.168.146.220 comment="CAMERA" interface=bridge \
mac-address=xx:xx:xx:xx:xx:xx
/ip cloud
set update-time=no
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
192.168.2.230 netmask=24
/ip dns
set servers=1.1.1.1,8.8.8.8,1.0.0.1,8.8.4.4
/ip dns static
add address=192.168.0.195 comment=defconf name=router.lan
/ip firewall filter
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment=wireguard dst-port=13231 protocol=udp
add action=accept chain=input comment=wireguard src-address=192.168.100.0/24
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="PPTP SERVER" dst-port=1723 protocol=\
tcp
add action=accept chain=input disabled=yes in-interface-list=LAN
add action=accept chain=input comment="allow sstp" disabled=yes dst-port=443 \
protocol=tcp
add action=accept chain=input comment="allow IPsec NAT" disabled=yes \
dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" disabled=yes dst-port=500 \
protocol=udp
add action=accept chain=input comment="allow l2tp" disabled=yes dst-port=1701 \
protocol=udp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface-list=WAN
add action=dst-nat chain=dstnat comment="DMR TCP" dst-port=50037 \
in-interface-list=WAN log=yes log-prefix="DMR TCP" protocol=tcp \
to-addresses=192.168.146.226 to-ports=50037
add action=dst-nat chain=dstnat comment="DMR UDP" dst-port=50037 \
in-interface-list=WAN log=yes log-prefix="DMR UDP" protocol=udp \
to-addresses=192.168.146.226 to-ports=50037
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=xx.xx.xx.xx
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=*2
/ppp secret
add name=xxxxc profile=pptp service=pptp
add name=xxxxe profile=pptp service=pptp
add disabled=yes name=vpn
add name=xxxn profile=pptp service=pptp
add name=xxxf profile=pptp service=pptp
add name=xxxg profile=pptp service=pptp
add comment="For DCB Testing" name=dcb profile=pptp service=pptp
add name=xxxm profile=pptp service=pptp
add comment="test for other logins" name=xxxxx
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-autodetect=no time-zone-name=Greenwich
/system identity
set name="Name"
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=us.pool.ntp.org
/system watchdog
set watchdog-timer=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-dst-ip-address=192.168.146.235/32 filter-dst-port=56543 \
filter-interface=all filter-operator-between-entries=and



[Interface]
Address = 192.168.100.2/32
DNS = 1.1.1.1,8.8.8.8
PostUp = wg set %i private-key /etc/wireguard/private.key
PostUp = ping -c1 192.168.100.1

[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
Endpoint = xx.xxx.xx.xxx:13231
AllowedIPs = 192.168.100.0/24, 192.168.146.0/24
PersistentKeepalive = 25
 
anav
Forum Guru
Posts: 22089
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard - can't get to the LAN devices

Sat Dec 09, 2023 1:27 am

There is something wrong with your MT peer settings.
/interface wireguard peers
add allowed-address=192.168.100.0/24,192.168.146.0/24 client-address=\
192.168.100.2/32 client-dns=1.1.1.1 interface=wireguard1 public-key=\
"-------------------------------------------="


As far as I know there is NO SUCH SETTING...................... is this something from BACK to home VPN???
ALSO there is no such entry as client DNS........... Maybe these were added in 7.13c??

One does not even need endpoint address which is probably the closest thing to what you have called client address, when setting the peer for a client (for the handshake).
FINALLY, WHY oh WHY did you put in 192.168.146.0/24 ?????? that is a local subnet??

SHOULD BE:
/interface wireguard peers
add allowed-address=192.168.100.2/32
interface=wireguard1 public-key=\
"-------------------------------------------="
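Added illustration of the point above (my own example, not code from the thread or from MikroTik): a small Python check over a RouterOS export that flags any server-side peer allowed-address overlapping a subnet the router already serves on a non-WireGuard interface, which is exactly the 192.168.146.0/24 entry being objected to. The sample export is constructed from the config posted earlier in this thread, with the public key replaced by a placeholder.

```python
import ipaddress
import re

# Constructed sample, condensed from the export posted in this thread
# (public key replaced with a placeholder, WAN address masked as posted).
SAMPLE_EXPORT = """\
/ip address
add address=192.168.146.195/24 comment=defconf interface=bridge network=\\
192.168.146.0
add address=xx.xx.xx.xx/xx interface=ether1 network=xx.xx.xx.xx
add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0
/interface wireguard peers
add allowed-address=192.168.100.0/24,192.168.146.0/24 client-address=\\
192.168.100.2/32 client-dns=1.1.1.1 interface=wireguard1 public-key=\\
"PLACEHOLDER="
"""

def parse_section(text, section):
    """Return key=value dicts for each 'add' line under one RouterOS menu path."""
    entries, current = [], None
    for line in text.replace("\\\n", "").splitlines():  # join '\' continuations
        if line.startswith("/"):
            current = line.strip()
        elif current == section and line.startswith("add "):
            entries.append(dict(re.findall(r'(\S+?)=("[^"]*"|\S+)', line)))
    return entries

def overlapping_allowed_addresses(export_text):
    """Flag peer allowed-address entries that overlap a subnet the router already
    serves on a non-WireGuard interface (e.g. the LAN bridge). Such an entry tells
    the router to route that subnet into the tunnel; a road-warrior peer on the
    server side normally needs only its own tunnel /32."""
    local_nets = {}
    for a in parse_section(export_text, "/ip address"):
        if a["interface"].startswith("wireguard"):
            continue
        try:
            local_nets[ipaddress.ip_interface(a["address"]).network] = a["interface"]
        except ValueError:  # masked value such as xx.xx.xx.xx/xx
            continue
    findings = []
    for peer in parse_section(export_text, "/interface wireguard peers"):
        for entry in filter(None, peer.get("allowed-address", "").split(",")):
            net = ipaddress.ip_network(entry, strict=False)
            for local, iface in local_nets.items():
                if net.overlaps(local):
                    findings.append((entry, iface, str(local)))
    return findings
```

Run against a full export the same way; a finding means the LAN subnet itself is being pulled into the tunnel on the server side, not just the client's tunnel address.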
 
knute
just joined
Topic Author
Posts: 6
Joined: Tue Aug 11, 2015 6:39 pm

Re: WireGuard - can't get to the LAN devices

Sun Dec 10, 2023 12:13 am

I'm using Winbox to work with this. Without the allowed-address=192.168.100.0/24,192.168.146.0/24 I cannot get to the router on the wireguard address 192.168.100.1 or to the LAN which is 192.168.146.0/24. I tried to take out the client-dns=1.1.1.1 but it won't go. I'm running 7.12.1 in this router. I'm now able to get to about 90% of the devices on the LAN. The device that I am most interested in connecting to I cannot connect to or ping. I can ping it from the ARP page which makes no sense to me. The bridge has proxy-arp set for the folks that are coming in via PPTP because they insisted on using interface addresses in the LAN address block. I've tried turning it off or setting it to enabled and that doesn't appear to have any effect. I'm thinking now it might be some problem in my device, the NIC having a higher metric on its route.

Thanks for looking.
 
knute
just joined
Topic Author
Posts: 6
Joined: Tue Aug 11, 2015 6:39 pm

Re: WireGuard - can't get to the LAN devices - SOLVED

Sun Dec 17, 2023 12:17 am

So the answer was to put in a NAT srcnat masquerade of the addresses used by the wireguard server and peers.

;;; wireguard
chain=srcnat action=masquerade src-address=192.168.220.0/24 log=no
 
anav
Forum Guru
Posts: 22089
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard - can't get to the LAN devices - SOLVED

Sun Dec 17, 2023 2:17 am

Makes no sense to me??

a. you have a perfectly legitimate Source NAT rule that covers all LAN to WAN traffic.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface-list=WAN


b. the wireguard is part of the lan interface list
add interface=wireguard1 list=LAN

c. You do not really block any traffic on the forward chain....... other than some wan traffic.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN


FINALLY what does 192.168.220.0/24 have to do with anything??

The local bridge and wireguard ARE NOT RELATED.
/ip address
add address=192.168.146.195/24 comment=defconf interface=bridge network=\
192.168.146.0
add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0


Thus your comment is illogical!!!
 
nichky
Forum Guru
Posts: 1392
Joined: Tue Jun 23, 2015 2:35 pm

Re: WireGuard - can't get to the LAN devices - SOLVED

Sun Dec 17, 2023 6:10 am

@anav

I need one piece of info from you.

I really don't understand the point of client-address, client-dns, client-listen-port and client-endpoint.

Do they need to be configured at the server side?

Even if yes, then what is the purpose?
 
anav
Forum Guru
Posts: 22089
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard - can't get to the LAN devices - SOLVED

Sun Dec 17, 2023 2:39 pm

Strange to ask here but okay. It's part of the new BTH design, or the give-a-client-a-setup design (export).
Just make sure it's not part of the real config come play time, as the regular allowed IPs is what is critical.
