Sun Jul 07, 2024 6:34 pm
HOME
General Comment: For organization purposes, readability and troubleshooting, it's best to keep firewall chains together: the input chain together and the forward chain together (order within chains is critical).
Security Caution!: Do not OPEN WINBOX to the Internet. You should only access the config from the LAN side (either directly or via VPN). This rule has to go...
add action=accept chain=input comment="allow Winbox" disabled=yes \
in-interface=ether1 port=8291 protocol=tcp
(1) FROM:
add action=accept chain=input dst-port=51820 log=yes log-prefix=boat \
protocol=udp src-address=172.16.0.2
TO:
add action=accept chain=input dst-port=51820 log=yes log-prefix=boat \
protocol=udp
Discussion: The connection is from an external IP (think whatever the LTE CGNAT address gets source-NATted to when it hits the WWW) when making the initial connection to your router.
Stated differently, 172.16.0.2 never comes over the WWW to the Main router; it only travels once the tunnel is established and goes through the tunnel. It can reach the config of the router via input chain rules, or it can reach the subnets on the main router via the forward chain, and could go out the internet of the router via the forward chain as well, if so inclined.
(2) Firewall chain organization:
/ip firewall address-list { use static dhcp leases for local router IPs }
add address=192.168.1.XX list=Authorized comment="admin PC"
add address=192.168.1.YY list=Authorized comment="admin laptop/smartphone"
add address=10.1.1.Z list=Authorized comment="remote admin on boat wired"
add address=10.1.1.A list=Authorized comment="remote admin on boat wifi"
add address=172.16.0.3 list=Authorized comment="remote rw admin laptop"
add address=172.16.0.4 list=Authorized comment="remote rw admin smartphone"
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input dst-port=51820 protocol=udp log=yes log-prefix=Incoming-Wireguard
add action=accept chain=input in-interface-list=LAN src-address-list=Authorized
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=tcp
add action=drop chain=input comment="drop all else"
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="remote access to local LAN" in-interface=wg0 dst-address=192.168.1.0/24
add action=accept chain=forward comment="local access to tunnel" src-address=192.168.1.0/24 out-interface=wg0
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
Add peers as necessary:
/interface wireguard peers
add allowed-address=172.16.0.2/32,10.1.1.0/24 interface=wg0 name=peer2 \
public-key=""
add allowed-address=172.16.0.3/32 interface=wg0 name=rw1-laptop \
public-key=""
add allowed-address=172.16.0.4/32 interface=wg0 name=rw2-smartphone \
public-key=""
BOAT
(3) From
/interface wireguard peers
add allowed-address=172.16.0.1/32,192.168.1.0/24 endpoint-address=\
zapto.org endpoint-port=51820 interface=wg0 \
persistent-keepalive=25s public-key=""
TO:
/interface wireguard peers
add allowed-address=172.16.0.0/24,192.168.1.0/24 endpoint-address=\
zapto.org endpoint-port=51820 interface=wg0 \
persistent-keepalive=25s public-key=""
Discussion: The Main Home has a peer to peer connection with all client peers for initial handshake, hence the /32. However, single client peers only have ONE peer to peer connection, and that is to the main router. Hence we use /24, which ALLOWS, for example, any other single peer (like road warriors connecting to the main router) to also connect to the boat wireguard etc...
(4) MISSING ip route
/ip route
add dst-address=192.168.1.0/24 gateway=wg0 routing-table=main
EDIT: okay, I see you have something entered and it's IN ERROR!!! GET RID OF THIS FIRST ONE and just keep the second one!!
/ip route
add disabled=yes distance=1 dst-address=192.168.1.0/24 gateway=*D pref-src="" \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.1.0/24 gateway=wg0 pref-src="" \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
(5) DELETE Masquerade rule, serves NO purpose, not required.
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.1.0/24 ipsec-policy=\
out,ipsec src-address=10.1.1.0/24
(6) Modify DNS and remove static default not required..........
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip dns static
add address=10.1.1.1 comment=defconf name=router.lan
(7) Firewall rules Fixed
/ip firewall address-list
add address=192.168.1.XX list=Authorized comment="remote admin PC"
add address=192.168.1.YY list=Authorized comment="remote admin laptop/smartphone"
add address=10.1.1.Z list=Authorized comment="LOCAL admin on boat wired"
add address=10.1.1.A list=Authorized comment="LOCAL admin on boat wifi"
add address=172.16.0.3 list=Authorized comment="remote rw admin laptop"
add address=172.16.0.4 list=Authorized comment="remote rw admin smartphone"
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input in-interface-list=LAN src-address-list=Authorized
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=tcp
add action=drop chain=input comment="drop all else"
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="remote access to local LAN" in-interface=wg0 dst-address=10.1.1.0/24
add action=accept chain=forward comment="local access to tunnel" src-address=10.1.1.0/24 out-interface=wg0
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
NOTE: The simplicity of the firewall structure provided means they are identical; the only major differences between the two are:
a. No need for an input chain handshake rule on the boat (client peer). One less entry.
b. We simply replace the subnet in the forward chain rules for the traffic flowing in/out of the tunnel with the applicable subnet (on the boat it's 10.1.1.0/24).
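A small Python lint, added here and not part of the post above, that parses RouterOS "/ip firewall filter" export lines (honouring the trailing-backslash continuations) and flags the input-chain problems the post calls out: Winbox accepted from anything other than the LAN list, the WireGuard handshake rule restricted by src-address (which the CGNAT'd peer never matches), and a chain that does not end in an unconditional drop. The two sample exports inside it are constructed for the example.

```python
import shlex

# Constructed samples (not the poster's full export): the input chain as first
# posted, with the Winbox rule enabled and the src-restricted WireGuard rule,
# and the chain as the post fixes it.
BAD_INPUT = """\
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" \\
connection-state=established,related,untracked
add action=accept chain=input comment="allow Winbox" in-interface=ether1 port=8291 protocol=tcp
add action=accept chain=input dst-port=51820 protocol=udp src-address=172.16.0.2
add action=drop chain=input comment="drop all else"
"""
GOOD_INPUT = """\
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input dst-port=51820 protocol=udp log=yes log-prefix=Incoming-Wireguard
add action=accept chain=input in-interface-list=LAN src-address-list=Authorized
add action=drop chain=input comment="drop all else"
"""

def parse_rules(export_text):
    """Join '\\' continuation lines, then parse each 'add ...' line into a dict."""
    rules = []
    for line in export_text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if line.startswith("add "):
            rules.append(dict(tok.partition("=")[::2] for tok in shlex.split(line[4:])))
    return rules

MATCHERS = ("in-interface", "in-interface-list", "src-address", "src-address-list",
            "protocol", "dst-port", "port", "connection-state")

def lint_input_chain(rules):
    """Findings for the enabled input-chain rules, following the post's points."""
    inp = [r for r in rules if r.get("chain") == "input" and r.get("disabled") != "yes"]
    findings = []
    for r in inp:
        if r.get("action") != "accept":
            continue
        # Security Caution: Winbox reachable from anything other than the LAN list
        if "8291" in (r.get("dst-port"), r.get("port")) and r.get("in-interface-list") != "LAN":
            findings.append("winbox-open-to-wan")
        # (1) the handshake arrives from the peer's public/CGNAT address, not 172.16.0.2
        if r.get("dst-port") == "51820" and r.get("protocol") == "udp" and "src-address" in r:
            findings.append("wireguard-handshake-restricted-by-src")
    # the chain must end in a drop with no matchers ("drop all else")
    if not inp or inp[-1].get("action") != "drop" or any(k in inp[-1] for k in MATCHERS):
        findings.append("input-chain-missing-final-drop")
    return findings
```

Feed it the output of `/ip firewall filter export` to check a live router; rules with disabled=yes are ignored, matching how RouterOS treats them.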