Wireguard/RouterOS issue
Posted: Sun Nov 17, 2024 1:51 am
I have converted from a FreshTomato router to Mikrotik and I'm working out some small issues. I have my Wireguard client set up to access any VLAN and the router management remotely. It's working except for a Hyper-V Linux VM. I can't connect to it through the tunnel and I can't ping it. I can RDP to the host machine which is on the same VLAN as the VM. The VM has "external" networking so it has a different IP than the host (again, it's Hyper-V). I've never had an issue like this with WG or the old router where I can't reach one machine on a subnet but can reach another on the same subnet. Other local hosts on the same subnet can ping the Linux VM. I disabled the VM's firewall to rule that out, no help.
Pinging the VM shows as data sent in my clients Wireguard interface but the ping doesn't return, it seems the pings are going into the tunnel and stopping at the router. Any ideas?
Pinging the VM shows as data sent in my clients Wireguard interface but the ping doesn't return, it seems the pings are going into the tunnel and stopping at the router. Any ideas?
Code: Select all
# 2024-11-16 18:46:31 by RouterOS 7.16.1
# software id = 5Z7V-M9DI
#
# model = RB5009UG+S+
# serial number = x
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface wireguard
add listen-port=39898 mtu=1420 name=wg0
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=home_VLAN vlan-id=11
add interface=BR1 name=printers_VLAN vlan-id=77
add interface=BR1 name=untrusted_VLAN vlan-id=22
add interface=BR1 name=work_VLAN vlan-id=88
/interface list
add name=WAN
add name=VLAN
add name=BASE
add name=WORK
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=home_POOL ranges=10.3.11.10-10.3.11.254
add name=untrusted_POOL ranges=10.3.22.10-10.3.22.254
add name=printers_POOL ranges=10.3.77.10-10.3.77.254
add name=work_POOL ranges=10.3.88.10-10.3.88.254
/ip dhcp-server
add address-pool=home_POOL interface=home_VLAN name=home_DHCP
add address-pool=untrusted_POOL interface=untrusted_VLAN name=untrusted_DHCP
add address-pool=printers_POOL interface=printers_VLAN name=printers_DHCP
add address-pool=work_POOL interface=work_VLAN name=work_DHCP
/interface bridge port
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether2
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether3
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether4
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether5
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether6
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether7
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether6,ether7,sfp-sfpplus1 vlan-ids=11
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether6,ether7,sfp-sfpplus1 vlan-ids=22
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether6,ether7,sfp-sfpplus1 vlan-ids=77
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether6,ether7,sfp-sfpplus1 vlan-ids=88
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether6,ether7,sfp-sfpplus1 vlan-ids=99
/interface list member
add interface=ether1 list=WAN
add interface=BASE_VLAN list=VLAN
add interface=home_VLAN list=VLAN
add interface=untrusted_VLAN list=VLAN
add interface=printers_VLAN list=VLAN
add interface=work_VLAN list=VLAN
add interface=wg0 list=VLAN
add interface=BASE_VLAN list=BASE
add interface=work_VLAN list=WORK
/interface wireguard peers
add allowed-address=10.88.0.2/32 interface=wg0 name=c public-key="x"
/ip address
add address=10.3.0.1/24 interface=BASE_VLAN network=10.3.0.0
add address=10.3.11.1/24 interface=home_VLAN network=10.3.11.0
add address=10.3.22.1/24 interface=untrusted_VLAN network=10.3.22.0
add address=10.3.77.1/24 interface=printers_VLAN network=10.3.77.0
add address=10.3.88.1/24 interface=work_VLAN network=10.3.88.0
add address=10.88.0.1/24 interface=wg0 network=10.88.0.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.3.11.0/24 dns-server=10.3.0.1 gateway=10.3.11.1
add address=10.3.22.0/24 dns-server=10.3.0.1 gateway=10.3.22.1
add address=10.3.77.0/24 dns-server=10.3.0.1 gateway=10.3.77.1
add address=10.3.88.0/24 dns-server=10.3.0.1 gateway=10.3.88.1
/ip dns
set allow-remote-requests=yes mdns-repeat-ifaces=home_VLAN,printers_VLAN,work_VLAN,untrusted_VLAN,BASE_VLAN servers=9.9.9.9
/ip firewall address-list
add address=10.3.88.0/24 comment="work_VLAN admin subnet" list=AUTHORIZED
add address=10.88.0.2 comment="WG Client Admin" list=AUTHORIZED
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="Allow mDNS" dst-address=224.0.0.251 dst-port=5353 in-interface-list=VLAN log-prefix=mDNS protocol=udp src-port=5353
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address=127.0.0.1
add action=accept chain=input comment="incoming WG handshake" dst-port=39898 protocol=udp
add action=accept chain=input comment="admin access" src-address-list=AUTHORIZED
add action=accept chain=input comment="users to services" dst-port=53,123 in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="users to services" dst-port=53 in-interface-list=VLAN protocol=tcp
add action=drop chain=input comment="Drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="Drop printer/cam WAN traffic" in-interface=printers_VLAN out-interface-list=!VLAN
add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="Allow access to printer" dst-address=10.3.77.0/24 in-interface-list=VLAN
add action=accept chain=forward comment="Allow WG to VLAN" in-interface=wg0 out-interface-list=VLAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=accept chain=forward comment="Brother printer scanning to SMB Windows" dst-address=10.3.88.254 dst-port=445 protocol=tcp src-address=10.3.77.14
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from VLAN" in-interface-list=!VLAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from VLAN" in-interface-list=!VLAN
/system clock
set time-zone-name=America/New_York
/system identity
set name=hs-router
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE