General • Wireguard: Can't access VLANs

Hi all,

after some very good posts here, I successfully reconfigured my whole network and started to try out Wireguard.
Connection is established and I can also access the internet with the VPN connection.
I can also access my Proxmox Web Interface (connected to ether3 and has VLAN #100), but I can't access containers running inside my Proxmox, which does not make sense to me. Some containers are untagged in Proxmox and some are tagged. Within my LAN and without Wireguard, access works fine.
I have tested pings from the command line (src 172.17.0.1, which is the Wireguard gateway) in RouterOS, which confirms that the given IP addresses can't be reached.

Can someone explain to me why the Wireguard interface can't ping these addresses or what I am missing?
Code:
# 2025-01-02 21:55:15 by RouterOS 7.15.3
# software id = XBVQ-34SC
#
# model = RB5009UG+S+
# serial number = xxx
/interface bridge
add name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether5 ] name=dedicated-mgmt-ether5
set [ find default-name=ether3 ] name=nuc-ether3
set [ find default-name=ether1 ] name=trunk-switch1-ether1
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=bridge name=CCTV vlan-id=21
add interface=bridge name=Clients vlan-id=10
add interface=bridge name=Home-Automation vlan-id=50
add interface=bridge name=Kids vlan-id=49
add interface=bridge name=Management vlan-id=53
add interface=bridge name=Servers vlan-id=100
add interface=ether2 name=pppoe-na10 vlan-id=10
/interface pppoe-client
add add-default-route=yes allow=pap,chap,mschap2 comment=ISP disabled=no \
    interface=pppoe-na10 name=pppoe-na use-peer-dns=yes user=\
    notimportant
/interface list
add name=MGMT
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.0.10.20-10.0.10.254
add name=dhcp_pool1 ranges=10.0.21.20-10.0.21.254
add name=dhcp_pool2 ranges=10.0.50.20-10.0.50.254
add name=dhcp_pool3 ranges=10.0.53.20-10.0.53.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=Clients name=dhcp1
add address-pool=dhcp_pool1 interface=CCTV name=dhcp2
add address-pool=dhcp_pool2 interface=Home-Automation name=dhcp3
add address-pool=dhcp_pool3 interface=Management name=dhcp4
/interface bridge port
add bridge=bridge interface=trunk-switch1-ether1
add bridge=bridge interface=nuc-ether3 pvid=100
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4 pvid=53
/interface bridge vlan
add bridge=bridge tagged=trunk-switch1-ether1,bridge vlan-ids=10
add bridge=bridge tagged=trunk-switch1-ether1,bridge,nuc-ether3 untagged=\
    ether4 vlan-ids=53
add bridge=bridge tagged=trunk-switch1-ether1,bridge,nuc-ether3 vlan-ids=21
add bridge=bridge tagged=trunk-switch1-ether1,bridge vlan-ids=49
add bridge=bridge tagged=trunk-switch1-ether1,bridge,nuc-ether3 vlan-ids=50
add bridge=bridge tagged=trunk-switch1-ether1,bridge untagged=nuc-ether3 \
    vlan-ids=100
/interface list member
add interface=Management list=MGMT
add interface=dedicated-mgmt-ether5 list=MGMT
add comment=ISP interface=pppoe-na list=WAN
/interface wireguard peers
add allowed-address=172.17.0.2/32 client-address=172.17.0.2/32 client-dns=\
    8.8.8.8 client-endpoint=example.com client-keepalive=10s \
    interface=wireguard1 name=Home private-key=\
    "redacted" public-key=\
    "redacted"
/ip address
add address=10.0.53.1/24 interface=Management network=10.0.53.0
add address=10.0.10.1/24 interface=Clients network=10.0.10.0
add address=10.0.21.1/24 interface=CCTV network=10.0.21.0
add address=10.0.49.1/24 interface=KNX network=10.0.49.0
add address=10.0.50.1/24 interface=Home-Automation network=10.0.50.0
add address=10.0.100.1/24 interface=Servers network=10.0.100.0
add address=172.17.0.1/24 interface=wireguard1 network=172.17.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.0.10.1
add address=10.0.21.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.0.21.1
add address=10.0.50.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.0.50.1
add address=10.0.53.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.0.53.1
/ip firewall address-list
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP after RAW" \
    protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment=Wireguard dst-port=13231 in-interface=\
    pppoe-na log=yes log-prefix=wg protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from MGMT" \
    in-interface-list=!MGMT
add action=accept chain=forward comment=\
    "defconf: accept all that matches IPSec policy" disabled=yes \
    ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    dst-address-list=no_forward_ipv4
/ip firewall nat
add action=accept chain=srcnat comment=\
    "defconf: accept all that matches IPSec policy" disabled=yes \
    ipsec-policy=out,ipsec
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface-list=WAN
/system note
set show-at-login=no

edit: Forgot to mention that I can see icmp in the connections tab of the firewall. But the state always stays with syn start and never changes.

Statistics: Posted by stitch84ac — Fri Jan 03, 2025 12:50 am
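As an added example (not code from the post, and not MikroTik's own tooling), the block below is a small parser for the RouterOS 7 export format shown above, plus two offline checks worth running against such an export before chasing a routing problem between a WireGuard subnet and a VLAN: whether every VLAN interface that sits on the bridge has the bridge itself listed as a tagged member of its `/interface bridge vlan` row (with `vlan-filtering=yes` the bridge interface is the router's own CPU port, so a VLAN it is not tagged in cannot carry traffic the router routes into it), and whether every `/ip address` is bound to an interface name that the export actually defines. The sample export is constructed in the shape of the post's config: its VLAN 49 row deliberately omits `bridge` so the first check fires, and the `10.0.49.1/24` address bound to `KNX` mirrors a row in the post's own export whose interface name appears nowhere else in it, which the second check flags.

```python
"""Parse a RouterOS 7 `/export` and sanity-check VLAN and interface plumbing.

Added example, not code from the forum post or from MikroTik. It assumes the
export conventions visible in RouterOS 7 output: `/menu path` lines open a
section, `add`/`set` lines carry key=value tokens, long lines are wrapped
with a trailing backslash, and quoted values use double quotes.
"""
from __future__ import annotations

import shlex
from collections import defaultdict

# Constructed sample in the shape of the post's export (not the real config).
# VLAN 49 deliberately lacks `bridge` in its tagged list, and the 10.0.49.1
# address is bound to an interface name (KNX) that the export never defines.
SAMPLE_EXPORT = r"""
# 2025-01-02 by RouterOS 7.15.3 (constructed sample)
/interface bridge
add name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether3 ] name=nuc-ether3
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=bridge name=Clients vlan-id=10
add interface=bridge name=Kids vlan-id=49
add interface=bridge name=Servers vlan-id=100
add interface=ether2 name=pppoe-na10 vlan-id=10
/interface bridge vlan
add bridge=bridge tagged=trunk-switch1-ether1,bridge vlan-ids=10
add bridge=bridge tagged=trunk-switch1-ether1 vlan-ids=49
add bridge=bridge tagged=trunk-switch1-ether1,bridge untagged=nuc-ether3 \
    vlan-ids=100
/interface wireguard peers
add allowed-address=172.17.0.2/32 client-address=172.17.0.2/32 \
    interface=wireguard1 name=Home public-key=\
    "redacted"
/ip address
add address=10.0.10.1/24 interface=Clients network=10.0.10.0
add address=10.0.49.1/24 interface=KNX network=10.0.49.0
add address=10.0.100.1/24 interface=Servers network=10.0.100.0
add address=172.17.0.1/24 interface=wireguard1 network=172.17.0.0
"""

# Menus whose `name=` values are interfaces an `/ip address` may bind to.
INTERFACE_MENUS = (
    "/interface bridge",
    "/interface ethernet",
    "/interface vlan",
    "/interface wireguard",
    "/interface pppoe-client",
)


def parse_export(text: str) -> dict[str, list[dict[str, str]]]:
    """Return {menu path: [entry, ...]} where each entry maps key -> value."""
    sections = defaultdict(list)
    current = None
    pending = ""  # text accumulated from backslash-wrapped lines
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):  # wrapped line: keep what precedes the backslash
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        if line.startswith("/"):
            current = line
            continue
        verb, *tokens = shlex.split(line)  # shlex strips the double quotes
        if current is None or verb not in ("add", "set"):
            continue
        entry = {"_verb": verb}
        for tok in tokens:  # `[ find ... ]` brackets carry no '=' and are skipped
            if "=" in tok:
                key, value = tok.split("=", 1)
                entry[key] = value
        sections[current].append(entry)
    return dict(sections)


def vlan_ids(spec: str) -> set[int]:
    """Expand a vlan-ids value such as '10,20-22' into {10, 20, 21, 22}."""
    ids = set()
    for part in spec.split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def vlans_without_cpu_port(cfg) -> list[str]:
    """Names of bridge VLAN interfaces whose bridge-vlan row does not tag `bridge`."""
    rows = cfg.get("/interface bridge vlan", [])
    missing = []
    for vlan in cfg.get("/interface vlan", []):
        if vlan.get("interface") != "bridge":
            continue
        vid = int(vlan["vlan-id"])
        if not any(vid in vlan_ids(r.get("vlan-ids", ""))
                   and "bridge" in r.get("tagged", "").split(",") for r in rows):
            missing.append(vlan["name"])
    return missing


def addresses_on_undefined_interfaces(cfg) -> list[str]:
    """`/ip address` rows bound to an interface name the export never defines."""
    known = {e["name"] for menu in INTERFACE_MENUS
             for e in cfg.get(menu, []) if "name" in e}
    return [f"{a['address']} -> {a['interface']}"
            for a in cfg.get("/ip address", []) if a.get("interface") not in known]


if __name__ == "__main__":
    cfg = parse_export(SAMPLE_EXPORT)
    print("VLANs lacking the bridge as tagged member:", vlans_without_cpu_port(cfg))
    print("addresses on undefined interfaces:", addresses_on_undefined_interfaces(cfg))
```

To run it against a real router, replace `SAMPLE_EXPORT` with the text of `/export` (the `compact` form wraps lines the same way). Neither check proves a path works end to end; they only rule out the two configuration mismatches that most often make a VLAN look reachable from the LAN but unreachable from the router itself, which is the symptom the ping test in the post exercises.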
