Beginner Basics • Re: WireGuard

Hi there,
I want to better understand the wireguard requirements.
a. you have a single user that you wish to go out to the internet at the location of the ubuntu server.
b. should the single user be able to access a subnet on ubuntu, in which case you will need an additional route on the MT router
c. should the single user be able to access the ubuntu for config purposes, if so, then you will need applicable firewall rules on the ubuntu OS
d. do you have a requirement to
(1) allow the admin to remotely connect to the ubuntu server via WG ( laptop/smartphone travelling) For the purpose of then connecting to the MT router for config purposes?
(2) allow the admin to remotely connect to the ubuntu server via WG ( laptop/smartphone travelling) For the purpose of then connecting to the MT router to access the LAN on the MT?
For both of these use cases, the ubuntu firewall rules will have to allow such remote client into the wireguard interface and back out the wireguard interface.
A similar type of relay rule on an MT device would look like ( to give you an idea of what you would need to do on the Ubuntu)
add chain=forward action=accept in-interface=wireguard1 out-interface=wireguard1
e. Final question, what happens if, for whatever reason, the wireguard connection is not available - should the single user have NO internet access or fall back to local WAN access ???
- ubuntu crashes, ISP at ubuntu site crashes, Power at ubuntu location Crashes, etc........


1. As far as the config goes, classic error made for /ip address, the interface is not the default ether2 anymore, it's the bridge.
From:
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0

TO:
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0


2. There are two approaches for one IP address, I prefer using routing rules. Regardless of approach you are missing the necessary routing table for wireguard.
Also I see no IP route for the rest of the LAN traffic, and thus have to assume you have default-route=YES, set in ip dhcp settings. Having a destination address as a local IP is bizarre and should be removed along with any black hole route.

Option:1 - routing rules

/routing table
add fib name=useWG


/routing rule
# order of rules is important
add action=lookup-only-in-table src-address=192.168.88.0/24 dst-address=192.168.88.0/24 table=main comment="ensures local traffic not affected"
add action=lookup-only-in-table src-address=192.168.88.53 table=useWG

/ip route
add dst-address=0.0.0.0/0 gateway=wg0 routing-table=useWG

Option 2 - mangle

/routing table
add fib name=useWG


/ip firewall mangle
add action=accept chain=forward src-address=192.168.88.0/24 dst-address=192.168.88.0/24
add action=mark-routing chain=prerouting src-address=192.168.88.53 new-routing-mark=useWG passthrough=no

/ip route
add dst-address=0.0.0.0/0 gateway=wg0 routing-table=useWG



++++++++++++++++++++++++++++++++++

More granularity can be provided once the requirements are well articulated.

Statistics: Posted by anav — Wed Mar 12, 2025 5:00 pm
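As an added example (not part of anav's reply or any MikroTik tool), here is a small Python lint that reads a RouterOS-style export and flags the three mistakes discussed above: an /ip address left on a bridge port instead of the bridge, a routing-table/table/new-routing-mark reference to a table never created under /routing table, and a policy rule for the WG table placed before the rule that keeps LAN-to-LAN traffic in main. The export text is constructed for the example; the parser only understands the simple "menu path + add key=value" layout shown.

```python
import shlex

# Constructed RouterOS export reproducing the mistakes above: /ip address on a
# bridge port, a routing table that is never created, and the WG rule placed
# before the rule that keeps LAN-to-LAN traffic in the main table.
BROKEN = """\
/interface bridge port
add bridge=bridge interface=ether2
/ip address
add address=192.168.88.1/24 interface=ether2 network=192.168.88.0
/routing rule
add action=lookup-only-in-table src-address=192.168.88.53 table=useWG
add action=lookup-only-in-table src-address=192.168.88.0/24 dst-address=192.168.88.0/24 table=main
/ip route
add dst-address=0.0.0.0/0 gateway=wg0 routing-table=useWG
"""

def parse(export):
    """Return [(menu, {key: value})] for every 'add' line under its menu path."""
    menu, items = None, []
    for line in export.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif line.startswith("add "):
            kv = dict(tok.split("=", 1) for tok in shlex.split(line[4:]) if "=" in tok)
            items.append((menu, kv))
    return items

def lint(export):
    """Return a list of finding codes; an empty list means the checks passed."""
    items, findings = parse(export), []
    bridge_ports = {kv["interface"] for m, kv in items if m == "/interface bridge port"}
    tables = {"main"} | {kv["name"] for m, kv in items if m == "/routing table"}
    table_key = {"/ip route": "routing-table", "/routing rule": "table",
                 "/ip firewall mangle": "new-routing-mark"}
    for m, kv in items:
        if m == "/ip address" and kv.get("interface") in bridge_ports:
            findings.append("ip-address-on-bridge-port:" + kv["interface"])
        key = table_key.get(m)
        if key in kv and kv[key] not in tables:
            findings.append("undefined-table:" + kv[key])
    # Rule order matters: the main-table rule for local traffic must come first.
    rules = [kv for m, kv in items if m == "/routing rule"]
    for i, r in enumerate(rules):
        if r.get("table") != "main" and not any(x.get("table") == "main" for x in rules[:i]):
            findings.append("wg-rule-before-local-rule")
            break
    return findings
```

Running lint(BROKEN) reports all three problems; once the address is moved to the bridge, the table is created and the rules are reordered as in the corrected config, it returns an empty list.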
