You may think that, but MikroTik is often forgiving and will allow traffic to flow until it does not and you trip over some errors in the config.
By the way, your naming convention for WireGuard was very confusing. You called the WireGuard interface on the public IP router wg-lte
and you called the WireGuard interface on the LTE router wg-pubip. ANTI-intuitive LOL.
ROUTER1
/interface wireguard peers
add allowed-address=172.22.1.2/32,10.10.0.0/24,0.0.0.0/0 interface=wg-lte \
public-key="<Redacted>" comment=R2
There are several things wrong here. First, every client peer (from the perspective of this router, the server for the handshake) must identify the specific peer.
Secondly, ONLY use 0.0.0.0/0 if the intent is to use the internet of the other site. This is usually never entered into the peer settings of the server router.
Think of the logic: this is but one connection on the WireGuard interface. Imagine that besides the other router you have several users needing secure access to the LAN, or you as the ADMIN need remote access to both routers............
By putting 0.0.0.0/0, ALL traffic heading back into the tunnel will be captured by this first peer and the other WireGuard clients will NEVER get any return traffic.
Also, 0.0.0.0/0 means ALL possible IP addresses, so if it were correct here (which it is not), then putting in the other IPs would be redundant (useless).
Example: as admin you can put in peer 172.22.1.3 for your home PC and 172.22.1.4 for your laptop when travelling. Each peer entry will be specific to that IP/32.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
(2) You can probably delete this old default entry.
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
(3) I am surprised the IP route you have is working. The gateway is WRONG.
/ip route
add disabled=no dst-address=10.10.0.0/24 gateway=172.22.1.2 routing-table=\
main suppress-hw-offload=no
If anything it should be the local gateway (172.22.1.1); you have used the IP address of the other router.................
Change to:
/ip route
add disabled=no dst-address=10.10.0.0/24 gateway=wg-lte
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
ROUTER 2
/interface wireguard peers
add allowed-address=172.22.1.0/24,192.168.88.0/24,0.0.0.0/0 endpoint-address=\
<Redacted> endpoint-port=13231 interface=wg-pubip public-key=\
<Redacted> persistent-keep-alive=35s
The allowed IPs were good, but you make the same mistake with 0.0.0.0/0.
If the intent is to go out the internet of the main router, then you only need 0.0.0.0/0 and can remove the other two entries, OR, more likely, remove the 0.0.0.0/0.
Missing persistent keepalive!!!
Good so far. Now we have to mangle so that return traffic to public IPs that came in through WireGuard goes back via WireGuard; otherwise the R2 router will try to send it out the local WAN.
This method allows the server to record external public IPs hitting the server. Otherwise there was an easier way that avoided mangling.
/ip firewall mangle
add action=mark-connection chain=forward connection-mark=no-mark in-interface=wg-pubip \
new-connection-mark=from-wg-conn passthrough=yes
add action=mark-routing chain=prerouting connection-mark=from-wg-conn \
new-routing-mark=to-wg passthrough=no
To be accurate, the forward chain is where the connection marking is done; the route mark is correct in chain prerouting.
We also add connection-mark=no-mark. This allows us to keep using the fasttrack rule for all other traffic on the router!!
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes connection-track=no-track
Statistics: Posted by anav — Wed May 15, 2024 3:48 pm
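As an added example, not part of anav's post or the original poster's config: a small Python audit that reads a RouterOS export and flags the peer and mangle problems the post calls out (a 0.0.0.0/0 catch-all on a server-side peer, allowed-address entries made redundant by a broader one, a client-side peer without persistent-keep-alive, and a mark-connection rule without connection-mark=no-mark). The sample export is constructed here by mixing the Router 1 and Router 2 fragments into one text with placeholder keys and endpoint; the "server-side versus client-side" test (a peer carrying endpoint-address is the dialling side) and the redundancy rule (any prefix covered by a broader prefix on the same peer, which generalises the 0.0.0.0/0 case) are this example's assumptions.

```python
"""Audit a RouterOS export for the WireGuard peer and mangle mistakes discussed in the post.

Assumptions (this example's, not the post's): the input is the plain '/menu' + 'add key=value'
text that /export produces, with backslash line continuations; the sample below is a
constructed mix of Router 1 and Router 2 fragments with placeholder keys and endpoint.
"""
import ipaddress
import shlex

# Constructed sample modelled on the fragments quoted in the post (keys/endpoint are placeholders).
SAMPLE_EXPORT = r"""
/interface wireguard peers
add allowed-address=172.22.1.2/32,10.10.0.0/24,0.0.0.0/0 interface=wg-lte \
    public-key="R2KEY" comment=R2
add allowed-address=172.22.1.3/32 interface=wg-lte public-key="PCKEY" comment=home-pc
add allowed-address=172.22.1.0/24,192.168.88.0/24 endpoint-address=203.0.113.10 \
    endpoint-port=13231 interface=wg-pubip public-key="R1KEY" comment=R1
/ip firewall mangle
add action=mark-connection chain=forward in-interface=wg-pubip \
    new-connection-mark=from-wg-conn passthrough=yes
add action=mark-routing chain=prerouting connection-mark=from-wg-conn \
    new-routing-mark=to-wg passthrough=no
"""


def parse_export(text):
    """Return (menu, {key: value}) for every 'add' line, joining backslash continuations."""
    entries, menu = [], None
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):  # a menu path such as /ip firewall mangle
            menu = line
            continue
        words = shlex.split(line)  # handles quoted values like public-key="..."
        if menu and words and words[0] == "add":
            entries.append((menu, dict(w.split("=", 1) for w in words[1:] if "=" in w)))
    return entries


def audit_peers(entries):
    """Apply the allowed-address rules from the post to every WireGuard peer."""
    findings = []
    for menu, p in entries:
        if menu != "/interface wireguard peers":
            continue
        name = p.get("comment") or p.get("public-key", "?")
        nets = [ipaddress.ip_network(a, strict=False)
                for a in p.get("allowed-address", "").split(",") if a]
        is_client = "endpoint-address" in p  # assumption: only the dialling side has an endpoint
        # A prefix already covered by a broader one on the same peer adds nothing.
        for n in nets:
            if any(o != n and o.version == n.version and n.subnet_of(o) for o in nets):
                findings.append((name, "redundant-prefix", f"{n} is covered by a broader allowed-address"))
        if not is_client:
            if any(n.prefixlen == 0 for n in nets):
                findings.append((name, "catch-all-on-server",
                                 "0.0.0.0/0 belongs only on a client that routes its internet through the tunnel"))
            if not any(n.prefixlen == n.max_prefixlen for n in nets):
                findings.append((name, "no-host-address", "no /32 identifying the peer's tunnel address"))
        elif "persistent-keep-alive" not in p:
            findings.append((name, "no-keepalive", "client peer without persistent-keep-alive"))
    return findings


def audit_mangle(entries):
    """Flag mark-connection rules that would re-mark every packet of already-marked connections."""
    findings = []
    for menu, p in entries:
        if menu == "/ip firewall mangle" and p.get("action") == "mark-connection":
            if p.get("connection-mark") != "no-mark":
                findings.append((f"mangle/{p.get('chain')}", "mangle-no-nomark",
                                 "add connection-mark=no-mark so the rule only touches unmarked connections"))
    return findings


def audit(text):
    """Run all checks over an export and return (subject, code, detail) tuples."""
    entries = parse_export(text)
    return audit_peers(entries) + audit_mangle(entries)


if __name__ == "__main__":
    for subject, code, detail in audit(SAMPLE_EXPORT):
        print(f"{subject:14} {code:20} {detail}")
```

On the sample, peer R2 is reported three times (two redundant prefixes under 0.0.0.0/0 plus the catch-all itself), R1 once for the missing keepalive, the forward-chain mark-connection rule once, and the home-pc /32 peer not at all. Run it against a real `/export` to check a router before trusting that "traffic still flows" means the config is right.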