Dear all,
I am setting up a new network and have issues with WireGuard and pinging hosts behind the router. I am not super experienced with networking, but I nearly got it to work as I need.
However, there is one connectivity issue that I cannot figure out, and I am also stuck on how to debug it / get more information on where the problem might lie. I hope maybe someone here has an idea what's going on or what I could look at more closely?
I don't have access to the devices at the moment, so I am describing the network in the following as precisely as I can:
The network looks as in the attached image.
Router is on latest stable RouterOS 7 version, Switch is on latest stable SwitchOS version 2.
The bridged LAN network 192.168.1.0 works fine and I can ping any device amongst each other, Wifi works just fine etc...
The Wireguard Interface is added to the LAN Interface list.
Additionally, the following firewall rules are in place and way up in the order before any drop rules:
- input accept icmp
- input accept udp on WG endpoint port
- input accept from WG interface
- forward accept 192.168.3.0/42 to 192.168.1.0/42
- forward accept 192.168.1.0/42 to 192.168.3.0/42
The WG on the Router has allowed IPs set to 192.168.1.0/24 and 192.168.3.0/24. The same is set in the Client WG.
On the Router additionally the Client IP is set to 192.168.3.1/24 so it receives this IP on the WG Router side to make sure there is no additional complexity/issue due to DHCP.
Router has IP 192.168.3.254/24 in IP/addresses for WG interface, 192.168.1.254/24 for LAN bridge.
Public Keys are correct and Router WAN IP (fixed) as well as endpoint also are correct on Client Side and Router Side.
Both are set to a persistent keepalive of 25s.
Client additionally has fixed IP setting in the Wireguard network as 192.168.3.1/24 with gateway 192.168.3.254 plus added a route
192.168.1.0/24 via 192.168.3.254
Routes are configured as follows in the Router:
0.0.0.0/0 via 192.168.1.254
192.168.1.0/24 via %bridge
192.168.3.0/24 via %wireguard
The DHCP in LAN advertises the following networks:
192.168.1.0/24 via 192.168.1.254
192.168.3.0/24 via 192.168.3.254
The Switch has nothing configured like VLAN or similar, it is acting as an unmanaged Switch.
This is what I observe:
I can connect the WireGuard Client to the Router, see the handshake occurring in the Router, and can ping the Router and the Switch from the Client.
I can ping the Client from the Router.
I can remotely access both WebFig interfaces of Router and Switch, but not of Wifi AP.
I cannot successfully ping the WiFi AP or the Host from the Client.
I do see with torch that the ICMP packets for the Host exit the Router on the interface port between Router and Switch, however there is no RX coming back.
I tried to ping the Client from the Host, but the Host apparently did not receive the corresponding route from the DHCP server.
Note that the Host is Windows based, however external ping rule in Defender is setup and it can be successfully pinged by the Router.
After adding a manual route to 192.68.3.0/24 via 192.68.1.254 to the Host, I can actually ping the client on IP 192.168.3.1 successfully from the Host, and I see both TX and RX in torch on the LAN port between Router and Switch.
However, pinging from Client to Host is still not possible, only TX from 192.168.3.1 is shown, no RX.
I wrote a small python client for the Client and server application for the Host to test if actually other connections are possible.
So the Server listening on Host with a high port via TCP, waiting for data, printing it out and replying.
Client connecting to 192.168.1.2, sending data and waiting for answer.
Indeed, it worked flawlessly to connect, send data and receive an answer.
I am at a loss, my reasoning being:
- It cannot be the routing, as the python server/client test works and there are no ICMP specific firewall rules.
- It cannot be the firewall, as the Ping in the other direction works without issue and I can ping the Switch behind the router, just not the Host or the WiFi AP
- Host should be configured correctly, as it can be pinged by Router and it can ping the client
- Client should be configured correctly, as it actually can ping the Switch.
There obviously has to be a problem, hope anybody can point me in the right direction.
Thanks in advance for anyone looking into it.
Statistics: Posted by brasssquirrel — Thu May 30, 2024 3:45 pm
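The post describes a "TX but no RX" pattern where the same path carries TCP but not ICMP. The following is an added example, not the poster's configuration or code: a small Python model of the addresses and routes the post lists (router, client and host tables, the client's AllowedIPs), with two more checks a practitioner would walk through for this symptom. First, a Windows-style inbound host firewall rule that carries a remote-address scope, so an ICMP allow rule scoped to the LAN subnet accepts the router's 192.168.1.254 but not the tunnel client's 192.168.3.1 while a TCP allow rule scoped to any address lets the test server work; second, WireGuard cryptokey routing, which silently drops a decrypted reply whose inner source is not inside the receiving peer's AllowedIPs. The rule scopes, the TCP test port (5000), the interface names and the host having no default route are all assumptions made for the model; the post does not state them.

```python
# Added example (not the poster's configuration): a model of the addresses
# and routes listed in the post plus two checks for an asymmetric ping.
# Assumptions: host firewall rule scopes, TCP test port 5000, interface
# names, and a host table without a default route (the post says the host
# did not receive the 192.168.3.0/24 route from DHCP).
from ipaddress import ip_address, ip_network, IPv4Network
from typing import NamedTuple, Optional, List

class Route(NamedTuple):
    prefix: IPv4Network
    via: str                    # next-hop address, or "%iface" for a connected route

class FwRule(NamedTuple):
    proto: str                  # "icmp" or "tcp"
    dport: Optional[int]        # destination port for tcp, None for icmp
    remote: IPv4Network         # remote addresses this allow rule is scoped to

class Packet(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None

def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match over one route table; None means 'no route'."""
    addr = ip_address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)

def host_accepts(rules: List[FwRule], pkt: Packet) -> bool:
    """Inbound host-firewall check: any allow rule matching protocol,
    destination port and remote-address scope admits the packet."""
    src = ip_address(pkt.src)
    return any(r.proto == pkt.proto and r.dport in (None, pkt.dport) and src in r.remote
               for r in rules)

def wg_accepts(allowed_ips: List[IPv4Network], inner_src: str) -> bool:
    """WireGuard cryptokey routing: a decrypted packet is dropped unless its
    inner source address lies inside the sending peer's AllowedIPs."""
    return any(ip_address(inner_src) in net for net in allowed_ips)

N = ip_network
# Route tables as given in the post (interface names assumed).
ROUTER_ROUTES = [Route(N("192.168.1.0/24"), "%bridge"), Route(N("192.168.3.0/24"), "%wireguard")]
CLIENT_ROUTES = [Route(N("192.168.3.0/24"), "%wg"), Route(N("192.168.1.0/24"), "192.168.3.254")]
CLIENT_ALLOWED_IPS = [N("192.168.1.0/24"), N("192.168.3.0/24")]   # as configured in the post
NARROW_ALLOWED_IPS = [N("192.168.3.0/24")]                        # hypothetical misconfiguration
HOST_ROUTES = [Route(N("192.168.1.0/24"), "%ethernet")]           # before the manual route
HOST_ROUTES_WITH_WG = HOST_ROUTES + [Route(N("192.168.3.0/24"), "192.168.1.254")]
TEST_PORT = 5000                                                  # assumed TCP test port
# Two host firewall variants: ICMP allowed only from the local subnet, or from anywhere.
RULES_LOCAL_SUBNET_ICMP = [FwRule("icmp", None, N("192.168.1.0/24")),
                           FwRule("tcp", TEST_PORT, N("0.0.0.0/0"))]
RULES_ANY_ICMP = [FwRule("icmp", None, N("0.0.0.0/0")),
                  FwRule("tcp", TEST_PORT, N("0.0.0.0/0"))]

def client_to_host(pkt: Packet, host_routes: List[Route], host_rules: List[FwRule],
                   allowed_ips: List[IPv4Network] = CLIENT_ALLOWED_IPS) -> str:
    """Trace one request from the WG client to the LAN host and its reply,
    returning the first point at which the round trip fails, or 'ok'."""
    for hop, table in (("client", CLIENT_ROUTES), ("router", ROUTER_ROUTES)):
        if lookup(table, pkt.dst) is None:
            return f"no route at {hop}"
    if not host_accepts(host_rules, pkt):
        return "dropped by host firewall"          # TX on the LAN port, no RX
    for hop, table in (("host", host_routes), ("router", ROUTER_ROUTES)):
        if lookup(table, pkt.src) is None:
            return f"reply unroutable at {hop}"    # also TX only, no RX
    if not wg_accepts(allowed_ips, pkt.dst):
        return "reply dropped by client AllowedIPs"
    return "ok"

if __name__ == "__main__":
    ping = Packet("192.168.3.1", "192.168.1.2", "icmp")
    tcp = Packet("192.168.3.1", "192.168.1.2", "tcp", TEST_PORT)
    print("ping, no host route:      ", client_to_host(ping, HOST_ROUTES, RULES_ANY_ICMP))
    print("ping, subnet-scoped rule: ", client_to_host(ping, HOST_ROUTES_WITH_WG, RULES_LOCAL_SUBNET_ICMP))
    print("tcp,  subnet-scoped rule: ", client_to_host(tcp, HOST_ROUTES_WITH_WG, RULES_LOCAL_SUBNET_ICMP))
    print("ping, any-scoped rule:    ", client_to_host(ping, HOST_ROUTES_WITH_WG, RULES_ANY_ICMP))
    print("ping, narrow AllowedIPs:  ", client_to_host(ping, HOST_ROUTES_WITH_WG, RULES_ANY_ICMP, NARROW_ALLOWED_IPS))
```

Running the script walks the four stages in order (route out, host filter, route back, AllowedIPs on re-entry), and each stage produces the same torch picture of TX without RX, which is why torch alone cannot tell them apart. The model reproduces the post's observations under the subnet-scope assumption: the router's echo request is accepted, the client's is not, and the client's TCP connection to the test port succeeds. The same checks apply to the WiFi AP, which the post reports as equally unreachable.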