Frostbite1991
just joined
Topic Author
Posts: 3
Joined: Tue Apr 23, 2024 4:09 am

Wireguard connection being dropped by firewall on new router, worked fine on old router with same settings.

Tue Apr 23, 2024 4:32 am

I have CGNAT'd internet at my business, so I created a WG tunnel using my house's static IP to view my business's Blue Iris stream from my phone. The WG server is an RB5009 at home. It all worked great (albeit slow) on the old RB2011 router at my business. I upgraded from the RB2011 to an L009UiGS-RM and set up the tunnel and the required subnet filter and WG NAT rules that worked on the RB2011. Got a handshake and that was it. For whatever reason my first "defconf: drop all not coming from LAN" filter keeps dropping the connection. This was not the case on the RB2011. I have 2 filter rules to allow my home subnet to talk to my business subnet above the drop filter, and have NAT'd the WG interface. I have quadruple-checked everything and it all looks the same, minus a few rules after the drop rule that were in the RB's default config. When I load my BI server on my phone, I can get to the login page, then the WinBox logs get flooded with dropped packets and eventually my phone gives up trying to load. Here is the censored log line:

input: in:ether1 out:(unknown 0), connection-state:new src-mac #xx:xx:xx:xx:xx:xx#, proto UDP, #Home Public IPV4#:13231->#Business Public IPV4#:17821, len 540

I've spent hours trying to figure this out, so any help would be greatly appreciated!
[admin@MikroTik] > export hide-sensitive
# 2024-04-22 19:29:10 by RouterOS 7.12
# software id = R2GP-5W16
#
# model = L009UiGS
# serial number = HFK095KC49K
/interface bridge
add admin-mac=78:9A:18:FA:58:B8 auto-mac=no comment=defconf name=bridge
/interface wireguard
add listen-port=13231 mtu=1420 name=WG1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=172.16.0.100-172.16.0.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=10.0.10.0/24,192.168.32.1/32,192.168.32.3/32 \
    endpoint-address=174.126.54.183 endpoint-port=13231 interface=WG1 \
    persistent-keepalive=25s public-key=\
    "jllEjjGRGGv5y6M2ZLyPEy5abvCLLxTKdqOVuCLVdGo="
/ip address
add address=172.16.0.1/24 comment=defconf interface=bridge network=172.16.0.0
add address=192.168.32.2/24 interface=WG1 network=192.168.32.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=172.16.0.0/24 comment=defconf dns-server=172.16.0.1 gateway=\
    172.16.0.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=172.16.0.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward comment="WG Shop To Home" dst-address=\
    10.0.10.0/24 src-address=172.16.0.0/24
add action=accept chain=forward comment="WG Home To Shop" dst-address=\
    172.16.0.0/24 src-address=10.0.10.0/24
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid log=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log=yes
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid log=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=WG1
/ip route
add disabled=no dst-address=10.0.10.0/24 gateway=WG1 routing-table=main \
    suppress-hw-offload=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" \
    src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" \
    dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=America/Boise
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@MikroTik] > 
 
rplant
Member
Posts: 325
Joined: Fri Sep 29, 2017 11:42 am

Re: Wireguard connection being dropped by firewall on new router, worked fine on old router with same settings.

Tue Apr 23, 2024 10:25 am

Perhaps add the wireguard interface to the Lan interface list.
 
jaclaz
Forum Veteran
Posts: 709
Joined: Tue Oct 03, 2023 4:21 pm

Re: Wireguard connection being dropped by firewall on new router, worked fine on old router with same settings.

Tue Apr 23, 2024 1:38 pm

To expand, the rule on /ip firewall filter:
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log=yes
has !LAN, so the wireguard WG1 interface, which is neither LAN nor WAN (it is "undefined" under /interface list member), is caught and packets are dropped.

But as OP stated there are two accept rules above that one:
add action=accept chain=forward comment="WG Shop To Home" dst-address=\
    10.0.10.0/24 src-address=172.16.0.0/24
add action=accept chain=forward comment="WG Home To Shop" dst-address=\
    172.16.0.0/24 src-address=10.0.10.0/24
that evidently do not catch the wireguard packets and accept them.

I would try replacing them with something based on interface *like*:
add action=accept chain=forward comment="allow wireguard" in-interface=WG1 log=yes
and see if it changes the behaviour.
 
anav
Forum Guru
Posts: 19563
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard connection being dropped by firewall on new router, worked fine on old router with same settings.

Tue Apr 23, 2024 11:12 pm

Your wording and config are very confusing; a network diagram would be good.
It's not clear to me which MT is at work and which is at home and which is acting as server for handshake.
 
Frostbite1991
just joined
Topic Author
Posts: 3
Joined: Tue Apr 23, 2024 4:09 am

Re: Wireguard connection being dropped by firewall on new router, worked fine on old router with same settings.

Wed Apr 24, 2024 1:25 am

Your wording and config are very confusing; a network diagram would be good.
It's not clear to me which MT is at work and which is at home and which is acting as server for handshake.
RB5009 is the WG server based at home under a static IP from the cable ISP. L009 is the WG peer based at the shop behind T-Mobile CGNAT, which has the Blue Iris (BI) server. I connect to the BI server from my phone through WG using its LAN address (172.16.0.254:82). BI's WAN webserver will never work behind my CGNAT.

You will see BI uses port 82, I do have port 82 forwarded through WG on the WG Server (RB5009), and I have not changed anything on Server since swapping out the RB2011 to the L009, since it worked prior.

This all worked fine on the old RB2011 router, but for some reason the L009's first "Drop all not coming from LAN" filter is dropping incoming packets from my Home (RB5009) WAN IP to shop's L009 router's assigned IPV4 in ether1, effectively dropping WG access, though I do receive handshake between all 3 devices.

I do notice the L009 default config does not have filter rules for allowing IPSEC in/out like the RB2011 did, could that be a problem?

I will also provide the config for the RB2011 here to compare.

Diagram (hopefully it shows)
[diagram image not reproduced in this export]

RB2011 Config
[admin@MikroTik] > export hide-sensitive
# 2024-04-23 18:11:27 by RouterOS 7.14.2
# software id = 7KK5-4QXR
#
# model = RB2011UiAS-2HnD
# serial number = 444B04C0009B
/interface bridge
add admin-mac=4C:5E:0C:21:CD:F5 auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
/interface wireguard
add listen-port=13231 mtu=1420 name=WG1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=172.16.0.10-172.16.0.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether6 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether7 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether8 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether9 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether10 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=sfp1 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=*C internal-path-cost=10 path-cost=\
    10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add comment="PC VLAN" interface=lo list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=10.0.10.0/24,192.168.32.1/32,192.168.32.3/32 \
    endpoint-address=174.126.54.183 endpoint-port=13231 interface=WG1 \
    persistent-keepalive=25s public-key=\
    "jllEjjGRGGv5y6M2ZLyPEy5abvCLLxTKdqOVuCLVdGo="
/ip address
add address=172.16.0.1/24 comment=defconf interface=bridge network=172.16.0.0
add address=192.168.32.2/24 interface=*E network=192.168.32.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=172.16.0.0/24 comment=defconf gateway=172.16.0.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=172.16.0.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward comment="Accept Shop to Home" dst-address=\
    10.0.10.0/24 log=yes src-address=172.16.0.0/24
add action=accept chain=forward comment="Accept Home to Shop" dst-address=\
    172.16.0.0/24 src-address=10.0.10.0/24
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid log=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log=yes
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
# no interface
add action=masquerade chain=srcnat out-interface=*E
/ip route
add disabled=no distance=1 dst-address=10.0.10.0/24 gateway=*E pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" \
    src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" \
    dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/lcd
set enabled=no touch-screen=disabled
/system clock
set time-zone-name=America/New_York
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@MikroTik] > 
 
anav
Forum Guru
Posts: 19563
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard connection being dropped by firewall on new router, worked fine on old router with same settings.

Wed Apr 24, 2024 2:07 am

Well if you are using your phone to connect to the RB5009 which then allows you to connect to the L009, then you also need to post the 5009.
 
anav
Forum Guru
Posts: 19563
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard connection being dropped by firewall on new router, worked fine on old router with same settings.

Wed Apr 24, 2024 2:11 am

Looking then at the L009
++++++++++

(1) Allowed IPs review.
/interface wireguard peers
add allowed-address=10.0.10.0/24,192.168.32.1/32,192.168.32.3/32 \
endpoint-address=174.126.54.183 endpoint-port=13231 interface=WG1 \
persistent-keepalive=25s public-key="..."

a. I will assume that somewhere on the home router is a subnet that you wish to reach from work of 10.0.10.0/24 YES NO??
OR
It's a remote subnet at home that needs to reach the business router?? YES NO??

b. The IP address to cover off wireguard users should be 192.168.32.0/24 and no other entries.

(2) You have a WAN error, you can use a static IP address as you do, OR you can use IP DHCP client, but not both ????

(3) Review this line and remove netmask, especially if entered manually, not required.
/ip dhcp-server network
add address=172.16.0.0/24 comment=defconf dns-server=172.16.0.1 gateway=\
172.16.0.1 netmask=24

(5) If IPV6 is not utilized, disable it in settings and remove all the associated noise of firewall rules and lists.......

(6) Firewall rules........... order and correctness, fixed: will need firewall address list to ensure only ADMIN can config router!

/ip firewall address-list { using static DHCP leases and any applicable wireguard addresses }
add address=172.16.0.X/32 list=Authorized comment="Admin desktop"
add address=172.16.0.Y/32 list=Authorized comment="Admin laptop"
add address=192.168.32.A/32 list=Authorized comment="Admin remote laptop -wg client "
add address=192.168.32.B/32 list=Authorized comment="Admin remote phone/ipad- wg client"
add address=10.0.10.CC/32 list=Authorized comment="Admin At Home desktop/laptop - thru 5009 wg connection"
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment=Loopback dst-address=127.0.0.1
add action=accept chain=input comment="admin access" src-address-list=Authorized
add action=accept chain=input comment="DNS services" in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input comment="DNS services" in-interface-list=LAN dst-port=53 protocol=tcp
add action=drop chain=input comment="Drop all else" { add this rule at the end or you will lock yourself out }
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related,untracked
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="WG Shop To Home" dst-address=\
10.0.10.0/24 src-address=172.16.0.0/24 out-interface=WG1
add action=accept chain=forward comment="WG Home To Shop" dst-address=\
172.16.0.0/24 src-address=10.0.10.0/24 in-interface=WG1
add action=accept chain=forward comment="remote WG to Shop" dst-address=\
172.16.0.0/24 src-address=192.168.32.0/24 in-interface=WG1
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all else"
 
anav
Forum Guru
Posts: 19563
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard connection being dropped by firewall on new router, worked fine on old router with same settings.

Wed Apr 24, 2024 2:39 am

1. You do not require masquerade on your wireguard, as you have both ends as MT devices and full control of rules and routes and allowed IPs. Remove the highlighted (WG1 masquerade) rule.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=WG1


2. add wg to lan list
/interface list member
add comment=defconf interface=ether1 list=WAN
add comment=defconf interface=bridge list=LAN
add interface=WG1 list=LAN
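The interface-list behaviour that rplant, jaclaz and anav describe above (WG1 is in neither list, so `in-interface-list=!LAN` drops anything the router itself receives on it, while the two forward-chain accept rules never see input-chain traffic), as an added example that is not from the original thread and not MikroTik code: a small Python model of first-match evaluation over the L009's exported IPv4 filter rules and over anav's proposed input chain. The packets, the `Authorized` address-list entries and the `100.64.0.2` stand-in for the censored business WAN address are constructed for the example; fasttrack and ipsec-policy rules are left out and connection-state is supplied by hand rather than by conntrack.

```python
"""Added example (not RouterOS code): a minimal first-match model of the
/ip firewall filter chains exported in this thread, to show which rule a packet hits.
Simplifications: no fasttrack/ipsec-policy rules, connection-state is given by hand,
and connection-nat-state is assumed !dstnat because the export has no dst-nat rules."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    chain: str          # "input" = addressed to the router, "forward" = through it
    in_iface: str
    proto: str = "udp"
    src: str = "0.0.0.0"
    dst: str = "0.0.0.0"
    dst_port: int = 0
    state: str = "new"  # connection-state as conntrack would have classified it


@dataclass
class Rule:
    chain: str
    action: str
    comment: str = ""
    in_list: Optional[str] = None   # in-interface-list; a leading "!" negates
    src_list: Optional[str] = None  # src-address-list
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    src_net: Optional[str] = None
    dst_net: Optional[str] = None
    states: Tuple[str, ...] = ()    # empty tuple = any connection-state


def _in_net(addr: str, net: Optional[str]) -> bool:
    return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def matches(rule: Rule, pkt: Packet, iface_lists: Dict[str, set],
            addr_lists: Optional[Dict[str, List[str]]] = None) -> bool:
    if rule.chain != pkt.chain:
        return False
    if rule.in_list is not None:
        negate = rule.in_list.startswith("!")
        member = pkt.in_iface in iface_lists.get(rule.in_list.lstrip("!"), set())
        if member == negate:        # "!LAN" matches exactly the non-members of LAN
            return False
    if rule.src_list is not None and not any(
            _in_net(pkt.src, n) for n in (addr_lists or {}).get(rule.src_list, [])):
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    if rule.states and pkt.state not in rule.states:
        return False
    return _in_net(pkt.src, rule.src_net) and _in_net(pkt.dst, rule.dst_net)


def evaluate(rules: List[Rule], pkt: Packet, iface_lists: Dict[str, set],
             addr_lists: Optional[Dict[str, List[str]]] = None) -> Tuple[str, str]:
    """First matching rule in the packet's chain wins; RouterOS accepts a packet
    that reaches the end of a chain without matching anything."""
    for r in rules:
        if matches(r, pkt, iface_lists, addr_lists):
            return r.action, r.comment
    return "accept", "(no rule matched: implicit accept at end of chain)"


# The L009's IPv4 filter as exported, in order (fasttrack/ipsec rules omitted).
L009_RULES = [
    Rule("forward", "accept", "WG Shop To Home", src_net="172.16.0.0/24", dst_net="10.0.10.0/24"),
    Rule("forward", "accept", "WG Home To Shop", src_net="10.0.10.0/24", dst_net="172.16.0.0/24"),
    Rule("input", "accept", "defconf: accept established,related,untracked",
         states=("established", "related", "untracked")),
    Rule("input", "drop", "defconf: drop invalid", states=("invalid",)),
    Rule("input", "accept", "defconf: accept ICMP", proto="icmp"),
    Rule("input", "accept", "defconf: accept to local loopback (for CAPsMAN)", dst_net="127.0.0.1/32"),
    Rule("input", "drop", "defconf: drop all not coming from LAN", in_list="!LAN"),
    Rule("forward", "accept", "defconf: accept established,related, untracked",
         states=("established", "related", "untracked")),
    Rule("forward", "drop", "defconf: drop invalid", states=("invalid",)),
    Rule("forward", "drop", "defconf: drop all from WAN not DSTNATed", in_list="WAN", states=("new",)),
]

# anav's proposed input chain, abridged: an explicit drop-all-else instead of implicit accept.
ANAV_INPUT = [
    Rule("input", "accept", states=("established", "related", "untracked")),
    Rule("input", "drop", states=("invalid",)),
    Rule("input", "accept", proto="icmp"),
    Rule("input", "accept", "admin access", src_list="Authorized"),
    Rule("input", "accept", "DNS services", in_list="LAN", proto="udp", dst_port=53),
    Rule("input", "drop", "Drop all else"),
]

LISTS_AS_EXPORTED = {"LAN": {"bridge"}, "WAN": {"ether1"}}           # WG1 in neither list
LISTS_WG_IN_LAN = {"LAN": {"bridge", "WG1"}, "WAN": {"ether1"}}       # rplant/anav suggestion
AUTHORIZED = {"Authorized": ["172.16.0.10/32", "192.168.32.3/32"]}   # hypothetical admin hosts

# Constructed packets; 100.64.0.2 stands in for the censored business WAN address.
logged = Packet("input", "ether1", "udp", "174.126.54.183", "100.64.0.2", 17821)   # the logged drop
phone_dns = Packet("input", "WG1", "udp", "192.168.32.3", "172.16.0.1", 53)        # phone -> router DNS
phone_bi = Packet("forward", "WG1", "tcp", "192.168.32.3", "172.16.0.254", 82)     # phone -> Blue Iris
wan_winbox = Packet("input", "ether1", "tcp", "203.0.113.9", "100.64.0.2", 8291)   # stranger -> WinBox
```

Two things the model makes visible. The logged packet is dropped whether or not WG1 is in LAN: it arrives on ether1, is classified new, and is addressed to a port the router does not listen on, so no input rule accepts it and the `!LAN` drop is what it reaches. The phone's forwarded traffic to Blue Iris, on the other hand, is accepted only because the exported forward chain has no closing drop; with anav's "Drop all else" rule in place it would need the explicit `in-interface=WG1` accepts he lists.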
 
anav
Forum Guru
Posts: 19563
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard connection being dropped by firewall on new router, worked fine on old router with same settings.

Wed Apr 24, 2024 2:48 am

RB5009 (home)

/interface wireguard peers
add allowed-address=172.16.0.0/24,192.168.32.2/32 interface=WG-5009 public-key="***" comment="Work Router (L009)"
add allowed-address=192.168.32.3/32 interface=WG-5009 public-key="*+++" comment=RemoteUser1
add allowed-address=192.168.32.4/32 interface=WG-5009 public-key="*+++" comment=RemoteUser2

etc.

/ip route
add dst-address=172.16.0.0/24 gateway=WG-5009 routing-table=main

KEY FIREWALL RULE (Relay Rule!)
add chain=forward action=accept in-interface=WG-5009 out-interface=WG-5009

In effect this allows any remote user to connect to the RB5009 at home, exit the tunnel and then reenter the tunnel for the L009 router.
 
Frostbite1991
just joined
Topic Author
Posts: 3
Joined: Tue Apr 23, 2024 4:09 am

Re: Wireguard connection being dropped by firewall on new router, worked fine on old router with same settings.

Thu Apr 25, 2024 4:15 am

Sorry for the late reply. Starting a business while working full time, not much time for side activities lol. Anywho, I got it working again by changing the port for the Wireguard, maybe a MT glitch, maybe T-Mobile being dumb with port 13231. I have zero control over the T-Mobile router, can't even change DHCP settings, so it sucks but it's really my only option due to the shop's location. Hopefully it stays working. CGNAT suuucks.
