Community discussions

MikroTik App
 
ahmet82
newbie
Topic Author
Posts: 47
Joined: Thu Aug 20, 2020 12:26 am

wireguard site to site routing problem

Sun Nov 13, 2022 5:09 pm

Hello,

I am trying to setup wireguard site to site. I am so close, but for some reason I can not ping or connect between sites. What am I missing? Handshake is there. Routing seems to work, but there is no connection. I flipped through the firewall, but no luck

SITE A:
reducted

SITE B
reducted

Last edited by ahmet82 on Sun Nov 13, 2022 5:53 pm, edited 1 time in total.
 
sindy
Forum Guru
Forum Guru
Posts: 9899
Joined: Mon Dec 04, 2017 9:19 pm

Re: wireguard site to site routing problem  [SOLVED]

Sun Nov 13, 2022 5:45 pm

I think you are missing routes. The Wireguard's allowed-address works different from IPsec policies - whereas IPsec policies override the result of routing, each Wireguard interface works as an autonomous router that only handles traffic the "main" router has handed over to it. So on SITE A, you need to add routes to 10.4.60.0/24 and 10.4.20.0/24 via WIREGUARD, and on SITE B, you need to add routes to 10.97.60.0/24 and 10.97.20.0/24 via WIREGUARD.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 14362
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: wireguard site to site routing problem

Sun Nov 13, 2022 5:53 pm

viewtopic.php?t=182340

(1) Your first config is totally hosed, there is no bridge and yet you invoke some bridge firewall settings that are rarely used (exception vice the horm).
(2) You also use vlan-id=1 for some reason which is the standard default vlan on the MT bridge if used and not recommended to be identified or used for anything else aka no actual vlans carrying data.
(3) found it very confusing that you called ether1 LAN, and thus your LAN and an etherport have the same name,,,,,,,,,, I wouldnt do it to reduce any confusion.


(3) okay on the second device you at least define a bridge! :-)

(4) I would use a different wireguard name on the two devices, reduces any confusion in the mind. Same with wireguard listen port.

(5) Would be good if you used the same bridge construct on Device 1 as you use on Device 2, wehre the vlans are identifed as being part of bridge and not ether1

(6) You do the same silly thing with vlan1 on device 2. :-(

(7 ) YOu use bridge firewall filtering where it is probably not required and could get in the way.

(8) Clearly there is a gross lack of understanding of how vlans work in conjuction with trunk ports ( carry all tagged vlans between smart devices ), and access ports ( which carry one untagged vlan) and hybrid ports ( which carry one untagged vlan and as many tagged vlans as required )
++++++++++++++++
wireguard errors
++++++++++++++++

(9) Wireguard peers on DEVICE 1, should include the other device wireguard as shown and what is the point of keep alive if device A is the server/receiving initial handshake???
/interface wireguard peers
add allowed-address=10.4.60.2/32,10.4.20.0/24 interface=WIREGUARD persistent-keepalive=25s public-key=\

"****"

(10) You have one correct route for Device 1, you need an additional route for the other subnet traversing the tunnel.
This is the same problem on Device 2, you need an additional router for the other subnet traversing the tunnel.

By that I mean, the local subnet you need to tell router to route it out tunnel and the remote subnet coming in, will need to know where to route the return traffic back through the tunnel.
add dst-address=localSubnet gwy=Wireguard table=main
add dst-address=remoteSubnet gwy=Wireguard table=main

(11) Wireguard Addres on Device2 is WRONG, it cannot be the same as Device 1, so change it too:
add address=10.4.60.2/24 interface=WIREGUARD network=10.4.60.0
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 14362
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: wireguard site to site routing problem

Sun Nov 13, 2022 6:00 pm

Sindy you are partially correct, the routes missing were not for the WIREGUARD itself, these are created automatically by proper appliicatioin of the wireguard address structure which was only partially correct as the address on device 2 was the same as on device 1 10.4.60.1/24 (vice it should be 10.4.60.2/24)

But yes One local subnet on each device was visiting the other router and thus each router needed two routes, where he had only one.
One route to tell the router where to send the local subnet ( hey enter the tunnel)
Second route to tell the router where to send the return traffic of the remote subnet after visiting the local subnet.


There are other issues but the OP seems not to keen on fixing them LOL
 
ahmet82
newbie
Topic Author
Posts: 47
Joined: Thu Aug 20, 2020 12:26 am

Re: wireguard site to site routing problem

Sun Nov 13, 2022 7:08 pm

Hello

Sindy’s answer worked. I was following https://help.mikrotik.com/docs/display/ROS/WireGuard which has only one new manually added route. It fixed the problem. I am just curious why the documentation wasnt showing it


As for not having a bridge for site 1, i was told on this forum that i didnt need one if i have a seperate switch that handles switching. I am just using a single port on the router to connect to a switch

Anav,
As for site 2, yes it is messy. I am looking to clean it. I am not sure where you got the idea that I am not keen on fixing them

Who is online

Users browsing this forum: Ahrefs [Bot], Amazon [Bot] and 18 guests