Community discussions

MikroTik App
 
Testingtest
just joined
Topic Author
Posts: 2
Joined: Mon Sep 19, 2022 3:01 pm

WireGuard Router not all Websites Work

Sun Nov 20, 2022 1:11 pm

Hello guys,

I just installed my MikroTik Router (CCR1009) with the newest ROS Version (7.6 Stable) to use it as a WireGuard Router.
On the WireGuard Server I installed evrything with this script: https://github.com/angristan/wireguard-install

For testing if the server works, i added my mobile as a client to check the connection. Evrything works, I can open all websites, apps and so on.
I also added my MikroTik router as a client, added the default route and can ping the internet, DNS also works fine.
All traffic from VPN network should use the wireguard interface as default gateway, so all traffic is routed over the VPN.
My problem now is: not all websites and apps are working. For example www.reddit.com is not working.
My idea is, that maybe it is a problem with IPv6 connections, but I am not sure.
I can ping the website, but when I try to open it in the browser, no connection can be established and it is loading until abortion.

Here is my config. I hope someone had the same issue before and can help out.
# nov/20/2022 09:29:41 by RouterOS 7.6
# software id = <ID>
#
# model = CCR1009-7G-1C-1S+
# serial number = <SNR>
/interface bridge
add name=VPN
add name=Online
/interface ethernet
set [ find default-name=combo1 ] combo-mode=copper
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard_out
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool_vpn ranges=172.19.100.100-172.19.100.199
/ip dhcp-server
add address-pool=dhcp_pool_vpn interface=VPN name=dhcp_vpn
/interface bridge port
add bridge=Online interface=combo1
add bridge=Online interface=ether1
add bridge=Online interface=ether2
add bridge=Online interface=ether3
add bridge=VPN interface=ether4
add bridge=VPN interface=ether5
add bridge=VPN interface=ether6
add bridge=VPN interface=ether7
add bridge=VPN interface=sfp-sfpplus1
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface wireguard peers
add allowed-address=0.0.0.0/0,::/0 endpoint-address=185.248.140.124 endpoint-port=51997 interface=wireguard_out persistent-keepalive=10s public-key="aUzcDSApNNaiHLQmfWT+TGDOAN5ixfbQ7igWywpMmX4="
/ip address
add address=10.66.66.2/24 interface=wireguard_out network=10.66.66.0
add address=172.19.100.254/24 interface=VPN network=172.19.100.0
/ip dhcp-client
add add-default-route=no interface=Online use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=172.19.100.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 gateway=172.19.100.254
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4
/ip firewall nat
add action=masquerade chain=srcnat out-interface=wireguard_out
/ip route
add disabled=no dst-address=<VPN-SERVER-IP>/32 gateway=192.168.1.1 routing-table=main suppress-hw-offload=no
add disabled=no dst-address=0.0.0.0/0 gateway=wireguard_out routing-table=main suppress-hw-offload=no
If something is missing, just ask.

Thanks a lot in advance
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 2390
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: WireGuard Router not all Websites Work

Mon Nov 21, 2022 9:46 pm

MTU size problem?
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 14362
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: WireGuard Router not all Websites Work

Mon Nov 21, 2022 11:38 pm

Your are using IPV6???
so you have your own linux server at another location? AWS? or are you using a third party provider?
so you have 3/4 WAN connections??

Missing basic SRCNAT RULE......
/ip firewall nat
??? add action=masquerade chain=srcnat out-interface=Online ??
add action=masquerade chain=srcnat out-interface=wireguard_out

Im starting to think you have a weird wan setup...
Where is the normal wan route?? and what the heck is vpn server...........
/ip route
add disabled=no dst-address=<VPN-SERVER-IP>/32 gateway=192.168.1.1 routing-table=main suppress-hw-offload=no
add disabled=no dst-address=0.0.0.0/0 gateway=wireguard_out routing-table=main suppress-hw-offload=no

Yes too much missing.
/export file=anynameyouwish (minus router serial number and any publicWANIP info)
 
Testingtest
just joined
Topic Author
Posts: 2
Joined: Mon Sep 19, 2022 3:01 pm

Re: WireGuard Router not all Websites Work

Wed Nov 23, 2022 1:26 pm

Hello again,
thanks for the fast reply. I should have explained my setup more in detail.

Here it comes:
My ISP provides me a fiber modem. Sadly, not many changes can be made there. That's why I want to use my MikroTik router (CCR1009).
The ISP modem uses the network 192.168.1.0/24 with the IP: 192.168.1.1. The modem also runs an DHCP server for the network.
In my setup, I want devices to be able to use the "regular / non-VPN" internet (in the config "Open_LAN", others should use the "VPN" internet (in the config VPN_LAN). For the VPN internet, I rent have a virtual server in a datacenter (1 public IPv4) and run the WireGuard server on it.
I can also confirm that the Server side is working, because i also use my mobile phone with it and there evrything works.

So to get it to work, I bridged 4 ports (combo1, ether1-3) for "without VPN" internet clients and 4 ports (ether4-7) for "VPN" internet clients.
The combo1 port is the link to the ISP modem, the DHCP client runs on the bridge and gets an IP-address.
For my "VPN LAN" I run a DHCP server on network 172.19.100.0/24.

I added a route for <Public-VPN-Server-IP>/32 over 192.168.1.1 (ISP modem), so that that the wireguard interface is able to connect to the VPN-Server. Its a public IPv4.
Then I added a 0.0.0.0/0 route over the wireguard interface to push all other traffic over the wireguard interface.
The src-nat masquerade I put only over the wireguard interface, not the combo1 port (link to ISP modem), because I also have "non VPN" clients who getting there own 192.168.1.0/24 address from the ISP modem.

So, that's my setup, I hope this time you can follow me. Basically I think it is a simple setup, but I don't know what I am missing.

Also, here is the whole config:
# nov/23/2022 11:15:33 by RouterOS 7.6
# software id = MFE2-4SAH
#
# model = CCR1009-7G-1C-1S+
# serial number = <SNr>
/interface bridge
add name=Open_LAN
add name=VPN_LAN
/interface ethernet
set [ find default-name=combo1 ] combo-mode=copper
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard_out
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool_vpn_lan ranges=172.19.100.100-172.19.100.199
/ip dhcp-server
add address-pool=dhcp_pool_vpn_lan interface=VPN_LAN name=dhcp_vpn_lan
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=Open_LAN interface=combo1
add bridge=Open_LAN interface=ether1
add bridge=Open_LAN interface=ether2
add bridge=Open_LAN interface=ether3
add bridge=VPN_LAN interface=ether4
add bridge=VPN_LAN interface=ether5
add bridge=VPN_LAN interface=ether6
add bridge=VPN_LAN interface=ether7
add bridge=VPN_LAN interface=sfp-sfpplus1
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface wireguard peers
add allowed-address=0.0.0.0/0,::/0 endpoint-address=<VPN-Server-Public-IP> endpoint-port=<VPN-Server-Port> interface=wireguard_out persistent-keepalive=10s public-key="<KEY>"
/ip address
add address=10.66.66.2/24 interface=wireguard_out network=10.66.66.0
add address=172.19.100.254/24 interface=VPN_LAN network=172.19.100.0
/ip dhcp-client
add add-default-route=no interface=Open_LAN use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=172.19.100.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 gateway=172.19.100.254
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4
/ip firewall nat
add action=masquerade chain=srcnat out-interface=wireguard_out
/ip route
add disabled=no dst-address=<VPN-Server-public-IP/32 gateway=192.168.1.1 routing-table=main suppress-hw-offload=no
add disabled=no dst-address=0.0.0.0/0 gateway=wireguard_out routing-table=main suppress-hw-offload=no
/system clock
set time-zone-autodetect=no time-zone-name=UTC
/system identity
set name=internet_router
/system ntp client
set enabled=yes
/system ntp client servers
add address=pool.ntp.org
/tool graphing interface
add allow-address=172.19.100.0/24
/tool graphing resource
add allow-address=172.19.100.0/24
The firewall I want to add when everything works fine.

As mentioned in the first post:
I don't understand, why some websites are working, and others don't. Reddit, Stackoverflow for example are not working, while many others are working.
Same with mobile apps, Instagram and many others are working, some apps are running in a timeout.
It seems then, that no response at all is reaching the clients.

This time, I hope, i handed over enough information to understand my setup.
If not please let me know, then i can make some drawings.

I also read about MTU problems, but changing it to 1200 or 1000 doesn't fix my problem.


Best regards
 
Guscht
Member Candidate
Member Candidate
Posts: 189
Joined: Thu Jul 01, 2010 5:32 pm

Re: WireGuard Router not all Websites Work

Wed Nov 23, 2022 1:49 pm

It sounds to me like a MTU issue. This random "this website works, this not..." is typically for that kind error.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 14362
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: WireGuard Router not all Websites Work

Wed Nov 23, 2022 2:11 pm

What kind of virtual server are you running,,,,,,,,,, linux? MS CHR?
Settings at server for wireguard?
Any MTU setting options at server?
 
Guscht
Member Candidate
Member Candidate
Posts: 189
Joined: Thu Jul 01, 2010 5:32 pm

Re: WireGuard Router not all Websites Work

Wed Nov 23, 2022 2:20 pm

Try adding:
/interface bridge
add ... mtu=1500
to your bridges and see if it works.

Reducing the MTU too much results in fragmentet packets. Each part of the connection has to know it have to send smaller packets, thats signalled via ICMP.
If ICMP is somewhere blocked/droped, at least one side of the connection does not know this and the frames are silently dropped somewhere.

MTs bridges have an automatic, which sets the bridges MTU to the samllest MTU of any member interface if not set by the admin.
Check for this and check your "VPN-Server" for MTU related things.
Last edited by Guscht on Wed Nov 23, 2022 2:26 pm, edited 1 time in total.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 14362
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: WireGuard Router not all Websites Work

Wed Nov 23, 2022 2:22 pm

Why the bridges and not the wireguard interface???
 
BillyVan
newbie
Posts: 27
Joined: Tue Sep 04, 2018 10:29 pm
Location: Greece

Re: WireGuard Router not all Websites Work

Wed Nov 23, 2022 4:49 pm

last week i have same problem

for example i have problem with gmail, yahoo.com, duckduckgo.com

after many test with size of mtu

on server 1500

on all clients 1420

and
/ip firewall mangle add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=wireguard1 passthrough=yes protocol=tcp tcp-flags=syn
on Mikrotik client site

so after changes all web sites open even gmail from all my clients

from Wireguard server
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 14362
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: WireGuard Router not all Websites Work

Wed Nov 23, 2022 5:43 pm

That is well described here at viewtopic.php?t=182340

Para 9. d.
D. MTU-MSS ISSUES Typically observed when unable to browse or very very slow through wireguard tunnel.

If that doesnt work there is another possibility in para 10.

Who is online

Users browsing this forum: Ahrefs [Bot], Google [Bot], Semrush [Bot] and 17 guests