General • Wireguard - branches to main site - one works, other not

Hello.
I am switching from ipsec to wireguard. But for some reason one branch can communicate with the main location while the other branch cannot. Configs seem to me identical, but maybe I am missing something.

Sites overview
Site 1 - main site:
Public IP: 1.1.1.1
Local networks: 10.201.22.0/24, 10.201.25.0/24, ... (+ some other, but not relevant for this topic)
Wireguard interface (wgEDI) addresses:
172.16.0.1/30
172.16.1.1/30
172.16.3.1/30
Port: 12321 (udp allowed on firewall input)
Static routes defined for branches' LANs with gateway being the wireguard interface wgEDI

Site 2 - working branch:
Public IP: 2.2.2.2
Local networks: 10.201.1.0/24
Wireguard interface (wgSKL) addresses:
172.16.1.2/30
Port: 12321 (udp allowed on firewall input)
Static routes to 10.201.22.0/24 and to 10.201.25.0/24 defined with gateway wgSKL

Site 3 - not working branch:
Public IP: NO (behind NAT)
Local networks: 10.201.3.0/24
Wireguard interface (wgHOD) addresses:
172.16.3.2/30
Port: 12321 (udp allowed on firewall input)
Static routes to 10.201.22.0/24 and to 10.201.25.0/24 defined with gateway wgHOD
On ether1 ("WAN") I have address 192.168.100.2 and gateway 192.168.100.1. This is from the ISP's router. I have full access to that router, but I cannot replace it with a Mikrotik. So I must be behind its NAT. I have disabled the firewall on that router just to make sure the issue is not there.
The actual WAN address of that ISP router is a dynamic one.
[ ISP ] <---> [ Zyxel ISP router ] (192.168.100.1) <---> (192.168.100.2) [ Mikrotik ] (10.201.3.1) <---> [ LAN 10.201.3.0/24 ]

CONFIGs
Site1
Code:
# 2024-02-10 20:37:22 by RouterOS 7.13.2
# software id = GEFA-6CF8
#
# model = RB4011iGS+
# serial number = D4440D1022D0
#NOTE: Do not mind the bridge and vlan setups = work in progress...
/interface bridge
add admin-mac=08:55:31:12:92:3B auto-mac=no comment=defconf name=bridge.local \
    priority=0x9000
add name=bridge.servers
/interface ethernet
set [ find default-name=ether1 ] name=e1.WAN
set [ find default-name=ether2 ] comment="LAN - trunk to crs109 - 22, 1978" \
    name=e2.t.crs109
set [ find default-name=ether3 ] comment="LAN - tbd - free" name=e3
set [ find default-name=ether4 ] name=e4.srvs.private.vlan
set [ find default-name=ether5 ] name=e5.free
/interface wireguard
add listen-port=13231 mtu=1420 name=wgEDI
/interface vlan
add comment="LAN + WiFi" interface=bridge.local name=vlan22 vlan-id=22
add interface=bridge.local name=vlan25 vlan-id=25
add comment="Servers private vlan" interface=e4.srvs.private.vlan name=\
    vlan1112 vlan-id=1112
add comment=Management interface=bridge.local name=vlan9999 vlan-id=1978
/interface list
add comment=defconf name=WAN
add comment="Local + VPN clients" include=dynamic name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-128 name=prof-Sushinet-S2S
/ip ipsec peer
add address=2.2.2.2/32 disabled=yes exchange-mode=ike2 name=SKL \
    profile=prof-Sushinet-S2S
add address=3.3.3.3/19 exchange-mode=ike2 name=HOD passive=yes \
    profile=prof-Sushinet-S2S send-initial-contact=no
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=\
    aes-256-cbc,aes-128-cbc
add auth-algorithms="" enc-algorithms=aes-128-gcm lifetime=4h name=\
    prop-Sushinet-S2S pfs-group=none
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_servers ranges=10.201.25.100-10.201.25.254
add name=dhcp_emerg.mgmt ranges=192.168.98.2-192.168.98.254
add name=dhcp_lan.and.wifi ranges=10.201.22.100-10.201.22.254
add name=dhcp_management ranges=10.99.99.100-10.99.99.254
add name=pool_l2tp ranges=10.201.22.70-10.201.22.79
add name=dhcp_servers.private ranges=10.11.12.200-10.11.12.220
/ip dhcp-server
add address-pool=default-dhcp disabled=yes interface=bridge.local lease-time=\
    10m name=defconf
add address-pool=dhcp_servers interface=bridge.servers name=dhcp.servers
add address-pool=dhcp_emerg.mgmt interface=sfp-sfpplus1 name=\
    dhcp.emer.management
add address-pool=dhcp_lan.and.wifi interface=vlan22 name=dhcp.vlan22
add address-pool=dhcp_management interface=vlan9999 name=dhcp.management
add address-pool=dhcp_servers.private interface=vlan1112 name=\
    dhcp.private.servers
/ppp profile
set *FFFFFFFE bridge=bridge.local dns-server=10.201.22.1,10.201.25.5 \
    local-address=10.201.22.1 remote-address=pool_l2tp
/interface bridge port
add bridge=bridge.local comment=defconf interface=e2.t.crs109
add bridge=bridge.local comment=defconf interface=e3
add bridge=bridge.local comment=defconf interface=e5.free
add bridge=bridge.servers comment=defconf interface=ether6
add bridge=bridge.servers comment=defconf interface=ether7
add bridge=bridge.servers comment=defconf interface=ether8
add bridge=bridge.servers comment=defconf interface=ether9
add bridge=bridge.servers comment=defconf interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge.local comment="LAN & WiFi" tagged=e2.t.crs109,bridge.local \
    vlan-ids=22
add bridge=bridge.local comment=Management tagged=e2.t.crs109,bridge.local \
    vlan-ids=1978
add bridge=bridge.local comment="Servers private" tagged=e4.srvs.private.vlan \
    vlan-ids=1112
add bridge=bridge.local comment=Servers tagged=e2.t.crs109,bridge.local \
    vlan-ids=25
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge.local list=LAN
add comment=defconf interface=e1.WAN list=WAN
add interface=bridge.servers list=LAN
add interface=vlan22 list=LAN
add interface=vlan9999 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
/interface wireguard peers
add allowed-address=172.16.0.2/32,10.201.19.0/24 comment="PST mAPlite" \
    interface=wgEDI public-key=\
    "9999..."
add allowed-address=172.16.1.2/32,10.201.1.0/24 comment=SKL \
    endpoint-address=2.2.2.2 endpoint-port=13231 interface=wgEDI \
    public-key="2222..."
add allowed-address=172.16.3.2/32,10.201.3.0/24,192.168.100.0/24 comment=\
    HOD interface=wgEDI public-key=\
    "3333..."
/ip address
add address=192.168.88.1/24 comment=defconf disabled=yes interface=\
    bridge.local network=192.168.88.0
add address=1.1.1.1 comment="ISP public IP" interface=e1.WAN \
    network=1.1.1.1
add address=10.201.25.1/24 comment="LAN - servers" interface=bridge.servers \
    network=10.201.25.0
add address=192.168.98.1/24 comment="emerg. management" interface=\
    sfp-sfpplus1 network=192.168.98.0
add address=10.201.22.1/24 comment="VLAN + wifi" interface=vlan22 network=\
    10.201.22.0
add address=10.99.99.1/24 comment="VLAN Management" interface=vlan9999 \
    network=10.99.99.0
add address=10.11.12.1/24 comment="Servers private vlan" interface=vlan1112 \
    network=10.11.12.0
add address=172.16.0.1/30 comment="Wireguard Local" interface=wgEDI network=172.16.0.0
add address=172.16.3.1/30 interface=wgEDI network=172.16.3.0
add address=172.16.1.1/30 interface=wgEDI network=172.16.1.0
/ip dhcp-client
add comment=defconf interface=e1.WAN
add interface=e4.srvs.private.vlan
/ip dhcp-server network
add address=10.11.12.0/24 comment="Servers private" dns-server=10.11.12.1 \
    gateway=10.11.12.1
add address=10.99.99.0/24 gateway=10.99.99.1
add address=10.201.22.0/24 dns-server=10.201.25.5,88.212.8.8,88.212.8.88 \
    gateway=10.201.22.1
add address=10.201.25.0/24 dns-server=10.201.25.5,88.212.8.8,88.212.8.88 \
    gateway=10.201.25.1
add address=192.168.88.0/24 comment=defconf dns-server=\
    10.201.25.5,192.168.88.1 gateway=192.168.88.1
add address=192.168.98.0/24 gateway=192.168.98.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
add forward-to=10.201.25.5 regexp=".*\\.mydomain\\.com\$" type=FWD
/ip firewall address-list
add address=10.201.19.0/24 list="PST"
add address=10.201.22.90-10.201.22.99 list=Management
add address=10.201.22.129 comment=Test list=Management
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input dst-port=8291 in-interface-list=LAN \
    protocol=tcp
add action=accept chain=input comment="Wireguard - EDI" dst-port=13231 \
    in-interface-list=WAN protocol=udp
add action=accept chain=input comment="L2TP VPN" dst-port=500,1701,4500 \
    in-interface=e1.WAN protocol=udp
add action=accept chain=input comment="L2TP VPN" in-interface=e1.WAN \
    protocol=ipsec-esp
add action=accept chain=input comment="L2TP VPN" in-interface=e1.WAN \
    protocol=ipencap
add action=accept chain=input dst-port=53 in-interface-list=!WAN protocol=tcp
add action=accept chain=input dst-port=53 in-interface-list=!WAN protocol=udp
add action=add-src-to-address-list address-list=HODO_new_IP \
    ...
add action=add-src-to-address-list address-list=ping-knock2 \
    ...
add action=add-src-to-address-list address-list=ping-knock1 \
    ...
add action=add-src-to-address-list address-list=ping-knock1 \
    ...
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward dst-address=10.99.99.0/24 src-address-list=\
    !Management
add action=accept chain=forward dst-address=10.201.25.0/24 in-interface=wgEDI
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
add disabled=yes peer=SKL
add peer=HOD
/ip ipsec policy
add disabled=yes dst-address=\
    10.201.1.0/24 peer=SKL proposal=prop-Sushinet-S2S src-address=\
    10.201.16.0/20 tunnel=yes
add comment="HOD-LAN" dst-address=10.201.3.0/24 level=unique peer=\
    HOD proposal=prop-Sushinet-S2S src-address=10.201.16.0/20 tunnel=\
    yes
add comment="HOD-to-intermediateNAT" dst-address=\
    192.168.100.0/24 level=unique peer=HOD proposal=prop-Sushinet-S2S \
    src-address=10.201.16.0/20 tunnel=yes
/ip route
add disabled=no dst-address=10.201.1.0/24 gateway=wgEDI routing-table=\
    main suppress-hw-offload=no
add disabled=no distance=1 dst-address=10.201.3.0/24 gateway=wgEDI \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no dst-address=192.168.100.0/24 gateway=wgEDI \
    routing-table=main suppress-hw-offload=no
/ppp secret
add name=xxx profile=default-encryption service=l2tp
/tool netwatch
add disabled=no down-script="/system script run newHODOip" host=10.201.3.1 \
    interval=1m timeout=1s type=simple
Site2
Code:
# 2024-02-10 20:42:35 by RouterOS 7.10.2
# software id = U7D4-T1XK
#
# model = RB750Gr3
# serial number = CC210E3A152D
/interface bridge
add admin-mac=2C:C8:1B:9F:3E:B8 auto-mac=no comment=defconf name=bridge-local
/interface l2tp-server
add name=l2tp-in1-xxx user=xxx
/interface wireguard
add listen-port=13231 mtu=1420 name=wgSKL
/caps-man datapath
add bridge=bridge-local client-to-client-forwarding=yes local-forwarding=yes \
    name=dtpSushinet
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
    name=secLAN
/caps-man configuration
add datapath=dtpSushinet mode=ap name=sushinet security=\
    secLAN ssid=Sushinet
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 nat-traversal=no
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-192-cbc
add enc-algorithms=3des name=l2tp_vpn
/ip pool
add name=default-dhcp ranges=10.201.1.150-10.201.1.220
/ip dhcp-server
add address-pool=default-dhcp authoritative=after-2sec-delay interface=\
    bridge-local lease-time=2h name=default
/port
set 0 name=serial0
/ppp profile
add dns-server=10.201.1.1 local-address=10.201.1.1 name=sstp remote-address=\
    default-dhcp
add bridge=bridge-local local-address=10.201.1.1 name=l2tp remote-address=\
    default-dhcp
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/caps-man access-list
add action=accept disabled=no interface=any signal-range=-100..120 \
    ssid-regexp=""
add action=reject disabled=no interface=any signal-range=-120..-101 \
    ssid-regexp=""
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=sushinet name-format=\
    prefix-identity name-prefix=cap-SKL
/interface bridge port
add bridge=bridge-local comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge-local comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge-local comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge-local comment=defconf ingress-filtering=no interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set allow-fast-path=yes default-profile=l2tp use-ipsec=required
/interface list member
add comment=defconf interface=bridge-local list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=172.16.1.1/32,10.201.25.0/24,10.201.22.0/24 \
    endpoint-address=1.1.1.1 endpoint-port=13231 interface=wgSKL \
    public-key="1111..."
/ip address
add address=192.168.88.1/24 comment=defconf disabled=yes interface=\
    bridge-local network=192.168.88.0
add address=10.201.1.1/24 comment="default configuration" interface=\
    bridge-local network=10.201.1.0
add address=2.2.2.2 comment="WAN public address" interface=ether1 \
    network=2.2.2.2
add address=172.16.1.2/30 interface=wgSKL network=172.16.1.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.201.1.0/24 comment="default configuration" dns-server=\
    10.201.1.1 gateway=10.201.1.1
/ip dns
set allow-remote-requests=yes cache-max-ttl=2d
/ip dns static
add forward-to=10.201.25.5 regexp=".*\\.mydomain\\.com\$" type=FWD
add address=10.201.1.1 name=router
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=1.1.1.1 comment=Edisonova list="Trusted IPs"
add address=1.1.1.1 comment=Edisonova list=Sushinet_Networks
add address=10.201.3.0/24 list=Sushinet_Networks
add address=10.201.1.0/24 list=Sushinet_Networks
add address=10.201.22.0/24 list=Sushinet_Networks
add address=10.201.25.0/24 list=Sushinet_Networks
add address=10.19.78.0/24 list=Sushinet_Networks
add address=192.168.88.0/24 list=Sushinet_Networks
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=input comment="intruders DROP" src-address-list=\
    Intruders
add action=accept chain=input comment="DNS only internal requests" dst-port=\
    53 in-interface-list=!WAN protocol=tcp
add action=accept chain=input comment="DNS only internal requests" dst-port=\
    53 in-interface-list=!WAN protocol=udp
add action=accept chain=input dst-port=13231 in-interface-list=WAN protocol=\
    udp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input dst-port=22 protocol=tcp src-address-list=\
    Sushinet_Networks
add action=accept chain=input comment="mikrotik WinBox" dst-port=8291 \
    protocol=tcp src-address-list=Sushinet_Networks
add action=accept chain=input comment="L2TP VPN" in-interface-list=WAN \
    protocol=ipsec-esp
add action=jump chain=input comment="Brute-force UDP CHECK" connection-state=\
    new dst-port=500,1701,4500 in-interface-list=WAN jump-target=ipsec_chain \
    protocol=udp
add action=accept chain=input comment=ipsec dst-port=500,1701,4500 \
    in-interface=ether1 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="SECURE DROP ALL - forward" disabled=\
    yes
add action=drop chain=input comment="SECURE DROP ALL - input" disabled=yes
add action=add-src-to-address-list address-list=Intruders \
    ...
add action=add-src-to-address-list address-list=ipsec_stage2 \
    ...
add action=add-src-to-address-list address-list=ipsec_stage1 \
    ...
add action=return chain=ipsec_chain
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip firewall raw
add action=drop chain=prerouting in-interface-list=WAN src-address-list=\
    Intruders
/ip route
add disabled=no dst-address=10.201.25.0/24 gateway=wgSKL routing-table=\
    main suppress-hw-offload=no
add disabled=no dst-address=10.201.22.0/24 gateway=wgSKL routing-table=\
    main suppress-hw-offload=no
/ppp secret
add name=xxx profile=l2tp service=l2tp
/routing bfd configuration
add disabled=no
/system identity
set name=SKL-router-hEX
Site3
Code:
# 2024-02-10 20:41:19 by RouterOS 7.13.2
# software id = KDL8-VF33
#
# model = RBD53iG-5HacD2HnD
# serial number = E7290E690E26
/interface bridge
add admin-mac=2C:C8:1B:C5:FE:22 auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
/interface wireguard
add listen-port=13231 mtu=1420 name=wgHOD
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-128 name=prof-Sushinet-S2S
/ip ipsec peer
add address=88.212.60.238/32 exchange-mode=ike2 name=EDI profile=\
    prof-Sushinet-S2S
/ip ipsec proposal
set [ find default=yes ] disabled=yes enc-algorithms=aes-256-cbc,aes-192-cbc
add auth-algorithms="" enc-algorithms=aes-128-gcm lifetime=4h name=\
    prop-Sushinet-S2S pfs-group=none
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp ranges=10.201.3.100-10.201.3.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2 \
    internal-path-cost=10 path-cost=10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set lan-interface-list=LAN wan-interface-list=WAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wgHOD list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=172.16.3.1/32,10.201.25.0/24,10.201.22.0/24 endpoint-address=\
    1.1.1.1 endpoint-port=13231 interface=\
    wgHOD public-key="1111..."
/ip address
add address=10.201.3.1/24 interface=bridge network=10.201.3.0
add address=172.16.3.2/30 interface=wgHOD network=172.16.3.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=10.201.3.10 client-id=1:0:1d:ec:17:3c:f8 mac-address=\
    00:1D:EC:17:3C:F8 server=defconf
add address=10.201.3.11 client-id=1:7c:dd:90:d6:dc:9f mac-address=\
    7C:DD:90:D6:DC:9F server=defconf
/ip dhcp-server network
add address=10.201.3.0/24 comment=defconf dns-server=10.201.3.1 gateway=\
    10.201.3.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf disabled=yes name=router.lan
add forward-to=10.201.25.5 regexp=".*\\.mydomain\\.com\$" type=FWD
add address=10.201.3.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="Wireguard EDI" dst-port=13231 \
    in-interface-list=WAN protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input dst-port=500,4500 protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward disabled=yes dst-address=10.201.16.0/20 \
    src-address=10.201.3.0/24
add action=accept chain=forward disabled=yes dst-address=10.201.3.0/24 \
    src-address=10.201.16.0/20
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
add peer=EDI
/ip ipsec policy
set 0 disabled=yes
add dst-address=10.201.16.0/20 level=unique peer=\
    EDI proposal=prop-Sushinet-S2S src-address=10.201.3.0/24 tunnel=yes
add dst-address=10.201.16.0/20 peer=EDI proposal=prop-Sushinet-S2S src-address=\
    192.168.100.0/24 tunnel=yes
/ip route
add comment="Wireguard - Enable" disabled=no distance=1 dst-address=\
    10.201.22.0/24 gateway=wgHOD pref-src="" routing-table=main scope=\
    30 suppress-hw-offload=no target-scope=10
add comment="Wireguard - Enable" disabled=no distance=1 dst-address=\
    10.201.25.0/24 gateway=wgHOD pref-src="" routing-table=main scope=\
    30 suppress-hw-offload=no target-scope=10
/routing bfd configuration
add disabled=no
/system identity
set name=HOD-hAPac3
Connection between Site1 and Site2 works perfectly. I have removed ipsec and everything works fine.
Connection between Site1 and Site3 does not work. It seems the wg connection is established - I can ping the wg interfaces (from Site 1 I can ping Site 3's wg interface address 172.16.3.2 and vice versa, from Site 3 I can ping 172.16.3.1). Please note that the ipsec tunnel is up, but the pings work with ipsec enabled or disabled, thus I believe the wireguard connection is up and running.
I cannot reach the LANs, however. E.g. when I ping a server address 10.201.25.9 from Site 3, it works if the ipsec tunnel is up, but as soon as I shut it down, the ping times out.

I suspected a routing issue. But since the routes are set up the same way as for Site 2, I really do not know where the problem could be.
Any advice is appreciated!

Thank you!

Statistics: Posted by BrandonSk — Sat Feb 10, 2024 11:38 pm
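The post's troubleshooting stops at "the routes are set up the same way"; the check a practitioner would want next is the one WireGuard itself never logs: cryptokey routing. A packet is only sent to, or accepted from, a peer whose allowed-address list contains the packet's address, and a static route that points at a wg interface but falls outside every peer's allowed-address is dropped silently. The script below is an added example (not code from the post or from MikroTik) that parses RouterOS `/export` text and verifies, per router and across the hub/branch pair, that routes, allowed-address lists and LAN networks agree. It assumes constructed, cut-down exports with placeholder public keys; `check_pair` matches a branch to the hub's peer entry by the branch's tunnel address, since exports do not contain the private key that would identify the peer. The persistent-keepalive warning is a generic caveat for a peer that must initiate from behind NAT (no keepalive means the NAT mapping can lapse and the hub cannot reach the branch until the branch sends again), not a diagnosis of this post. The hub sample deliberately omits 192.168.100.0/24 from the HOD peer's allowed-address so that the route check has something to report; the post's own hub config does list it.

```python
"""Cryptokey-routing check for RouterOS WireGuard exports (added example; not the post's or MikroTik's code)."""
import ipaddress
import shlex

# Constructed sample exports, cut down to the sections the check reads; public keys are placeholders.
HUB_EXPORT = """\
/interface wireguard
add listen-port=13231 mtu=1420 name=wgEDI
/interface wireguard peers
add allowed-address=172.16.1.2/32,10.201.1.0/24 comment=SKL \\
    endpoint-address=2.2.2.2 endpoint-port=13231 interface=wgEDI \\
    public-key="PLACEHOLDER-SKL-PUBKEY"
add allowed-address=172.16.3.2/32,10.201.3.0/24 comment=\\
    HOD interface=wgEDI public-key="PLACEHOLDER-HOD-PUBKEY"
/ip route
add dst-address=10.201.1.0/24 gateway=wgEDI
add dst-address=10.201.3.0/24 gateway=wgEDI
add dst-address=192.168.100.0/24 gateway=wgEDI
"""
BRANCH_EXPORT = """\
/interface wireguard
add listen-port=13231 mtu=1420 name=wgHOD
/interface wireguard peers
add allowed-address=172.16.3.1/32,10.201.25.0/24,10.201.22.0/24 \\
    endpoint-address=1.1.1.1 endpoint-port=13231 interface=wgHOD \\
    public-key="PLACEHOLDER-EDI-PUBKEY"
/ip address
add address=10.201.3.1/24 interface=bridge network=10.201.3.0
add address=172.16.3.2/30 interface=wgHOD network=172.16.3.0
/ip route
add comment="Wireguard - Enable" dst-address=10.201.22.0/24 gateway=wgHOD
add dst-address=10.201.25.0/24 gateway=wgHOD
"""

def parse_export(text):
    """Return (section, {key: value}) per command; a trailing backslash continues a command."""
    entries, section, buf = [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):          # continuation: the command goes on in the next indented line
            buf += line[:-1]
            continue
        line, buf = buf + line, ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):         # section header such as "/ip route"
            section = line
            continue
        tokens = shlex.split(line)       # tokens[0] is add/set; the rest are key=value (quotes handled)
        entries.append((section, dict(t.split("=", 1) for t in tokens[1:] if "=" in t)))
    return entries

def wg_peers(entries):
    """Peers with their allowed-address list parsed into ip_network objects."""
    return [{"interface": kv.get("interface"), "comment": kv.get("comment", "?"),
             "endpoint": kv.get("endpoint-address"), "keepalive": kv.get("persistent-keepalive"),
             "allowed": [ipaddress.ip_network(a, strict=False) for a in kv.get("allowed-address", "").split(",") if a]}
            for sec, kv in entries if sec == "/interface wireguard peers"]

def wg_routes(entries):
    """{dst_network: wg_interface} for static routes whose gateway is a WireGuard interface."""
    wg = {kv["name"] for sec, kv in entries if sec == "/interface wireguard" and "name" in kv}
    return {ipaddress.ip_network(kv["dst-address"], strict=False): kv["gateway"]
            for sec, kv in entries if sec == "/ip route" and kv.get("gateway") in wg}

def covered(net, peer):
    """Cryptokey routing: the peer may carry `net` only if one allowed-address entry contains all of it."""
    return any(net.subnet_of(a) for a in peer["allowed"] if a.version == net.version)

def check_site(text):
    """One router's own view: each route into a wg interface must sit inside a peer's allowed-address."""
    entries, findings = parse_export(text), []
    peers = wg_peers(entries)
    for dst, gw in wg_routes(entries).items():
        if not any(p["interface"] == gw and covered(dst, p) for p in peers):
            findings.append(f"route {dst} via {gw}: no peer on {gw} lists it in allowed-address, so WireGuard drops it")
    for p in peers:
        if p["endpoint"] and not p["keepalive"]:
            findings.append(f"peer {p['comment']} on {p['interface']}: has an endpoint but no persistent-keepalive; "
                            "behind NAT the mapping can expire and the other side cannot re-open it")
    return findings

def check_pair(hub_text, branch_text):
    """Hub's view of a branch: the peer covering the branch tunnel address must cover and route its LANs."""
    hub, br = parse_export(hub_text), parse_export(branch_text)
    wg_ifaces = {kv["name"] for sec, kv in br if sec == "/interface wireguard"}
    addrs = [(ipaddress.ip_interface(kv["address"]), kv.get("interface") in wg_ifaces)
             for sec, kv in br if sec == "/ip address" and kv.get("disabled") != "yes"]
    tunnel_ips = [ipaddress.ip_network(str(a.ip)) for a, on_wg in addrs if on_wg]
    peer = next((p for p in wg_peers(hub) if any(covered(ip, p) for ip in tunnel_ips)), None)
    if peer is None:
        return [f"hub has no peer whose allowed-address covers the branch wg address(es) {tunnel_ips}"]
    routes, findings = wg_routes(hub), []
    for lan in (a.network for a, on_wg in addrs if not on_wg):   # the branch's non-tunnel networks
        if not covered(lan, peer):
            findings.append(f"hub peer {peer['comment']}: branch LAN {lan} is missing from allowed-address")
        if routes.get(lan) != peer["interface"]:
            findings.append(f"hub: no static route for branch LAN {lan} via {peer['interface']}")
    return findings

if __name__ == "__main__":
    for name, text in (("hub", HUB_EXPORT), ("branch", BRANCH_EXPORT)):
        print(name, check_site(text))
    print("pair", check_pair(HUB_EXPORT, BRANCH_EXPORT) or "consistent")
```

To use it on real routers, paste each router's `/export` output in place of the sample strings. The check covers only static routes and cryptokey routing; it says nothing about firewall filter or NAT rules, nor about IPsec policies that are still enabled alongside the tunnel, so a clean result narrows the search rather than ending it.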