Hi,
I have had a working Bridge VLAN setup with my Hex for years now and am trying to set up WireGuard now. The connections from the roadwarrior clients are working and I can access the router via https and ssh on all interface IPs (not just the one in the WireGuard network).
Quick rundown of my setup (config and rough diagram attached): External router that connects to the Internet. This is connected at the Hex on eth5 and tagged as VLAN 200. The other VLANs are in part associated to ports and go as trunks to other switches. 2 are also NATed to the 200 VLAN for internet access, the guest VLAN is completely separate. That part is working fine since basically forever.
VLAN 200: 192.168.2.0/24, Router is 192.168.2.1, Hex 192.168.2.2
VLAN 800/900 are 192.168.8.0/24 and .9.0/24 respectively, Hex has .x.2 on each network.
Now I am adding WireGuard for VPN access. Connections from 2 roadwarrior peers are working to the Hex, what is missing is access to the computers beyond the Hex. In future I might also want to add internet access via WireGuard, for now access to the other 3 192.168.x.0 networks is enough.
WireGuard uses the 192.168.253.0/24 network. Hex has 192.168.253.2, clients use .100/101. Firewall is configured to accept and forward packets from the wg interface to the all-VLANs interface group:
Code:
[admin@Hex] /ip/firewall/filter> print
Flags: X - disabled, I - invalid; D - dynamic
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough

 1    ;;; accept wireguard
      chain=input action=accept protocol=udp dst-port=51820 log=no log-prefix=""

 2    ;;; allow WireGuard traffic
      chain=input action=accept src-address=192.168.253.0/24 in-interface=wg-all log=no log-prefix=""

 3    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked

 4    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid

 5    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp log=yes log-prefix="PING"

 6    ;;; forward WireGuard Traffic to all VLans
      chain=forward action=accept in-interface=wg-all out-interface-list=VLAN log=no log-prefix="wg_forward"

 7    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec

 8    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec

 9    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related

10    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked

11    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid

12 X  ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix=""
Ping to the addresses of the Hex directly works, however ping to other IPs does not, nor does it using the RouterOS ping utility from the WireGuard IP:
Code:
[admin@Hex] > /ping address=192.168.2.2 src-address=192.168.253.2
  SEQ HOST                                     SIZE TTL TIME       STATUS
    0 192.168.2.2                                56  64 508us
    1 192.168.2.2                                56  64 498us
    2 192.168.2.2                                56  64 489us
    sent=3 received=3 packet-loss=0% min-rtt=489us avg-rtt=498us max-rtt=508us

[admin@Hex] > /ping address=192.168.2.1 src-address=192.168.253.2
  SEQ HOST                                     SIZE TTL TIME       STATUS
    0 192.168.2.1                                              timeout
    1 192.168.2.1                                              timeout
    2 192.168.2.1                                              timeout
    sent=3 received=0 packet-loss=100%
So what am I doing wrong?
Thanks for your advice
Statistics: Posted by phlinx — Fri Dec 29, 2023 5:59 pm
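A first-match walk over the forward-chain rules from the post, written as an added example (not part of phlinx's post or of RouterOS) to check offline whether the filter is what stops a WireGuard-to-VLAN packet; the VLAN interface names and the membership of the VLAN and WAN interface lists are assumed, since the post names the lists but not their members:

```python
import ipaddress

# Constructed, trimmed copy of the /ip/firewall/filter print output from the
# post (forward chain only), one rule per line.
FILTER_PRINT = """\
0 D ;;; special dummy rule to show fasttrack counters chain=forward action=passthrough
6 ;;; forward WireGuard Traffic to all VLans chain=forward action=accept in-interface=wg-all out-interface-list=VLAN
9 ;;; defconf: fasttrack chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related
11 ;;; defconf: drop invalid chain=forward action=drop connection-state=invalid
12 X ;;; defconf: drop all from WAN not DSTNATed chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
"""
# Assumed interface-list membership: the post names the lists, not their members.
IFACE_LISTS = {"VLAN": {"vlan200", "vlan800", "vlan900"}, "WAN": {"vlan200"}}
SKIP = {"chain", "action", "log", "log-prefix", "hw-offload"}  # not packet matchers
TERMINAL = {"accept", "drop", "reject"}  # passthrough / fasttrack-connection fall through
def parse_rules(text):
    """Return [(index, disabled, {matcher: value})] in print order."""
    rules = []
    for line in text.splitlines():
        head, _, rest = line.partition(";;;")  # flags before the comment, matchers after
        kv = dict(t.split("=", 1) for t in rest.split() if "=" in t)
        flags = head.split()
        rules.append((int(flags[0]), "X" in flags[1:], kv))
    return rules

def _match(key, want, pkt):  # one matcher against one packet; '!' negates as in RouterOS
    neg, want = want.startswith("!"), want.lstrip("!")
    if key.endswith("-list"):  # in-interface-list / out-interface-list
        have = pkt.get(key[:-5]) in IFACE_LISTS.get(want, set())
    elif key not in pkt:
        return False  # rule tests a field the packet does not carry
    elif key in ("src-address", "dst-address"):
        have = ipaddress.ip_address(pkt[key]) in ipaddress.ip_network(want, strict=False)
    else:
        have = pkt[key] in want.split(",")  # e.g. connection-state=established,related
    return have != neg

def first_match(rules, pkt):
    """Walk the packet's chain top to bottom; RouterOS default policy is accept."""
    for idx, disabled, kv in rules:
        if disabled or kv["chain"] != pkt["chain"]:
            continue
        if all(_match(k, v, pkt) for k, v in kv.items() if k not in SKIP):
            if kv["action"] in TERMINAL:
                return idx, kv["action"]
    return None, "accept"

RULES = parse_rules(FILTER_PRINT)
# The post's failing ping: a new flow from a WireGuard peer to the VLAN 200 router (vlan200 assumed).
WG_PING = {"chain": "forward", "src-address": "192.168.253.100", "dst-address": "192.168.2.1",
           "in-interface": "wg-all", "out-interface": "vlan200", "connection-state": "new"}
```

If the walk returns accept for such a packet, the filter rules are not what drops it, and the next things to check are the NAT rules and whether the destination host has a route back to 192.168.253.0/24.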