
Beginner Basics • Wireguard on Android not getting internet

Hello, fellow Mikrotikers! Recently I decided to join the MikroTik community, changing over from Ubiquiti. I'm more of a hobbyist than a professional. So far the setup of my hAP ax3 has been successful, except for the setup of WireGuard. I've been following the guides I've found on the internet.
What I've done:
  • I have a static public IP
  • Set up WireGuard
  • My mobile is able to connect to WireGuard
My issue is that I have no internet once WireGuard is connected on my mobile, and it seems like my Android mobile is unable to resolve DNS.
I've been cracking my head for over 2 days and losing sleep over this. Please help!
Below is my router config
Code:
# 2024-02-17 08:39:20 by RouterOS 7.13.4
# software id = A2BN-0QWI
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = 
/interface bridge
add admin-mac= arp=proxy-arp auto-mac=no comment=defconf \
    name=Bridge port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] name="ether1[WAN]"
/interface wifi
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac \
    configuration.country=Singapore .mode=ap .ssid=Hoooob!-R \
    security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac \
    configuration.country=Singapore .mode=ap .ssid=Hoooob!-R \
    security.authentication-types=wpa2-psk,wpa3-psk
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.1.100-192.168.1.254
/ip dhcp-server
add address-pool=dhcp interface=Bridge lease-time=8h name=defconf
/interface bridge port
add bridge=Bridge comment=defconf interface=ether2 internal-path-cost=10 \
    path-cost=10
add bridge=Bridge comment=defconf interface=ether3 internal-path-cost=10 \
    path-cost=10
add bridge=Bridge comment=defconf interface=ether4 internal-path-cost=10 \
    path-cost=10
add bridge=Bridge comment=defconf interface=ether5 internal-path-cost=10 \
    path-cost=10
add bridge=Bridge comment=defconf interface=wifi1 internal-path-cost=10 \
    path-cost=10
add bridge=Bridge comment=defconf interface=wifi2 internal-path-cost=10 \
    path-cost=10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface list member
add comment=defconf interface=Bridge list=LAN
add comment=defconf interface="ether1[WAN]" list=WAN
add interface=wireguard1 list=LAN
/interface ovpn-server server
set auth=sha512 certificate=server-cert cipher=aes256-cbc,aes256-gcm \
    default-profile=VPN-Profile require-client-certificate=yes tls-version=\
    only-1.2
/interface wireguard peers
add allowed-address=192.168.2.0/24,192.168.1.0/24 comment="to Mobile" \
    interface=wireguard1 persistent-keepalive=10s private-key=\
    "QEViNZIGCLluhnsDDKSsnKkLMg4cLfCZ/OAjx9KNmHk=" public-key=\
    "AivpyqJAhzUujEtpz9yWmW5hE0NMAk61Qiah76OSLVQ="
/ip address
add address=192.168.1.1/24 comment=defconf interface=Bridge network=\
    192.168.1.0
add address=192.168.2.1/24 interface=wireguard1 network=192.168.2.0
/ip dhcp-client
add comment=defconf interface="ether1[WAN]"
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 gateway=\
    192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="Allow wireguard" dst-port=13231 \
    protocol=udp
add action=accept chain=forward comment="Wg to Internet" in-interface=\
    wireguard1 out-interface-list=WAN
add action=accept chain=forward comment="Wg to Lan Traffic" in-interface=\
    wireguard1 out-interface-list=LAN
add action=accept chain=input comment="allow WireGuard Traffic" src-address=\
    192.168.2.0/24
add chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward connection-nat-state=dstnat
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN log=yes
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface=wireguard1
add action=dst-nat chain=dstnat comment=OpenVPN-NAS dst-port=4500 \
    in-interface-list=WAN protocol=udp to-addresses=192.168.1.4 to-ports=4500
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.1.0/24,192.168.2.0/24
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Asia/Singapore
/system logging
add topics=ovpn,info
add topics=ovpn,debug
/system note
set show-at-login=no
/system routerboard settings
set auto-upgrade=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Statistics: Posted by Zazaer — Sat Feb 17, 2024 2:53 am


