
Beginner Basics • Re: WireGuard Handshake issue protonvpn

I think your best option is to reset to the default config and work from there.

Once reset,

You can choose from the following as suits your requirements.
Set up the name for the Router
Set up the password for the Router.
Set up your wireless as required.
/ip services, turn off unneeded services (I rarely use anything but winbox)
/ip firewall service-port, (commonly I disable the SIP ALG)

Note: I don't know this type of LTE unit, I assume you can work your way
around it.

Note: If ether1 is set up as an (unwanted) WAN port, you can attach
ether1 to the bridge and disable the DHCP client.


You could perhaps make a backup of this configuration.

Next:
Set up WireGuard.

Modified from https://protonvpn.com/support/wireguard ... k-routers/
You will likely need to open this URL to make sense of some of the following.

Step 3:
Code:
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard-inet private-key="your private key"
**choose your own listen port**

Step 4: (Take care with this: they are the server, you get 10.2.0.2, they get 10.2.0.1)
Code:
/ip address
add address=10.2.0.2/30 interface=wireguard-inet network=10.2.0.0
Step 5

Add the endpoint address, endpoint port, and public key from the
WireGuard config file. Look for the lines starting PublicKey= and
Endpoint=.
Code:
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=x.x.x.x endpoint-port=xxxxx interface=wireguard-inet persistent-keepalive=25s public-key="your public key"
Step 6

Rather than just applying masquerade, make the interface a WAN interface.
(This both causes it to masquerade and also firewalls it.)
Code:
/interface list member
add interface=wireguard-inet list=WAN
Step 7

Do this later.
Code:
#/ip route
#add disabled=no distance=1 dst-address=0.0.0.0/1 gateway=10.2.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
#add disabled=no distance=1 dst-address=128.0.0.0/1 gateway=10.2.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
Step 8
Code:
/ip dns
set servers=10.2.0.1
In the LTE APN interface configuration, turn off peer-dns.

**Possibly**
Code:
/interface lte apn
set 0 use-peer-dns=no
** Testing **
At this point you should be able to test if WireGuard is working.
(You will only be able to ping 10.2.0.1 (assuming they have set it up to answer pings) and get DNS things from it.)

Turn on the WireGuard interface.
You should, if configured correctly, get tx, rx and a handshake.

Try the following from the mikrotik.
Code:
/ping 10.2.0.1
:put [/resolve google.com server=10.2.0.1]
Try pinging 10.2.0.1 from your laptop.
Do nslookup/dig from the laptop to 10.2.0.1.

** End testing **



Step 9 (Once testing is successful)

Replace x.x.x.x in the following with the endpoint address from the config file (Endpoint=).
Code:
/ip route
add disabled=no dst-address=x.x.x.x/32 gateway=lte1 routing-table=main suppress-hw-offload=no
I assume the above should work correctly, otherwise you may need to play with it a little.

Step 9A (was step 7)
Code:
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/1 gateway=10.2.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=128.0.0.0/1 gateway=10.2.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
Enable the WireGuard interface. (May still be enabled from testing above.)

Then check that a traceroute to x.x.x.x still goes via the main LTE interface.
Code:
/tool traceroute x.x.x.x
Check that a traceroute to 8.8.8.8 goes via the WireGuard interface.
Code:
/tool traceroute 8.8.8.8
Edit: Hopefully near working...

You will still likely need:

/ip firewall mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" \
new-mss=clamp-to-pmtu out-interface=wireguard-inet passthrough=yes protocol=tcp tcp-flags=syn

And perhaps reduce the WireGuard MTU if required.

Statistics: Posted by rplant — Sun Mar 03, 2024 1:45 pm
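The steps in the post above turn the values in a provider's WireGuard .conf file (PrivateKey, Address, DNS, PublicKey, Endpoint) into RouterOS commands by hand. The script below is an added example, not the poster's code and not anything from ProtonVPN or MikroTik: it parses a .conf in that layout and emits the same sequence of commands, then checks the resulting route table the way the two traceroutes in step 9A do (endpoint via the LTE interface, everything else via the tunnel). Assumptions: the sample .conf and both keys are constructed placeholders; the WAN interface is called lte1 and the tunnel wireguard-inet as in the post; the provider gateway is taken to be the first host of the /30 containing the router's address (10.2.0.1 for 10.2.0.2), which is what step 4 states.

```python
"""Generate the RouterOS commands from the post above out of a WireGuard .conf.

Added example, not the forum author's code. Assumptions are marked in comments.
"""
import ipaddress
import re

# Constructed sample in the layout VPN providers use for a WireGuard .conf.
# Both keys are placeholders, not real keys (never paste a real private key into a post).
SAMPLE_CONF = """\
[Interface]
PrivateKey = cHJpdmF0ZS1rZXktcGxhY2Vob2xkZXItMzItYnl0ZXM=
Address = 10.2.0.2/32
DNS = 10.2.0.1

[Peer]
PublicKey = c2VydmVyLXB1YmxpYy1rZXktcGxhY2Vob2xkZXItMzI=
AllowedIPs = 0.0.0.0/0
Endpoint = 203.0.113.10:51820
"""


def parse_wg_conf(text):
    """Parse the INI-style [Interface]/[Peer] sections into nested dicts."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")  # base64 keys end in '=', so split on the first '=' only
        if current is None or not sep:
            raise ValueError(f"malformed line: {raw!r}")
        sections[current][key.strip()] = value.strip()
    return sections


def build_config(conf, wan_iface="lte1", wg_iface="wireguard-inet", listen_port=13231, mtu=1420):
    """Return the RouterOS commands plus the (prefix, gateway) routes they create."""
    iface, peer = conf["Interface"], conf["Peer"]
    addr = ipaddress.ip_interface(iface["Address"].split(",")[0].strip())
    # Step 4 of the post: the provider is the server and owns .1 of the /30, the router gets .2.
    # Assumption: the gateway is the first host of the /30 that contains the router address.
    net = ipaddress.ip_network(f"{addr.ip}/30", strict=False)
    gateway = net.network_address + 1
    if addr.ip == gateway:
        raise ValueError("router address equals the assumed gateway; check who owns .1")
    host, _, port = peer["Endpoint"].rpartition(":")
    try:
        endpoint_ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        # The /32 host route (step 9) needs a literal address. A hostname would have to be
        # resolved first, and that lookup would itself go through the tunnel once the half routes exist.
        raise ValueError(f"Endpoint {host!r} is not an IP literal; resolve it before building the route") from None
    dns = iface.get("DNS", str(gateway)).split(",")[0].strip()
    # Host route to the endpoint via LTE must exist before the two half routes pull everything into the tunnel.
    routes = [(f"{endpoint_ip}/32", wan_iface), ("0.0.0.0/1", str(gateway)), ("128.0.0.0/1", str(gateway))]
    commands = [
        f'/interface wireguard add listen-port={listen_port} mtu={mtu} name={wg_iface} private-key="{iface["PrivateKey"]}"',
        f"/ip address add address={addr.ip}/30 interface={wg_iface} network={net.network_address}",
        f'/interface wireguard peers add allowed-address=0.0.0.0/0 endpoint-address={endpoint_ip} endpoint-port={port} interface={wg_iface} persistent-keepalive=25s public-key="{peer["PublicKey"]}"',
        f"/interface list member add interface={wg_iface} list=WAN",
        f"/ip dns set servers={dns}",
    ]
    commands += [f"/ip route add dst-address={dst} gateway={gw} routing-table=main" for dst, gw in routes]
    commands.append(
        f"/ip firewall mangle add action=change-mss chain=forward new-mss=clamp-to-pmtu "
        f"out-interface={wg_iface} passthrough=yes protocol=tcp tcp-flags=syn"
    )
    return {"gateway": str(gateway), "routes": routes, "commands": commands}


def longest_prefix_match(dst, routes):
    """Gateway RouterOS would pick for dst: the most specific covering prefix (None if none)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


if __name__ == "__main__":
    cfg = build_config(parse_wg_conf(SAMPLE_CONF))
    print("\n".join(cfg["commands"]))
    # Same checks as the two traceroutes in step 9A, done against the route table instead.
    print("endpoint via", longest_prefix_match("203.0.113.10", cfg["routes"]))  # lte1
    print("8.8.8.8 via", longest_prefix_match("8.8.8.8", cfg["routes"]))  # 10.2.0.1
```

The hostname check is the caveat worth keeping: if the provider's Endpoint is a DNS name rather than an address, the /32 route has nothing to point at, and resolving the name after the 0.0.0.0/1 and 128.0.0.0/1 routes are in place would itself try to go through the tunnel that is not up yet.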


