
Beginner Basics • Wireguard setup with Router behind ISP Modem

Hello!
For the past few days I have been trying to set up my new router (hAP ax3) for my home. I don't need anything too complicated for now: just a handful of clients and a few resources I want to access securely from remote. Now I have been trying out the Back-To-Home feature and this works like a charm.
I wanted to try to set it up by myself as I wasn't satisfied with the speed. I think the slow connection of the BTH VPN is caused by going through MikroTik's relay server. This assumption is based on the fact that in the BTH config window the following message is displayed at the bottom: "Router is behind NAT. Remote connection might not work". As mentioned, this does work, even for multiple clients at once. I am really struggling with setting up WireGuard by myself as I just can't understand why I am not able to reach my LAN.
The following represents the topology:
[Image: Screenshot 2024-01-06 215228.png]
My ISP requires the use of their modem, but it is possible to switch it over to a bridge mode which in essence relays everything to my Home Gateway, so my Home Gateway is set up as a DHCP client on the WAN side (eth1).
I would like to be able to access the A network (Home) from B with a WireGuard server running on my Home Gateway, and furthermore I would like to be able to access the resources at home from my mobile phone.
I don't know what I am doing wrong here or what I am missing.
The config of my Home Gateway:
Code:
/interface bridge
add admin-mac=78:9A:18:8C:1A:AC auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40/80mhz configuration.mode=ap .ssid=MySSID-5GHz \
    disabled=no security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40mhz configuration.mode=ap .ssid=MySSID disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk
/interface wireguard
add comment=back-to-home-vpn listen-port=3496 mtu=1420 name=back-to-home-vpn
add comment=wireguard1 listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=wifi1 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=wifi2 internal-path-cost=10 \
    path-cost=10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add comment=wireguard1 interface=wireguard1 list=LAN
/interface wireguard peers
add allowed-address=192.168.216.3/32 comment=\
    "back-to-home-vpn | Phone" interface=back-to-home-vpn \
    persistent-keepalive=5s public-key=\
    "PK"
add allowed-address=192.168.100.2/32 comment="wireguard1 | Phone" \
    interface=wireguard1 public-key=\
    "PK"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.100.1/24 comment=wireguard1 interface=wireguard1 network=\
    192.168.100.0
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=wireguard1 dst-port=13231 log=yes \
    log-prefix="[WG1]" protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid log=yes log-prefix="[DROP-5]"
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log=yes log-prefix="[DROP-8]"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid log=yes log-prefix="[DROP-13]"
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN \
    log=yes log-prefix="[DROP-14]"
/ip firewall nat
add action=masquerade chain=srcnat comment=wireguard1 log=yes log-prefix=\
    "[WG1]" src-address=192.168.100.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" \
    src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" \
    dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=MyTZ
/system identity
set name=HomeGW
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-interface=ether1 filter-port=13231
The WireGuard server is the interface wireguard1, and BTH is running in parallel as I am currently at location B.
I really don't know what to try - I am out of ideas here...
Thank you in advance!

Statistics: Posted by confusedRamen — Sat Jan 06, 2024 11:11 pm
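A small lint script for the WireGuard-relevant parts of a RouterOS export, added here as an example; it is not code from the post above or from MikroTik. It parses the export syntax seen in the post (sections introduced by a "/path" line, "add"/"set" commands, backslash-newline continuations, quoted values) and checks four things a self-hosted WireGuard server needs before anything behind it is reachable: the interface has an /ip address, each peer has an allowed-address inside the tunnel subnet (WireGuard discards inbound packets whose source is not in the peer's allowed addresses), the interface is a member of the LAN interface list the defconf rules key on, and the input-chain accept for the UDP listen port is ordered before the "drop all not coming from LAN" rule, since RouterOS evaluates filter rules top to bottom. SAMPLE_EXPORT is a constructed fragment modelled on the post's config with made-up values, and the function names are this example's own.

```python
"""Lint the WireGuard-related sections of a RouterOS `/export` (added example)."""
import ipaddress
import re
import shlex
from typing import Dict, List, Optional

Entry = Dict[str, str]
Export = Dict[str, List[Entry]]

# Constructed sample export mirroring the structure of the post's config;
# only WireGuard-relevant sections are included and all values are made up.
SAMPLE_EXPORT = r"""
/interface wireguard
add comment=wireguard1 listen-port=13231 mtu=1420 name=wireguard1
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add comment=wireguard1 interface=wireguard1 list=LAN
/interface wireguard peers
add allowed-address=192.168.100.2/32 comment="wireguard1 | Phone" \
    interface=wireguard1 public-key=\
    "PK"
/ip address
add address=192.168.100.1/24 comment=wireguard1 interface=wireguard1 network=\
    192.168.100.0
/ip firewall filter
add action=accept chain=input comment=wireguard1 dst-port=13231 log=yes \
    log-prefix="[WG1]" protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
"""


def parse_export(text: str) -> Export:
    """Parse an export into {section: [entry, ...]}, keeping file order."""
    sections: Export = {}
    current = ""
    # A trailing backslash continues the command on the next (indented) line.
    for line in re.sub(r"\\\n[ \t]*", "", text).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
            continue
        tokens = shlex.split(line)  # honours "quoted values" like comments
        entry: Entry = {"_cmd": tokens[0]}
        for tok in tokens[1:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                entry[key] = value
        sections.setdefault(current, []).append(entry)
    return sections


def _matches_port(rule: Entry, port: str) -> bool:
    """dst-port may be a comma-separated list such as 500,4500."""
    return port in rule.get("dst-port", "").split(",")


def lint(text: str, iface: str) -> List[str]:
    """Return findings for the WireGuard interface; empty list means all checks passed."""
    cfg = parse_export(text)
    findings: List[str] = []
    wg = [e for e in cfg.get("/interface wireguard", []) if e.get("name") == iface]
    if not wg:
        return [f"no /interface wireguard entry named {iface}"]
    port = wg[0].get("listen-port", "")

    # 1. The interface needs an address so the router can route into the tunnel.
    addrs = [e for e in cfg.get("/ip address", []) if e.get("interface") == iface]
    tunnel: Optional[ipaddress._BaseNetwork] = None
    if addrs:
        tunnel = ipaddress.ip_interface(addrs[0]["address"]).network
    else:
        findings.append(f"{iface} has no /ip address")

    # 2. Each peer must own an allowed-address inside the tunnel subnet, or its
    #    packets are discarded by WireGuard's cryptokey routing on arrival.
    for peer in cfg.get("/interface wireguard peers", []):
        if peer.get("interface") != iface or tunnel is None:
            continue
        allowed = [ipaddress.ip_network(a, strict=False)
                   for a in peer.get("allowed-address", "").split(",") if a]
        if not any(a.version == tunnel.version and a.subnet_of(tunnel) for a in allowed):
            findings.append(f"peer {peer.get('comment', '?')}: no allowed-address inside {tunnel}")

    # 3. Membership in LAN makes the defconf input/forward rules treat it as inside.
    lists = {e["list"] for e in cfg.get("/interface list member", [])
             if e.get("interface") == iface}
    if "LAN" not in lists:
        findings.append(f"{iface} is not a member of interface list LAN")

    # 4. Input chain order: the UDP accept for the listen port must come before
    #    the catch-all drop for traffic not arriving from LAN.
    inp = [r for r in cfg.get("/ip firewall filter", []) if r.get("chain") == "input"]
    accept_at = next((i for i, r in enumerate(inp) if r.get("action") == "accept"
                      and r.get("protocol") == "udp" and _matches_port(r, port)), None)
    drop_at = next((i for i, r in enumerate(inp) if r.get("action") == "drop"
                    and "connection-state" not in r
                    and r.get("in-interface-list") in ("!LAN", "WAN")), None)
    if accept_at is None:
        findings.append(f"no input rule accepts udp dst-port {port}")
    elif drop_at is not None and drop_at < accept_at:
        findings.append(f"udp {port} accept is ordered after the drop-from-non-LAN rule")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_EXPORT, "wireguard1") or ["all checks passed"]:
        print(finding)
```

Run it against a real `/export` by reading the file into `lint(text, "wireguard1")`; the checks are structural only (they say nothing about the peer side, DDNS, or the path through the ISP modem), so an empty result rules out the router-side mistakes listed above but nothing else.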