Hey everyone,
As the title suggests, I am having an issue where, when trying to ping / connect to a subnet on a VLAN, the connection tries to go out the WAN, in this case the WG2 connection.
Setup is as follows:
2 WANs
2 WireGuard VPNs
Routing tables set up to route specific traffic out of the WANs; generally WG1/2 are the primary route out
10.20.20.0/24 is the primary LAN
10.21.21.0/24 is the Docker network on VLAN 50
I have set up mangle rules to mark connections so it's easier to track via logging.
I know I am missing something, possibly a firewall rule, but I just can't get my head around what. I would appreciate some other eyes over my config to check it out.
When pinging from the router, I can ping 10.21.21.100 fine
When pinging from 10.20.20.0/24 I get nothing; the firewall rules show it trying to get masqueraded by WG2, and traceroute confirms this.
From 10.21.21.100/24 I can get to the gateway fine, but not into 10.20.20.0/24.
Code:
# 2024-03-07 08:40:39 by RouterOS 7.14
# software id = ###########
# model = C53UiG+5HPaxD2HPaxD
# serial number = #########
/interface bridge
add ingress-filtering=no name=BR1 port-cost-mode=short vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Lan_Out poe-out=off
set [ find default-name=ether2 ] disabled=yes name=ether2-Spare
set [ find default-name=ether3 ] name=ether3-WAN-Spark
set [ find default-name=ether4 ] name=ether4-TRUNK
set [ find default-name=ether5 ] name=ether5-Spare
/interface wireguard
add listen-port=13827 mtu=1420 name=WG-1
add listen-port=13820 mtu=1420 name=WG-2
/interface vlan
add interface=ether4-TRUNK name=v30.wifi vlan-id=30
add interface=ether4-TRUNK name=v40.guest vlan-id=40
add interface=ether4-TRUNK name=v50.docker vlan-id=50
add interface=ether4-TRUNK name=v66.unit vlan-id=66
add interface=ether4-TRUNK name=v99.lan vlan-id=99
/interface list
add name=wan
add name=lan
/ip pool
add name=guest_pool ranges=192.168.40.2-192.168.40.254
add name=docker_pool ranges=10.21.21.2-10.21.21.127
/ip dhcp-server
add address-pool=guest_pool interface=v40.guest name=guest_dhcp
add address-pool=docker_pool interface=v50.docker name=docker_dhcp
/ip smb users
set [ find default=yes ] disabled=yes
/routing table
add disabled=no fib name=spark
add disabled=no fib name=WG
add disabled=no fib name=WG-2
add disabled=no fib name=unit
/interface bridge port
add bridge=BR1 interface=ether5-Spare internal-path-cost=10 path-cost=10
add bridge=BR1 interface=AC_2.4 internal-path-cost=10 path-cost=10
add bridge=BR1 interface=AX_5 internal-path-cost=10 path-cost=10
add bridge=BR1 disabled=yes interface=temp
add bridge=BR1 interface=ether1-Lan_Out
add bridge=BR1 interface=v30.wifi
add bridge=BR1 interface=v99.lan
/ip firewall connection tracking
set tcp-established-timeout=1h tcp-syn-received-timeout=10s tcp-syn-sent-timeout=10s udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=lan
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set max-neighbor-entries=15360
/interface list member
add interface=BR1 list=lan
add interface=WG-1 list=wan
add interface=WG-2 list=wan
add interface=ether3-WAN-Spark list=wan
add interface=v66.unit list=wan
/interface wireguard peers
add allowed-address=0.0.0.0/0 client-listen-port=51621 comment=150 endpoint-address=123.123.123.123 endpoint-port=51820 interface=WG-1 persistent-keepalive=26s public-key="%%%%%%%%%%%%%%%%%%%%%%%%%%"
add allowed-address=0.0.0.0/0 client-listen-port=51825 comment=225 endpoint-address=123.123.123.123 endpoint-port=51820 interface=WG-2 persistent-keepalive=25s public-key="%%%%%%%%%%%%%%%%%%%%%%%"
/ip address
add address=10.20.20.1/24 interface=BR1 network=10.20.20.0
add address=192.168.10.10/24 comment=WAN1 interface=ether3-WAN-Spark network=192.168.10.0
add address=10.2.0.2/30 interface=WG-1 network=10.2.0.0
add address=10.3.0.2/30 interface=WG-2 network=10.3.0.0
add address=192.168.88.100/24 interface=v66.unit network=192.168.88.0
add address=192.168.40.1/24 interface=v40.guest network=192.168.40.0
add address=10.21.21.1/24 interface=v50.docker network=10.21.21.0
/ip dhcp-server
add address-pool=primary_pool interface=BR1 lease-time=1d name=primary_dhcp
/ip dhcp-server network
add address=10.20.20.0/24 comment=Main_DHCP dns-server=10.20.20.6,10.20.20.7 gateway=10.20.20.1
add address=10.21.21.0/24 comment="Docker DHCP" dns-server=10.21.21.1 gateway=10.21.21.1
add address=192.168.40.0/24 dns-server=192.168.40.1,1.0.0.1 gateway=192.168.40.1
/ip dns
set allow-remote-requests=yes doh-timeout=10s max-udp-packet-size=512 use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static
add address=1.1.1.1 name=cloudflare-dns.com
/ip firewall address-list
add address=10.20.20.0/24 list=trusted_admin
add address=10.20.20.161 comment=Book list=my_devices
add address=10.20.20.162 comment=Max list=my_devices
add address=10.20.20.7 comment="PiHole Wireguard" list=my_devices
add address=10.20.20.69 comment=nvr list=blocked_wan
add address=10.20.20.136 comment=reolink list=blocked_wan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix=FI_D_Invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp src-address-list=trusted_admin
add action=accept chain=input comment="defconf: allow admin to router" in-interface-list=lan log=yes log-prefix=FI_A_Lan
add action=accept chain=input comment="defconf: allow admin to router" in-interface=v50.docker log=yes log-prefix=FI_A_Docker
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Allow lan DNS queries-UDP and NTP services" dst-port=53,123 in-interface-list=lan log-prefix=DNS>> protocol=udp
add action=accept chain=input comment="Allow lan DNS queries - TCP" dst-port=53 in-interface-list=lan log-prefix=TCPDNS>> protocol=tcp
add action=drop chain=input comment="drop all else" log=yes log-prefix=FI_D_Other
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix=FF_D_Invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=lan out-interface-list=wan
add action=accept chain=forward comment="Docker Accept" in-interface=v50.docker log=yes log-prefix=FF_A_BR1-DOCKER src-address-list=my_devices
add action=accept chain=forward comment="Guest Out" in-interface=v40.guest out-interface=v66.unit
add action=accept chain=forward comment="allow WG traffic" in-interface-list=lan log=yes log-prefix=FF_A_145 out-interface=WG-1
add action=accept chain=forward comment="allow WG traffic" in-interface-list=lan log=yes log-prefix=FF_A_221 out-interface=WG-2
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat log=yes log-prefix=FF_A_PortFwd
add action=drop chain=forward comment="drop all else" log=yes log-prefix=FF_D_Other
/ip firewall mangle
add action=mark-connection chain=prerouting comment="Spark Mark" connection-mark=no-mark in-interface=ether3-WAN-Spark new-connection-mark=spark_conn passthrough=yes
add action=mark-connection chain=postrouting connection-mark=no-mark new-connection-mark=spark_conn out-interface=ether3-WAN-Spark passthrough=yes
add action=mark-connection chain=prerouting comment="1WG Mark" connection-mark=no-mark in-interface=WG-1 new-connection-mark=1_WG_conn passthrough=yes
add action=mark-connection chain=postrouting connection-mark=no-mark new-connection-mark=1_WG_conn out-interface=WG-1 passthrough=yes
add action=mark-connection chain=prerouting comment="2WG Mark" connection-mark=no-mark in-interface=WG-2 new-connection-mark=2_WG_conn passthrough=yes
add action=mark-connection chain=postrouting connection-mark=no-mark new-connection-mark=2_WG_conn out-interface=WG-2 passthrough=yes
add action=mark-connection chain=prerouting comment="2D Mark" connection-mark=no-mark in-interface=ether2-Spare new-connection-mark=2d_conn passthrough=yes
add action=mark-connection chain=postrouting connection-mark=no-mark new-connection-mark=2d_conn out-interface=ether2-Spare passthrough=yes
add action=mark-connection chain=prerouting comment="wg Mark" connection-mark=no-mark in-interface=v66.unit new-connection-mark=unit_conn passthrough=yes
add action=mark-connection chain=postrouting comment="wg Mark" connection-mark=no-mark new-connection-mark=unit_conn out-interface=v66.unit passthrough=yes
add action=mark-routing chain=prerouting comment="Spark Return Mark" connection-mark=spark_conn disabled=yes in-interface-list=lan log-prefix=ServReturn>> new-routing-mark=spark passthrough=yes
add action=mark-routing chain=prerouting comment="2D Return Mark" connection-mark=2d_conn disabled=yes in-interface-list=lan log-prefix=ServReturn>> new-routing-mark=main passthrough=yes
add action=mark-routing chain=prerouting comment="WG Return Mark" connection-mark=wg_conn disabled=yes in-interface=*C log-prefix=WGReturn>> new-routing-mark=WG passthrough=yes
add action=mark-routing chain=output comment="Spark Return Traffic" connection-mark=spark_conn disabled=yes log-prefix=Spark-R>> new-routing-mark=spark passthrough=no
add action=mark-routing chain=output comment="2D Return Traffic" connection-mark=2d_conn disabled=yes log-prefix=2DReturn>> new-routing-mark=*401 passthrough=no
add action=mark-routing chain=output comment="WG Return Traffic" connection-mark=wg_conn disabled=yes log-prefix=WGReturn>> new-routing-mark=WG passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="MASQ Unit" log=yes log-prefix=NS_M_Unit out-interface=v66.unit
add action=masquerade chain=srcnat comment="MASQ Spark" connection-mark=spark_conn log=yes log-prefix=NS_M_Spark out-interface=ether3-WAN-Spark
add action=masquerade chain=srcnat comment="MASQ WG45" log=yes log-prefix=NS_M_WG1 out-interface=WG-1
add action=masquerade chain=srcnat comment="MASQ WG21" log=yes log-prefix=NS_M_WG2 out-interface=WG-2
/ip pool
add name=primary_pool next-pool=primary_pool ranges=10.20.20.224/28
/ip route
add comment=WAN1 disabled=no distance=5 dst-address=0.0.0.0/0 gateway=192.168.10.254 pref-src="" routing-table=spark scope=30 suppress-hw-offload=no target-scope=10
add comment=PrimaryRoute disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.10.254 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="WG 145" disabled=no distance=5 dst-address=0.0.0.0/0 gateway=10.2.0.1 pref-src="" routing-table=WG scope=30 suppress-hw-offload=no target-scope=10
add comment="WG 221" disabled=no distance=5 dst-address=0.0.0.0/0 gateway=10.3.0.1 pref-src="" routing-table=WG-2 scope=30 suppress-hw-offload=no target-scope=10
add comment=UNIT_WAN disabled=no distance=5 dst-address=0.0.0.0/0 gateway=192.168.88.1 pref-src="" routing-table=unit scope=30 suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=192.168.10.0/24 gateway=192.168.10.254 pref-src="" routing-table=WG-2 scope=30 suppress-hw-offload=no target-scope=10
/routing rule
add action=lookup-only-in-table comment="Unit WG2" disabled=no dst-address=123.123.123.123/32 table=unit
add action=lookup-only-in-table comment="Unit WG1" disabled=no dst-address=123.123.123.123/32 table=unit
add action=lookup comment=IoT disabled=no src-address=10.20.20.128/27 table=WG-2
add action=lookup comment=Personal disabled=no src-address=10.20.20.160/27 table=WG-2
add action=lookup comment=TurtGamer disabled=no src-address=10.20.20.220/32 table=unit
add action=lookup comment="Gaming " disabled=no src-address=10.20.20.192/27 table=WG
add action=lookup comment=DHCP disabled=no src-address=10.20.20.224/28 table=unit
add action=lookup comment=SPare disabled=no src-address=10.20.20.240/28 table=WG
add action=lookup comment=GUEST_DHCP disabled=no src-address=192.168.40.0/24 table=unit
add action=lookup comment=Docker disabled=no src-address=10.21.21.0/24 table=WG-2
/system clock
set time-zone-name=Pacific/Auckland
/system identity
set name=AtlasV2
/system logging
set 0 topics=info,!firewall
add action=Splunk prefix=MikroTik topics=!packet,!debug,!snmp
add topics=script
add action=MinervaSyslog disabled=yes prefix=MikroTik topics=!packet,!debug,!snmp
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=101.100.146.146
add address=202.68.92.244
add address=43.252.70.34
add address=162.159.200.123
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=lan
/tool mac-server mac-winbox
set allowed-interface-list=lan
/tool sniffer
set filter-interface=v66.unit streaming-enabled=yes streaming-server=10.20.20.10:5555
Statistics: Posted by FlippinTurt — Wed Mar 06, 2024 10:22 pm
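Editor's added example (not from the post above or from MikroTik): a small Python model of how RouterOS v7 policy routing rules pick a table, fed with the /routing rule and /ip route entries from the posted export. It assumes (modelled, not quoted from documentation) that rules are evaluated top to bottom, that a matching `lookup` rule falls through to the next rule when its table has no route for the destination, that `lookup-only-in-table` stops at its table, that the main table is used when no rule decides, and that connected routes live only in main while each `/ip route ... routing-table=X` entry exists only in table X. Under those assumptions the `src-address=10.21.21.0/24 table=WG-2` and `src-address=10.20.20.160/27 table=WG-2` rules send inter-VLAN traffic to the WG-2 table, whose only route is the 0.0.0.0/0 via 10.3.0.1, which is the "masqueraded by WG2" symptom the post describes. The FIXED_RULES list adds two hypothetical destination-based rules for the local subnets in front of the source-based ones.

```python
"""Model of RouterOS v7 routing-rule evaluation applied to the posted config.

Editor's illustration, not code from the post.  Rule semantics are an
assumption of this model: top-to-bottom evaluation, `lookup` falls through
when its table has no matching route, `lookup-only-in-table` does not, and
main is consulted when no rule decides.
"""
from ipaddress import ip_address, ip_network

# Tables as implied by the post's /ip address (connected, main only) and
# /ip route (routing-table=X) sections; only the entries relevant to the two
# subnets in the question are kept.
TABLES = {
    "main": [
        ("10.20.20.0/24", "BR1"),          # connected
        ("10.21.21.0/24", "v50.docker"),   # connected
        ("10.3.0.0/30", "WG-2"),           # connected
        ("0.0.0.0/0", "192.168.10.254"),   # comment=PrimaryRoute
    ],
    "WG-2": [("0.0.0.0/0", "10.3.0.1")],        # comment="WG 221"
    "WG": [("0.0.0.0/0", "10.2.0.1")],          # comment="WG 145"
    "unit": [("0.0.0.0/0", "192.168.88.1")],    # comment=UNIT_WAN
    "spark": [("0.0.0.0/0", "192.168.10.254")], # comment=WAN1
}

# /routing rule entries from the post, in the order listed.
# 123.123.123.123 is the placeholder endpoint address the poster used.
RULES = [
    dict(dst="123.123.123.123/32", action="lookup-only-in-table", table="unit"),
    dict(dst="123.123.123.123/32", action="lookup-only-in-table", table="unit"),
    dict(src="10.20.20.128/27", action="lookup", table="WG-2"),   # IoT
    dict(src="10.20.20.160/27", action="lookup", table="WG-2"),   # Personal
    dict(src="10.20.20.220/32", action="lookup", table="unit"),   # TurtGamer
    dict(src="10.20.20.192/27", action="lookup", table="WG"),     # Gaming
    dict(src="10.20.20.224/28", action="lookup", table="unit"),   # DHCP
    dict(src="10.20.20.240/28", action="lookup", table="WG"),     # SPare
    dict(src="192.168.40.0/24", action="lookup", table="unit"),   # GUEST_DHCP
    dict(src="10.21.21.0/24", action="lookup", table="WG-2"),     # Docker
]

# Hypothetical fix (editor's suggestion): resolve the two local subnets in
# main before any per-source policy rule can fire.
FIXED_RULES = [
    dict(dst="10.20.20.0/24", action="lookup", table="main"),
    dict(dst="10.21.21.0/24", action="lookup", table="main"),
] + RULES


def table_lookup(table, dst):
    """Longest-prefix match in one table; None when the table has no route."""
    best = None
    for prefix, nexthop in TABLES.get(table, []):
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return None if best is None else best[1]


def route(src, dst, rules):
    """Return the next hop / interface the modelled router would use."""
    src, dst = ip_address(src), ip_address(dst)
    for r in rules:
        if "src" in r and src not in ip_network(r["src"]):
            continue
        if "dst" in r and dst not in ip_network(r["dst"]):
            continue
        hop = table_lookup(r["table"], dst)
        if hop is not None:
            return hop
        if r["action"] == "lookup-only-in-table":
            return None   # modelled as: no route, packet not forwarded
    return table_lookup("main", dst)


if __name__ == "__main__":
    for s, d in [("10.21.21.100", "10.20.20.50"), ("10.20.20.161", "10.21.21.100")]:
        print(f"{s} -> {d}: as posted via {route(s, d, RULES)}, "
              f"with local-first rules via {route(s, d, FIXED_RULES)}")
```

In RouterOS terms the two added entries correspond to `/routing rule add dst-address=10.20.20.0/24 action=lookup table=main` and the same for 10.21.21.0/24, placed above the src-address rules. Note that the routing fix alone would not make the ping succeed with the filter as posted: the forward chain's "Docker Accept" rule matches only packets entering from v50.docker with a source in my_devices (10.20.20.x addresses), and v50.docker is in neither the lan nor the wan interface list, so BR1-to-v50.docker traffic still falls through to "drop all else" (log prefix FF_D_Other) until an explicit forward rule permits it.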