On Sat, 2023-10-14 at 12:11 +1100, Roger Plant wrote:
Well that was entertaining.
One niggle left. I'm not sure if it's operationally relevant, but it's annoying that I can't figure it out. BTW this setup doesn't involve Starlink (it will eventually).

Basically I cannot ping one end of the Wireguard link from the other end. I can ping each LAN from the LAN at the other end of the Wireguard VPN. I can ping each router's LAN address from the router at the other end of the VPN. But I cannot ping one router's Wireguard address (the address on its Wireguard interface) from the other router. I get "host unreachable" when I try (or timeouts, see below).

Server (LAN is 192.168.102.0/24):
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

/ip address print
[...]
1 192.168.102.1/24 192.168.102.0 e2-master
3 192.168.16.1/24 192.168.16.0 wg0

/ip route print
0 As 192.168.1.0/24 192.168.16.3 1
DAc 192.168.16.0/24 wg0 0

wg0 allowed-address=192.168.1.0/24

Client (LAN is 192.168.1.0/24):
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

/ip address print
[...]
1 192.168.1.1/24 192.168.1.0 bridge
5 192.168.16.3/24 192.168.16.0 wg0

/ip route print
DAc 192.168.16.0/24 wg0 0
0 As 192.168.102.0/24 192.168.16.1 1

wg0 allowed-address=192.168.102.0/24

Hope I haven't elided too much.

The error message attempting to ping the client end (192.168.16.3) from the server end is:

0 161 (No error information)
0 192.168.16.1 84 64 2ms93us host unreachable

The error message attempting to ping the server end (192.168.16.1) from the client end is:

0 126 (No error information)
0 192.168.16.3 84 64 494us host unreachable

There's an added wrinkle. Both client and server have an additional peer configured. These have been disabled and the system configured to be that peer is not running (or at least is physically unreachable). If I enable that other peer on the server, the error when I try to ping the client from the server changes to a straight timeout. That feels like it should be a clue, but to what I am not sure. If I enable the one on the client, the error when I try to ping the server does not change.
If I add ",192.168.16.0/24" to the allowed-address on each end, I get a timeout in both directions (i.e., only the behaviour on the client end changes, from the error 126 to a timeout).

Regards, K.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer@nullarbor.com.au)   work +61 2 64957435
http://www.nullarbor.com.au          mobile +61 428 957160
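The setting the post is varying, allowed-address, is WireGuard's cryptokey routing table: on the way out, a packet is only handed to a peer whose allowed-address covers its destination, and on the way in, a decrypted packet is only accepted if its source lies inside that peer's allowed-address. The following model, added here as an illustration and not part of the email or of RouterOS, walks an echo request and its reply through both checks using the addresses from the post (the disabled extra peers are left out of it).

```python
import ipaddress

# Constructed from the email: each router's wg0 address and its one enabled
# peer with that peer's allowed-address (the disabled extra peer is left out).
SERVER = {"wg": "192.168.16.1", "peers": {"client": ["192.168.1.0/24"]}}
CLIENT = {"wg": "192.168.16.3", "peers": {"server": ["192.168.102.0/24"]}}


def select_peer(router, dst):
    """Egress cryptokey routing: the peer whose allowed-address contains dst
    (longest prefix wins); None means WireGuard has no peer to send it to."""
    dst, best = ipaddress.ip_address(dst), None
    for name, nets in router["peers"].items():
        for net in map(ipaddress.ip_network, nets):
            if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (name, net)
    return best[0] if best else None


def accept_inbound(router, peer, src):
    """Ingress cryptokey routing: a packet decrypted from `peer` is dropped
    unless its source address lies inside that peer's allowed-address."""
    return any(ipaddress.ip_address(src) in ipaddress.ip_network(n)
               for n in router["peers"][peer])


def trace(a, b, b_name, a_name, src, dst):
    """Follow an echo request src->dst from router a to router b and the
    reply back; b_name is b's entry in a's peer list, a_name the reverse."""
    if select_peer(a, dst) != b_name:
        return "request: no peer on %s allows %s" % (a["wg"], dst)
    if not accept_inbound(b, a_name, src):
        return "request: %s rejects source %s" % (b["wg"], src)
    if select_peer(b, src) != a_name:
        return "reply: no peer on %s allows %s" % (b["wg"], src)
    if not accept_inbound(a, b_name, dst):
        return "reply: %s rejects source %s" % (a["wg"], dst)
    return "ok"


def add_allowed(router, extra):
    """Copy of router with `extra` appended to every peer's allowed-address."""
    return {"wg": router["wg"],
            "peers": {k: v + [extra] for k, v in router["peers"].items()}}


if __name__ == "__main__":
    # router LAN address to router LAN address passes; wg0 to wg0 does not
    print(trace(SERVER, CLIENT, "client", "server", "192.168.102.1", "192.168.1.1"))
    print(trace(SERVER, CLIENT, "client", "server", SERVER["wg"], CLIENT["wg"]))
    s2, c2 = add_allowed(SERVER, "192.168.16.0/24"), add_allowed(CLIENT, "192.168.16.0/24")
    print(trace(s2, c2, "client", "server", s2["wg"], c2["wg"]))
```

With 192.168.16.0/24 added on both ends the model returns "ok", so whatever produces the timeout reported after that change is not a cryptokey-routing drop.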