Hi,

It all looks pretty well ok I think. My new guess is that there may still be some ipsec policies and settings configured. Requiring traffic from X to Y be tunnelled with ipsec. Hopefully :)

Regards
Roger

From: Karl Auer <kauer@nullarbor.com.au>
To: MikroTik Australia Public List <public@talk.mikrotik.com.au>
Date sent: Wed, 18 Oct 2023 14:15:08 +1100
Organization: Nullarbor Consulting pty Ltd
Subject: Re: [MT-AU Public] Mikrotik and Starlink
Send reply to: kauer@nullarbor.com.au, MikroTik Australia Public List <public@talk.mikrotik.com.au>

On Mon, 2023-10-16 at 11:00 +1100, Karl Auer wrote:
> it worked.

I spoke too soon.

I can ping addresses in each connected LAN from the router at the other end of the wireguard link. But I cannot ping LAN-to-LAN (or make other connections LAN-to-LAN).

Sniffing shows the pings from a LAN-connected device are arriving at the local router interface (e.g. wlan1 or ether3), but getting no response. Sniffing the wireguard interface shows those pings are not arriving there, i.e. they are not getting from the ingress interface to wg0. For pings sent from the router itself, sniffing shows those pings do arrive at the wireguard interface.

Experimentally I allowed all traffic on the input, output and forward chains on both ends; this made no difference.

I'm stumped.

Server end:

/interface wireguard
add comment="wireguard interface" listen-port=14149 mtu=1420 name=wg0
/interface wireguard peers
add allowed-address=192.168.103.0/24,192.168.16.0/24 comment="X" \
    interface=wg0 persistent-keepalive=30s public-key=\
    "KpVHU/XirostgcJMFXXXXXXXXXXsVJi58VBkueYLW24="

Routes:

  #      DST-ADDRESS       GATEWAY         DISTANCE
  DAd    0.0.0.0/0         99.85.36.1      1
  DAc    99.85.36.0/22     e1-uplink       0
  0 As   192.168.1.0/24    192.168.16.3    1
  DAc    192.168.16.0/24   wg0             0
  DIcH   192.168.88.0/24   e5-management   0
  DAc    192.168.102.0/24  bridge-local    0
  1 As   192.168.103.0/24  192.168.16.2    1

Addresses (LAN is 102):

  #      ADDRESS           NETWORK         INTERFACE
  0      192.168.88.1/24   192.168.88.0    e5-management
  1      192.168.102.1/24  192.168.102.0   e2-master
  2 D    99.85.38.31/22    99.85.36.0      e1-uplink
  3      192.168.16.1/24   192.168.16.0    wg0

Client (Starlink) end:

/interface wireguard
add comment="wireguard interface" listen-port=27547 mtu=1420 name=wg0
/interface wireguard peers
add allowed-address=192.168.102.0/24,192.168.16.0/24 comment="Y" \
    endpoint-address=99.85.38.31 endpoint-port=14149 interface=wg0 \
    persistent-keepalive=30s public-key=\
    "ZWxg5TXKRJ3zaHS7oXXXXXXXXXXpJmCdNxLirHwQsHM="

Routes:

  #      DST-ADDRESS       GATEWAY         DISTANCE
  DAd    0.0.0.0/0         192.168.1.1     1
  DAc    192.168.1.0/24    e1-uplink       0
  DAc    192.168.16.0/24   wg0             0
  DIcH   192.168.88.0/24   e5-management   0
  0 As   192.168.102.0/24  192.168.16.1    1
  DAc    192.168.103.0/24  bridge-local    0

Addresses (LAN is 103.0/24):

  #      ADDRESS           NETWORK         INTERFACE
  0      192.168.88.1/24   192.168.88.0    e5-management
  1      192.168.103.1/24  192.168.103.0   e2-master
  2      192.168.16.2/24   192.168.16.0    wg0
  3 D    192.168.1.21/24   192.168.1.0     e1-uplink

Regards, K.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer@nullarbor.com.au)        work   +61 2 64957435
http://www.nullarbor.com.au               mobile +61 428 957160

_______________________________________________
Public mailing list
Public@talk.mikrotik.com.au
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au

----------------------------
Roger Plant
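Neither message checks whether the two WireGuard configs actually agree with each other, so here is an added example (my code, not Karl's, Roger's or MikroTik's) that models the two conditions a LAN-to-LAN packet must meet on the sending router before it can leave wg0: a static route whose gateway is the peer's wg0 address, and a peer allowed-address that covers the destination (WireGuard's cryptokey routing), plus the mirror check for the return path. The dictionaries are constructed from the configs and route tables quoted above; the function name and the dictionary layout are mine. Run on Karl's two sides it finds the site-to-site routing consistent in both directions and flags only the server's 192.168.1.0/24 route via 192.168.16.3, a gateway that no peer holds, which supports looking outside routing (firewall, mangle, or leftover IPsec policies as Roger suggests) for the missing forward to wg0.

```python
import ipaddress

# Constructed from the two configs quoted in the thread. "server" is the fixed-IP end,
# "client" the Starlink end. "routes" lists only the static (As) routes; connected
# routes are implied by the addresses. "allowed" is the peer's allowed-address list.
SERVER = {
    "name": "server",
    "wg_address": "192.168.16.1/24",
    "lans": ["192.168.102.0/24"],
    "allowed": ["192.168.103.0/24", "192.168.16.0/24"],
    "routes": [("192.168.1.0/24", "192.168.16.3"),
               ("192.168.103.0/24", "192.168.16.2")],
}

CLIENT = {
    "name": "client",
    "wg_address": "192.168.16.2/24",
    "lans": ["192.168.103.0/24"],
    "allowed": ["192.168.102.0/24", "192.168.16.0/24"],
    "routes": [("192.168.102.0/24", "192.168.16.1")],
}


def _covered(net, allowed_list):
    """True when `net` lies inside at least one allowed-address prefix of the same family."""
    return any(net.subnet_of(a) for a in allowed_list if a.version == net.version)


def check_site_to_site(local, remote):
    """Return findings for LAN-to-LAN traffic leaving `local` towards the LANs behind `remote`.

    An empty list means the static routes and the cryptokey routing on `local`, and the
    return-path allowed-address on `remote`, are consistent. Run it in both directions.
    """
    findings = []
    wg_net = ipaddress.ip_interface(local["wg_address"]).network
    remote_wg = ipaddress.ip_interface(remote["wg_address"]).ip
    allowed = [ipaddress.ip_network(a) for a in local["allowed"]]
    remote_allowed = [ipaddress.ip_network(a) for a in remote["allowed"]]

    for lan in remote["lans"]:
        lan_net = ipaddress.ip_network(lan)
        # Cryptokey routing: a packet whose destination matches no peer's allowed-address
        # is dropped at wg0 even when a route delivers it there.
        if not _covered(lan_net, allowed):
            findings.append(f"{local['name']}: {lan} is not covered by any allowed-address")
        # Kernel routing: the remote LAN needs a route whose gateway is the peer's wg address.
        gateways = [gw for dst, gw in local["routes"] if ipaddress.ip_network(dst) == lan_net]
        if not gateways:
            findings.append(f"{local['name']}: no route for {lan}")
        for gw in gateways:
            if ipaddress.ip_address(gw) != remote_wg:
                findings.append(f"{local['name']}: route {lan} via {gw}, "
                                f"but the peer's wg address is {remote_wg}")

    # A route whose gateway is inside the wg subnet but is not the peer's address is dead:
    # no peer will answer for it, so that destination is blackholed at wg0.
    for dst, gw in local["routes"]:
        gw_ip = ipaddress.ip_address(gw)
        if gw_ip in wg_net and gw_ip != remote_wg:
            findings.append(f"{local['name']}: route {dst} via {gw}: no peer holds {gw}")

    # Return path: the remote end must list our LANs in its allowed-address or replies never leave.
    for lan in local["lans"]:
        if not _covered(ipaddress.ip_network(lan), remote_allowed):
            findings.append(f"{remote['name']}: return traffic to {lan} is not in allowed-address")

    return findings


if __name__ == "__main__":
    for src, dst in ((SERVER, CLIENT), (CLIENT, SERVER)):
        for line in check_site_to_site(src, dst) or [f"{src['name']} -> {dst['name']}: consistent"]:
            print(line)
```

When both directions come back clean, the routing table is not what is stopping the forward to wg0, and the next things to inspect on RouterOS are the firewall filter and mangle rules and `/ip ipsec policy print`, which lists any policy still requiring traffic between the two LANs to be tunnelled with IPsec.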