howdey57
Member Candidate
Topic Author
Posts: 127
Joined: Wed Dec 31, 2014 2:36 pm

Wireguard and, I think, DNS

Fri Apr 05, 2024 10:39 am

I have a frustrating situation. I have a working WireGuard connection between the UK and France, except that when I use Routing to push some clients through the VPN, those clients cannot see particular websites (e.g. bbc.co.uk, bbc.com). If I don't use Routing, those clients can see those sites (e.g. bbc.com). Also, when trying to start Webex conference calls with the Routing turned on, it takes about 3 minutes to start the call.

The thing I suspect is that the DNS is not working - should it be using local (French) DNS, or remote (UK) DNS?

It would be great if someone could have a look at the French config here:
# 2024-04-05 09:18:50 by RouterOS 7.14.1
#
# model = C52iG-5HaxD2HaxD
/interface bridge add name=bridge_guest_67
/interface bridge add admin-mac=48:A9:8A:C7:F6:8E auto-mac=no comment=defconf name=bridge_main_65
/interface ethernet set [ find default-name=ether1 ] mac-address=CC:2D:E0:EB:1D:79 poe-out=off
/interface ethernet set [ find default-name=ether4 ] disabled=yes
/interface wifi set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=10min-cac .width=20/40/80mhz configuration.mode=ap .ssid=athome datapath.bridge=bridge_main_65 disabled=no name=wifi1_athome_5GHz security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
/interface wifi set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=10min-cac .width=20/40mhz configuration.mode=ap .ssid=athome datapath.bridge=bridge_main_65 disabled=no name=wifi2_athome_2GHz security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
/interface wireguard add listen-port=xx mtu=1420 name=Wireguard
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/interface wifi security add authentication-types=wpa2-psk,wpa3-psk connect-priority=0 disabled=no name=security_athome
/interface wifi security add authentication-types=wpa2-psk,wpa3-psk disabled=no name=security_athome_guest
/interface wifi configuration add disabled=no name=cfg_athome security=security_athome ssid=athome
/interface wifi configuration add disabled=no name=cfg_athome_guest security=security_athome_guest ssid=athome_guest
/interface wifi add configuration=cfg_athome_guest configuration.mode=ap datapath.bridge=bridge_guest_67 disabled=no mac-address=4A:A9:8A:C7:F6:92 master-interface=wifi1_athome_5GHz name=wifi3_athome_guest_5GHz
/ip pool add name=default-dhcp ranges=192.168.65.10-192.168.65.254
/ip pool add name=pool_guest_67 ranges=192.168.67.10-192.168.67.254
/ip dhcp-server add address-pool=default-dhcp interface=bridge_main_65 lease-time=2m name=defconf
/ip dhcp-server add address-pool=pool_guest_67 interface=bridge_guest_67 lease-time=10m name=dhcp_guest
/routing table add disabled=no fib name=use-WG
/interface bridge port add bridge=bridge_main_65 comment=defconf interface=ether2
/interface bridge port add bridge=bridge_main_65 comment=defconf interface=ether3
/interface bridge port add bridge=bridge_main_65 comment=defconf interface=ether4
/interface bridge port add bridge=bridge_main_65 comment=defconf interface=ether5
/interface bridge port add bridge=bridge_main_65 comment=defconf interface=wifi1_athome_5GHz
/interface bridge port add bridge=bridge_main_65 comment=defconf interface=wifi2_athome_2GHz
/interface bridge port add bridge=bridge_guest_67 interface=wifi3_athome_guest_5GHz
/ip neighbor discovery-settings set discover-interface-list=LAN
/interface list member add comment=defconf interface=bridge_main_65 list=LAN
/interface list member add comment=defconf interface=ether1 list=WAN
/interface list member add interface=Wireguard list=LAN
/interface list member add interface=bridge_guest_67 list=LAN
/interface wifi access-list add action=accept comment="Pixel 7" disabled=no mac-address=24:95:2F:4F:6D:DE signal-range=0 time=0s-0s
/interface wireguard peers add allowed-address=0.0.0.0/0 endpoint-address=xxx endpoint-port=xx interface=Wireguard persistent-keepalive=25s public-key=""
/ip address add address=192.168.65.1/24 comment=defconf interface=bridge_main_65 network=192.168.65.0
/ip address add address=10.64.0.3/24 interface=Wireguard network=10.64.0.0
/ip address add address=192.168.67.1/24 interface=bridge_guest_67 network=192.168.67.0
/ip dhcp-client add comment=defconf interface=ether1
/ip dhcp-server lease add address=192.168.65.23 client-id=1:10:3d:1c:e8:5f:d0 comment="T14" mac-address=10:3D:1C:E8:5F:D0 server=defconf
/ip dhcp-server lease add address=192.168.65.30 client-id=1:24:95:2f:4f:6d:de comment="Pixel-7 " mac-address=24:95:2F:4F:6D:DE server=defconf
/ip dhcp-server lease add address=192.168.65.240 client-id=1:cc:2d:e0:eb:1d:79 mac-address=CC:2D:E0:EB:1D:79 server=defconf
/ip dhcp-server network add address=192.168.65.0/24 comment=defconf dns-server=192.168.65.1,9.9.9.9,149.112.112.112 gateway=192.168.65.1
/ip dhcp-server network add address=192.168.67.0/24 dns-server=9.9.9.9,149.112.112.112 gateway=192.168.67.1
/ip dns set allow-remote-requests=yes servers=8.8.8.8,149.112.112.112
/ip firewall address-list add address=192.168.65.28 comment="E1 PTZ" list=Camera
/ip firewall address-list add address=192.168.65.7 comment=R4 list=Camera
/ip firewall address-list add address=192.168.65.12 comment="Back Door" list=Camera
/ip firewall address-list add address=8.8.8.8 list=CameraAllowed
/ip firewall address-list add address=9.9.9.9 list=CameraAllowed
/ip firewall address-list add address=8.8.4.4 list=CameraAllowed
/ip firewall address-list add address=149.112.112.112 list=CameraAllowed
/ip firewall address-list add address=192.168.64.0/24 list=AllowedToRouter
/ip firewall address-list add address=192.168.65.0/24 list=AllowedToRouter
/ip firewall address-list add address=10.64.0.0/24 list=AllowedToRouter
/ip firewall address-list add address=10.200.0.0/24 list=AllowedToRouter
/ip firewall address-list add address=chazoopa-h.synology.me list=AllowedToRouter
/ip firewall address-list add address=192.168.10.0/24 list=AllowedToRouter
/ip firewall address-list add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=192.168.0.0/16 comment=RFC6890 disabled=yes list=not_in_internet
/ip firewall address-list add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=224.0.0.0/4 comment=Multicast list=not_in_internet
/ip firewall address-list add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
/ip firewall address-list add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
/ip firewall address-list add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
/ip firewall address-list add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
/ip firewall address-list add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
/ip firewall address-list add address=192.168.65.0/24 list=WireguardTraffic
/ip firewall address-list add address=192.168.10.0/24 list=WireguardTraffic
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=accept chain=input comment="Accept DNS, NTP for udp" dst-port=53,123 in-interface-list=LAN protocol=udp
/ip firewall filter add action=accept chain=input comment="Accept DNS for tcp" dst-port=53 in-interface-list=LAN protocol=tcp
/ip firewall filter add action=accept chain=input comment="Allow from nice IPs from Wireguard" in-interface=Wireguard src-address-list=AllowedToRouter
/ip firewall filter add action=drop chain=input comment="drop from guest bridge" src-address=192.168.67.0/24
/ip firewall filter add action=accept chain=input comment="Accept all from LAN" in-interface-list=LAN
/ip firewall filter add action=drop chain=input comment="drop all else"
/ip firewall filter add action=log chain=forward disabled=yes log-prefix=xxx src-address=192.168.65.23
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="Drop guests to locals" out-interface-list=!WAN src-address=192.168.67.0/24
/ip firewall filter add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface-list=LAN log=yes log-prefix=!public_from_LAN
/ip firewall filter add action=drop chain=forward comment="Drop Cameras" dst-address-list=!CameraAllowed log-prefix=Camera out-interface-list=WAN src-address-list=Camera
/ip firewall filter add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=ether1 log=yes log-prefix=!public src-address-list=not_in_internet
/ip firewall filter add action=drop chain=forward comment="defconf: drop bad forward IPs" log=yes src-address-list=no_forward_ipv4
/ip firewall filter add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv4 log=yes
/ip firewall filter add action=accept chain=forward comment="Allow internet access" in-interface-list=LAN out-interface-list=WAN
/ip firewall filter add action=accept chain=forward comment="Allow wireguard traffic" out-interface=Wireguard src-address-list=WireguardTraffic
/ip firewall filter add action=accept chain=forward comment="Allow port forwarding" connection-nat-state=dstnat
/ip firewall filter add action=drop chain=forward comment="drop all else"
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN
/ip firewall nat add action=masquerade chain=srcnat out-interface=Wireguard
/ip route add disabled=no distance=1 dst-address=192.168.64.0/24 gateway=Wireguard pref-src=0.0.0.0 routing-table=main suppress-hw-offload=no
/ip route add comment="So certain source IPs go through the WG VPN - look in Routing Rules" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=Wireguard pref-src="" routing-table=use-WG scope=10 suppress-hw-offload=no target-scope=10
/ip route add disabled=no dst-address=10.200.0.0/24 gateway=Wireguard routing-table=main suppress-hw-offload=no
/ip route add disabled=no dst-address=10.100.0.0/24 gateway=Wireguard routing-table=main suppress-hw-offload=no
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes
/ip ssh set always-allow-password-login=yes
/ipv6 firewall address-list add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
/ipv6 firewall address-list add address=::1/128 comment="defconf: lo" list=bad_ipv6
/ipv6 firewall address-list add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
/ipv6 firewall address-list add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
/ipv6 firewall address-list add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
/ipv6 firewall address-list add address=100::/64 comment="defconf: discard only " list=bad_ipv6
/ipv6 firewall address-list add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
/ipv6 firewall address-list add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
/ipv6 firewall address-list add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall address-list add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast" list=no_forward_ipv6
/ipv6 firewall address-list add address=ff00::/8 comment="defconf: multicast" list=no_forward_ipv6
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related
/ipv6 firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept IKE" disabled=yes dst-port=500,4500 protocol=udp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ipsec AH" disabled=yes protocol=ipsec-ah
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ipsec ESP" disabled=yes protocol=ipsec-esp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept all that matches ipsec policy" disabled=yes ipsec-policy=in,ipsec
/ipv6 firewall filter add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv6
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv6
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
/ipv6 firewall filter add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept HIP" protocol=139
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept IKE" disabled=yes dst-port=500,4500 protocol=udp
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ipsec AH" disabled=yes protocol=ipsec-ah
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ipsec ESP" disabled=yes protocol=ipsec-esp
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" disabled=yes ipsec-policy=in,ipsec
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/routing rule add action=lookup-only-in-table comment="Pixel-7 " disabled=no src-address=192.168.65.30/32 table=use-WG
/routing rule add action=lookup-only-in-table comment=TV disabled=no src-address=192.168.65.26/32 table=use-WG
/routing rule add action=lookup-only-in-table comment="Surface" disabled=yes src-address=192.168.65.27/32 table=use-WG
/routing rule add action=lookup-only-in-table comment="T14" disabled=no src-address=192.168.65.23/32 table=use-WG
/routing rule add action=lookup-only-in-table comment=T480 disabled=no src-address=192.168.65.18/32 table=use-WG
/system clock set time-zone-name=Europe/Paris
/system identity set name="France HAP ax2"
/system logging set 0 topics=info,!dhcp,!wireless
/system note set show-at-login=no
/tool graphing interface add interface=ether1
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN


Last edited by howdey57 on Sat Apr 06, 2024 10:07 am, edited 1 time in total.
 
TheCat12
Member Candidate
Posts: 196
Joined: Fri Dec 31, 2021 9:13 pm

Re: Wireguard and, I think, DNS

Fri Apr 05, 2024 10:53 am

Why not use a universal one - 8.8.8.8 :) Based on the symptoms, I also think it's the DNS.
 
howdey57
Member Candidate
Topic Author
Posts: 127
Joined: Wed Dec 31, 2014 2:36 pm

Re: Wireguard and, I think, DNS

Fri Apr 05, 2024 11:13 am

Thanks for the reply.

I tried that - no change!
 
pimmie
newbie
Posts: 43
Joined: Fri Mar 27, 2015 4:51 pm

Re: Wireguard and, I think, DNS

Fri Apr 05, 2024 12:35 pm

A slow network could also be an indication of an MTU/MSS issue. You don't seem to have any change-mss mangle rules?

My advice would be to start with a ping and follow those packets to see if they follow the expected path, both in FR and UK, using torch/tcpdump. If a standard ping works, try to set the size of the ping to the size of your MTU and set dont-fragment. If that also works, try to figure out if the issue is in FR or in UK, i.e. when using torch/tcpdump, do you see return traffic when browsing to bbc.com (again, both in FR and UK)?
 
anav
Forum Guru
Posts: 19602
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard and, I think, DNS

Fri Apr 05, 2024 1:33 pm

Besides the usual bloat of filtering to block traffic instead of simply allowing needed traffic and dropping everything else....

I am curious as to how you separate those needing access to the tunnel.
Firstly, which router is the server for the handshake?
Which end needs to access the internet of the other?
Are those users needing access organized into a subnet?
 
howdey57
Member Candidate
Topic Author
Posts: 127
Joined: Wed Dec 31, 2014 2:36 pm

Re: Wireguard and, I think, DNS

Fri Apr 05, 2024 1:53 pm

Hi anav,

I love a bit of bloatware!

Your questions:
Firstly, which router is the server for the handshake?
--- France is behind CGNAT, so it initiates the connection to the UK.
Which end needs to access the internet of the other?
--- France needs to come out of the UK IP (so it looks like I'm in the UK).
Are those users needing access organized into a subnet?
--- No, just individual Rules in Routing - I actually want to do it on a machine-by-machine basis.
 
anav
Forum Guru
Posts: 19602
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard and, I think, DNS

Fri Apr 05, 2024 6:59 pm

Okay, a machine-by-machine basis means you have to mangle in most cases.....
Thus the use of a firewall address list makes sense. If it was just a few, routing rules would work.......
 
Amm0
Forum Guru
Posts: 3590
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Wireguard and, I think, DNS

Fri Apr 05, 2024 7:16 pm

pimmie wrote:
A slow network could also be an indication of an MTU/MSS issue. You don't seem to have any change-mss mangle rules?

My advice would be to start with a ping and follow those packets to see if they follow the expected path, both in FR and UK, using torch/tcpdump. If a standard ping works, try to set the size of the ping to the size of your MTU and set dont-fragment. If that also works, try to figure out if the issue is in FR or in UK, i.e. when using torch/tcpdump, do you see return traffic when browsing to bbc.com (again, both in FR and UK)?

Yup, all true. A quick test would be to just guess and lower WG's MTU to something like 1348.
 
anav
Forum Guru
Posts: 19602
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard and, I think, DNS

Fri Apr 05, 2024 10:08 pm

I wouldn't lower the MTU right away; instead I would keep both ends at the default 1420 and add a mangle rule to the French side.
/ip firewall mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=Wireguard passthrough=yes protocol=tcp tcp-flags=syn
 
Amm0
Forum Guru
Posts: 3590
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Wireguard and, I think, DNS

Fri Apr 05, 2024 10:33 pm

Perhaps. But TCP MSS adjust doesn't help UDP, nor does it allow normal PMTUD to work.

But running a ping test with the DF bit would be the right call - you'd know if it's an MTU issue.
 
anav
Forum Guru
Posts: 19602
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard and, I think, DNS

Sat Apr 06, 2024 4:18 am

Nix on that. If the clamp rule doesn't work, next try
add action=change-mss chain=forward new-mss=1380 out-interface=Wireguard protocol=tcp tcp-flags=syn tcp-mss=1381-65535
 
howdey57
Member Candidate
Topic Author
Posts: 127
Joined: Wed Dec 31, 2014 2:36 pm

Re: Wireguard and, I think, DNS

Sat Apr 06, 2024 10:06 am

I think this is going in the wrong direction. The speed is OK.

It's the ability to connect to some websites which, to me, indicates DNS. As soon as I turn off the routing rule and the machine uses the local French exit point, the websites are available.

Is there anything special I should have in WireGuard or elsewhere to force DNS to be either in France or the UK? I'd like to use the UK DNS if possible so I get the right geographic entries.

I'm not sure I want to use mangle rules when I don't need to.
 
pimmie
newbie
Posts: 43
Joined: Fri Mar 27, 2015 4:51 pm

Re: Wireguard and, I think, DNS

Sat Apr 06, 2024 11:44 am

howdey57 wrote:
Also, when trying to start Webex conference calls with the Routing turned on, it takes about 3 minutes to start the call.

@howdey57 If speed is OK, then why did you mention the above?

Which DNS servers do you expect the clients exiting in the UK to use? In your config, all 65.x clients seem to use `dns-server=192.168.65.1,9.9.9.9,149.112.112.112`. If those clients use 192.168.65.1 as DNS, then they won't ever hit a routing rule unless you disable hardware offloading for the bridge ports those clients are connected to. Note that the requests from the DNS server on your hAP/192.168.65.1 will not be forwarded to the UK.

So remove your local DNS server from the DHCP network config to ensure the clients are hitting the routing table on your hAP, so that all DNS requests are also routed to the UK.
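As an added example (my own code, not from the thread or from MikroTik), a small Python lint that reads a RouterOS export in the shape of the one posted above and flags the two things discussed in this thread: clients steered into a routing table by a routing rule while their DHCP scope hands out the router's own address as DNS (pimmie's point), and whether a change-mss rule exists on the WireGuard out-interface and stays within mtu-40 (anav's mangle rule). The sample export, the function names and the 1420 default MTU fallback are assumptions of this example.

```python
"""Lint a RouterOS export for two WireGuard policy-routing pitfalls:
(1) a routing-rule client that resolves DNS via the router itself,
(2) a missing or oversized TCP MSS clamp on the tunnel interface.
Added example; not MikroTik's code."""
import ipaddress
import shlex

# Constructed, abridged sample in the shape of the French hAP export above.
SAMPLE_EXPORT = """
/interface wireguard add mtu=1420 name=Wireguard
/ip address add address=192.168.65.1/24 interface=bridge_main_65 network=192.168.65.0
/ip address add address=192.168.67.1/24 interface=bridge_guest_67 network=192.168.67.0
/ip dhcp-server network add address=192.168.65.0/24 dns-server=192.168.65.1,9.9.9.9 gateway=192.168.65.1
/ip dhcp-server network add address=192.168.67.0/24 dns-server=9.9.9.9 gateway=192.168.67.1
/routing rule add action=lookup-only-in-table comment="Pixel-7 " src-address=192.168.65.30/32 table=use-WG
/routing rule add action=lookup-only-in-table comment=T14 src-address=192.168.65.23/32 table=use-WG
/ip firewall mangle add action=change-mss chain=forward new-mss=1300 out-interface=Wireguard protocol=tcp tcp-flags=syn
"""


def parse_export(text):
    """Return [(menu path, {key: value})] for every add/set line of an export."""
    entries = []
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())          # shlex keeps quoted comments whole
        if not tokens or not tokens[0].startswith("/"):
            continue
        verb = next((i for i, t in enumerate(tokens) if t in ("add", "set")), None)
        if verb is None:
            continue
        params = dict(t.split("=", 1) for t in tokens[verb + 1:] if "=" in t)
        entries.append((" ".join(tokens[:verb]), params))
    return entries


def dns_bypass_findings(entries):
    """Routing-rule clients whose DHCP scope lists one of the router's own
    addresses as DNS: the router answers those queries itself, and its own
    resolver follows the main table, so the lookups never enter the tunnel."""
    own = {ipaddress.ip_interface(p["address"]).ip
           for path, p in entries if path == "/ip address"}
    scopes = [(ipaddress.ip_network(p["address"]), p.get("dns-server", "").split(","))
              for path, p in entries if path == "/ip dhcp-server network"]
    findings = []
    for path, p in entries:
        if path != "/routing rule" or "src-address" not in p:
            continue
        client = ipaddress.ip_interface(p["src-address"]).ip
        for net, dns in scopes:
            if client in net and any(d and ipaddress.ip_address(d) in own for d in dns):
                findings.append(f"{client} ({p.get('comment', '').strip()}) is steered to "
                                f"table {p['table']} but resolves DNS via the router")
    return findings


def mss_findings(entries):
    """Check each WireGuard interface for a change-mss rule on its out-interface
    and that the clamp fits inside the tunnel MTU (IPv4 20 + TCP 20 = 40 bytes)."""
    findings = []
    clamps = [p for path, p in entries
              if path == "/ip firewall mangle" and p.get("action") == "change-mss"]
    for path, p in entries:
        if path != "/interface wireguard":
            continue
        name, max_mss = p["name"], int(p.get("mtu", 1420)) - 40  # 1420 = RouterOS default
        mine = [c for c in clamps if c.get("out-interface") == name]
        if not mine:
            findings.append(f"{name}: no change-mss rule; clamp TCP MSS to <= {max_mss}")
        for c in mine:
            mss = c.get("new-mss", "")
            if mss != "clamp-to-pmtu" and int(mss) > max_mss:
                findings.append(f"{name}: new-mss={mss} exceeds tunnel limit {max_mss}")
    return findings


def lint(text):
    entries = parse_export(text)
    return {"dns": dns_bypass_findings(entries), "mss": mss_findings(entries)}
```

Run `lint(open("export.rsc").read())` against a real `/export` to get both lists; an empty `dns` list means no steered client is resolving through the router.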
 
howdey57
Member Candidate
Topic Author
Posts: 127
Joined: Wed Dec 31, 2014 2:36 pm

Re: Wireguard and, I think, DNS

Sat Apr 06, 2024 12:17 pm

Sorry all. I decided I should try the mangle rule - just in case - and, of course, it worked!
chain=forward action=change-mss new-mss=1300 passthrough=yes tcp-flags=syn protocol=tcp connection-mark=no-mark out-interface=Wireguard tcp-mss=1301-65535 log=no log-prefix="" 
Taken from the last section of this page: https://help.mikrotik.com/docs/display/ROS/Mangle

I added "no-mark" so Fasttrack would work (I think that is correct).

I gave the Webex example to illustrate the initial connection was very slow - after that, it was ok.

Thank you all for the help.
