Hello everyone. I need help. I have a VyOS that receives multiple tunnels. The task is to connect another Mikrotik to it. I have successfully established a connection through WireGuard. The routers ping each other. VyOS sees the neighbor. The Mikrotik sends a Hello every two seconds, but it does not receive a Hello in response, and the neighbor relationship is not established. On the Mikrotik, all traffic through the WireGuard interface is completely open. On VyOS, no firewall rule is bound to the WireGuard interface.
I tried the point-to-point network type and the broadcast network type. Neither helped establish the neighbor relationship. Please check the configuration and point me to the error:
set interfaces wireguard wg01 address '10.1.0.1/30'
set interfaces wireguard wg01 description 'VPN-to-wg02'
set interfaces wireguard wg01 ip ospf authentication plaintext-password 'ospf'
set interfaces wireguard wg01 ip ospf bfd
set interfaces wireguard wg01 ip ospf cost '10'
set interfaces wireguard wg01 ip ospf dead-interval '6'
set interfaces wireguard wg01 ip ospf hello-interval '2'
set interfaces wireguard wg01 ip ospf network 'point-to-point'
set interfaces wireguard wg01 ip ospf priority '0'
set interfaces wireguard wg01 ip ospf retransmit-interval '5'
set interfaces wireguard wg01 ip ospf transmit-delay '1'
set interfaces wireguard wg01 peer to-wg02 allowed-ips '192.168.5.0/24'
set interfaces wireguard wg01 peer to-wg02 allowed-ips '10.1.0.0/30'
set interfaces wireguard wg01 peer to-wg02 pubkey 'xxxxxxxxxxxxxxxxxxxxxxx='
set interfaces wireguard wg01 port '51820'
set policy route-map CONNECT rule 10 action 'permit'
set policy route-map CONNECT rule 10 match interface 'wg01'
set protocols ospf passive-interface-exclude 'wg01'
set protocols static interface-route 192.168.5.0/24 next-hop-interface wg01
I am using 0.0.0.0/0 as allowed IPs, because I don't know what networks I will receive from the other end. I am not sure, but maybe you need to add the multicast addresses to the allowed IPs, because otherwise WireGuard won't be allowed to send packets with an OSPF multicast destination address out of that WireGuard interface.
Thanks a lot for the tip. Indeed, the broadcast address was missing on both ends of the tunnel. I did two things:
1. added 224.0.0.5/32 to 'allow-network' on both sides
2. chose the network type 'broadcast' on both sides
and my Mikrotik saw a neighbor.
In this case, both routers show the neighbor in the '2-Way/DROther' state, but dynamic routes are not distributed.
If I set the network type to 'point-to-point' on both sides, a storm starts on both routers: dynamic routes appear and disappear, and pings to the WAN and to the OSPF peer fail and resume. But the neighbor status is excellent: 'Full/DROther'.
So the question is: how do I fix the storm?
I think you should be using 'allow-network' 224.0.0.4/30, because OSPF uses 224.0.0.5 and 224.0.0.6, or you can configure 'allow-network' 0.0.0.0/0. Please also check that both sides have the same area (0.0.0.0 in your case) and that there aren't any firewall rules blocking this traffic.
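The cryptokey-routing behaviour that the two replies above rely on, as an added example that is not part of the thread and not code from either router: WireGuard only encrypts a packet towards a peer when the inner destination matches one of that peer's allowed-ips (longest prefix wins, no match means a silent drop), and on the way back it discards any decrypted packet whose inner source does not map to the peer it came from. The script below models that table for the single 'to-wg02' peer from the posted config and tries the variants suggested in the thread; the 198.51.100.7 source used for the spoofing check is a constructed documentation address. It makes two practical points explicit: 224.0.0.5/32 is enough for hellos but not for the 224.0.0.6 DR/BDR traffic that the broadcast network type uses, so 224.0.0.4/30 is the minimal addition; and 0.0.0.0/0 also works but switches off the source filter, so the remote peer could inject packets with any inner source address. A related check on the posted config: with 'ip ospf priority 0' on wg01 the VyOS side can never be elected DR, so on a broadcast network both ends sitting in 2-Way/DROther is the expected outcome unless the Mikrotik uses a non-zero priority.

```python
"""Added example: does an OSPF packet survive WireGuard's cryptokey routing?

WireGuard keeps one table per interface mapping allowed-ips prefixes to peers.
On egress the inner destination is looked up by longest prefix; no match means
the packet is dropped.  On ingress the inner source of a decrypted packet must
map back to the peer that sent it, or the packet is dropped too.
"""
import ipaddress

# From the 'peer to-wg02 allowed-ips' lines in the original post, plus the
# variants suggested in the replies.  Only one peer exists on wg01 here.
ORIGINAL = ["192.168.5.0/24", "10.1.0.0/30"]
WITH_HELLO_ONLY = ORIGINAL + ["224.0.0.5/32"]
WITH_OSPF_BLOCK = ORIGINAL + ["224.0.0.4/30"]
CATCH_ALL = ["0.0.0.0/0"]

ALL_SPF_ROUTERS = "224.0.0.5"   # every OSPF hello, any network type
ALL_D_ROUTERS = "224.0.0.6"     # DROther -> DR/BDR on broadcast networks


def cryptokey_lookup(table, address):
    """Longest-prefix match of an inner IP over {peer: [allowed-ips]}.
    Returns the peer name, or None when no prefix covers the address."""
    addr = ipaddress.ip_address(address)
    best_peer, best_len = None, -1
    for peer, prefixes in table.items():
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix, strict=False)
            if addr in net and net.prefixlen > best_len:
                best_peer, best_len = peer, net.prefixlen
    return best_peer


def egress_reaches(table, peer, dst):
    """True if a locally generated packet to dst is encrypted towards peer."""
    return cryptokey_lookup(table, dst) == peer


def ingress_accepted(table, peer, src):
    """True if a packet decrypted from peer with inner source src is kept."""
    return cryptokey_lookup(table, src) == peer


def ospf_status(allowed_ips, peer="to-wg02"):
    """Which OSPF multicast groups can leave wg01 with this allowed-ips list,
    and whether the peer could inject a packet from an arbitrary source."""
    table = {peer: allowed_ips}
    return {
        "hello": egress_reaches(table, peer, ALL_SPF_ROUTERS),
        "dr_updates": egress_reaches(table, peer, ALL_D_ROUTERS),
        # 198.51.100.7 is a constructed Internet address used only to probe
        # whether the anti-spoofing source filter still applies.
        "accepts_any_source": ingress_accepted(table, peer, "198.51.100.7"),
    }


if __name__ == "__main__":
    for name, lst in [("original", ORIGINAL), ("+224.0.0.5/32", WITH_HELLO_ONLY),
                      ("+224.0.0.4/30", WITH_OSPF_BLOCK), ("0.0.0.0/0", CATCH_ALL)]:
        print(f"{name:15} {ospf_status(lst)}")
```

Run it as-is to see the four rows; the original list gives no OSPF egress at all, the /32 fixes hellos only, the /30 fixes both, and 0.0.0.0/0 fixes both at the cost of accepting any inner source from that peer.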
Do you get a default route from the other side? It might effectively kill the tunnel. Then the OSPF default route disappears, and the tunnel re-establishes. And on and on …
I am sorry. I redistributed 'Static' and 'Connected' routes in the Redistribute section of my OSPF instance on the Mikrotik. That was the cause of the neighbor drops. I checked the 'VPN' checkbox instead and it worked.
Thank you all for your participation and replies.
Finally, the allowed networks on the WireGuard interface of my Mikrotik look like this:
10.1.0.0/30 - wireguard
224.0.0.4/30 - broadcast
172.20.0.0/24 - branch offices
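The flapping described in the last two posts, as an added example that is not part of the thread and not code from either router: the WireGuard endpoint is reached through the underlay (the WAN default route), and as soon as OSPF running inside the tunnel installs a more specific route that covers the remote endpoint, the encrypted UDP packets to that endpoint would have to go into the tunnel itself, so they are never delivered; the adjacency times out, the learned route is withdrawn, the endpoint resolves via the WAN again, the tunnel comes back and the cycle repeats. Redistributing 'connected' and 'static' on the Mikrotik announces exactly those prefixes (its own WAN subnet and its default route). The script below is a small routing-table model: the interface names and route lists are assumptions, the two WAN subnets are constructed RFC 5737 documentation addresses, and only 10.1.0.0/30 and 172.20.0.0/24 come from the thread. It shows the oscillation with the unfiltered announcements and the stable state once the underlay prefixes and the default route are kept out of redistribution, which is what the thread's final fix amounts to. The same check is worth applying on the VyOS side: the posted config defines route-map CONNECT but none of the posted lines applies it to a redistribute statement, so it is not visible whether VyOS filters what it announces back.

```python
"""Added example: why redistributing connected/static routes over the tunnel
makes the adjacency flap.  Addresses are constructed (RFC 5737 ranges)."""
import ipaddress

TUNNEL = "wg01"
REMOTE_ENDPOINT = "203.0.113.10"     # Mikrotik public address (constructed)

# VyOS RIB before OSPF: (prefix, administrative distance, outgoing interface)
RIB_VYOS = [
    ("0.0.0.0/0", 1, "eth0"),         # static default via WAN (assumed)
    ("198.51.100.0/24", 0, "eth0"),   # VyOS own WAN subnet (constructed)
    ("10.1.0.0/30", 0, TUNNEL),       # tunnel transfer net from the thread
]

# What the Mikrotik announces when it redistributes "connected" and "static":
# its WAN subnet, the transfer net, the branch LAN and its default route.
MIKROTIK_CONNECTED = ["203.0.113.0/24", "10.1.0.0/30", "172.20.0.0/24"]
MIKROTIK_STATIC = ["0.0.0.0/0"]
MIKROTIK_UNDERLAY = ["203.0.113.0/24", "0.0.0.0/0"]  # must never ride the tunnel


def resolve(rib, dst):
    """Outgoing interface for dst: longest prefix first, then lowest distance."""
    addr = ipaddress.ip_address(dst)
    cands = [(ipaddress.ip_network(p), d, i) for p, d, i in rib
             if addr in ipaddress.ip_network(p)]
    if not cands:
        return None
    _net, _dist, iface = max(cands, key=lambda c: (c[0].prefixlen, -c[1]))
    return iface


def as_ospf_routes(prefixes, distance=110):
    """Routes as they arrive over the tunnel (OSPF external, distance 110)."""
    return [(p, distance, TUNNEL) for p in prefixes]


def safe_to_redistribute(prefixes, underlay):
    """Drop the default route and any prefix that contains (or equals) an
    underlay prefix, so the remote endpoint can never be learned through the
    tunnel.  An explicit version of 'stop redistributing connected/static'."""
    under = [ipaddress.ip_network(u) for u in underlay]
    keep = []
    for p in prefixes:
        net = ipaddress.ip_network(p)
        if net.prefixlen == 0 or any(u.subnet_of(net) for u in under):
            continue
        keep.append(p)
    return keep


def simulate(rib_base, learned, endpoint, rounds=4):
    """Tunnel state after each convergence round: OSPF routes are installed
    while the adjacency is up and withdrawn once it has been declared dead."""
    states, up = [], True
    for _ in range(rounds):
        rib = rib_base + (learned if up else [])
        # If the endpoint now resolves into the tunnel, the outer packets can
        # no longer reach the peer and the adjacency dies.
        up = resolve(rib, endpoint) != TUNNEL
        states.append("up" if up else "down")
    return states


if __name__ == "__main__":
    announced = MIKROTIK_CONNECTED + MIKROTIK_STATIC
    print("unfiltered:", simulate(RIB_VYOS, as_ospf_routes(announced), REMOTE_ENDPOINT))
    filtered = safe_to_redistribute(announced, MIKROTIK_UNDERLAY)
    print("filtered  :", filtered,
          simulate(RIB_VYOS, as_ospf_routes(filtered), REMOTE_ENDPOINT))
```

The model deliberately uses distance 110 for the learned routes: the point is that a longer prefix beats the static default regardless of administrative distance, which is why a redistributed WAN /24 is enough to break the tunnel even though the default route itself loses to the static one.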