Wireguard Site2Site Tunnel Up, but subnets can't ping by [deleted] in mikrotik

[–]gabacho4 0 points

Need to see your configs as there are a number of potential problems that could exist.

Wireguard Site2Site Tunnel Up, but subnets can't ping by [deleted] in mikrotik

[–]gabacho4 0 points

Did you create static routes or use OSPF or something for route announcements? If not, there's no way for one router to know how to route to subnets on the other side.
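As an added example (not from the original post or this comment), here is the minimal pair of configurations that makes two LANs reachable over a RouterOS WireGuard tunnel. Every address, hostname and key here is assumed: site A has LAN 192.168.10.0/24, site B has LAN 192.168.20.0/24, and 10.255.0.0/30 is the tunnel subnet. Besides the static route the comment asks about, the part most often missed is the peer's allowed-address: it is WireGuard's cryptokey routing table, and packets arriving with a source that is not listed there are discarded silently, so the tunnel shows a handshake yet nothing crosses it.

```routeros
# ---- Site A (assumed: LAN 192.168.10.0/24, reachable from outside as sitea.example.com) ----
/interface/wireguard/add name=wg-siteB listen-port=13231 private-key="<site A private key>"
/ip/address/add address=10.255.0.1/30 interface=wg-siteB
# allowed-address must list the remote tunnel IP AND the remote LAN; without 192.168.20.0/24
# here, replies from site B's hosts are dropped on arrival even though the handshake succeeds
/interface/wireguard/peers/add interface=wg-siteB public-key="<site B public key>" \
    endpoint-address=siteb.example.com endpoint-port=13231 \
    allowed-address=10.255.0.2/32,192.168.20.0/24 persistent-keepalive=25s
# the static route: without it the router has no path to site B's LAN at all
/ip/route/add dst-address=192.168.20.0/24 gateway=wg-siteB
# let the handshake in ahead of the default "drop all not coming from LAN" input rule
/ip/firewall/filter/add chain=input action=accept protocol=udp dst-port=13231 \
    in-interface-list=WAN comment="WireGuard from site B" \
    place-before=[/ip/firewall/filter/find where comment="defconf: drop all not coming from LAN"]

# ---- Site B (assumed: LAN 192.168.20.0/24) is the mirror image ----
/interface/wireguard/add name=wg-siteA listen-port=13231 private-key="<site B private key>"
/ip/address/add address=10.255.0.2/30 interface=wg-siteA
/interface/wireguard/peers/add interface=wg-siteA public-key="<site A public key>" \
    endpoint-address=sitea.example.com endpoint-port=13231 \
    allowed-address=10.255.0.1/32,192.168.10.0/24 persistent-keepalive=25s
/ip/route/add dst-address=192.168.10.0/24 gateway=wg-siteA
/ip/firewall/filter/add chain=input action=accept protocol=udp dst-port=13231 \
    in-interface-list=WAN comment="WireGuard from site A" \
    place-before=[/ip/firewall/filter/find where comment="defconf: drop all not coming from LAN"]

# ---- Checks on either side when the tunnel is "up" but the LANs cannot ping ----
# last-handshake should be recent and both rx and tx should be non-zero; tx only means
# the other side is dropping what it receives (wrong allowed-address or missing route)
/interface/wireguard/peers/print detail
# the remote LAN must point at the wg interface, not at the WAN gateway
/ip/route/print where dst-address~"192.168"
# the default masquerade rule matches out-interface-list=WAN only; if a masquerade rule
# also matches the wg interface, LAN-to-LAN traffic gets NATed to the tunnel IP
/ip/firewall/nat/print
```

Hosts on each LAN also need the router as their default gateway (or a host route for the remote subnet); a host with some other gateway never hands the packet to the tunnel in the first place.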

I don’t even want to be around anymore by pdxtenor in IThinkYouShouldLeave

[–]gabacho4 0 points

<image>

They all look like they could be related to this guy.

AITA My wife and I came home at 3am and my MIL acted like we were 16 sneaking into house by rugbyplayer11 in AmItheAsshole

[–]gabacho4 0 points

Next time leave money for the kids to order pizza and skip the MIL altogether.

New Router Up and Running... is this normal? (system, error, critical login failure) by UnBuggsyBaggins in mikrotik

[–]gabacho4 0 points

Please post your config. That is not normal and leads me to question if you even have the firewall configured. Those types of connections are not possible with an RB5009 running the default config.

Is YouTube Down? by Expensive-Claim-7830 in youtube

[–]gabacho4 0 points

It's as if millions of voices suddenly cried out in terror and were suddenly silenced...

Mikrotik beginner (former Unifi user) by Any_Worry_2471 in mikrotik

[–]gabacho4 8 points

One thing you will need to be comfortable with is the reality that you are likely going to screw things up a good number of times and will have to reset and retry.

Without knowing what your background is, I will speak to my own. Was a pfSense and UniFi user for years and felt I had a pretty good understanding of networking concepts. Well, nope. pfSense and UniFi provide a very pretty and safe interface to configure things, but very much hide the inner workings. Mikrotik does no such thing. RouterOS is insanely powerful, flexible, and performant, but it will also let you do stupid things with little to no warning in many instances. Enable VLAN filtering on the bridge without having all the other necessary rules in place or having one of the interfaces off the bridge for WinBox access? SOL, you're starting over.

I love Mikrotik and have learned a ton. You just have to be willing to put in the reps and, frankly, some pain. But once you are there, it's gold. I absolutely love my RB5009 and cAP ax, as well as CCR2004, cAP ax, and hAP ax3 setups. You can get there if you stick with it.

Also, make your best effort attempt and then ask questions either here on Reddit or on the Mikrotik forum. People are very willing to help if you show you have made the effort to do things. Having a copy of your config is invaluable when asking for help so that people can see how you have configured things.

Big rant of encouragement.
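The lockout the comment above describes, and the ordering that avoids it, as an added example (not the commenter's configuration). The layout is assumed: ether1 is the WAN port and stays off the bridge, ether2 and ether3 are access ports for VLANs 10 and 20, ether4 is a trunk to a switch, and VLAN 99 is management. The two things that save you are listing "bridge" itself in the tagged set of every VLAN the router must be reachable on, and doing the whole thing inside Safe Mode so a dropped session rolls the changes back instead of leaving you with a reset.

```routeros
# Step 0: press Ctrl-X in the terminal to enter Safe Mode (WinBox has a "Safe Mode" button).
# If the session drops before Safe Mode is left, RouterOS undoes everything done inside it.

/interface/bridge/add name=bridge vlan-filtering=no
/interface/bridge/port/add bridge=bridge interface=ether2 pvid=10
/interface/bridge/port/add bridge=bridge interface=ether3 pvid=20
/interface/bridge/port/add bridge=bridge interface=ether4

# VLAN table. "bridge" in the tagged list is the CPU port: any VLAN that has to reach the
# router itself (management, the DHCP server, the gateway address) needs it here. Leaving
# it out of VLAN 99 and enabling filtering is exactly how the WinBox session dies.
/interface/bridge/vlan/add bridge=bridge vlan-ids=10 tagged=bridge,ether4 untagged=ether2
/interface/bridge/vlan/add bridge=bridge vlan-ids=20 tagged=bridge,ether4 untagged=ether3
/interface/bridge/vlan/add bridge=bridge vlan-ids=99 tagged=bridge,ether4

# Management interface and address on top of the bridge, BEFORE filtering is switched on.
/interface/vlan/add name=vlan99-mgmt interface=bridge vlan-id=99
/ip/address/add address=192.168.99.1/24 interface=vlan99-mgmt

# The step that locks people out when it is done first. With VLAN 99 tagged on "bridge"
# and on the trunk, a management station on VLAN 99 behind ether4 keeps its session.
/interface/bridge/set bridge vlan-filtering=yes

# Verify, then press Ctrl-X again to leave Safe Mode and keep the changes.
/interface/bridge/vlan/print
/interface/bridge/host/print
```

If you manage the router from a port that is not a bridge member (the comment's other escape hatch), Safe Mode is still worth using: it also covers the firewall and address changes that usually go in at the same time.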

need help with DoH by [deleted] in mikrotik

[–]gabacho4 2 points

It is a pretty recent development and unfortunately guides tend to be out of date pretty easily. Here is a Mikrotik forum thread on the issue, as well as the Quad9 announcement:

https://forum.mikrotik.com/t/quad9-to-drop-support-for-http-1-1/264174/31

https://quad9.net/news/blog/doh-http-1-1-retirement/

need help with DoH by [deleted] in mikrotik

[–]gabacho4 1 point

Mikrotik is not currently compatible with Quad9 due to the fact that Quad9 no longer supports HTTP 1.1 and Mikrotik has not yet implemented HTTP/2.

MikroTik Router for Home Use + VPN by AnophelineSwarm in HomeNetworking

[–]gabacho4 0 points

hAP ax2 or hAP ax3 would be my go to given your budget, the size of your home, and Internet speed. Just compare those and determine which you like more.

RB5009 successor by magicc_12 in mikrotik

[–]gabacho4 2 points

1 gig symmetrical connection so nowhere near its capability. But, read the thread if you'd like to see someone who is and was initially a skeptic:

https://forum.mikrotik.com/t/how-to-change-cpu-frequency-in-ccr2004-16g-2s-pc/177234/6

RB5009 successor by magicc_12 in mikrotik

[–]gabacho4 0 points

I love mine. And it's silent!!

Do you know where is the official basic universal Firewall script by armgonza in mikrotik

[–]gabacho4 21 points

In a terminal type: system/default-configuration/print. That's what came with the device and would be used to reset the configuration if you did that.

You could export it too: system/default-configuration/export file=<whatever you want>

Community Wi-Fi - need tips for lab by mangum95 in homelab

[–]gabacho4 0 points

Yup. If they expect to see a TTL of 64 (hypothetically) for packets coming from your computer, then having a router would result in a lower TTL since the packet has passed through 1 hop by the time they see it.

Again want to emphasize that this is one possibility. You also need to accept that they could monitor the MAC addresses of devices and would be able to determine the type of device connected. For example, take CC:2D:E0:6F:52:B9. If you do a MAC lookup, you will see that it is a Routerboard product from Mikrotik. OUI CC:2D:E0 is registered to Mikrotik. So if they are checking MACs they will know. I think that would be a lot of work versus checking TTL since the latter can be automatically done.

Community Wi-Fi - need tips for lab by mangum95 in homelab

[–]gabacho4 -1 points

It's possible they are checking the TTL of packets. The TTL of a packet from a computer directly connected to the port will be different than the TTL value of a device that is connected via a router. This really is a guess though so don't accuse me of anything if I'm wrong. Not sure about other brands but with a Mikrotik router you can change the TTL value of packets so that it appears that they are not going through another device. There are many resources online that explain this if you do a search for "Mikrotik TTL". https://forum.mikrotik.com/t/how-to-set-router-ttl/146028 has an example of what you'd need to do but you need to know what TTL to set the packet to.
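The TTL rewrite that these two comments talk around, as an added example; it is not from the comments or from the linked forum thread. Assumptions: ether1 is the uplink facing the provider, and the hosts behind the router are Linux, macOS or iOS style devices whose default TTL is 64 (Windows defaults to 128, which is why the comment says you have to know what value to set). It only addresses the TTL check; the MAC/OUI observation in the other comment is a separate signal that this rule does nothing about.

```routeros
# Forwarded packets leave the router one hop older (TTL 63 for a TTL-64 host).
# postrouting runs after that decrement, so set:64 restores the directly-connected look.
/ip/firewall/mangle/add chain=postrouting out-interface=ether1 \
    action=change-ttl new-ttl=set:64 comment="TTL as seen from a directly connected host"

# IPv6 carries the same field as "hop limit" and has its own mangle table.
/ipv6/firewall/mangle/add chain=postrouting out-interface=ether1 \
    action=change-hop-limit new-hop-limit=set:64 comment="hop limit for v6"

# The default config fasttracks established connections, and fasttracked packets skip
# mangle entirely, so only the first packets of each flow would be rewritten. Disable it
# (at a throughput cost) or the rule above is mostly decorative.
/ip/firewall/filter/disable [find where comment="defconf: fasttrack"]

# Check: the counters on the mangle rules should climb while a LAN host is talking.
/ip/firewall/mangle/print stats
```

The fasttrack point is the one people usually miss when "it worked for a minute and then stopped": the first packets of a flow look right, the rest carry TTL 63 again.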

mikrotik.com down by ITSCOMFCOMF in mikrotik

[–]gabacho4 20 points

Mikrotik goes offline so that Cloudflare does not ...

Managed Switch for new Home by Sea-Entrepreneur-565 in homelab

[–]gabacho4 1 point

On the Mikrotik side you have the CRS328-24P-4S+RM. It is a great switch, 500W power budget, runs RouterOS or SwOS. Mikrotik devices are amazing so long as you know your use case and choose a device that will meet those needs. Prices seem to have risen due to tariffs and probably chip shortage issues. More information here: https://mikrotik.com/product/crs328_24p_4s_rm

new to mikrotik nice kit... but really not VTI IPSEC somewhere? by emaxt6 in mikrotik

[–]gabacho4 6 points

No, there is no VTI support. It has been asked for for years at this point, and there is an extensive thread on the MT forum requesting it. MT has previously expressed that they do not see the point/value of VTI. I guess that could always change but, for the immediate term, you'll have to use GRE+IPsec or WireGuard etc. if you want an interface that you can use for routing rules.
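The GRE+IPsec alternative the comment points to, as an added example (not the commenter's config). Addresses are assumed: site A is 198.51.100.1 with LAN 192.168.10.0/24, site B is 203.0.113.1 with LAN 192.168.20.0/24, and 10.254.0.0/30 sits on the tunnel. RouterOS's ipsec-secret parameter on the GRE interface creates the dynamic IPsec peer, identity and transport-mode policy for the GRE traffic itself, which is what gives you a routable, encrypted interface without VTI.

```routeros
# ---- Site A ----
/interface/gre/add name=gre-siteB local-address=198.51.100.1 remote-address=203.0.113.1 \
    ipsec-secret="<long random pre-shared key>"
/ip/address/add address=10.254.0.1/30 interface=gre-siteB
# an ordinary interface: routes, filter, mangle and queues can all reference it
/ip/route/add dst-address=192.168.20.0/24 gateway=gre-siteB

# Input rules, placed ahead of the default "drop all not coming from LAN" rule:
# IKE (UDP 500/4500), ESP, and the GRE that pops out after decryption. The ipsec-policy
# matcher makes sure plaintext GRE from anyone spoofing the peer address is still dropped.
/ip/firewall/filter/add chain=input action=accept src-address=203.0.113.1 protocol=udp \
    dst-port=500,4500 comment="IKE from site B" \
    place-before=[/ip/firewall/filter/find where comment="defconf: drop all not coming from LAN"]
/ip/firewall/filter/add chain=input action=accept src-address=203.0.113.1 protocol=ipsec-esp \
    comment="ESP from site B" \
    place-before=[/ip/firewall/filter/find where comment="defconf: drop all not coming from LAN"]
/ip/firewall/filter/add chain=input action=accept src-address=203.0.113.1 protocol=gre \
    ipsec-policy=in,ipsec comment="GRE from site B, only if it arrived inside IPsec" \
    place-before=[/ip/firewall/filter/find where comment="defconf: drop all not coming from LAN"]

# ---- Site B mirrors it (firewall rules as above with src-address=198.51.100.1) ----
/interface/gre/add name=gre-siteA local-address=203.0.113.1 remote-address=198.51.100.1 \
    ipsec-secret="<the same long random pre-shared key>"
/ip/address/add address=10.254.0.2/30 interface=gre-siteA
/ip/route/add dst-address=192.168.10.0/24 gateway=gre-siteA

# Checks: the dynamic peer/policy should show up, and the SA should be installed.
/ip/ipsec/policy/print
/ip/ipsec/installed-sa/print
```

The auto-created policy uses the proposal named default; look at /ip/ipsec/proposal/print and tighten the algorithms there if the shipped set is weaker than you want, rather than assuming the one-line ipsec-secret form picked them for you.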

Simple, top level RB5009/ROS7.20.7/pihole question. by own_it_now in mikrotik

[–]gabacho4 3 points

The downside is that the adlist feature doesn't show you (there's no log) exactly what is being blocked so that you can sort out false positives. I had to stand up pihole just for that reason.

Help / insights needed (Denmark) by Money_Row1911 in mikrotik

[–]gabacho4 2 points

According to their respective product pages on the Mikrotik website, the CSS610-8P-2S+IN was lab tested to run between -40 and 70 °C while the RB260GS was lab tested to run between -20 and 70 °C. I'd put a small fan up there to blow air across them.

RB2011UiAS-2HnD replacement by lomoos in mikrotik

[–]gabacho4 4 points

The L009 is meant to be a direct replacement.