Hi
Suddenly, I could no longer connect to my wireguard on my home router.
Also, some services (also a ovpn backup) that are running in a NAS stopped working .
When I came back home, after reseting the counters, I checked that most filter and nat counters are almost zero (shouldn't!). The counter for the wireguard port (filter) is zero, although I attempt to connect. The counter for the port of the NAS ovpn (NAT) increases when I attempt to connect, always without success.
The router stands behind an ISP router with DMZ, which was last upgraded in 2018.
I've had this setup working for years and when it stopped working I wasn't even connected to my wireguard. Last time I was connected to the wireguard I did nothing to the router's configuration.
All this led me to believe something got spontaneously messed up with the RB5009. I did a netinstall with the same firmware (7.10.2) and put back the last configuration. Nothing changed.

I'm going away tomorrow for 2 weeks and I really need the wireguard and also the services that I run 24/7 on the NAS. Has anybody got a suggestion? What can I do that I haven't done?
thanks!

Sounds like you should put your critical components on UPS? Power bumps/outages are not friendly on equipment.
Did the ISP do something funky at their end??

Check dmz settings and ip address rb got.

And enable BTH and/or Zerotier. Easiest way out, I think. You should always have one option back in then.

Sounds like you should put your critical components on UPS? Power bumps/outages are not friendly on equipment.
Did the ISP do something funky at their end??

I do have a UPS holding the net and the NAS...
First I thought it must have been the ISP. But their router seems fine (very simple configuration, just DMZ) and it was not upgraded. And some packets do reach the MT from outside (ovpn on the NAS, though it doesn't connect). What could they have done?

Check dmz settings and ip address rb got.

And enable BTH and/or Zerotier. Easiest way out, I think. You should always have one option back in then.

I did check DMZ and the router's IP (static). All fine.
I don't know what BTH is. The NAS ovpn was the backup.
I guess zerotier could work. Connections from outside are started from the clients inside, I guess...

Mikrotik BTH
https://help.mikrotik.com/docs/display/ROS/Back+To+Home

Both BTH and Zerotier will start connection from inside.

Our providers are switching to CGNAT which causes these symptoms you are experiencing. Contact support (service provider, not MikroTik) and request a routable address. Check DHCP assigned addresses to be sure (10.x.y.z/100.x.y.z)

Our providers are switching to CGNAT which causes these symptoms you are experiencing. Contact support (service provider, not MikroTik) and request a routable address. Check DHCP assigned addresses to be sure (10.x.y.z/100.x.y.z)

I have a public address from my ISP. CGNAT implies a private address, right?
The DHCP addresses are fine. Every device is working with the usual IP, just not accepting connections from outside.

Not accepting or nothing is coming in ?

Best bet if short on time, zerotier or BTH ... then you have 2 weeks to figure things out

Not accepting or nothing is coming in ?

Best bet if short on time, zerotier or BTH ... then you have 2 weeks to figure things out

Well, something is coming in..... just not much....
Like I said, I try to connect to the wireguard and the counter doesn't increase. But when I try to connect to the ovpn, the counter adds up. ICMP also goes in. (I do this on my mac while connected to my phone's hot spot).
Been reading about BTH. Looks like wireguard....

Yes, it is wireguard.
Only difference is that (if no fixed IP is detected) it uses a relay server from Mikrotik.

To be clear, BTH treats your local router as a client and thus the router will send out a join request to the MT cloud and then the tunnel will be established. Remote clients reach your router through the cloud connection (aka relay)
If you have a reachable public IP, then I think the BTH bypasses the MT cloud......... and your router acts like he server (direct connection)........ ( could be wrong though )

To be clear, BTH treats your local router as a client and thus the router will send out a join request to the MT cloud and then the tunnel will be established. Remote clients reach your router through the cloud connection (aka relay)
If you have a reachable public IP, then I think the BTH bypasses the MT cloud......... and your router acts like he server (direct connection)........ ( could be wrong though )

yep. That's what I was thinking. The minute my public IP is detected BTH will not be relayed and then it won't work just like my wireguard doesn't.
Oh, how I wish I had a private IP....

Anyway, installed zerotier (I'm working against the clock here).
MT, phone and macbook.
I can visit the MT webpage from my phone (while using mobile data). I can visit the MT webpage from my macbook when I'm using my wifi. But when the macbook is connected to the phone's hot spot I can't ping the router.

ok, it was cgnat after all.
I was on the phone with my ISP, asked about the cgnat and they told me they “added” the “cgnat service” to my router but that it wouldn’t cost me anything more

I told them I would change ISP if they didn’t “remove the service” and they said they would do it today.
Thanks to all.

Hahaha, we are going to ram this up your &SS for free LOL Nice ISP.

Sorry: should've adviced to check the dhcp *client* (acquired) address, not the dhcp server leases.

Good to hear it's (or will be) fixed now.