cpc0307
just joined
Topic Author
Posts: 5
Joined: Tue May 14, 2024 12:33 pm

Port forwarding over site-to-site wireguard

Tue May 14, 2024 6:41 pm

Hi everyone, I'm having some trouble setting up port forwarding over a WireGuard tunnel.
Here's my network diagram:
[network diagram image]

Router R2 connects using an E3372 LTE dongle that has no public IP. I would like to use the public IP of R1 and set up a port forwarding rule so I can access the HTTP server behind R2 using R1's public IP.
Currently I can access the R2 HTTP server from a computer within R1's LAN (using the R2-side LAN IP), but when I try to access it from another computer (on a different network) using R1's public IP, that doesn't work.
I also tried setting up mangle rules on R2, but I don't think they are working, or maybe my rules are wrong?
Hope someone can help me shed some light on this issue. Thanks.

Here are my router configs, for both R1 and R2:
# 2024-05-14 23:12:31 by RouterOS 7.14.3
# 
#
# model = RB960PGS
# Router R1
/interface bridge
add admin-mac=<Redacted> auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
/interface wireguard
add listen-port=13231 mtu=1420 name=wg-lte
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 user=\
    1111@example.com
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=sfp1 internal-path-cost=10 \
    path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf disabled=yes interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/interface wireguard peers
add allowed-address=172.22.1.0/24,10.10.0.0/24,0.0.0.0/0 interface=wg-lte \
    public-key="<Redacted>"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=172.22.1.1/24 interface=wg-lte network=172.22.1.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input dst-port=13231 protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=1111 in-interface=pppoe-out1 \
    protocol=tcp to-addresses=10.10.0.60 to-ports=8080
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no dst-address=10.10.0.0/24 gateway=172.22.1.2 routing-table=\
    main suppress-hw-offload=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Asia/Taipei
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN





# 2024-05-14 23:09:22 by RouterOS 7.14.3
# 
#
# model = RBD52G-5HacD2HnD
# R2 LTE Router
/interface bridge
add admin-mac=<Redacted> auto-mac=no comment=defconf name=bridge
/interface wireguard
add listen-port=13231 mtu=1420 name=wg-pubip
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=10.10.0.10-10.10.0.60
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/routing table
add disabled=no fib name=to-wg
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=lte1 list=WAN
/interface wireguard peers
add allowed-address=172.22.1.0/24,192.168.88.0/24,0.0.0.0/0 endpoint-address=\
    <Redacted> endpoint-port=13231 interface=wg-pubip public-key=\
    <Redacted>
/ip address
add address=10.10.0.254/24 comment=defconf interface=bridge network=10.10.0.0
add address=172.22.1.2/24 interface=wg-pubip network=172.22.1.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.10.0.0/24 comment=defconf dns-server=10.10.0.254 gateway=\
    10.10.0.254
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=prerouting in-interface=wg-pubip \
    new-connection-mark=from-wg-conn passthrough=yes
add action=mark-routing chain=prerouting connection-mark=from-wg-conn \
    new-routing-mark=to-wg passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no dst-address=192.168.88.0/24 gateway=172.22.1.1 routing-table=\
    main suppress-hw-offload=no
add disabled=no dst-address=0.0.0.0/0 gateway=172.22.1.1 routing-table=to-wg \
    suppress-hw-offload=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Asia/Taipei
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Last edited by cpc0307 on Tue May 14, 2024 8:23 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 22337
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding over site-to-site wireguard

Tue May 14, 2024 7:42 pm

One question needs to be answered.
Is it important to you that the originating external WAN IP is seen at the server behind the second router?

There are two options:
a. Receive the incoming external requests from WAN IPs, source-NAT them to the WireGuard IP of the first router, and send them to the server at R2 over WireGuard.
You should be able to determine those external IPs in logging on R1, if required.

b. As noted above, you need to keep those external IPs right through to the actual server.
In this case you will need to mangle that incoming traffic for the purposes of return traffic back through WireGuard.

The reason being that otherwise the router will not know where to return the traffic to, and more specifically, being a source with an external address, it will try to send it out the local WAN.

Both options are legit; it depends on what you need.
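Option (a) above, written out for R1 as an added example (the editor's example, not anav's or the thread author's configuration). It assumes the names from the configs posted in this thread: pppoe-out1 and wg-lte on R1, 172.22.1.1 as R1's tunnel address, and the HTTP server at 10.10.0.60:8080. With the source rewritten to the tunnel address, R2 answers a directly connected address and needs no mangle rules or second routing table; the real client address is kept in R1's log instead.

```routeros
# R1 (the router with the public IP), option (a): hide the external client
# behind R1's tunnel address so R2 needs no mangle / policy routing.
# Added example; interface and address names assumed from this thread's configs.
/ip firewall nat
# 1. Publish TCP/1111 on the PPPoE WAN and send it to the HTTP server behind R2.
add chain=dstnat in-interface=pppoe-out1 protocol=tcp dst-port=1111 \
    action=dst-nat to-addresses=10.10.0.60 to-ports=8080 \
    comment="publish :1111 -> HTTP server behind R2"
# 2. Only for that forwarded traffic, and only when it leaves via the tunnel,
#    rewrite the source to 172.22.1.1. R2 then replies to a directly connected
#    address and its main table sends the reply back through wg-pubip.
add chain=srcnat out-interface=wg-lte protocol=tcp \
    dst-address=10.10.0.60 dst-port=8080 \
    action=src-nat to-addresses=172.22.1.1 \
    comment="option a: source-NAT forwarded traffic to the tunnel IP"

# 3. The server now only ever sees 172.22.1.1, so keep the real client address
#    in R1's log. A new dst-nat'ed connection is not fasttracked and is not
#    matched by the defconf "drop all from WAN not DSTNATed" rule, so a log
#    rule appended to the forward chain sees each new session exactly once.
/ip firewall filter
add chain=forward in-interface=pppoe-out1 connection-state=new \
    connection-nat-state=dstnat protocol=tcp dst-address=10.10.0.60 \
    dst-port=8080 action=log log-prefix="http-1111:" \
    comment="record real client IP of forwarded sessions"

# Check: the connection entry on R1 should show src-address=<client>:<port>,
# dst-address=10.10.0.60:8080 and reply-dst-address=172.22.1.1:<port>.
/ip firewall connection print detail where dst-address~"10.10.0.60:8080"
```

The src-nat rule matches on the already translated destination because srcnat runs after dstnat, and it is restricted to out-interface=wg-lte so R1's own LAN traffic to 10.10.0.0/24 keeps its real 192.168.88.x source.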
 
cpc0307
just joined
Topic Author
Posts: 5
Joined: Tue May 14, 2024 12:33 pm

Re: Port forwarding over site-to-site wireguard

Tue May 14, 2024 7:50 pm

anav wrote:
> One question needs to be answered.
> Is it important to you that the originating external WAN IP is seen at the server behind the second router?
>
> There are two options:
> a. Receive the incoming external requests from WAN IPs, source-NAT them to the WireGuard IP of the first router, and send them to the server at R2 over WireGuard.
> You should be able to determine those external IPs in logging on R1, if required.
>
> b. As noted above, you need to keep those external IPs right through to the actual server.
> In this case you will need to mangle that incoming traffic for the purposes of return traffic back through WireGuard.
>
> The reason being that otherwise the router will not know where to return the traffic to, and more specifically, being a source with an external address, it will try to send it out the local WAN.
>
> Both options are legit; it depends on what you need.

Well, it's definitely nice to have, as I also want to do IP access logging on the HTTP server.
 
anav
Forum Guru
Posts: 22337
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding over site-to-site wireguard

Tue May 14, 2024 8:03 pm

Need to see config for BOTH routers.
 
cpc0307
just joined
Topic Author
Posts: 5
Joined: Tue May 14, 2024 12:33 pm

Re: Port forwarding over site-to-site wireguard

Tue May 14, 2024 8:19 pm

anav wrote:
> Need to see config for BOTH routers.

Sure, I've combined them into the same code block.
# 2024-05-14 23:12:31 by RouterOS 7.14.3
# 
#
# model = RB960PGS
# Router R1
/interface bridge
add admin-mac=<Redacted> auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
/interface wireguard
add listen-port=13231 mtu=1420 name=wg-lte
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 user=\
    1111@example.com
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=sfp1 internal-path-cost=10 \
    path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf disabled=yes interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/interface wireguard peers
add allowed-address=172.22.1.0/24,10.10.0.0/24,0.0.0.0/0 interface=wg-lte \
    public-key="<Redacted>"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=172.22.1.1/24 interface=wg-lte network=172.22.1.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input dst-port=13231 protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=1111 in-interface=pppoe-out1 \
    protocol=tcp to-addresses=10.10.0.60 to-ports=8080
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no dst-address=10.10.0.0/24 gateway=172.22.1.2 routing-table=\
    main suppress-hw-offload=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Asia/Taipei
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN





# 2024-05-14 23:09:22 by RouterOS 7.14.3
# 
#
# model = RBD52G-5HacD2HnD
# R2 LTE Router
/interface bridge
add admin-mac=<Redacted> auto-mac=no comment=defconf name=bridge
/interface wireguard
add listen-port=13231 mtu=1420 name=wg-pubip
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=10.10.0.10-10.10.0.60
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/routing table
add disabled=no fib name=to-wg
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=lte1 list=WAN
/interface wireguard peers
add allowed-address=172.22.1.0/24,192.168.88.0/24,0.0.0.0/0 endpoint-address=\
    <Redacted> endpoint-port=13231 interface=wg-pubip public-key=\
    <Redacted>
/ip address
add address=10.10.0.254/24 comment=defconf interface=bridge network=10.10.0.0
add address=172.22.1.2/24 interface=wg-pubip network=172.22.1.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.10.0.0/24 comment=defconf dns-server=10.10.0.254 gateway=\
    10.10.0.254
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=prerouting in-interface=wg-pubip \
    new-connection-mark=from-wg-conn passthrough=yes
add action=mark-routing chain=prerouting connection-mark=from-wg-conn \
    new-routing-mark=to-wg passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no dst-address=192.168.88.0/24 gateway=172.22.1.1 routing-table=\
    main suppress-hw-offload=no
add disabled=no dst-address=0.0.0.0/0 gateway=172.22.1.1 routing-table=to-wg \
    suppress-hw-offload=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Asia/Taipei
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Posts: 22337
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding over site-to-site wireguard

Wed May 15, 2024 3:41 am

Your allowed-IP settings are wrong, but I ran out of time to look at this today.
 
DeadStik
just joined
Posts: 20
Joined: Thu Jan 04, 2024 4:35 pm

Re: Port forwarding over site-to-site wireguard

Wed May 15, 2024 6:04 am

On R2, disable this firewall rule:
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
It will keep your mangle rules from working correctly.
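Instead of disabling fasttrack on R2 completely, the tunnel-marked connections can be excluded from the fasttrack rule, so LAN-to-LTE traffic keeps the speed-up while marked sessions still pass through mangle on every packet. This is an added example (not DeadStik's or the thread author's config); the rule comment "defconf: fasttrack" and the connection mark from-wg-conn are the ones in the configs posted above.

```routeros
# R2: keep fasttrack for unmarked (ordinary LAN <-> LTE) connections only.
# Fasttracked packets bypass the mangle chains, so a connection that has been
# fasttracked never receives the per-packet routing-mark and its replies follow
# the main table out the LTE interface instead of back through wg-pubip.
# Added example; the rule comment and the mark name come from this thread's configs.

# Option 1: narrow the existing defconf rule in place.
/ip firewall filter
set [ find comment="defconf: fasttrack" ] connection-mark=no-mark

# Option 2: the same rule written out, if you prefer to recreate it.
# add action=fasttrack-connection chain=forward comment="fasttrack (unmarked only)" \
#     connection-mark=no-mark connection-state=established,related hw-offload=yes

# Ordering note: mark-connection sits in mangle prerouting, which runs before
# filter forward for the same packet, so the first packet of a tunnel-originated
# session is already marked when the fasttrack rule evaluates it.
/ip firewall mangle print where chain=prerouting

# Check: sessions arriving over the tunnel must carry the mark and must NOT show
# the F (fasttrack) flag; an F on a from-wg-conn entry means the rule above is
# not in effect.
/ip firewall connection print where connection-mark=from-wg-conn
```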
 
cpc0307
just joined
Topic Author
Posts: 5
Joined: Tue May 14, 2024 12:33 pm

Re: Port forwarding over site-to-site wireguard

Wed May 15, 2024 6:17 am

I've managed to get it working, using the following configs.

WireGuard on R1:
Allowed Address: 172.22.1.2/32, 10.10.0.0/24

Routing and NAT config
On R1 it's just a simple dst-nat to the R2 LAN IP:
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=1111 in-interface=pppoe-out1 \
    protocol=tcp to-addresses=10.10.0.60 to-ports=8080
/ip route
add disabled=no dst-address=10.10.0.0/24 gateway=172.22.1.2 routing-table=main \
    suppress-hw-offload=no

Wireguard on R2:
Allowed Address: 172.22.1.1/32, 192.168.88.0/24, 0.0.0.0/0

Mangle rules
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=wg-pubip log=no \
    new-connection-mark=from-wg-conn passthrough=yes
add action=mark-routing chain=prerouting connection-mark=from-wg-conn log=no \
    new-routing-mark=to-wg passthrough=no src-address=\
    10.10.0.0/24
Routing config
/routing table add disabled=no fib name=to-wg
/ip route
add disabled=no dst-address=192.168.88.0/24 gateway=172.22.1.1 routing-table=\
    main suppress-hw-offload=no
add disabled=no dst-address=0.0.0.0/0 gateway=172.22.1.1 routing-table=to-wg \
    suppress-hw-offload=no
Also disabling fasttrack on R2, just like what @DeadStik mentioned
 
anav
Forum Guru
Posts: 22337
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding over site-to-site wireguard  [SOLVED]

Wed May 15, 2024 3:48 pm

You may think that but Mikrotik is often forgiving and will allow traffic to flow until it does not and you trip over some errors in the config.

By the way your naming convention for Wireguard was very confusing. You called the wireguard interface on the public IP router wg-lte
and you called the wireguard interface on the LTE router wg-pubip. ANTI-intuitive LOL.

ROUTER1
/interface wireguard peers
add allowed-address=172.22.1.2/32,10.10.0.0/24,0.0.0.0/0 interface=wg-lte \
public-key="<Redacted>" comment=R2

There are several things wrong here. First every client peer ( from the perspective of this Router ( the server for handshake)) must identify the specific peer.
Secondly, ONLY use 0.0.0.0/0 if the intent is to use internet of the other site. This is usually never entered into the peer settings of the Server router.
Think of the logic, this is but one connection on the wireguard interface, imagine besides the other router, you have several users needing secure access to the LAN, or you as the ADMIN need remote access to both routers............

By putting 0.0.0.0/0 ALL traffic heading back into the tunnel will be captured by this first peer and the other wireguard clients will NEVER get any return traffic.

Also 0.0.0.0/0 means ALL possible IP addresses so if it was correct here ( which it is not ), then putting in the other IPs was redundant (useless).

Example: As admin you can put in peer 172.22.1.3 for your home PC and 172.22.1.4 for your laptop when travelling. Each peer entry will be specific to that IP/32
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

(2) Probably can delete this old default entry.
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan


(3) I am surprised the IP route you have is working. The gateway is WRONG.
/ip route
add disabled=no dst-address=10.10.0.0/24 gateway=172.22.1.2 routing-table=\
main suppress-hw-offload=no


If anything it should be the local gateway ( 172.22.1.1 ), you have used the IP address of the other router.................
Change to:
/ip route
add disabled=no dst-address=10.10.0.0/24 gateway=wg-lte

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\

ROUTER 2
/interface wireguard peers
add allowed-address=172.22.1.0/24,192.168.88.0/24,0.0.0.0/0 endpoint-address=\
<Redacted> endpoint-port=13231 interface=wg-pubip public-key=\
<Redacted> persistent-keep-alive=35s

The allowed IPs were good but you make the same mistake with 0.0.0.0/0
If the intent is to go out the internet of the main router, then you only need 0.0.0.0/0, and remove the other two entries, OR more likely remove the 0.0.0.0/0
Missing persistent keep alive !!!

Good so far, now we have to mangle so that return traffic to public IPs that came in through wireguard go back via Wireguard, otherwise the R2 router will try to send them out the local WAN.
This method allows the server to record external public IPs hitting the server. Otherwise there was an easier way which avoided mangling.

/ip firewall mangle
add action=mark-connection chain=forward connection-mark=no-mark in-interface=wg-pubip \
new-connection-mark=from-wg-conn passthrough=yes
add action=mark-routing chain=prerouting connection-mark=from-wg-conn \
new-routing-mark=to-wg passthrough=no


To be accurate the forward chain is where the connection marking is done, the route-mark is correct in chain prerouting.
We also add connection-mark=no-mark. This allows us to keep using the fasttrack rule for all other traffic on the router!!

add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes connection-mark=no-mark
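The block below is an added example, not configuration posted by cpc0307 or anav: it assembles the working configuration from the earlier post and the corrections in this reply into one R1/R2 configuration. Assumed values are the tunnel addresses 172.22.1.1 (R1) and 172.22.1.2 (R2), which the thread's routes imply but never export, plus placeholder keys and endpoint. It keeps 0.0.0.0/0 on R2's peer, as in the working config, because WireGuard only accepts a decrypted packet whose source address falls inside the peer's allowed-address and the forwarded clients arrive with arbitrary public source addresses; on R1 the peer entry needs only R2's tunnel address and R2's LAN, so other peers can own their own /32.

```routeros
# Added example, not config from the thread. Assumed values are marked.

# ---------- R1: public IP on pppoe-out1, WireGuard "server" ----------
/interface wireguard
add listen-port=13231 mtu=1420 name=wg-lte
/ip address
add address=172.22.1.1/24 interface=wg-lte comment="assumed tunnel address"
/interface wireguard peers
# Only R2's tunnel address and R2's LAN. No 0.0.0.0/0 here, so a second
# peer (e.g. an admin laptop at 172.22.1.3/32) can still own its own /32.
add allowed-address=172.22.1.2/32,10.10.0.0/24 interface=wg-lte \
    public-key="<R2 public key>" comment=R2
/ip route
# Next hop is the local tunnel interface, not the remote router's address.
add dst-address=10.10.0.0/24 gateway=wg-lte
/ip firewall nat
# Public port 1111 -> HTTP server behind R2. The defconf forward chain
# accepts dst-natted connections from WAN, so no extra filter rule is needed.
add action=dst-nat chain=dstnat dst-port=1111 in-interface=pppoe-out1 \
    protocol=tcp to-addresses=10.10.0.60 to-ports=8080

# ---------- R2: LTE, no public IP, WireGuard "client" ----------
/interface wireguard
add mtu=1420 name=wg-pubip
/ip address
add address=172.22.1.2/24 interface=wg-pubip comment="assumed tunnel address"
/interface wireguard peers
# 0.0.0.0/0 stays on this side: it covers 172.22.1.1 and 192.168.88.0/24
# and lets WireGuard accept packets from any public source address that R1
# forwards in. persistent-keepalive keeps the LTE NAT mapping open so R1
# can always reach R2.
add allowed-address=0.0.0.0/0 endpoint-address="<R1 public IP or DNS name>" \
    endpoint-port=13231 interface=wg-pubip public-key="<R1 public key>" \
    persistent-keepalive=35s
/routing table
add fib name=to-wg
/ip route
add dst-address=192.168.88.0/24 gateway=172.22.1.1 routing-table=main
# Default route used only by packets carrying the to-wg routing mark.
add dst-address=0.0.0.0/0 gateway=172.22.1.1 routing-table=to-wg
/ip firewall mangle
# 1. Connection marking in chain forward: the first packet of a forwarded
#    connection enters through the tunnel.
add action=mark-connection chain=forward connection-mark=no-mark \
    in-interface=wg-pubip new-connection-mark=from-wg-conn passthrough=yes
# 2. Routing marking in chain prerouting: replies from the LAN that belong
#    to a tunnel connection use table to-wg (back into the tunnel) instead
#    of the LTE default route, avoiding asymmetric routing.
add action=mark-routing chain=prerouting connection-mark=from-wg-conn \
    src-address=10.10.0.0/24 new-routing-mark=to-wg passthrough=no
/ip firewall filter
# Keep fasttrack for everything else but exclude marked connections:
# fasttracked packets bypass mangle, so the routing mark would never apply.
set [ find comment="defconf: fasttrack" ] connection-mark=no-mark
```

To check that the marks are being applied, open a connection from an outside client to R1's public port 1111 and look at `/ip firewall connection print detail` on R2: the entry for 10.10.0.60:8080 should show connection-mark=from-wg-conn, and the reply packets should count on the to-wg route rather than on the LTE default route.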
 
cpc0307
just joined
Topic Author
Posts: 5
Joined: Tue May 14, 2024 12:33 pm

Re: Port forwarding over site-to-site wireguard

Wed May 15, 2024 5:46 pm

Thank you for the reply, it's really nice that we have this great community that can help us learn new things and correct our wrong configs : )
 
anav
Forum Guru
Posts: 22337
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding over site-to-site wireguard

Wed May 15, 2024 6:45 pm

The learning is the important part, copying blindly, never leads to success down the line, although it feels good to see traffic flowing. :-)