BigCol
newbie
Topic Author
Posts: 35
Joined: Sat Feb 11, 2023 5:12 pm

Wireguard connects - no connectivity

Sat Oct 12, 2024 3:10 pm

Hi, I have created a WireGuard profile to connect my phone to the network.

The connection appears to connect OK, but on my Android phone I get an error about no DNS.

I also have a site-to-site that runs just fine.

I have tried several times to sort this problem out, so there may be some old config lying around from previous attempts...

Here's my config.

thanks.

```
# 2024-10-12 12:50:10 by RouterOS 7.15.2
# software id = UCH8-EMCD
#
# model = RB750Gr3
# serial number =
/interface bridge
add arp=proxy-arp name=bridge1
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 user=\
bthomehub@btbroadband.com
/interface wireguard
add listen-port=51820 mtu=1420 name=wg0
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.1.20-192.168.1.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1 name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=bridge1 list=LAN
add interface=pppoe-out1 list=WAN
add interface=wg0 list=LAN
add interface=*E list=LAN
/interface ovpn-server server
set certificate=server enabled=yes
/interface wireguard peers
add allowed-address=172.16.0.2/32,10.1.1.0/24 interface=wg0 name=peer2 \
public-key=""
add allowed-address=192.168.100.2/32 interface=wg0 name=wg1 private-key=\
"" public-key=\
""
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
add address=172.16.0.1/24 interface=wg0 network=172.16.0.0
add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0
/ip dhcp-server lease
add address=192.168.1.16 client-id=1:dc:a6:32:e1:8a:81 mac-address=\
DC:A6:32:E1:8A:81 server=dhcp1
add address=192.168.1.120 client-id=1:8e:41:c0:f0:3a:cd mac-address=\
8E:41:C0:F0:3A:CD server=dhcp1
add address=192.168.1.80 client-id=1:0:e:58:34:c:f2 mac-address=\
00:0E:58:34:0C:F2 server=dhcp1
add address=192.168.1.81 client-id=1:5c:aa:fd:42:9e:e4 mac-address=\
5C:AA:FD:42:9E:E4 server=dhcp1
add address=192.168.1.82 client-id=1:78:28:ca:5d:f:20 mac-address=\
78:28:CA:5D:0F:20 server=dhcp1
add address=192.168.1.83 client-id=1:0:e:58:d0:6b:34 mac-address=\
00:0E:58:D0:6B:34 server=dhcp1
add address=192.168.1.84 client-id=1:0:e:58:7c:ff:48 mac-address=\
00:0E:58:7C:FF:48 server=dhcp1
add address=192.168.1.85 client-id=1:94:9f:3e:e1:ac:ca mac-address=\
94:9F:3E:E1:AC:CA server=dhcp1
add address=192.168.1.86 client-id=1:b8:e9:37:e2:77:66 mac-address=\
B8:E9:37:E2:77:66 server=dhcp1
add address=192.168.1.87 client-id=1:94:9f:3e:72:29:b8 mac-address=\
94:9F:3E:72:29:B8 server=dhcp1
add address=192.168.1.130 mac-address=7C:F6:66:4A:7A:9A server=dhcp1
add address=192.168.1.132 client-id=1:c8:d7:78:aa:fd:6f mac-address=\
C8:D7:78:AA:FD:6F server=dhcp1
add address=192.168.1.140 client-id=1:64:16:66:75:7a:22 mac-address=\
64:16:66:75:7A:22 server=dhcp1
add address=192.168.1.142 mac-address=6C:FF:CE:95:5B:5F server=dhcp1
add address=192.168.1.143 mac-address=68:54:FD:EC:CE:9B server=dhcp1
add address=192.168.1.100 mac-address=60:32:B1:48:5D:32 server=dhcp1
add address=192.168.1.101 client-id=1:d8:d:17:23:48:d9 mac-address=\
D8:0D:17:23:48:D9 server=dhcp1
add address=192.168.1.102 client-id=1:ac:84:c6:2:ba:51 mac-address=\
AC:84:C6:02:BA:51 server=dhcp1
add address=192.168.1.144 mac-address=1C:F2:9A:46:87:58 server=dhcp1
add address=192.168.1.88 client-id=1:0:e:58:26:2e:8e mac-address=\
00:0E:58:26:2E:8E server=dhcp1
add address=192.168.1.141 mac-address=D8:EB:46:94:4B:78 server=dhcp1
add address=192.168.1.103 mac-address=00:17:88:69:60:2D server=dhcp1
add address=192.168.1.104 mac-address=DC:4F:22:93:91:37 server=dhcp1
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8 gateway=192.168.1.1
/ip dns
set servers=8.8.8.8,1.1.1.1
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="allow colin wireguard" dst-port=13231 \
protocol=udp
add action=accept chain=input comment="Allow wireguard traffic - colin" log=\
yes log-prefix="colin WG" src-address=192.168.100.0/24
add action=accept chain=input dst-port=51820 log=yes log-prefix=\
"Incoming Wireguard" protocol=udp
add action=accept chain=input dst-port=51821 log=yes log-prefix=colinvpn \
protocol=udp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input disabled=yes in-interface-list=WAN protocol=tcp \
src-port=443
add action=drop chain=input comment="block everything else" in-interface=\
ether1
add action=fasttrack-connection chain=forward comment=\
"fast-track for established,related" connection-state=established,related \
hw-offload=yes
add action=accept chain=forward comment="accept established,related" \
connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=\
LAN out-interface-list=WAN
add action=accept chain=forward comment="remote access to local LAN" \
dst-address=192.168.1.0/24 in-interface=wg0 log=yes log-prefix=boat
add action=accept chain=forward comment="local access to tunnel" \
out-interface=wg0 src-address=192.168.1.0/24
add action=accept chain=forward comment="port forwarding" connection-mark="" \
connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
add action=accept chain=forward disabled=yes in-interface=wg0 out-interface=\
bridge1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
# no interface
add action=dst-nat chain=dstnat dst-port=51821 in-interface=*E protocol=udp \
to-ports=51821
add action=masquerade chain=srcnat disabled=yes out-interface=*F
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip route
add disabled=no distance=1 dst-address=10.1.1.0/24 gateway=wg0 pref-src="" \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add dst-address=192.168.1.0/24 gateway=*F
add dst-address=10.1.1.0/24 gateway=*F
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.1.0/24 disabled=yes
set ssh disabled=yes
set api disabled=yes
/system clock
set time-zone-name=Europe/London
/system note
set show-at-login=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
```
 
anav
Forum Guru
Posts: 22387
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard connects - no connectivity

Sat Oct 12, 2024 4:37 pm

Your problem is simple: get rid of the second wireguard, it's causing you all sorts of problems and is not needed.
Your allowed peers identify the wrong thing...
Adjusted:
/interface wireguard
add listen-port=51820 mtu=1420 name=wg0


/interface wireguard peers
add allowed-address=172.16.0.2/32,10.1.1.0/24 interface=wg0 name=peer2 \
public-key=""
add allowed-address=172.16.0.3/32 interface=wg0 name=wg1 private-key=\
"" public-key=\
""


/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
add address=172.16.0.1/24 interface=wg0 network=172.16.0.0
 
BigCol
newbie
Topic Author
Posts: 35
Joined: Sat Feb 11, 2023 5:12 pm

Re: Wireguard connects - no connectivity

Sat Oct 12, 2024 5:48 pm

Thanks for the reply. Changes made as suggested, same symptom...

Updated config

```
# 2024-10-12 15:44:18 by RouterOS 7.15.2
# software id = UCH8-EMCD
#
# model = RB750Gr3
# serial number =
/interface bridge
add arp=proxy-arp name=bridge1
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 user=\
bthomehub@btbroadband.com
/interface wireguard
add listen-port=51820 mtu=1420 name=wg0
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.1.20-192.168.1.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1 name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=bridge1 list=LAN
add interface=pppoe-out1 list=WAN
add interface=wg0 list=LAN
add interface=*E list=LAN
/interface ovpn-server server
set certificate=server enabled=yes
/interface wireguard peers
add allowed-address=172.16.0.2/32,10.1.1.0/24 interface=wg0 name=peer2 \
public-key="="
add allowed-address=172.16.0.3/32 interface=wg0 name=wg1 private-key=\
"=" public-key=\
"="
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
add address=172.16.0.1/24 interface=wg0 network=172.16.0.0
/ip dhcp-server lease
add address=192.168.1.16 client-id=1:dc:a6:32:e1:8a:81 mac-address=\
DC:A6:32:E1:8A:81 server=dhcp1
add address=192.168.1.120 client-id=1:8e:41:c0:f0:3a:cd mac-address=\
8E:41:C0:F0:3A:CD server=dhcp1
add address=192.168.1.80 client-id=1:0:e:58:34:c:f2 mac-address=\
00:0E:58:34:0C:F2 server=dhcp1
add address=192.168.1.81 client-id=1:5c:aa:fd:42:9e:e4 mac-address=\
5C:AA:FD:42:9E:E4 server=dhcp1
add address=192.168.1.82 client-id=1:78:28:ca:5d:f:20 mac-address=\
78:28:CA:5D:0F:20 server=dhcp1
add address=192.168.1.83 client-id=1:0:e:58:d0:6b:34 mac-address=\
00:0E:58:D0:6B:34 server=dhcp1
add address=192.168.1.84 client-id=1:0:e:58:7c:ff:48 mac-address=\
00:0E:58:7C:FF:48 server=dhcp1
add address=192.168.1.85 client-id=1:94:9f:3e:e1:ac:ca mac-address=\
94:9F:3E:E1:AC:CA server=dhcp1
add address=192.168.1.86 client-id=1:b8:e9:37:e2:77:66 mac-address=\
B8:E9:37:E2:77:66 server=dhcp1
add address=192.168.1.87 client-id=1:94:9f:3e:72:29:b8 mac-address=\
94:9F:3E:72:29:B8 server=dhcp1
add address=192.168.1.130 mac-address=7C:F6:66:4A:7A:9A server=dhcp1
add address=192.168.1.132 client-id=1:c8:d7:78:aa:fd:6f mac-address=\
C8:D7:78:AA:FD:6F server=dhcp1
add address=192.168.1.140 client-id=1:64:16:66:75:7a:22 mac-address=\
64:16:66:75:7A:22 server=dhcp1
add address=192.168.1.142 mac-address=6C:FF:CE:95:5B:5F server=dhcp1
add address=192.168.1.143 mac-address=68:54:FD:EC:CE:9B server=dhcp1
add address=192.168.1.100 mac-address=60:32:B1:48:5D:32 server=dhcp1
add address=192.168.1.101 client-id=1:d8:d:17:23:48:d9 mac-address=\
D8:0D:17:23:48:D9 server=dhcp1
add address=192.168.1.102 client-id=1:ac:84:c6:2:ba:51 mac-address=\
AC:84:C6:02:BA:51 server=dhcp1
add address=192.168.1.144 mac-address=1C:F2:9A:46:87:58 server=dhcp1
add address=192.168.1.88 client-id=1:0:e:58:26:2e:8e mac-address=\
00:0E:58:26:2E:8E server=dhcp1
add address=192.168.1.141 mac-address=D8:EB:46:94:4B:78 server=dhcp1
add address=192.168.1.103 mac-address=00:17:88:69:60:2D server=dhcp1
add address=192.168.1.104 mac-address=DC:4F:22:93:91:37 server=dhcp1
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8 gateway=192.168.1.1
/ip dns
set servers=8.8.8.8,1.1.1.1
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="allow colin wireguard" dst-port=13231 \
protocol=udp
add action=accept chain=input comment="Allow wireguard traffic - colin" log=\
yes log-prefix="colin WG" src-address=192.168.100.0/24
add action=accept chain=input dst-port=51820 log=yes log-prefix=\
"Incoming Wireguard" protocol=udp
add action=accept chain=input dst-port=51821 log=yes log-prefix=colinvpn \
protocol=udp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input disabled=yes in-interface-list=WAN protocol=tcp \
src-port=443
add action=drop chain=input comment="block everything else" in-interface=\
ether1
add action=fasttrack-connection chain=forward comment=\
"fast-track for established,related" connection-state=established,related \
hw-offload=yes
add action=accept chain=forward comment="accept established,related" \
connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=\
LAN out-interface-list=WAN
add action=accept chain=forward comment="remote access to local LAN" \
dst-address=192.168.1.0/24 in-interface=wg0 log=yes log-prefix=boat
add action=accept chain=forward comment="local access to tunnel" \
out-interface=wg0 src-address=192.168.1.0/24
add action=accept chain=forward comment="port forwarding" connection-mark="" \
connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
add action=accept chain=forward disabled=yes in-interface=wg0 out-interface=\
bridge1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
# no interface
add action=dst-nat chain=dstnat dst-port=51821 in-interface=*E protocol=udp \
to-ports=51821
add action=masquerade chain=srcnat disabled=yes out-interface=*F
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip route
add disabled=no distance=1 dst-address=10.1.1.0/24 gateway=wg0 pref-src="" \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add dst-address=192.168.1.0/24 gateway=*F
add dst-address=10.1.1.0/24 gateway=*F
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.1.0/24 disabled=yes
set ssh disabled=yes
set api disabled=yes
/system clock
set time-zone-name=Europe/London
/system note
set show-at-login=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
```
 
anav
Forum Guru
Posts: 22387
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard connects - no connectivity

Sat Oct 12, 2024 6:52 pm

1. You also have this config error, but I'm not sure what you have put here to cause this:
add interface=*E list=LAN

Related to the most likely incorrect or unneeded attempt to port forward using wireguard??
# no interface
add action=dst-nat chain=dstnat dst-port=51821 in-interface=*E protocol=udp \
to-ports=51821


Suggest you remove these rules for starters!

3. There is no need to state the private key here.......
add allowed-address=172.16.0.3/32 interface=wg0 name=wg1 private-key=\
"=" public-key=\


4. If the intent is for colin to be able to reach and config the router via wireguard, the correct port needs to be used!
add action=accept chain=input comment="allow colin wireguard" dst-port=13231 \
protocol=udp


add action=accept chain=input comment="allow colin wireguard" dst-port=51820 \
protocol=udp


5. Another error here, also remove this.....
add action=masquerade chain=srcnat disabled=yes out-interface=*F

6. These routes also are showing errors and must be removed.
add dst-address=192.168.1.0/24 gateway=*F
add dst-address=10.1.1.0/24 gateway=*F


7. CLEANUP ORGANIZE FIREWALL RULES

/ip firewall address-list
add address=192.168.1.X list=TRUSTED comment="admin pc on local subnet"
add address=172.16.0.3 list=TRUSTED comment="remote admin smartphone"
add address=192.168.100.Y list=TRUSTED comment="remote admin on secondary router subnet"
ADD AS NECESSARY

/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="wireguard handshake" dst-port=51821 protocol=udp \
log=yes log-prefix=incoming-wireguard
add action=accept chain=input comment="admin access" src-address-list=TRUSTED log=yes log-prefix=adminaccess
add action=accept chain=input comment="users to services" dst-port=53 protocol=udp in-interface-list=LAN
add action=accept chain=input comment="users to services" dst-port=53 protocol=tcp in-interface-list=LAN
add action=drop chain=input comment="Drop all else"

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=\
LAN out-interface-list=WAN
add action=accept chain=forward comment="remote access to local LAN" \
dst-address=192.168.1.0/24 in-interface=wg0 log=yes log-prefix=boat
add action=accept chain=forward comment="local access to tunnel" \
out-interface=wg0 src-address=192.168.1.0/24
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
 
BigCol
newbie
Topic Author
Posts: 35
Joined: Sat Feb 11, 2023 5:12 pm

Re: Wireguard connects - no connectivity

Sat Oct 12, 2024 10:15 pm

Thanks again.

I've implemented your suggestions 1 - 6.

For item 7, should I replace ALL my current firewall rules with your suggestions?

Is the line of +++++++++++++++++++++++++++
only to highlight the split between the different chains??

:)
 
anav
Forum Guru
Posts: 22387
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard connects - no connectivity

Sat Oct 12, 2024 11:02 pm

Yes and yes LOL.
Be careful NOT to put in the drop all rule as the last rule in the input chain UNTIL your ALLOW trusted rule is in place and properly configured, otherwise you will lock yourself out.

On that note, typically if I have a spare port, I take it off the bridge and give it an IP of 192.168.55.1/30, for example.
Make sure it's part of the TRUSTED firewall address list and also make it part of the LAN interface list; if something funny happens on the bridge etc.... you still have access.
Just plug in a laptop on that port with IPv4 address 192.168.55.2 and you're in.
 
BigCol
newbie
Topic Author
Posts: 35
Joined: Sat Feb 11, 2023 5:12 pm

Re: Wireguard connects - no connectivity

Sun Oct 13, 2024 12:24 am

Couple of questions, if I may please.

In suggestion 4, you mention port 51820, should this be part of the cleaned up rules in suggestion 7?

Suggestion 7 mentions port 51821, should this read as 51820 as per suggestion 4?
 
BigCol
newbie
Topic Author
Posts: 35
Joined: Sat Feb 11, 2023 5:12 pm

Re: Wireguard connects - no connectivity

Sun Oct 13, 2024 2:31 am

Updated config... my mobile appears to connect but I can't get connectivity either to the LAN or externally...

```
# 2024-10-13 00:27:46 by RouterOS 7.15.2
# software id = UCH8-EMCD
#
# model = RB750Gr3
# serial number =
/interface bridge
add arp=proxy-arp name=bridge1
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 user=\
bthomehub@btbroadband.com
/interface wireguard
add listen-port=51820 mtu=1420 name=wg0
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.1.20-192.168.1.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1 name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface list member
add interface=bridge1 list=LAN
add interface=pppoe-out1 list=WAN
add interface=wg0 list=LAN
/interface ovpn-server server
set certificate=server enabled=yes
/interface wireguard peers
add allowed-address=172.16.0.2/32,10.1.1.0/24 interface=wg0 name=peer2 \
public-key=""
add allowed-address=172.16.0.3/32,192.168.1.0/24 interface=wg0 name=wg1 \
public-key=""
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
add address=172.16.0.1/24 interface=wg0 network=172.16.0.0
add address=172.16.0.3 interface=wg0 network=172.16.0.0
/ip dhcp-server lease
add address=192.168.1.16 client-id=1:dc:a6:32:e1:8a:81 mac-address=\
DC:A6:32:E1:8A:81 server=dhcp1
add address=192.168.1.120 client-id=1:8e:41:c0:f0:3a:cd mac-address=\
8E:41:C0:F0:3A:CD server=dhcp1
add address=192.168.1.80 client-id=1:0:e:58:34:c:f2 mac-address=\
00:0E:58:34:0C:F2 server=dhcp1
add address=192.168.1.81 client-id=1:5c:aa:fd:42:9e:e4 mac-address=\
5C:AA:FD:42:9E:E4 server=dhcp1
add address=192.168.1.82 client-id=1:78:28:ca:5d:f:20 mac-address=\
78:28:CA:5D:0F:20 server=dhcp1
add address=192.168.1.83 client-id=1:0:e:58:d0:6b:34 mac-address=\
00:0E:58:D0:6B:34 server=dhcp1
add address=192.168.1.84 client-id=1:0:e:58:7c:ff:48 mac-address=\
00:0E:58:7C:FF:48 server=dhcp1
add address=192.168.1.85 client-id=1:94:9f:3e:e1:ac:ca mac-address=\
94:9F:3E:E1:AC:CA server=dhcp1
add address=192.168.1.86 client-id=1:b8:e9:37:e2:77:66 mac-address=\
B8:E9:37:E2:77:66 server=dhcp1
add address=192.168.1.87 client-id=1:94:9f:3e:72:29:b8 mac-address=\
94:9F:3E:72:29:B8 server=dhcp1
add address=192.168.1.130 mac-address=7C:F6:66:4A:7A:9A server=dhcp1
add address=192.168.1.132 client-id=1:c8:d7:78:aa:fd:6f mac-address=\
C8:D7:78:AA:FD:6F server=dhcp1
add address=192.168.1.140 client-id=1:64:16:66:75:7a:22 mac-address=\
64:16:66:75:7A:22 server=dhcp1
add address=192.168.1.142 mac-address=6C:FF:CE:95:5B:5F server=dhcp1
add address=192.168.1.143 mac-address=68:54:FD:EC:CE:9B server=dhcp1
add address=192.168.1.100 mac-address=60:32:B1:48:5D:32 server=dhcp1
add address=192.168.1.101 client-id=1:d8:d:17:23:48:d9 mac-address=\
D8:0D:17:23:48:D9 server=dhcp1
add address=192.168.1.102 client-id=1:ac:84:c6:2:ba:51 mac-address=\
AC:84:C6:02:BA:51 server=dhcp1
add address=192.168.1.144 mac-address=1C:F2:9A:46:87:58 server=dhcp1
add address=192.168.1.88 client-id=1:0:e:58:26:2e:8e mac-address=\
00:0E:58:26:2E:8E server=dhcp1
add address=192.168.1.141 mac-address=D8:EB:46:94:4B:78 server=dhcp1
add address=192.168.1.103 mac-address=00:17:88:69:60:2D server=dhcp1
add address=192.168.1.104 mac-address=DC:4F:22:93:91:37 server=dhcp1
add address=192.168.1.96 client-id=1:50:1a:c5:e8:92:1b mac-address=\
50:1A:C5:E8:92:1B server=dhcp1
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8 gateway=192.168.1.1
/ip dns
set servers=8.8.8.8,1.1.1.1
/ip firewall address-list
add address=192.168.1.96 list=Trusted
add address=192.168.1.10 list=Trusted
add address=192.168.1.16 list=Trusted
add address=192.168.1.11 list=Trusted
add address=172.16.0.3 list=Trusted
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="wireguard handshake" dst-port=51820 \
log=yes log-prefix="Incoming Wireguard" protocol=udp
add action=accept chain=input comment="admin access" log=yes log-prefix=\
adminaccess src-address-list=Trusted
add action=accept chain=input comment="users to services" dst-port=53 \
in-interface-list=LAN protocol=udp
add action=accept chain=input comment="users to services" dst-port=53 \
in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else" in-interface=ether1
add action=fasttrack-connection chain=forward comment=\
"fast-track for established,related" connection-state=established,related \
hw-offload=yes
add action=accept chain=forward comment="accept established,related" \
connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=\
LAN out-interface-list=WAN
add action=accept chain=forward comment="remote access to local LAN" \
dst-address=192.168.1.0/24 in-interface=wg0 log=yes log-prefix=boat
add action=accept chain=forward comment="local access to tunnel" \
out-interface=wg0 src-address=192.168.1.0/24
add action=accept chain=forward comment="port forwarding" connection-mark="" \
connection-nat-state=dstnat
add action=accept chain=forward comment="port forwarding" \
connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
add action=accept chain=forward disabled=yes in-interface=wg0 out-interface=\
bridge1
add action=accept chain=input disabled=yes dst-port=51821 log=yes log-prefix=\
colinvpn protocol=udp
add action=accept chain=input disabled=yes in-interface-list=WAN protocol=tcp \
src-port=443
add action=accept chain=input comment="allow colin wireguard" disabled=yes \
dst-port=51820 protocol=udp
add action=accept chain=input comment="Allow wireguard traffic - colin" \
disabled=yes log=yes log-prefix="colin WG" src-address=192.168.100.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip route
add disabled=no distance=1 dst-address=10.1.1.0/24 gateway=wg0 pref-src="" \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add dst-address=192.168.1.0/24 gateway=*F
add dst-address=10.1.1.0/24 gateway=*F
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.1.0/24 disabled=yes
set ssh disabled=yes
set api disabled=yes
/system clock
set time-zone-name=Europe/London
/system note
set show-at-login=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
```
 
anav
Forum Guru
Posts: 22387
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard connects - no connectivity

Sun Oct 13, 2024 5:21 am

1. Allowed IPs identifies remote addresses and thus this is not correct and should be removed.
add allowed-address=172.16.0.3/32,192.168.1.0/24 interface=wg0 name=wg1 \
public-key=""


2. Why did you create another wireguard address, the router only uses one address in this configuration.......
Remove it.
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
add address=172.16.0.1/24 interface=wg0 network=172.16.0.0
add address=172.16.0.3 interface=wg0 network=172.16.0.0


3. Just to be clear, you will never be at the other site 192.168.100.X and require the ability to configure this router over the wireguard?
Reason I ask is that, in the original config, you gave the whole .100 subnet access on the input chain??

4. Why do you add back in ether1 here? Get rid of it, the block rule drops everything from both LAN and WAN, so don't add limitations....
add action=drop chain=input comment="drop all else" in-interface=ether1

5. Duplicate rules, get rid of one of them..............
add action=accept chain=forward comment="port forwarding" connection-mark="" \
connection-nat-state=dstnat
add action=accept chain=forward comment="port forwarding" \
connection-nat-state=dstnat


6. Remove all junk rules after the forward chain drop rule.........
add action=drop chain=forward comment="drop all else"
add action=accept chain=forward disabled=yes in-interface=wg0 out-interface=\
bridge1
add action=accept chain=input disabled=yes dst-port=51821 log=yes log-prefix=\
colinvpn protocol=udp
add action=accept chain=input disabled=yes in-interface-list=WAN protocol=tcp \
src-port=443
add action=accept chain=input comment="allow colin wireguard" disabled=yes \
dst-port=51820 protocol=udp
add action=accept chain=input comment="Allow wireguard traffic - colin" \
disabled=yes log=yes log-prefix="colin WG" src-address=192.168.100.0/24


If you fix all that up, there should be no reason for not connecting to the Router LAN.
Would have to look at your wireguard settings on remote devices..
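The mistakes anav lists in the two replies above (dangling `*E`/`*F` references, an allowed-address that covers the router's own LAN, a router address that duplicates a peer's allowed-address, a "drop all else" limited to one interface, duplicate rules, and rules left after the chain's catch-all drop) can all be caught mechanically from an export. The linter below is an added example, not RouterOS code and not anything posted in the thread; it parses the export format (menu paths, `add` lines, `\` continuations, quoted values) and reports each of those findings. `SAMPLE_EXPORT` is a constructed, cut-down version of the thread's config with placeholder public keys.

```python
"""Lint a RouterOS export for the WireGuard/firewall mistakes raised in this thread.
Added example, not RouterOS code nor anything posted here; SAMPLE_EXPORT is a constructed,
cut-down version of the thread's config with placeholder public keys."""
import ipaddress
import re
import shlex

COSMETIC = {"comment", "log", "log-prefix", "disabled"}   # never affect what a rule matches
NON_MATCHERS = COSMETIC | {"action", "chain"}
DANGLING = re.compile(r"\*[0-9A-F]+")  # RouterOS prints '*<id>' for an object that no longer exists

SAMPLE_EXPORT = r"""
/interface list member
add interface=*E list=LAN
/interface wireguard peers
add allowed-address=172.16.0.2/32,10.1.1.0/24 interface=wg0 name=peer2 \
    public-key="PEER2-PUBKEY-PLACEHOLDER"
add allowed-address=172.16.0.3/32,192.168.1.0/24 interface=wg0 name=wg1 \
    public-key="WG1-PUBKEY-PLACEHOLDER"
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
add address=172.16.0.1/24 interface=wg0 network=172.16.0.0
add address=172.16.0.3 interface=wg0 network=172.16.0.0
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input comment="drop all else" in-interface=ether1
add action=accept chain=forward comment="port forwarding" connection-mark="" \
    connection-nat-state=dstnat
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
add action=accept chain=forward disabled=yes in-interface=wg0 out-interface=bridge1
"""

def parse_export(text):
    """Return (section, {key: value}) per add/set line, joining '\\' continuations."""
    entries, section, pending = [], None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # continued on the next line
            pending = line[:-1]
            continue
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):           # menu path such as /ip firewall filter
            section = line
            continue
        kv = {}
        for tok in shlex.split(line)[1:]:  # skip the verb (add/set); shlex handles quotes
            if "=" in tok:
                key, value = tok.split("=", 1)
                kv[key] = value
        entries.append((section, kv))
    return entries

def lint_export(text):
    """Return human-readable findings for the mistakes discussed in the thread."""
    entries = parse_export(text)
    findings = []
    # 1. Dangling '*E'-style references (interface lists, NAT, routes).
    for section, kv in entries:
        for key, value in kv.items():
            if DANGLING.fullmatch(value):
                findings.append(f"{section}: {key}={value} refers to an object that no longer exists")
    # 2. allowed-address describes the *remote* side: it must not cover a subnet the router
    #    serves on another interface, nor duplicate an address the router holds itself.
    own = [(kv["interface"], ipaddress.ip_interface(kv["address"]))
           for section, kv in entries if section == "/ip address"]
    for section, kv in entries:
        if section != "/interface wireguard peers":
            continue
        for cidr in filter(None, kv.get("allowed-address", "").split(",")):
            net = ipaddress.ip_network(cidr, strict=False)
            for iface, addr in own:
                if iface != kv["interface"] and net.overlaps(addr.network):
                    findings.append(f"peer {kv['name']}: allowed-address {cidr} overlaps local subnet {addr.network} on {iface}")
                elif iface == kv["interface"] and net.prefixlen == 32 and addr.ip in net:
                    findings.append(f"peer {kv['name']}: allowed-address {cidr} is also the router's own address on {iface}")
    # 3. Filter chains: a catch-all drop limited to one interface, duplicate rules, and
    #    rules left behind after the chain's real catch-all drop.
    rules = [kv for section, kv in entries if section == "/ip firewall filter"]
    seen, closed_chains = {}, set()
    for idx, rule in enumerate(rules):
        chain = rule.get("chain")
        if chain in closed_chains:
            findings.append(f"filter rule {idx} ({chain}): unreachable, placed after the chain's catch-all drop")
            continue
        matchers = {k for k, v in rule.items() if k not in NON_MATCHERS and v != ""}
        sig = tuple(sorted((k, v) for k, v in rule.items() if k not in COSMETIC and v != ""))
        if sig in seen:
            findings.append(f"filter rule {idx} ({chain}): duplicate of rule {seen[sig]}")
        else:
            seen[sig] = idx
        if rule.get("action") == "drop" and not matchers:
            closed_chains.add(chain)
        elif rule.get("action") == "drop" and matchers <= {"in-interface", "in-interface-list"}:
            limit = ", ".join(f"{m}={rule[m]}" for m in sorted(matchers))
            findings.append(f"filter rule {idx} ({chain}): drop limited to {limit}; other interfaces are never dropped")
    return findings
```

Run `lint_export(SAMPLE_EXPORT)` and each of anav's points comes back as one finding; run it against a clean export (one catch-all drop per chain, no `*`-references, peers whose allowed-address names only remote addresses) and it returns an empty list. The duplicate check deliberately ignores `comment`, `log`, `log-prefix` and `disabled`, and treats `connection-mark=""` as no matcher, which is exactly why the two "port forwarding" rules collapse into one.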
 
BigCol
newbie
Topic Author
Posts: 35
Joined: Sat Feb 11, 2023 5:12 pm

Re: Wireguard connects - no connectivity

Sun Oct 13, 2024 12:06 pm

Thanks for explaining, all implemented.

Regarding your question:
3. Just to be clear you will never be at the other site 192.168.100.X and require the ability to configure this router over the wireguard?
Reason I ask is that you gave in the original config, the whole .100 subnet access on the input chain??

I added 192.168.100.x when I was following this MikroTik YouTube video https://www.youtube.com/watch?v=vn9ky7p5ESM

This didn't work for me so I believe I've deleted all reference to it now.

The other site uses 10.1.1.x, which uses the site-to-site wireguard connection, and I need connectivity between both sites. This works OK at the moment.
 
BigCol
newbie
Topic Author
Posts: 35
Joined: Sat Feb 11, 2023 5:12 pm

Re: Wireguard connects - no connectivity

Sun Oct 13, 2024 1:09 pm

Thanks for your continued support.

I can now connect to wireguard from 2 phones, view devices on both home (local) and boat LANs, and the site-to-site is also still working.

Thank you!!!


Current config:

# 2024-10-13 13:19:11 by RouterOS 7.15.2
# software id = UCH8-EMCD
#
# model = RB750Gr3
# serial number =
/interface bridge
add arp=proxy-arp name=bridge1
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 user=\
bthomehub@btbroadband.com
/interface wireguard
add listen-port=51820 mtu=1420 name=wg0
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.1.20-192.168.1.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1 name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface list member
add interface=bridge1 list=LAN
add interface=pppoe-out1 list=WAN
add interface=wg0 list=LAN
/interface ovpn-server server
set certificate=server enabled=yes
/interface wireguard peers
add allowed-address=172.16.0.0/24,10.1.1.0/24 interface=wg0 name=peer2 \
public-key="="
add allowed-address=172.16.0.3/32 interface=wg0 name=colin public-key=\
"="
add allowed-address=172.16.0.4/32 interface=wg0 name=chris public-key=\
"="
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
add address=172.16.0.1/24 interface=wg0 network=172.16.0.0
/ip dhcp-server lease
add address=192.168.1.16 client-id=1:dc:a6:32:e1:8a:81 mac-address=\
DC:A6:32:E1:8A:81 server=dhcp1
add address=192.168.1.120 client-id=1:8e:41:c0:f0:3a:cd mac-address=\
8E:41:C0:F0:3A:CD server=dhcp1
add address=192.168.1.80 client-id=1:0:e:58:34:c:f2 mac-address=\
00:0E:58:34:0C:F2 server=dhcp1
add address=192.168.1.81 client-id=1:5c:aa:fd:42:9e:e4 mac-address=\
5C:AA:FD:42:9E:E4 server=dhcp1
add address=192.168.1.82 client-id=1:78:28:ca:5d:f:20 mac-address=\
78:28:CA:5D:0F:20 server=dhcp1
add address=192.168.1.83 client-id=1:0:e:58:d0:6b:34 mac-address=\
00:0E:58:D0:6B:34 server=dhcp1
add address=192.168.1.84 client-id=1:0:e:58:7c:ff:48 mac-address=\
00:0E:58:7C:FF:48 server=dhcp1
add address=192.168.1.85 client-id=1:94:9f:3e:e1:ac:ca mac-address=\
94:9F:3E:E1:AC:CA server=dhcp1
add address=192.168.1.86 client-id=1:b8:e9:37:e2:77:66 mac-address=\
B8:E9:37:E2:77:66 server=dhcp1
add address=192.168.1.87 client-id=1:94:9f:3e:72:29:b8 mac-address=\
94:9F:3E:72:29:B8 server=dhcp1
add address=192.168.1.130 mac-address=7C:F6:66:4A:7A:9A server=dhcp1
add address=192.168.1.132 client-id=1:c8:d7:78:aa:fd:6f mac-address=\
C8:D7:78:AA:FD:6F server=dhcp1
add address=192.168.1.140 client-id=1:64:16:66:75:7a:22 mac-address=\
64:16:66:75:7A:22 server=dhcp1
add address=192.168.1.142 mac-address=6C:FF:CE:95:5B:5F server=dhcp1
add address=192.168.1.143 mac-address=68:54:FD:EC:CE:9B server=dhcp1
add address=192.168.1.100 mac-address=60:32:B1:48:5D:32 server=dhcp1
add address=192.168.1.101 client-id=1:d8:d:17:23:48:d9 mac-address=\
D8:0D:17:23:48:D9 server=dhcp1
add address=192.168.1.102 client-id=1:ac:84:c6:2:ba:51 mac-address=\
AC:84:C6:02:BA:51 server=dhcp1
add address=192.168.1.144 mac-address=1C:F2:9A:46:87:58 server=dhcp1
add address=192.168.1.88 client-id=1:0:e:58:26:2e:8e mac-address=\
00:0E:58:26:2E:8E server=dhcp1
add address=192.168.1.141 mac-address=D8:EB:46:94:4B:78 server=dhcp1
add address=192.168.1.103 mac-address=00:17:88:69:60:2D server=dhcp1
add address=192.168.1.104 mac-address=DC:4F:22:93:91:37 server=dhcp1
add address=192.168.1.96 client-id=1:50:1a:c5:e8:92:1b mac-address=\
50:1A:C5:E8:92:1B server=dhcp1
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8 gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip firewall address-list
add address=192.168.1.96 list=Trusted
add address=192.168.1.10 list=Trusted
add address=192.168.1.16 list=Trusted
add address=192.168.1.11 list=Trusted
add address=172.16.0.3 list=Trusted
add address=10.1.1.0/24 list=home-boat
add address=192.168.1.0/24 list=home-boat
add address=172.16.0.4 disabled=yes list=Trusted
add address=172.16.0.0/24 list=Trusted
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="wireguard handshake" dst-port=51820 \
log-prefix="Incoming Wireguard" protocol=udp
add action=accept chain=input comment="admin access" log-prefix=adminaccess \
src-address-list=Trusted
add action=accept chain=input comment="users to services" dst-port=53 \
in-interface-list=LAN protocol=udp
add action=accept chain=input comment="users to services" dst-port=53 \
in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else" log=yes log-prefix=\
droped-input
add action=fasttrack-connection chain=forward comment=\
"fast-track for established,related" connection-state=established,related \
hw-offload=yes
add action=accept chain=forward comment="accept established,related" \
connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=\
LAN out-interface-list=WAN
add action=accept chain=forward comment="remote access to home-boat lans" \
dst-address-list=home-boat in-interface=wg0 log-prefix=home-boat
add action=accept chain=forward comment="local access to tunnel" \
out-interface=wg0 src-address=192.168.1.0/24
add action=accept chain=forward comment="port forwarding" connection-mark="" \
connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else" log-prefix=dropped-fwd
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip route
add disabled=no distance=1 dst-address=10.1.1.0/24 gateway=wg0 pref-src="" \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add dst-address=192.168.1.0/24 gateway=*F
add dst-address=10.1.1.0/24 gateway=*F
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.1.0/24 disabled=yes
set ssh disabled=yes
set api disabled=yes
/system clock
set time-zone-name=Europe/London
/system note
set show-at-login=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Posts: 22387
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard connects - no connectivity

Sun Oct 13, 2024 3:28 pm

Okay, so basically asking how to reach the other remote site from the android device.........
The other remote site being a router with subnet 10.1.1.0/24.


Let's say someone from the 192.168.1.0 local subnet wants to reach 10.1.1.X...
The main router doesn't know about this remote subnet at all... so we have to tell it...
Same goes for the android traffic after it hits the main router.

Yes, the single extra route required (get rid of the rest, they also show errors) is:
```
/ip route
add dst-address=10.1.1.0/24 gateway=wg0 routing-table=main
```

```
add dst-address=192.168.1.0/24 gateway=*F
add dst-address=10.1.1.0/24 gateway=*F
```


One last point on the main router!
Since the connections are peer to peer, the traffic from the Android coming through WireGuard exits the tunnel on the main router with a destination
of the remote site subnet. To ensure this occurs we add a relay forward chain firewall rule...

```
add chain=forward action=accept comment="relay wg traffic" in-interface=wg0 out-interface=wg0
```


Once again, though, you have taken creative license to make changes that get in the way...
This is wrong: the peers on the main router need to be identified singularly, like the rest of the peers (aka it should be 172.16.0.2/32).
```
/interface wireguard peers
add allowed-address=172.16.0.0/24,10.1.1.0/24 interface=wg0 name=peer2 \
public-key="="
add allowed-address=172.16.0.3/32 interface=wg0 name=colin public-key=\
"="
add allowed-address=172.16.0.4/32 interface=wg0 name=chris public-key=\
"="
```


Remote Site:
On the remote site router, ensure allowed IPs is set to 172.16.0.0/24,192.168.1.0/24 ...................................
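To see why each of anav's four points (the wg0 route, the wg0-to-wg0 forward rule, /32 allowed-address per hub peer, and the remote site allowing 172.16.0.0/24 and 192.168.1.0/24) is needed, here is an added example that is not from the thread or from RouterOS: a small Python model of WireGuard's cryptokey routing plus the hub's route and forward-chain checks, tracing a packet from the Android phone to the remote site. Addresses come from the thread; the phone's tunnel IP 172.16.0.3 and the peer names are assumptions.

```python
# Added example, not from the thread: a small model of WireGuard
# "cryptokey routing" plus the hub's route and forward-chain checks, used to
# trace the Android -> remote-site path anav describes. Addresses are the
# thread's; the Android source IP 172.16.0.3 and peer names are assumptions.
import ipaddress

# Hub (main router) peers after anav's correction: one /32 per road warrior,
# and the site-to-site peer carries its tunnel IP plus its LAN.
HUB_PEERS = {
    "peer2": ["172.16.0.2/32", "10.1.1.0/24"],
    "colin": ["172.16.0.3/32"],
    "chris": ["172.16.0.4/32"],
}
# Remote-site router: its only peer is the hub, per anav's last point.
REMOTE_PEERS = {"hub": ["172.16.0.0/24", "192.168.1.0/24"]}
# Hub routing table entries that matter here (the wg0 route is the added one).
HUB_ROUTES = {"10.1.1.0/24": "wg0", "192.168.1.0/24": "bridge1"}

def select_peer(peers, ip):
    """Outbound cryptokey routing: the peer with the longest matching allowed-address wins."""
    ip = ipaddress.ip_address(ip)
    best = None
    for name, nets in peers.items():
        for net in map(ipaddress.ip_network, nets):
            if ip in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    return best[0] if best else None

def accepts_source(peers, peer, src):
    """Inbound check: a decrypted packet is dropped unless its source is in that peer's allowed-address."""
    src = ipaddress.ip_address(src)
    return any(src in ipaddress.ip_network(n) for n in peers[peer])

def trace(src, dst, from_peer, routes=HUB_ROUTES, wg0_relay_rule=True, remote_peers=REMOTE_PEERS):
    """Return the hops a packet takes after arriving on the hub's wg0 from `from_peer`."""
    if not accepts_source(HUB_PEERS, from_peer, src):
        return ["hub: dropped, %s not in %s allowed-address" % (src, from_peer)]
    dst_ip = ipaddress.ip_address(dst)
    out_if = next((i for n, i in routes.items() if dst_ip in ipaddress.ip_network(n)), "pppoe-out1")
    if out_if != "wg0":
        return ["hub: routed via %s" % out_if]  # default route = the internet, not the remote site
    if not wg0_relay_rule:
        return ["hub: dropped by forward chain, no wg0->wg0 accept rule"]
    nxt = select_peer(HUB_PEERS, dst)
    hops = ["hub: forward wg0->wg0 to peer %s" % nxt]
    if accepts_source(remote_peers, "hub", src):
        hops.append("remote: accepted, delivered to %s" % dst)
    else:
        hops.append("remote: dropped, %s not in hub allowed-address" % src)
    return hops
```

Calling `trace` with the `routes`, `wg0_relay_rule` or `remote_peers` arguments changed reproduces each failure mode in turn (no route: traffic leaves via pppoe-out1; no relay rule: dropped in forward; remote site allowing only the hub's /32: dropped on arrival).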
 
BigCol
newbie
Topic Author
Posts: 35
Joined: Sat Feb 11, 2023 5:12 pm

Re: Wireguard connects - no connectivity  [SOLVED]

Sun Oct 13, 2024 9:24 pm

All working perfectly now, thank you so much, not just for the direction, but for explaining. I've learnt stuff this weekend.