koge
just joined
Topic Author
Posts: 2
Joined: Mon Dec 23, 2024 2:55 am
Location: Chile

WireGuard and Port Forwarding

Tue Dec 24, 2024 1:39 am

Hello guys, I come to this forum seeking help with a configuration that I have been trying to implement unsuccessfully.

I am currently connected to the internet with an ISP that only provides IPv4 with CGNAT, so I have no way of redirecting ports.

I was given a WireGuard VPN that points directly to a public IP, and my goal is to use this VPN on my RB5009 to be able to forward ports, but without routing internet traffic through the VPN.

I have tried adding the VPN to the router, but I can't access the public IP from external networks. If I ping from other networks, it doesn't respond, but if I ping from the Mikrotik via the wireguard1 interface, it works fine. In practice, traffic from the router to the outside works, but from the outside to the router, it doesn't.

I am attaching the configuration I made to add the WireGuard VPN.
/interface wireguard add name=wireguard1 mtu=1380 listen-port=51820 private-key="xxxxx"
/ip address add address=PublicIP/32 interface=wireguard1
/interface wireguard peers add interface=wireguard1 public-key="redacted" endpoint-address=xxx.xxx.xxx.xxx endpoint-port=65331 allowed-address=0.0.0.0/0 persistent-keepalive=25
/ip route add dst-address=WGEndpointAdress/32 gateway=pppoe-out1 routing-table=main
/ip firewall nat add chain=srcnat action=masquerade out-interface=wireguard1
/ip firewall nat add chain=dstnat action=dst-nat in-interface=wireguard1 protocol=tcp dst-port=8 to-addresses=192.168.87.100 to-ports=80
/ip firewall filter add chain=forward action=accept in-interface=wireguard1 out-interface=bridge1 dst-address=192.168.87.0/24
/ip firewall filter add chain=forward action=accept in-interface=bridge1 out-interface=wireguard1 src-address=192.168.87.0/24

Any help is appreciated.
 
anav
Forum Guru
Posts: 22202
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard and Port Forwarding

Tue Dec 24, 2024 5:08 am

Not sure what you mean by "given" WireGuard.
Do you have access to a CHR on a cloud server?
Do you have access to a friend's MT router??

Or do you have a third-party VPN server like NordVPN?
If it's the latter, that's a one-way transmission out from your device and out the NordVPN end to the internet.
There is no traffic path through the NordVPN back to your router for external users.........

You may want to consider using BTH WireGuard VPN for that, but as indicated, what you want is not clear.
 
koge
just joined
Topic Author
Posts: 2
Joined: Mon Dec 23, 2024 2:55 am
Location: Chile

Re: WireGuard and Port Forwarding

Tue Dec 24, 2024 5:42 pm

Not sure what you mean by "given" WireGuard.
Do you have access to a CHR on a cloud server?
Do you have access to a friend's MT router??

Or do you have a third-party VPN server like NordVPN?
If it's the latter, that's a one-way transmission out from your device and out the NordVPN end to the internet.
There is no traffic path through the NordVPN back to your router for external users.........

You may want to consider using BTH WireGuard VPN for that, but as indicated, what you want is not clear.

A friend has a public /24 IPv4 pool and a CHR where he manages it. I don't have access to that device, but I can request certain adjustments. The main idea is to use the IP he provides me through the VPN to perform port forwarding for certain services I have on my network, as if it were a 'normal public IP.'
 
anav
Forum Guru
Posts: 22202
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard and Port Forwarding

Tue Dec 24, 2024 7:45 pm

Most excellent.
The work needs to be done at his/her end to some extent.
Basically, on the CHR:
/ip firewall nat
add chain=srcnat action=masquerade out-interface=wireguard-interface-name
add chain=dstnat action=dst-nat dst-address=CHR-IP-ADDRESS dst-port=ServerPort protocol=??? to-addresses=ServerLAN-IP

/ip route
add dst-address=[ SUBNET of SERVER or IP address of Server**** ] gateway=wireguard-interface-name routing-table=main

/ip firewall filter
add chain=forward action=accept comment="port forwarding" connection-nat-state=dstnat


**** If you just have one server, then use that IP address; if multiple servers, then use the subnet.


YOUR ROUTER

The MTU should be 1420 (the default). Why did you change it to 1380?? If having issues,
the best bet is
a. to ensure the MTU at both ends is the same, and
b. at the client peer router (for the handshake), i.e. your router, add the following mangle rule.
/ip firewall mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=wireguard1 passthrough=yes protocol=tcp tcp-flags=syn


Next fix: the IP address should be in the format
/ip address add address=wireguardIPaddress/24 interface=wireguard1 network=subnet

(example, if the CHR WireGuard address is 192.168.80.1)
/ip address add address=192.168.80.2/24 interface=wireguard1 network=192.168.80.0

Also I would change allowed IPs to the following
/interface wireguard peers add interface=wireguard1 public-key="redacted" endpoint-address=xxx.xxx.xxx.xxx endpoint-port=65331 allowed-address=192.168.80.0/24 persistent-keepalive=25

Question: Why do you have this route in your config????
/ip route add dst-address=WGEndpointAdress/32 gateway=pppoe-out1 routing-table=main

Question: Why do you not have a full config or full set of firewall rules????

Question: Why do you have this rule? It's useless for outside users coming in via WireGuard.
/ip firewall nat add chain=dstnat action=dst-nat in-interface=wireguard1 protocol=tcp dst-port=8 to-addresses=192.168.87.100 to-ports=80

The port forwarding is already done on the CHR; such traffic is already hitting the LAN directly after exiting WireGuard, and is permitted by your rule:
/ip firewall filter add chain=forward action=accept in-interface=wireguard1 out-interface=bridge1 dst-address=192.168.87.0/24
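Below is a complete two-ended configuration that puts the pieces from this thread together. It is an added example, not koge's posted config and not anav's snippets: it uses anav's tunnel subnet 192.168.80.0/24 (CHR = .1, RB5009 = .2), koge's LAN server 192.168.87.100 on TCP/80 and koge's endpoint port 65331, and assumes a public address 203.0.113.10 out of the friend's /24 already configured on the CHR, a CHR underlay address 198.51.100.1 for the endpoint, and the interface name wg-koge on the CHR. Two points are easy to miss in the thread: the CHR peer entry must list the RB5009's LAN subnet in allowed-address, otherwise WireGuard's cryptokey routing drops 192.168.87.0/24 packets before any route or NAT rule is consulted; and masquerading on the CHR toward the tunnel is what lets the server's replies come back through the tunnel without policy routing on the RB5009 (the RB5009's default route still points at pppoe-out1), at the cost that the server only ever sees 192.168.80.1 as the client address. The RB5009 forward rule is deliberately narrower than the one koge posted: it admits only the forwarded service rather than the whole LAN.

```routeros
# ===== CHR (friend's router, owns the public /24) =====
# Assumed: 203.0.113.10 is already assigned to the CHR's WAN interface and
# 198.51.100.1 is the CHR address the RB5009 can reach across CGNAT.
/interface wireguard
add name=wg-koge listen-port=65331 mtu=1420 private-key="CHR-PRIVATE-KEY"

/ip address
add address=192.168.80.1/24 interface=wg-koge network=192.168.80.0

# allowed-address = RB5009 tunnel IP AND the LAN behind it. Without the /24
# WireGuard silently discards packets to or from 192.168.87.x at this peer.
/interface wireguard peers
add interface=wg-koge public-key="RB5009-PUBLIC-KEY" allowed-address=192.168.80.2/32,192.168.87.0/24 comment="koge RB5009"

# Send the LAN behind the RB5009 into the tunnel; next hop is the RB5009 tunnel IP,
# which is reachable because 192.168.80.0/24 is a connected network here.
/ip route
add dst-address=192.168.87.0/24 gateway=192.168.80.2 routing-table=main

/ip firewall filter
# Handshake from the RB5009. Must sit above any chain=input drop rule.
add chain=input action=accept protocol=udp dst-port=65331 comment="WireGuard from koge"
# Only connections that matched a dst-nat rule may enter the tunnel;
# nothing else from the internet gets a path to 192.168.87.0/24.
add chain=forward action=accept connection-nat-state=dstnat out-interface=wg-koge comment="koge port forwards"

/ip firewall nat
# One dst-nat rule per exposed service on the assumed public IP.
add chain=dstnat action=dst-nat dst-address=203.0.113.10 protocol=tcp dst-port=80 to-addresses=192.168.87.100 to-ports=80 comment="koge web server"
# Masquerade toward the tunnel: the server replies to 192.168.80.1, a network the
# RB5009 has directly connected, so no route marks are needed on the RB5009.
# Trade-off: the server logs 192.168.80.1 instead of the real client address.
add chain=srcnat action=masquerade out-interface=wg-koge comment="koge return path"

# ===== RB5009 (behind CGNAT, default route via pppoe-out1) =====
/interface wireguard
add name=wireguard1 listen-port=51820 mtu=1420 private-key="RB5009-PRIVATE-KEY"

/ip address
add address=192.168.80.2/24 interface=wireguard1 network=192.168.80.0

# Only the tunnel subnet is allowed: all forwarded traffic arrives with the
# CHR's tunnel IP as source because of the masquerade on the CHR.
/interface wireguard peers
add interface=wireguard1 public-key="CHR-PUBLIC-KEY" endpoint-address=198.51.100.1 endpoint-port=65331 allowed-address=192.168.80.0/24 persistent-keepalive=25

/ip firewall filter
# Defence in depth: accept only the service the CHR is forwarding, not the whole LAN.
add chain=forward action=accept in-interface=wireguard1 dst-address=192.168.87.100 protocol=tcp dst-port=80 comment="web server via CHR"

/ip firewall mangle
# Clamp TCP MSS in both directions so segments fit the 1420-byte tunnel MTU
# (PPPoE underlay 1492 minus 60 bytes of IPv4+UDP+WireGuard overhead leaves room).
add chain=forward action=change-mss new-mss=clamp-to-pmtu protocol=tcp tcp-flags=syn out-interface=wireguard1 passthrough=yes comment="MSS clamp outbound"
add chain=forward action=change-mss new-mss=clamp-to-pmtu protocol=tcp tcp-flags=syn in-interface=wireguard1 passthrough=yes comment="MSS clamp inbound"
```

To check it, run /interface wireguard peers print on either side and confirm last-handshake is recent; from the CHR, /ping 192.168.87.100 src-address=192.168.80.1 proves the route, the allowed-address entry and the RB5009 forward rule together; finally, an HTTP request to 203.0.113.10 from any external host should reach the server, and /ip firewall connection print on the CHR will show that connection with the dst-nat flag set. No srcnat rule is needed on the RB5009 for this design, and the route koge added for the endpoint via pppoe-out1 is redundant, since the endpoint is already covered by the default route.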