HI I have setup a wireguard server that works pretty well and a wire client router using v7.1 Beta4, problem is that after creating the interface and some rules for policy base routing is like have the internet traffic does not work meaning for example if someone in the network tries to access "duckduckgo.com", if I set up the wireclient on a PC using windows or linux all traffic works fine, this only happens with the router as client here is kind of the configuration I created:

>wg genkey | tee privatekey | wg pubkey > publickey
>interface wireguard add listen-port=12345 mtu=1420 name=WG1 private-key="abc=="
>interface wireguard peers add allowed-address=0.0.0.0/0 endpoint-address=SERVER_IP endpoint-address=12345 interface=WG1 persistent-keepalive=15 public-key="SERVER_Public_Key"
>ip address add address=10.XX.XX.XX/16 interface=WG1

test the interface by pining google DNS servers:

> ping interface=WG1 8.8.8.8
SEQ HOST SIZE TTL TIME STATUS
0 8.8.8.8 56 121 178ms882us
1 8.8.8.8 56 121 103ms804us
2 8.8.8.8 56 121 71ms521us
sent=3 received=3 packet-loss=0% min-rtt=71ms521us avg-rtt=118ms69us max-rtt=178ms882us

After this set Policy based routing for full internal subnet, some host or based on content using mangle rules(this example is for the whole internal subnet):

>routing table add name=Through_WG fib
>ip route add dst-address=0.0.0.0/0 gateway=WG1 routing-table=Through_WG
>ip firewall nat chain=srcnat src-address=192.168.150.0/24 out-interface="WG1" action=masquerade
>ip firewall mangle add chain=prerouting src-address=192.168.150.0/24 action=mark-routing routing-table=Through_WG

Any ideas how can I debug this issue?

I think the problem is gateway=WG1 in your ip route - you can only set gateway to an interface if it is a PPP interface. For any other interface type it must be an IP address.

got it, so I added the wireguard server IP in the route, but I still have the same issue, only some traffic makes it through the wireguard tunnel, adde something like this


ip route add dst-address=0.0.0.0/0 gateway=Wirteguard_server_IP@main routing-table=Through_WG

Could it be something in firewall stopping the traffic or should it be allowed some where?

Why do you need to put the src address in the masquerade rule?

Why do you need to put the src address in the masquerade rule?

It really does not ned it, just try a few different things to try to make it work.

Perhaps

ip firewall nat chain=srcnat out-interface="WG1" action=masquerade

Alternate to above:
If config is based on default config, can just add WG1 as a WAN interfaces
(Which has advantage of firewalling as well as Natting it)

/interface list member
add interface WG1 list=WAN


Then use a routing rule (or 2)

/routing rule
; might need this first rule to stop you being locked out from the router, when the following rule is added.
add action=lookup disabled=no src-address=192.168.150.0/24 dst-address=192.168.150.0/24 table=main

add action=lookup disabled=no src-address=192.168.150.0/24 dst-address=0.0.0.0 table=Through_WG

(maybe action=lookup-only-in-table, might make internet inaccessible if wireguard disabled/unconnected)

Also need

/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=Through_WG suppress-hw-offload=no


Hopefully no need for any packet mangling rules.

Has there been a solution for this? I have exactly the same problem.
Mikrotik site to site WG several sites do not load in browser (duckduckgo.com, yahoo.com, and others.)
Windows 11 WG client to Mikrotik server works fine.

Has there been a solution for this? I have exactly the same problem.
Mikrotik site to site WG several sites do not load in browser (duckduckgo.com, yahoo.com, and others.)
Windows 11 WG client to Mikrotik server works fine.

Without seeing your config, everyone can only guess as to what your particular issue is, but here are a few things to try

a) add a src-nat (masquerade) rule to the WG interface on the client mikrotik
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=wireguard1

b) MSS Clamp traffic going out the wireguard interface
/ip firewall mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=wireguard1 passthrough=no protocol=tcp tcp-flags=syn

Andrew

most of the traffic packets are dropped due to overhead caused by wireguard headers.
here is the solution, assuming you are using default 1420 mtu for wireguard interface.
make sure to select your wireguard interface in out-interface

What if using mtu 1500 ??

Also check out para 9. d and para 10 - viewtopic.php?t=182340

What if using mtu 1500 ??

Also check out para 9. d and para 10 - viewtopic.php?t=182340

Wow, that is very comprehensive guide covering almost every aspect of WG.
Good Work

Hi guys, I have a tunnel made with wiregard, everything works, only I can't create a NAT on a specific IP, I would like the router's IP to when they connect to the router B the router B all on a specific IP on the net
Do you have a suggestion to give me?
Thank you

Yes provide a decent network diagram, to show what are the two or maybe more clients connecting to the server...............
If any MT devices are involved, provide the config.
/export file=anynameyouwish ( minus router serial # and any public WANIP information keys etc.......)

Yes provide a decent network diagram, to show what are the two or maybe more clients connecting to the server...............
If any MT devices are involved, provide the config.
/export file=anynameyouwish ( minus router serial # and any public WANIP information keys etc.......)

/interface wireguard
add listen-port=51820 mtu=1420 name=WG-BAGNARIA
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
add dh-group=modp1024 dpd-interval=30s enc-algorithm=3des name=profile_1 \
nat-traversal=no
/ip ipsec peer
add address=x.x.x.x/32 disabled=yes name=peer1 profile=profile_1
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1,md5 enc-algorithms=3des
/ip pool
add name=dhcp ranges=192.168.2.101-192.168.2.190
/ip dhcp-server
add address-pool=dhcp interface=ether2-lan name=dhcp1
/port
set 0 name=serial0
/ppp profile
add local-address=10.0.0.2 name=TUNNEL remote-address=10.0.0.1
add local-address=10.0.11.11 name=Tunnel-gonars remote-address=10.0.11.1
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/system logging action
set 0 memory-lines=100
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set allow-fast-path=no tcp-syncookies=yes
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add interface=ether1-wan list=WAN
add interface=ovpn-gonars list=LAN
add interface=WG-BAGNARIA list=LAN
add interface=ether2-lan list=LAN
/interface ovpn-server server
set auth="" certificate=CLIENT-GONARS cipher=aes256 \
require-client-certificate=yes
/interface wireguard peers
add allowed-address=10.0.8.3/32 comment=PORTATILE endpoint-port=51820 \
interface=WG-BAGNARIA persistent-keepalive=20s public-key=\
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
add allowed-address=10.0.8.1/32,192.168.1.0/24 comment="TUNNEL GONARS" \
endpoint-address=x.x.x.x endpoint-port=51820 interface=WG-BAGNARIA \
persistent-keepalive=20s public-key=\
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
/ip address
add address=192.168.10.10/24 interface=ether1-wan network=192.168.10.0
add address=192.168.2.250/24 interface=ether2-lan network=192.168.2.0
add address=10.0.8.2/30 interface=WG-BAGNARIA network=10.0.8.0
/ip dhcp-server network
add address=192.168.2.0/24 gateway=192.168.2.250
/ip dns
set allow-remote-requests=yes servers=208.67.220.220,208.67.222.222
/ip firewall filter
add action=drop chain=input comment="Block DNS Wan" dst-port=53 \
in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="Block DNS Wan" dst-port=53 \
in-interface-list=WAN protocol=udp
add action=drop chain=input comment="Block DNS Wan" dst-port=23 \
in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="Block DNS Wan" dst-port=23 \
in-interface-list=WAN protocol=udp
add action=drop chain=input comment="Squild Blacklist: SBL Blocklist.de." \
in-interface=ether1-wan log=yes log-prefix="BL_sbl blocklist.de" \
src-address-list="sbl blocklist.de"
add action=drop chain=input comment="Squild Blacklist: SBL DShield." \
in-interface=ether1-wan log=yes log-prefix="BL_sbl dshield" \
src-address-list="sbl dshield"
add action=drop chain=input comment="Squild Blacklist: SBL Spamhaus." \
in-interface=ether1-wan log=yes log-prefix="BL_sbl spamhaus" \
src-address-list="sbl spamhaus"
add action=drop chain=forward comment="Squild Blacklist: SBL Blocklist.de." \
dst-address-list="sbl blocklist.de" log=yes log-prefix=\
"BL_sbl blocklist.de" out-interface=ether1-wan
add action=drop chain=forward comment="Squild Blacklist: SBL DShield." \
dst-address-list="sbl dshield" log=yes log-prefix="BL_sbl dshield" \
out-interface=ether1-wan
add action=drop chain=forward comment="Squild Blacklist: SBL Spamhaus." \
dst-address-list="sbl spamhaus" log=yes log-prefix="BL_sbl spamhaus" \
out-interface=ether1-wan
add action=drop chain=forward comment="Bloccare IP addresses BOGON" \
src-address=0.0.0.0/8
add action=drop chain=forward comment="Bloccare IP addresses BOGON" \
dst-address=0.0.0.0/8
add action=drop chain=forward comment="Bloccare IP addresses BOGON" \
src-address=127.0.0.0/8
add action=drop chain=forward comment="Bloccare IP addresses BOGON" \
dst-address=127.0.0.0/8
add action=drop chain=forward comment="Bloccare IP addresses BOGON" \
src-address=224.0.0.0/3
add action=drop chain=forward comment="Bloccare IP addresses BOGON" \
dst-address=224.0.0.0/3
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="Port scanners to list " \
protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=\
tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment=\
"BLOCK TRACEROUTE TRAFFIC Disable ICMP ping" icmp-options=8:0 \
in-interface-list=WAN protocol=icmp
add action=drop chain=forward comment="BLOCK TRACEROUTE TRAFFIC Traceroute" \
icmp-options=11:0 protocol=icmp
add action=drop chain=forward comment="BLOCK TRACEROUTE TRAFFIC" \
icmp-options=3:3 protocol=icmp
add action=add-src-to-address-list address-list=DoS_Attacked \
address-list-timeout=5m chain=input comment=DoS_Attacked \
connection-limit=32,32 protocol=tcp
add action=tarpit chain=input comment=DoS_Attacked connection-limit=10,32 \
protocol=tcp src-address-list=DoS_Attacked
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 \
protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=input comment="block to WAN" in-interface-list=!WAN \
src-address=192.168.2.0/24
add action=accept chain=output content="530 Login incorrect" dst-limit=\
1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
address-list-timeout=3h chain=output content="530 Login incorrect" \
protocol=tcp
add action=accept chain=input comment="Allow OpenVPN" disabled=yes dst-port=\
1180 protocol=tcp
add action=accept chain=input comment=WIREGUARD dst-port=51820 protocol=udp
add action=accept chain=input comment="Allow winbox da OpenVPN" dst-port=1170 \
protocol=tcp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
/ip firewall mangle
add action=add-src-to-address-list address-list=Worm-Infected-p445 \
address-list-timeout=1h chain=prerouting connection-state=new dst-port=\
445 limit=5,10:packet protocol=tcp
add action=change-ttl chain=prerouting new-ttl=increment:1
/ip firewall nat
add action=dst-nat chain=dstnat comment="Force using DNS" dst-port=53 \
protocol=udp to-addresses=192.168.2.250 to-ports=53
add action=dst-nat chain=dstnat comment="Force using DNS" dst-port=53 \
protocol=tcp to-addresses=192.168.2.250 to-ports=53
add action=masquerade chain=srcnat comment="TUNNEL OPENVPN" disabled=yes \
dst-address=192.168.1.170 out-interface=WG-BAGNARIA protocol=tcp
add action=masquerade chain=srcnat comment="TUNNEL OPENVPN" disabled=yes \
dst-address=192.168.1.200 out-interface=WG-BAGNARIA protocol=tcp
add action=masquerade chain=srcnat comment="TUNNEL OPENVPN" disabled=yes \
dst-address=192.168.1.0/24 out-interface=WG-BAGNARIA protocol=tcp
add action=dst-nat chain=dstnat comment="NAT DVR" dst-port=37777 protocol=tcp \
to-addresses=192.168.2.88 to-ports=37777
add action=masquerade chain=srcnat out-interface-list=WAN
/ip firewall raw
add action=drop chain=prerouting comment="dropping port scanners" \
src-address-list="port scanners"
add action=drop chain=prerouting dst-address=!192.168.1.200 dst-port=445 \
protocol=tcp src-address-list=Worm-Infected-p445
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec identity
add notrack-chain=prerouting peer=peer1
/ip ipsec policy
set 0 protocol=ipsec-esp
/ip route
add check-gateway=ping disabled=no dst-address=0.0.0.0/0 gateway=192.168.10.1
add disabled=no distance=2 dst-address=192.168.1.0/24 gateway=WG-BAGNARIA \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.2.0/24,192.168.1.0/24,10.0.8.0/24 port=1170
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote

Need context, no network diagram.
Is this device connecting as a client to another device and what is the other device or is this devices a server for initial connections from a client router and what is this other router??
( I also see another remote connection as well )

Dont have any clue what you are trying to accomplish with sourcenat rules for single IPs and then the entire local subnet out the wireguard tunnel.
As I said, where are they going ????? The traffic flows are too vague to work on.

I created a site to site tunnel and it works, only that I would like everyone who wants to connect the router B on router B addresses them only on an internal IP.

your explanation is not clear.
Network diagrams and Requirements, use google translate as your english is not working out very well.
viewtopic.php?p=908118

Sorry for my English,
So as seen from the scheme, I want addresses 192.168.2.10/11/12 to see only the computer 192.168.1.170, the rest of the Network 192.168.1.0/24 must not access.

Okay so you have two routers, both MT if so you need to post both not just one.
Also do you want users on both routers to initiate a tunnel ( put another way both routers can be both client and server for initial connection )
Assuming both have publicly accessible public IPs............

I did not put the public IPs since the connection works.
The current configuration is site to site, and are on 2 mikrotik rb750gr3.
The two networks 192.168.1.0/24 and 192.168.2.0/24 both parts work, only that the computers that they provoke from 192.168.2.10-12/24
They only have to see the server 192.168.1.170/24.
I tried to create a NAT but it does not work, while before with the OpenVPN it worked, I think it is due to the fact that Wireguard works on another OSI level.

Last time or I stop ( why do you never answer questions??)............ do both have publicly accessible IPs. ( capable of hosting a WG server )
Which side should be considered the client and the server for initial handshake OR do users at either end initiate traffic ( be it an admin for config purposes or users accessing devices).

Last time or I stop ( why do you never answer questions??)............ do both have publicly accessible IPs. ( capable of hosting a WG server )
Which side should be considered the client and the server for initial handshake OR do users at either end initiate traffic ( be it an admin for config purposes or users accessing devices).

Excuse me but perhaps we did not understand each other, the public IP (Internet) are static and the tunnel works.
The IP LANs are 192.168.1.0/24 on Router A and on the B router B LAN 192.168.2.0/24 and work without problems.
Since the tunnel is site to site I think it means that the two LAN can communicate both sides.
I just want certain IPs of the LAN (A) when accessing the LAN (B), they must only access an IP of the LAN (B).
I hope you understand me

Thank you all

Done asking, the questions were simple as was the request for both configs........... Gluck!