Hello to everyone!

Recently i decided to move from site-to-site ipsec tunnel to wireguard.
My setup is: LAN-A (192.168.1.x) <-> routerA <-> WAN (PPPoE) <->ISP modem <----- INTERNET -----> ISP modem <-> (PPPoE) WAN <-> routerB <-> LAN-B (192.168.10.x).
Wireguard interface has ip address set to 192.168.100.1 on routerA, and 192.168.100.2 on routerB.
So both routers are Mikrotik RB951G-2HnD, running version 7.4, connected to internet via PPPoE connection through ISP modem and have static public ip addresses.
Wireguard tunnel is configured and established, added firewall rules, routes and i can ping everything from each router's terminal window - LAN clients on both sides and wireguard interface ip's on both sides but when i try to ping from LAN client (side A) to LAN client (side B) or vice versa there is no communication. Same happens when I use Mikrotik ping tool an set interface to bridge-local.

However I can ping wireguard's interface ip from opposite side of the tunnel from each LAN client...
For example: LAN client on side A (192.168.1.2) can ping 192.168.100.2 (wg interface ip on sideB), but not 192.168.10.1 (routerB LAN address).

I have attached Router A and B configs (sensitive info edited out).
What am I missing?
Maybe I misconfigured something ?

Any help would be greatly appreciated.

Best regards!

Spookey ... I had the EXACT same problem earlier this year.
Did you arrive on ROS7 as a result from upgrade from ROS6 and then upgrade, upgrade, upgrade, ... ?
You may want to check this thread
viewtopic.php?t=182796

Long story short what I had to do to solve this:
1- saved current config of both devices: /export terse show-sensitive file=....
2- RESET both devices to DEFAULT config
3- Initial maintenance (new user, remove admin-user, activate romon, ...) and then restored config from earlier saved files line by line, omitting what was already present as default
4- WG tunnel came up on both devices
5- and everything worked

Not a single thing changed on the config !

I upgrade, upgrade, upgraded my way to ROS 7.

I will try your proposed solution first thing tomorrow morning.

Do I just do "reset to default settings"? Or should i just "start from a clean slate" - netinstall and ROS 7.4 image?

Netinstall is always better.

Concur, the nomenclature slave interfaces is old....
I would start the configs from scratch for sure............

The problem I have is that you have not really indicated a Server Client Relationship.
Both devices should not be setup as Server...............

You have both routers accepting incoming traffic on the same port.............. both sending keep alives.......
Just decide for connectivity purposes which is receiving the initial handshake...... and which is requesting the initial handshake.

I did as holvoetn described...
- exported configs
- netinstall ROS 7.4
- partially imported configs

It works now.

Thank you guys, especially holvoetn - you really made my day...
After a week of setting this thing up, reading anav's " Wireguard Success For The Beginner" (it is really comprehensive, but a little too much to swallow at once...) and fiddling around with different options, I was ready to give up...

Eventually everything worked out - at least for me .

Keep up the good work guys!

That is great news, any advice on how to improve the article is appreciated.

Concur, the nomenclature slave interfaces is old....
I would start the configs from scratch for sure............

The problem I have is that you have not really indicated a Server Client Relationship.
Both devices should not be setup as Server...............

You have both routers accepting incoming traffic on the same port.............. both sending keep alives.......
Just decide for connectivity purposes which is receiving the initial handshake...... and which is requesting the initial handshake.

The problem here is that you're giving really poor advice and only making Wireguard on Mikrotik more complicated than it needs to be.

You describe a client / server relationship, but this is just wrong: In Wireguard you have peers. So site A & B are equal peers and both can initiate a connection to a machine at the other site. When you want to communicate A -> B or B -> A you just route the traffic to the Mikrotik device and that sends it to the other device over the preconfigured Wireguard tunnel. You don't need any keepalives in this situation: You have the endpoint IP defined in the tunnel at both ends, and if the endpoint IP can change, you use a DDNS service as built into RouterOS.

There's no server in Wireguard, only peers.

The issue is that you reply with the same to almost every Wireguard question, and you're only spreading confusion about how any of this actually works.

Concur that wireguard is peer to peer, traffic passes both ways in the tunnel (aka traffic can originate on either side).
It is also true to state, that there is an an initial handshake between one device (local) and the other device (remote) to initiate the tunnel and only one is possible for any given connection.
Both cannot connect to the other side, there can only be one input chain rule triggered on the establishment of the tunnel .........only one actually connects to the other and then the transparent tunnel is available both ways.

My verbiage could probably be improved, nonetheless most cases I see on the forum threads deal with one side of the equation that
a. does not have TWO reachable public IPs (both local and remote MT devices with only one of them having an acccessible public IP)
b. an MT device is behind another router

In these instances its critical to understand that one needs to config so as to enable the initial handshake from the limited device to the available device to make that connection.

As an aside note, what I find confusing is when people who config both sides to be able to initiate and receive the tunnel (both devices have accessible public IPs, then use the exact same ports!
I like clarity when looking at configs and logs, and having it all the same does not do that for me, maybe everyone else has no issue.

routerA listening port is 55,000 input chain rule 55,000
routerB, listening port is 30,000 input chain rule 30,000

I know when in any config exactly which router I am looking at.
When I attach peers to one or the other, since both are accessible via public IP, its much clearer to which MT device I am assigning a client to ( endport required etc...).
I also understand your point about keep alives but that again is mainly for the case where one side is limited. Generally only for limited devices anyway such as smartphones.

I hope that clarifies what I am thinking and your points are well taken.

Eventually everything worked out - at least for me .

Keep up the good work guys!

Good job !
Thanks for letting us know.