Allow access to Wireguard peer from WAN
Posted: Wed Sep 06, 2023 2:53 pm
by zhouck
Schema:
1. Mikrotik router with Wireguard server 172.16.1.1
2. Wireguard peer with address 172.16.1.2
3. Peer has RDP port 3389
I have added a rule dstmap protocol tcp port 23389 with action netmap To address 172.16.1.2 To ports 3389
Whenever I try to access my_white_ip:23389 I get a timeout, but the packet counter increments
So, the question: should I add some extra rules? Port 3389 is available for Wireguard on the client; I have tested by connecting to another internal Wireguard server on an RPi4, and then I am able to connect to the peer (inside the Wireguard network)
Re: Allow access to Wireguard peer from WAN
Posted: Wed Sep 06, 2023 5:07 pm
by anav
It is not clear what you are trying to achieve.
I think you are trying to wireguard into your MT router so that a user can access an RDP server on your LAN.
If so, then I would have to see the config to know why it's not working.
/export file=anynameyouwish (minus router serial number, public WAN:IP information, keys etc. )
Re: Allow access to Wireguard peer from WAN
Posted: Wed Sep 06, 2023 6:26 pm
by zhouck
I want to RDP from WAN (internet) to my server with non-white IP
The plan is:
* server with non-white IP makes a wireguard connection to the Mikrotik router (which has a white IP address)
* Mikrotik sets up the rule to forward traffic from WAN to the wireguard peer
Re: Allow access to Wireguard peer from WAN
Posted: Wed Sep 06, 2023 6:44 pm
by anav
Draw a diagram; I have no idea what the heck a white IP is, for example.
I also have no clue what you are trying to accomplish; speak in terms of user traffic.
User needs to access X located at Y from location Z
Not clear why RDP is needed, not clear why wireguard is needed, etc...
Re: Allow access to Wireguard peer from WAN
Posted: Wed Sep 06, 2023 9:51 pm
by zhouck
White IP - a real (not private) IP address. A lot of IPs in Ukraine are "gray" (over provider's NAT), so not reachable from the Internet
Re: Allow access to Wireguard peer from WAN
Posted: Wed Sep 06, 2023 11:29 pm
by anav
Well, hmm, okay, so you have a mobile user (actor) that needs to reach either the main LAN (behind the MT) or some other still poorly described LAN.
Is this LAN behind a router as well? How does it connect to the internet? Does its upstream router have wireguard?
If not, how are you proposing this LAN connects to wireguard???
Re: Allow access to Wireguard peer from WAN
Posted: Thu Sep 07, 2023 9:45 am
by zhouck
Another LAN has a "gray" (private) IP - behind the provider's NAT (something like 10.20.30.40)
So, the idea is to connect from this other LAN to the Mikrotik router (over Wireguard or another VPN), and then on the Mikrotik allow traffic redirect from the "wild" Internet to PCs in the other LAN
Re: Allow access to Wireguard peer from WAN
Posted: Thu Sep 07, 2023 3:03 pm
by anav
All very doable if this grey router has wireguard capabilities, which you have not made clear.
If not, you should still be able to connect through the grey router from a PC on that LAN.