Hi there,
My apologies if this has been discussed before, but I couldn't find a solution scrolling through all WireGuard topics.
Here is my problem. I've created a WireGuard tunnel from an Android phone to a HAP AC3 router, which is also a WAN gateway. I can connect with the Mikrotik app to the router and two other Mikrotiks working as wireless extenders in the same LAN by their local IP addresses via WireGuard (even though the app won't discover them). However, I have no Internet access on the phone via WireGuard.
My configuration is very basic.
On the phone, in the Peer section, I set allowed IP to 0.0.0.0/0 and the endpoint is Mikrotik's DDNS address. In the Interface section, I have set the address to 10.180.5.2/24 and DNS servers to 8.8.8.8 and 10.80.5.1, which is the address of the WireGuard server in Mikrotik.
On the router I've only added a couple of firewall rules related to WireGuard to the default config (below) and added the WireGuard interface to the LAN list.
Please let me know what I'm doing wrong. Thanks!
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough
 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked
 2    ;;; allow WireGuard
      chain=input action=accept protocol=udp dst-port=13231 log=no
      log-prefix=""
 3    ;;; allow Wireguard traffic
      chain=forward action=accept src-address=10.180.5.0/24 log=no
      log-prefix=""
 4    ;;; allow IPsec NAT
      chain=input action=accept protocol=udp dst-port=4500
 5    ;;; allow IKE
      chain=input action=accept protocol=udp dst-port=500
 6    ;;; allow l2tp
 7    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid in-interface-list=WAN
      log=no log-prefix=""
 8    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp
 9  X ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1 log=no log-prefix=""
10    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN
11    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec
12    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec
13    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection hw-offload=yes
      connection-state=established,related
14    ;;; defconf: accept established,related, untracked
      chain=forward action=accept
      connection-state=established,related,untracked
15    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid
16    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new
      connection-nat-state=!dstnat in-interface-list=WAN
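
A client-side sanity check for the phone settings described in the post, as an added example that is not part of the original post or the poster's configuration. The wg-quick style config text is constructed from the values the post states; the keys, the endpoint host name and the function names are assumptions.

```python
import ipaddress

# Constructed wg-quick style client config using the values stated in the post;
# the keys and the endpoint host are placeholders, not real values.
SAMPLE_CONF = """\
[Interface]
PrivateKey = <placeholder>
Address = 10.180.5.2/24
DNS = 8.8.8.8, 10.80.5.1

[Peer]
PublicKey = <placeholder>
AllowedIPs = 0.0.0.0/0
Endpoint = router.example.invalid:13231
"""

def parse_conf(text):
    """Return {section: {key: [values]}} for a wg-quick style config."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            conf.setdefault(section, {})
        elif "=" in line and section:
            key, value = (p.strip() for p in line.split("=", 1))
            conf[section].setdefault(key.lower(), []).extend(
                v.strip() for v in value.split(",") if v.strip())
    return conf

def check_client(text):
    """Classify each DNS server against the tunnel subnet and AllowedIPs."""
    conf = parse_conf(text)
    iface = ipaddress.ip_interface(conf["interface"]["address"][0])
    allowed = [ipaddress.ip_network(a, strict=False)
               for a in conf["peer"]["allowedips"]]
    report = {"tunnel_net": str(iface.network),
              "full_tunnel": ipaddress.ip_network("0.0.0.0/0") in allowed,
              "dns": {}}
    for dns in conf["interface"].get("dns", []):
        addr = ipaddress.ip_address(dns)
        report["dns"][dns] = {
            "routed_into_tunnel": any(addr in net for net in allowed),
            "inside_tunnel_net": addr in iface.network,
        }
    return report
```

For the constructed config, `check_client(SAMPLE_CONF)` reports both DNS servers as routed into the tunnel but outside 10.180.5.0/24, so name resolution on the phone depends on the router forwarding that traffic.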