Access Remote Gateway for settings via WireGuard

Hello,

I have a configuration involving two Mikrotik devices: one located at Location A and the other at Location B.
They are connected via a WireGuard tunnel, with all traffic at Location B routed through Location A (effectively giving both locations the same public IP as seen on “whatismyip”).
Everything works very well as intended. However, I have an issue:

I want to access the gateway at Location B (specifically, the TP-Link router settings) from Location A.

From Location A, I can ping 192.168.32.2, 192.168.20.1, and any device connected to the Mikrotik at Location B, but I cannot reach the gateway at 192.168.50.1.
From Location B, I can successfully ping 192.168.50.1 (from the RouterOS terminal), 192.168.10.1 and 192.168.32.1.

At Location A, I have added in the corresponding peer with the following allowed IPs:

add allowed-address=192.168.32.2/32,192.168.20.0/24,192.168.50.0/24 comment=\
    **** endpoint-port=xxxxx interface=WG-A name= location_B \
    persistent-keepalive=10s

Any help would be greatly appreciated!

LOCATION A

# LOCATION A
# 2025-03-15 21:08:41 by RouterOS 7.16.2
# software id = NM34-PCCW
#
# model = L009UiGS-2HaxD

/interface bridge
add name=bridge1
/interface wifi
set [ find default-name=wifi1 ] configuration.country= .mode=ap .ssid=\
    MIKROTIK disabled=no
/interface pppoe-client
add add-default-route=yes disabled=no interface=sfp1 name=pppoe-out2 \
    use-peer-dns=yes user=xxxx
/interface eoip
add local-address=192.168.32.1 mac-address=02:45:31:3C:2A:37 mtu=1500 name=\
    eoip-tunnel_netflix1 remote-address=192.168.32.2 tunnel-id=10
add local-address=192.168.32.1 mac-address=02:38:7F:27:F4:13 mtu=1500 name=\
    eoip-tunnel_netflix2 remote-address=192.168.32.3 tunnel-id=11
/interface wireguard
add listen-port=* mtu=1420 name=WG-A
/interface list
add name=WAN
add name=LAN
/ip pool
add name=dhcp ranges=192.168.10.10-192.168.10.254
/ip dhcp-server
add address-pool=dhcp interface=bridge1 name=dhcp1
/port
set 0 name=serial0
/ip smb
set enabled=no
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=wifi1
add bridge=bridge1 interface=ether1
/ipv6 settings
set accept-router-advertisements=yes
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=bridge1 list=LAN
add interface=WG-A list=LAN
add interface=pppoe-out2 list=WAN
/interface wireguard peers
add allowed-address=192.168.32.2/32,192.168.20.0/24,192.168.50.0/24 comment=\
    endpoint-port=* interface=WG-A name=NETX1 \
    persistent-keepalive=10s public-key=\
   
add allowed-address=192.168.32.3/32,192.168.30.0/24,192.168.0.0/24 comment=\
     endpoint-port=* interface=WG-A name=NETX2 \
    persistent-keepalive=10s public-key=\
/ip address
add address=192.168.10.1/24 interface=bridge1 network=192.168.10.0
add address=192.168.32.1/24 interface=WG-A network=192.168.32.0
add address=192.168.1.15/24 comment="SSH telnet" interface=sfp1 \
    network=192.168.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add disabled=yes interface=sfp1
/ip dhcp-server lease
add address=192.168.10.5 client-id=1:4:7c:16:0:1e:8f mac-address=\
    04:7C:16:00:1E:8F
/ip dhcp-server network
add address=0.0.0.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=0.0.0.0 netmask=24
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1 \
    netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="wireguard handshake" dst-port=* \
    protocol=udp
add action=accept chain=input comment="ntp server" dst-port=123 in-interface=\
    lo in-interface-list=LAN protocol=udp
add action=accept chain=input comment="admin access" src-address-list=\
    AUTHORIZED
add action=accept chain=input dst-port=21 in-interface-list=WAN protocol=tcp
add action=accept chain=input comment="winbox control" dst-port=722 protocol=\
    tcp
add action=accept chain=input comment="wol log" dst-port=9 log=yes \
    log-prefix=WOL protocol=udp
add action=accept chain=input comment="users to services" dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment="users to services" dst-port=53 \
    in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="speed test" dst-port=2000 log=yes \
    log-prefix=speed_test protocol=udp
add action=accept chain=input dst-port=2000 protocol=tcp
add action=accept chain=forward comment="test sfp" connection-nat-state=\
    dstnat
add action=accept chain=input comment="romon EOIP" protocol=gre src-address=\
    192.168.32.0/24
add action=drop chain=input comment="Drop all else" log-prefix=drop_else
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=\
    LAN out-interface-list=WAN
add action=accept chain=forward comment="wireguard to local LAN" dst-address=\
    192.168.10.0/24 in-interface=WG-A
add action=accept chain=forward comment="local LAN to remote LAN" \
    dst-address=192.168.20.0/24 out-interface=WG-A src-address=\
    192.168.10.0/24
add action=accept chain=forward dst-address=192.168.30.0/24 dst-address-list=\
    "" out-interface=WG-A src-address=192.168.10.0/24 src-address-list=""
add action=accept chain=forward dst-address=192.168.50.0/24 out-interface=\
    WG-A src-address=192.168.10.0/24
add action=accept chain=forward comment="wg remote relay" in-interface=WG-A \
    out-interface=WG-A
add action=accept chain=forward comment="port forwarding accespt" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=21 in-interface-list=WAN protocol=\
    tcp to-addresses=192.168.10.5 to-ports=21
add action=dst-nat chain=dstnat dst-port=50000-51000 in-interface-list=WAN \
    protocol=tcp to-addresses=192.168.10.5 to-ports=50000-51000
add action=dst-nat chain=dstnat dst-port=990 in-interface-list=WAN protocol=\
    tcp to-addresses=192.168.10.5 to-ports=990
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add disabled=no distance=1 dst-address=192.168.20.0/24 gateway=WG-A \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.30.0/24 gateway=WG-A \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no dst-address=192.168.50.0/24 gateway=WG-A routing-table=main \
    suppress-hw-offload=no
/ipv6 dhcp-client
add add-default-route=yes interface=*10 pool-name=delegation \
    pool-prefix-length=56 request=address,prefix
/ipv6 dhcp-server
add address-pool=delegation interface=bridge1 name=dhcp1
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set broadcast-addresses=192.168.10.1 enabled=yes manycast=yes multicast=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
add address=3.pool.ntp.org
/system routerboard settings
set enter-setup-on=delete-key
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
set enabled=yes
/tool romon port
add disabled=no forbid=yes interface=wifi1

LOCATION B

# LOCATION B
# 2025-03-15 20:10:21 by RouterOS 7.16.2
# software id = ZRE7-477Q
#
# model = RB941-2nD

/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n country=romania disabled=no \
    frequency=auto mode=ap-bridge ssid=MikroTik21 wireless-protocol=802.11
/interface eoip
add local-address=192.168.32.2 mac-address=02:2F:D0:74:B4:B0 mtu=1500 name=\
    eoip-tunnel1 remote-address=192.168.32.1 tunnel-id=10
/interface wireguard
add listen-port=* mtu=1420 name=WG-B
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.20.10-192.168.20.254
/ip dhcp-server
add address-pool=dhcp interface=bridge1 name=dhcp1
/routing table
add comment="For use by local clients" disabled=no fib name=wg-vpn
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=wlan1
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
add interface=WG-B list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=* endpoint-port=\
    * interface=WG-B name=peer1 persistent-keepalive=10s public-key=\
/ip address
add address=192.168.20.1/24 interface=bridge1 network=192.168.20.0
add address=192.168.32.2/24 interface=WG-B network=192.168.32.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=0.0.0.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=0.0.0.0 netmask=24
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1 \
    netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip firewall address-list
add address=192.168.20.0/24 list=AUTHORIZED
add address=192.168.10.0/24 list=AUTHORIZED
add address=192.168.30.0/24 list=AUTHORIZED
add address=192.168.50.0/24 list=AUTHORIZED
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="wireguard handshake" dst-port=* \
    protocol=udp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="romon accept" protocol=gre \
    src-address=192.168.32.0/24
add action=accept chain=input comment="admin access" disabled=yes \
    src-address-list=AUTHORIZED
add action=accept chain=input comment="users to services" dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment="users to services" dst-port=53 \
    in-interface-list=LAN protocol=tcp
add action=accept chain=input comment=winbox dst-port=722 protocol=tcp \
    src-address-list=AUTHORIZED
add action=accept chain=input disabled=yes dst-port=2000 protocol=udp
add action=accept chain=input disabled=yes dst-port=2000 protocol=tcp
add action=drop chain=input comment="Drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=\
    LAN out-interface-list=WAN
add action=accept chain=forward comment="wireguard to local LAN" dst-address=\
    192.168.20.0/24 in-interface=WG-B
add action=accept chain=forward comment=\
    "local LAN to remote LAN or Router1 internet" out-interface=WG-B \
    src-address=192.168.20.0/24
add action=drop chain=forward comment="drop all else"
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes \
    protocol=tcp tcp-flags=syn
add action=change-mss chain=output new-mss=clamp-to-pmtu passthrough=no \
    protocol=tcp tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WG-B
/ip route
add dst-address=0.0.0.0/0 gateway=WG-B routing-table=wg-vpn
add disabled=no dst-address=192.168.10.0/24 gateway=WG-B routing-table=main \
    suppress-hw-offload=no
/routing rule
add action=lookup-only-in-table comment=\
    "Local clients should use (only) Wireguard routing table" disabled=no \
    interface=bridge1 src-address=192.168.20.0/24 table=wg-vpn
/system clock
set time-zone-name=Europe/Stockholm
/system identity
set name=NETX1
/system note
set show-at-login=no
/system ntp client servers
add address=192.168.10.1
/tool romon
set enabled=yes
/tool romon port
add disabled=no forbid=yes interface=wlan1

POSTED THE CODE

Very reasonable request, and without going too much into the config it shouldn't be too much of a problem.
If the ask was for a USER on the LAN to originate traffic to router A, that would be more difficult.

Basically, since we NAT all the traffic leaving router B going to the TPLINK router, the wireguard traffic will seem to come from the MT router.
In other words, the TPLINK will be reachable and it will be able to respond back to the apparent source IP of the traffic, the LAN IP of the MT Router, and the MT Router will unsourcenat back to the wireguard IP and thus know to route that traffic through the wireguard tunnel back to router A. All good.

The other part is to ensure the permissions on the TPLINK allow traffic from the MT router to be able to access the TPLINK for config purposes. That is outside our swim lanes.

Router A

  1. Best to set this to none. It's been known to cause issues.
    /interface detect-internet
    set detect-interface-list=all

  2. What is the purpose of this???
    /ip dhcp-server network
    add address=0.0.0.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=0.0.0.0 netmask=24

  3. What is the purpose of this rule… SECURITY problem: FTP is not a secure protocol and thus creates an attack vector on your router???
    add action=accept chain=input dst-port=21 in-interface-list=WAN protocol=tcp

  4. AGAIN!! Do you want your router to be hacked???
    add action=accept chain=input comment="winbox control" dst-port=722 protocol=
    tcp
    WINBOX should only be used from INSIDE the router, either being local on the router or after accessing the router via VPN.

  5. No idea what this is, but if not a VPN, it's another error.
    add action=accept chain=input comment="wol log" dst-port=9 log=yes
    log-prefix=WOL protocol=udp

  6. Why do you have a firewall rule from router A going to a non-existent subnet on Router B, 192.168.30??
    add action=accept chain=forward dst-address=192.168.30.0/24 dst-address-list=
    "" out-interface=WG-A src-address=192.168.10.0/24 src-address-list=""

A note: lucky for you, there is also a dstnat rule for port 21 which gets seen first in packet flow and accepted, and thus no traffic will luckily hit the router itself on port 21, but the input chain rule has to go!!

  7. Same with a route, no need for this route as there is no .30 subnet on router B.
    add disabled=no distance=1 dst-address=192.168.30.0/24 gateway=WG-A
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10

  8. Are you sure you need to use IPv6? If not, then I suggest you disable it; there is an error showing on it…
    /ipv6 dhcp-client
    add add-default-route=yes interface=*10 pool-name=delegation
    pool-prefix-length=56 request=address,prefix

BEFORE I continue, do both routers have a public IP? Specifically, are you forwarding a port on the TPLINK to Router B??
I will assume so for the moment.

Router B

  1. I see that you elected not to set the IP address of Router B statically; not a problem, just an observation.
    /ip dhcp-client
    add interface=ether1

  2. Same as for the other router, I have no clue why you are doing this.
    add address=0.0.0.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=0.0.0.0 netmask=24

  3. Doesn't exist, needs to be removed.
    add address=192.168.30.0/24 list=AUTHORIZED

  4. Not sure why you have clamp rules, and two of them; if for the wireguard, use this.
    add action=change-mss chain=forward new-mss=1380 out-interface=WG-B protocol=tcp tcp-flags=syn tcp-mss=1381-65535

  5. Change your srcnat rule; remember the handshake has to have a path to get out too, and you have WG-B in the WAN interface list, so all good with the default rule!!
    /ip firewall nat
    add action=masquerade chain=srcnat out-interface-list=WAN

  6. Adjust routing rules slightly, and order counts.
    /routing rule
    add min-prefix=0 action=lookup-only-in-table table=main
    add src-address=192.168.20.0/24 action=lookup-only-in-table table=wg-vpn

Note: It would not matter if you used lookup or lookup-only, as the router has no idea if the wireguard interface is up or down in terms of routing.
To do that you would have to add another ip route, but since you don't ever want the users to use the local WAN for internet, not needed.

  7. If your ip dhcp client does not add a route, then you need a manual route.

/ip route
add dst-address=0.0.0.0/0 gateway=ether1 routing-table=main
← only required if default-route=no in ip dhcp client settings.
add dst-address=0.0.0.0/0 gateway=WG-B routing-table=wg-vpn
add dst-address=192.168.10.0/24 gateway=WG-B routing-table=main
add check-gateway=ping dst-address=192.168.32.1 gateway=WG-B routing-table=main
← only required if users have the option to go to local WAN

++++++++++++++++++++++++++++++++++++++
Now assuming all fixes are made, let's see if there are any obstacles to the required traffic.
User in vlan10 (local admin) enters 192.168.50.1 in his browser to access the TPLINK router.
The router sees such a non-local subnet exists on a route through wireguard.
The router sees the address is a legit remote subnet and finds the correct peer.
The router sees the firewall rule allowing the traffic.
OFF the user goes into the tunnel.

Upon arriving at Router B:
The router sees all IPs are allowed out of the tunnel, so the traffic is permitted.
The router knows about the destination address as it's somewhat local …
The router routes the traffic out the WAN port to the TPLINK and srcnats the source address 192.168.10.X to 192.168.50.Y (Y being the LAN IP assigned by the TPLINK to the MT).
The TPLINK recognizes the source address and the user accesses the TP-Link user interface.
Return traffic is sent back to the MT 192.168.50.Y.
The router receives it and unsourcenats it to 192.168.10.X, sees the route for that and sends the return traffic into the tunnel heading for Router A.

SAME SAME for a remote wireguard client (admin on laptop on wireguard) 192.168.32.3.
The only difference is that first the remote client connects to Router A, exits from the tunnel and then re-enters the tunnel due to our relay rule in place.
Rest is the same.
On return traffic the relay rule is used again.

Additionally, in Location B, you're missing a masquerade rule for traffic going out ether1:

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
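To make the packet walk in the reply concrete, here is an added Python model (not code from the thread or from RouterOS) of the three decisions that matter for the 192.168.50.1 request: WireGuard's allowed-address matching on both routers, Router B's route lookup, and the srcnat on ether1 that the last reply says is missing. It uses the subnets from the post and a constructed TP-Link DHCP lease of 192.168.50.7 for Router B's ether1; it assumes the TP-Link has no route for 192.168.10.0/24 and does not model the firewall filter chains.

```python
"""Model of the admin packet walk Router A LAN -> WireGuard -> Router B -> TP-Link.
Added example with constructed addressing; not from the thread or RouterOS."""
import ipaddress as ipa

# Router A peers, as in the post. WireGuard "cryptokey routing": an outbound
# packet goes to the peer whose allowed-address list contains the destination
# (longest prefix wins); an inbound packet is dropped unless its source is in
# the sending peer's list.
A_PEERS = {
    "NETX1": ["192.168.32.2/32", "192.168.20.0/24", "192.168.50.0/24"],
    "NETX2": ["192.168.32.3/32", "192.168.30.0/24", "192.168.0.0/24"],
}
# Router B: single peer with allowed-address=0.0.0.0/0 (any source accepted).
B_PEERS = {"peer1": ["0.0.0.0/0"]}
B_ETHER1 = ipa.ip_address("192.168.50.7")   # constructed lease from the TP-Link
B_ROUTES = [("192.168.50.0/24", "ether1"),  # connected via the DHCP lease
            ("192.168.10.0/24", "WG-B"),    # route from the post
            ("0.0.0.0/0", "WG-B")]          # default into the tunnel
TPLINK_LAN = ipa.ip_network("192.168.50.0/24")

def peer_for(peers, addr):
    """Return the peer whose allowed-address has the longest match, else None."""
    best, best_len = None, -1
    for name, nets in peers.items():
        for net in map(ipa.ip_network, nets):
            if ipa.ip_address(addr) in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best

def route(routes, dst):
    """Longest-prefix lookup in Router B's main table; returns the interface."""
    hits = [(ipa.ip_network(n), ifc) for n, ifc in routes
            if ipa.ip_address(dst) in ipa.ip_network(n)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def trace(src, dst, masq_ether1):
    """Walk one packet from Router A's LAN to the TP-Link and back.
    Returns (source address the TP-Link sees, whether a reply can return)."""
    if peer_for(A_PEERS, dst) != "NETX1":      # A must pick the Location B peer
        return None, False
    if peer_for(B_PEERS, src) is None:         # B's 0.0.0.0/0 admits any source
        return None, False
    if route(B_ROUTES, dst) != "ether1":       # B must route toward the TP-Link
        return None, False
    # srcnat only happens if a masquerade rule matches out-interface=ether1.
    seen = B_ETHER1 if masq_ether1 else ipa.ip_address(src)
    # Assumption: the TP-Link can only answer on-link sources; a 192.168.10.x
    # source has no route there, so the reply never leaves the TP-Link.
    reply_ok = seen in TPLINK_LAN
    # B un-NATs the reply (if it NATed) and must route 192.168.10.x into WG-B.
    return str(seen), reply_ok and route(B_ROUTES, src) == "WG-B"
```

Run `trace("192.168.10.5", "192.168.50.1", masq_ether1=False)` to see the failure mode from the question, and with `True` to see the path the masquerade rule opens.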