Hello,
I was able to get my Android phone connected via a wireguard tunnel to my Mikrotik with help from here https://youtu.be/YZGHf70Eyj4.
However, I am unable to access the Mikrotik web GUI by its LAN IP or its tunnel address. Is that normal? I can get to other things on the LAN, just not the router itself.
Does anyone know what I might look for?
Thanks.
It’s probably the firewall. You can try something like this:
/ip firewall filter
add chain=input in-interface=<WG interface> protocol=tcp dst-port=80 action=accept
You can skip protocol and dst-port if you want to allow any access from the tunnel.
Further, if you have multiple peers coming in on the wireguard interface, you will probably want to narrow it down to the admin’s mobile device IP.
/ip firewall filter
add chain=input action=accept in-interface=<WG interface> protocol=tcp dst-port=80 src-address=wireguard_IP_Admin_mobiledevice
…
More on wireguard here… (para 5 covers firewall rules in general for wireguard)
https://forum.mikrotik.com/viewtopic.php?t=182340
Oh yes. That works. Thank you!
What’s important is that you understand why it works and why it wasn’t working before.
I see why the new rule would make it work. However, I don’t really understand why it didn’t work to start with since the Wireguard interface is an RFC1918 address in IP -> Addresses. All my other LANs routed between other LANs with no further action. My guess is that it has something to do with the “LAN” traffic coming inbound on the external interface?
There’s no special handling for different kinds of addresses (public/private). What makes the difference, assuming that you have the default firewall, is that the LAN interface is in the “LAN” interface list and the firewall blocks new connections from elsewhere. And your new WG interface is also “elsewhere”. So you need either a firewall rule, or you could add the WG interface to the LAN list.
Thus, it’s understanding how the firewall rules work or don’t work on the MT device. Which is what you need to learn…
Without any firewall rules in place, by the way, all traffic is allowed.
OK, I see. Thanks guys for the information. I did look for a LAN list but I didn’t really find a list in the GUI that actually listed out the LAN interfaces. I’ll have another look when I get a chance.
Interfaces->Interface List
I just went through this problem recently and found a few places where Wireguard clients could get blocked from the WWW or Winbox access. I do like the encouragement here to understand WHY - and for me, I had been relying on following https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router so went back there to figure out the “why”… These suggestions are only helpful if you (like me) followed the ‘Securing your Router’ suggestions but maybe did not fully understand them at the time.
-
You can stop the www & winbox services from being accessible by IP Address range - I had limited winbox to my local 192.68.0.x range and therefore Router WWW and Winbox sessions could not connect:
https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router#RouterOS_services
“…each /ip service entity might be secured by allowed IP address…”
i.e. IP → Services → Service Name (winbox/www) → Available From ( x.x.x.x/yy)
Solution: Add the wireguard IP Range to the ‘Available From’ (or remove all entries and have a lot less security…) -
If you followed ‘Securing Your Router’ you may have created a list ‘Allowed_to_Router’ and disallowed any IP range outside your local network from talking to your router at all:
https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router#IPv4_firewall_to_a_router
“…create address-list for IP addresses, that are allowed to access your router”
i.e. IP → Firewall → Accept Input → Address List ‘Allowed_to_Router’
Since I had followed this advice, the IP range of my Wireguard clients was not in my ‘Allowed_to_Router’ list, and they were therefore blocked by this rule.
Solution: IP → Firewall → Address List → Allowed_to_Router (Add Wireguard range) - this would be exactly the problem solved by @Sob’s ‘accept input from WG Interface’ firewall rule - but solved in a prettier way by adding the Wireguard IP Range to the ‘Allowed_to_Router’ list, instead of prohibiting access with one rule, and reinstating access with another… -
Finally, you could have stopped your Admin user logging in from the Wireguard Address range:
https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router#Access_by_IP_address
“…it is possible to restrict username access for the specific IP address…”
System → Users → {your admin user} → Allowed Address → x.x.x.x/yy
Maybe this will help someone finding this post in future!
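The two fixes from the earlier reply (add the WG interface to the LAN list, or accept input from the tunnel) and the three extra gates from the ‘Securing Your Router’ post above, written out as RouterOS CLI. This is an added example, not any poster’s actual config; the interface name wireguard1, tunnel subnet 10.0.0.0/24, admin phone 10.0.0.2 and LAN 192.168.0.0/24 are assumed values.

```routeros
# Added example for this thread, not the posters' own config.
# Assumed names/addresses: WireGuard interface "wireguard1", tunnel
# subnet 10.0.0.0/24, admin phone 10.0.0.2, LAN 192.168.0.0/24.

# --- Option A (from the reply above): treat the tunnel as LAN ---
# The default firewall accepts input from the "LAN" interface list and
# drops new connections from everywhere else, so membership alone
# restores access to the router itself.
/interface list member
add list=LAN interface=wireguard1 comment="WG tunnel counts as LAN"

# --- Option B: keep the tunnel outside LAN, allow only the admin peer ---
# Narrowed to one source address and the two management ports;
# place-before=0 puts it ahead of the default drop rules.
/ip firewall filter
add chain=input action=accept in-interface=wireguard1 \
    src-address=10.0.0.2/32 protocol=tcp dst-port=80,8291 \
    place-before=0 comment="admin phone -> www/winbox over WG"

# --- The three other gates from the 'Securing Your Router' post ---
# Only needed if you restricted them earlier; defaults leave them open.
# 1) Service-level allow list (IP -> Services -> Available From)
/ip service
set www address=192.168.0.0/24,10.0.0.0/24
set winbox address=192.168.0.0/24,10.0.0.0/24

# 2) Address list consumed by an "accept input" rule
/ip firewall address-list
add list=Allowed_to_Router address=10.0.0.0/24 comment="WG peers"

# 3) Per-user login restriction (System -> Users -> Allowed Address)
/user
set admin address=192.168.0.0/24,10.0.0.0/24

# Verify: input-chain rule order, service and user restrictions
/ip firewall filter print where chain=input
/ip service print
/user print
```

Options A and B are alternatives; pick one, and prefer B when several peers share the tunnel so only the admin device reaches the management ports.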
I saw that. When you click LAN, it just says list = LAN. If you click “lists” and then click “LAN”, it’s empty.
Button “Lists” shows another window where you define lists. And the main window shows lists and their member interfaces.

Yes P3tr, there are multiple areas to control access to winbox.
-
Firewall Rules - Input chain controls ACCESS TO the router (or at least to Services on the router such as winbox).
-
TOOLS MAC Server —> MAC WinBox Server - can limit which interface list is authorized to access winbox!
-
SYSTEM–> Users —> ALLOWED ADDRESSES - which IP addresses etc are permitted to attempt to login to the Router.
-
IP – IP SERVICE LIST -----> Specific PORTS allocated for Services and ALLOWED IP addresses if desired.
( THUS authorized or allowed IPs for winbox CAN be entered in 3/4 options above (firewall rules via firewall address list). They all have different purposes and care must be taken to use them in concert with each other. )