Hello Everyone,
This is my first topic on this forum
I bought router RB4011igs+rm with OS ver,7. This router now works in my office. I launched wireguard on router and on my PC at home.
After activation vpn i can ping gateway - router in my office, I have answer, but.. that’s all I can do I need access to local network in my office and access to my rb4011igs+rm using website.
Please tell me what should I do and.. how Many thanks in advance !
Below config my PC - client wireguard:
[Interface]
PrivateKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=
Address = 10.11.0.3/32
DNS = 192.168.88.1

[Peer]
PublicKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx=
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1
Endpoint = blablabla.net.nu:13231
PersistentKeepalive = 10

Need full config of office router.
/export file=anynameyouwish ( minus router serial number and any public WANIP information, keys etc.. )


ON PC CLIENT
If your intent is to
a. access LAN subnet on Main router
AND
b. internet through the main router the allowed IPs should only be…

AllowedIPs = 0.0.0.0/0

Here is my router config:

feb/12/2023 11:32:04 by RouterOS 7.7

software id = CX3B-WEKH

model = RB4011iGS+

serial number = XXXXXXXX

/interface bridge
add admin-mac=48:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface wireguard
add listen-port=13231 mtu=1420 name=MYVPN
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1
use-peer-dns=yes user=exampleuser.world
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.50-192.168.88.199
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/interface wireguard peers
add allowed-address=10.11.0.2/32 comment=“Latitude13;3” interface=MYVPN
persistent-keepalive=10s public-key=
“XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=”
add allowed-address=10.11.0.3/32 comment=Rmachine interface=MYVPN
persistent-keepalive=10s public-key=
“XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=”
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=
192.168.88.0
add address=10.11.0.1/24 interface=MYVPN network=10.11.0.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=
192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=accept chain=input comment=Wireguard dst-port=13231 protocol=udp
add action=drop chain=input comment=“defconf: drop invalid” connection-state=
invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input comment=
“defconf: accept to local loopback (for CAPsMAN)” dst-address=127.0.0.1
add action=drop chain=input comment=“defconf: drop all not coming from LAN”
in-interface-list=!LAN
add action=accept chain=forward comment=“defconf: accept in ipsec policy”
ipsec-policy=in,ipsec
add action=accept chain=forward comment=“defconf: accept out ipsec policy”
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack”
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=
“defconf: accept established,related, untracked” connection-state=
established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid”
connection-state=invalid
add action=drop chain=forward comment=
“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment=“defconf: masquerade”
ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment=“defconf: unspecified address” list=bad_ipv6
add address=::1/128 comment=“defconf: lo” list=bad_ipv6
add address=fec0::/10 comment=“defconf: site-local” list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment=“defconf: ipv4-mapped” list=bad_ipv6
add address=::/96 comment=“defconf: ipv4 compat” list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment=“defconf: documentation” list=bad_ipv6
add address=2001:10::/28 comment=“defconf: ORCHID” list=bad_ipv6
add address=3ffe::/16 comment=“defconf: 6bone” list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=
invalid
add action=accept chain=input comment=“defconf: accept ICMPv6” protocol=
icmpv6
add action=accept chain=input comment=“defconf: accept UDP traceroute” port=
33434-33534 protocol=udp
add action=accept chain=input comment=
“defconf: accept DHCPv6-Client prefix delegation.” dst-port=546 protocol=
udp src-address=fe80::/10
add action=accept chain=input comment=“defconf: accept IKE” dst-port=500,4500
protocol=udp
add action=accept chain=input comment=“defconf: accept ipsec AH” protocol=
ipsec-ah
add action=accept chain=input comment=“defconf: accept ipsec ESP” protocol=
ipsec-esp
add action=accept chain=input comment=
“defconf: accept all that matches ipsec policy” ipsec-policy=in,ipsec
add action=drop chain=input comment=
“defconf: drop everything else not coming from LAN” in-interface-list=
!LAN
add action=accept chain=forward comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid”
connection-state=invalid
add action=drop chain=forward comment=
“defconf: drop packets with bad src ipv6” src-address-list=bad_ipv6
add action=drop chain=forward comment=
“defconf: drop packets with bad dst ipv6” dst-address-list=bad_ipv6
add action=drop chain=forward comment=“defconf: rfc4890 drop hop-limit=1”
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment=“defconf: accept ICMPv6” protocol=
icmpv6
add action=accept chain=forward comment=“defconf: accept HIP” protocol=139
add action=accept chain=forward comment=“defconf: accept IKE” dst-port=
500,4500 protocol=udp
add action=accept chain=forward comment=“defconf: accept ipsec AH” protocol=
ipsec-ah
add action=accept chain=forward comment=“defconf: accept ipsec ESP” protocol=
ipsec-esp
add action=accept chain=forward comment=
“defconf: accept all that matches ipsec policy” ipsec-policy=in,ipsec
add action=drop chain=forward comment=
“defconf: drop everything else not coming from LAN” in-interface-list=
!LAN
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=RTIK
/system routerboard settings
set enter-setup-on=delete-key
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

/interface wireguard peers
add allowed-address=10.11.0.2/32

make allowed-address 0.0.0.0/0 so any traffic can be routed over wireguard peers

And you need to add a route in for the remote subnet at both ends

e.g.
/ip route
add dst-address=192.168.2.0/24 gateway=10.11.0.2

/ip route
add dst-address=192.168.88.0/24 gateway=10.11.0.1

Good morning,
(1) Your wireguard settings on the Router are correct.

(2) As I mentioned on my first post, the settings on the Client ( Laptop ) for the router peer should only have one entry 0.0.0.0/0
That covers off both internet traffic and any remote traffic desired to reach the subnets at the router.
If you didnt want internet then the peer settings would be
10.11.0.1,192.168.88.0/24

(3) No additional routes are required, on the router, because the router creates one automatically
dst-address=10.11.0.0/24 gwy=MYVPN

(4) Due to the nature of the firewall rules, nothing should be blocking your traffic to the subnets either.
So its a bit of a mystery at this point.

+++++++++++++++++++++++++++++++++++++++++++++++++++

In any case we will do a few things..

(5) Add the wireguard interface as a LAN list member. Without changing firewall rules that will enable you to config the router
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=MYVPN list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN

This is due to the input chain dropping anything not coming from the LAN. With wireguard included in the LAN list, you should be able to reach the router itself for configuration purposes.

(6) On the forward chain side we will be a bit more aggressive and take the one default rule and modify it etc…
add action=drop chain=forward comment=
“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN

TO:
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=“port forwarding” connection-nat-state=dstnat
add action=drop chain=forward comment=“drop all else”

What we have done is take a complex rule with implied functionality into much clearer and better security rules.
from stating drop all traffic from the WAN that is not meant for port forwarding ( and allow everything else )
We go to stating. allow internet traffic originating from the LAN, allow port forwarding, drop everything else ( allow only what we want and drop everything else )

(7) If you are still having issue after this, then I would look at windows based laptops as the problem ( w11 doesnt play nice and often they have firewalls that get in the way )

Hi,
After command: add interface MYVPN list=LAN I’ve got access to my router via client PC On client I used version without Internet by vpn (one of the option how did You help me).
Unfortunatelly I still can’t connect via rdp to computers on the LAN network.
*Other commands hmm Something went wrong:

[admin@RTIK] > /interface list member
[admin@RTIK] /interface/list/member> add comment=defconf interface=bridge list=LAN

failure: already have such entry
[admin@RTIK] /interface/list/member> add comment=defconf interface=bridge list=LAN

failure: already have such entry
[admin@RTIK] /interface/list/member> add interface=MYVPN list=LAN
[admin@RTIK] /interface/list/member> add comment=defconf interface=ether1 list=WAN

failure: already have such entry
[admin@RTIK] /interface/list/member> add interface=ppoe-out1 list=WAN
input does not match any value of interface
[admin@RTIK] /interface/list/member> add action=drop chain=forward comment=
expected end of command (line 1 column 5)
[admin@RTIK] /interface/list/member> add action=drop chain=forward comment=
expected end of command (line 1 column 5)
[admin@RTIK] /interface/list/member> “defconf: drop all from WAN not DSTNATed” con
nection-nat-state=!dstnat
expected command name (line 1 column 1)
[admin@RTIK] /interface/list/member> connection-state=new in-interface-list=WAN
syntax error (line 1 column 17)
[admin@RTIK] /interface/list/member> add action=accept chain=forward in-interface-
list=LAN out-interface-list=WAN
expected end of command (line 1 column 5)
[admin@RTIK] /interface/list/member> add action=accept chain=forward comment=“port
forwarding” connection-nat-state=dstnat
expected end of command (line 1 column 5)
[admin@RTIK] /interface/list/member> add action=drop chain=forward comment=“drop a
ll else”
expected end of command (line 1 column 5)
[admin@RTIK] /interface/list/member>

Not sure I understand what I mean, you were only supposed to add the new line not add duplicates of existing lines LOL>

Sorry, I have no experience I pasted what the console returned for You to see.
What should I do now to access the LAN devices behind the router ?

I need to see the updated config.
/export file=anynameyouwish ( minus router serial # and any public WANIP info )

Hi,
My config below:

feb/14/2023 19:42:31 by RouterOS 7.7

software id = CX3B-WEKH

model = RB4011iGS+

serial number = XXXXXXXXXXXXXXXX

/interface bridge
add admin-mac=48:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface wireguard
add listen-port=13231 mtu=1420 name=MYVPN
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1
use-peer-dns=yes user=example@pibiip.pl
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.50-192.168.88.199
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add comment=“For VPN” interface=PCSVPN
list=LAN
/interface wireguard peers
add allowed-address=10.11.0.2/32 comment=“Latitude13;3” interface=MYVPN
persistent-keepalive=10s public-key=
“ZXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx=”
add allowed-address=10.11.0.3/32 comment=Rmachine interface=MYVPN
persistent-keepalive=10s public-key=
“XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=”
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=
192.168.88.0
add address=10.11.0.1/24 interface=MYVPN network=10.11.0.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
add address=192.168.88.198 client-id=1:0:24:8c:3c:xx:xx mac-address=
00:24:8C:3C:xx:xx server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=
192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=accept chain=input comment=Wireguard dst-port=13231 protocol=udp
add action=drop chain=input comment=“defconf: drop invalid” connection-state=
invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input comment=
“defconf: accept to local loopback (for CAPsMAN)” dst-address=127.0.0.1
add action=drop chain=input comment=“defconf: drop all not coming from LAN”
in-interface-list=!LAN
add action=accept chain=forward comment=“defconf: accept in ipsec policy”
ipsec-policy=in,ipsec
add action=accept chain=forward comment=“defconf: accept out ipsec policy”
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack”
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=
“defconf: accept established,related, untracked” connection-state=
established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid”
connection-state=invalid
add action=drop chain=forward comment=
“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment=“defconf: masquerade”
ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment=“defconf: unspecified address” list=bad_ipv6
add address=::1/128 comment=“defconf: lo” list=bad_ipv6
add address=fec0::/10 comment=“defconf: site-local” list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment=“defconf: ipv4-mapped” list=bad_ipv6
add address=::/96 comment=“defconf: ipv4 compat” list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment=“defconf: documentation” list=bad_ipv6
add address=2001:10::/28 comment=“defconf: ORCHID” list=bad_ipv6
add address=3ffe::/16 comment=“defconf: 6bone” list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=
invalid
add action=accept chain=input comment=“defconf: accept ICMPv6” protocol=
icmpv6
add action=accept chain=input comment=“defconf: accept UDP traceroute” port=
33434-33534 protocol=udp
add action=accept chain=input comment=
“defconf: accept DHCPv6-Client prefix delegation.” dst-port=546 protocol=
udp src-address=fe80::/10
add action=accept chain=input comment=“defconf: accept IKE” dst-port=500,4500
protocol=udp
add action=accept chain=input comment=“defconf: accept ipsec AH” protocol=
ipsec-ah
add action=accept chain=input comment=“defconf: accept ipsec ESP” protocol=
ipsec-esp
add action=accept chain=input comment=
“defconf: accept all that matches ipsec policy” ipsec-policy=in,ipsec
add action=drop chain=input comment=
“defconf: drop everything else not coming from LAN” in-interface-list=
!LAN
add action=accept chain=forward comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid”
connection-state=invalid
add action=drop chain=forward comment=
“defconf: drop packets with bad src ipv6” src-address-list=bad_ipv6
add action=drop chain=forward comment=
“defconf: drop packets with bad dst ipv6” dst-address-list=bad_ipv6
add action=drop chain=forward comment=“defconf: rfc4890 drop hop-limit=1”
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment=“defconf: accept ICMPv6” protocol=
icmpv6
add action=accept chain=forward comment=“defconf: accept HIP” protocol=139
add action=accept chain=forward comment=“defconf: accept IKE” dst-port=
500,4500 protocol=udp
add action=accept chain=forward comment=“defconf: accept ipsec AH” protocol=
ipsec-ah
add action=accept chain=forward comment=“defconf: accept ipsec ESP” protocol=
ipsec-esp
add action=accept chain=forward comment=
“defconf: accept all that matches ipsec policy” ipsec-policy=in,ipsec
add action=drop chain=forward comment=
“defconf: drop everything else not coming from LAN” in-interface-list=
!LAN
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=RTIK
/system routerboard settings
set enter-setup-on=delete-key
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

(1) I requested you add MYVPN to the LAN LIST INTERFACE. Instead you added PCSVPN, confused ??? Change this to

add interface=MYVPN list=LAN

(2) Why do you have persistent keep alive setting on the Server Router for client peer. ( Its the client your home wireguard device that needs keep alive on its peers settings for the router ). They can be removed.

/interface wireguard
add listen-port=13231 mtu=1420 name=MYVPN
/interface bridge port
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
*add comment=“For VPN” interface=PCSVPN *
list=LAN
/interface wireguard peers
add allowed-address=10.11.0.2/32 comment=“Latitude13;3” interface=MYVPN
persistent-keepalive=10s public-key=
“ZXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx=”
add allowed-address=10.11.0.3/32 comment=Rmachine interface=MYVPN
persistent-keepalive=10s public-key=
“XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=”
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=
192.168.88.0
add address=10.11.0.1/24 interface=MYVPN network=10.11.0.0
/ip firewall filter
add action=drop chain=forward comment=
“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN

(3) You failed to change the Forward chain rules as suggested.
Replace this
add action=drop chain=forward comment=
“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN

WITH THIS:
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=“port forwarding” connection-nat-state=dstnat
add action=accept chain=forward in-interface=MYVPN dst-address=192.168.88.0/24 { forgot to include this one last time }
add action=drop chain=forward comment=“drop all else”

Hello,
Regarding point 1:
I changed PCSVPN to MYVPN only for the purpose of the forum entry to be clearer. Sorry. In my config was only PCSVPN entry.
Below my config after changes. Unfortunately, I still can’t connect to devices on the LAN behind the router.

feb/15/2023 00:20:08 by RouterOS 7.7

software id = CX3B-WEKH

model = RB4011iGS+

serial number = XXXXXXXXXXXXX

/interface bridge
add admin-mac=48:A9:8A:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface wireguard
add listen-port=13231 mtu=1420 name=PCSVPN
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1
use-peer-dns=yes user=example@blabla.pl
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.50-192.168.88.199
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add comment=“for vpn” interface=PCSVPN
list=LAN
/interface wireguard peers
add allowed-address=10.11.0.2/32 comment=“Latitude13;3” interface=PCSVPN
persistent-keepalive=10s public-key=
“XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx=”
add allowed-address=10.11.0.3/32 comment=Rmachine interface=PCSVPN
persistent-keepalive=10s public-key=
“XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx=”
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=
192.168.88.0
add address=10.11.0.1/24 interface=PCSVPN network=10.11.0.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
add address=192.168.88.198 client-id=1:0:24:8c:3c:7d:ff mac-address=
00:24:8C:3C:7D:FF server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=
192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=accept chain=input comment=Wireguard dst-port=13232 protocol=udp
add action=drop chain=input comment=“defconf: drop invalid” connection-state=
invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input comment=
“defconf: accept to local loopback (for CAPsMAN)” dst-address=127.0.0.1
add action=drop chain=input comment=“defconf: drop all not coming from LAN”
in-interface-list=!LAN
add action=accept chain=forward comment=“defconf: accept in ipsec policy”
ipsec-policy=in,ipsec
add action=accept chain=forward comment=“defconf: accept out ipsec policy”
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack”
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=
“defconf: accept established,related, untracked” connection-state=
established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid”
connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=“Port forwarding”
connection-nat-state=dstnat
add action=accept chain=forward connection-nat-state=“” dst-address=
192.168.88.0/24 in-interface=PCSVPN
add action=drop chain=forward comment=“drop all else”
/ip firewall nat
add action=masquerade chain=srcnat comment=“defconf: masquerade”
ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment=“defconf: unspecified address” list=bad_ipv6
add address=::1/128 comment=“defconf: lo” list=bad_ipv6
add address=fec0::/10 comment=“defconf: site-local” list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment=“defconf: ipv4-mapped” list=bad_ipv6
add address=::/96 comment=“defconf: ipv4 compat” list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment=“defconf: documentation” list=bad_ipv6
add address=2001:10::/28 comment=“defconf: ORCHID” list=bad_ipv6
add address=3ffe::/16 comment=“defconf: 6bone” list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=
invalid
add action=accept chain=input comment=“defconf: accept ICMPv6” protocol=
icmpv6
add action=accept chain=input comment=“defconf: accept UDP traceroute” port=
33434-33534 protocol=udp
add action=accept chain=input comment=
“defconf: accept DHCPv6-Client prefix delegation.” dst-port=546 protocol=
udp src-address=fe80::/10
add action=accept chain=input comment=“defconf: accept IKE” dst-port=500,4500
protocol=udp
add action=accept chain=input comment=“defconf: accept ipsec AH” protocol=
ipsec-ah
add action=accept chain=input comment=“defconf: accept ipsec ESP” protocol=
ipsec-esp
add action=accept chain=input comment=
“defconf: accept all that matches ipsec policy” ipsec-policy=in,ipsec
add action=drop chain=input comment=
“defconf: drop everything else not coming from LAN” in-interface-list=
!LAN
add action=accept chain=forward comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid”
connection-state=invalid
add action=drop chain=forward comment=
“defconf: drop packets with bad src ipv6” src-address-list=bad_ipv6
add action=drop chain=forward comment=
“defconf: drop packets with bad dst ipv6” dst-address-list=bad_ipv6
add action=drop chain=forward comment=“defconf: rfc4890 drop hop-limit=1”
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment=“defconf: accept ICMPv6” protocol=
icmpv6
add action=accept chain=forward comment=“defconf: accept HIP” protocol=139
add action=accept chain=forward comment=“defconf: accept IKE” dst-port=
500,4500 protocol=udp
add action=accept chain=forward comment=“defconf: accept ipsec AH” protocol=
ipsec-ah
add action=accept chain=forward comment=“defconf: accept ipsec ESP” protocol=
ipsec-esp
add action=accept chain=forward comment=
“defconf: accept all that matches ipsec policy” ipsec-policy=in,ipsec
add action=drop chain=forward comment=
“defconf: drop everything else not coming from LAN” in-interface-list=
!LAN
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=RTIK
/system routerboard settings
set enter-setup-on=delete-key
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

(1) You can remove these keep alives, they do nothing…
/interface wireguard peers
add allowed-address=10.11.0.2/32 comment=“Latitude13;3” interface=PCSVPN
persistent-keepalive=10s public-key=
“XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx=”
add allowed-address=10.11.0.3/32 comment=Rmachine interface=PCSVPN
persistent-keepalive=10s public-key=\

(2) The listening port on the wg interface is 13231.
/interface wireguard
add listen-port=13231 mtu=1420 name=PCSVPN

The firewall input chain has the wg port as 13232
add action=accept chain=input comment=Wireguard dst-port=13232 protocol=udp

Hi,
Regarding Point 2:
This is the same situation like above - In my config I have only rows with port number 13232. I changed before this number for the purpose of the forum entry to make it more readable. I forgot to change this number in subsequent posts. Sorry for the confusion.

Okay assuming they are correct I have no clue as to the issue (
a. not really a publicly reachable IP ???
b. keys are not copied correctly ???

Like I said - after Your help I can open router management website via client, but that’s all.
I think, that maybe these networks don’t have any connection to each other (10.11.0.0 with 192.168.88.0) or I have some problem with firewall rules. Please look at this last one. Many thanks in advance!

Here is my config:

feb/15/2023 23:31:39 by RouterOS 7.7

software id = CX3B-WEKH

model = RB4011iGS+

serial number = XXXXXXXXXXXx

/interface bridge
add admin-mac=48:A9:8A:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface wireguard
add listen-port=13231 mtu=1420 name=PCSVPN
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1
use-peer-dns=yes user=example@blabla.pl
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.50-192.168.88.199
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add comment=“Bez tego nie masz access to brama poprzez vpn” interface=PCSVPN
list=LAN
/interface wireguard peers
add allowed-address=10.11.0.2/32 comment=“Latitude13;3” interface=PCSVPN
public-key=“XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=”
add allowed-address=10.11.0.3/32 comment=Rmachine interface=PCSVPN
public-key=“XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=”
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=
192.168.88.0
add address=10.11.0.1/24 interface=PCSVPN network=10.11.0.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
add address=192.168.88.198 client-id=1:0:24:8c:3c:7d:ff mac-address=
00:24:8C:3C:7D:FF server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=
192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=accept chain=input comment=Wireguard dst-port=13231 protocol=udp
add action=accept chain=forward connection-nat-state=“” dst-address=
192.168.88.0/24 in-interface=PCSVPN
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=“Port forwarding”
connection-nat-state=dstnat
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack”
connection-state=established,related hw-offload=yes
add action=accept chain=input comment=
“defconf: accept to local loopback (for CAPsMAN)” dst-address=127.0.0.1
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=forward comment=“defconf: accept in ipsec policy”
ipsec-policy=in,ipsec
add action=accept chain=forward comment=“defconf: accept out ipsec policy”
ipsec-policy=out,ipsec
add action=accept chain=forward comment=
“defconf: accept established,related, untracked” connection-state=
established,related,untracked
add action=drop chain=input comment=“defconf: drop all not coming from LAN”
in-interface-list=!LAN
add action=drop chain=input comment=“defconf: drop invalid” connection-state=
invalid
add action=drop chain=forward comment=“defconf: drop invalid”
connection-state=invalid
add action=drop chain=forward comment=“drop all else”
/ip firewall nat
add action=masquerade chain=srcnat comment=“defconf: masquerade”
ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment=“defconf: unspecified address” list=bad_ipv6
add address=::1/128 comment=“defconf: lo” list=bad_ipv6
add address=fec0::/10 comment=“defconf: site-local” list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment=“defconf: ipv4-mapped” list=bad_ipv6
add address=::/96 comment=“defconf: ipv4 compat” list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment=“defconf: documentation” list=bad_ipv6
add address=2001:10::/28 comment=“defconf: ORCHID” list=bad_ipv6
add address=3ffe::/16 comment=“defconf: 6bone” list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=
invalid
add action=accept chain=input comment=“defconf: accept ICMPv6” protocol=
icmpv6
add action=accept chain=input comment=“defconf: accept UDP traceroute” port=
33434-33534 protocol=udp
add action=accept chain=input comment=
“defconf: accept DHCPv6-Client prefix delegation.” dst-port=546 protocol=
udp src-address=fe80::/10
add action=accept chain=input comment=“defconf: accept IKE” dst-port=500,4500
protocol=udp
add action=accept chain=input comment=“defconf: accept ipsec AH” protocol=
ipsec-ah
add action=accept chain=input comment=“defconf: accept ipsec ESP” protocol=
ipsec-esp
add action=accept chain=input comment=
“defconf: accept all that matches ipsec policy” ipsec-policy=in,ipsec
add action=drop chain=input comment=
“defconf: drop everything else not coming from LAN” in-interface-list=
!LAN
add action=accept chain=forward comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid”
connection-state=invalid
add action=drop chain=forward comment=
“defconf: drop packets with bad src ipv6” src-address-list=bad_ipv6
add action=drop chain=forward comment=
“defconf: drop packets with bad dst ipv6” dst-address-list=bad_ipv6
add action=drop chain=forward comment=“defconf: rfc4890 drop hop-limit=1”
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment=“defconf: accept ICMPv6” protocol=
icmpv6
add action=accept chain=forward comment=“defconf: accept HIP” protocol=139
add action=accept chain=forward comment=“defconf: accept IKE” dst-port=
500,4500 protocol=udp
add action=accept chain=forward comment=“defconf: accept ipsec AH” protocol=
ipsec-ah
add action=accept chain=forward comment=“defconf: accept ipsec ESP” protocol=
ipsec-esp
add action=accept chain=forward comment=
“defconf: accept all that matches ipsec policy” ipsec-policy=in,ipsec
add action=drop chain=forward comment=
“defconf: drop everything else not coming from LAN” in-interface-list=
!LAN
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=RTIK
/system routerboard settings
set enter-setup-on=delete-key
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Yes, two things
a. we will move rules around so they are in the correct and organized order, thought that in of itself is not the issue.
and
b. modify a key rule to ensure part of an entry that I see no longer exists… as it has no business being there!!!
add action=accept chain=forward connection-nat-state=“” dst-address=
192.168.88.0/24 in-interface=PCSVPN

/ip firewall filter
{input chain default rules}
add action=accept chain=input comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=
invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input comment=
“defconf: accept to local loopback (for CAPsMAN)” dst-address=127.0.0.1
{input chain admin rules}
add action=accept chain=input comment=Wireguard dst-port=13231 protocol=udp
add action=drop chain=input comment=“defconf: drop all not coming from LAN”
in-interface-list=!LAN
{forward chain default rules}
add action=accept chain=forward comment=“defconf: accept in ipsec policy”
ipsec-policy=in,ipsec
add action=accept chain=forward comment=“defconf: accept out ipsec policy”
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack”
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=
“defconf: accept established,related, untracked” connection-state=
established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid”
connection-state=invalid
{forward chain Admin rules}
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward dst-address=192.168.88.0/24 in-interface=PCSVPN
add action=accept chain=forward comment=“Port forwarding”
connection-nat-state=dstnat
add action=drop chain=forward comment=“drop all else”

Friend, remember don’t let yourself be brought down to someone else’s level. My problem was esset internet security on the computers behind the router. I had to add exceptions to the firewall for connecting from a different subnet. Yes, I know.. I’m ashamed

Good day my Polish friend, I will drink a toast to your honest admission and very helpful one at that as it makes my understanding of helping others that much better.
Also of course, I should be patient as you have been patient accepting many UKR refugees and of course for supporting/promoting UKR independence long before any other european country!!