Access to Winbox - WireGuard

Hello,

I have hAP ax3 configured with a WireGuard tunnel.
The connection is ok, but I have a problem accessing Winbox when the tunnel is active.
I can reach every device in the LAN, but not the MT (also via Webfig).

I post the configuration.

Thank you.

Holy crap! Your config is unreadable with current formatting :face_with_spiral_eyes:

If you could edit the export in your post into a single code/preformatted block it would be easier to read. Put 3 back ticks ``` on an empty line, then the export, and then three more back ticks on a line after.

In the meantime, it doesn't look like your wireguard interface is in the LAN interface list. So peer traffic isn't hitting the firewall input chain allow rules to access the router. Try:

/interface list member
add interface=wireguard list=LAN

Alternately you could set up an input chain rule just for one peer by IP address if you want to limit access.
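As an added example, not cpunk's or the thread's own config: the narrower alternative mentioned above, an input-chain rule that lets only one peer address on the tunnel reach the router's management ports instead of treating the whole wireguard interface as LAN. With allowed-address=0.0.0.0/0 on the peer, putting wireguard in the LAN list means anything the provider routes down the tunnel reaches the router's input chain; this keeps that to one source and logs the rest. It assumes RouterOS v7 syntax, the interface name wireguard and the defconf rule comments from the export, the default Winbox (8291/tcp) and WebFig (80,443/tcp) ports, and a placeholder peer address 10.134.73.1 that has to be replaced with the real in-tunnel address of the peer.

```routeros
# Added example (not from the thread): allow management only from one tunnel
# peer instead of adding the whole wireguard interface to the LAN list.
# Placeholder: 10.134.73.1 stands for the peer's address inside the tunnel.

/ip firewall address-list
add list=wg-mgmt address=10.134.73.1 \
    comment="tunnel peer allowed to manage the router"

/ip firewall filter
# Winbox and WebFig only, only from the listed peer, and only when the
# packet really arrived on the tunnel interface. Inserted above the defconf
# "drop all not coming from LAN" rule so it is evaluated before the drop.
add chain=input action=accept in-interface=wireguard \
    src-address-list=wg-mgmt protocol=tcp dst-port=8291,80,443 \
    comment="allow management from one WireGuard peer" \
    place-before=[find comment="defconf: drop all not coming from LAN"]

# Any other management attempt arriving on the tunnel is logged, then
# discarded by the defconf drop rule that follows.
add chain=input action=log log-prefix="wg-mgmt-denied " \
    in-interface=wireguard protocol=tcp dst-port=8291,80,443 \
    comment="log denied management attempts from tunnel" \
    place-before=[find comment="defconf: drop all not coming from LAN"]
```

After applying it, "/ip firewall filter print" should show the accept rule, then the log rule, then the defconf drop rule; the "wg-mgmt-denied" prefix in "/log print" tells you whether anything other than the expected peer is trying to reach the router over the tunnel.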


/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 \
    name=xxx password=xxx service-name=xxx use-peer-dns=yes user=\
    xxx
/interface wireguard
add comment=VPN listen-port=5741 mtu=1420 name=wireguard private-key=\
    "xxx="
/interface ethernet switch
set 0 cpu-flow-control=yes
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp-pool ranges=192.168.2.0/24
add comment=vpn-pool name=vpn-pool ranges=192.168.2.0/24
/ip dhcp-server
add address-pool=dhcp-pool interface=bridge lease-time=1d name=dhcp-lan
/ip smb users
set [ find default=yes ] disabled=yes
/routing table
add comment=VPN disabled=no fib name=wireguard
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=wifi1
add bridge=bridge interface=wifi2
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=TIM list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=\
    195.242.213.194 endpoint-port=51820 interface=wireguard name=peer \
    public-key="xxx="
/ip address
add address=192.168.2.1/24 interface=bridge network=\
    192.168.2.0
add address=10.134.73.186 interface=wireguard network=\
    10.134.73.186
add address=192.168.1.2 interface=ether1 network=\
    192.168.1.2
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=\
    192.168.2.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=1xx.xxx.xxx.xxx
/ip dns static
add address=192.168.2.1 comment=defconf name=mikrotik.lan type=A
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=input comment=\
    "defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=input comment=\
    "defconf: accept ICMP - drop only echo request" disabled=\
    yes dst-limit=1,5,dst-address/1m40s icmp-options=!0:0-255 limit=\
    1,5:packet protocol=icmp psd=21,3s,3,1 time=\
    0s-1d,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
    dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=drop chain=forward comment=\
    "defconf: drop invalid" connection-state=\
    invalid disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat comment=WAN ipsec-policy=out,none \
    out-interface-list=WAN
add action=masquerade chain=srcnat comment=wireguard out-interface=wireguard
/ip firewall service-port
set ftp disabled=yes
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add disabled=no distance=1 dst-address=192.168.1.1/32 \
    gateway=ether1 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    wireguard routing-table=wireguard scope=30 suppress-hw-offload=no \
    target-scope=10
/routing rule
add action=lookup disabled=no src-address=192.168.2.0/24 table=\
    wireguard

Thanks for reply, cpunk.

I’ve added wireguard to the list, but the problem persists.

There is still something not working in your formatting. When I type 3 back ticks I get a code block. Your formatting is still not as code, so it’s better since it’s consistent, but still not right. Try editing the post, delete the back ticks, select the whole export then click the preformatted text format button </>

I think I misunderstood your network. Thought you were on a wg peer while trying to access the router. You’re on a local LAN device, yeah?

Sorry for the format.

I hope it is correct now.

Yes, I have a WG tunnel from the router that protects my connection on all LAN devices.

  1. Why two duplicate pools?
    /ip pool
    add name=dhcp-pool ranges=192.168.2.0/24
    add comment=vpn-pool name=vpn-pool ranges=192.168.2.0/24

  2. Please refrain from using the same name for different interfaces or parameters in RoS; it's confusing to the reader and also may cause unknown issues.
    Recommend the following:

/routing table
add comment=VPN disabled=no fib name=use-WG

  3. You have an unknown interface associated with the WAN interface list, or you simply forgot to put name=TIM on your pppoe-config line??

  4. Now it is clear this is wireguard to a third party provider, WHY not point that out in your intro??
    It needs work; it should be:

/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=a.b.c.d endpoint-port=xxxxx \
    interface=wireguard name=peer persistent-keepalive=30s public-key="xxx="

we don't need to know the provider's endpoint address or port and you should remove them.

  5. Although this may be technically correct, it's always safe to put the third party address like so on the router..........

/ip address
add address=10.134.73.186/24 interface=wireguard network=10.134.73.0

  6. Is this the DNS server the third party server gave you??
    1xx.xxx.xxx.xxx ??

  7. Good you sourcenat the traffic going out the tunnel!

  8. GET RID of your IP address for ether1. Your pppoe client handles the termination of the ISP to your router.

  9. You do not need any route for ether1 either as you have selected use default route on the pppoe client settings!

  10. Okay I see that the idea is that all your users go out the wireguard for internet, suggest you add two more settings for a good experience.

A. A mangle rule that usually helps with browsing experience due to MTU subtleties.

/ip firewall mangle
add action=change-mss chain=forward new-mss=1380 out-interface=wireguard protocol=tcp \
    tcp-flags=syn tcp-mss=1381-65535

B. An additional routing rule to ensure local traffic (including winbox) still works...... order is important, it has to be the first rule!

/routing rule
add action=lookup-only-in-table min-prefix=0 table=main
add action=lookup disabled=no src-address=192.168.2.0/24 table=use-WG
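As an added example, not anav's or the thread's own config: the routing and mangle pieces from the list above applied together, in the order they have to be evaluated, with comments on why the local-first rule must sit above the LAN-to-VPN rule. It assumes RouterOS v7 syntax and the names from the export (bridge subnet 192.168.2.0/24, tunnel interface wireguard, the routing table renamed use-WG); the rule comments "local first" and "LAN via VPN" are chosen here for the move command and are not from the thread.

```routeros
# Added example (not from the thread): policy routing for "all LAN traffic
# via the tunnel" that still keeps local destinations reachable.
# Assumes the export's names: 192.168.2.0/24 on bridge, interface wireguard,
# routing table use-WG.

/routing table
add name=use-WG fib comment="VPN"

/ip route
# Only a default route lives in the VPN table. Everything more specific
# (the connected LAN, the 192.168.1.1/32 route to the modem) stays in main.
add dst-address=0.0.0.0/0 gateway=wireguard routing-table=use-WG \
    comment="VPN default"

/routing rule
# Rule 1: if main holds a route more specific than the default for this
# destination, use it. min-prefix=0 makes the lookup ignore 0.0.0.0/0, so
# the rule only "wins" for the LAN, the router's own addresses and the
# modem route; for internet destinations it falls through to rule 2.
# With rule 2 first, a LAN client talking to 192.168.2.1 would be looked up
# in use-WG, whose only route is the tunnel default, so the packet never
# reaches the router's own address; that is why Winbox/WebFig from the LAN
# must have this rule on top.
add action=lookup-only-in-table table=main min-prefix=0 comment="local first"
# Rule 2: everything else sourced from the LAN goes through the tunnel.
add action=lookup src-address=192.168.2.0/24 table=use-WG comment="LAN via VPN"

# If both rules already exist in the wrong order, move the local-first rule
# to position 0 instead of recreating it:
# /routing rule move [find comment="local first"] 0

/ip firewall mangle
# Clamp TCP MSS on flows leaving the tunnel so segments fit inside the
# 1420-byte WireGuard MTU without depending on path-MTU discovery.
add chain=forward action=change-mss new-mss=1380 out-interface=wireguard \
    protocol=tcp tcp-flags=syn tcp-mss=1381-65535 comment="MSS clamp to VPN"
```

"/routing rule print" must list "local first" at index 0; if it does not, the LAN-to-VPN rule is matched first and the router, the LAN and the modem are sent down the tunnel for LAN-sourced traffic.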

Hello anav,

thanks for reply.

  1. You see 2 pools because I made a test with a second pool linked to the wg interface and I forgot to remove it;
  2. ok. I changed it to use-WG;
  3. no, the denomination TIM is present. When I removed all my personal details/comments, I forgot to remove TIM from the txt;
  4. yes, I have a Kaspersky VPN. Also here, I forgot to mention it in the intro. Sorry. Kaspersky suggested I set persistent-keep-alive=10s; I don't know if a 30s change would cause problems;
  5. done;
  6. yes, I use the DNS provided by Kaspersky;
  7. yeah. No problem with the NAT;
  8. no, I need this route because if I remove it, I can’t access the ISP modem on 192.168.1.1 from the network 192.168.2.0/24 (I need to check the VDSL and VoIP status)
  9. same as 8.
  10. yes, and with your suggestions now I can access the MT from Winbox and browser, and I can ping the router!

Many thanks!