Can't Access LAN Devices Behind MikroTik via WireGuard Tunnel

I am hosting a WireGuard server on a VM that has a public IP, with a port exposed for clients to connect. The server’s endpoint is static. In this setup, both my MikroTik router and personal laptop are WireGuard clients, and the allowed IPs are properly configured on all devices.

WireGuard IPs are as follows:

Server: 10.100.0.1
MikroTik: 10.100.0.22
Laptop: 10.100.0.11

All devices can ping each other via their WireGuard IPs without issues.

Now, I have an additional device connected behind the MikroTik via its LAN interface. The LAN subnet is 192.168.50.0/24, and the device has a static IP of 192.168.50.10. I want to access this device from the other WireGuard peer (mainly from my laptop)

To do that, I’ve added the 192.168.50.0/24 subnet to the AllowedIPs in all peer configurations (server, laptop, and MikroTik). However, I’m unable to reach the device behind the MikroTik LAN. As a test, I’ve also tried pinging the LAN IP of the MikroTik itself (192.168.50.1) from the laptop, but it times out — suggesting traffic is not routing properly between the WireGuard and LAN interfaces on the MikroTik. Most probably the necessary routes are missing from the mikrotik side.

I have tried playing around with the firewall and NAT rules in MikroTik, but unfortunately I don’t have a strong background in networking, so I am not entirely sure if what I’ve set up is correct.

Following is my MikroTik config, I would greatly appreciate your help.
wg_lan_conf.rsc (8.02 KB)

Please draw a diagram, I have no clue how everything is hooked up together and to the internet

Hi Thank you for your response, I have added a network diagram for reference. What I’m trying to achieve is access to the LAN devices behind the MikroTik from my laptop via wireguard tunnel

As a basic test, inside MikroTik console, I’ve been trying to ping the MikroTik’s LAN interface from the WireGuard interface using:

/ping 192.168.50.1 interface=wg-client. But I consistently get host unreachable.

From what I understand, if I can’t even ping the MikroTik’s LAN IP from its own WireGuard interface, it likely means that the traffic is not being routed correctly from WG to LAN. I hope that makes sense and helps clarify the issue.

Nice drawing!

Maybe try putting the wireguard interface on the bridge?

Btw if your drawing is correct your allowed IPs on the WG Server are wrong.

Each client only gets a /32 allowed IP from the WG Subnet.

So 10.100.0.22/32 and so on

Thank you for the suggestion! I don’t have a strong networking background, so I’m not sure I fully understood what you meant. Since my WireGuard and LAN subnets are different, wouldn’t I need proper IP routing between them, along with the correct firewall and NAT rules for it to work ? I have defined some rules as you can see in the config file, but they don’t seem to work like I expected.

Yes you are right. It was a mistake in the diagram only. I reuploaded the correct diagram. The wireguard connection works fine between all three nodes, The only problem is when I try to reach MikroTik LAN from WG interface of MikroTik, it does not give any response. That route is probably missing or not recognized

I only meant it as a troubleshooting tool.

I don’t see any /ip route statements in your config.

I would try the following just to as a first step.

/interface bridge port
add bridge=bridge comment=defconf interface=wg-client

I’m sure others will have smarter solutions.

I can see 3 things.

1. You have “attached” routes which means theyre directly connected. So no need for an “/ip route” statement as Josephny said

2. this FW rule already should catch all traffic.

add action=accept chain=forward in-interface=wg-client out-interface=bridge

But keep 1 thing in mind: Some Devices (Firewall) will deny incoming traffic from unknown/all subnets if not configured to allow.

3. Drop your NAT rules. They don’t make much sense if you plan on using full routing.
   These specifically. Drop them and try again. Might be an issue with reply address cause of this config.

add action=masquerade chain=srcnat out-interface=wg-client src-address=\
    192.168.50.0/24
add action=masquerade chain=srcnat out-interface=bridge src-address=\
    10.100.0.0/24
add action=masquerade chain=srcnat dst-address=192.168.50.0/24 src-address=\
    10.100.0.0/24
add action=masquerade chain=srcnat dst-address=10.100.0.0/24 src-address=\
    192.168.50.0/24
add action=masquerade chain=srcnat out-interface=wg-client

I’m not doubting you at all; rather, curious what an attached route is?

Apparently a translation error
I meant connected route.

Which means the subnet is directly connected to an interface.

In this Case
bridge: 192.168.50.0/24
wg-client: 10.100.0.0/24

So you don’t need any extra routes to reach these two subnets.
Mikrotik just calls them “connect”

/ip/route/print 
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, s - STATIC
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#     DST-ADDRESS       GATEWAY        DISTANCE
0  As 0.0.0.0/0         192.168.253.1         1
  DAc 10.10.0.0/24      SHDEFFMWG01           0
  DAc 172.17.0.0/24     containers            0

Looking at the diagram it would appear you have three separate networks/locations.

The laptop is a remote device could be anywhere a true remote peer.
The MT device is a fixed remote device.
The Server is the local wireguard in this discussion.


All three are not connected but all three have access to the internet independently and you wish to connect them via VPN wireguard.
The glue is the SERVER to which both laptop and remote router connect to.
The key is the work at the server, it needs to be setup to allow a peer, AKA laptop, with destination of remote router(MT) to arrive at local server, exit tunnel and reenter tunnel for remote router.
In Mikrotik speak it would be something like
add action=accept chain=forward comment=“relay server” in-interface=wireguard1 out-interface=wireguard1


Also at the server, it has to know that the IP address 192.168.50.10 is a known quality which means two things.
PEER SETTING ON SERVER FOR MT
add allowed-address=10.100.0.22/32,192.168.50.0/24 interface=wireguard public-key=“----”

ROUTE for 192.168.50.0/24 exists and if the server was MT it would look like.
/ip route
add dst-address=192.168.50.0/24 gateway=wireguard table=main

+++++++++++++++++++++++++++++++++++++++++++++++++++++++

At the MT end, some work needs to be done too.
You have a basic error. Allowed IPs, does what ???.. if you don’t know you should! it IDENTIFIES remote addresses, NOT LOCAL
a. remote IPs local user may need to reach (outgoing)
b. remote users that may be coming to your device (incoming)

192.168.50.0/24 is local to the MT and has no business on the peer line and it should be removed.
/interface wireguard peers
add allowed-address=10.100.0.0/24,192.168.50.0/24 endpoint-address=
x.x.x.x endpoint-port=51820 interface=wg-client name=peer1
persistent-keepalive=25s public-key=“–±-”


If there is no longer a 192.168.88.0/24 subnet on the MT router then get rid of the default static IP DNS.
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A

Your firewall rules are incoherent and out of order as well and needs serious rejig.
Your use of masquerade is way overboard as well and needs to be rejigged.

First need to modify interface list member…
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=wg-client list=LAN
add comment=defconf interface=lte1 list=WAN

Second identify which MT lan IPs are used by the admin (wired and wifi and set them as static DHCP leases ) and create a firewall address list.
/ip firewall address-list
add address=192.168.50.X list=Authorized comment=“admin pc”
add address=192.168.50.Y list=Authorized comment=“admin-wifi-laptop”
add address=192.168.50.Z list=Authorized comment=“admin smartphone/ipad wifi”
add address=10.100.0.11 list=Authorized comment=“remote admin”

Firewall rules
/ip firewall filter
{ default rules to keep }
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address=127.0.0.1
(admin rules)
add action=accept chain=input comment=“admin to router” in-interface-list=LAN src-address-list=Authorized
add action=accept chain=input comment=“users to services” in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input comment=“users to services” in-interface-list=LAN dst-port=53 protocol=tcp
add action=drop chain=input comment=“drop all else” { insert this rule here, last of all rules so not locked out }
+++++++++++++++++++++++++++++++++
{ default rules to keep }
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
(admin rules)
add action=accept chain=forward comment=“internet traffic” in-interface-list=LAN out-interface-list-WAN
add action=accept chain=forward comment=“port forwarding” connection-nat-state=dstnat disabled=yes { enable if required or remove }
add action=accept chain=forward comment=“wireguard to LAN” in-interface=wg-client dst-address=192.168.50.0/24
add action=accept chain=forward comment=“admin to wg” in-interface-list=LAN src-address=Authorized out-interface=wg-client
add action=drop chain=forward comment=“drop all else”

/ip firewall nat
add action=masquerade chain=srcnat comment=“defconf: masquerade”
ipsec-policy=out,none out-interface-list=WAN

If, the wireguard server you are using doesnt recognize the subnet 192.168.50.0/24 then you would need to masquerade the wireguard traffic.
However, since the remote laptop is going to have a destination address of 192.168.50.X, the wireguard server will have to and also know how to route such traffic.