Chateau lte12 route traffic to Wireguard on VPS

Hello!

I’m trying to route all the traffic from my Chateau lte Mikrotik router using wireguard to a VPS in the US.

I installed Wireguard on the VPS and can successfully connect using the Wireguard app on my phone.

I tried to configure as best as I could based on other posts but am still stuck. Below are all the settings I have from the VPS and my Mikrotik router config

MY WG interface I created on the router is called “DallasVPS”

Thanks for any help you can provide!

Interface
# Client profile generated on the VPS side. 10.xx.xx.2 is also the address the
# router config below assigns to DallasVPS, so phone and router would share one
# tunnel address unless one of them is changed.
Address = 10.xx.xx.2/24, fddd:xxx:xxx:xxx::2/64
# DNS is honoured by wg-quick / the mobile app only; RouterOS does not read this
# file, its resolver is set separately under /ip dns.
DNS = 8.8.8.8, 8.8.4.4
Private Key = XXXXXXXXX

Peer
Publickey = XXXXXXXXX
Presharedkey = XXXXXXXXX
# 0.0.0.0/0, ::/0 = full tunnel: every destination is sent to the VPS peer.
Allowed IPs = 0.0.0.0/0, ::/0
Endpoint = 167.xx.xx.21:51820
PersistentKeepalive = 25

Mikrotik config:

# 2025-06-11 23:26:22 by RouterOS 7.19.1
# software id = M3RS-KK0M
#
# model = RBD53G-5HacD2HnD&EG18-EA
# serial number = XXXXXXXXXXX
/interface bridge
add admin-mac=48:8F:5A:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=xxx distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=LMT-DD09 wireless-protocol=802.11 wps-mode=push-button-5s
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country=xxx disabled=no distance=indoors frequency=\
    auto installation=indoor mode=ap-bridge skip-dfs-channels=10min-cac ssid=\
    LMT-5G-DD09 wireless-protocol=802.11
/interface lte
set [ find default-name=lte1 ] allow-roaming=no band="" network-mode=lte
/interface wireguard
# Tunnel interface toward the VPS. listen-port only matters for peers that
# initiate toward this router; the peer below has endpoint-address set, so this
# router is the one dialling out (and keeping the session alive).
add comment="WireGuard DallasVPN" listen-port=51820 mtu=1420 name=DallasVPS
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] apn=internet.lmt.lv ipv6-interface=bridge name=\
    "LMT Internet" use-network-apn=no
add apn=static1.lmt.lv ip-type=ipv4 name=LMT-static1.lmt.lv
add apn=static2.lmt.lv ip-type=ipv4 name=LMT-static2.lmt.lv
add apn=internet1.lmt.lv ip-type=ipv4 name=LMT-internet1.lmt.lv
add apn=static61.lmt.lv ipv6-interface=bridge name=LMT-static61.lmt.lv
add apn=static62.lmt.lv ipv6-interface=bridge name=LMT-static62.lmt.lv
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=LMT
/ip pool
add name=default-dhcp ranges=192.168.8.10-192.168.8.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
# "*1" is an unresolved interface reference in the export (the thread later
# suggests it points at the "lo" loopback) - check /interface print and drop
# this port entry if it is not a real LAN port.
add bridge=bridge comment=defconf interface=*1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
# Putting DallasVPS in WAN means the defconf masquerade rule and the forward
# "drop all from WAN not DSTNATed" rule already apply to the tunnel.
add interface=DallasVPS list=WAN
/interface lte settings
set external-antenna=auto
/interface wireguard peers
# allowed-address=0.0.0.0/0,::/0 permits any destination through this peer
# but does not install a route: this export has no /ip route, routing table or
# routing rule pointing at DallasVPS, so LAN traffic still leaves via lte1.
# Keys are scrubbed in the paste.
add allowed-address=0.0.0.0/0,::/0 client-keepalive=25s endpoint-address=\
    167.xx.xx.21 endpoint-port=51820 interface=DallasVPS name=peer1 \
    preshared-key="scrubbbedpresharedkey" public-key=\
    "scrubbedpublickey"
/ip address
add address=192.168.8.1/24 comment=defconf interface=bridge network=\
    192.168.8.0
# 10.xx.xx.2 is the same tunnel address as the VPS-generated phone profile
# shown earlier in the post - two peers with one address.
add address=10.xx.xx.2/24 interface=DallasVPS network=10.xx.xx.0
/ip dhcp-server network
add address=192.168.8.0/24 comment=defconf gateway=192.168.8.1
/ip dns
# The router answers DNS for any source that reaches the input chain; only the
# "drop all not coming from LAN" input rule below keeps this LAN-only.
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.8.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# TCP/8081 on the router is reachable from exactly one ISP address (LMT is the
# carrier, per the thread). What listens on 8081 is not visible in this export -
# confirm that before deciding whether to keep the rule.
add action=accept chain=input comment="defconf: accept LMT provisioning" \
    dst-port=8081 protocol=tcp src-address=212.xx.xx.83
# Also drops input arriving via DallasVPS (WAN list, not LAN), so the VPS peer
# cannot reach router services beyond ICMP and established flows.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# No earlier forward rule drops new connections from LAN, so as the chain stands
# this accept changes nothing; it only becomes meaningful with a final drop rule.
add action=accept chain=forward in-interface-list=LAN out-interface=DallasVPS
# Opens UDP/51820 on the router to every source (input chain, no src-address).
# Not needed while this router initiates toward the VPS endpoint.
add action=accept chain=input dst-port=51820 protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# Already matched by the rule above because DallasVPS is in the WAN list.
add action=masquerade chain=srcnat out-interface=DallasVPS
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
# Same as the IPv4 counterpart: nothing earlier in this chain drops new traffic
# from LAN with a good address, so this accept has no effect as written.
add action=accept chain=forward in-interface-list=LAN out-interface=DallasVPS
/system clock
set time-zone-name=Europe/Riga
/system routerboard reset-button
set enabled=yes hold-time=5s..10s on-event=reset-configuration
/system script
# Default reset script invoked by the reset button above; it runs without
# permission checks and carries password/sensitive policy - standard defconf.
add dont-require-permissions=yes name=reset-configuration owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "/system reset-configuration"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
  1. You have a problem on an interface on the bridge???
    add bridge=bridge comment=defconf interface=*1

  2. One obvious problem is DUPLICATE IP ADDRESSES (your phone is .2 and your router is .2)
    MODIFY TO:
    /ip address
    add address=192.168.8.1/24 comment=defconf interface=bridge network=
    192.168.8.0
    add address=10.xx.xx.3/24 interface=DallasVPS network=10.xx.xx.0

Remember to change your setting on the VPS for the router on allowed IPs to 10.xx.xx.3/32

  1. I have no idea what LMT provisioning is…
    If this rule means direct access to a router service WITHOUT encryption then it's a security problem
    and should be removed asap. Use Wireguard to access the router remotely and securely!
    add action=accept chain=input comment="defconf: accept LMT provisioning"
    dst-port=8081 protocol=tcp src-address=212.xx.xx.83

  2. Much better to do this… on router.
    /ip firewall address-list
    add address=192.168.88.X list=Authorized comment="admin local PC"
    add address=192.168.88.Y list=Authorized comment="admin local laptop/smartphone wifi"
    add address=10.xx.xx.2 list=Authorized comment="admin remote iphone"

/ip firewall
(other rules)
add chain=input action=accept comment="admin to router" src-address-list=Authorized
add chain=input action=accept comment="users to router" in-interface-list=LAN dst-port=53 protocol=udp
add chain=input action=accept comment="users to router" in-interface-list=LAN dst-port=53 protocol=tcp
add chain=input action=drop comment="Drop all else"

  1. Your router is NOT the server for wireguard (the VPS is), so remove this input-chain rule, which sits after the last rule of the forward chain in your export. REMOVE>…
    add action=accept chain=input dst-port=51820 protocol=udp

  2. Duplicate rule in srcnat: since you added the VPS wireguard interface as a WAN list member, there is no need for a separate srcnat rule. It is covered by the first rule already!! Remove
    /ip firewall nat
    add action=masquerade chain=srcnat comment="defconf: masquerade"
    ipsec-policy=out,none out-interface-list=WAN
    add action=masquerade chain=srcnat out-interface=DallasVPS





    7. The question I have is: do you want the router users to have a fallback position?
    Are they allowed to use the local internet, or maybe just some users, when the WIREGUARD connection is NOT working???

Cannot advise too much more without this known!
Also you have no method to push your local users into the tunnel.
Easiest is by a combination of table, routing rule and route, more difficult by mangling.

Thanks anav

  1. I assume that is correct (I’m still learning)
  2. This is now updated as you showed
    3/4. LMT is the internet service provider not sure if it’s wise to eliminate that rule.
  3. Removed as indicated
  4. Removed as indicated
  5. This will be dedicated to only connecting via wireguard for connected devices. I have separate internet service on a mesh setup for non VPN devices.

I can ping 167.xx.xx.21 via DallasVPS interface (via winbox tools/ping) successfully but nothing else is using the connection yet.

Updated config is below:

# 2025-06-13 00:13:45 by RouterOS 7.19.1
# software id = M3RS-KK0M
#
# model = RBD53G-5HacD2HnD&EG18-EA
# serial number = XXXXXXXXXX
/interface bridge
add admin-mac=48:8F:5A:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=xxx distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=LMT-DD09 wireless-protocol=802.11 wps-mode=push-button-5s
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country=xxx disabled=no distance=indoors frequency=\
    auto installation=indoor mode=ap-bridge skip-dfs-channels=10min-cac ssid=\
    LMT-5G-DD09 wireless-protocol=802.11
/interface lte
set [ find default-name=lte1 ] allow-roaming=no band="" network-mode=lte
/interface wireguard
# Tunnel interface toward the VPS; this router dials out to the peer endpoint
# below, so listen-port is not what carries the session.
add comment="WireGuard DallasVPN" listen-port=51820 mtu=1420 name=DallasVPS
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] apn=internet.lmt.lv ipv6-interface=bridge name=\
    "LMT Internet" use-network-apn=no
add apn=static1.lmt.lv ip-type=ipv4 name=LMT-static1.lmt.lv
add apn=static2.lmt.lv ip-type=ipv4 name=LMT-static2.lmt.lv
add apn=internet1.lmt.lv ip-type=ipv4 name=LMT-internet1.lmt.lv
add apn=static61.lmt.lv ipv6-interface=bridge name=LMT-static61.lmt.lv
add apn=static62.lmt.lv ipv6-interface=bridge name=LMT-static62.lmt.lv
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=LMT
/ip pool
add name=default-dhcp ranges=192.168.8.10-192.168.8.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
# Still an unresolved "*1" reference (thread suggests it is "lo"); verify with
# /interface print and remove the port entry if it is not a real LAN port.
add bridge=bridge comment=defconf interface=*1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
# DallasVPS in WAN: covered by the defconf masquerade and by the forward
# "drop all from WAN not DSTNATed" rule, so VPS-initiated new flows are dropped.
add interface=DallasVPS list=WAN
/interface lte settings
set external-antenna=auto
/interface wireguard peers
# allowed-address=0.0.0.0/0,::/0 alone does not steer traffic into the tunnel;
# there is still no /ip route, routing table or routing rule toward DallasVPS
# in this export, which matches the observation that only pings over the
# interface work. Keys are scrubbed in the paste.
add allowed-address=0.0.0.0/0,::/0 client-keepalive=25s endpoint-address=\
    167.xx.xx.21 endpoint-port=51820 interface=DallasVPS name=peer1 \
    preshared-key="scrubbbedpresharedkey" public-key=\
    "scrubbedpublickey"
/ip address
add address=192.168.8.1/24 comment=defconf interface=bridge network=\
    192.168.8.0
# Now .3, distinct from the phone profile's .2; the VPS peer entry for the
# router must allow 10.xx.xx.3 accordingly.
add address=10.xx.xx.3/24 interface=DallasVPS network=10.xx.xx.0
/ip dhcp-server network
add address=192.168.8.0/24 comment=defconf gateway=192.168.8.1
/ip dns
# Resolver open to any source reaching the input chain; the "drop all not
# coming from LAN" input rule below is what keeps it LAN-only.
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.8.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# TCP/8081 accepted from a single ISP address only; the service behind 8081
# is not shown in this export, so confirm it before keeping or removing.
add action=accept chain=input comment="defconf: accept LMT provisioning" \
    dst-port=8081 protocol=tcp src-address=212.xx.xx.83
# Also blocks router services from the DallasVPS side (WAN list, not LAN).
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# No earlier forward rule drops new LAN-originated connections, so this accept
# is a no-op as the chain stands; it matters only if a final drop is added.
add action=accept chain=forward in-interface-list=LAN out-interface=DallasVPS
/ip firewall nat
# Single masquerade via the WAN list now covers both lte1 and DallasVPS.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
# As with IPv4: nothing earlier in the chain drops new LAN traffic with a good
# address, so this accept has no effect as written.
add action=accept chain=forward in-interface-list=LAN out-interface=DallasVPS
/system clock
set time-zone-name=Europe/Riga
/system routerboard reset-button
set enabled=yes hold-time=5s..10s on-event=reset-configuration
/system script
# Default reset script tied to the reset button above; runs without permission
# checks and with password/sensitive policy - standard defconf.
add dont-require-permissions=yes name=reset-configuration owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "/system reset-configuration"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

No, I meant that an interface with a *1 indicates an issue… The router is telling you that there is a problem.
Which interface is it referring to???

@anav it seems to be related to “lo” which is a loopback type interface. I’m not entirely sure what that is.