CHR Cloud Routing to peers

knx90 · June 10, 2025, 7:48pm

Hello guys. I’ve got CHR Hosting Mikrotik Router ver 7.19.1 on my OVH Cloud VPS and one public IP.
Already i configured two mikrotics from my 2 destinations. They are connected to Cloud server. For more clear:

i would like to ping between MT1 and MT2 and their LAN’s. i would like to connect to hosts beetwen those LANs.
i already add IP->Routes on MT2 like 10.0.0.0/24 via 10.1.0.2 and MT1 192.168.1.0/24 via 10.1.0.3 but still can’t even ping.
Also i can only ping one interface from Server terminal - cant ping 10.1.0.2 and 10.1.0.3, only one address - for now 10.1.0.3

Any solutions?

anav · June 10, 2025, 8:00pm

First of all how are you connecting to the two Mikrotik routers on the ground.
Its very unclear, what you have done so far and that is because no requirements have been stated etc..

knx90 · June 10, 2025, 8:47pm

MT1 - CG-NAT, class C on WAN Mikrotik interface
MT2 - Modem bridge configuration, WAN Mikrotik interface = WAN outside “what is my ip”

anav · June 11, 2025, 10:52am

So it would appear your M2 router gets a public IP from the bridged modem
(ip cloud IP = whatsmyIP(in browser) = ip dhcp client (or pppoe) IP.

If so, then whey do you need a CHR in the cloud? Purposes??

knx90 · June 11, 2025, 11:04am

Well that’s true - MT2 get public IP, but when im disconnecting WireGuard for example by reboot router, i cant establish agian connection between MT-1 and MT-2 till i’ll agian change port in firewall configuration and in WG configuration for random port. That’s why im trying Mikrotik VPS Router in model

LAN_1-MT1->CHR<-MT2-LAN_2. I would like to access from LAN_1 to LAN_2 and vice versa LAN_2 to LAN_1 via CHR VPS.

P.S MT-1 is based on mipsbe architecture and so i cant use Zero Tier.

anav · June 11, 2025, 11:30am

Ahh I see, so the issue is more precisely
a. I am located at R2 and reboot router 2 and lose my connection via wireguard to Router 1
OR
b. I am located at R1 and reboot router 1 and lose my connection via wireguard to Router2
OR
c. I am located at R1 and via wireguard reboot router2 and lose my connection via wireguard to Router 2 ( wg doesnt come back after reboot )

Normally after a reboot, there should be a slight delay and then wireguard reconnects is my understanding so need to figure out the correct scenario.

knx90 · June 11, 2025, 11:37am

I am located at R2 via WinBOX LAN, then goes for example restart and handshake wont establish / connections to even wg-1 interface (ping 10.1.0.1 is my wg-1 int).
I am located at R1 via WinBOX LAN and same situation like above (ping 10.1.0.2 wg-2 int)
CHR - restart same like above and 0 problems about reconnecting each wg tunnel. After 10-30 sec i’ve got each wg interface connected agian.

anav · June 11, 2025, 12:27pm

Okay, So if you reboot R2 while at R2, the wireguard connection fails to re-establish. That is not normal.
Can you confirm if your WANIP at R2 changes upon reboot?
Can you please post both configs R1 and R2

/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys )

knx90 · June 11, 2025, 2:21pm

Can you confirm if your WANIP at R2 changes upon reboot?

confirm - WANIP dosen’t change upon reboot

R1 Config

# 2025-06-11 15:57:38 by RouterOS 7.19.1
# software id =
#
# model = RB951G-2HnD
# serial number =
/interface bridge
add arp=proxy-arp fast-forward=no name=bridge_lan port-cost-mode=short \
    protocol-mode=none
add admin-mac= auto-mac=no fast-forward=no name=bridge_wan \
    port-cost-mode=short protocol-mode=none
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n channel-width=20/40mhz-Ce \
    country=no_country_set disabled=no frequency-mode=manual-txpower mode=\
    ap-bridge ssid=cisc0 station-roaming=enabled wireless-protocol=802.11
/interface wireguard
add listen-port=13231 mtu=1420 name=MT-POZ4
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.0.0.2-10.0.0.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge_lan lease-time=1m name=dhcp1
/ip smb users
set [ find default=yes ] disabled=yes
add name=mapek
/queue type
add kind=pcq name=PCQ pcq-classifier=dst-address pcq-dst-address6-mask=64 \
    pcq-src-address6-mask=64
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/ip smb
set comment=MSMB enabled=no
/interface bridge port
add bridge=bridge_wan ingress-filtering=no interface=ether1 \
    internal-path-cost=10 path-cost=10
add bridge=bridge_lan ingress-filtering=no interface=ether2 \
    internal-path-cost=10 path-cost=10
add bridge=bridge_wan ingress-filtering=no interface=ether4 \
    internal-path-cost=10 path-cost=10
add bridge=bridge_wan ingress-filtering=no interface=ether5 \
    internal-path-cost=10 path-cost=10
add bridge=bridge_lan ingress-filtering=no interface=wlan1 \
    internal-path-cost=10 path-cost=10
add bridge=bridge_wan ingress-filtering=no interface=ether3 \
    internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=wlan1 list=LAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address= endpoint-port=\
    13231 interface=MT-POZ4 name=-CHRwaw- persistent-keepalive=20s \
    public-key=""
/ip address
add address=10.0.0.1/24 interface=bridge_lan network=10.0.0.0
add address=10.1.0.3/29 interface=MT-POZ4 network=10.1.0.0
/ip dhcp-client
add interface=bridge_wan
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=192.168.0.1,8.8.8.8,1.1.1.1 gateway=\
    10.0.0.1
/ip firewall filter
add action=accept chain=input dst-port=1194 protocol=tcp
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge_wan
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add disabled=no distance=1 dst-address=192.168.1.0/24 gateway=10.1.0.2 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set ftp disabled=yes
set ssh disabled=yes
set telnet disabled=yes
set www disabled=yes port=8080
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
add directory=/mapek disabled=yes name=mapek
/routing bfd configuration
add disabled=no
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=MT-POZ451
/system scheduler
add interval=1w name=restart_net on-event="/system reboot" policy=reboot \
    start-date=2023-05-28 start-time=06:00:00

R2 config

# model = C53UiG+5HPaxD2HPaxD
/interface bridge
add name=swieto-lan
/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ac .frequency=5300 \
    .skip-dfs-channels=10min-cac .width=20/40/80mhz configuration.country=\
    Poland .mode=ap .ssid=bombu disabled=no security.authentication-types=\
    wpa2-psk,wpa3-psk
/interface wireguard
add listen-port=13231 mtu=1420 name=MT-SWIETO
/interface list
add name=WAN_p1
add name=LAN_p2p5_WiFi
/interface wifi security
add authentication-types=wpa2-psk disabled=no name=
/interface wifi
set [ find default-name=wifi2 ] channel.band=2ghz-n .skip-dfs-channels=\
    10min-cac .width=20/40mhz configuration.country=Poland .mode=ap .ssid=\
     disabled=no security= security.authentication-types=\
    wpa2-psk,wpa3-psk
/interface wifi configuration
add chains="" country=Poland disabled=no mode=ap name=#conf_2.4GHZ security=\
  ssid=
/ip pool
add name=dhcp_1 ranges=192.168.1.2-192.168.1.30
/ip dhcp-server
add address-pool=dhcp_1 interface=LAN name=dhcp_1
/ip smb users
set [ find default=yes ] disabled=yes
/system logging action
set 0 memory-lines=75
/zerotier
set zt1 disabled=no disabled=no
/zerotier interface
add allow-default=no allow-global=no allow-managed=yes disabled=no instance=\
    zt1 name= network=
/certificate settings
set builtin-trust-anchors=not-trusted
/interface bridge port
add bridge=*8 interface=ether1
add bridge=swieto-lan interface=ether2
add bridge=swieto-lan interface=ether3
add bridge=swieto-lan interface=ether4
add bridge=swieto-lan interface=wifi1
add bridge=swieto-lan interface=wifi2
add bridge=swieto-lan interface=ether5
/ip firewall connection tracking
set udp-timeout=10s
/ipv6 settings
set disable-ipv6=yes
/interface list member
add interface=ether1 list=WAN_p1
add interface=LAN list=LAN_p2p5_WiFi
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=57.x.x.x endpoint-port=\
    13231 interface=MT-SWIETO name=CHRwaw persistent-keepalive=20s \
    public-key=""
/ip address
add address=192.168.1.1/24 interface=LAN network=192.168.1.0
add address=10.1.0.2/29 interface=MT-SWIETO network=10.1.0.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=192.168.1.1 \
    ntp-server=162.159.200.123
/ip dns
set servers=8.8.8.8,1.1.1.1
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=accept chain=input dst-port=443,80,8080,1025-1099,2049-2200 \
    protocol=tcp
add chain=input comment="Allow OpenVPN" dst-port=1194 protocol=tcp
add action=accept chain=input comment="WinBox through VPN" dst-port=8291 \
    in-interface-list=!WAN_p1 protocol=tcp
add action=drop chain=input comment="odrzucenie invalid pakietow" \
    connection-state=invalid connection-type=""
add action=accept chain=input comment="akceptacja icmp" protocol=icmp
add action=accept chain=input dst-address=127.0.0.1
add action=drop chain=input in-interface-list=!LAN_p2p5_WiFi
add action=accept chain=forward ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward connection-state=\
    established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=\
    new in-interface-list=WAN_p1
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat
/ip firewall service-port
set ftp disabled=yes
/ip hotspot user profile
set [ find default=yes ] address-pool=*3
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add disabled=no distance=1 dst-address=10.0.0.0/24 gateway=10.1.0.3 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set ftp disabled=yes
set ssh disabled=yes
set telnet disabled=yes
set www disabled=yes
set winbox address=0.0.0.0/0
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=MT-SWIETO139
/system leds
set 0 disabled=yes
set 1 disabled=yes
set 2 disabled=yes
set 3 disabled=yes
set 4 disabled=yes
set 5 disabled=yes
/system leds settings
set all-leds-off=immediate
/system ntp client
set enabled=yes
/system ntp server
set broadcast=yes enabled=yes multicast=yes
/system ntp client servers
add address=0.pl.pool.ntp.org
/system scheduler
add comment="Weekly ROS Reb00t" interval=1w name=reboot on-event=\
    "system reboot" policy=reboot start-date=2024-02-04 start-time=06:00:00
/tool mac-server
set allowed-interface-list=LAN_p2p5_WiFi
/tool mac-server mac-winbox
set allowed-interface-list=LAN_p2p5_WiFi

anav · June 11, 2025, 2:54pm

R1- Why is there a second bridge ( aka one for wan )??

R2 Do not name bridge LAN, its very confusing as LAN is already used on the router to denote all local subnets ( bridge subnet, vlans, and/or any subnets tied to etherports, or even wireguard ).
Its very confusing to try and read a config where the bridge is named lan, Just modify to bridge-lan for example.

What is the purpose of the wireguard on Router 1?

knx90 · June 11, 2025, 4:16pm

R1- Why is there a second bridge ( aka one for wan )??

This is configuration for TV access and net from local service provider. Port 1 is the WAN, port 2,3,5 for 3 modems directly connected to 3 TV’s in my second house in 3 diffrent rooms, and port 4 to cisco unmanaged switch connected to devices like computer, console etc via ethernet cable.

R2 Do not name bridge LAN, its very confusing as LAN is already used on the router to denote all local subnets ( bridge subnet, vlans, and/or any subnets tied to etherports, or even wireguard ).
Its very confusing to try and read a config where the bridge is named lan, Just modify to bridge-lan for example.

already done - code has been updated

What is the purpose of the wireguard on Router 1?

i would like to get access to LAN behind R1 and LAN behind R2 - sometimes my parents need help with IT cases, and this is my offtime project to learn something new - maybe in the future i will need to know how to connect diffrent locations company into one network. So im looking best solutions, not only ZeroTier solutions or something like that.

knx90 · June 13, 2025, 9:42am

any solutions/ pro tips?