connect to wireguard behind another router

Greetings,
I have several IP cameras and some time ago the internet regulator in my country decided to block access to the camera servers. Now I can access the cameras with the manufacturer’s app when connected to the local Wi-Fi, but when I’m outside I don’t have access to my cameras.

I decided to set up my LHG5 as a WireGuard server and connected to it with my phone. It was successful: I had access to the LHG5 itself and could ping port 1 of the RB941, but that’s it. So what I need is a way to access my cameras and Home Assistant through this VPN (or any other way).

Thank you. I know there might be several things wrong with how I configured everything; that’s because I know almost nothing about networking or MikroTik. I used YouTube and the MikroTik wiki and it worked great for the past 2 years. So, I really appreciate your time.
Untitled-1.jpg

RB941-2nD

# RB941-2nD export as posted. Comments are review notes only; every configuration
# line is the poster's, unchanged. This device owns the LAN (10.10.10.0/24 on the
# bridge); its own WireGuard interface is disabled.
/interface pwr-line
set [ find default-name=pwr-line1 ] disabled=yes
/interface bridge
add admin-mac=08:55:31:A0:6A:7C auto-mac=no comment=defconf name=bridge
/interface ethernet
# ether1 = uplink to the LHG5 (ISP1), ether2 = LTE modem (ISP2), ether3/ether4 = LAN devices.
set [ find default-name=ether1 ] comment="ISP1 _PTMP _LHG5"
set [ find default-name=ether2 ] comment="ISP2 _LTE _DWRM921"
set [ find default-name=ether3 ] comment="wAP _GWN7615"
set [ find default-name=ether4 ] comment="HomeA _RPI"
/interface wireless
# No disabled=no is exported for wlan1, so it is presumably still disabled — confirm on the device.
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=MikroTik-1111111 wireless-protocol=802.11
/interface wireguard
# Disabled: the poster's working WireGuard server is on the LHG5, not here.
add disabled=yes listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
# Only the supplicant identity is set on the default profile; no WPA2 parameters appear in this export.
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# Three pools; only dhcp_pool3 is referenced by the DHCP server below (dpool and dhcp_pool2 are leftovers).
add name=dpool ranges=10.10.10.100-10.10.10.200
add name=dhcp_pool2 ranges=10.10.1.1,10.10.1.11-10.10.1.254
add name=dhcp_pool3 ranges=10.10.10.100-10.10.10.199
/ip dhcp-server
add address-pool=dhcp_pool3 interface=bridge lease-time=10m name=dhcp2
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
# Only ether3 and ether4 are active members; the ether1, ether2, pwr-line1 and wlan1 entries are disabled.
add bridge=bridge comment=defconf disabled=yes ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf disabled=yes ingress-filtering=no interface=pwr-line1
add bridge=bridge comment=defconf disabled=yes ingress-filtering=no interface=wlan1
add bridge=bridge disabled=yes interface=ether1
/ip neighbor discovery-settings
# Neighbor discovery on every interface, including the WAN-side ether1/ether2.
set discover-interface-list=all
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
# LAN = bridge only; WAN = ether1 only (ether2 is in neither list — see the NAT section).
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
# MD5 is allowed as an OVPN auth digest. No enabled=yes is exported, so the server is presumably off — confirm.
set auth=sha1,md5
/interface wireguard peers
# Phone peer, disabled together with the interface; allowed-address is its single /32.
add allowed-address=192.168.100.2/32 disabled=yes interface=wireguard1 public-key=\
    "11111111111111111111111111111111111111111111"
/ip address
# 10.10.10.1/24 = LAN (bridge); 10.10.1.1/24 = link to the LHG5 (ether1); 10.10.2.1/24 = LTE link (ether2);
# 192.168.100.1/24 = the (disabled) WireGuard tunnel network.
add address=10.10.10.1/24 interface=bridge network=10.10.10.0
add address=10.10.1.1/24 interface=ether1 network=10.10.1.0
add address=10.10.2.1/24 interface=ether2 network=10.10.2.0
add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0
/ip dhcp-client
# ether1 carries both the static 10.10.1.1/24 above and a DHCP client.
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=10.10.10.115 client-id=1:a0:43:b0:44:cf:e3 mac-address=11:11:11:11:11:11 server=dhcp2
/ip dhcp-server network
# No DHCP server on this device serves 10.10.1.0/24; only the 10.10.10.0/24 entry is in use.
add address=10.10.1.0/24 dns-server=9.9.9.9,5.200.200.200 gateway=10.10.1.10
add address=10.10.10.0/24 dns-server=9.9.9.9,5.200.200.200 gateway=10.10.10.1
/ip dns
# allow-remote-requests=yes turns on the resolver; the input-chain "drop all not coming from LAN" rule below
# is what keeps it from answering on the WAN side.
set allow-remote-requests=yes servers=8.8.8.8 verify-doh-cert=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
# Input chain: default rules plus an accept for WireGuard (UDP 13231), placed above the final LAN-only drop.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment=WireGuard dst-port=13231 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# Forward chain: default rules. Note the last rule — new connections arriving on the WAN list (ether1, i.e.
# from the LHG5 side) are dropped unless dst-nat'ed, so WireGuard clients that terminate on the LHG5 cannot
# reach 10.10.10.0/24 through this device even if the LHG5 had a route for it.
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related \
    hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
# Masquerade on the WAN list (ether1) plus a separate rule for ether2, which is not a WAN-list member.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=ether2
/ip route
# Two default routes: distance 1 via the LHG5 (10.10.1.10), distance 2 via the LTE modem (10.10.2.10).
# Neither has check-gateway, so failover depends on the primary route itself becoming inactive rather than
# on upstream reachability.
add comment=ISP1 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.10.1.10 pref-src="" routing-table=main \
    scope=30 suppress-hw-offload=no target-scope=10
add comment=LTE disabled=no distance=2 dst-address=0.0.0.0/0 gateway=10.10.2.10 pref-src="" routing-table=main \
    scope=30 suppress-hw-offload=no target-scope=10
/ip service
# telnet/ftp/www/ssh/api/api-ssl disabled; winbox and www-ssl are not listed, so they keep their defaults.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/routing bfd configuration
add disabled=no
/system clock
set time-zone-autodetect=no time-zone-name=Asia/Tehran
/system identity
set name=Wome
/system note
set show-at-login=no
/tool mac-server
# MAC telnet off on every interface; MAC-WinBox allowed from the LAN list only; MAC ping off.
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no
/tool romon
# RoMON enabled; no secrets= value is exported for it.
set enabled=yes

Your entire LAN structure is confusing…

I would need to see both configs.
LHG5 and RB941.

Also, which ISP gives you a reachable public IP
OR
which ISP gives you a private IP but you can forward ports on their device??

Why did you put Wireguard network on LHG and not on RB941?

If LHG5 is your wireguard server for external users, why do you have wireguard settings on RB941

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

In terms of LAN structure… What is the function of pwr-line1? It’s not on your diagram???

LAN Options:
a. If you want one subnet, just use a bridge and put ONLY ether3 and ether4 on it (don’t put WAN on the bridge used for LAN).

b. If you want two separate subnets, then your choices are:

  1. You could simply assign ether3 the subnet for cameras and ether4 the subnet for Home Assistant ( no bridge )
  2. You could put one port on bridge and give bridge the IP, and the other port gets its own IP, not on the bridge.

For each subnet, regardless of the option, you need an IP address, a pool, a dhcp-server and a dhcp-server network!!

Thank you anav for taking the time and examining this mess.

Your entire LAN structure is confusing…

yes, because it is the result of a lot of trial and error. but it is working fine

I would need to see both configs.
LHG5 and RB941.

I posted the configs of RB941
Here is the one for LHG:

LHG5

# LHG5 export as posted. This device holds the public IP (pppoe-out1) and is the
# WireGuard server the poster's phone currently connects to. Comments are review
# notes only; the configuration lines are unchanged.
/interface wireless
# 5 GHz station-bridge to the ISP's point-to-multipoint AP; SSID redacted by the poster.
set [ find default-name=wlan1 ] band=5ghz-a/n channel-width=20/40mhz-Ce \
    country=no_country_set disabled=no frequency=5240 frequency-mode=\
    superchannel mode=station-bridge scan-list=5240 ssid=\
    111111111111111111111111111111
/interface wireguard
# WireGuard server, enabled, listening on UDP 13231.
add listen-port=13231 mtu=1420 name=wireguard1
/interface pppoe-client
# PPPoE over wlan1 supplies the default route and the reachable public IP.
add add-default-route=yes disabled=no interface=wlan1 name=pppoe-out1 \
    use-peer-dns=yes user=1111111
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# Three overlapping 192.168.1.x pools; the only DHCP server that references one of them is disabled below.
add name=dhcp_pool1 ranges=192.168.1.1-192.168.1.49,192.168.1.51-192.168.1.254
add name=dhcp ranges=192.168.1.1-192.168.1.49
add name=dhcp_pool3 ranges=192.168.1.1-192.168.1.49,192.168.1.51-192.168.1.254
/ip dhcp-server
# Disabled, so the RB941 on ether1 receives no lease from this device (it uses a static 10.10.1.1/24).
add address-pool=dhcp_pool3 disabled=yes interface=ether1 lease-time=10m name=\
    dhcp1
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add interface=pppoe-out1 list=WAN
# The LAN list has a single entry with no interface, i.e. it is effectively empty: neither ether1 nor
# wireguard1 is a LAN member, which matters for the input-chain drop rule below.
add list=LAN
/interface ovpn-server server
# MD5 is allowed as an OVPN auth digest; no enabled=yes is exported, so the server is presumably off — confirm.
set auth=sha1,md5
/interface wireguard peers
# The phone; allowed-address is its single /32.
add allowed-address=192.168.100.2/32 interface=wireguard1 public-key=\
    "11111111111111111111111111111111111111111111"
/ip address
# 10.10.1.10/24 on ether1 is the link to the RB941 (10.10.1.1). 192.168.1.50/24 is a disabled leftover that
# the dhcp-server network entry below still points at.
add address=192.168.1.50/24 disabled=yes interface=ether1 network=192.168.1.0
add address=10.10.1.10/24 interface=ether1 network=10.10.1.0
add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0
/ip cloud
set update-time=no
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=185.98.113.113,185.98.114.114,8.8.8.8 \
    gateway=192.168.1.50
/ip firewall filter
# Input chain: the WireGuard handshake (UDP 13231) and ICMP are accepted; anything else that is new and not
# from the LAN list is dropped. With the LAN list empty, that drop also covers new TCP sessions to the router
# arriving from wireguard1 and from ether1 (the RB941 side) — consistent with ping through the tunnel working;
# worth checking what "access to the LHG5" actually covered.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment=WireGaurd dst-port=13231 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# Forward chain: the WAN list is pppoe-out1 only, so wireguard1 -> ether1 forwarding is allowed. That is why
# the phone can ping 10.10.1.1; reaching 10.10.10.0/24 behind it is a routing question (see /ip route) and
# also needs the RB941 to accept forwarded traffic arriving on its ether1.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
# Masquerade with no out-interface: every forwarded connection is source-NATed, including tunnel traffic
# sent toward ether1, so the RB941 sees 10.10.1.10 rather than the WireGuard client address.
add action=masquerade chain=srcnat
/ip route
# The only static route is a /32 to the RB941's LAN address with gateway 0.0.0.0, which does not point at the
# RB941 (10.10.1.1). There is no route to 10.10.10.0/24 at all, which matches the symptom that the RB941's LAN
# is unreachable through the tunnel.
add check-gateway=ping disabled=no distance=1 dst-address=10.10.10.1/32 \
    gateway=0.0.0.0 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
/ip service
# telnet/ftp/ssh/api/api-ssl disabled; www, www-ssl and winbox are not listed, so they keep their defaults
# (on the RB941, www is disabled explicitly).
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/routing bfd configuration
# BFD on all interfaces with 200 µs timers; no routing peer that would use it appears in this export.
add disabled=no interfaces=all min-rx=200us min-tx=200us multiplier=5
/system clock
set time-zone-autodetect=no time-zone-name=Asia/Tehran
/system identity
set name=1111111111111111111
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=none
/tool romon
# RoMON enabled; no secrets= value is exported for it.
set enabled=yes



Also, which ISP gives you a reachable public IP
OR
which ISP gives you a private IP but you can forward ports on their device??

It is a reachable public IP.

Why did you put Wireguard network on LHG and not on RB941?

The one on RB941 is disabled. I tried to have it as the wireguard server but failed.
Then I ran the server on the LHG and it worked nicely. The only problem is that through WireGuard I have access to the LHG but not to my wAP, Home Assistant and cameras.
I don’t know how.

In terms of lan structure… What is the function of power line1… its not on your diagram???

I think it’s the USB interface on the RB941 that I don’t use and had disabled. It also powers the device. I might be wrong.

LAN Options:
a. If you want one subnet just use a bridge and put ONLY ether3 and ether4 on it. ( dont put wan on bridge for lan)

b. If you want two separate subnets, then your choices are:

  1. You could simply assign ether3 the subnet for cameras and ether4 the subnet for Home Assistant ( no bridge )
  2. You could put one port on bridge and give bridge the IP, and the other port gets its own IP, not on the bridge.

Only ether3 and 4 are in a bridge and the others are disabled. I only need one subnet and am currently using one subnet. I think there are addresses in the config that I don’t use any more and that might be confusing; I didn’t delete anything that I no longer use.
The LAN is working fine. Obviously flawed, and that’s because I don’t have the know-how and configured everything with internet guides, but it is working as intended.

I believe that I either need to get the WireGuard server on the RB941 to work,
or
do something on the LHG so I can access the RB941 from outside by connecting to the LHG’s WireGuard.

Yes, the idea would be to get the RB941 to work as the LAN server, as that is the logical approach.
Which IP is a public one, ISP1 or ISP2 (LTE)? We will use the one that people can reach (static or dynamic).

It could be possible on LTE, but then one would have to create VLANs to separate WAN traffic and WireGuard traffic to and from the RB941.

ISP1 has the reachable public IP. ISP2 is the backup; the LTE modem is always off and is for when the power grid fails, when a relay will power it from the UPS.

So should I go and research LAN servers?

Nope, should be good!

This should get you close!

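# Proposed RB941 config (forum suggestion) with three review fixes applied:
#  1. wireguard1 is enabled. The suggestion left the interface disabled=yes while enabling its peer and
#     adding it to the LAN list, so the server would never actually listen on UDP 13231.
#  2. ether1/ether2 keep the static addresses from the poster's working config. The LHG5 export shows its
#     DHCP server disabled, so with only a dhcp-client ether1 would end up without an address.
#  3. The two "ISP-Gateway" placeholders are replaced by the gateways the poster already uses
#     (10.10.1.10 = LHG5, 10.10.2.10 = LTE modem); a route whose gateway is an unknown name is likely
#     rejected on import anyway.
# Not covered by this export: the LHG5 holds the public IP, so for the phone to reach this server from the
# internet the LHG5 must pass UDP 13231 through to 10.10.1.1 (dst-nat on the LHG5), otherwise the handshake
# never arrives here.
/interface pwr-line
set [ find default-name=pwr-line1 ] disabled=yes
/interface bridge
add admin-mac=08:55:31:A0:6A:7C auto-mac=no comment=defconf name=bridge
/interface ethernet
# ether1 = uplink to the LHG5 (ISP1), ether2 = LTE modem (ISP2), ether3/ether4 = LAN devices.
set [ find default-name=ether1 ] comment="ISP1 _PTMP _LHG5"
set [ find default-name=ether2 ] comment="ISP2 _LTE _DWRM921"
set [ find default-name=ether3 ] comment="wAP _GWN7615"
set [ find default-name=ether4 ] comment="HomeA _RPI"
/interface wireless
# No disabled=no is exported for wlan1, so it presumably stays disabled; its bridge-port entry below is
# inactive until it is enabled.
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=MikroTik-1111111 wireless-protocol=802.11
/interface wireguard
# Enabled (fix 1): this device now terminates the tunnel on UDP 13231.
add disabled=no listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
# Default profile with only the supplicant identity set; no WPA2 parameters are shown. If wlan1 is ever
# enabled while its bridge port is active, set up WPA2 on this profile first, or the SSID is bridged straight
# into the LAN without authentication.
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# One pool for the single LAN subnet (the unused dhcp_pool2/dhcp_pool3 from the posted config are dropped).
add name=dpool ranges=10.10.10.100-10.10.10.200
/ip dhcp-server
add address-pool=dpool interface=bridge lease-time=10m name=dhcp2
/interface bridge port
# LAN ports only; WAN-side interfaces are not bridge members.
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge ingress-filtering=no interface=wlan1
/ip neighbor discovery-settings
# Discovery limited to the LAN list (the posted config used "all", which included ether1/ether2).
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
# wireguard1 in LAN: VPN peers get the same input/forward treatment as wired LAN hosts, router management
# (WinBox, MAC-WinBox) included. Keep that in mind when adding more peers.
add interface=wireguard1 list=LAN
add comment=defconf interface=ether1 list=WAN
# ether2 joins the WAN list so the single masquerade rule below covers it too.
add interface=ether2 list=WAN
/interface wireguard peers
# Phone peer, enabled; allowed-address is its single /32.
add allowed-address=192.168.100.2/32 disabled=no interface=wireguard1 public-key=\
    "11111111111111111111111111111111111111111111"
/ip address
add address=10.10.10.1/24 interface=bridge network=10.10.10.0
# Static WAN-side addresses kept from the posted config (fix 2): link to the LHG5 on ether1, LTE link on ether2.
add address=10.10.1.1/24 interface=ether1 network=10.10.1.0
add address=10.10.2.1/24 interface=ether2 network=10.10.2.0
add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0
/ip dhcp-client
# Kept as in the posted config; it is harmless alongside the static address if the LHG5 never answers.
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=10.10.10.115 client-id=1:a0:43:b0:44:cf:e3 mac-address=11:11:11:11:11:11 server=dhcp2
/ip dhcp-server network
add address=10.10.10.0/24 dns-server=9.9.9.9,5.200.200.200 gateway=10.10.10.1
/ip dns
# Remote requests allowed; the input-chain "drop all not coming from LAN" rule below keeps the resolver off
# the WAN side. VPN peers can use 10.10.10.1 or 192.168.100.1 as resolver.
set allow-remote-requests=yes servers=8.8.8.8 verify-doh-cert=yes
/ip firewall filter
# Input chain: default rules plus the WireGuard accept. Its position (after ICMP/loopback, before the final
# LAN-only drop) is what matters; the handshake must be accepted before "drop all not coming from LAN".
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=WireGuard dst-port=13231 protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# Forward chain: default rules. Because wireguard1 is in the LAN list, tunnel -> bridge traffic is not
# affected by the last rule, which only drops new connections arriving on the WAN list.
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related \
    hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
# Single masquerade for the WAN list (ether1 and ether2 are both members now, so no separate ether2 rule).
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip route
# Gateways taken from the posted config (fix 3): 10.10.1.10 is the LHG5, 10.10.2.10 the LTE modem.
# Neither route has check-gateway, so failover depends on the primary route becoming inactive.
add comment=ISP1 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.10.1.10 pref-src="" routing-table=main \
    scope=30 suppress-hw-offload=no target-scope=10
add comment=LTE disabled=no distance=2 dst-address=0.0.0.0/0 gateway=10.10.2.10 pref-src="" routing-table=main \
    scope=30 suppress-hw-offload=no target-scope=10
/ip service
# telnet/ftp/www/ssh/api/api-ssl disabled; winbox and www-ssl are not listed, so they keep their defaults
# and are reachable from LAN-list interfaces only (which now includes wireguard1).
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/routing bfd configuration
add disabled=no
/system clock
set time-zone-autodetect=no time-zone-name=Asia/Tehran
/system identity
set name=Wome
/system note
set show-at-login=no
/tool mac-server
# MAC telnet off on every interface; MAC-WinBox allowed from the LAN list only; MAC ping off.
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no
/tool romon
# RoMON enabled; no secrets= value is exported for it.
set enabled=yes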