Help configuring Wireguard for remote network access

vader7071 · July 4, 2025, 6:41pm

My hardware/setup:

RB2011 w/ OS 7.11.2 in Alabama (to be replaced with a 5009 soon)
WireGuard set as server
Laptop with WireGuard as client
Android with Wireguard as client
CRS109 w/ OS 7.19.2 in Mississippi (to be replaced with a 5009 or L009 soon)
WireGuard as client

How it work now:

Laptop connects via WireGuard w/ no problem
Android connects via WireGuard w/ no problem
CRS109 has not been deployed yet and has not been tested.

Issues:
I am having an issue. My laptop shows that all of my internet access now directs out of the RB2011, but I cannot access any devices inside the network. I have not tried with the Android.

Endgame:
I would like all information from the CRS109 to route through the RB2011. I would also like all devices on the CRS109 to have access to devices on the RB2011. I am willing to share my config data, I’m just not sure what I need to share. I’m guessing I have something not set correctly in routes possibly, but I’m not sure. And I don’t want to just start randomly making changes without some direction.

Here are my various WireGuard settings in my RB2011:

/interface wireguard
add comment=“WireGuard VPN” listen-port=13231 mtu=1420 name=wireguard1

/interface list member
add interface=bridge1 list=LAN
add comment=“WireGuard VPN” interface=wireguard1 list=LAN

/ip address
add address=192.168.15.1/22 interface=bridge1 network=192.168.12.0
add address=192.168.70.1/24 comment=“WireGuard VPN” interface=wireguard1 network=192.168.70.0

/ip firewall filter
add action=accept chain=input comment=“Allow wireguard” dst-port=13231 protocol=udp
add action=accept chain=input comment=“Allow wireguard traffic” src-address=192.168.70.0/24

/interface wireguard peers
add allowed-address=192.168.70.3/32 comment=“Note 20” interface=wireguard1 public-key=“???”
add allowed-address=192.168.70.4/32 comment=“S24” interface=wireguard1 public-key=“???”
add allowed-address=192.168.70.5/32 comment=“Laptop” interface=wireguard1 public-key=“???”
add allowed-address=192.168.70.6/32 comment=“CRS109” interface=wireguard1 public-key=“???”

I have no plans to make the CRS109 a WireGuard server. It will always be a client. Everything should be going through the RB2011.

Do I have the IP addresses/Mask set wrong? Should I be looking somewhere else in my configuration?

Thank you in advance for your help.

TheCat12 · July 4, 2025, 7:46pm

The problem more likely has something to do with firewall, so a full config export would be best, the full firewall at least (not recommended)

vader7071 · July 4, 2025, 9:32pm

A few thoughts from your response.

Could it be in the /ip firewall address-list section?

Here is a snippet:

/ip firewall address-list
add address=192.168.100.0/24 list=private
add address=192.168.12.0/22 list=internal

Could I add the line:
add address=192.168.70/24 list=internal

Past this train of thought, my follow up question would be which subsection of Firewall? Mangle? NAT? Filter? I don’t think it would be under service port.

But to try and make this easier, here is the export. I have removed some things like “Kid Control” and the usual safety (usernames, external IP addresses, etc.). Side note, if you see something that would improve performance, I am always open to learn to make this better.

/interface bridge
add arp=proxy-arp fast-forward=no mtu=1500 name=bridge1

/interface ethernet
set [ find default-name=ether1 ] comment=“Incoming ISP” name=e1-ISP
set [ find default-name=ether2 ] comment=“Workshop PoE Switch” name=e2-Work_Shop
set [ find default-name=ether3 ] comment=WAP name=e3-WAP
set [ find default-name=ether4 ] comment=“Upstairs Switch” name=e4-Up_Stairs
set [ find default-name=ether5 ] comment=“Raspberry Pi” name=e5-Pi
set [ find default-name=ether6 ] name=e6-
set [ find default-name=ether7 ] name=e7-
set [ find default-name=ether8 ] name=e8-
set [ find default-name=ether9 ] name=e9-
set [ find default-name=ether10 ] name=e10-Cloud_Key

/interface l2tp-client
add connect-to=[www.xxx.yyy.zzz] max-mru=1460 max-mtu=1460 name=“Office” user=[username]

/interface wireguard
add comment=“2024-08-12 - WireGuard VPN” listen-port=13231 mtu=1420 name=wireguard1

/interface ethernet switch port
set 0 vlan-mode=fallback
set 1 vlan-mode=fallback
set 2 vlan-mode=fallback
set 3 vlan-mode=fallback
set 4 vlan-mode=fallback
set 5 vlan-mode=fallback
set 6 vlan-mode=fallback
set 7 vlan-mode=fallback
set 8 vlan-mode=fallback
set 9 vlan-mode=fallback
set 10 vlan-mode=fallback

/interface list
add name=WAN
add name=LAN

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip ipsec peer
add comment=“2020-11-17 L2TP VPN” name=peer1 passive=yes send-initial-contact=no

/ip ipsec proposal
set [ find default=yes ] comment=“2020-11-17 L2TP VPN” enc-algorithms=3des

/ip pool
add name=dhcp ranges=192.168.15.150-192.168.15.200
add name=dhcp-vpn ranges=192.168.14.100-192.168.14.200
add name=vpn ranges=192.168.89.2-192.168.89.255

/ip dhcp-server
add address-pool=dhcp interface=bridge1 lease-time=3d name=dhcp1

/port
set 0 name=serial0

/interface sstp-client
add authentication=mschap2 connect-to=[location] disabled=no name=[sstp-name] profile=default-encryption user=[user]

/queue tree
add limit-at=6200k max-limit=6200k name=prio5-streaming packet-mark=streaming parent=queue1 priority=5 queue=default
add limit-at=100k max-limit=9500k name=prio8-untagged packet-mark=no-mark parent=queue1 queue=default
add limit-at=1G max-limit=1G name=prio3-gaming packet-mark=gaming parent=queue1 priority=3 queue=default
add limit-at=1G max-limit=1G name=prio2-misc-fast packet-mark=misc-fast parent=queue1 priority=2 queue=default
add limit-at=100k max-limit=9500k name=prio6-http packet-mark=http parent=queue1 priority=6 queue=default

/snmp community
set [ find default=yes ] addresses=0.0.0.0/0

/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100

/interface bridge port
add bridge=bridge1 interface=sfp1
add bridge=bridge1 interface=e2-Work_Shop
add bridge=bridge1 interface=e3-WAP
add bridge=bridge1 interface=e4-Up_Stairs
add bridge=bridge1 interface=e5-Pi
add bridge=bridge1 interface=e6-
add bridge=bridge1 interface=e7-
add bridge=bridge1 interface=e8-
add bridge=bridge1 interface=e9-
add bridge=bridge1 interface=e10-Cloud_Key

/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes

/ip neighbor discovery-settings
set discover-interface-list=!dynamic

/interface detect-internet
set detect-interface-list=all

/interface l2tp-server server
set authentication=mschap1,mschap2 use-ipsec=yes

/interface list member
add interface=e1-ISP list=WAN
add interface=bridge1 list=LAN
add comment=“2024-08-12 - WireGuard VPN” interface=wireguard1 list=LAN

/interface sstp-server server
set default-profile=default-encryption

/interface wireguard peers
add allowed-address=192.168.70.3/32 comment=“Note 20” interface=wireguard1 public-key=[key]
add allowed-address=192.168.70.4/32 comment=“S24” interface=wireguard1 public-key=[key]
add allowed-address=192.168.70.5/32 comment=“Laptop” interface=wireguard1 public-key=[key]
add allowed-address=192.168.70.6/32 comment=“CRS109” interface=wireguard1 public-key=[key]

/ip address
add address=192.168.15.1/22 interface=bridge1 network=192.168.12.0
add address=192.168.12.0/22 interface=e2-Work_Shop network=192.168.12.0
add address=192.168.15.1/22 interface=e2-Work_Shop network=192.168.12.0
add address=192.168.70.1/24 comment=“2024-08-12 - WireGuard VPN” interface=wireguard1 network=192.168.70.0

/ip cloud
set ddns-enabled=yes

/ip dhcp-client
add interface=e1-ISP use-peer-dns=no use-peer-ntp=no

/ip dhcp-server network
add address=192.168.12.0/32 dns-server=[www.xxx.yyy.zzz],[www.xxx.yyy.zzz] gateway=192.168.15.1 netmask=22
add address=192.168.12.0/22 dns-server=[www.xxx.yyy.zzz],[www.xxx.yyy.zzz] gateway=192.168.15.1 netmask=22

/ip dns
set allow-remote-requests=yes servers=[www.xxx.yyy.zzz],[www.xxx.yyy.zzz]

/ip dns static
add address=192.168.12.0 name=router.lan
add address=192.168.15.1 name=router.lan
add address=192.168.100.13 name=CON-DH-PDC-001
add address=192.168.100.14 name=CON-DH-SQL-001
add address=192.168.100.20 name=CON-DH-NAS-001

/ip firewall address-list
add address=192.168.100.0/24 list=private
add address=192.168.12.0/22 list=internal
add address=0.0.0.0/8 comment=RFC6890 list=NotPublic
add address=10.0.0.0/8 comment=RFC6890 list=NotPublic
add address=100.64.0.0/10 comment=RFC6890 list=NotPublic
add address=127.0.0.0/8 comment=RFC6890 list=NotPublic
add address=169.254.0.0/16 comment=RFC6890 list=NotPublic
add address=172.16.0.0/12 comment=RFC6890 list=NotPublic
add address=192.0.0.0/24 comment=RFC6890 list=NotPublic
add address=192.0.2.0/24 comment=RFC6890 list=NotPublic
add address=192.168.0.0/16 comment=RFC6890 list=NotPublic
add address=192.88.99.0/24 comment=RFC3068 list=NotPublic
add address=198.18.0.0/15 comment=RFC6890 list=NotPublic
add address=198.51.100.0/24 comment=RFC6890 list=NotPublic
add address=203.0.113.0/24 comment=RFC6890 list=NotPublic
add address=224.0.0.0/4 comment=RFC4601 list=NotPublic
add address=240.0.0.0/4 comment=RFC6890 list=NotPublic

/ip firewall filter
add action=jump chain=forward comment=“jump to kid-control rules” jump-target=kid-control
add action=accept chain=input comment=“2024-08-12 - allow wireguard” dst-port=13231 protocol=udp
add action=accept chain=input comment=“2024-08-12 - allow wireguard traffic” src-address=192.168.70.0/24
add action=accept chain=inbound comment=“Accept established connections” connection-state=established
add action=accept chain=output comment=“Allow everything out”
add action=jump chain=forward comment=“2020-07-30 - Dan DDoS Block” connection-state=new jump-target=detect-ddos
add action=return chain=detect-ddos comment=“2020-07-30 - Dan DDoS Block” dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m chain=detect-ddos comment=“2020-07-30 - Dan DDoS Block”
add action=add-src-to-address-list address-list=ddoser address-list-timeout=10m chain=detect-ddos comment=“2020-07-30 - Dan DDoS Block”
add action=drop chain=forward comment=“2020-07-30 - Dan DDoS Block” connection-state=new dst-address-list=ddosed src-address-list=ddoser
add action=accept chain=input comment=“allow IPsec NAT” dst-port=4500 protocol=udp
add action=accept chain=input comment=“allow IKE” dst-port=500 protocol=udp
add action=accept chain=input comment=“allow l2tp” dst-port=1701 protocol=udp
add action=accept chain=input comment=“allow sstp” dst-port=443 protocol=tcp
add action=drop chain=input comment=“2020-07-30 - Dan DDoS Amplification Block” dst-port=53 in-interface=e1-ISP protocol=udp
add action=drop chain=input comment=“2020-07-30 - Dan DDoS Amplification Block” dst-port=53 in-interface=e1-ISP protocol=tcp
add action=drop chain=forward comment=“drop windows ports” port=135-139 protocol=tcp

/ip firewall nat
add action=redirect chain=dstnat comment=“2021-10-05 Force all DNS requests to OpenDNS” dst-address-type=!local dst-port=53 protocol=udp to-addresses=0.0.0.0 to-ports=53
add action=masquerade chain=srcnat out-interface=e1-ISP
add action=masquerade chain=srcnat dst-address-list=!private src-address-list=internal
add action=masquerade chain=srcnat comment=“masq. vpn traffic” src-address=192.168.89.0/24

/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes

/ip ipsec identity
add comment=“2020-11-17 L2TP VPN” generate-policy=port-override peer=peer1

/ip ipsec policy
set 0 comment=“2020-11-17 L2TP VPN” dst-address=0.0.0.0/0 src-address=0.0.0.0/0

/ip route
add distance=1 dst-address=192.168.12.0/22 gateway=e1-ISP
add comment=“Home to CECE” distance=1 dst-address=192.168.100.0/24 gateway=[sstp-name]
add comment=“Home to Terry via CECE” distance=1 dst-address=192.168.203.0/24 gateway=[sstp-name]

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.12.0/22
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes

/lcd
set backlight-timeout=5m time-interval=daily

/ppp secret
add comment=“2020-11-17 L2TP VPN” name=[name] profile=ipsec_vpn remote-address=192.168.14.100 service=l2tp
add name=vpn
add comment=“2022-02-23 - PPTP VPN” local-address=192.168.15.1 name=[name] profile=default-encryption remote-address=192.168.14.99 service=pptp

/snmp
set enabled=yes

/system clock
set time-zone-autodetect=no time-zone-name=America/Chicago

/system identity
set name=[RB2011-2]

/system note
set show-at-login=no

/system ntp client
set enabled=yes

/system ntp client servers
add address=129.6.15.28
add address=129.6.15.29