I am stuck on a NAT issue and I would appreciate your help.
I was given a TV box and a WireGuard client setup so that traffic from the box will go through WireGuard.
I have set up WireGuard on my MikroTik (hAP ax lite, v7.18.2) and I am able to ping 8.8.8.8 / 1.1.1.1 through WireGuard's IP 10.10.0.20/24. Probably the server side allows only this IP (10.10.0.20), since when I changed it to .25 or to a different subnet I couldn't ping anything.
So now I have the TV box connected on the LAN side (ether2) with address 192.168.94.10/24 (gateway IP 192.168.94.1). I have added both WireGuard and the TV box to the same VRF, added routing rules for network 192.168.94.0/24 to look only in table vpn_vrf, and a static route 0.0.0.0/0 through WireGuard.
When I ping 1.1.1.1 with src-address 192.168.94.1 and vrf=vpn_vrf, I can see the packets (with the sniffer) reaching the WireGuard interface, but since the source IP is 192.168.94.1 I suspect they are dropped on the server side. So I need to change the source IP of packets from network 192.168.94.0/24 to 10.10.0.20.
I tried various NAT rules but couldn't get it to work.
On a port of the managed switch, VLAN XXX is configured for the TV box to receive an IP from MikroTik's DHCP.
MikroTik will route the traffic from the VLAN XXX network through the Box_VPN WireGuard tunnel, and the rest of the network will work on VLAN X.
I used this setup with NordVPN and Surfshark and it worked fine.
I am testing now directly from a port without the VLAN.
I have created a VRF for this VPN (Box_VRF).
The issue now is that with the Box_VPN that was provided to me, the tunnel is established and I can ping the internet from the WireGuard interface, but when I try to ping from the LAN interface (ether2, for example) nothing is reachable. Probably this is because the VPN provider allows only traffic from IP 10.10.0.20, so when I ping from range 192.168.94.0/24 the traffic goes through Box_VPN but I cannot receive a reply back.
Through the sniffer I can see that the ICMP packets pass through Box_VPN with src address 192.168.94.1.
Mikrotik config export.txt (16.1 KB)
Yeah, much too busy for me to look at in any detail, and I won't bother until it's cleaned up.
I did note that this is wrong:
add allowed-address=0.0.0.0/0 client-address=10.194.91.2/32 client-endpoint=xx.xx.xx.xx client-keepalive=10s client-listen-port=13834 interface=wireguard_1 name= public-key=""
add allowed-address=0.0.0.0/0 client-address=10.194.91.3/32 comment=" iPhone " interface=wireguard_1 name= public-key=""
add allowed-address=0.0.0.0/0 client-address=10.194.93.1/32 endpoint-address=xx.xx.xx.xx endpoint-port=13833 interface=wireguard1 name= persistent-keepalive=10s public-key=""
The third WireGuard interface name does not match the other two…
So the first two are noise???
/interface wireguard
add disabled=yes listen-port=51822 mtu=1420 name=Box_VPN
add listen-port=13833 mtu=1420 name=wireguard1
add listen-port=51821 mtu=1420 name=Nordlynx
add listen-port=51820 mtu=1420 name=Surfshark_VPN
add comment=back-to-home-vpn listen-port=11429 mtu=1420 name=back-to-home-vpn
add listen-port=13834 mtu=1420 name=wireguard_2
One thing I checked was:
You want the WireGuard interface to be a member of the WAN list (and very likely don't want it to be a member of the LAN list).
I was playing with the other tunnels and messed up the names, but they are not related to my case I think; only the Box_VPN tunnel needs to be checked.
I have an update on the issue, and it seems that my problem is with the VRF.
Outside of the VRF, with the default configuration, the service is working OK: I added the routing table, routing rules etc. and it works. While pinging from 192.168.94.1 to 1.1.1.1 I can see the packets on the WireGuard interface with source IP 10.10.0.20.
When I add Box_VPN and a LAN interface under the same new VRF, then the NAT is not working properly, probably due to bad configuration on my side, but I would love some advice on where to look.
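For reference, here is a minimal RouterOS v7 configuration of the setup described in this thread (LAN on ether2, Box_VPN tunnel, both inside one VRF, source NAT to the tunnel address). It is an added illustration written for this thread, not taken from the posted export, and it has not been tested against the poster's device: the interface, VRF and table names come from the thread, while the server endpoint, port and key values are placeholders, and the VRF-plus-NAT behaviour should be verified on the RouterOS version actually in use.

```routeros
# Added example (not from the posted export). Placeholders to replace:
# <client-private-key>, <server-public-key>, <server-ip>, <server-port>.

/interface wireguard
add name=Box_VPN listen-port=51822 mtu=1420 private-key="<client-private-key>"

# Single peer; allowed-address=0.0.0.0/0 so any destination may be sent into the tunnel.
/interface wireguard peers
add interface=Box_VPN public-key="<server-public-key>" endpoint-address=<server-ip> \
    endpoint-port=<server-port> allowed-address=0.0.0.0/0 persistent-keepalive=25s

# 10.10.0.20 is the only source the provider accepts; 192.168.94.1 is the TV box gateway.
/ip address
add address=10.10.0.20/24 interface=Box_VPN
add address=192.168.94.1/24 interface=ether2

# The tunnel faces the internet, so it belongs in the WAN list, not the LAN list.
/interface list member
add interface=Box_VPN list=WAN

# One VRF holds both the tunnel and the TV box LAN. RouterOS v7 creates a routing
# table with the same name (vpn_vrf) for the VRF.
/ip vrf
add name=vpn_vrf interfaces=Box_VPN,ether2

# Default route inside the VRF table points into the tunnel.
/ip route
add dst-address=0.0.0.0/0 gateway=Box_VPN routing-table=vpn_vrf

# Force anything sourced from the TV box network to use only the VRF table
# (this is the rule the original post describes; with ether2 already inside the
# VRF it mainly matters for traffic that does not arrive on a VRF interface).
/routing rule
add src-address=192.168.94.0/24 action=lookup-only-in-table table=vpn_vrf

# Rewrite the source of everything leaving through the tunnel to 10.10.0.20.
# Assumes connection tracking is enabled (it is in the default firewall).
/ip firewall nat
add chain=srcnat out-interface=Box_VPN src-address=192.168.94.0/24 \
    action=src-nat to-addresses=10.10.0.20
```

To check the result the same way as in the thread, run `/ping 1.1.1.1 src-address=192.168.94.1 vrf=vpn_vrf` and, in a second session, `/tool sniffer quick interface=Box_VPN`: the sniffer sees packets after NAT, so the source should now read 10.10.0.20. If it still shows 192.168.94.1, the srcnat rule is not matching; the usual causes are an out-interface name that differs from the tunnel's actual name, the rule sitting below an earlier masquerade or accept rule for another tunnel, or a fasttrack rule in the filter table letting the connection bypass NAT. `action=masquerade out-interface=Box_VPN` would also work here, since the only address on Box_VPN is 10.10.0.20.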
If I may, and please don't take it as an offence, it seems to me that the configuration you posted is beyond any possible fixing/recovery; the related settings (right or wrong as they might be) are buried under countless layers of cruft/noise.
It is like I was asking you to come to my garage and find, in the tens of drawers and containers/boxes, a 6 mm long M4 grub screw (it is there, and it is far easier to find than a needle in a haystack, still…).
I would suggest that you save the export (and/or make a backup) and start again from a reset configuration, adding only the settings you are trying to troubleshoot.
The new configuration will be anything between 2 and 4 KB (as opposed to the current 16 KB) and much easier to review.