Help with Wireguard -- Linux PC

I have a (beloved) RB5009 that is working wonderfully (export below) and recently got a laptop and installed Fedora Aurora Linux on it to play and learn (and it’s totally cool!).

I set up a Wireguard connection between the linux PC and the RB5009 and have made great progress. The two devices can ping each other on the 10.10.100.x network.

The RB5009 is also connected via wireguard to a number of other MT devices which all exist in the 10.10.100.x network. I can ping from the linux PC to any of those devices (e.g., 10.10.100.30, 10.10.100.40, etc.).

Each of those remote MT devices has a 192.168.x.x network on their LAN side.

My goal, which I have been unable to achieve as of yet, is for the WG connection from the linux PC to reach all the other WG-connected LANs at their local 192.168.x.x networks.

My suspicion is that the problem is either routing or firewall (let’s see if I’m on the right track).

Another big problem is that whenever the WG connection is active on the laptop, I lose internet connectivity that otherwise is made available via the laptop’s wifi connection. I don’t know if a default route changes, or something else.

Can someone please take a look?

Here is the WG config on the linux PC, extracted by:

>sudo cat /etc/NetworkManager/system-connections/212-RB5009.nmconnection

[connection]
id=212-RB5009
uuid=519c54b9-bc72-40cd-8b55-ecdcd1594bc5
type=wireguard
autoconnect=false
interface-name=wg

[wireguard]
listen-port=13340
private-key=KDUXH-------

[wireguard-peer.xx27--------]
endpoint=<HOST>.dyndns.org:51820
persistent-keepalive=40
allowed-ips=10.10.100.0/24;192.168.0.0/16;

[ipv4]
address1=10.10.100.101/24
dns=1.1.1.1;
gateway=10.10.100.1
method=manual

[ipv6]
addr-gen-mode=stable-privacy
method=ignore

And here is the RB5009 export:

# 2025-11-02 06:23:23 by RouterOS 7.19.3
# software id = 2KBD-7ZZB
#
# model = RB5009UPr+S+
# serial number = HDA0
/interface bridge
add admin-mac=18:FD:74:CF:7F:5D auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] comment=WAN poe-out=off
set [ find default-name=ether2 ] comment=hAPax3-Downstairs poe-out=off
set [ find default-name=ether3 ] comment="JRS PC port 3" poe-out=off
set [ find default-name=ether4 ] comment=hAPax3-Upstairs poe-out=off
set [ find default-name=ether5 ] comment=<empty> poe-out=off
set [ find default-name=ether6 ] comment="MOCA adapter" poe-out=off
set [ find default-name=ether7 ] comment=OffBridge poe-out=off
set [ find default-name=ether8 ] comment=BI-Server poe-out=off
set [ find default-name=sfp-sfpplus1 ] comment=CSS326
/interface wireguard
add listen-port=51820 mtu=1420 name=212-Wireguard private-key=\
    "WIPjFC5--------A="
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MANAGE
add name=DHCPdisabled
add name=TRUSTED
add name=IoT-Cameras
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/iot lora servers
add address=eu.mikrotik.thethings.industries name=TTN-EU protocol=UDP
add address=us.mikrotik.thethings.industries name=TTN-US protocol=UDP
add address=eu1.cloud.thethings.industries name="TTS Cloud (eu1)" protocol=\
    UDP
add address=nam1.cloud.thethings.industries name="TTS Cloud (nam1)" protocol=\
    UDP
add address=au1.cloud.thethings.industries name="TTS Cloud (au1)" protocol=\
    UDP
add address=eu1.cloud.thethings.network name="TTN V3 (eu1)" protocol=UDP
add address=nam1.cloud.thethings.network name="TTN V3 (nam1)" protocol=UDP
add address=au1.cloud.thethings.network name="TTN V3 (au1)" protocol=UDP
/iot mqtt brokers
add address=192.168.0.103 client-id=192.168.2.2 name=HA password=XXXXX \
    username=mqtt
add address=192.168.0.162 auto-connect=yes name="Home Assistant" password=\
    XXXXX username=mqtt
/ip pool
add name=192.168.2.100-200 ranges=192.168.2.100-192.168.2.200
add comment=offbridge-dhcp-server name=offbridge-dhcp-server ranges=\
    192.168.55.101-192.168.55.200
/ip dhcp-server
add address-pool=192.168.2.100-200 interface=bridge lease-time=3d name=defconf
add address-pool=offbridge-dhcp-server comment=offbridge-dhcp-server \
    interface=ether7 name=offbridge-dhcp-server
/ip smb users
set [ find default=yes ] disabled=yes
/system logging action
set 3 remote=192.168.2.22
add name=logserver remote=192.168.0.112 remote-port=51400 target=remote
add email-to=jXXXXX@domain.com name=email target=email
add disk-file-name=UPSLOG name=diskups target=disk
/container config
set registry-url=https://registry-1.docker.io tmpdir=disk1/pull
/interface bridge filter
add action=drop chain=forward disabled=yes dst-port=67-68 in-interface-list=\
    DHCPdisabled ip-protocol=udp log-prefix=Bridge-Filter-Forward \
    mac-protocol=ip out-interface-list=DHCPdisabled src-port=67-68
add action=drop chain=input disabled=yes dst-port=67-68 in-interface-list=\
    DHCPdisabled ip-protocol=udp log-prefix=Bridge-Filter-Input mac-protocol=\
    ip src-port=67-68
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 \
    internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether8 internal-path-cost=10 path-cost=10
add bridge=bridge interface=sfp-sfpplus1
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/ipv6 settings
set accept-redirects=no accept-router-advertisements=no disable-ipv6=yes \
    forward=no max-neighbor-entries=8192 soft-max-neighbor-entries=8191
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add disabled=yes interface=bridge list=MANAGE
add disabled=yes interface=ether1 list=MANAGE
add interface=212-Wireguard list=LAN
add disabled=yes interface=212-Wireguard list=MANAGE
add interface=212-Wireguard list=DHCPdisabled
add comment=OffBridge interface=ether7 list=LAN
add disabled=yes interface=ether7 list=MANAGE
add interface=bridge list=TRUSTED
add interface=ether7 list=TRUSTED
add interface=212-Wireguard list=TRUSTED
/interface ovpn-server server
add mac-address=FE:B2:B3:FE:59:72 name=ovpn-server1
/interface wireguard peers
add allowed-address=10.10.100.8/32 comment="JRS Laptop" interface=\
    212-Wireguard name=jrs-laptop public-key=\
    "b9iyIPXw9MQIGo852yC/xxxxxx="
add allowed-address=\
    10.10.100.2/32,192.168.88.0/24,10.10.100.40/32,192.168.40.0/24 comment=\
    371 endpoint-address=XXXXX.dyndns.org endpoint-port=52820 interface=\
    212-Wireguard name=371 persistent-keepalive=40s public-key=\
    "xxxxxx="
add allowed-address=10.10.100.9/32 comment="JRS iPhone" interface=\
    212-Wireguard name=jrs-iphone public-key=\
    "PypzufC5QJLUMgJCHEmbjQYbmC+ZS2Kk4+xxxxxx="
add allowed-address=10.10.100.12/32,192.168.20.0/24 comment=629 \
    endpoint-address=XXXXX.dyndns.org endpoint-port=51821 interface=\
    212-Wireguard name=629 persistent-keepalive=40s public-key=\
    "xxxxx="
add allowed-address=10.10.100.60/32,192.168.1.0/24 comment=255 \
    endpoint-address=XXXXX.dyndns.org endpoint-port=51835 interface=\
    212-Wireguard name=255 persistent-keepalive=40s public-key=\
    "xxxxx+r9bzZ0aWPK0PMwbRc="
add allowed-address=10.10.100.30/32,192.168.30.1/24 comment=76 \
    endpoint-address=XXXXX.dyndns.org endpoint-port=51830 interface=\
    212-Wireguard name=76 persistent-keepalive=40s public-key=\
    "xxxx="
add allowed-address=10.10.90.0/24 comment="BI PC WG APP" endpoint-port=51820 \
    interface=212-Wireguard name=peer8 public-key=\
    "R5SjZucQPhyu5CQyXLvxf/xxxxx="
add allowed-address=10.10.100.1/32,192.168.2.2/24 comment=\
    "212 (local, just for reference);   192.168.2.2" disabled=yes \
    endpoint-address=XXXXX.dyndns.org endpoint-port=51820 interface=\
    212-Wireguard name=peer9 public-key=\
    "xxxxx/op1OqXrW4Ds="
add allowed-address=10.10.100.100/32 comment="JRS Laptop 201" disabled=yes \
    interface=212-Wireguard name=peer10 public-key=\
    "QJCXZaf5K/xxxx="
add allowed-address=10.10.100.101/32 endpoint-port=51840 interface=\
    212-Wireguard name=peer11 public-key=\
    "N/t6/86S/xxxx="
add allowed-address=10.10.100.70/32,192.168.70.0/24 comment=125 \
    endpoint-address=XXXXX.dyndns.org endpoint-port=51870 interface=\
    212-Wireguard name=125 persistent-keepalive=40s public-key=\
    "xxxx="
add allowed-address=10.10.100.99/32,192.168.2.0/24 comment="JRS Laptop 2023" \
    interface=212-Wireguard name=peer13 private-key=\
    "ED8Ig6UntTB7Kg+xxxx//vOc9p2Q=" public-key=\
    "w9XFUjODaOIOQbCeMVJ+xxxxx="
add allowed-address=10.10.100.53/32,192.168.0.0/24 client-listen-port=51840 \
    comment="WG Proxmox Win11" endpoint-address=XXXXX.dyndns.org \
    endpoint-port=51844 interface=*12 name=peer15 public-key=\
    "Wut4NWWjMvqM+8BNw0IP+xxxx="
add allowed-address=10.10.100.15/32 comment=355-AX3 disabled=yes \
    endpoint-address=10.0.0.1 endpoint-port=51860 interface=212-Wireguard \
    name=355-ax3 persistent-keepalive=40s public-key=\
    "C6fhu5+xxxx/OH756yD08OtpEw54Qql3LZ04="
add allowed-address=10.10.100.10/32 comment="T Laptop" interface=\
    212-Wireguard name=t-laptop public-key=\
    "xxxx+vjrp81mL+itsBc="
add allowed-address=10.10.100.80/32,192.168.80.1/24,10.72.0.0/16 comment=729 \
    endpoint-address=xxxx.dyndns.org endpoint-port=51880 interface=\
    212-Wireguard name=729 persistent-keepalive=40s public-key=\
    "xxx/xxx+DzjqQ4t0CQ="
add allowed-address=10.10.100.81/32 comment=hex-lab endpoint-address=\
    192.168.2.192 endpoint-port=51881 interface=212-Wireguard name=peer19 \
    persistent-keepalive=40s public-key=\
    "U/xxxx/+xxx/y0="
add allowed-address=10.10.100.50/32,192.168.0.0/24,192.168.5.0/24 comment=355 \
    endpoint-address=XXXXX.dyndns.org endpoint-port=51833 interface=\
    212-Wireguard name=355 persistent-keepalive=40s public-key=\
    "Q8CPJm+/xxx="
add allowed-address=10.10.100.101/32 comment=Aurora-laptop interface=\
    212-Wireguard name=Aurora-laptop private-key=\
    "KDUXHH4-----" public-key=\
    "rKKCAbPpb-----"
/ip address
add address=192.168.2.2/24 comment=defconf interface=bridge network=\
    192.168.2.0
add address=10.10.100.1/24 interface=212-Wireguard network=10.10.100.0
add address=192.168.55.1/24 interface=ether7 network=192.168.55.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1h
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server alert
add alert-timeout=12h disabled=no interface=bridge on-alert="/system script ad\
    d name=rogue-dhcp source=\94:log warning message=\\\94Rogue DHCP server de\
    tected!\\\94\94"
add alert-timeout=30m interface=bridge on-alert=rogue-dhcp

/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf dns-server=192.168.2.2 gateway=\
    192.168.2.2 netmask=24
add address=192.168.55.0/24 dns-server=1.1.1.1 gateway=192.168.55.1 netmask=\
    24
/ip dns
set allow-remote-requests=yes cache-max-ttl=3d cache-size=10000KiB servers=\
    9.9.9.9,1.1.1.1,8.8.4.4
/ip dns static
add address=192.168.2.8 name=212-rb5009.212.local type=A
add address=192.168.2.2 name=RB5009.212.local ttl=9w6d10h40m type=A
add address=10.10.100.1 name=212.10.10.100.1.local ttl=9w6d10h40m type=A
add address=192.168.2.100 comment="automatic-from-comment (magic comment)" \
    name=TV15.212.local ttl=1h type=A
add address=192.168.2.121 comment="automatic-from-comment (magic comment)" \
    name="Ipad SRN.212.local" ttl=9w6d10h40m type=A
add address=192.168.2.138 comment="automatic-from-comment (magic comment)" \
    name=MFCL3770CDW.212.local ttl=9w6d10h40m type=A
add address=192.168.2.141 comment="automatic-from-comment (magic comment)" \
    name="JRS iPhone.212.local" ttl=9w6d10h40m type=A
add address=192.168.2.109 comment="automatic-from-comment (magic comment)" \
    name="Vizio on 15.212.local" ttl=9w6d10h40m type=A
add address=192.168.2.122 comment="automatic-from-comment (magic comment)" \
    name=Homepod.212.local ttl=9w6d10h40m type=A
add address=192.168.2.199 comment="automatic-from-comment (magic comment)" \
    name=Playstation.212.local ttl=9w6d10h40m type=A
add address=192.168.2.142 comment="automatic-from-comment (magic comment)" \
    name=SRNAppleWatch.212.local ttl=9w6d10h40m type=A
add address=192.168.2.22 name=JRS-PC.212.local type=A
add address=192.168.2.102 comment="automatic-from-dhcp (magic comment)" name=\
    Master-Bedroom.212.local ttl=1h40m type=A
add address=192.168.2.103 comment="automatic-from-dhcp (magic comment)" name=\
    Family-Room.212.local ttl=1h40m type=A
add address=192.168.2.138 comment="automatic-from-dhcp (magic comment)" name=\
    MFC-L3770.212.local ttl=1h40m type=A
add address=192.168.2.147 comment="automatic-from-dhcp (magic comment)" name=\
    212LR.212.local ttl=1h40m type=A
add address=192.168.2.191 comment="automatic-from-dhcp (magic comment)" name=\
    SRNOffice.212.local ttl=1h40m type=A
add address=192.168.2.128 comment="automatic-from-dhcp (magic comment)" name=\
    212MBR.212.local ttl=1h40m type=A
add address=192.168.2.200 comment="automatic-from-dhcp (magic comment)" name=\
    HarmonyHub.212.local ttl=1h40m type=A
add address=192.168.2.124 comment="automatic-from-dhcp (magic comment)" name=\
    BRW2C6FC95FBCEB.212.local ttl=1h40m type=A
add address=192.168.2.173 comment="automatic-from-dhcp (magic comment)" name=\
    NC-LT-SN20.212.local ttl=1h40m type=A
add address=192.168.2.137 comment="automatic-from-dhcp (magic comment)" name=\
    tasmota-E37677-5751.212.local ttl=1h40m type=A
add address=192.168.2.117 comment="automatic-from-dhcp (magic comment)" name=\
    BRNB4220095598A.212.local ttl=1h40m type=A
add address=192.168.2.127 comment="automatic-from-dhcp (magic comment)" name=\
    Debian.212.local ttl=1h40m type=A
add address=192.168.2.110 comment="automatic-from-dhcp (magic comment)" name=\
    JRS-Laptop-2023.212.local ttl=1h40m type=A
add address=192.168.2.108 comment="automatic-from-dhcp (magic comment)" name=\
    0005CD193C07.212.local ttl=1h40m type=A
add address=69.202.199.148 name=XXXXX.dyndns.org type=A
add address=192.168.2.2 comment=router.212.internal name=router.212.internal \
    type=A
add address=10.10.100.80 comment=729router.internal name=729router.internal \
    type=A
add address=192.168.2.22 comment=jrspc name=jrspc.212.internal type=A
/ip firewall address-list
add address=XXXXX.dyndns.org list=dynamic-WANIP
add address=192.168.0.0/16 list=Authorized
add address=10.10.100.0/24 list=Authorized
add address=XXXXX.dyndns.org list=XXXXX
add address=hda08a4mazh.sn.mynetname.net list=PublicIP
/ip firewall filter
add action=log chain=input comment="Port 53 Log" connection-state=new \
    disabled=yes dst-port=53 log=yes log-prefix=TCP-53 protocol=tcp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Loopback allow" dst-address=127.0.0.1
add action=accept chain=input comment="Allow incoming WG connections" \
    dst-port=51820 protocol=udp
add action=drop chain=input comment="DROP DHCP on DHCPdisabled" disabled=yes \
    dst-port=67-68 in-interface-list=DHCPdisabled log=yes protocol=udp \
    src-port=67-68
add action=accept chain=input comment="Allow GRE for EoIP" disabled=yes log=\
    yes protocol=gre
add action=accept chain=input comment="Allow Authorized" src-address-list=\
    Authorized
add action=accept chain=input comment="Allow LAN" in-interface-list=LAN
add action=drop chain=input comment="drop all else" log-prefix=drop-all-else
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf:  drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="Allow WG to subnet" dst-address=\
    192.168.2.0/24 in-interface=212-Wireguard
add action=accept chain=forward comment="Allow all traffic out WG iface" \
    out-interface=212-Wireguard
add action=accept chain=forward comment="Allows cross peer subnet traffic" \
    in-interface=212-Wireguard out-interface=212-Wireguard
add action=accept chain=forward comment="Allow LAN to WAN" disabled=yes \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat disabled=yes
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=prerouting comment=\
    "Mark connection for hairpin" disabled=yes dst-address-list=dynamic-WANIP \
    log=yes new-connection-mark="Hairpin NAT" src-address=192.168.2.0/24
add action=mark-connection chain=prerouting comment=\
    "Mark connection for hairpin" disabled=yes dst-address-list=dynamic-WANIP \
    log=yes new-connection-mark="Hairpin NAT" src-address=192.168.2.0/24
add action=mark-connection chain=prerouting comment=\
    "Mark connection for hairpin" disabled=yes dst-address-list=dynamic-WANIP \
    log=yes new-connection-mark="Hairpin NAT" src-address=192.168.2.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark=\
    "Hairpin NAT" dst-address=192.168.2.0/24 src-address=192.168.2.0/24
add action=dst-nat chain=dstnat comment=XXXXX.dyndns.org:81 \
    dst-address-list=XXXXX dst-port=81 log-prefix=\
    "NAT FW destination XXXXX port 81" protocol=tcp to-addresses=\
    192.168.0.101 to-ports=81
add action=dst-nat chain=dstnat comment=XXXXX.dyndns.org:8123 \
    dst-address-list=XXXXX dst-port=8123 protocol=tcp to-addresses=\
    192.168.0.162 to-ports=8123
add action=masquerade chain=srcnat comment="NEW defconf: masquerade" \
    out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address-list=dynamic-WANIP dst-port=8123 \
    protocol=tcp to-addresses=192.168.2.176
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark=\
    "Hairpin NAT" disabled=yes dst-address=192.168.2.0/24 src-address=\
    192.168.2.0/24
add action=masquerade chain=srcnat comment="NEW defconf: masquerade" \
    disabled=yes out-interface-list=WAN
add action=dst-nat chain=dstnat disabled=yes dst-address-list=dynamic-WANIP \
    dst-port=8123 protocol=tcp to-addresses=192.168.2.176
add action=dst-nat chain=dstnat disabled=yes dst-address-list=dynamic-WANIP \
    dst-port=5911 log=yes protocol=tcp to-addresses=192.168.2.139
add action=dst-nat chain=dstnat disabled=yes dst-port=51833 protocol=udp \
    to-addresses=192.168.2.50
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark=\
    "Hairpin NAT" disabled=yes dst-address=192.168.2.0/24 src-address=\
    192.168.2.0/24
add action=masquerade chain=srcnat comment="NEW defconf: masquerade" \
    disabled=yes out-interface-list=WAN
add action=dst-nat chain=dstnat disabled=yes dst-address-list=dynamic-WANIP \
    dst-port=8123 protocol=tcp to-addresses=192.168.2.176
add action=dst-nat chain=dstnat disabled=yes dst-address-list=dynamic-WANIP \
    dst-port=5911 log=yes protocol=tcp to-addresses=192.168.2.139
add action=dst-nat chain=dstnat disabled=yes dst-port=51833 protocol=udp \
    to-addresses=192.168.2.50
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip kid-control
add fri=0s-1d mon=0s-1d name=Monitor sat=0s-1d sun=0s-1d thu=0s-1d tue=0s-1d \
    wed=0s-1d
/ip route
add disabled=yes distance=1 dst-address=192.168.5.0/24 gateway=212-Wireguard \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=192.168.2.2 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=355 disabled=no distance=1 dst-address=192.168.0.0/24 gateway=\
    212-Wireguard pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment=255 disabled=no distance=1 dst-address=192.168.1.0/24 gateway=\
    212-Wireguard pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment=355-Cameras disabled=no distance=1 dst-address=192.168.5.0/24 \
    gateway=212-Wireguard pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment=629 disabled=no distance=1 dst-address=192.168.20.0/24 gateway=\
    212-Wireguard pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.60.0/24 gateway=192.168.2.8 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=76 disabled=no distance=1 dst-address=192.168.30.0/24 gateway=\
    212-Wireguard pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment=371 disabled=no distance=1 dst-address=192.168.40.0/24 gateway=\
    212-Wireguard pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment=125 disabled=no distance=1 dst-address=192.168.70.0/24 gateway=\
    212-Wireguard pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=10.0.0.0/24 gateway=192.168.2.5 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment="TEMP -- REMOVE THIS WHEN 729 AX3 is moved" disabled=yes \
    distance=1 dst-address=172.16.0.0/16 gateway=192.168.2.192 routing-table=\
    main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=10.0.0.0/8 gateway=212-Wireguard \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=192.168.4.0/24 gateway=10.10.100.80 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=729 disabled=no distance=1 dst-address=192.168.80.0/24 gateway=\
    212-Wireguard routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=yes distance=1 dst-address=10.21.0.0/16 gateway=ether5 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set ftp disabled=yes
set telnet disabled=yes
set www disabled=yes
set www-ssl disabled=no
set api disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/ip ssh
set always-allow-password-login=yes forwarding-enabled=both
/snmp
set enabled=yes trap-version=2
/system clock
set time-zone-name=America/New_York
/system identity
set name=212-RB5009
/system logging
set 0 topics=info,!wireguard,!dhcp
add topics=account
add topics=watchdog
add action=logserver prefix="XXXXXH MikroTik" topics=hotspot
add action=logserver prefix="XXXXXH MikroTik" topics=\
    !debug,!packet,!snmp
add action=remote disabled=yes prefix=192.168.2.2 topics=info
add action=remote disabled=yes topics=ups
add topics=ups
add disabled=yes topics=dns
add topics=firewall
add action=diskups regex="^\\[UPS\\]:" topics=script
add action=disk topics=watchdog
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes
/system ntp client servers
add address=216.239.35.4
add address=104.16.132.229

/system ups
add name=ups1 port=usbhid1
/system watchdog
set auto-send-supout=yes ping-start-after-boot=10m ping-timeout=10m \
    send-email-to=jXXXXX@domain.com watch-address=1.1.1.1
/tool e-mail
set from=jXXXXX@domain.com password="bpxk rxgz xxx" port=587 \
    server=smtp.gmail.com tls=starttls user=<xxxx>@gmail.com
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
/tool romon
set enabled=yes

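As an added worked example (not part of the original post, and not code from NetworkManager or MikroTik): a small Python checker for a NetworkManager WireGuard profile like the one posted above. It applies WireGuard's cryptokey routing rule (longest-prefix match over every peer's allowed-ips) to a few test destinations, so you can see which destinations are routable into the tunnel and which are not, and it flags a `gateway=` entry under `[ipv4]`. My understanding, to be confirmed with `ip route` once the profile is active, is that NetworkManager installs a default route through the connection when that key is set and `never-default=true` is not, which sends traffic for destinations outside every allowed-ips prefix into the tunnel, where WireGuard drops it. The profile text is a constructed copy of the posted one with the keys and hostname replaced by placeholders.

```python
import configparser
import ipaddress

# Constructed copy of the posted .nmconnection; key material and hostname are placeholders.
NMCONNECTION = """\
[connection]
id=212-RB5009
type=wireguard
interface-name=wg

[wireguard]
listen-port=13340
private-key=PRIVATE-KEY-PLACEHOLDER

[wireguard-peer.PEER-PUBLIC-KEY-PLACEHOLDER]
endpoint=example.dyndns.org:51820
persistent-keepalive=40
allowed-ips=10.10.100.0/24;192.168.0.0/16;

[ipv4]
address1=10.10.100.101/24
dns=1.1.1.1;
gateway=10.10.100.1
method=manual
"""


def parse_nmconnection(text):
    """Return the peers' allowed-ips (as ip_network objects) and the [ipv4] routing keys."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    peers = {}
    for section in cp.sections():
        if section.startswith("wireguard-peer."):
            raw = cp[section].get("allowed-ips", "")
            peers[section.split(".", 1)[1]] = [
                ipaddress.ip_network(p, strict=False) for p in raw.split(";") if p
            ]
    ipv4 = cp["ipv4"] if cp.has_section("ipv4") else {}
    return {
        "peers": peers,
        "method": ipv4.get("method"),
        "gateway": ipv4.get("gateway"),
        # never-default=true tells NetworkManager not to install a default route for this profile
        "never_default": str(ipv4.get("never-default", "false")).lower() == "true",
    }


def peer_for(cfg, dst):
    """Cryptokey routing on egress: longest-prefix match over all peers' allowed-ips.
    Returns (peer, prefix) or None; a None destination is dropped by the tunnel, not forwarded."""
    addr = ipaddress.ip_address(dst)
    best = None
    for peer, nets in cfg["peers"].items():
        for net in nets:
            if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (peer, net)
    return best


def audit(cfg, destinations):
    # Assumption (mine, not from the thread): with method=manual, a gateway= key makes
    # NetworkManager install a default route via this interface unless never-default=true,
    # so destinations outside every allowed-ips prefix enter the tunnel and are dropped.
    default_via_tunnel = cfg["gateway"] is not None and not cfg["never_default"]
    reachable, dropped = {}, []
    for dst in destinations:
        match = peer_for(cfg, dst)
        reachable[dst] = str(match[1]) if match else None
        if match is None and default_via_tunnel:
            dropped.append(dst)
    return {
        "default_route_via_tunnel": default_via_tunnel,
        "reachable": reachable,
        "dropped_if_default": dropped,
    }


if __name__ == "__main__":
    config = parse_nmconnection(NMCONNECTION)
    # 10.10.100.30 is a tunnel peer, 192.168.30.5 a remote LAN host, 8.8.8.8 plain Internet
    report = audit(config, ["10.10.100.30", "192.168.30.5", "8.8.8.8"])
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it as a script for the report; `peer_for` returns the peer and prefix that would carry a destination, and `audit` summarizes which test destinations are covered by a peer and which would only be reached through a default route into the tunnel. The `never-default` handling is my reading of the keyfile settings, not something the thread discusses.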

The connectivity of your laptop, when remote, is not up to the MT setup but is a function of your laptop OS and the wireguard client you are using on the laptop. Does your setup allow split-tunneling, for example?

Not sure why you have bridge filters for ports 67, 68.
What is the purpose of that?? And also some weird rules for ports 67/68 in the input chain as well; clearly there is some sort of concern here.........???

Why do you have duplicate interface lists? LAN and TRUSTED are identical. Speaks to the entire config as a mess begging to be cleaned up. Get rid of junk and then one can see the forest for the trees.

The Authorized firewall address list is not needed in your WIDE OPEN approach.
For example you allow the entire LAN and duplicate TRUSTED interface to the input chain. One or the other will suffice.
Both of these interface lists already include the WIREGUARD interface, so anyone coming in via wireguard is allowed access; this includes all the 192.168.0.0/16 folks, does it not???

Not fond of open-ended rules; at least put in-interface-list=LAN:

add action=accept chain=forward comment="Allow all traffic out WG iface" \
    out-interface=212-Wireguard

Your destination nat rules like everything else are a fricken mess, I see duplicate rules.
Very confused to the fact that you have identified your WANIP in at least two different ways ???
dst-address-list=XXXXX
dst-address-list=dynamic-WANIP

okay they are duplicate address lists LOL, pointing to same thing.......... why???
See one dstnat rule without a destination address as well.

I see you port forward through the rb5009, and then thru wireguard to servers on other devices. Cool!
The routes needed for that are there which was nice to see, but two were a bit strange to me
with a gateway of 192.168.2.5 (how are users getting to non-local addresses through a local LAN IP?)
Then you do have one route with a gateway of a peer wireguard address vice the wireguard gateway interface name..... and the kicker: it's for a destination address (subnet) that doesn't even exist on that peer ???

Wireguard related -->

  1. On the router, one of the peer client settings has an error. Why do you have TWO client IP addresses for a single client? Makes no sense!

add allowed-address=\
    10.10.100.2/32,192.168.88.0/24,10.10.100.40/32,192.168.40.0/24 comment=\
    371 endpoint-address=XXXXX.dyndns.org endpoint-port=52820 interface=\
    212-Wireguard name=371 persistent-keepalive=40s public-key=\
    "xxxxxx="

You have to make up your mind, as to which peer this tunnel is connecting to??

  2. Now I am confused: is the RB5009 a host for the other routers? Your setup is inconsistent; if it is the host then why do you have endpoint information for almost half of the peers, and not the other half, but all are on the same wireguard subnet ???????????????????

One of the peers has an endpoint port and no endpoint address, also weird!
Why post the private key of a laptop in a peer?

I cannot proceed further until the mess is cleaned up.
Would luv to help more, but it hurts my brain to try and decipher what's needed for traffic, and what's garbage. Much easier to spot your own errors too when it's clean!

Question: Can you provide a sense of who is using the port forwardings.
a. to servers on the RB5009 ( just internal, just external or both)
b. to servers on other routers ( through WG), (just internal, just external, or both)

I am thinking that it would be better to simply give external users, going to servers on all routers, wireguard access to the servers coming in directly via wireguard, much more secure!
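An added example, not part of either post and not MikroTik code, that automates the checks raised above against a RouterOS export: a Python script that rejoins the export's backslash-wrapped lines, parses the `add` entries, and reports (a) interface lists with identical enabled membership (LAN vs TRUSTED), (b) which concrete interfaces each enabled input-chain accept rule keyed on `in-interface-list` admits (here including 212-Wireguard), and (c) WireGuard peer issues: an `endpoint-port` without an `endpoint-address`, a `private-key` on a peer entry, an `allowed-address` with host bits set, and a prefix claimed by more than one peer. The last check matters because WireGuard's cryptokey routing maps a prefix to exactly one peer, so a second claim silently takes it over; the export above lists 10.10.100.101/32 under both peer11 and Aurora-laptop, which the sample reproduces. The sample export is a constructed excerpt modelled on the RB5009 export in the thread, with keys and hostnames replaced by placeholders.

```python
import ipaddress
import re
import shlex

# Constructed excerpt modelled on the RB5009 export in this thread; keys and hostnames
# are placeholders. Not the thread's full export.
SAMPLE_EXPORT = r"""
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=212-Wireguard list=LAN
add interface=bridge list=TRUSTED
add interface=212-Wireguard list=TRUSTED
add disabled=yes interface=ether1 list=TRUSTED
/interface wireguard peers
add allowed-address=10.10.90.0/24 comment="BI PC WG APP" endpoint-port=51820 \
    interface=212-Wireguard name=peer8 public-key="PUBKEY-B-PLACEHOLDER="
add allowed-address=10.10.100.101/32 endpoint-port=51840 interface=\
    212-Wireguard name=peer11 public-key="PUBKEY-C-PLACEHOLDER="
add allowed-address=10.10.100.30/32,192.168.30.1/24 comment=76 \
    endpoint-address=example.dyndns.org endpoint-port=51830 interface=\
    212-Wireguard name=76 persistent-keepalive=40s public-key="PUBKEY-D-PLACEHOLDER="
add allowed-address=10.10.100.101/32 comment=Aurora-laptop interface=\
    212-Wireguard name=Aurora-laptop private-key="PRIVKEY-PLACEHOLDER" \
    public-key="PUBKEY-E-PLACEHOLDER="
/ip firewall filter
add action=accept chain=input comment="Allow LAN" in-interface-list=LAN
add action=drop chain=input comment="drop all else"
"""


def parse_export(text):
    """Group the 'add' lines of a RouterOS export by '/path' section as key->value dicts."""
    text = re.sub(r"\\\n\s*", "", text)  # rejoin lines the export wrapped with a trailing backslash
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
        elif line.startswith("add ") and current:
            # shlex handles the quoted values (comment="..."); split each token at its first '='
            entry = dict(tok.partition("=")[::2] for tok in shlex.split(line)[1:])
            sections.setdefault(current, []).append(entry)
    return sections


def interface_lists(sections):
    """Enabled members of each interface list."""
    lists = {}
    for m in sections.get("/interface list member", []):
        if m.get("disabled") != "yes":
            lists.setdefault(m["list"], set()).add(m["interface"])
    return lists


def identical_lists(lists):
    names = sorted(lists)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:] if lists[a] == lists[b]]


def input_accepts(sections, lists):
    """Concrete interfaces admitted by each enabled input-chain accept rule keyed on in-interface-list."""
    out = {}
    for r in sections.get("/ip firewall filter", []):
        if (r.get("chain"), r.get("action")) == ("input", "accept") and r.get("disabled") != "yes" \
                and "in-interface-list" in r:
            out[r.get("comment", "?")] = sorted(lists.get(r["in-interface-list"], ()))
    return out


def lint_peers(peers):
    """Findings as (peer name, code, detail)."""
    findings, owners = [], {}
    for p in peers:
        name = p.get("name", "?")
        if "private-key" in p:
            findings.append((name, "private-key-on-peer", "peer entry carries a private key"))
        if "endpoint-port" in p and "endpoint-address" not in p:
            findings.append((name, "port-without-address", p["endpoint-port"]))
        for raw in filter(None, p.get("allowed-address", "").split(",")):
            net = ipaddress.ip_network(raw, strict=False)
            if str(net) != raw:  # host bits set, e.g. 192.168.30.1/24
                findings.append((name, "non-canonical-prefix", f"{raw} -> {net}"))
            owners.setdefault(net, []).append(name)
    # Cryptokey routing maps a prefix to exactly one peer: a second claim silently takes it over.
    for net, names in owners.items():
        if len(names) > 1:
            findings.append((",".join(names), "duplicate-allowed-address", str(net)))
    return findings


if __name__ == "__main__":
    sections = parse_export(SAMPLE_EXPORT)
    lists = interface_lists(sections)
    print("identical interface lists:", identical_lists(lists))
    print("input accepts by list:", input_accepts(sections, lists))
    for finding in lint_peers(sections["/interface wireguard peers"]):
        print("peer finding:", finding)
```

To use it on a real device, paste the output of `/export` into `SAMPLE_EXPORT` or read it from a file; the parser only looks at `add` lines, so `set` lines (such as the default firewall chain settings) are ignored.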

> The connectivity of your laptop, when remote, is not up to the MT setup but is a function of your laptop OS and the wireguard client you are using on the laptop. Does your setup allow split-tunneling, for example?

I don't know what "split-tunneling" is, or whether Fedora Aurora allows it, or whether it is needed.

> Not sure why you have bridge filters for ports 67, 68.
> What is the purpose of that?? And also some weird rules for ports 67/68 in the input chain as well; clearly there is some sort of concern here.........???

It has been a while since I messed with this config. I have a vague recollection that DHCP requests were being responded to and satisfied across the WG connection and this was not wanted, hence the filtering of ports 67 and 68.

However, both of these bridge filters are disabled, so they shouldn't be doing anything other than adding to the messiness.

> Why do you have duplicate interface lists? LAN and TRUSTED are identical. Speaks to the entire config as a mess begging to be cleaned up. Get rid of junk and then one can see the forest for the trees.

> The Authorized firewall address list is not needed in your WIDE OPEN approach.
> For example you allow the entire LAN and duplicate TRUSTED interface to the input chain. One or the other will suffice.
> Both of these interface lists already include the WIREGUARD interface, so anyone coming in via wireguard is allowed access; this includes all the 192.168.0.0/16 folks, does it not???

I would need to go through everything to make sure that getting rid of LAN or TRUSTED doesn't mess anything up. Can we ignore this for now?

Yes, it does include all of the 192.168.0.0/16 people. I understand that is a major security issue, and you and I have discussed it in the context of changing to VLAN at the remote locations as well as this (main) RB5009 location. I'm still working on getting emotionally prepared for such a switchover -- not there yet.

> Your destination nat rules like everything else are a fricken mess, I see duplicate rules.

The dst-nat rules allow me to reach internal servers at ports 81 and 8123. Is this not correct?

> Very confused to the fact that you have identified your WANIP in at least two different ways ???
> dst-address-list=XXXXX
> dst-address-list=dynamic-WANIP

I believe these are two different lists: XXXX is a remote location and dynamic-WANIP is the local WAN IP.

> See one dstnat rule without a destination address as well.

I don't see one.

> I see you port forward through the rb5009, and then thru wireguard to servers on other devices. Cool!

Thanks to you!

> The routes needed for that are there which was nice to see, but two were a bit strange to me with a gateway of 192.168.2.5 (how are users getting to non-local addresses through a local LAN IP?)

I believe that is disabled.

> Then you do have one route with a gateway of a peer wireguard address vice the wireguard gateway interface name..... and the kicker: it's for a destination address (subnet) that doesn't even exist on that peer ???

I see one with dst-address=192.168.4.0/25 gateway=10.10.100.80 -- is this the one? If so, it's disabled.

> Wireguard related -->

> On the router, one of the peer client settings has an error. Why do you have TWO client IP addresses for a single client? Makes no sense!
> add allowed-address=10.10.100.2/32,192.168.88.0/24,10.10.100.40/32,192.168.40.0/24 comment=371 endpoint-address=XXXXX.dyndns.org endpoint-port=52820 interface=212-Wireguard name=371 persistent-keepalive=40s public-key="xxxxxx="

If you are referring to having both 10.10.100.2 and 10.10.100.40, it is because the remote device does indeed have both those addresses. I know I should clean that up, but it works for now (and has worked for a long time).

> Now I am confused: is the RB5009 a host for the other routers? Your setup is inconsistent; if it is the host then why do you have endpoint information for almost half of the peers, and not the other half, but all are on the same wireguard subnet ???????????????????

I don't understand "host." This RB5009 is set up as peer to other MT devices so either side can initiate the connection, hence both ends have endpoints.

Some peers don't have endpoints because the RB5009 will never initiate the connection (like the iphone and laptops/PCs).

Does that address the question?

One of the peers has an endpoint port and no endpoint address, also weird!

I see that now -- it's the one with comment="BI PC WG APP" This one is never used (i.e., not needed)

Why post the private key of a laptop in a peer?

Did I?

I cannot proceed further until the mess is cleaned up.
Would luv to help more, but it hurts my brain to try and decipher what's needed for traffic and what's garbage. Much easier to spot your own errors too when it's clean!

Does my response allow you to ignore the mess (for now)?

Question: Can you provide a sense of who is using the port forwardings.
a. to servers on the RB5009 ( just internal, just external or both)
b. to servers on other routers ( through WG), (just internal, just external, or both)

I'm not sure I understand the question. I would like to be able to be anywhere with my linux PC, establish a WG connection to 212, and then have access to all devices (all IP addresses) in the 10.10.100.x and 192.168.x.x networks at the RB5009 location as well as all the locations that are WG-connected to the RB5009.

As for who, that's easy: Just me (so long as we are referring solely to the linux PC).

I am thinking that it would be better to simply give external users going to servers on all routers wireguard access to the servers, coming in directly via wireguard; much more secure!

This is part of the larger plan that we have been working on for a long time and that I am still not ready to implement; specifically, switching everything over to VLANs everywhere and then figuring out how various people and devices communicate with other various devices/servers throughout the greater network.

I found the solution to the linux PC losing Internet connectivity when the WG connection is active.

I had to check “Use this connection only for resources on its network” in the Peer | IP4 settings of the WG networking connection on the PC. This is the GUI equivalent to “ipv4.never-default = yes” and retains connectivity to the gateway identified in the wifi connection.

Excellent, as noted, it was not a router setting!

I would also get rid of the firewall rules concerning ports 67, 68 etc. and bridge filters altogether. They are not needed.
Just ensure you have a drop rule at the end of your input chain (as you already do) and forward chain, as stated many times previously. On that note, you have redundant rules in that you state in the clear way that port forwarding is allowed in the forward chain but then as last rule kept the associated default rule, which should be removed and replaced with the drop all rule.

From

add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat disabled=yes
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN

TO

add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat disabled=no
add action=drop chain=forward comment="drop all else"

The last rule in nat has no dst address:

add action=dst-nat chain=dstnat disabled=yes dst-port=51833 protocol=udp \
    to-addresses=192.168.2.50

Okay, fair enough: if XXXX is a remote location, then the dstnat rule makes no sense. The destination address here (like the default in-interface=) indicates a local address; it's the TO address that may point to a subnet outside of this router etc. All those rules should be removed.

If you want traffic going to a different WANIP, then you need tables and specific IP routes and whatever of the two makes more sense, mangles or routing rules.

As to peers, the device at the other end can ONLY have one wireguard address identifying that device within the same subnet (aka same wireguard interface). Connections in wireguard are point to point, not point to multipoint.

Finally, there is nothing wrong with having each router have the capability to reach the others, but that is not practical within the same subnet. You need different addresses.

For example, if you have four routers, each with a public IP, and you want to connect them via wireguard, there are two obvious options (others get too complex). ONE: simply one acts as the host for all the others, and the other three are clients making the connection, done. If the host is not available the other 3 cannot reach each other.
SECOND: each is able to initiate a connection to the other,
example
R1 hosts WG1 ( three peers r2,r3,r4 ) interfaceA- 10.10.10.0/24
R2 hosts WG2 ( three peers r1,r3,r4 ) interfaceB - 10.20.20.0/24
R3 hosts WG3 ( three peers r1,r2,r4 ) interfaceC- 10.30.30.0/24
R4 hosts WG4 ( three peers r1,r2,r3 ) interfaceD - 10.40.40.0/24

In this setup each router has four WireGuard interfaces: a host on one and a client on the other three.
In this setup any router can fail and all other routers can still talk to each other.

This is just a general concept approach. The details get far more complex when you start introducing the requirements that drive the config details.
Identify all user(s)/devices(s) including the admin on each router and local network.
Identify all their traffic needs.

Once done the config can then be crafted in an efficient manner.
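The point made above about one wireguard address per device on a shared interface, and the four-router design where each router hosts one interface and is a client on three others, both come down to how WireGuard's cryptokey routing works: every interface has exactly one allowed-ips table, each prefix in it belongs to exactly one peer, and assigning the same prefix to a second peer moves it there. The added example below (not code from the thread or from MikroTik; all addresses, peer names and routes are hypothetical) models that behaviour in Python and runs three checks: three client peers with allowed-address=0.0.0.0/0 on ONE interface, the same peers on one client interface each with the kernel route table choosing the interface, and the inbound source check that makes allowed-ips act as an ACL on decrypted traffic.

```python
import ipaddress


class WgInterface:
    """Cryptokey-routing model of one WireGuard interface (added example).

    One allowed-ips table per interface; a prefix belongs to exactly one peer,
    and giving it to another peer silently moves it, as the kernel does.
    """

    def __init__(self, name: str):
        self.name = name
        self.allowed = {}  # ip_network -> peer name

    def add_peer(self, peer: str, allowed_ips):
        for cidr in allowed_ips:
            net = ipaddress.ip_network(cidr, strict=False)
            self.allowed[net] = peer  # re-homes the prefix if another peer held it

    def peer_for(self, ip: str):
        """Outbound: longest-prefix match over allowed-ips picks the peer."""
        addr = ipaddress.ip_address(ip)
        best = None
        for net, peer in self.allowed.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, peer)
        return None if best is None else best[1]

    def accept_inbound(self, from_peer: str, src_ip: str) -> bool:
        """Inbound: after decryption the source address must fall inside the
        sending peer's allowed-ips, otherwise WireGuard drops the packet."""
        return self.peer_for(src_ip) == from_peer


class Router:
    """Kernel route lookup (longest prefix) chooses the interface; that
    interface's cryptokey table then chooses the peer, hence the endpoint."""

    def __init__(self):
        self.ifaces = {}
        self.routes = []  # (ip_network, interface name)

    def add_iface(self, iface: WgInterface):
        self.ifaces[iface.name] = iface

    def add_route(self, cidr: str, iface_name: str):
        self.routes.append((ipaddress.ip_network(cidr), iface_name))

    def lookup(self, dst_ip: str):
        addr = ipaddress.ip_address(dst_ip)
        hits = [(n, i) for n, i in self.routes if addr in n]
        if not hits:
            return None
        _, iface_name = max(hits, key=lambda h: h[0].prefixlen)
        return iface_name, self.ifaces[iface_name].peer_for(dst_ip)


def single_interface_conflict():
    """Three client peers with 0.0.0.0/0 on ONE interface: only the peer
    configured last still owns the prefix, the other two are unreachable."""
    wg = WgInterface("wireguard1")
    for peer in ("r2", "r3", "r4"):
        wg.add_peer(peer, ["0.0.0.0/0"])
    return wg.peer_for("192.168.30.10")


def build_r1():
    """R1 of the four-router design: host on wireguard1, client on wireguard2..4.
    Hypothetical addressing: tunnel 10.10.10.N/32, LAN 192.168.N0.0/24 for router N."""
    r1 = Router()
    host = WgInterface("wireguard1")
    for n in (2, 3, 4):
        host.add_peer(f"r{n}", [f"10.10.10.{n}/32", f"192.168.{n * 10}.0/24"])
        client = WgInterface(f"wireguard{n}")
        client.add_peer(f"r{n}", ["0.0.0.0/0"])  # one peer per client interface, no conflict
        r1.add_iface(client)
        r1.add_route(f"192.168.{n * 10}.0/24", f"wireguard{n}")
    r1.add_iface(host)
    return r1, host


def mesh_lookups():
    r1, _ = build_r1()
    return {ip: r1.lookup(ip) for ip in ("192.168.20.5", "192.168.30.5", "192.168.40.5")}


def inbound_checks():
    _, host = build_r1()
    return {
        "r2 sends from its own LAN": host.accept_inbound("r2", "192.168.20.5"),
        "r3 spoofs r2's LAN": host.accept_inbound("r3", "192.168.20.5"),
        "unknown peer": host.accept_inbound("r9", "192.168.20.5"),
    }


if __name__ == "__main__":
    print("0.0.0.0/0 on one interface is owned by:", single_interface_conflict())
    print(mesh_lookups())
    print(inbound_checks())
```

The inbound check is the part worth remembering when a hub carries many peers on one interface: a peer can only inject traffic with source addresses inside its own allowed-ips, so a laptop peer listed as a single /32 cannot impersonate a remote site's LAN, while a peer that is handed a wide prefix can.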

When I did this, the “drop all else” rule started accumulating, and the logs showed:

2025-11-02 16:02:45 firewall,info forward: in:bridge out:ether1, connection-state:new src-mac 70:d8:c2:4c:54:64, proto TCP (SYN), 192.168.2.153:61784->69.147.92.11:443, len 52
2025-11-02 16:02:45 firewall,info forward: in:bridge out:ether1, connection-state:new src-mac 70:d8:c2:4c:54:64, proto TCP (SYN), 192.168.2.153:51729->142.250.65.227:443, len 52
2025-11-02 16:02:45 firewall,info forward: in:bridge out:ether1, connection-state:new src-mac c8:7f:54:5a:69:13, proto TCP (SYN), 192.168.2.22:58843->47.88.25.197:443, len 52
2025-11-02 16:02:45 firewall,info forward: in:bridge out:ether1, connection-state:new src-mac 60:57:c8:5d:06:4e, proto TCP (SYN), 192.168.2.151:56981->17.253.3.144:443, len 64
2025-11-02 16:02:45 firewall,info forward: in:bridge out:ether1, connection-state:new src-mac 60:57:c8:5d:06:4e, proto TCP (SYN), 192.168.2.151:56965->151.101.67.6:443, len 64
2025-11-02 16:02:45 firewall,info forward: in:bridge out:ether1, connection-state:new src-mac 60:57:c8:5d:06:4e, proto TCP (SYN), 192.168.2.151:56981->17.253.3.144:443, len 64
2025-11-02 16:02:45 firewall,info forward: in:bridge out:ether1, connection-state:new src-mac 60:57:c8:5d:06:4e, proto TCP (SYN), 192.168.2.151:56980->17.253.3.137:443, len 64
2025-11-02 16:02:45 firewall,info forward: in:bridge out:ether1, connection-state:new src-mac 60:57:c8:5d:06:4e, proto TCP (SYN), 192.168.2.151:56981->17.253.3.144:443, len 64
2025-11-02 16:02:45 firewall,info forward: in:bridge out:ether1, connection-state:new src-mac 60:57:c8:5d:06:4e, proto TCP (SYN), 192.168.2.151:56980->17.253.3.137:443, len 64
2025-11-02 16:02:45 firewall,info forward: in:bridge out:ether1, connection-state:new src-mac 60:57:c8:5d:06:4e, proto TCP (SYN), 192.168.2.151:56979->17.253.3.135:443, len 64
2025-11-02 16:02:45 firewall,info forward: in:bridge out:ether1, connection-state:new src-mac 60:57:c8:5d:06:4e, proto TCP (SYN), 192.168.2.151:56981->17.253.3.144:443, len 64
2025-11-02 16:02:45 firewall,info forward: in:bridge out:ether1, connection-state:new src-mac 60:57:c8:5d:06:4e, proto TCP (SYN), 192.168.2.151:56966->151.101.131.6:443, len 64
2025-11-02 16:02:45 firewall,info forward: in:bridge out:ether1, connection-state:new src-mac b0:a7:37:75:b6:60, proto TCP (SYN), 192.168.2.166:59360->23.219.36.145:443, len 60
2025-11-02 16:02:45 firewall,info forward: in:bridge out:ether1, connection-state:new src-mac b0:a7:37:75:b6:60, proto TCP (SYN), 192.168.2.166:35202->23.219.36.133:443, len 60
2025-11-02 16:02:45 firewall,info forward: in:bridge out:ether1, connection-state:new src-mac b0:a7:37:75:b6:60, proto TCP (SYN), 192.168.2.166:51891->23.219.36.134:443, len 60
2025-11-02 16:02:45 firewall,info forward: in:bridge out:ether1, connection-state:new src-mac 70:d8:c2:4c:54:64, proto TCP (SYN), 192.168.2.153:40178->142.250.15.94:443, len 52
2025-11-02 16:02:45 firewall,info forward: in:bridge out:ether1, connection-state:new src-mac 60:57:c8:5d:06:4e, proto TCP (SYN), 192.168.2.151:56967->151.101.195.6:443, len 64
2025-11-02 16:02:45 firewall,info forward: in:bridge out:ether1, connection-state:new src-mac 62:51:8c:32:e0:c4, proto TCP (SYN), 192.168.2.152:54646->142.250.65.227:443, len 60
2025-11-02 16:02:45 firewall,info forward: in:bridge out:ether1, connection-state:new src-mac 60:57:c8:5d:06:4e, proto TCP (SYN), 192.168.2.151:56980->17.253.3.137:443, len 64
2025-11-02 16:02:45 firewall,info forward: in:bridge out:ether1, connection-state:new src-mac 60:57:c8:5d:06:4e, proto TCP (SYN), 192.168.2.151:56981->17.253.3.144:443, len 64
2025-11-02 16:02:45 firewall,info forward: in:bridge out:ether1, connection-state:new src-mac 60:57:c8:5d:06:4e, proto UDP, 192.168.2.151:61350->17.248.199.67:443, len 1228
2025-11-02 16:02:45 firewall,info forward: in:bridge out:ether1, connection-state:new src-mac 60:57:c8:5d:06:4e, proto UDP, 192.168.2.151:55446->17.250.96.121:443, len 1378

Then my local wifi clients could not connect to the AP.

Something about these rules is necessary.

This is why I am loath to touch the config – something always breaks.

As far as WG, I’ve had it set up with 1 WG interface at each location and multiple peers at each.

The problem is that what you are missing is four wireguard interfaces on each router:
the one it's hosting and the three that it is a client of.
Each router that is the host will have something similar to Router 1, for example:
-allowed address wgIP-r2/32,remotesubnets interface=wireguard1 public-key=
-allowed address wgIP-r3/32,remotesubnets interface=wireguard1 public-key=
-allowed address wgIP-r4/32,remotesubnets interface=wireguard1 public-key=
and then the following router peer settings as a client to the other routers as hosts...

  • allowed address=0.0.0.0/0 interface=wireguard2 endpoint=URL#R2 endpoint-port=54422
    public-key="-----" persistent-keep-alive=xt
  • allowed address=0.0.0.0/0 interface=wireguard3 endpoint=URL#R3 endpoint-port=54423
    public-key="-----" persistent-keep-alive=xy
  • allowed address=0.0.0.0/0 interface=wireguard4 endpoint=URL#R4 endpoint-port=54424
    public-key="-----" persistent-keep-alive=xz

/interface list
wg1 = LAN
wg2 = WAN
wg3 = WAN
wg4 = WAN
+++++++++++++++++++++++++++++++++++++++++++++++

In this approach all subnet users going from a client router to a host router will have the assigned Wireguard IP address of the client router. This simplifies many things. Foremost, on the host router we don't need to create any conflicting static routes. The host router only needs to create IP static routes for the remote subnets identified in its peer settings for the other routers acting as clients.

One consideration to keep in mind is if you need for some reason to limit access From a client subnet to a host subnet. This has to be done using firewall rules on the host device for any incoming traffic.

As I stated previously, the devil in the detail comes from a COMPLETE set of user requirements.

As far as APs not getting a connection, then you are missing a stated requirement.
If you have a single subnet and no vlans, then how is any traffic getting dropped?
This tells me you have multiple subnets and thus we need firewall rules to allow any traffic needed between them. Since both your APs are on the bridge using a single subnet, they are connected at layer 2. How could some layer 3 firewall rules affect them? Thus you need to provide more information.

You have to be clear on the communication as well; you state they couldn't connect to the AP.
If that is the case then it's a problem on AP setup, not router. It is more likely that they could connect to the AP but not get any internet. Seeing as they should be able to get an IP address from the server, one would look at DNS and at firewall rules.
My first guess is a missing firewall rule in the forward chain:

add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN
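The forward-chain rewrite suggested earlier in the thread (accept dstnat, then "drop all else") and the log lines it produced fit together once you remember that a RouterOS chain with no matching rule accepts the packet: the defconf forward chain never has an explicit LAN -> WAN accept, it relies on that implicit accept, and a final "drop all else" removes it. The added example below (not code from the thread or from RouterOS) is a small Python model of first-match chain evaluation. It parses two of the log lines quoted above, adds constructed packets for the flows the log cannot show, and runs each through three chains: the exported one, the "drop all else" rewrite, and the rewrite with the LAN -> WAN accept rule from this reply. The interface-list membership and the extra WG -> LAN accept are assumptions for the example, as are the addresses in the constructed packets.

```python
import re
from dataclasses import dataclass

# Interface-list membership as RouterOS defconf names it. Putting the WireGuard
# interface in a list of its own is an assumption made for this example.
IFACE_LISTS = {"LAN": {"bridge"}, "WAN": {"ether1"}, "WG": {"212-Wireguard"}}


@dataclass(frozen=True)
class Packet:
    in_iface: str
    out_iface: str
    conn_state: str        # new | established | related | invalid
    nat_state: str = ""    # "dstnat" once a dstnat rule rewrote the destination
    src: str = ""
    dst: str = ""


@dataclass(frozen=True)
class Rule:
    action: str            # accept | drop
    comment: str
    conn_state: tuple = () # empty = any connection-state
    nat_state: str = ""    # "", "dstnat" or "!dstnat"
    in_list: str = ""      # in-interface-list
    out_list: str = ""     # out-interface-list

    def matches(self, p: Packet) -> bool:
        if self.conn_state and p.conn_state not in self.conn_state:
            return False
        if self.nat_state == "dstnat" and p.nat_state != "dstnat":
            return False
        if self.nat_state == "!dstnat" and p.nat_state == "dstnat":
            return False
        if self.in_list and p.in_iface not in IFACE_LISTS[self.in_list]:
            return False
        if self.out_list and p.out_iface not in IFACE_LISTS[self.out_list]:
            return False
        return True


def evaluate(chain, p: Packet):
    """First matching rule decides; with no match RouterOS accepts the packet."""
    for rule in chain:
        if rule.matches(p):
            return rule.action, rule.comment
    return "accept", "(implicit accept at end of chain)"


COMMON = [
    Rule("accept", "established,related", conn_state=("established", "related")),
    Rule("drop", "invalid", conn_state=("invalid",)),
]
# Chain as exported in the thread: port-forward accept disabled, defconf drop last.
CHAIN_BEFORE = COMMON + [
    Rule("drop", "defconf: drop all from WAN not DSTNATed",
         conn_state=("new",), nat_state="!dstnat", in_list="WAN"),
]
# The rewrite proposed in the thread: accept dstnat, then drop everything else.
CHAIN_DROP_ALL_ELSE = COMMON + [
    Rule("accept", "allow port forwarding", nat_state="dstnat"),
    Rule("drop", "drop all else"),
]
# Same chain plus the LAN -> WAN accept from this reply and a WG -> LAN accept
# (assumed here) so a WireGuard client can still reach the LAN behind the router.
CHAIN_FIXED = COMMON + [
    Rule("accept", "LAN -> WAN", in_list="LAN", out_list="WAN"),
    Rule("accept", "WG -> LAN (assumed)", in_list="WG", out_list="LAN"),
    Rule("accept", "allow port forwarding", nat_state="dstnat"),
    Rule("drop", "drop all else"),
]
CHAINS = {"before": CHAIN_BEFORE, "drop_all_else": CHAIN_DROP_ALL_ELSE, "fixed": CHAIN_FIXED}

LOG_RE = re.compile(
    r"forward: in:(?P<in>\S+) out:(?P<out>\S+), connection-state:(?P<state>\w+).*?"
    r"(?P<src>\d+(?:\.\d+){3}):\d+->(?P<dst>\d+(?:\.\d+){3}):\d+"
)


def packet_from_log(line: str) -> Packet:
    """Parse one RouterOS firewall log line of the shape quoted in the thread."""
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError(f"not a forward-chain log line: {line!r}")
    return Packet(m["in"], m["out"], m["state"], src=m["src"], dst=m["dst"])


# Two lines copied from the thread's log; the remaining packets are constructed.
SAMPLE_LOG = [
    "2025-11-02 16:02:45 firewall,info forward: in:bridge out:ether1, connection-state:new "
    "src-mac 70:d8:c2:4c:54:64, proto TCP (SYN), 192.168.2.153:61784->69.147.92.11:443, len 52",
    "2025-11-02 16:02:45 firewall,info forward: in:bridge out:ether1, connection-state:new "
    "src-mac 60:57:c8:5d:06:4e, proto UDP, 192.168.2.151:61350->17.248.199.67:443, len 1228",
]
CONSTRUCTED = {
    "wan_scan_new": Packet("ether1", "bridge", "new", src="198.51.100.7", dst="192.168.2.50"),
    "wan_dstnat_new": Packet("ether1", "bridge", "new", "dstnat", "198.51.100.7", "192.168.2.50"),
    "wg_to_lan_new": Packet("212-Wireguard", "bridge", "new", src="10.10.100.101", dst="192.168.2.50"),
    "wan_reply_established": Packet("ether1", "bridge", "established", src="69.147.92.11", dst="192.168.2.153"),
}


def verdicts():
    """flow name -> {chain name -> action} for every sample packet."""
    flows = {f"log_{i}": packet_from_log(line) for i, line in enumerate(SAMPLE_LOG)}
    flows.update(CONSTRUCTED)
    return {name: {cn: evaluate(ch, p)[0] for cn, ch in CHAINS.items()}
            for name, p in flows.items()}


if __name__ == "__main__":
    for flow, v in verdicts().items():
        print(f"{flow:22s} " + "  ".join(f"{cn}={a}" for cn, a in v.items()))
```

Running it shows the two logged LAN -> WAN SYNs accepted by the exported chain, dropped by "drop all else", and accepted again once the LAN -> WAN rule is present, while an unsolicited WAN -> LAN connection is dropped by all three chains and a dstnat'ed one is accepted by all three; the "drop all else" chain also drops a WireGuard client heading for the LAN, which is worth checking before tightening the chain on a router whose whole purpose is that path.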

You and I created this single WG interface solution together a long time ago, and it works great.

I don’t want to change it.

Could be (I really was thinking the same thing), but it’s been working great for years, so I’d rather not tackle changing it.

When I’m ready to tackle something, it will be VLANs everywhere – which I’m still convinced will be a brain-cell-burning, hair-losing, cuss-laced, possibly-tear-filled endeavor, even with the generous help from you and others here.