How to set Wireguard IP as default route in connection between two MT

Hello, I have two MTs and I made Wireguard connection between them:

MT1’s WG IP is 10.74.75.1/30, and MT2’s WG IP is 10.74.75.2/30 and they both can ping each other.
MT1’s internal IP is 192.168.100.8, and MT2’s IP is a public IP (it’s an MT VPS).

My laptop is connected to MT1. I changed my laptop’s gateway to 192.168.100.8 but nothing changes and if I google my IP, I still see my current internet IP instead of MT2’s IP.

This is my MT1’s route detail.

[admin@MikroTik] > /ip/route/print detail stats
Flags: D - dynamic; X - disabled, I - inactive, A - active; c - connect, s - static, r - rip, b - bgp, o - ospf, i - is-is, d - dhcp, v - vpn, m - modem, y - bgp-mpls-vpn; H - hw-offloaded; + - ecmp
0 Is dst-address=0.0.0.0/0 routing-table=main pref-src="" gateway=wireguard1 immediate-gw=wireguard1 check-gateway=ping distance=1 scope=30 target-scope=10 suppress-hw-offload=no

1 As dst-address=0.0.0.0/0 routing-table=main pref-src="" gateway=192.168.100.1 immediate-gw=192.168.100.1%ether1 distance=1 scope=30 target-scope=10 suppress-hw-offload=no

DAc dst-address=10.74.75.0/30 routing-table=main gateway=wireguard1 immediate-gw=wireguard1 distance=0 scope=10 suppress-hw-offload=no local-address=10.74.75.2%wireguard1

DAc dst-address=192.168.100.0/24 routing-table=main gateway=ether1 immediate-gw=ether1 distance=0 scope=10 suppress-hw-offload=no local-address=192.168.100.8%ether

I don’t know why my first route is inactive.

Can you help me?

Update1:
Connection topology to my laptop is:

I have an ADSL modem (DHCP is off). The MikroTik is connected to the modem via LAN cable (in the MT, DHCP is off too). The laptop is connected to the MikroTik via LAN. I manually set the IP on my laptop:

IP: 192.168.100.4
Subnet: /24
Gateway: 192.168.100.8 (MT’s IP)

Modem’s IP is 192.168.100.1.

Update2:

When I add a new route via this command, my laptop has no internet anymore and I have to delete the route:

/ip/route/add dst-address=0.0.0.0/0 gateway=wireguard1

Then when I print the routes, the new route is active but I have no internet access.

/export file=anynameyouwish (minus router serial number, any public WAN IP information, keys, etc.)

For both routers.
Which router is the server for the handshake?

For ISP connections need info.
R1 - what type of ISP(s),
public/private IP, static or dynamic IP

R1 - what type of ISP(s),
public/private IP, static or dynamic IP

If it’s a private IP, assuming there is an upstream ISP modem/router.
Can you port forward from that ISP device to the MT?

Thanks,

Home export:

2024-08-02 22:32:31 by RouterOS 7.13.4

software id =

/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
/interface wireguard
add listen-port=14000 mtu=1420 name=wireguard1
/port
set 0 name=serial0
set 1 name=serial1
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=out_ips endpoint-port=14000 interface=wireguard1 public-key="public_key"
/ip address
add address=192.168.100.8/24 interface=ether1 network=192.168.100.0
add address=10.74.75.2/30 interface=wireguard1 network=10.74.75.0
/ip dns
set servers=8.8.8.8
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.100.1
add disabled=yes distance=1 dst-address=out_ips/32 gateway=wireguard1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set winbox port=5200
/system hardware
set allow-x86-64=yes
/system note
set show-at-login=no

VPS export:

aug/02/2024 22:33:48 by RouterOS 7.6

software id =

/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
/interface wireguard
add listen-port=14000 mtu=1420 name=wireguard1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=home_ip endpoint-port=14000 interface=wireguard1 public-key="WVUHistxl/1kClHsHFyw2+V5RDOnEVZIUgZm97UC+kM="
/ip address
add address=out_ips interface=ether1 network=out_gateway
add address=10.74.75.1/30 interface=wireguard1 network=10.74.75.0
/ip dhcp-client
add interface=ether1
/ip dns
set servers=8.8.8.8
/ip route
add dst-address=0.0.0.0/0 gateway=out_gateway
add disabled=yes distance=1 dst-address=home_ip/32 gateway=wireguard1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10

R1 has static public IP. R2 has static public IP.

The R2 is the server. R1 is my local MT device.

Regarding port forward, yes I did that, because if I disable port forward, then R2 cannot ping 10.74.75.1/30.

I’m not sure, but I suspect either my routes have a problem and are inaccessible, or I should have a firewall rule (I don’t have any firewall rules on R1 or R2).

I also googled and read this link: https://help.mikrotik.com/docs/display/ROS/WireGuard

I have done almost everything in the given link, and added some firewall rules:

MT1’s Filters:

[admin@MikroTik] > /ip/firewall/filter/print 
Flags: X - disabled, I - invalid; D - dynamic 
 0    chain=input action=accept protocol=udp src-address=mt2_ip dst-port=14000 log=no log-prefix="" 

 1    chain=forward action=accept src-address=10.74.75.0/30 dst-address=10.74.75.0/30 

 2    chain=forward action=accept src-address=10.74.75.0/30 dst-address=10.74.75.0/30

MT2’s Filters:

[admin@MikroTik] > /ip/firewall/filter/print 
Flags: X - disabled, I - invalid; D - dynamic 
 0    chain=input action=accept protocol=udp src-address=mt1_ip src-port=14000 log=no log-prefix="" 

 1    chain=forward action=accept src-address=10.74.75.0/30 dst-address=10.74.75.0/30 

 2    chain=forward action=accept src-address=10.74.75.0/30 dst-address=10.74.75.0/30

This is my laptop’s network configuration file:

network:
    ethernets:
        ens160:
            addresses:
            - 192.168.100.4/24
            nameservers:
                addresses:
                - 8.8.8.8
                search: []
            routes:
            -   to: default
                via: 192.168.100.8
    version: 2

The attached picture is MT1’s firewall connections.

On my laptop I run curl api.ipify.org and expect it to show me MT2’s IP, but I still see MT1’s IP.
mt1_firewall.png

Since you made changes the first two configs are no longer useful, please post your latest.

Thanks, they’re attached to this post.
mt1.rsc (1.32 KB)
mt2.rsc (1.05 KB)

It is solved.

I should have defined NAT and Mangle in both servers.
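
One arrangement of NAT and mangle rules that matches the fix described above, as an added example: it is not the poster's attached mt1.rsc/mt2.rsc, which are not reproduced on this page. The routing table name via-wg is hypothetical; interface names and addresses are the ones shown in the thread, and RouterOS 7 syntax is assumed.

```routeros
# Added example, not the poster's configuration.

# ---- MT1 (home router, 192.168.100.8, WireGuard address 10.74.75.2) ----
# A separate routing table (hypothetical name: via-wg) holds the tunnel default.
# The main table keeps its default via the modem (192.168.100.1), so MT1's own
# encrypted WireGuard UDP packets to the peer endpoint still leave through ether1.
# Putting the tunnel default in the main table would send those packets into
# the tunnel they are supposed to carry, which is why connectivity was lost.
/routing table
add name=via-wg fib
/ip route
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=via-wg

# Mangle: mark only forwarded traffic from the laptop that is leaving the LAN.
# Router-originated packets (including the WireGuard transport) do not pass
# through prerouting, so they are never marked.
/ip firewall mangle
add chain=prerouting src-address=192.168.100.4 dst-address=!192.168.100.0/24 \
    action=mark-routing new-routing-mark=via-wg passthrough=no \
    comment="laptop default route via WireGuard"

# NAT: present laptop traffic to MT2 as 10.74.75.2, so MT2 needs no return
# route for 192.168.100.0/24.
/ip firewall nat
add chain=srcnat out-interface=wireguard1 action=masquerade

# ---- MT2 (VPS, WireGuard address 10.74.75.1) ----
# NAT: translate tunnel traffic to the VPS public address on the way out.
# Matching on the tunnel subnet keeps the rule from translating anything else.
/ip firewall nat
add chain=srcnat src-address=10.74.75.0/30 out-interface=ether1 action=masquerade

# ---- Checks (either router) ----
# The via-wg default must be active, and the rule counters must increase
# while the laptop runs: curl api.ipify.org
/ip route print where routing-table=via-wg
/ip firewall mangle print stats
/ip firewall nat print stats
```

Neither router in the thread has a drop rule, so the accept rules in the filter listings above do not change what is forwarded; if a default-drop policy is added later, the forward chain must also accept 192.168.100.4 towards wireguard1 on MT1 and 10.74.75.0/30 towards ether1 on MT2.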