Hi,
I just acquired my first Mikrotik router (KNOT) and I cannot get the Wireguard tunnel to work.
The KNOT is connected to the Internet through the LTE interface :
[admin@MikroTik] > ip address print
0 192.168.11.1/24 192.168.11.0 bridge
10.15.210.236 is obviously not the IP of my lte connection. Checkip.dyndns.com returns the following address : XX.102.2.236.
However the other end of the Wireguard tunnel reports a connection from the following address :
I haven't yet tried to dump traffic on the Mikrotik router and tcpdump shows nothing on the Wireguard interface at the other end (EdgeOS). BTW here is the result of wg show :
interface: wg12
peer: YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
Mikrotik is configured with an address of 10.168.12.8 and the Edge router at the other end is 10.168.12.1.
Any hint will be welcome.
Marc
anav
April 24, 2026, 10:32pm
2
Draw a diagram very confusing mix of equipment.
10.15.210.236 is the actual IP of your device. Lookup CGNAT
Thank you Usbuild. I was partially aware of CGNAT without knowing its official name.
Still, as I wrote to anav, I have already done this setup with a router running OpenWRT and the same ISP and it worked. With the KNOT and although the tunnel seems to be up (but I am new to RouterOS so not so confident about that side of the tunnel), I cannot SSH from the KNOT into the Edge.
CGNAT should not prevent the outbound connection from the KNOT to the Edge. CGNAT is the reason why I need to establish a VPN in order to be able to connect to the KNOT from the outside.
Hope my explanations are clear.
+----------+ +----------+
| Eth 192.168.10.1 | |
| KNOT | | Edge |
| | | |
| wg0 10.168.12.8 <--> Lte 10.15.210.236 <--> ISP CGNAT 46.102.10.236 <--> 87.xxx.xxx.36:51822 <--> wg12 10.168.12.1| |
+----------+ +----------+
I hope this helps. Mixing hardware should not confuse you : it is common in a VPN that the two end points run on different hardware (e.g. one is a router, the other a laptop).
I have already done this setup wih an OpenWRT router instead of the KNOT and it worked.
L
There is nothing wrong with this, and this is totally correct and logical. Your WG tunnel is up and has traffic according to this:
The cause why you cannot SSH from the KNOT to the Edge (I assume using the IP address 10.168.12.1 as SSH server address?) is probably in other part of the KNOT's configuration, maybe the routes or firewall rules.
You should post the redacted configuration export of the KNOT following this guide: Forum rules - #5 by gigabyte091
@CGGXANNX
There must be something wrong with masquerading and/or firewall rules indeed. Here is the config file and thanks for your time.
# 2026-04-25 22:36:10 by RouterOS 7.20.7
#
# model = EG25-G&KNe
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge
/interface wireguard
add listen-port=59122 mtu=1400 name=wg-c-droixhe
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
add apn=web name=web use-network-apn=yes
/interface lte
set [ find default-name=lte1 ] allow-roaming=no apn-profiles=web band="" mtu=\
1400
/iot bluetooth
set bt1 name=bt1 random-static-address=D5:EC:FD:E4:89:94
/ip pool
add name=dhcp ranges=192.168.11.100-192.168.11.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/queue type
add fq-codel-ecn=no kind=fq-codel name=fq-codel-ethernet-default
/queue interface
set ether1 queue=fq-codel-ethernet-default
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=\
all wan-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/interface wireguard peers
add allowed-address=10.168.12.0/24 \
client-address=10.168.12.8/24 client-dns=10.168.12.1 endpoint-address=\
myhost.ddns.net endpoint-port=51822 interface=wg-c-droixhe name=\
edge-droixhe persistent-keepalive=15s preshared-key=\
"" public-key=\
"="
/ip address
add address=192.168.11.1/24 comment=defconf interface=bridge network=\
192.168.11.0
/ip dhcp-server network
add address=192.168.11.0/24 comment=defconf dns-server=192.168.11.1 gateway=\
192.168.11.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.11.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new disabled=yes in-interface-list=WAN
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input disabled=yes in-interface-list=!LAN
add action=passthrough chain=output out-interface=wg-c-droixhe
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=wg-c-droixhe
/ip route
add disabled=no distance=1 dst-address=10.168.12.1/32 gateway=wg-c-droixhe \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/system clock
set time-zone-name=Europe/Brussels
/system gps
set init-string="AT+QGPS=1" port=gps set-system-time=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
jaclaz
April 26, 2026, 12:18pm
8
Do you consider your wg-c-droixhe wireguard interface, LAN, WAN or something else ?
The default firewall and nat are based on categorizing the interfaces as belonging to either LAN or WAN (but I see that you already have modified, possibly beyond any hope of recovery the default set of rules).
You should (IMHO) re-start with default firewall per Rule #8: The twelve Rules of Mikrotik Club
right now with those rules disabled you are exposed to the outside.
I have followed your advice and restarted the router with default firewall.
In order to benefit from the existing masquerading on the WAN interface list, I have added wg-c-droixhe to WAN.
I have also configured routing for 10.168.12.0/24 through wg-c-droixhe.
Statement 1 : the wireguard tunnel is down.
Any piece of advice is welcome.
# 2026-04-26 22:01:45 by RouterOS 7.20.7
# software id = S31V-JQ40
#
# model = EG25-G&KNe
# serial number = XXXXX
/interface bridge
add admin-mac=D0:EA:11:53:B0:E0 auto-mac=no comment=defconf name=bridge
/interface lte
set [ find default-name=lte1 ] allow-roaming=no band=""
/interface wireguard
add listen-port=59122 mtu=1400 name=wg-c-droixhe
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/iot bluetooth
set bt1 name=bt1 random-static-address=D5:EC:FD:E4:89:94
/ip pool
add name=default-dhcp ranges=192.168.11.10-192.168.11.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/queue type
add fq-codel-ecn=no kind=fq-codel name=fq-codel-ethernet-default
/queue interface
set ether1 queue=fq-codel-ethernet-default
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
add interface=wg-c-droixhe list=WAN
/interface wireguard peers
add allowed-address=10.168.12.0/24 client-dns=10.168.12.1 endpoint-address=\
droixhe.lmetv.be endpoint-port=51822 interface=wg-c-droixhe name=\
edge-droixhe persistent-keepalive=15s preshared-key=\
"XXX-prre-shared-key-XXXX" public-key=\
"EDGE-SERVER-PUBLIC-KEY"
/ip address
add address=192.168.11.1/24 comment=defconf interface=bridge network=\
192.168.11.0
add address=10.168.12.8/24 interface=wg-c-droixhe network=10.168.12.0
/ip dhcp-server network
add address=192.168.11.0/24 comment=defconf dns-server=192.168.11.1 gateway=\
192.168.11.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.11.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no dst-address=10.168.12.0/24 gateway=wg-c-droixhe \
routing-table=main suppress-hw-offload=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/system clock
set time-zone-name=Europe/Bucharest
/system gps
set init-string="AT+QGPS=1" port=gps set-system-time=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Knot is the one initiating connection. I believe you should leave it blank
jaclaz
April 27, 2026, 7:56am
11
I believe you should now add the firewall rules in input and forward to accept the Wireguard connection:
But let's wait if some more expert with Wireguard members notice something else that is "off" in your configuration.
From this latest export of your configuration, you still need to add an accept rule on the input chain for the WG port.
/ip firewall filter
add action=accept chain=input dst-port=59122 protocol=udp
This rule is to be moved (dragged with the mouse in WinBox) above the following rule:
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
If you want to use SSH from a client in the 192.168.11.0/24 LAN (of the KNOT) to connect to the SSH server with the address 10.168.12.1 (EdgeOS) then you should also add the following two firewall mangle rules:
/ip firewall mangle
add action=change-mss chain=forward comment="reduce MSS for WG" \
new-mss=1360 out-interface=wg-c-droixhe protocol=tcp tcp-flags=syn tcp-mss=1361-65535
add action=change-mss chain=forward comment="reduce MSS for WG" \
new-mss=1360 in-interface=wg-c-droixhe protocol=tcp tcp-flags=syn tcp-mss=1361-65535
The rules are adapted for the MTU 1400 you currently set on the wg-c-droixhe interface. If you use a more usual MTU 1420 then adjust the values to 1380 and 1381-65535.
This following static route (with the S flag) you added is redundant and can be removed:
/ip route
add disabled=no dst-address=10.168.12.0/24 gateway=wg-c-droixhe \
routing-table=main suppress-hw-offload=no
Because the same route was already dynamically added when you set the IP address on the interface with this entry:
/ip address
add address=10.168.12.8/24 interface=wg-c-droixhe network=10.168.12.0
With the configuration, you should be able to use the SSH client on a PC in the 192.168.11.0/24 LAN to connect to 10.168.12.1. If it doesn't work then:
Verify if the WG peer on the KNOT shows an active Last Handshake, if not you should verify if the port (51822), the keys, including the preshared keys, are correct.
If the handshake is ok, and the tunnel has traffic, check whether the FW on 10.168.12.1 allows incoming SSH connections.
Or are your requirements not only "SSH to 10.168.12.1 but more of a site-to-site setup (see @jaclaz link)?
Ok I lied, could not resist trying...
ip/firewall/filter
4 ;;; Wireguard
chain=forward action=accept src-address=10.168.12.0/24 dst-address=192.168.11.0/24 log=no log-prefix=""
5 ;;; Wireguard
chain=forward action=accept src-address=192.168.11.0/24 dst-address=10.168.12.0/24 dst-address-list="" log=no log-prefix=""
'+ ip/firewall/nat
1 chain=srcnat action=masquerade out-interface=wg-c-droixhe log=no log-prefix=""
and SSH works !
Enough for today as I have some other work pending but here is the current status.
I have enough with a single Filter rule in the firewall :
3 ;;; Wireguard
chain=output action=accept protocol=udp dst-port=51822 log=no log-prefix=""
I had also noticed the redundancy in the the routing table thank you. I have updated the routing to allow the connection to the LAN on the Edge router side :
1 As 10.168.4.0/24 wg-c-droixhe main 1
DAc 10.168.12.0/24 wg-c-droixhe main 0
But nothing would have worked without the proper public key on both sides. As the KNOT replaces another router, I had the wrong key in place on the Edge router. After changing it, the handshake finally succeeded.
Troubleshooting on the Mikrotik is complicated by the fact that the public IP changes more frequently due to the LTE connection and the fact that I am used to tcpdump but not yet to routerOS's packet sniffer. I ended up dumping the packets corresponding to the Wireguard's port and reading them with Wireshark.
As far as the connection with SSH from a host on the LAN on the KNOT's side, I will try that later using the instructions given by [CGGXANNX].
Thanks to all for your precious help.