LTE Dish Router - inbound traffic - newbie to Mikrotik - help!!

Hello.

I’m brand new to Mikrotik kit, but was actually a network engineer in the distant past (just enough knowledge to be dangerous these days!!). I’ve been banging my head for hours (and hours), so reluctantly decided to give in and see if there are any kind souls out there that might be able to point me in the right direction?

I have a new LHGG LTE6 dish router that has a vanilla / out of the box config after upgrading to OS7 and working great for LAN clients to the Internet.

I am trying (and failing abysmally!) to get inbound services working (Wireguard specifically, but trying ICMP Ping from the WAN / LTE1 interface too to prove basic connectivity). I am testing using a (UK) Three HomeFi SIM that I already have, but if I can prove this will work I’ve got details of an EE SIM with fixed IP and a contract made for non-mobile use.

I’m hoping to eventually deploy it in a remote part of Scotland where there is no cabled Internet offering, but a relatively good EE 4G signal. The kit is currently at home with me in the south of England, where I have fibre to the property and decent mobile signals to play with at least.

I have followed the https://help.mikrotik.com/docs/display/ROS/WireGuard doc carefully and triple checked (honestly) everything. The router has no other config other than defaults, and I’ve watched numerous YouTube videos for RoadWarrior type WireGuard configurations – everything looks right, but clients fail on the handshake (“Handshake for Peer1 did not complete after 5 seconds” in the client logs).

I have tried setting up DDNS from IP>Cloud whilst on the Three SIM, and the public IP reported matches what I get from a client on the router’s LAN, but I cannot see any traffic hitting the Wireguard interface or Wireguard firewall rules.

My suspicion is either firewall rules or maybe the Three HomeFi SIM blocking inbound services rather than Wireguard config itself, but I have no experience at all of Router OS so am shooting in the dark beyond following posts and tutorials to the letter.

Trying to take it back to basics I found and added a firewall rule that should (I believe) enable ICMP Ping from the Internet, just so I can prove inbound traffic is hitting the firewall. I configured it through the GUI with

chain=input
protocol=icmp
In.Interface=lte1
action=accept

When I ping from an external client it still times out, and the counters on the rule show 0 (just like the Wireguard rules and Wireguard Interface).

I’m running out of ideas on what to try or logical diagnostics to pursue further. I can try to export the full config and redact to post, screenshot and put together a topology diagram if needed, but it is so basic I thought it might be possible to suggest some steps to try without?

I’d be happy to just get an external ping working as that gives me something to go on, and would allow me to see what the counters / logs should be doing. Obviously getting it working as a Wireguard server is the aim, but happy to put the time in myself and I’m not greedy!

Equally, if anyone provides remote support / configuration services then I’m open to paying for some time to get this working.

Any help would be immensely appreciated!!

Thanks

Firewall rule order matters. They’re processed from top to bottom within a chain. Just adding a rule puts it at the end, after the default “drop” rule. Drag it higher in the list.

The default firewall rules permit ICMP. Are you getting a public IP address? In the UK the only mainstream SIMs which provide public addresses are Three, and then only if you use the correct APN.

Depending on what the EE SIM with fixed IP will cost, as they are often for small amounts of data for IoT / M2M use, it may be better to use a commodity SIM plus an L2TP tunnel from AAISP for inbound management access (either from whitelisted IPs or via a VPN server set up on the Mikrotik). Their ‘light’ product offers a single static IPv4 address, with limits of 3Mb/s and 1TB/month for £2/month+VAT.
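The two replies above come down to two checks: whether the LTE interface actually holds a public address (if it does not, no firewall rule will ever see inbound packets), and whether the accept rules sit above the default input-chain drop. The following RouterOS 7 CLI session is an added example and is not part of any post in this thread. It assumes the stock LTE default configuration (interface list WAN containing lte1, default rules commented with the "defconf:" prefix), a WireGuard interface named wireguard1 on UDP 13231 (the port used in the MikroTik WireGuard doc), and a placeholder peer public key; all of those names and values are assumptions, not taken from the thread.

```routeros
# Added example, not from the thread. Assumed: default LTE config, WireGuard
# interface "wireguard1" on UDP 13231, placeholder peer key.

# --- 1. Is the LTE address public, or is the carrier CG-NATing us? ---
# Compare the address bound to lte1 with the public address IP>Cloud sees.
# If they differ (or lte1 holds 10.x / 100.64.x-100.127.x), inbound traffic is
# being NATed by the carrier and never reaches the router's firewall.
/ip address print where interface=lte1
/ip cloud set ddns-enabled=yes
/ip cloud print

# --- 2. WireGuard server (minimal, per the RouterOS WireGuard doc layout) ---
/interface wireguard add name=wireguard1 listen-port=13231
/ip address add address=192.168.170.1/24 interface=wireguard1
/interface wireguard peers add interface=wireguard1 \
    public-key="<client-public-key-placeholder>" \
    allowed-address=192.168.170.2/32 comment="roadwarrior client"

# --- 3. Firewall: the order fix from the reply above ---
# A rule added from the GUI lands at the bottom, below
# "defconf: drop all not coming from LAN", so it is never evaluated.
# place-before= inserts the accept rules above that drop rule instead.
/ip firewall filter add chain=input action=accept protocol=udp dst-port=13231 \
    in-interface-list=WAN comment="allow WireGuard handshake from WAN" \
    place-before=[find chain=input action=drop comment~"not coming from LAN"]

/ip firewall filter add chain=input action=accept in-interface=wireguard1 \
    comment="allow management from inside the tunnel" \
    place-before=[find chain=input action=drop comment~"not coming from LAN"]

# Let tunnel clients reach the LAN (forward chain has a matching default drop).
/interface list member add list=LAN interface=wireguard1

# --- 4. Verify ---
# Rule order and hit counters: the WireGuard rule must print above the
# defconf drop, and its packet counter should move when a client connects.
/ip firewall filter print stats where chain=input

# Packet-level proof that handshakes are arriving on lte1 at all; zero
# packets here while a client retries points at the carrier, not the config.
/tool sniffer quick interface=lte1 port=13231
```

The sniffer line is the decisive test for the situation described in this thread: if `/tool sniffer quick` shows no UDP/13231 packets on lte1 while a client is retrying its handshake, the packets are being dropped upstream (carrier NAT or filtering) and rule order is irrelevant; if packets do appear but the rule counters stay at zero, the accept rule is below the drop rule.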

Thank you for the quick responses!

I managed to get it working whilst the post was being authorised, but could not update or access the post (sorry).

Config was actually spot-on (both Wireguard and ICMP Ping); it was the Three SIM. Seems although it’s a HomeFi (rather than mobile data) plan they still CG-NAT the IP (odd that it was not using a private range). Swapped to an EE data SIM from a mobile hotspot dongle and I got a public IP. I was then able to ping and connect with the Wireguard client that I’d previously set up without making any further config changes to either!

Very impressed with it now it’s working.

Trouble as always when something is new is that it all feels like smoke and mirrors - I recall the same with LAT tables on early ISA and then all over again with Fortigate appliances - both years ago now. Principles are generally the same, but the way they are implemented differs, and that is where the assumptions and doubt get you!

Thanks again for the help, I need to do a lot more reading now so I actually have some idea of what I’m doing with the router moving forward…