Mikrotik as Wireguard client behind NAT, loosing connection

Hi,

I am making a remote EOIP connection over Zerotier and over Wireguard as backup between AX3 as server and AX2 as client. Everything worked for 3 days, then suddenly today at 5 AM in the morning, when everyone is sleeping, Wireguard client lost connection to server. Zerotier is working without problem.

Client is AX2 behind a modem that is doing NAT, so AX2 gets local IP in the 192.168.x.x range on its WAN interface (double NAT). I’m not realy sure, why everything worked for 3 days and then suddenly stopped.

This in configuration on server:

# 2024-11-09 12:04:59 by RouterOS 7.16.1
# software id = 0KXJ-G1BZ
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = *****
/disk
set usb1 media-interface=none media-sharing=no
/interface bridge
add admin-mac=D4:01:C3:89:8C:02 auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
add igmp-snooping=yes name=dockers
/interface ethernet
set [ find default-name=ether1 ] poe-out=off
/interface wifi
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac \
    configuration.mode=ap .ssid="MikroTik X3 5g" disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac \
    configuration.mode=ap .ssid="MikroTik X3 2g" disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk
/interface eoip
add local-address=192.168.200.17 mac-address=02:4E:2A:AF:D7:A2 mtu=1500 name=\
    eoip-tunnel1 remote-address=192.168.200.16 tunnel-id=100
add local-address=10.0.0.1 mac-address=02:96:52:0E:47:17 mtu=1500 name=\
    eoip-tunnel2 remote-address=10.0.0.2 tunnel-id=200
/interface veth
add address=172.16.0.5/24 comment=OpenSpeedTest:3000 gateway=172.16.0.1 \
    gateway6="" name=veth1
/interface wireguard
add comment=back-to-home-vpn listen-port=12223 mtu=1420 name=back-to-home-vpn
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=23h59m59s name=\
    defconf
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" \
    name=zt1 port=9993
/zerotier interface
add allow-default=no allow-global=no allow-managed=yes disabled=no instance=\
    zt1 name=zerotier1 network=******
/zerotier controller
add instance=zt1 ip-range=192.168.200.5-192.168.200.20 name=ZT-doma network=\
    ****** routes="192.168.200.0/24,172.16.0.0/24@192.168.200.17,192\
    .168.88.0/24@192.168.200.17"
/container
add interface=veth1 root-dir=/usb1/docker/openspeedtest start-on-boot=yes
/container config
set registry-url=https://registry-1.docker.io tmpdir=usb1/docker/tmp
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=wifi1 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=wifi2 internal-path-cost=10 \
    path-cost=10
add bridge=bridge interface=eoip-tunnel1
add bridge=bridge interface=eoip-tunnel2
add bridge=dockers interface=veth1
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wireguard1 list=LAN
add interface=dockers list=LAN
add interface=zerotier1 list=LAN
/interface wireguard peers
add allowed-address=10.0.0.2/32,192.168.88.0/24 interface=wireguard1 \
    is-responder=yes name=AX2 preshared-key=\
    "pnL+yJjj+j6aYyuGMRzjHeqcLhlTXbEGgNrUvgscHvs=" public-key=\
    "Jyrc7qgRl7jzYI5Jv7Y9FS5D4mA9gjfJ+6MsoC/94zc="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.0.0.1/24 interface=wireguard1 network=10.0.0.0
add address=172.16.0.1/24 interface=dockers network=172.16.0.0
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes ddns-update-interval=10m
/ip cloud back-to-home-users
*
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes cache-size=20480KiB
/ip dns adlist
add ssl-verify=no url=\
    https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall address-list
add address=******.sn.mynetname.net list=Management
/ip firewall filter
add action=accept chain=input comment=Wireguard_IN dst-port=13231 \
    in-interface=ether1 protocol=udp
add action=accept chain=forward in-interface=zerotier1
add action=accept chain=input in-interface=zerotier1
add action=accept chain=input comment=Winbox dst-port=8291 protocol=tcp \
    src-address-list=Management
add action=accept chain=input comment=\
    "Accept GRE za delovanje EOIP preko Wireguard" protocol=gre
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=redirect chain=dstnat dst-port=53 protocol=tcp
add action=redirect chain=dstnat dst-port=53 protocol=udp
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
add action=masquerade chain=srcnat comment="Masquarade for Docker" \
    src-address=172.15.0.0/24
add action=dst-nat chain=dstnat disabled=yes dst-port=13231 in-interface=\
    wireguard1 protocol=udp to-addresses=10.0.0.1 to-ports=13231
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add disabled=no dst-address=192.168.100.1/32 gateway=192.168.200.10 \
    routing-table=main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ppp secret
add name=vpn
/system clock
set time-zone-name=Europe
/system logging
set 0 topics=info,!wireguard
/system note
set show-at-login=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/zerotier controller member
add authorized=yes ip-address=192.168.200.16 network=ZT-doma zt-address=\
    *
add authorized=yes ip-address=192.168.200.17 network=ZT-doma zt-address=\
    *
add authorized=yes ip-address=192.168.200.7 network=ZT-doma zt-address=\
    *

and this is configuration on client:

# 2024-11-09 12:06:49 by RouterOS 7.16.1
# software id = HQN1-MFMB
#
# model = C52iG-5HaxD2HaxD
# serial number = *
/interface bridge
add name=EOIP_Wireguard
add name=EOIP_Zerotier
add admin-mac=48:A9:8A:D2:6B:4F auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
/interface wifi
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac \
    configuration.mode=ap .ssid="MikroTik X2 5g" disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac \
    configuration.mode=ap .ssid="Mikrotik X2 2g" disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk
add configuration.mode=ap .ssid="Mikrotik x2 Dom ZT" disabled=no mac-address=\
    4A:A9:8A:D2:6B:54 master-interface=wifi2 name=wifi3_EOIP_ZT \
    security.authentication-types=wpa2-psk,wpa3-psk
add configuration.mode=ap .ssid="Mikrotik x2 Dom WG" disabled=no mac-address=\
    4A:A9:8A:D2:6B:55 master-interface=wifi2 name=wifi4_EOIP_WG \
    security.authentication-types=wpa2-psk,wpa3-psk
/interface eoip
add local-address=192.168.200.16 mac-address=02:F6:DD:31:BB:1C mtu=1500 name=\
    eoip-tunnel1 remote-address=192.168.200.17 tunnel-id=100
add local-address=10.0.0.2 mac-address=02:2D:D0:AF:62:E8 mtu=1500 name=\
    eoip-tunnel2 remote-address=10.0.0.1 tunnel-id=200
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.100.10-192.168.100.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=23h59m59s name=\
    defconf
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" \
    name=zt1 port=9993
/zerotier interface
add allow-default=no allow-global=no allow-managed=yes disabled=no instance=\
    zt1 name=zerotier1 network=*
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 \
    path-cost=10
add bridge=EOIP_Wireguard comment=defconf interface=ether3 \
    internal-path-cost=10 path-cost=10
add bridge=EOIP_Zerotier comment=defconf interface=ether4 internal-path-cost=\
    10 path-cost=10
add bridge=EOIP_Zerotier comment=defconf interface=ether5 internal-path-cost=\
    10 path-cost=10
add bridge=bridge comment=defconf interface=wifi1 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=wifi2 internal-path-cost=10 \
    path-cost=10
add bridge=EOIP_Zerotier interface=eoip-tunnel1
add bridge=EOIP_Zerotier interface=wifi3_EOIP_ZT
add bridge=EOIP_Wireguard interface=eoip-tunnel2
add bridge=EOIP_Wireguard interface=wifi4_EOIP_WG
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wireguard1 list=LAN
add interface=zerotier1 list=LAN
/interface wireguard peers
add allowed-address=192.168.100.0/24,10.0.0.1/32 endpoint-address=\
    *.sn.mynetname.net endpoint-port=13231 interface=wireguard1 \
    name=peer1 persistent-keepalive=25s preshared-key=\
    "pnL+yJjj+j6aYyuGMRzjHeqcLhlTXbEGgNrUvgscHvs=" public-key=\
    "1BDWomR4kyO7WftVNumw+m6V0la46ZqI/PXDRRVlcVc="
/ip address
add address=192.168.100.1/24 comment=defconf interface=bridge network=\
    192.168.100.0
add address=10.0.0.2/24 interface=wireguard1 network=10.0.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.100.0/24 comment=defconf dns-server=192.168.100.1 \
    gateway=192.168.100.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.100.1 comment=defconf name=router.lan type=A
/ip firewall address-list
add address=*.sn.mynetname.net list=Management
/ip firewall filter
add action=accept chain=forward in-interface=zerotier1
add action=accept chain=input in-interface=zerotier1
add action=accept chain=input comment=Winbox dst-port=8291 protocol=tcp \
    src-address-list=Management
add action=accept chain=input comment="Accept GRE" protocol=gre
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN src-address-list=!Management
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ppp secret
add name=vpn
/system clock
set time-zone-name=Europe
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Why would wireguard simply disconnect without any apparent reason?

Am i missing some firewall rules or anything else?

1. Lack of firewall rules would likely NOT be the issue.

2. Not that this is a problem but recommend change this on allowed IPs on your peer client router… so that you as a remote admin can access your peer Client router when away from both routers.
   /interface wireguard peers
   add allowed-address=192.168.100.0/24,10.0.0.0/24 endpoint-address=
   .sn.mynetname.net endpoint-port=13231 interface=wireguard1
   name=peer1 persistent-keepalive=25s preshared-key=“-----” public-key="*****"

3. THE PROBLEM
   The allowed IPs at both ends are wrong. The purpose of allowed IPs is to IDENTIFY, the REMOTE users:
   a. that either are going to be arriving at the local router and exiting the tunnel to visit the local LAN, OR
   b. that local users have as a destination address, when they enter the tunnel to go to the remote router.

In other words we are identifying the users/subnets at the other end.
So simply change 192.168.100.0/24 on the peer Client to 192.168.88.0/24 and on the peer Server change 192.168.88.0/24 to 192.168.100.0/24

4. Advise to never open winbox to the internet, should only be accessed internall from local user or from admin who came in on VPN like wireguard
   add action=accept chain=input comment=Winbox dst-port=8291 protocol=tcp
   src-address-list=Management

The managment address list should only consist of the following and it can be the same list on both devices, difference being one only changes the comment words from remote to local and local to remote!
/ip firewall address-list { Use static dhcp leases where applicable }
add address=192.168.100.X list=Management comment=“local admin desktop wired”
add address=192.168.100.Y list=Management comment=“local admin device WIFI”
add address=10.0.0.A list=Management comment=“remote admin laptop wireguard”
add address=10.0.0.B list=Management comment=“remote admin smartphone/ipad wireguard”
add address=192.168.88.D list=Management comment=“remote admin on other router LAN desktop”
add address=192.168.88.D list=Management comment=“remote admin on other router LAN WIFI”

5A. Final point is the ip routes, on peer Server

For any traffic, originating on peer SERVER or return trafffic from users on peer SERVER heading for 192.168.100.0/24, the router will attempt to route this out the WAN, so we need to tell it where to send this traffic.
add dst-address=192.168.100.0/24 gateway=wireguard1 routing-table=main

However, that may not apply in this case because you seem to be layering EOIP and wireguard and thus what you have, may perfectly fine in your design of EOIP and wireguard
/ip route
add dst-address=192.168.100.1/32 gateway=192.168.200.10 routing-table=main ???
BUT
5B. Missing I could not find any equivalent route on the peer Client device, letting the client router know where to route traffic that needs to get to 192.168.88.0/24 ???

Nothing seems plainly wrong in your config, but I have spotted complaints here on the forum regarding what happens (or rather does not happen) if the peer address changes - not sure whether they are still relevant for 7.16.1.

So apart from a mere implementation bug (as in “something does not work as intended”), the server may have leased a new IP address and the client side Wireguard possibly does not try to re-resolve the fqdn if it stops receiving responses to the keepalives (so kind of a design bug as in “the architect did not anticipate a failure scenario”).

To identify the root cause, once it happens again, before touching the Wireguard itself, open a command line window as wide as your screen allows on the client and run /tool sniffer quick port=13231 in it for at least two minutes. It will show you whether the client actually keeps sending some traffic to the server, and if yes, whether it sends that traffic to the current address of the server or to some other one, which would most likely be the one previously assigned to the server. It will also show whether the server responds. Further investigation depends on the outcome of this step.

In any case, a workaround should be to use mangle rules to update an address list with the responses of the server (as in “UDP packets with destination port 13231 in chain input”) with, say, a 1m timeout, and running a scheduled script every 30 seconds that will disable and re-enable the Wireguard interface whenever said list is empty.

Ok, i changed Allowed Adress on server to: 10.0.0.0/24 and 192.168.100.0/24 and on the client to 10.0.0.0/24 and 192.168.88.0/24. Don’t realy know if this is right, because connection still doesn’t work even when i disable and enable everything again. Wireguard is only used for EOIP as backup, so i’m guessing no routing should be needed.

I tried with sniffer and i see, that client is sending packets to correct ip adress but server never responds or recieves anything. If i try with sniffer on server, nothing shows up.

[daniel@MikroTik] > /tool sniffer quick port=13231
Columns: INTERFACE, TIME, NUM, DIR, SRC-MAC, DST-MAC, SRC-ADDRESS, DST-ADDRESS, PROTOCOL, SIZE, CPU
INTERFACE TIME NUM DIR SRC-MAC DST-MAC SRC-ADDRESS DST-ADDRESS PROTOCOL SIZE CPU
ether1 105.706 20 → 48:A9:8A:D2:6B:4E 10:A3:B8:E8:DF:F0 192.168.1.67:13231 ..47.104:13231 ip:udp 190 2
ether1 110.746 21 → 48:A9:8A:D2:6B:4E 10:A3:B8:E8:DF:F0 192.168.1.67:13231 ..47.104:13231 ip:udp 190 1
ether1 115.956 22 → 48:A9:8A:D2:6B:4E 10:A3:B8:E8:DF:F0 192.168.1.67:13231 ..47.104:13231 ip:udp 190 3
ether1 121.707 23 → 48:A9:8A:D2:6B:4E 10:A3:B8:E8:DF:F0 192.168.1.67:13231 ..47.104:13231 ip:udp 190 3
ether1 126.826 24 → 48:A9:8A:D2:6B:4E 10:A3:B8:E8:DF:F0 192.168.1.67:13231 ..47.104:13231 ip:udp 190 0

I know about dangers of open Winbox port. I added adress list (management) that resolves back to my ip adress and then only allows connection from my ip adress. At least i hope it work’s like that.

Ok, one little detail…

If i change Wireguard port on server from 13231 to 13230, fix firewall entry to this port and configuration on client to this port, then everything starts to work again.

I noticed this behaviour already once before on different occasion, when i wanted to connect AC2 in vineyard to my home 5009. This was on completly different providers. Connection worked for some time, and then suddenly stopped working. Then i changed port and everything started to work again. What could be causing such behaviour?

This indicates that the issue is outside your Mikrotik, such as the ISP blocking the Wireguard port. If you ping the server address from the client, can you see the ICMP packets to arrive to the server? If yes, try running :resolve nonsen.se server=..47.104 server-port=23456 while sniffing on the server - do UDP packets with dst-port 23456 arrive to the server?

I tried with that and packets do arrive to the server:
[daniel@MikroTik] > /tool sniffer quick port=23456
Columns: INTERFACE, TIME, NUM, DIR, SRC-MAC, DST-MAC, SRC-ADDRESS, DST-ADDRESS, PROTOCOL, SIZE, CPU
INTERFACE TIME NUM DIR SRC-MAC DST-MAC SRC-ADDRESS DST-ADDRESS PROTOCOL SIZE CPU
ether1 3.633 1 ← B8:C2:53:21:00:83 D4:01:C3:89:8C:01 ..217.237:36998 ..47.104:23456 ip:udp 69 3
ether1 5.641 2 ← B8:C2:53:21:00:83 D4:01:C3:89:8C:01 ..217.237:36230 ..47.104:23456 ip:udp 69 1

As i said, it works now, after i changed the port number, but interesting thing is, that it works for maybe 3 or 4 days and then stops. And there is no other way to make it work again, other than changing the port.

The same behavior on different telecom operators. One connection is from Telekom to Telemach in Slovenia (client behind double NAT) and other connection is from Bosnia (BH Telecom) to Slovenia (T2). Also client behind double NAT. Completly different devices, different operators and the same behaviour. And i don’t think operators in those countries are blocking Wireguard protocol.

At least Zerotier works without problem.

Okay normal wireguard will ONLY work if at least one of the ends of your connection has an accessible public IP.
This needs to be the peer Server router for handshake.
Accessible means that, if the MT router does not get a public IP, then the ISP router in front of it, MUST
a. get a public, AND
b. can forward a port to the mikrotik router ( you can access the basic admin page, or can get the ISP provider to do so )

In terms of wireguard ports, you need three things to be true.

1. peer Server router for handshake needs to define listening port as abcdef
2. peer Server router for handshake requires an input chain rule allowed dst-port= abcdef protocol=udp
3. peer CLIENT router for handshake in allowed must identify the WANIP of the peer Server router and the listening port to be abcdef

The wanip is expressed as the actual WANIP if its a public Static WANIP, OR as dyndns URL if its a public but dynamic WANIP. In the latter case many people use the mynetamecloud service from MT to identify the WANIP.

PROBLEM:

1. In the previous post I question if you quality for wireguard as you MAY not have an accessible public IP.

2. IF NOT, then an alternative in certain situations is BACK to HOME VPN, for some reason I didnt notice this before but in your peer Server router for handshake the following:
   /interface wireguard
   add comment=back-to-home-vpn_ listen-port=12223 mtu=1420 name=back-to-home-vpn
   add listen-port=13231 mtu=1420 name=wireguard1_

Being able to help users without full awareness is something I have stated to NORMIS, in that they should push any IP cloud BTH settings so that they appear on the config, dont give an eff it its dynamic as its impossble to be efficient in troubleshooting without out it!!

ALL TO SAY, is that Back to Home BTH, is NOT, I repeat NOT designed for TWO MT ROUTERS

It only supports single device entities to an MT router ( smartphone, laptop etc..)

Servers in both cases are directly connected to internet (modems in bridge). Clients in both cases are behind double NAT (Mikrotik connected with WAN port to operator’s modem, that is already doing NAT).

I will try those rules in a few hours and report later ( cows ). Thank you for now.

It would appear that you are providing contradictory information ( which was also implied earlier ) and hence I asked for some clarification but still confusing.

If the router is in a double nat scenario, aka behind the ISP modem/ROUTER or ISP ROUTER, then there is NO WAY the servers are connected directly to the internet, or more clearly NO WAY the MT router is getting a public WAN IP !!

To perhaps state this differenty…

An ISP modem, CANNOT provide NAT it only provides public IP
An ISP combined modem/router CAN provide NAT and thus a private IP to the MT router ( aka double NAT behind the MT )
An ISP combined modem/router CAN provide a public IP if put into a bridge mode.
AN ISP router can provide a private IP to the MT router ( aka double nat behind the MT)

SO perhaps you understand why there is confusion.

On one hand you say the (“modems in bridge”)… the correct wording should be the ISP modem/ROUTER is in bridge mode supplying the MT with a public IP.
On the other hand you say (“Mikrotick connected with WAN port to operators modem, that is already doing NAT”)

the correct wording should be, the Mikrotik gets a private WANIP from the operators modem/ROUTER that is already providing NAT.

IT CANNOT BE BOTH ( a public IP reaches the MT router and in the next sentence, the ISP device has NAT )…

1. Please confirm on each router.

The WANIP that shows up on IP DHCP client = whats my ip in browser = the public address associated in IP Cloud

If A = B = C you are getting a public IP at the MT router

If A ≠ B = C you are getting NOT getting a public IP at the MT router

2. Please confirm on each router, where your are NOT getting a public IP, that you can reach the admin page on the ISP modem/ROUTER ( typically if WANIP is 192.168.1.X, one uses 192.168.1.1 to reach the admin page )

Both Mikrotik servers are directly exposed to the internet. We usualy call this “bridge” mode at our operators. They are directly acessible from internet.

Both Mikrotik clients are behind operator routers that are doing NAT, so they get IP adress from private range and are not directly acessible from internet.

As i said, connection works normaly for 3 days and then suddenly stops without any apparent reason and won’t reconnect unless i change port on the server.

All devices are on 7.16.1

Why why why are you using a FOREIGN term called operators… It means nothing to me or anyone else.

Do you mean operator router = Mikrotik Router OR do you mean operator router = ISP router.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

I am assuming you mean an operator is the client company that you are supporting ??? but its a guess.
So in this case.
ISP provides a modem which provides a public IP to the MT router,
OR
ISP provides a modem/Router in bridge mode which provides a public IP to the MT router.

In other words, operator means nothing to me as its a company not a device…

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

So I going back to ideas…

Can you confirm you DO NOT use any IP CLOUD settings ( other than perhaps the dyndns url ( mynetname.net to identify the router as endpoint address )
AND
Can you confirm that both configs were done manually without IP cloud or qr codes etc…

If that answer is YES to both questions, then I would have to agree with Sindy that your ISP is playing funny games.

Since you can see the client to send the packets to the server but cannot see them to arrive (the source port may get changed by the NAT at client side but the destination one must remain the same), the packet must get dropped on the path between the client and the server outside your Mikrotiks. The only question is whether the reason is some convoluted filtering policy of some of the ISPs (or a bug in their NAT implementation) or whether the client starts sending the packets with UDP, IP, or Ethernet checksum wrong after 3 days so they get dropped for this reason. To find out, you would have to insert a switch capable of packet mirroring, or another Mikrotik in bridge mode, between the client and its uplink device and sniff there, using Wireshark to check the UDP and IP checksums (if Ethernet checksum is wrong, already the sniffing device will drop the frames).

The older I am, and the more networking experience I gather, the less I use the word “impossible”. I had a case (not far from SI and BiH) where traceroute was showing different paths for UDP packets depending on their size, the ones it liked went through to the destination whereas the ones it didn’t like got diverted mid-path. Changing the port from 4500 to another one fixed that. Go figure.

Sorry, never learned english in my life, so sometimes i write some words differently as they should be. Here ISP is called “Operater” so i just translated it to operator. ISP would be much more self explanatory.

From /IP Cloud i only use DNS for this configuration. Back to home is used on the same device (server side) for phones, but for that, completly separate wireguard interface is configured. Configuration for site to site connection was configured manualy.

I was already thinking if i should simply try with port 443 and see if this one also stops working.

This sniffing part already exceeds my capabilities. But yes, in the end everything looks like ISP starts to filter port used for connection. When this repeats i will simply try with 443. I’m out of ideas. Luckily Zerotier works well here, but i will have to move my ac2 back to old drivers to install Zerotier on it and make everything more stable.

You’ve already managed to sniff on the client and server Mikrotiks themselves, so you can sniff on yet another Mikrotik configured as bridge with hardware switching disabled as well.

You can store the results of sniffing to a file on the router (and you only need a couple of packets) and then download that file and open it using Wireshark on your PC, not a big deal. In Wireshark, you have to check that verification of the IP and UDP checksum is enabled - if it is, Wireshark will highlight a checksum error. If it shows Header Checksum: 0xe106 [validation disabled] (for the IP header checksum) or Checksum: 0x6616 [unverified] (for the UDP checksum) in the packet dissection pane, right-click on the respective row, choose “Protocol Preferences” from the context menu, and enable checksum verification in the list of protocol preferences.

Might not help either, plus you need UDP, so the “443 always works as customers would riot if it didn’t” may not apply here. If it is enough to change the port on client side to make it work again, you can use an ugly trick - add the following rule to table nat of the client’s firewall, to the beginning (top) of the srcnat chain:
chain=srcnat protocol=udp src-port=13231 dst-port=13231 src-address-type=local action=src-nat to-ports=40000-59999
I have just double-checked that this rule indeed chooses a random port from the specified range to replace the original 13231 each time the connection gets re-created; so an /ip/firewall/connection/remove [find where scrnat src-address~“:13231” dst-address~“:13231”] scheduled to 02:34:00 every day will cause the same actual connection to look different to the ISP, causing only a short-term interruption until the client sends the next Wireguard handshake packet.

The above only makes sense if the root cause is not the wrong checksum calculation at the client.

I may get to that sniffing after all other options are used. I realy have no experience in this. You are probaby right, since it’s UDP usage its questionable. I will check the firewall rule you provided, thank you.

So Sindy are you saying that its not a problem with either Router but something at the ISP end.

Is it interfering in any specific direction???

The fix is applied on which router?

I am having trouble wrapping my head on exactly what this accomplishes post loss of connection…

Specifically, the port cannot be assigned randomly for the initial connection it has to match the listening port on the input chain on one mikrotik and the allowed IPs endpoint address port at the other MT device…

Simply frigging with sourcenat rule seems to be not complete???