Mikrotik app iOS 1.2.14 on iPhone connected via Wireguard VPN that terminates on a Mikrotik hAP ax³.
I can connect the VPN and ping the hAP ax³ internal interface.
When I try to connect to the hAP ax³ using the Mikrotik app to the hAP ax³ internal IP it times out. If I change the IP to a DNS name, router.xxx, which resolves (via NextDNS) to the exact same hAP ax³ IP address, it connects fine.
Wireshark packet capture shows no traffic over the wireguard interface when attempting to connect via IP (I can see ICMP traffic when I ping from the iOS device to the IP), but when I use the DNS name from the same device to the same IP it connects and I can see traffic in Wireshark.
Okay, just tested it on my router; from an iPhone on cellular the MT app worked just fine with the format
a. trusted LAN address (like 192.168.88.1:winbox port)
b. actual wireguard IP of the router (like 10.20.30.1:winbox port)
Steps
created wg interface and wireguard address
created input chain rule for handshake
added wireguard interface to trusted interface list which has access to router ( for config ).
created peer on router and on wireguard app on iphone to match (used the new peer creation capability on the router to do so via QR code)
turned off wifi and verified on LTE cellular
turned on wireguard client, verified traffic on router for wireguard ( packets on wireguard interface and hit on handshake rule in input chain firewall rules )
used MT app as per above a. and b. and both logged in fine to the router.
ROUTER:
a. forgot to add an allow input chain rule for the incoming handshake port
b. forgot to add an allow rule for the wireguard interface or incoming IP address on the input chain (for config purposes)
c. forgot to add the wireguard address on the router under /ip address
d. copied the public key from the client incorrectly
WG CLIENT:
a. copied the public key from the router incorrectly
b. wrong endpoint address or endpoint port
c. wrong client IP address (doesn't match the allowed IP set in the router, or not in the same subnet, etc.)
d. forgot persistent keepalive
(Note: allowed IPs set to 0.0.0.0/0 for the test is best)
MT APP:
a. forgot to use the WINBOX PORT, or used the wireguard port instead by mistake!
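The steps and checklist above, written out as RouterOS v7 terminal commands. This is an added example, not configuration posted by anyone in this thread. The tunnel subnet 10.20.30.0/24, the interface name wireguard0, port 51820, the endpoint name vpn.example.net and the "defconf" rule comments are assumptions that match a default-configuration router; the private-key=auto, client-* peer fields and show-client-config are the QR-code peer workflow of RouterOS 7.15 and later, so verify the field names against your version.

```routeros
# 1. WireGuard interface and its tunnel address (ROUTER c in the checklist)
/interface/wireguard/add name=wireguard0 listen-port=51820
/ip/address/add address=10.20.30.1/24 interface=wireguard0

# 2. Input-chain accept for the handshake, placed ABOVE the defconf
#    "drop all not coming from LAN" rule; a rule appended below it never
#    matches and the peer list will simply never show a handshake (ROUTER a)
/ip/firewall/filter/add chain=input action=accept protocol=udp dst-port=51820 \
    in-interface-list=WAN comment="wireguard0 handshake" \
    place-before=[find comment="defconf: drop all not coming from LAN"]

# 3. Let the tunnel reach the router itself for config (ROUTER b). Putting the
#    interface in the LAN list reuses the defconf "!LAN" drop rules; a narrower
#    alternative is an explicit accept for in-interface=wireguard0 dst-port=8291.
/interface/list/member/add list=LAN interface=wireguard0

# 4. Peer for the phone. allowed-address is what the ROUTER accepts from and
#    routes to this peer, so it must contain the client's tunnel address
#    (WG CLIENT c). private-key=auto plus the client-* fields (assumption:
#    RouterOS 7.15+) make RouterOS generate the phone side as well.
/interface/wireguard/peers/add interface=wireguard0 comment=iphone \
    private-key=auto allowed-address=10.20.30.2/32 \
    client-address=10.20.30.2/32 client-endpoint=vpn.example.net \
    client-keepalive=25s persistent-keepalive=25s
# QR code / config text to import into the iOS WireGuard app (WG CLIENT a, b, d)
/interface/wireguard/peers/show-client-config [find comment=iphone]

# 5. Verification, i.e. what step 14 above checked: the handshake rule counter
#    must increment and the peer must show a recent last-handshake
/ip/firewall/filter/print stats where comment="wireguard0 handshake"
/interface/wireguard/peers/print detail where comment=iphone
# The MT app target is <LAN or tunnel IP>:<winbox port>, not the WireGuard port
# (MT APP a); confirm which port winbox is actually on
/ip/service/print where name=winbox
```

If the handshake counter stays at zero while the phone shows the tunnel as "active", the phone never reached the router at all (wrong endpoint, wrong port, or the rule sits below the drop); if the counter increments but the peer never shows a handshake, the keys are mismatched.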
Nothing to do with Wireguard, I don't think. Everything from the wireguard interface on the Mikrotik router is allowed via the input and forward chains. The iOS Wireguard client is configured with "Allowed IPs" containing the full internal /24 network.
As I stated, the Mikrotik app connects to the router from the iOS device when I use a domain name (no port needed, standard 8291) but not if I change the domain name to an IP in the app, i.e. I'm using exactly the same username and password.
As stated above I can see traffic on a Wireshark trace (streaming from the Mikrotik) when I attempt a connection using the domain name, but when I change the name to the IP I see zero traffic flow via the wireguard interface on the Mikrotik.
From the iOS device I can connect to the Mikrotik web interface using IP address and the domain name:
This is not a Wireguard issue, it feels like a Mikrotik app bug.
Using the “Network Tools” app on iOS I can successfully ping the Mikrotik interface using IP and domain name without issue and see all ICMP packets via Wireshark streaming from the Mikrotik:
I have just tried on a different Mikrotik at a different site. Over the Wireguard VPN all existing access into that network works, including HTTP to the Mikrotik admin interface, and again, IP address via the Mikrotik iOS app does not work.
If I change Wireguard "Allowed IPs" to 0.0.0.0/0 it does work when I use an IP to connect in the Mikrotik app. This is not ideal as I need to keep the Wireguard VPN connected all the time and do not want the default route to go via that interface.
So, why is a domain name working in the app using my original config in Wireguard of "Allowed IPs: 192.168.10.0/24, 10.0.0.0/24" but fails when using the interface IP of 192.168.10.1?
Okay, so I need to test this by attempting to access a subnet on my router from my iOS app. The allowed IPs on my WG app thus should be restricted to a subnet and the wireguard IP of the router... okay, will try.
Added wireguard subnet access to a printer on a printer VLAN (router firewall rule).
Changed wireguard IP to subnet & wireguard address of router in the wireguard app allowed IP settings.
Used browser to access printer, using the printer LAN address on the router network entered into my iPhone browser.
Worked great.
Checked what is my IP and I get the IP address of my cell provider, great!
Checked website access, no issues, great!
Don't know where your problem lies, but I don't see any bug...
You should note that I don't use the MT app to access LAN resources; it's ONLY for accessing the router for config purposes.
I am not using the Mikrotik app to access any LAN resources, only the edge Mikrotik that's terminating the Wireguard VPN. I should have mentioned up top that my Wireguard endpoint (server end) is IPv6 (my ISP here in Australia CGNATs our IPv4, i.e. no public IPv4 address available).
Lets list some observations:
I can connect to my LAN via Wireguard (IPv6 wireguard endpoint - routing IPv4 over this connection)
I can ping my IPv4 edge Mikrotik router interface - 192.168.10.1
I can connect to my edge Mikrotik router interface - 192.168.10.1 via HTTP
I can connect to my edge Mikrotik router interface via the Mikrotik app via router.sapling (resolves to 192.168.10.1 via NextDNS for my LAN)
I cannot connect to my edge Mikrotik router interface via the Mikrotik app via 192.168.10.1
I set up the packet sniffer to stream traffic from the edge Mikrotik to a local Wireshark listener:
I can see traffic when I connect via the Mikrotik iOS app to router.sapling
I see zero packets when I attempt to connect via the Mikrotik iOS app to 192.168.10.1
I can connect to the Mikrotik via IP address to the HTTP interface, i.e. there are zero issues with Wireguard Allowed IPs or firewall rules.
[xxxx@hapax3] /ipv6/firewall/filter> export where !disabled
# 2025-03-15 16:01:12 by RouterOS 7.18.2
# software id = xxxx
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = xxxx
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment=wireguard0 dst-port=51820 in-interface-list=WAN protocol=udp
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
[xxxx@hapax3] /ip/firewall/filter> export where !disabled
# 2025-03-15 16:02:57 by RouterOS 7.18.2
# software id = xxxx
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = xxxx
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="wireguard0 - accept all" in-interface=wireguard0
add action=accept chain=forward comment="wireguard0 - accept all" in-interface=wireguard0
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
UTUN4 route on iOS device when Wireguard is connected:
And a trace route from the iOS device showing one hop to 192.168.10.1:
How can this be anything else but a bug?
So this gets stranger… I found another iOS app that allows a port scan to a specific address. When I port scan to the name router.sapling on port 8291 it succeeds, if I use 192.168.10.1 to 8291 it fails.
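A way to separate "the packet never enters the tunnel" from "the router receives it and drops it", as an added example that is not part of the thread. It assumes the interface name wireguard0 and the rule comments from the export above, a Wireshark host at 192.168.10.50 on the LAN listening for TZSP on UDP 37008 (the RouterOS streaming format), Winbox on its default port 8291, and ether1 as the WAN interface; all of those are assumptions.

```routeros
# Log Winbox and ICMP arriving through the tunnel, placed ahead of the accept
# rule so they are evaluated first. ICMP is the control: the pings work, so
# the wg-icmp counter must move. If wg-winbox stays at 0 during the failed
# attempt by IP, the SYN never reached the router over the tunnel.
/ip/firewall/filter/add chain=input action=log log-prefix="wg-winbox" \
    in-interface=wireguard0 protocol=tcp dst-port=8291 \
    place-before=[find comment="wireguard0 - accept all" chain=input]
/ip/firewall/filter/add chain=input action=log log-prefix="wg-icmp" \
    in-interface=wireguard0 protocol=icmp \
    place-before=[find comment="wireguard0 - accept all" chain=input]
/ip/firewall/filter/print stats where log-prefix~"^wg-"
/log/print follow-only where message~"wg-"

# Stream only tunnel traffic to/from TCP 8291 to Wireshark (TZSP, UDP 37008)
/tool/sniffer/set streaming-enabled=yes streaming-server=192.168.10.50 \
    filter-interface=wireguard0 filter-ip-protocol=tcp filter-port=8291
/tool/sniffer/start
# ... attempt the app connection by IP, then by name, then ...
/tool/sniffer/stop

# Quick on-console view as an alternative to streaming
/tool/sniffer/quick interface=wireguard0 port=8291

# The underlay: do encrypted WireGuard datagrams arrive on the WAN at all during
# the failed attempt? An app that decides not to send would show nothing here
# either, a routing problem on the phone would show nothing here, while a packet
# the router decrypted and then dropped shows up here but not on wireguard0.
/tool/sniffer/quick interface=ether1 port=51820

# A SYN that reached the router is tracked even if a later rule drops it
/ip/firewall/connection/print where dst-address~":8291"
```

Run the name-based and IP-based attempts back to back with the log rules in place; the two counters side by side tell you which side of the tunnel to keep investigating.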
My apologies, but I don't understand your network and I don't use IPv6.
If you can provide a similar scenario that I could test on my equipment to confirm your findings I am glad to attempt such tests.
Do you mean you wireguard into a downstream router or device and wish to be able to reach and configure a parent upstream MT?
Do you mean you wireguard into a downstream router or device and wish to be able to reach a subnet or lan device on a parent upstream MT?
Please make a clear analogy so that I can test here.
I think the culprit lies with Wireguard and IPv6 and/or my LTE provider (for the iOS device) here in Australia (Telstra).
Do you mean you wireguard into a downstream router or device and wish to be able to reach and configure a parent upstream MT?
No, I wireguard into the device I want to configure using the Mikrotik iOS app
Do you mean you wireguard into a downstream router or device and wish to be able to reach a subnet or lan device on a parent upstream MT?
No, I wireguard into the device I want to configure using the Mikrotik iOS app
In saying this, I just wireguard connected into a different site using a public IPv4 address and attempted to configure the device I am wireguard'd into, and the same issue: can't connect to that device using an IP address via the Mikrotik iOS app.
But I can wireguard to my router (establish tunnel) and then use ip addresses on the router to configure the router via the MT app.
Do you mean wireguard to a device directly that is downstream of the router, so let's say an AX3 or other MT device behind the router?
If so, do you want me to test if it's acting like a router (double-NAT ax3),
OR
do you want me to test if the MT device is acting like an AP/switch etc...
Please clarify, as connecting to my main router works just fine.