Multi WAN routing problem with CHR. Help please

Hello,
Dear Team,
I have 4 WANs from the same ISP. The RB5009 is load balanced, and the RB5009 is connected to the RB750. On the RB750, the hotspot server is running.
I have MikroTik CHR on DigitalOcean. I have connected the RB750 to the CHR through the WireGuard VPN client.

I want to access RB750 with the public IP of CHR by port forward.
I have port forwarded on CHR to access RB750 but it is not working. I noticed the port forward is stuck in RB5009 where load balancing is done.
Please assist me

Regards

If

  • you do the port forwarding on the CHR properly (from the public address to the private one that is attached to the Wireguard interface on the 750),
  • the Wireguard tunnel as such is working properly,
  • the routing on the 750 is done properly,

the 5009 can have no impact on the port forwarding from the CHR to the 750. So something about the above points must be wrong.

Hence start from posting the configuration exports from the CHR and the 750, with the usual precautions, obfuscating everything sensitive but in a way that does not obfuscate the relationship between elements, i.e. for public and global addresses, substitute the prefixes so that things like the fact that the own address of the CHR and the gateway are in the same subnet remain visible after the obfuscation.

I have tried to connect another remote location MikroTik 750Gr3 and port forward on DigitalOcean, still not working.

CHR______________
/disk
set slot1 media-interface=none media-sharing=no
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no name=ether1_WAN
set [ find default-name=ether2 ] disable-running-check=no name=ether2_LAN
/interface veth
add address=172.16.8.2/24 gateway=172.16.8.1 gateway6="" name=veth1
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add name=WAN-Interface-List
add name=LAN-Interface-List
/port
set 0 name=serial0
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=!all
/ipv6 settings
set max-neighbor-entries=15360
/interface l2tp-server server
set enabled=yes one-session-per-host=yes use-ipsec=required
/interface list member
add interface=ether1_WAN list=WAN-Interface-List
add interface=ether2_LAN list=LAN-Interface-List
/interface wireguard peers
add allowed-address=172.16.7.7/32 client-address=172.16.7.7/32 client-dns=\

/ip address
add address=172.16.7.1/24 comment=Wireguard interface=wireguard1 network=\
    172.16.7.0
add address=172.16.8.1/24 comment=VPN interface=ether2_LAN network=172.16.8.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m update-time=yes
/ip dhcp-client
add interface=ether1_WAN
/ip dns
set cache-size=10000KiB
/ip firewall filter
add action=accept chain=input
add action=accept chain=forward comment="Accept all that is DST NATed" \
    connection-nat-state=dstnat connection-state=new
add action=accept chain=input comment=Wireguard dst-port=13231 protocol=udp
add action=accept chain=input comment="Router Access Remotely" dst-port=\
    8295,8296,8297,8298 protocol=tcp
add action=drop chain=input comment="Block Attack" dst-port=\
    25,53,87,512-515,543,544,7547,8080 protocol=tcp
add action=drop chain=input comment="Block Attack" dst-port=\
    53,80,87,161,162,1900,4520-4524,8080 protocol=udp
add action=drop chain=input comment="Block Ping" in-interface-list=\
    WAN-Interface-List protocol=icmp
add action=add-src-to-address-list address-list="Port Scanners" \
    address-list-timeout=none-dynamic chain=input comment=\
    "Port Scanners to Address List " protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="Port Scanners" \
    address-list-timeout=none-dynamic chain=input comment=\
    "TCP Flag-NMAP FIN Stealth scan" protocol=tcp tcp-flags=\
    fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="Port Scanners" \
    address-list-timeout=none-dynamic chain=input comment=\
    "TCP Flag-FIN/SYN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="Port Scanners" \
    address-list-timeout=none-dynamic chain=input comment=\
    "TCP Flag-RST/SYN scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="Port Scanners" \
    address-list-timeout=none-dynamic chain=input comment=\
    "TCP Flag-FIN/PSH/URG scan" protocol=tcp tcp-flags=\
    fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="Port Scanners" \
    address-list-timeout=none-dynamic chain=input comment=\
    "TCP Flag-ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="Port Scanners" \
    address-list-timeout=none-dynamic chain=input comment=\
    "TCP Flag-NMAP NULL scan" protocol=tcp tcp-flags=\
    !fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="Dropping Port Scanners" \
    src-address-list="Port Scanners"
/ip firewall mangle
add action=change-mss chain=forward comment=\
    "Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu \
    out-interface=wireguard1 passthrough=yes protocol=tcp tcp-flags=syn
add action=change-mss chain=forward new-mss=1380 out-interface=wireguard1 \
    protocol=tcp tcp-flags=syn tcp-mss=1381-65535
/ip firewall nat
add action=masquerade chain=srcnat src-address=172.16.7.0/24
add action=masquerade chain=srcnat src-address=172.16.8.0/24
add action=dst-nat chain=dstnat dst-address=xx.xx.xx.xx dst-port=8298 \
    in-interface=ether1_WAN protocol=tcp to-addresses=172.16.7.21 to-ports=\
    8295
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add comment=Remote disabled=no distance=1 dst-address=172.20.20.0/24 gateway=\
    wireguard1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=Remote disabled=no distance=1 dst-address=10.10.10.0/24 gateway=\
    wireguard1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=8298
set ssh disabled=yes
set api disabled=yes
set winbox port=8297
set api-ssl disabled=yes
/ppp secret
add local-address=172.16.8.1 name=hotspot remote-address=172.16.8.2 service=\
    l2tp
add local-address=172.16.8.1 name=pppoe remote-address=172.16.8.3 service=\
    l2tp
/system identity
set name=MikroTik-London
/system logging
add action=disk prefix=-> topics=hotspot,info,debug
/system note
set show-at-login=no
/tool romon
set enabled=yes


Hotspot Server RB750_____________

/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN
set [ find default-name=ether3 ] name=ether3_Loop
set [ find default-name=ether4 ] name=ether4_Loop
set [ find default-name=ether5 ] name=ether5_LAN
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1_WAN name=3_PPPoE \
    service-name=service_two user=xyz
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add include=none name=WAN-Interface-List
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip hotspot profile
add dns-name=login.net hotspot-address=10.10.10.1 html-directory=\
    flash/hotspot login-by=http-pap name=hsprof1
/ip pool
add name=hs-pool-1 ranges=10.10.10.11-10.10.10.250
/ip dhcp-server
add address-pool=hs-pool-1 interface=ether5_LAN lease-time=1h name=dhcp1
/ip hotspot
add address-pool=hs-pool-1 addresses-per-mac=1 disabled=no interface=\
    ether5_LAN name=hotspot1 profile=hsprof1
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/queue type
set 8 mq-pfifo-limit=5000
/queue interface
set ether1_WAN queue=multi-queue-ethernet-default
set ether2 queue=multi-queue-ethernet-default
set ether3_Loop queue=multi-queue-ethernet-default
set ether4_Loop queue=multi-queue-ethernet-default
set ether5_LAN queue=multi-queue-ethernet-default
/routing table
add disabled=no fib name=ether1_WAN
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=!all
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set enabled=yes one-session-per-host=yes use-ipsec=required
/interface list member
add disabled=yes interface=1_xxyyzz_35M+50M list=WAN-Interface-List
add disabled=yes interface=2_m-rizwan2p_30+50M list=WAN-Interface-List
add interface=3_PPPoE list=WAN-Interface-List
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=172.16.7.1/32 endpoint-address=134.122.100.126 \
    endpoint-port=13231 interface=wireguard1 name=Rremote-DigitalOcean \
    persistent-keepalive=25s public-key=
add allowed-address=192.168.199.1/32 disabled=yes endpoint-address=\
    18.171.250.163 endpoint-port=13231 interface=wireguard1 name=Remote-AWS \
    persistent-keepalive=25s public-key=
/ip address
add address=10.10.10.1/24 interface=ether5_LAN network=10.10.10.0
add address=172.16.7.19/24 interface=wireguard1 network=172.16.7.0
add address=172.20.20.1/24 interface=ether5_LAN network=172.20.20.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-server alert
add disabled=no interface=ether5_LAN valid-server=B8:69:F4:AE:BC:FE
/ip dhcp-server network
add address=10.10.10.0/24 comment="hotspot network" dns-server=\
    8.8.8.8,1.1.1.1 gateway=10.10.10.1
/ip dns
set allow-remote-requests=yes cache-size=10000KiB servers=8.8.8.8,1.1.1.1
/ip firewall address-list
add address=10.10.10.0/24 list=LAN-Address-List
add address=172.20.20.0/24 list=LAN-Address-List
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=accept chain=forward dst-address-list=LAN-Address-List \
    src-address=172.16.7.0/24
add action=accept chain=forward dst-address=172.16.7.0/24 src-address-list=\
    LAN-Address-List
add action=accept chain=input dst-port=13231 protocol=udp
add action=accept chain=input comment="Router Access Remotely" dst-port=\
    8295,8296 protocol=tcp
add action=drop chain=input comment="Block Ping" disabled=yes \
    in-interface-list=WAN-Interface-List protocol=icmp
add action=drop chain=input comment="Block Attack" disabled=yes dst-port=\
    25,53,87,512-515,543,544,7547,8080 protocol=tcp
add action=drop chain=input comment="Block Attack" disabled=yes dst-port=\
    53,80,87,161,162,1900,4520-4524,8080 protocol=udp
add action=add-src-to-address-list address-list="Port Scanners" \
    address-list-timeout=none-dynamic chain=input comment=\
    "Port Scanners to Address List " disabled=yes protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="Port Scanners" \
    address-list-timeout=none-dynamic chain=input comment=\
    "TCP Flag-NMAP FIN Stealth scan" disabled=yes protocol=tcp tcp-flags=\
    fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="Port Scanners" \
    address-list-timeout=none-dynamic chain=input comment=\
    "TCP Flag-FIN/SYN scan" disabled=yes protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="Port Scanners" \
    address-list-timeout=none-dynamic chain=input comment=\
    "TCP Flag-RST/SYN scan" disabled=yes protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="Port Scanners" \
    address-list-timeout=none-dynamic chain=input comment=\
    "TCP Flag-FIN/PSH/URG scan" disabled=yes protocol=tcp tcp-flags=\
    fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="Port Scanners" \
    address-list-timeout=none-dynamic chain=input comment=\
    "TCP Flag-ALL/ALL scan" disabled=yes protocol=tcp tcp-flags=\
    fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="Port Scanners" \
    address-list-timeout=none-dynamic chain=input comment=\
    "TCP Flag-NMAP NULL scan" disabled=yes protocol=tcp tcp-flags=\
    !fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="Dropping Port Scanners" disabled=yes \
    src-address-list="Port Scanners"
/ip firewall mangle
add action=change-ttl chain=postrouting new-ttl=set:1 out-interface=\
    ether5_LAN passthrough=no src-address=10.10.10.0/24
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    out-interface-list=WAN-Interface-List src-address-list=LAN-Address-List
/ip hotspot walled-garden
add comment="place hotspot rules here" disabled=yes
/ip hotspot walled-garden ip
add action=accept disabled=no !dst-address !dst-address-list !dst-port \
    !protocol src-address=10.10.10.1 !src-address-list
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=8296
set ssh disabled=yes
set api disabled=yes
set winbox port=8294
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Asia/Karachi
/system identity
set name="RoshanNet Hotspot Server"
/system logging
add action=disk prefix=-> topics=hotspot,info,debug
/system note
set show-at-login=no
/tool bandwidth-server
set authenticate=no enabled=no
/tool romon
set enabled=yes

On the RB750, the IP address attached to interface wireguard1 is 172.16.7.19; on the CHR, the allowed-address of the wireguard peer representing the RB750 says 172.16.7.7, and the to-addresses in the only dst-nat rule on the CHR is set to 172.16.7.21.

All three of these addresses have to be the same for it to work.

Also, you have spent more than 340 posts on the forum, have you noticed the existence of the </> button?
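The three-address rule above can be checked mechanically rather than by eye. The script below is an added example, not code from the thread or from MikroTik: it parses RouterOS `/export` text (including the trailing-backslash line continuations the exports use), then verifies that the RB750's address on wireguard1, the allowed-address of the CHR's peer for it, and the CHR dst-nat to-addresses all agree, and that a peer's allowed-address actually covers the NAT target (otherwise WireGuard on the CHR has no peer to hand the translated packet to). The two excerpts are constructed to mirror the posted exports; the peer name `rb750-peer` and the public address 203.0.113.10 are placeholders.

```python
import shlex
from ipaddress import ip_interface, ip_network

# Constructed excerpts modelled on the exports in the thread (not the posted
# files themselves); 203.0.113.10 stands in for the CHR's public address.
CHR_EXPORT = """\
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface wireguard peers
add allowed-address=172.16.7.7/32 client-address=172.16.7.7/32 \\
    interface=wireguard1 name=rb750-peer
/ip address
add address=172.16.7.1/24 comment=Wireguard interface=wireguard1 network=\\
    172.16.7.0
/ip firewall nat
add action=masquerade chain=srcnat src-address=172.16.7.0/24
add action=dst-nat chain=dstnat dst-address=203.0.113.10 dst-port=8298 \\
    in-interface=ether1_WAN protocol=tcp to-addresses=172.16.7.21 to-ports=\\
    8295
"""
RB750_EXPORT = """\
/ip address
add address=10.10.10.1/24 interface=ether5_LAN network=10.10.10.0
add address=172.16.7.19/24 interface=wireguard1 network=172.16.7.0
"""
# Same CHR excerpt with the peer and the NAT target aligned to the RB750's 172.16.7.19.
CHR_EXPORT_ALIGNED = (CHR_EXPORT.replace("172.16.7.7/32", "172.16.7.19/32")
                      .replace("to-addresses=172.16.7.21", "to-addresses=172.16.7.19"))


def parse_export(text):
    """Parse RouterOS /export text into {section: [ {key: value, ...}, ... ]}.
    Trailing-backslash continuations are re-joined the way RouterOS reads them,
    so 'network=\\' followed by '    172.16.7.0' becomes network=172.16.7.0."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
            continue
        tokens = shlex.split(line)  # honours the "quoted values" in exports
        entry = {"_cmd": tokens[0], "_args": []}
        for tok in tokens[1:]:
            key, eq, value = tok.partition("=")
            if eq:
                entry[key] = value
            else:
                entry["_args"].append(tok)  # positional: '[', 'find', '!dst-port', ...
        sections.setdefault(current, []).append(entry)
    return sections


def _networks(value):
    """allowed-address may list several prefixes: 'a/32,b/24'."""
    return [ip_network(v, strict=False) for v in value.split(",") if v]


def check_tunnel_dstnat(chr_cfg, rb_cfg, wg_if="wireguard1"):
    """Return a list of problems; an empty list means the three addresses agree."""
    rb_ips = [ip_interface(e["address"]).ip for e in rb_cfg.get("/ip address", [])
              if e.get("interface") == wg_if]
    peers = [(e.get("name", "?"), _networks(e["allowed-address"]))
             for e in chr_cfg.get("/interface wireguard peers", [])
             if e.get("interface", wg_if) == wg_if and "allowed-address" in e]
    # to-addresses is read as one address here (the thread's rule has exactly one)
    targets = [ip_interface(e["to-addresses"]).ip for e in chr_cfg.get("/ip firewall nat", [])
               if e.get("action") == "dst-nat" and "to-addresses" in e]

    def covered(ip):
        return [name for name, nets in peers if any(ip in net for net in nets)]

    problems = []
    if len(rb_ips) != 1:
        problems.append(f"RB750 has {len(rb_ips)} addresses on {wg_if}, expected exactly one")
    for ip in rb_ips:
        if not covered(ip):
            problems.append(f"no CHR peer allowed-address covers the RB750 tunnel address {ip}: "
                            "WireGuard on the CHR will neither send to nor accept from it")
    for t in targets:
        if t not in rb_ips:
            problems.append(f"CHR dst-nat to-addresses={t} is not the RB750 tunnel address "
                            f"({', '.join(map(str, rb_ips)) or 'none found'})")
        if not covered(t):
            problems.append(f"no CHR peer allowed-address covers dst-nat target {t}, "
                            "so the translated packet has no peer to leave through")
    return problems


def audit(chr_text, rb_text):
    """Parse both exports and run the check."""
    return check_tunnel_dstnat(parse_export(chr_text), parse_export(rb_text))


if __name__ == "__main__":
    for label, cfg in (("as posted", CHR_EXPORT), ("aligned", CHR_EXPORT_ALIGNED)):
        print(f"[{label}]")
        for p in audit(cfg, RB750_EXPORT) or ["all three addresses agree"]:
            print("  -", p)
```

Run as-is it reports three findings for the posted values (the peer does not cover .19, the NAT target .21 is not the RB750's address, and nothing covers .21) and none once everything is aligned to 172.16.7.19. Feed it the real exports by replacing the two constants; the parser only needs the `/ip address`, `/interface wireguard peers` and `/ip firewall nat` sections.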

Sorry, I will do </> next time.


In NAT it shows this log:

dstnat: in:pppoe-out out:(unknown 0), connection-state:new proto TCP (SYN), xx.xx.xx.xx:60263->xx.xx.xx.xx:8297, len 52

Maybe I do not understand what you want to achieve or how the wireguard tunnel is set - is the endpoint address of the only Wireguard peer on the RB750 set to the public address of the CHR? Because the log row you’ve just posted says that the initial packet towards TCP port 8297 has arrived via pppoe-out1. Did this log line appear after you have aligned the three addresses as I’ve suggested above?
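The diagnosis in the reply above rests on reading the `in:` field of the firewall log line. As an added example (not from the thread), the parser below splits a RouterOS firewall log line into its fields and classifies whether the first packet of the connection arrived through the WireGuard interface or hit the router directly on another interface; the sample lines are constructed with documentation addresses, with the first one shaped like the posted line.

```python
import re

# RouterOS firewall log line: "<chain>: in:<if> out:<if>, [src-mac <mac>, ]
# [connection-state:<s> ]proto <P>[ (<flags>)], <src>:<sport>-><dst>:<dport>, len <n>"
LOG_RE = re.compile(
    r"^(?P<chain>\w+): in:(?P<in_if>\S+) out:(?P<out_if>.*?), "
    r"(?:src-mac (?P<src_mac>[0-9A-Fa-f:]+), )?"
    r"(?:connection-state:(?P<state>\S+) )?"
    r"proto (?P<proto>\w+)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>[0-9.]+):(?P<sport>\d+)->(?P<dst>[0-9.]+):(?P<dport>\d+), len (?P<length>\d+)$"
)

SAMPLE_LINES = [
    # constructed: shaped like the posted line, a SYN to 8297 arriving on the PPPoE WAN
    "dstnat: in:pppoe-out1 out:(unknown 0), connection-state:new proto TCP (SYN), "
    "198.51.100.7:60263->203.0.113.10:8297, len 52",
    # constructed: the same SYN when it comes in through the tunnel from the CHR
    "dstnat: in:wireguard1 out:(unknown 0), connection-state:new proto TCP (SYN), "
    "172.16.7.1:60264->172.16.7.19:8297, len 52",
    # constructed: a UDP line carries no flags part
    "input: in:ether1_WAN out:(unknown 0), connection-state:new proto UDP, "
    "198.51.100.7:40000->203.0.113.10:13231, len 176",
]


def parse_log_line(line):
    """Return the fields of one firewall log line as a dict (ports and length as int)."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a RouterOS firewall log line: {line!r}")
    rec = m.groupdict()
    for key in ("sport", "dport", "length"):
        rec[key] = int(rec[key])
    return rec


def entry_path(line, tunnel_if="wireguard1"):
    """'tunnel' if the packet entered on the WireGuard interface, else 'direct'."""
    return "tunnel" if parse_log_line(line)["in_if"] == tunnel_if else "direct"


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_log_line(line)
        print(f"{rec['chain']:>6} {rec['proto']:<4} in={rec['in_if']:<12} "
              f"dport={rec['dport']:<6} path={entry_path(line)}")
```

A forwarded connection that is meant to come in via the CHR should show `in:wireguard1` on the RB750; a `dstnat` line with the PPPoE interface as `in:` means the client reached the RB750's own public address, not the CHR's.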

What is the purpose of the LAN on the CHR??
Are you using the CHR as WAN2 for the RB750 ???
Are you port forwarding to servers on the RB via the CHR connection (through the wireguard tunnel between the two devices)?
Are you using the wireguard tunnel to remotely connect to both RB750 and RB5009 for router config purposes?
Are you using the wireguard tunnel to remotely connect to the RB750 LAN or RB5009 LAN?

I want to access the MikroTik RB750Gr3 with the public IP of the CHR over the WireGuard VPN through port forwarding.
The RB750Gr3 is connected with the CHR.
No need to do anything with the RB5009.

Your answer is too vague to be of any use.

Describe the traffic,
USER A, USER B, USER C from external wants to do what!!
Identify users and describe traffic needed.

  • config 750
  • config RB5009
  • reach servers on LAN of 750
  • reach servers on LAN of RB5009