Natting Public Ip Over Wireguard

We have a two firewalls connected through wireguard where locally everything is working normally.

With reference to the attached diagram, we would like to connect to a device (with port 4575) which is connected to Firewall 2 from a public computer.

Basically connection shall pass from:

1. Public computer to the FW 1
2. FW1 to FW2 (via wireguard)
3. FW2 to the connected device
   
   
   When checking firewall rules on FW1 and FW2, traffic was accepted to the device but connection was still not available.

Could it be something with TCP going back to FW1?

It could be 10 things, without any config impossible to say. (could be nat, routing, …)
Did you “torch” on FW2 to see if the DNAT’ted packet arrives at that point ???

The “device” is exposed to Internet with a DNAT ? Or does this “public computer” also has Wireguard Client ?

On a side-note, if FW2 is also connected to ISP/Internet, why not perform the DNAT at the location ? You have this FW2 under your control/administration ?

Ok, the schema is clear, but are missing all IPs…

If you don’t provide the configurations, you can only go blind, trying, groping, you choice…

FW1
/interface wireguard
add listen-port=22222 mtu=1420 name=wireguard-to-remote-site#1
add listen-port=33333 mtu=1420 name=wireguard-to-remote-site#2
/ip address
add address=10.20.200.1 interface=wireguard-remote-site#2 network=10.20.200.2
add address=10.21.200.1 interface=wireguard-remote-site#1 network=10.21.200.2
add address=172.50.201.1/30 interface=ether1 network=172.50.201.0

/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=\
    187.122.133.144 endpoint-port=22222 interface=wireguard-to-remote-site#1 \
    persistent-keepalive=10s public-key=\
    "xxxxxxxxxxxxxxxxxxxxxxxxxx="
add allowed-address=0.0.0.0/0 endpoint-address=\
    187.122.133.145 endpoint-port=33333 interface=wireguard-to-remote-site#2 \
    persistent-keepalive=10s public-key=\
    "xxxxxxxxxxxxxxxxxxxxxxxxxx="
/ip firewall filter
add action=accept chain=input comment=\
    "WireGuard Ports " dst-port=22222,33333 \
    protocol=udp 
add action=accept chain=input comment=\
    "WireGuard Ports " src-port=22222,33333 \
    protocol=udp 
add action=accept chain=forward-from-wan \
    dst-address=10.200.40.5 dst-port=4575
/ip firewall nat
add action=dst-nat chain=dstnat-services dst-port=\
    4575 protocol=tcp to-addresses=10.200.40.5

FW 2
/interface ethernet
set [ find default-name=ether2 ] speed=100Mbps
/ip dhcp-client
add interface=ether2
/ip address
add address=10.20.200.2 interface=wireguard-to-main-site#1 network=10.20.200.1
add address=10.21.200.2 interface=wireguard-to-main-site#2 network=10.21.200.1
/interface wireguard
add listen-port=22222 mtu=1420 name=wireguard-to-main-site#1
add listen-port=33333 mtu=1420 name=wireguard-to-main-site#2

/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=\
    188.122.133.144 endpoint-port=22222 interface=wireguard-to-main-site#1 \
    persistent-keepalive=10s public-key=\
    "xxxxxxxxxxxxxxxxxxxxxxxxxx="
add allowed-address=0.0.0.0/0 endpoint-address=\
    188.122.133.145 endpoint-port=33333 interface=wireguard-to-main-site#2 \
    persistent-keepalive=10s public-key=\
    "xxxxxxxxxxxxxxxxxxxxxxxxxx="
/ip firewall filter
add action=accept chain=forward comment=\
    "natted from remote site" dst-address=10.200.40.5 \
    dst-port=4575 log=yes log-prefix=inside protocol=tcp
add action=accept chain=input comment=\
    "WireGuard Ports " dst-port=22222,33333 \
    protocol=udp 
add action=accept chain=input comment=\
    "WireGuard Ports " src-port=22222,33333 \
    protocol=udp

Internally we are able to connect to 10.200.40.5:4575 but from external connection arrives to firewall 2 but connection fails.

Sorry but had to edit and subtract from 1000 lines of code.. so if you need anything else just ask thanks for helping.

Further find attachment of forwaded log from FW2.

Untitled.png1635×539 17.4 KB

The FW2 is under our control but the ISP modem is natted by the supplier through a 4G Dynamic Modem. This is not possible.

ok, heavy edited… for example missing all “dstnat-services”, like have nothing.

But, if is the only NAT you do, and the line is not altered, miss the destination address or at least the incoming WAN interface.
/ip firewall nat
add action=dst-nat chain=dstnat-services dst-port=4575 protocol=tcp to-addresses=10.200.40.5

and missing also the source NAT, the device try to use ISP2 for reply, but is natted with another WANIP2 and remote connection can not be possible…
pseudo rule:
add action=src-nat chain=srcnat-services dst-address=10.200.40.5 to-addresses=

Just a suggestion but you can try to enable DMZ (if supported by the 4G modem) which might sometime remove potential double-nat issues. Btw, what kind of 4G modems are they?

not possible since managed by ISP.

You read this?
http://forum.mikrotik.com/t/natting-public-ip-over-wireguard/166237/1

n/a

tried didnt work.

the first nat was already set. .the source nat was added but still didnt work.

Pass… also hide the information that there is another firewall in the middle… it’s too much for me, before I become vulgar, and I already am of my own…

Okay. Is this some kind of NMO/SLA business subscription with a preconfigured router/modem that is managed and monitored by the ISP? What NMO/ISP and modem is it?

Btw, regarding the last network diagram, where are the 4G modems located?

EDIT:
Just a suggestion but if you add subnets and ip addresses to the picture it makes it much easier to understand your configuration.

sorry

solved by adding the Source NAT on FW1 instead.

Thanks for your help.

Glad you managed to get it working!

Just curious but do you use some sort of NMO/SLA business plan with a pre-configured router/modem managed and monitored by the ISP and secondly, what is the NMO/ISP and what kind of modem is it?

so, even if I didn’t know it, I had already written the right name…