Port forward from WAN to a host behind Wireguard

Hello, friends.
My issue may look like a noob's, but I've searched a lot and didn't find any clue.
I have two MikroTik routers (M1 and M2) and a WireGuard tunnel between them. It works fine except for one thing. M1 has a public IP, and my goal is to get access to a host in the M2 network via a connection from the Internet to the M1 public IP. I tried dstnat and netmap rules in Firewall and had no luck. I see the incoming connection but no reply from the host in the M2 network.
Apparently I'm missing some rule to properly send the reply back to the WAN. Would you please give me an idea where to search for a solution?
The M1 dstnat rule is as follows (the address in to-addresses is from the M2 LAN):
add action=dst-nat chain=dstnat comment="My Home NVR" dst-port=44444 in-interface-list=WAN log-prefix=NVR protocol=tcp to-addresses=10.10.10.198 to-ports=80
Thank you.

Can you confirm this is what you want to do?
EXTERNAL USERS —> Use public IP (dyndns url):ServerPort# → Connect to Router A.
Router A → Port forwards incoming traffic on WANIP into Wireguard Tunnel —> Connect to Router B
Router B → Remote traffic exits wireguard tunnel and gets sent to Local Server On B.
Traffic is returned all the way back to original external user.

You need two firewall mangle rules. First, mark incoming connections from the WireGuard interface, and then route those connections out the WireGuard interface. Here is what mine look like:

/ip firewall mangle
add action=mark-connection chain=prerouting comment="Mark Incoming WireGuard1 Connection" in-interface=wireguard1 new-connection-mark=Wireguard-In passthrough=no
add action=mark-routing chain=prerouting comment="Route Return for Incoming WireGuard Connection" connection-mark=Wireguard-In new-routing-mark=WireGuard1 passthrough=no

There should be no mangling required???
Basic port forwarding on the public Router A to the server IP address on Router B.
Create an IP route for the dst server address, on Router A, pointing to the WireGuard interface name.

Thus the router knows two things:
I can accept the incoming external traffic (fw rule allowing dstnat, and dstnat rule) and it should go to IP xxxx, and I have a route for that destination and that's through the WG tunnel.
Assuming on the WG server Router A the allowed IPs have identified (besides the /32 WireGuard IP of Router B) the remote subnet the server is located on.
All the incoming port-forwarded traffic heading for that destination will then be allowed into the tunnel.

Assuming the client WG Router B has 0.0.0.0/0 for allowed IPs, all external user traffic will be allowed to exit the tunnel heading to the LAN.
On Router B, simply ensure you have a firewall rule allowing in-interface wireguard to dst-address the LAN server IP in question.
[wrong —> The router will track the reply traffic <—] and send it back the way it arrived to the tunnel, and with allowed IPs of 0.0.0.0/0 the traffic will be allowed back into the tunnel to Router A.

What is key in this approach is that the server will actually see/record all the original IPs of external users.
PS. If you also want remote access (WG road warrior) to access the internet of Router A, or the config of Router A, add wireguard to the LAN interface list.

This would only be true if all traffic of the server was routed out the WireGuard connection. But if you only want to allow access to some services on the server through the WireGuard connection, you will need to mark that incoming traffic so that it will return out the WireGuard connection.

Okay, what I am missing is the return traffic.
The router has no way of knowing to send return traffic back into the tunnel vice out the local WAN at Router B.

Since this is traffic NOT going out one of the local WANs, we cannot use routing rules and must use mangles.
Rules by Deadstik are spot on, but I would change the first rule to passthrough=yes and add connection-mark=no-mark:

/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark comment="Mark Incoming WireGuard1 Connection" in-interface=wireguard1 new-connection-mark=Wireguard-In passthrough=yes
add action=mark-routing chain=prerouting comment="Route Return for Incoming WireGuard Connection" connection-mark=Wireguard-In new-routing-mark=WireGuard1 passthrough=no

And in the firewall filter rules, change the forward-chain fasttrack rule to:
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related connection-mark=no-mark

Thus keeping fasttrack available for all other traffic.

Good day,

I have the same/similar need and I believe the same/similar setup as OP, just less experience.

M1 (static IP), I have this NAT rule:

 chain=dstnat action=dst-nat to-addresses=192.168.50.53 to-ports=3389 protocol=tcp in-interface-list=WAN dst-port=7500 log=no log-prefix=""

On M2 (LTE ISP) I have:

 0    ;;; Mark Incoming WireGuard1 Connection
      chain=prerouting action=mark-connection new-connection-mark=Wireguard-In passthrough=yes connection-mark=no-mark in-interface=wireguard1 log=no 
      log-prefix="" 

 1    ;;; Route Return for Incoming WireGuard Connection
      chain=prerouting action=mark-routing new-routing-mark=wireguard1 passthrough=no connection-mark=Wireguard-In log=no log-prefix=""

What additional things need to be done to either M1 or M2?
My WireGuard VPN from M1 to M2 is working. I can ping 192.168.50.53, which is behind M2, from M1 no problem. I am trying to connect to 192.168.50.53 from the internet using port 7500, but it never hits the mangle rule on M2 when I try.
I disabled fasttrack in filter rules.

PS: No, I am not going to leave it like this or even use it; I am setting up for an online order system that is not yet set up, so I had to create a test scenario.

Well, there are two approaches, and the one you wish for will dictate the config option to go with.

Question: do you want to know who the external IPs are at the M2 server (identify them)?

NO → then source-NAT all the traffic going into the WireGuard tunnel at M1 → advantage: mangling not required; you should be able to identify users by some means at M1.
YES → then you will need to mangle the traffic coming in on wireguard at M2, so that the router knows where to send the reply traffic (since it is coming from the WWW (external users), it would naturally attempt to send the response out the local WAN).

I don't know for sure if yes or no.

But let's say yes. Do the mangle rules I posted earlier do that?

Here are the routes I have; not sure if the 0.0.0.0/0 wireguard1 is needed.

#      DST-ADDRESS       GATEWAY        DISTANCE
0  As+ 0.0.0.0/0         wireguard1            1
  DAd+ 0.0.0.0/0         192.168.210.1         1
  DAc  10.255.180.0/24   wireguard1            0
  DAc  192.168.50.0/24   bridge                0
  DAc  192.168.210.0/24  ether1                0

I would need to see the complete config; MT OS does not work in isolation.

/export file=anynameyouwish ( minus router serial number, any public IP information, keys etc.)

Hi,

I have attached the config for M2. Do you need M1 as well? That one is a central router for several clients, but aside from that it's just a basic config with lots of WireGuard interfaces for different customers.
lwmtconfig.rsc (6.62 KB)

Yes, both routers please.

Here is M1
cloudmtmod.rsc (2.86 KB)

M1 FIRST OBSERVATIONS.

  1. Unsafe rule in input chain. Understand you have it narrowed down, but WAN IPs can be spoofed. The basic rule of thumb is ONLY configure the router from behind the router.
    So either from a LAN device or from within the router once connected via VPN, like WireGuard.

/ip firewall filter
add action=accept chain=input comment=Winbox dst-port=8291 in-interface-list=WAN protocol=tcp src-address-list=Winbox

  2. Modify interface list members
    /interface list member
    add interface=ether1 list=WAN
    add interface=wg_customername list=LAN

  3. Recommend replacing the default rule with a better and CLEARER set of rules...
    add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

    TO:
    add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
    add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
    add action=accept chain=forward comment="enter WG tunnel" in-interface-list=LAN out-interface=wg_customername
    add action=drop chain=forward comment="Drop all else"

M2 OBSERVATIONS

  4. Modify allowed IPs.

/interface wireguard peers
add allowed-address=10.255.180.0/24 comment=GTCloud endpoint-address=XXXXXXXXXXXXX.sn.mynetname.net endpoint-port=21227 interface=wireguard1 persistent-keepalive=25s public-key="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"

  5. Same comment on input chain rule regarding access to config.

  6. The routing table name is the same as the WireGuard interface name, very confusing and probably interfering.
    MODIFY TO:
    /routing table
    add disabled=no fib name=to-wireguard1

  7. YOUR IP ROUTES seem incorrect.
    If you don't have default route selected in IP DHCP client, then you need both below; if you do, you only need the second route.
    add dst-address=0.0.0.0/0 gateway=ISP1-gateway-ip routing-table=main
    add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=to-wireguard1

  8. Also change firewall rules slightly, and first create a firewall address list.

/ip firewall address-list
add address=mainroutersubnetIP list=Authorized comment="AdminLAN IP on main router"
add address=10.255.180.3 list=Authorized comment="Admin remote laptop"
add address=192.168.50.X list=Authorized comment="Local admin pc"

Note: You need to identify what the LAN IP address is (statically set in DHCP leases) on the main router for the ADMIN (aka his desktop).
Also create another WireGuard client for the admin when remote (as in laptop from anywhere).
Also identify the local admin computer on this router (static DHCP lease).

Input chain:
From:
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

TO:
add action=accept chain=input comment="admin access" src-address-list=Authorized
add action=accept chain=input comment="users to services" dst-port=53 protocol=udp in-interface-list=LAN
add action=accept chain=input comment="users to services" dst-port=53 protocol=tcp in-interface-list=LAN
add action=drop chain=input comment="Drop all else" { put this rule in last so you don't lock yourself out }

Forward chain:
From:
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

TO:
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes { enable if required or remove }
add action=accept chain=forward comment="allow port forwarding to server" in-interface=wireguard1 dst-address=192.168.50.53
add action=accept chain=forward comment="allow admin to lan" src-address-list=Authorized dst-address=192.168.50.0/24
add action=drop chain=forward comment="Drop all else"

  9. OKAY, confused? Why do you have port forwarding to the same server with the same end port on this router? I thought the idea was people were going to access the main router, vice the secondary router, to reach this server??? It should be removed if not there for some unknown purpose???
    /ip firewall nat
    add action=dst-nat chain=dstnat disabled=yes dst-port=3389 protocol=tcp to-addresses=192.168.50.53 to-ports=3389

  10. Mangles next... FIXED:
    /ip firewall mangle
    add action=mark-connection chain=prerouting comment="Mark Incoming WireGuard1 Connection" connection-mark=no-mark in-interface=wireguard1 new-connection-mark=Wireguard-In passthrough=yes
    add action=mark-routing chain=prerouting comment="Route Return for Incoming WireGuard Connection" connection-mark=Wireguard-In new-routing-mark=to-wireguard1 passthrough=no

M1

  1. I have about 200 MikroTik routers that I manage, so how would you manage that? I never heard that public IP spoofing is actually possible.
  2. Done.
  3. I will study what you have proposed; I usually just use the default config and add as needed.

M2

  4. OK, thanks, I forgot that on the client peer I could do 0/24. Just not on the server side.
  5. Thinking about how I will manage.
  6. Fixed.
  7. I will try and understand all of this.
  8. I was trying stuff; this was disabled. I have deleted it.
  9. Fixed.

After doing what you mentioned above, I added one more rule to M1.

chain=srcnat action=masquerade out-interface=wg_customername log=no log-prefix=""

And now it works! thank you very much for helping me solve this.

To manage 200 routers I would certainly look at something like this to simplify life.
https://admiralplatform.com/

Second point is that if you were my IT manager/consultant, I would sue if breached, for malpractice… :slight_smile:


Yes, when trying to port forward from R1's public IP through WireGuard to a server on R2, the easiest way is to source-NAT the traffic entering the tunnel at R1.
The drawback is that the public IPs of the users will not hit the actual server; some people like to record that or know that info. However, it's a bit more complex in that you then have to mangle at R2.
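Both approaches from this thread, written out as one worked configuration. This is an added example by the editor, not config posted by any participant. All names and numbers are assumptions chosen to match the thread's topology: M1's tunnel interface is called wg-m2 with address 10.255.180.1/24 and listens on UDP 13231, M2's wireguard1 has 10.255.180.2/24, the M2 LAN 192.168.50.0/24 sits on an interface called bridge, the server is 192.168.50.53:3389, and the external port is 7500. Approach A is the src-nat that the poster above ended up using; approach B keeps the real client IPs and needs the routing table plus mangle rules. One change over the mangle rules quoted in the thread: the mark-routing rule here is limited to packets arriving from the LAN (the replies), because a routing mark applied to the inbound packets as well would look them up in a table whose only route points back into the tunnel.

```routeros
# ===== M1: public IP, WireGuard "server" side (assumed names/addresses) =====
/interface wireguard
add name=wg-m2 listen-port=13231 private-key="<M1 private key>"
/ip address
add address=10.255.180.1/24 interface=wg-m2
/interface wireguard peers
# allowed-address must cover the remote LAN: WireGuard discards inbound
# packets whose source is outside the peer's allowed-address, so the
# server's replies (src 192.168.50.53) would otherwise never be accepted.
add interface=wg-m2 public-key="<M2 public key>" \
    allowed-address=10.255.180.2/32,192.168.50.0/24
/interface list member
add interface=wg-m2 list=LAN
/ip route
# this route is what carries the dst-natted packets into the tunnel
add dst-address=192.168.50.0/24 gateway=wg-m2
/ip firewall nat
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp dst-port=7500 \
    to-addresses=192.168.50.53 to-ports=3389 comment="7500 -> server RDP"
# APPROACH A: hide external users behind M1's tunnel address. M2 then
# answers to 10.255.180.1, a connected network, so M2 needs no mangle;
# the server logs 10.255.180.1 instead of the real client IP.
# Remove this rule when using approach B.
add chain=srcnat action=masquerade out-interface=wg-m2 comment="src-nat into tunnel"
/ip firewall filter
# dst-natted connections must be accepted in forward before any drop rule
add chain=forward action=accept connection-nat-state=dstnat comment="port forwarding"

# ===== M2: behind LTE/CGNAT, WireGuard "client" side =====
/ip address
add address=10.255.180.2/24 interface=wireguard1
/interface wireguard peers
add interface=wireguard1 public-key="<M1 public key>" endpoint-address=<M1 public IP> \
    endpoint-port=13231 persistent-keepalive=25s allowed-address=0.0.0.0/0
/ip firewall filter
# only the forwarded service, not the whole LAN, is reachable from the tunnel
add chain=forward action=accept in-interface=wireguard1 dst-address=192.168.50.53 \
    protocol=tcp dst-port=3389 comment="forwarded traffic to server only"

# ----- APPROACH B only (M1 does not src-nat; server sees real client IPs) -----
# Replies are addressed to the external user's public IP; without these
# rules M2's main table sends them out the LTE WAN and the asymmetric
# connection dies. Mark the connection on entry, then route only the
# LAN-side (reply) packets of that connection via a table whose default
# route is the tunnel.
/routing table
add name=to-wireguard1 fib
/ip route
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=to-wireguard1
/ip firewall mangle
add chain=prerouting action=mark-connection in-interface=wireguard1 \
    connection-mark=no-mark new-connection-mark=Wireguard-In passthrough=yes \
    comment="mark connections arriving from the tunnel"
# in-interface=bridge limits the routing mark to the reply direction
add chain=prerouting action=mark-routing in-interface=bridge \
    connection-mark=Wireguard-In new-routing-mark=to-wireguard1 passthrough=no \
    comment="send replies back through the tunnel"
# fasttracked packets bypass mangle, so marked connections must be excluded
/ip firewall filter
add chain=forward action=fasttrack-connection connection-state=established,related \
    connection-mark=no-mark comment="defconf: fasttrack (unmarked only)"

# ----- checks while a client connects to <M1 public IP>:7500 -----
# both mangle counters must rise; if only the first does, replies are not
# coming from the bridge interface you expected
/ip firewall mangle print stats
# the tracked connection shows the external source (approach B) or
# 10.255.180.1 (approach A) and, for B, connection-mark=Wireguard-In
/ip firewall connection print where dst-address~"192.168.50.53"
```

The `add` lines append to the end of each chain, so after importing, move the accept and fasttrack rules above the chain's drop rules, as the thread's "Drop all else" layout requires. With approach A, both the routing table and the mangle section on M2 can be left out entirely; with approach B, the masquerade rule on M1 must be absent, otherwise the server still only sees 10.255.180.1.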

Thanks, I will check out https://admiralplatform.com/

OK, good feedback. What am I doing that you would consider malpractice?

Knowingly making a connection to the router available to the WWW. Using the default Winbox port is icing on the malpractice cake. :slight_smile:
/ip firewall filter
add action=accept chain=input comment=Winbox dst-port=8291 in-interface-list=WAN protocol=tcp src-address-list=Winbox

OK, thanks, I will fix that.

Hello everyone, I would like to be able to access a surveillance camera behind a MikroTik that has a WireGuard client. WireGuard works correctly between the server, my PC (WireGuard client) and the MikroTik.
I can access the MikroTik by WireGuard from my PC on any network; now I would like to access the camera.

Here is my config:
wg server 10.253.0.0/24
wg client pc 10.253.0.3/32
wg client mikrotik 10.253.0.2/32

mikrotik LAN 192.168.10.0/24

ip camera 192.168.10.198/33

mikrotik ipWan 192.168.20.184

I would like to know what firewall rules I should implement to be able to reach the camera behind the MikroTik from my PC by WireGuard.
Please.