Routing VLAN through WireGuard VPN

I’m looking for help setting up my WireGuard client on my Mikrotik. I have a WireGuard server set up on a hAP in another city. I have a working configuration that I can use from my laptop, but I’d like to transfer that to my router to route my work computer.

I’ve tried various walkthroughs. Unfortunately, most of them are either in an older version of RouterOS, or they miss key settings that I would like to emulate. Namely, I want to route my VLAN 50 (VLAN_Work) through my WireGuard client on the MikroTik. I’m attempting to use the wg-LH-Mikro interface.

I feel like I’m a dns setting away from getting this to work properly. When I torch the connection I just see a bunch of dns tx with no rx. The DNS is using my local settings instead of the DNS I have set in the WG client.

That being said, I’m probably very wrong, and I would appreciate any help with this matter.

Thank you in advance.

PS. Please let me know if I removed too many key elements of the config below.

# 2025-05-19 17:57:59 by RouterOS 7.16.2
# software id = REMOVED
#
# model = RB750Gr3
# serial number = REMOVED
/interface bridge
add name=BridgemDNS protocol-mode=none vlan-filtering=yes
add admin-mac=REMOVED auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short vlan-filtering=yes
/interface wireguard
add listen-port=31313 mtu=1420 name=SF_Mikro
add listen-port=42746 mtu=1420 name=wg-LH-Mikro
/interface vlan
add interface=bridge name=VLAN_Cameras vlan-id=20
add interface=bridge name=VLAN_MAIN vlan-id=10
add interface=bridge name=VLAN_Printer vlan-id=40
add interface=bridge name=VLAN_TVs vlan-id=30
add interface=bridge name=VLAN_Work vlan-id=50
/interface macvlan
add interface=VLAN_MAIN mac-address=REMOVED name=macvlanMAIN
add interface=VLAN_Printer mac-address=REMOVED name=macvlanPTRE
add interface=VLAN_TVs mac-address=REMOVED name=macvlanTVs
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=WAN2
/interface lte apn
set [ find default=yes ] default-route-distance=3
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool_Bridge ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool_TVs ranges=192.168.96.2-192.168.96.254
add name=dhcp_pool_Cameras ranges=192.168.91.2-192.168.91.254
add name=dhcp_pool_Work ranges=192.168.50.2-192.168.50.254
add name=dhcp_pool_Main ranges=192.168.87.2-192.168.87.254
add name=dhcp_pool_Maintenance ranges=192.168.89.2-192.168.89.254
add name=dhcp_printer ranges=192.168.92.2-192.168.92.4
add name=dhcp_pool_MIA-WG ranges=192.168.177.2-192.168.177.8
/ip dhcp-server
add address-pool=dhcp_pool_Bridge interface=bridge lease-time=1d14h name=\
    DHCP_Bridge
add address-pool=dhcp_pool_TVs interface=VLAN_TVs lease-time=1d12h30m name=\
    DHCP_TVs
add address-pool=dhcp_pool_Cameras interface=VLAN_Cameras lease-time=1d12h20m \
    name=DHCP_Cameras
add address-pool=dhcp_printer interface=VLAN_Printer name=DHCP_Printer
add address-pool=dhcp_pool_Main interface=VLAN_MAIN name=DHCP_Main
# Interface not running
add address-pool=dhcp_pool_Maintenance interface=ether5 name=Maintenance
add address-pool=dhcp_pool_Work interface=VLAN_Work name=DHCP_Work
/routing table
add comment="routing table for WireGuard - LH" disabled=no fib name=WG_MIA_RT
add comment="Routing table for LH Mikrotik" disabled=no fib name=WG_LH_RT
/interface bridge filter
add action=accept chain=forward comment="Allow mDNS only" dst-address=\
    224.0.0.251/32 dst-mac-address=REMOVED/FF:FF:FF:FF:FF:FF \
    dst-port=5353 in-bridge=BridgemDNS ip-protocol=udp mac-protocol=ip \
    out-bridge=BridgemDNS src-port=5353
add action=drop chain=forward comment="Drop all other L2 traffic" in-bridge=\
    BridgemDNS out-bridge=BridgemDNS
/interface bridge nat
add action=src-nat chain=srcnat comment=\
    "Use your primary bridge MAC address here" dst-mac-address=\
    REMOVED/FF:FF:FF:FF:FF:FF src-mac-address=\
    REMOVED/FF:FF:FF:FF:FF:FF to-src-mac-address=REMOVED
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 \
    path-cost=10
add bridge=bridge interface=VLAN_TVs
add bridge=bridge interface=VLAN_Cameras multicast-router=permanent
add bridge=*11 interface=VLAN_Printer
add bridge=*13 interface=VLAN_MAIN
add bridge=BridgemDNS interface=macvlanMAIN
add bridge=BridgemDNS interface=macvlanTVs
add bridge=BridgemDNS interface=macvlanPTRE
add bridge=bridge interface=VLAN_Work
/ip firewall connection tracking
set enabled=yes udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=ether2,ether3,ether4,bridge vlan-ids=10,20,30,40,50
add bridge=bridge untagged=ether2,bridge vlan-ids=1
add bridge=bridge tagged=VLAN_MAIN,VLAN_TVs vlan-ids=10,30
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add comment=defconf interface=lte1 list=WAN
add comment=defconf interface=ether5 list=LAN
add comment=defconf interface=*1E list=WAN
add comment=defconf interface=wg-LH-Mikro list=WAN
/interface wireguard peers
add allowed-address=192.168.90.2/32 interface=SF_Mikro name=SF_Windows \
    private-key="REMOVED" public-key=\
    "REMOVED"
add allowed-address=192.168.90.3/32 interface=SF_Mikro name=SF_iOS \
    private-key="REMOVED" public-key=\
    "REMOVED"
add allowed-address=0.0.0.0/0 client-dns=208.67.220.220 endpoint-address=\
    REMOVED endpoint-port=13231 interface=wg-LH-Mikro name=\
    LH_Mikrotik persistent-keepalive=25s public-key=\
    "REMOVED"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.87.1/24 interface=VLAN_MAIN network=192.168.87.0
add address=192.168.91.1/24 interface=VLAN_Cameras network=192.168.91.0
add address=192.168.96.1/24 interface=VLAN_TVs network=192.168.96.0
add address=192.168.92.1/24 interface=VLAN_Printer network=192.168.92.0
add address=192.168.89.1/24 comment="Management VLAN on Ether5" interface=\
    ether5 network=192.168.89.0
add address=192.168.90.1/24 interface=SF_Mikro network=192.168.90.0
add address=192.168.50.1/24 interface=VLAN_Work network=192.168.50.0
add address=192.168.177.2 interface=*1E network=192.168.177.0
add address=192.168.32.3 interface=wg-LH-Mikro network=192.168.32.3
/ip arp
add address=192.168.92.2 interface=VLAN_Printer mac-address=REMOVED
/ip dhcp-client
add add-default-route=no comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.88.16 comment="Netgear Switch" mac-address=\
    REMOVED server=DHCP_Bridge
add address=192.168.96.253 mac-address=REMOVED server=DHCP_TVs
add address=192.168.96.251 client-id=REMOVED mac-address=\
    REMOVED server=DHCP_TVs
add address=192.168.92.2 client-id=REMOVED mac-address=\
    REMOVED server=DHCP_Printer
/ip dhcp-server network
add address=192.168.32.3/32 gateway=192.168.32.3
add address=192.168.50.0/24 gateway=192.168.50.1
add address=192.168.87.0/24 gateway=192.168.87.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
add address=192.168.89.0/24 gateway=192.168.89.1
add address=192.168.90.0/24 gateway=192.168.90.1
add address=192.168.91.0/24 gateway=192.168.91.1
add address=192.168.92.0/24 gateway=192.168.92.1
add address=192.168.96.0/24 gateway=192.168.96.1
add address=192.168.177.2/32 comment=MIA_VPN gateway=192.168.177.1
/ip dns
set allow-remote-requests=yes mdns-repeat-ifaces=\
    VLAN_TVs,VLAN_MAIN,VLAN_Printer,bridge
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input dst-port=8291 protocol=tcp src-address=\
    192.168.89.0/24
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=drop chain=input comment="Drop Winbox Port not coming from LAN" \
    dst-port=8291 protocol=tcp src-address=!192.168.88.0/24
add action=accept chain=input comment="Allow MDNS" connection-type="" \
    disabled=yes dst-address=224.0.0.251 dst-port=5353 log=yes log-prefix=\
    mDNS protocol=udp src-port=5353
add action=accept chain=input comment="Allow MDNS" connection-type="" \
    dst-address=239.255.255.250 dst-port=1900 log=yes log-prefix=mDNS \
    protocol=udp src-port=1900
add action=accept chain=forward comment="Allow traffic from Main to TVs" \
    out-interface=VLAN_TVs protocol=udp src-address=192.168.87.0/24
add action=accept chain=forward comment="Allow traffic from Main to Printer" \
    out-interface=VLAN_Printer protocol=udp src-address=192.168.87.0/24
add action=accept chain=forward comment="Allow traffic from Main to TVs" \
    dst-address=224.0.0.251 protocol=udp src-address=192.168.87.0/24
add action=accept chain=forward comment="Allow Connections to TVs" \
    connection-state="" dst-address=192.168.96.251-192.168.96.253 \
    src-address=224.0.0.251
add action=accept chain=forward comment="Allow Connections from TVs" \
    connection-state=established,related,untracked src-address=\
    192.168.96.251-192.168.96.253
add action=accept chain=forward comment="Allow Connections from Printer" \
    connection-state=established,related,untracked src-address=192.168.92.2
add action=accept chain=input comment="Allow WireGuard" dst-port=42746 \
    protocol=udp
add action=accept chain=output comment="Allow WireGuard" dst-port=13231 \
    out-interface=wg-LH-Mikro protocol=udp
add action=accept chain=forward out-interface=wg-LH-Mikro src-address=\
    192.168.50.0/24
add action=accept chain=forward dst-address=192.168.50.0/24 in-interface=\
    wg-LH-Mikro
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
    dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
/ip firewall mangle
add action=mark-routing chain=prerouting in-interface=VLAN_Work \
    new-routing-mark=WG_LH_RT passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    9.9.9.9 routing-table=main scope=30 suppress-hw-offload=no target-scope=\
    11 vrf-interface=ether1
add disabled=no distance=1 dst-address=9.9.9.9/32 gateway=10.0.0.1 \
    routing-table=main scope=10 suppress-hw-offload=no target-scope=10
add disabled=no distance=2 dst-address=1.1.1.1/32 gateway=10.0.0.1 \
    routing-table=main scope=10 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
    1.1.1.1 routing-table=main scope=30 suppress-hw-offload=no target-scope=\
    11 vrf-interface=ether1
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=*1E routing-table=\
    WG_MIA_RT scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.32.3/32 gateway=VLAN_Work \
    routing-table=WG_LH_RT scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wg-LH-Mikro \
    routing-table=WG_LH_RT scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.88.0/24,192.168.87.0/24,192.168.89.0/24
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/routing igmp-proxy interface
add interface=VLAN_MAIN upstream=yes
add interface=VLAN_TVs
/routing rule
add action=lookup-only-in-table disabled=yes dst-address="" src-address=\
    192.168.50.0/24 table=WG_MIA_RT
add action=lookup-only-in-table disabled=no dst-address="" src-address=\
    192.168.50.0/24 table=WG_LH_RT
add action=lookup disabled=no dst-address="" src-address=192.168.177.2/32 \
    table=WG_MIA_RT
add action=lookup-only-in-table disabled=no dst-address="" src-address=\
    192.168.32.3/32 table=WG_LH_RT
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name="MikroTik"
/system note
set show-at-login=no
/system scheduler
add interval=1h30m name=CheckDNS_Schedule on-event=CheckDNS policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2025-02-18 start-time=18:19:21
/system script
add dont-require-permissions=no name=CheckDNS owner=Owner policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    tool fetch host=\"freedns.afraid.org\" url=\"https://freedns.afraid.org/dy\
    namic/update.php\?REMOVED"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

would need to see both configs
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys )

What are the actual requirements?
a. users on remote router to access lan subnets ( right now you have one vlan it seems that need that)
b. users on remote router to access internet of server router?
c. admin to access server router for config purposes?
d. admin to access all lans on server router?

Are there any reverse requirements?
ability for admin on server router to access config of remote client router?

Remote road warrior requirements…
In other words, not replace your current laptop access from anywhere, but keep it and perhaps have others added???
admin as road warrior to access both routers for config purposes?
admin as road warrior to access subnets on both routers?
admin as road warrior to access internet out of server Router…

Thank you for the questions.

I unfortunately, do not have a copy of the config of the remote router. I only have the config of the client router that I posted above. I should have thought to get one before leaving, but I did not think I would need one with a working WireGuard connection. I’m not sure the people living in that location are savvy enough to produce one for me.

I can tell you that the remote router is behind a cable modem/router with one udp port (13231) forwarded to the Mikrotik. It is an hAP running almost completely a stock configuration of 7.18.2 with three differences:
I added the WG connection with IP of 192.168.32.0
I added a script to get the IP address, which isn’t static, but is private.
I changed the default IP from 192.168.88 to 192.168.77.

As far as requirements go:
Option b (users on remote router to access internet of server router) would suffice.
No reverse requirements.

Edit to add. I do have a Mullvad subscription, which I also failed to get working. I ran into similar issues. I’d be happy to get either one working. Perhaps if I can work through my issues with the Mullvad connection (and I assume there would be no secondary config required), I can get the Mikrotik working later.

Check if you have your local subnets added to allowed-address on the remote router. If you just took the existing configuration from your laptop and moved it to a router, usually this should be the only thing to change. That’s because previously the laptop itself was the WG client, so its WG IP was allowed on the remote server. Now the laptop isn’t using the WG IP as the source.

If you don’t have access to the remote server or simply don’t want to reconfigure it (at least for now), you can still make it work by using src-nat or masquerade on your router’s WG interface, so that connections from your laptop (and other devices) get NAT-ed to the WG IP, which is already allowed on the server.

This is also how you make things work with VPN providers where they give you just one WG IP and, obviously, don’t allow you to reconfigure anything on their side.
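The allowed-address behaviour described in the reply above, as an added illustration that is not code from this thread or from WireGuard/MikroTik: a small Python model of WireGuard's cryptokey routing on the server side. It shows why a packet whose inner source is a VLAN_Work address is silently dropped by the server when only the router's tunnel IP is allowed, why masquerading onto the tunnel IP makes it pass, and why adding the LAN prefix to allowed-address on the server is the other fix (which also gives the server a return path, since the same allowed-address list decides which peer a reply is encrypted to). The peer name LH_home_router, the host 192.168.50.20 and the server-side peer entries are constructed for the example; 192.168.32.3 and 192.168.50.0/24 are taken from the config posted above.

```python
"""
Model of WireGuard cryptokey routing (added example, not from the thread).

Server side, inbound:  after decryption a packet is accepted only if its inner
source address lies inside the sending peer's allowed-address list.
Server side, outbound: a packet is encrypted to the peer whose allowed-address
covers the destination; if no peer covers it, it cannot leave via the tunnel.
Client side: srcnat/masquerade on the WG interface rewrites the inner source
to the router's own tunnel address before encryption.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def _covered(addr: str, prefixes: List[str]) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p, strict=False) for p in prefixes)


def server_accepts(peer_allowed: List[str], pkt: Packet) -> bool:
    """Inbound cryptokey routing check for one peer's allowed-address list."""
    return _covered(pkt.src, peer_allowed)


def peer_for_reply(peers: Dict[str, List[str]], dst: str) -> Optional[str]:
    """Outbound cryptokey routing: which peer (if any) owns this destination."""
    for name, allowed in peers.items():
        if _covered(dst, allowed):
            return name
    return None


def masquerade(pkt: Packet, tunnel_addr: str) -> Packet:
    """action=masquerade on the client's WG interface: rewrite inner source."""
    return Packet(src=tunnel_addr, dst=pkt.dst)


def tunnel_roundtrip(peers: Dict[str, List[str]], client: str, pkt: Packet,
                     masq_addr: Optional[str] = None) -> Tuple[bool, Optional[str]]:
    """Send pkt from `client` into the tunnel; return (accepted, peer used for the reply)."""
    if masq_addr is not None:
        pkt = masquerade(pkt, masq_addr)
    accepted = server_accepts(peers[client], pkt)
    reply_peer = peer_for_reply(peers, pkt.src) if accepted else None
    return accepted, reply_peer


# Constructed server-side peer table: only the router's tunnel IP is allowed,
# which is what a config copied from a single laptop normally looks like.
SERVER_PEERS = {"LH_home_router": ["192.168.32.3/32"]}
# Constructed alternative: the server admin also allows the VLAN_Work subnet.
SERVER_PEERS_WITH_LAN = {"LH_home_router": ["192.168.32.3/32", "192.168.50.0/24"]}
TUNNEL_ADDR = "192.168.32.3"

if __name__ == "__main__":
    lan_pkt = Packet("192.168.50.20", "1.1.1.1")      # constructed VLAN_Work host
    laptop_pkt = Packet(TUNNEL_ADDR, "1.1.1.1")        # what the laptop used to send
    print("laptop-style source  :", tunnel_roundtrip(SERVER_PEERS, "LH_home_router", laptop_pkt))
    print("VLAN_Work, no NAT    :", tunnel_roundtrip(SERVER_PEERS, "LH_home_router", lan_pkt))
    print("VLAN_Work, masquerade:", tunnel_roundtrip(SERVER_PEERS, "LH_home_router", lan_pkt, TUNNEL_ADDR))
    print("VLAN_Work, LAN allowed on server:", tunnel_roundtrip(SERVER_PEERS_WITH_LAN, "LH_home_router", lan_pkt))
```

The second and third lines of output are the two ends of the advice in the thread: with the server untouched, the masquerade is what lets VLAN_Work traffic through; with the server's allowed-address widened, the NAT becomes unnecessary but the server now also needs routes/firewall rules for 192.168.50.0/24, which is the extra configuration anav mentions later.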

I think this relevant bit of config should already apply NAT on the wg interface.

/interface list member
...
add comment=defconf interface=wg-LH-Mikro list=WAN
...
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
...

Okay will focus on your local router ( client router for handshake ).

  1. In general use only one bridge. If you need extra subnets use vlans.
    /interface bridge
    add name=BridgemDNS protocol-mode=none vlan-filtering=yes
    add admin-mac=REMOVED auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short vlan-filtering=yes

  2. Why do you have two WAN interface lists??

  3. Why the use of macvlans…

  4. To confirm the wireguard table to route traffic to the server router is WG_LH_RT ??

  5. Not familiar with bridge filters, bridge nat, nor macvlans so cannot comment on them

  6. None of your bridge ports are correct. When using vlans they should be either trunk ports (only vlan tagged frame types) or access ports (priority and untagged frames), and they identify etherports or WIFI ports, NOT VLANS. Not sure about macvlans but I doubt they qualify as etherports or wlans either.

  7. If ether2,3,4 are trunk ports just put
    /interface bridge port
    add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether2 comment="trunk port to ??"
    add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether3 comment="trunk port to ??"
    add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether4 comment="trunk port to ??"

  8. AVOID This mistake, once using vlans the bridge should not be involved in any DHCP or any extra settings for vlan1. PLUS you already have tagged vlans on ether2 trunk port.
    PLUS no such thing as untagging bridge.
    add bridge=bridge untagged=ether2,bridge vlan-ids=1

  9. Bridge is no longer needed as a LAN interface list member, all vlans should be identified and probably macvlans as well.

  10. On the wireguard peer for the other router you are using dns 208.67.220.220 (is that available on the other router?), otherwise your router may try to use the local router or local wan for dns.

  11. ADDRESS IS WRONG for wireguard peer:
    add address=192.168.32.3**???** interface=wg-LH-Mikro network=192.168.32.3

Should be:
add address=192.168.32.3**/24** interface=wg-LH-Mikro network=192.168.32.0

  12. This router is NOT hosting any wireguard and thus there should be NO input chain rules for handshakes… and no output chain rules are ever required.
    add action=accept chain**=input** comment="Allow WireGuard" dst-port=42746 \
    protocol=udp
    add action=accept chain=output comment="Allow WireGuard" dst-port=13231 \
    out-interface=wg-LH-Mikro protocol=udp

  13. You have two forward chain rules for subnet .50 on router.
    a. to allow users on .50 subnet to reach wireguard tunnel
    b. to allow remote users to reach subnet .50 via the wireguard tunnel.
    c. are there any remote subnets coming to this router?

Please confirm both requirements are true!!

  14. Firewall rules are not really in logical order, and it's wise to keep chains together for easy reading and to spot errors.

  15. If not using ipv6, then disable ipv6 and get rid of all associated firewall rules and address lists.

  16. You do not need a mangle rule for subnet .50 to go to wireguard tunnel since you are already using routing rules. Remove it.

  17. Modify routing rules to the following, and order is important.
    From:
    /routing rule
    add action=lookup-only-in-table disabled=yes dst-address="" src-address=\
    192.168.50.0/24 table=WG_MIA_RT
    add action=lookup-only-in-table disabled=no dst-address="" src-address=\
    192.168.50.0/24 table=WG_LH_RT
    add action=lookup disabled=no dst-address="" src-address=192.168.177.2/32 \
    table=WG_MIA_RT
    add action=lookup-only-in-table disabled=no dst-address="" src-address=\
    192.168.32.3/32 table=WG_LH_RT

To:
/routing rule
add action=lookup-only-in-table min-prefix=0 table=main
{ allows local traffic to talk to each other, of course if allowed by forward chain firewall rules }
add action=lookup-only-in-table src-address=192.168.50.0/24 table=WG_LH_RT
add action=lookup-only-in-table src-address=192.168.177.2/32 table=WG_MIA_RT

  18. In terms of ROUTES, they need much work as well.
    ->It would appear that you have two WANs?
    one is LTE APN with distance 3.
    ->ether1 is WAN terminated to the router using IP-dhcp-client

BUT CONFUSED on your routing for this WAN. I see it's an attempt at recursive routing, but how do you know the gateway IP of ether1?? Is it static??
Perhaps you are just using fictitious numbers, so OKAY, if true then routes should look like:
/ip route
add check-gateway=ping dst-address=0.0.0.0/0 gateway=9.9.9.9 routing-table=main scope=10 target-scope=12
add dst-address=9.9.9.9/32 gateway=10.0.0.1 routing-table=main scope=10 target-scope=11
add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=1.1.1.1 routing-table=main scope=10 target-scope=12
add distance=2 dst-address=1.1.1.1/32 gateway=10.0.0.1 routing-table=main scope=10 target-scope=11
add dst-address=0.0.0.0/0 gateway=*1E routing-table=WG_MIA_RT
add dst-address=0.0.0.0/0 gateway=wg-LH-Mikro routing-table=WG_LH_RT

*1E indicates you have a problem with this interface.
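The routing-rule order recommended above, traced step by step as an added example (this is Python, not RouterOS script, and not code from anav or the OP): a model of how /routing rule entries are evaluated top to bottom. min-prefix=0 on the main-table rule suppresses the default route (prefix length 0), so only connected or more specific routes in main can win there and everything else falls through to the next rule; a lookup-only-in-table rule whose table holds no route at all is modelled as a drop, which is this example's reading of the RouterOS documentation; if no rule matches at all, the main table is used as usual. The tables, rules and hosts are constructed from the config in this thread (VLAN_Work 192.168.50.0/24, VLAN_MAIN 192.168.87.0/24, table WG_LH_RT with a default route via wg-LH-Mikro). The last case shows what the OP's original rule set, with no main-table rule first, does to traffic from VLAN_Work to another local VLAN.

```python
"""
Policy-routing walk-through for RouterOS v7 style routing rules
(added example; semantics as described in the lead-in, not a RouterOS emulator).
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    dst: str       # destination prefix, e.g. "192.168.50.0/24"
    gateway: str   # next hop address or outgoing interface


@dataclass(frozen=True)
class Rule:
    table: str                        # table to do lookup-only-in-table in
    src: Optional[str] = None         # src-address match; None = any source
    min_prefix: Optional[int] = None  # suppress routes whose prefixlen <= this


def longest_match(table: List[Route], dst: str) -> Optional[Route]:
    """Plain longest-prefix match inside one routing table."""
    d = ipaddress.ip_address(dst)
    best = None
    for r in table:
        net = ipaddress.ip_network(r.dst)
        if d in net and (best is None or net.prefixlen > ipaddress.ip_network(best.dst).prefixlen):
            best = r
    return best


def resolve(rules: List[Rule], tables: Dict[str, List[Route]], src: str, dst: str) -> Tuple[str, str]:
    """Return (table, gateway) chosen for a packet; gateway "DROP" means no route."""
    s = ipaddress.ip_address(src)
    for rule in rules:
        if rule.src is not None and s not in ipaddress.ip_network(rule.src):
            continue                                   # rule does not apply to this source
        route = longest_match(tables[rule.table], dst)
        if route is None:
            return rule.table, "DROP"                  # lookup-only-in-table with nothing found
        if rule.min_prefix is not None and ipaddress.ip_network(route.dst).prefixlen <= rule.min_prefix:
            continue                                   # suppressed (the default route); try next rule
        return rule.table, route.gateway
    fallback = longest_match(tables["main"], dst)      # no rule matched: ordinary main lookup
    return "main", fallback.gateway if fallback else "DROP"


# Constructed tables mirroring the thread's config (connected routes + defaults).
TABLES = {
    "main": [
        Route("0.0.0.0/0", "9.9.9.9"),            # recursive default via ether1
        Route("192.168.50.0/24", "VLAN_Work"),
        Route("192.168.87.0/24", "VLAN_MAIN"),
        Route("192.168.32.3/32", "wg-LH-Mikro"),
    ],
    "WG_LH_RT": [Route("0.0.0.0/0", "wg-LH-Mikro")],
    "WG_MIA_RT": [Route("0.0.0.0/0", "*1E")],
}

# anav's suggested order: main table first with the default route suppressed.
RECOMMENDED_RULES = [
    Rule("main", min_prefix=0),
    Rule("WG_LH_RT", src="192.168.50.0/24"),
    Rule("WG_MIA_RT", src="192.168.177.2/32"),
]
# The OP's original active rule: VLAN_Work goes straight to the WG table.
ORIGINAL_RULES = [Rule("WG_LH_RT", src="192.168.50.0/24")]

if __name__ == "__main__":
    for label, rules in (("recommended", RECOMMENDED_RULES), ("original", ORIGINAL_RULES)):
        print(label, "VLAN_Work -> VLAN_MAIN :", resolve(rules, TABLES, "192.168.50.20", "192.168.87.5"))
        print(label, "VLAN_Work -> internet  :", resolve(rules, TABLES, "192.168.50.20", "1.1.1.1"))
        print(label, "VLAN_MAIN -> internet  :", resolve(rules, TABLES, "192.168.87.5", "1.1.1.1"))
```

With the recommended order, VLAN_Work reaches VLAN_MAIN directly and only its internet-bound traffic enters the tunnel, while VLAN_MAIN keeps using the normal WAN; with the original single rule, even VLAN_Work to VLAN_MAIN traffic is pushed down the tunnel because WG_LH_RT only knows a default route, which is the "local traffic can talk to each other" point of the min-prefix=0 rule.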

You are right, I didn’t look closely at the configuration. It appears @anav found a number of issues, so the problem must be elsewhere.

The NAT question is covered in the sense that all users coming from the local router will have, as source IP, the local wireguard IP address, due to the wireguard interface being added to the WAN interface list, and thus an extra sourcenat rule just for the wireguard is not required.
Now it's kind of mandatory when using a third party provider which IS ONLY expecting one IP address to hit their server.
Working with another MT router one has more flexibility, normally, to delineate at the other end what subnets are to be included in allowed addresses and the necessary firewall rules and routes required to send back non-local traffic through the tunnel. So in other words added flexibility also means more configuration.
I prefer the granular approach because then one can differentiate which users are allowed to go where on the receiving router.
Using the sourcenat approach one does NOT at the receiving router…

Thus the onus is making sure on the sending end to be very granular with who is allowed to enter the tunnel and to which address they are allowed to send traffic through the tunnel, so a bit more work on the sending side.

In this case, sourcenat makes sense because it would appear the local admin does not have ready access to the config of the receiving (server for handshake) router.

Yes, there are many issues with the config, and wireguard is just one of them.

First of all. Thank you so much for the time you have taken to respond. I really appreciate the full rundown of my config file, and I fully intend to slowly implement the changes that you have suggested. I did get the WireGuard interface working right before your very helpful post, so I’ll put the changes I made (some of which I will slowly remove while checking for issues) before I answer questions regarding the config.

Note, the following code just includes the sections where I made changes for the sake of brevity.

/ip dhcp-server network
add address=192.168.32.3/32 comment="wg-LH " dns-server=208.67.220.220 \
    gateway=192.168.32.3
add address=192.168.50.0/24 comment=VLAN-Work dns-server=\
    208.67.220.220,192.168.88.1 gateway=192.168.50.1
...
/ip firewall mangle
add action=mark-routing chain=prerouting in-interface=VLAN_Work \
    new-routing-mark=WG_LH_RT passthrough=no
add action=change-mss chain=postrouting new-mss=1380 out-interface=\
    wg-LH-Mikro passthrough=no protocol=tcp tcp-flags=syn
...
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    9.9.9.9 routing-table=main scope=30 suppress-hw-offload=no target-scope=\
    11 vrf-interface=ether1
add disabled=no distance=1 dst-address=9.9.9.9/32 gateway=10.0.0.1 \
    routing-table=main scope=10 suppress-hw-offload=no target-scope=10
add disabled=no distance=2 dst-address=1.1.1.1/32 gateway=10.0.0.1 \
    routing-table=main scope=10 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
    1.1.1.1 routing-table=main scope=30 suppress-hw-offload=no target-scope=\
    11 vrf-interface=ether1
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=*1E routing-table=\
    WG_MIA_RT scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wg-LH-Mikro \
    routing-table=WG_LH_RT scope=30 suppress-hw-offload=no target-scope=10
add disabled=no dst-address=192.168.50.0/24 gateway=wg-LH-Mikro \
    routing-table=WG_LH_RT suppress-hw-offload=no
...
/routing rule
add action=lookup-only-in-table disabled=yes dst-address="" src-address=\
    192.168.50.0/24 table=WG_MIA_RT
add action=lookup-only-in-table disabled=no dst-address="" routing-mark=\
    WG_LH_RT src-address=192.168.50.0/24 table=WG_LH_RT
add action=lookup-only-in-table disabled=no dst-address=0.0.0.0/0 interface=\
    VLAN_Work routing-mark=WG_LH_RT src-address=192.168.50.0/24 table=\
    WG_LH_RT
add action=lookup disabled=no dst-address="" src-address=192.168.177.2/32 \
    table=WG_MIA_RT
add action=lookup-only-in-table disabled=no dst-address="" routing-mark=\
    WG_LH_RT src-address=192.168.32.3/32 table=WG_LH_RT
add action=lookup-only-in-table disabled=no dst-address=192.168.50.0/24 \
    interface=wg-LH-Mikro routing-mark=WG_LH_RT src-address=0.0.0.0/0 table=\
    WG_LH_RT

Now to answer your questions, the best I can, which… just look at my user name.

  1. In general use only one bridge.
    I think it’s better if I address this in an answer to point 3.

  2. Why do you have two WAN interface lists??
    When I was first attempting to get my lte backup going, I created this. Thanks for the reminder that it was just a vestigial piece of config.

  3. Why the use of macvlans…
    I could not for the life of me get mdns working correctly. I finally ended up following a this guide, which I think also accounts for the extra bridge you mentioned in point 1: http://forum.mikrotik.com/t/mdns-between-vlans-with-just-bridge-filters-look-mum-no-containers/173295/1

  4. To confirm the wireguard table to route traffic to the server router is WG_LH_RT ??
    Correct.

  5. Not familiar with bridge filters, bridge nat, nor macvlans so cannot comment on them
    I still think this is part of the guide I used to get my tvs and printer talking across the vlans.

  6. None of your bridge ports are correct. When using vlans they should be either trunk ports (only vlan tagged frame types) or access ports (priority and untagged frames), and they identify etherports or WIFI ports, NOT VLANS. Not sure about macvlans but I doubt they qualify as etherports or wlans either.
    Sounds like I need to get back into the config to get it working correctly. Maybe once they are correctly configured, I can ditch the macvlans.

  7. If ether2,3,4 are trunk ports just put…
    Will do. Thanks for the feedback. They are, in fact, all trunk ports. Really, only port 2 is in use. It feeds into a managed switch that feeds 3 APs that add vlan tags based on AP name. I wanted the others available just in case.

  8. AVOID This mistake, once using vlans the bridge should not be involved in any DHCP or any extra settings for vlan1. PLUS you already have tagged vlans on ether2 trunk port.
    PLUS no such thing as untagging bridge.
    I was kinda worried about losing access to the switch and APs. I’ll try this change in safe mode to see if I can get it set correctly. All the APs and the switch are on the 192.168.88.# IP addresses, which mirrors the bridge, so I’ll need to figure this out when my much better half is away.

  9. Bridge is no longer needed as a LAN interface list member, all vlans should be identified and probably macvlans as well.
    See above. I will tackle this, but need to clear out the house first.

  10. On the wireguard peer for the other router you are using dns 208.67.220.220 (is that available on the other router?), otherwise your router may try to use the local router or local wan for dns.
    That was the DNS listed in my wireguard config file. I think it is the DNS the provider has hardcoded in their router.

  11. ADDRESS IS WRONG for wireguard peer:
    Interesting. I tried to follow the interface created for my laptop. I’ll change that to see if it provides a more reliable connection.

  12. This router is NOT hosting any wireguard and thus there should be NO input chain rules for handshakes… and no output chain rules are ever required.
    Thanks I will remove those. I was just throwing crap at the wall to see what would stick. I find the mikrotik documents fly way over my head, and people who make guides really just gloss over important things.

  13. You have two forward chain rules for subnet .50 on router
    a. to allow users on .50 subnet to reach wireguard tunnel
    b. to allow remote users to reach subnet .50 via the wireguard tunnel.
    c. are there any remote subnets coming to this router?..
    I just wanted scenario a.

  14. Firewall rules are not really in logical order, and its wise to keep chains together for easy reading and to spot errors.
    I really don’t know much about firewall rules. I will clean up the pieces that have seen absolutely no traffic. Are there any good guides out there for dummies like myself?

  15. If not using ipv6, then disable ipv6 and get rid of all associated firewall rules and address lists.
    I think the failover lte connection may use ipv6, but I’m not sure. Those are definitely default. I’d be happy to remove them.

  16. Modify routing rules to the following, and order is important.
    From:…
    I’ll implement this. Thanks.

  17. In terms of ROUTES, they need much work as well.
    ->It would appear that you have two WANs?..
    I think I was trying to be too tricky for my own good on this one. If I remember correctly, my intent was to check both 9.9.9.9 and 1.1.1.1 before failing over to lte. I wanted to make sure the internet was really down and not just the dns. I was trying to use recursive routing, yes.

*1E indicates you have a problem with this interface.
That’s a vestige from my attempt at getting Mullvad to work. I removed the Mullvad interface, but I forgot to remove the route that I added watching a guide.

Thanks again for all the feedback. It took me forever to answer you, so I imagine it took longer to look through my awful config file for clues. I’m truly very grateful.

So now for what feels like the punchline of a really bad joke… My intent was to setup this WireGuard connection to look like I was in Florida. For some reason, whatsmyip shows me in Colorado Springs after getting this working. I am in neither state, so I guess it’s back to Mullvad after fixing some of the more glaring issues that you’ve pointed out.

@anav can I ask you: why are you playing with protocol-mode=none?

I understand using none if you have virtual and physical combined together; even the MT wiki recommends that.