SXT LTE6 - SXTR&FG621-EA - Wireguard not working

Hello,

I'm really struggling with WireGuard on my SXT LTE. I really wish MT would allow Back To Home on this, like on my old hAP ac2, but hey ho.

I’m starting with a default config so I can try to understand this.

It all looks OK: the WireGuard client on W11 shows connected, but I'm unable to WinBox into the SXT.

here is my MT config

[admin@MikroTik] > export hide-sensitive
# 2024-07-16 19:07:16 by RouterOS 7.15.2
# software id = 17MM-EWUD
#
# model = SXTR
# serial number = xxxxxxx
/interface bridge
add admin-mac=xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge
/interface lte
set [ find default-name=lte1 ] allow-roaming=no band="" sms-read=no
/interface wireguard
add listen-port=51820 mtu=1420 name=wg0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] apn=vodafone.co.uk ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.188.10-192.168.188.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/queue type
add fq-codel-ecn=no kind=fq-codel name=fq-codel-ethernet-default
/queue interface
set ether1 queue=fq-codel-ethernet-default
set ether2 queue=fq-codel-ethernet-default
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=LAN
# Only the bridge is in LAN and only lte1 is in WAN; wg0 is in neither list.
# Every firewall rule keyed on in-interface-list therefore treats tunnel
# traffic as "not LAN".
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
# NOTE(review): allowed-address=10.0.0.2/24 admits the whole 10.0.0.0/24 as a
# source for this single peer, including this router's own wg0 address
# 10.0.0.1 (set under /ip address below); a single road-warrior client is
# normally given /32. endpoint-address is a *.sn.mynetname.net name, i.e. a
# MikroTik IP Cloud DDNS name - if it is this SXT's own cloud name it is wrong
# here, because on the listening side the endpoint is the client's address,
# and for a laptop on a changing address it is usually left unset.
# TODO confirm which host that name belongs to.
/interface wireguard peers
add allowed-address=10.0.0.2/24 endpoint-address=XXXXXXXX.sn.mynetname.net \
    endpoint-port=51820 interface=wg0 name=peer1 public-key=\
    "iip8dCtE--------------------------4fluirwk="
/ip address
add address=192.168.188.1/24 comment=defconf interface=bridge network=\
    192.168.188.0
add address=10.0.0.1/24 interface=wg0 network=10.0.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=192.168.188.0/24 comment=defconf dns-server=192.168.188.1 gateway=\
    192.168.188.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.188.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# NOTE(review): filter rules are matched top-down, first match wins. This
# accept sits after "defconf: drop all not coming from LAN" in the input
# chain (above), so WireGuard handshakes arriving on lte1 never reach it;
# move it above that drop rule. Separately, wg0 is not in the LAN list, so
# even with the tunnel up, WinBox from 10.0.0.0/24 towards the router is
# dropped by the same rule - add wg0 to LAN (see /interface list member) or
# add an explicit input accept for src-address=10.0.0.0/24.
add action=accept chain=input dst-port=51820 protocol=udp
# Tunnel <-> LAN forwarding. wg0 is not in WAN, so the "drop all from WAN not
# DSTNATed" rule above does not match these flows. The second rule
# (LAN -> tunnel) is only needed if LAN hosts must reach the laptop.
add action=accept chain=forward dst-address=192.168.188.0/24 src-address=\
    10.0.0.0/24
add action=accept chain=forward dst-address=10.0.0.0/24 src-address=\
    192.168.188.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
# Redundant: lte1 is already a member of WAN (see /interface list member), so
# the defconf masquerade rule above already covers it.
add action=masquerade chain=srcnat out-interface=lte1
# IPv6 below is the untouched default config. The LTE APN is ip-type=ipv4
# (above), so none of it is involved in the WireGuard problem.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" \
    src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" \
    dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/London
/system note
set show-at-login=no
# MAC-server and MAC-WinBox are allowed on the LAN list. If wg0 is added to
# LAN to fix WinBox access, both become reachable over the tunnel as well;
# the reply further down notes MAC-server is not a secure protocol and
# suggests setting the allowed list to none.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@MikroTik] > /ip

here are the screenshots of my W11 Wireguard setup.

https://forum.mikrotik.com/download/file.php?mode=view&id=67637
https://forum.mikrotik.com/download/file.php?mode=view&id=67638
https://forum.mikrotik.com/download/file.php?mode=view&id=67636

Would someone please give me a hand?

All i want to do (at the moment) is remote login to winbox on the device.
Thank you.
CaptureW11pc-log.PNG
CaptureW11pc-settings.PNG
CaptureW11pc-tunnel.PNG

The question is what is at both ends of the tunnel.
Are both ends under your control?
Does one end have a public IP, or is it possible to port-forward from the upstream router to the MT device?

Eventually would need configs of both
/export file=anynameyouwish ( minus router serial number, any public WANIP info, keys etc. )

hello,

All I need is to be able to use winbox or the Mikrotik app on my iphone or PC to see the stats and configure the SXT remotely, nothing cleverer than this.

My concern is that the SXT might be behind NAT, which may prevent me from doing this.

See images
wg1.PNG
wg2.PNG

here are answers to your questions Anav

one end = mikrotik SXT LTE6
other end = iphone or laptop

SXT has dynamic ip

I put both configs in the original message.

  1. mikrotik output from SXT
  2. windows 11 laptop wireguard config (shown as images)

On the SXT, some ideas:


  1. add wireguard to LAN interface
    add interface=wg0 list=LAN

  2. WireGuard allowed IPs need adjustment (a single client peer gets a /32, not a /24):
    /interface wireguard peers
    add allowed-address=10.0.0.2/32 interface=wg0 name=peer1 public-key=
    "iip8dCtE--------------------------4fluirwk="

  3. Slight re-ordering of firewall rules:

/ip firewall filter
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="wireguard handshake" dst-port=51820 protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN"
in-interface-list=!LAN
++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=
"defconf: accept established,related, untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes { enable if required or remove }
add action=accept chain=forward comment="allow remote users to LAN" dst-address=192.168.188.0/24 in-interface=wg0 *****
add action=drop chain=forward comment="drop all else"

*** If you had multiple WG users, you would use a src-address-list to delineate which of them may access your local LAN subnet, if not all of them should.


This rule is not required, unless you need to reach your remote Windows laptop from the LAN via WireGuard, which would be highly unusual.
And why would you want all LAN users to be able to do that anyway?
add action=accept chain=forward dst-address=10.0.0.2/24 src-address=192.168.188.0/24

  1. /tool mac-server
    set allowed-interface-list=NONE

mac-server by itself is not a secure protocol

WINDOWS CLIENT SETTINGS — no issues.

++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other things to check!!

a. No Windows firewall rules blocking the traffic.
b. Keys set correctly:
The public key generated by the MT goes on the Windows device, in the peer entry (alongside the allowed IPs) for the MT peer.
The public key generated by the Windows client goes on the MT device, in the peer entry (alongside the allowed IPs) for the Windows peer.

c. You can ping the SXT from the Windows device using the IP Cloud name.
d. The IP Cloud address shown on the MT is the same WAN IP shown in the LTE settings (i.e. are you actually getting a public IP from your provider?).