Unable to access network share over Wireguard

Hello,

I have set up Wireguard and a peer on my Mikrotik Rb5009 with the following IP setup

Wireguard Interface: 192.168.100.1/24
Wireguard Peer: 192.168.100.2/32

I have set my mobile device to use 0.0.0.0/0 for Allowed IPs to allow all traffic to the local lan.

I also set the following firewall rules:

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input dst-port=21 in-interface-list=WAN log=yes log-prefix="FTP - DomainsCOZA - " protocol=tcp src-address-list=allow_domainsCOZA_RS60_traffic
add action=accept chain=input dst-port=21 in-interface-list=WAN log-prefix="FTP - UptimeRobot - " protocol=tcp src-address-list=allow_uptime_robot_traffic
add action=accept chain=input comment="::Allow Wireguard Traffic::" dst-port=13231 protocol=udp
add action=accept chain=input comment="::Allow Wireguard Traffic::" src-address=192.168.100.0/24
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

Here is my IP Address list:

/ip address
add address=10.0.0.1/24 comment=defconf interface=bridge network=10.0.0.0
add address=192.168.100.1/24 interface=Wireguard1 network=192.168.100.0

Here is my route list:

Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, v - VPN
Columns: DST-ADDRESS, GATEWAY, DISTANCE
DST-ADDRESS GATEWAY DISTANCE
DAv 0.0.0.0/0 pppoe-out1 1
DAc 10.0.0.0/24 bridge 0
DAc 41.AAA.XX.YY/32 pppoe-out1 0
DAc 192.168.100.0/24 Wireguard1 0

The Wireguard connection is successfully made and I am able to access all web based interfaces on the internal LAN and I can additionally access the internet. However, I am unable to access a network share on my Windows 11 Machine that is on my local network when going through the Wireguard VPN.

If I disconnect the VPN and switch back to the wireless network, I am able to access the network share.

So at this point I wondered if my windows firewall was the cause so I disabled it temporarily and retested with the VPN but the problem was still there. This led me to believe the problem was with my configuration on my Mikrotik.

I would appreciate it if someone could assist me with figuring this out.

/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc. )

Also, do you have any servers on the LAN?
Single or dual WAN, and if dual WAN, how are they supposed to be used…

Thanks for being willing to help.
I think I managed to remove everything that should not be visible! I hope so.

Just a side note, you may find yourself asking about the SFP port. Well I figured that I don’t use the SFP port for anything so I decided to make that port my WAN port instead freeing up ether1 for a LAN port.

# 2024-11-07 06:39:58 by RouterOS 7.15.3
# software id = 
#
# model = RB5009UPr+S+
# serial number = 
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] name="sfp-sfpplus1[INTERNET]"
/interface pppoe-client
add add-default-route=yes disabled=no interface="sfp-sfpplus1[INTERNET]" \
    name=pppoe-out1 use-peer-dns=yes user=XXXXXXX
/interface wireguard
add listen-port=13231 mtu=1420 name=Wireguard1
/disk
set usb1 media-interface=none media-sharing=no
add media-interface=none media-sharing=no parent=usb1 partition-number=1 \
    partition-offset="1 048 576" partition-size="300 060 508 160" type=\
    partition
add media-interface=none media-sharing=no parent=usb1 partition-number=2 \
    partition-offset="300 061 556 736" partition-size="700 007 317 504" type=\
    partition
set usb2 media-interface=none media-sharing=no
add media-interface=none media-sharing=no parent=usb2 partition-number=1 \
    partition-offset="1 048 576" partition-size="300 060 508 160" type=\
    partition
add media-interface=none media-sharing=no parent=usb2 partition-number=2 \
    partition-offset="300 061 556 736" partition-size="700 007 317 504" type=\
    partition
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=10.0.0.50-10.0.0.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=1d name=defconf
/ip smb users
add name=sambauser
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/ip smb
set enabled=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether6 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether7 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether8 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=ManuallyAdded interface=ether1 internal-path-cost=\
    10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=pppoe-out1 list=WAN
add interface="sfp-sfpplus1[INTERNET]" list=WAN
/interface wireguard peers
add allowed-address=192.168.100.2/32 interface=Wireguard1 name=\
    Wireguard-Peer1 public-key="XXXXXXX"
/ip address
add address=10.0.0.1/24 comment=defconf interface=bridge network=10.0.0.0
add address=192.168.100.1/24 interface=Wireguard1 network=192.168.100.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m update-time=no
/ip dhcp-client
add comment=defconf disabled=yes interface="sfp-sfpplus1[INTERNET]"
/ip dhcp-server lease
add address=10.0.0.100 client-id=1:b4:2e:99:a3:8f:58 comment="" \
    mac-address=B4:2E:99:A3:8F:58 server=defconf
add address=10.0.0.9 client-id=1:48:b0:2d:2a:ea:bd comment="" \
    mac-address=48:B0:2D:2A:EA:BD server=defconf
add address=10.0.0.8 client-id=1:4:4b:ed:a6:43:fa comment="" \
    mac-address=04:4B:ED:A6:43:FA server=defconf
add address=10.0.0.5 client-id=1:94:b5:55:92:9f:dc comment=\
    "" mac-address=94:B5:55:92:9F:DC server=defconf
add address=10.0.0.7 client-id=1:e8:fb:1c:97:e5:4b comment="" \
    mac-address=E8:FB:1C:97:E5:4B server=defconf
add address=10.0.0.6 comment="" mac-address=80:64:6F:B9:43:70 \
    server=defconf
add address=10.0.0.4 client-id=1:64:c6:d2:1b:7c:d7 comment="" \
    mac-address=64:C6:D2:1B:7C:D7 server=defconf
add address=10.0.0.10 comment="" mac-address=00:19:BA:13:0C:94 \
    server=defconf
/ip dhcp-server network
add address=10.0.0.0/24 comment=defconf dns-server=10.0.0.1 gateway=10.0.0.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=10.0.0.1 comment=defconf name=router.lan
/ip firewall address-list
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input dst-port=21 in-interface-list=WAN log=yes \
    log-prefix="FTP - " protocol=tcp src-address-list=\
    allow_hostprovider_traffic
add action=accept chain=input dst-port=21 in-interface-list=WAN log-prefix=\
    "FTP - " protocol=tcp src-address-list=\
    allow_uptime_robot_traffic
add action=accept chain=input comment="::Allow Wireguard Traffic::" dst-port=\
    13231 protocol=udp
add action=accept chain=input comment="::Allow Wireguard Traffic::" \
    src-address=192.168.100.0/24
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=change-mss chain=forward new-mss=1452 out-interface=pppoe-out1 \
    protocol=tcp tcp-flags=syn tcp-mss=1453-65535
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=Plex dst-port=35200 \
    in-interface-list=WAN protocol=tcp to-addresses=10.0.0.100 to-ports=32400
add action=dst-nat chain=dstnat comment="Steam Link3" dst-port=27036 \
    in-interface-list=WAN protocol=udp to-addresses=10.0.0.100 to-ports=27036
add action=dst-nat chain=dstnat comment="Steam Link2" dst-port=27036 \
    in-interface-list=WAN protocol=tcp to-addresses=10.0.0.100 to-ports=27036
add action=dst-nat chain=dstnat comment="Steam Link1" dst-port=27031 \
    in-interface-list=WAN protocol=tcp to-addresses=10.0.0.100 to-ports=27031
add action=dst-nat chain=dstnat comment="Steam Link4" dst-port=27037 \
    in-interface-list=WAN protocol=tcp to-addresses=10.0.0.100 to-ports=27037
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
/ip service
set telnet disabled=yes
set ssh address=10.0.0.0/24 port=XX
set www-ssl disabled=no
set api disabled=yes
set winbox address=10.0.0.0/24
set api-ssl disabled=yes
/ip smb shares
add directory=usb1-part1/Backups invalid-users=guest name=Backups \
    valid-users=sambauser
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ppp secret
add name=vpn
/system clock
set time-zone-name=Africa/Johannesburg
/system identity
set name=MikroTikRouter
/system note
set show-at-login=no
/system scheduler
add interval=5m name=NoIP-Updater on-event="# Data to be modified\r\
    \n:local  noipuser \"XXXXXXXXX\"\r\
    \n:local  noippass \"XXXXXXXXX\"\r\
    \n:local  noiphost \"XXXXXXXXX\"\r\
    \n\r\
    \n# From now on, do not modify\r\
    \n:local  cIP [/ip cloud get public-address]\r\
    \n\r\
    \n:if ([:resolve \$noiphost] != \$cIP) do={\r\
    \n    # Important, has been replaced \"\?\" with \"\\3F\" to avoid problem\
    s.  \r\
    \n    /tool fetch url=\"http://\$noipuser:\$noippass@dynupdate.no-ip.com/n\
    ic/update\\3Fhostname=\$noiphost&myip=\$cIP\" keep-result=no\r\
    \n    :log info \"NO-IP: \$noiphost -> IP updated: \$cIP\"\r\
    \n} else={\r\
    \n    :log info \"No-IP: No update needed. Current: \$cIP\"\r\
    \n}\r\
    \n" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/user group
add comment="::FTP USERS GROUP ONLY::" name=FTPUsers policy="ftp,read,write,!l\
    ocal,!telnet,!ssh,!reboot,!policy,!test,!winbox,!password,!web,!sniff,!sen\
    sitive,!api,!romon,!rest-api"

RULES THAT MAKE NO SENSE

  1. If you are attempting FTP for example, the input chain is NOT used for this… One uses the dstnat chain. One rule is used in the forward chain to allow port forwarding in general.
    add action=accept chain=input dst-port=21 in-interface-list=WAN log=yes log-prefix="FTP - " protocol=tcp src-address-list=allow_hostprovider_traffic
    add action=accept chain=input dst-port=21 in-interface-list=WAN log-prefix="FTP - " protocol=tcp src-address-list=allow_uptime_robot_traffic

  2. To make that port forwarding rule clear, remove this default
    add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

Replace with
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="remote users to LAN" in-interface=Wireguard1 dst-address=10.0.0.0/24
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

  1. Why do you mangle your outgoing pppoe traffic… is there an issue with normal internet connectivity???

  2. I would put the vpn masquerade source nat rule at the top vice bottom, but not 100% sure.

  3. If you give wireguard user ( probably you as admin ) access to input chain, don't forget you also have to include the subnet in /ip service

  4. FROM ( for better security )
    /tool mac-server
    set allowed-interface-list=LAN
    /tool mac-server mac-winbox
    set allowed-interface-list=LAN

    TO:
    /tool mac-server
    set allowed-interface-list=NONE
    /tool mac-server mac-winbox
    set allowed-interface-list=LAN

The FTP server is running on the router. I have a USB storage device linked to the router where the FTP files are being stored. Therefore I thought that in order to open port 21 on the router, this rule was needed on input as the FTP server is on the router itself. So when you say "One rule is used in the forward chain to allow port forwarding", wouldn't that be to a device on the LAN which hosts the FTP server?

The second rule is again on the input for uptime robot monitor to test that the FTP service is indeed up and running. I’m not sure how else to configure this?

I was told in a previous thread that the default rules that come with routeros are sufficient for a SOHO set up. I’m confused why you are asking me to replace it now?

If you could elaborate on what you mean by “mangle”? I’m not sure what you are referring to.

Is this suggestion to try and resolve my issue with not being able to access a network share via Wireguard? Which service would I add the subnet to?

I’m just not sure which suggestion here will solve my issue with my wireguard?

The advice is to properly config the router and make it secure as well as address any wireguard issues…

  1. Okay so the idea is you are trying to reach the USB held files…
    Well how do you propose to reach the files if the USB port has no identification path for the router to use ( ip address and/or route )
    What you did do was make many assumptions not realizing what you did is extremely dangerous.

The input chain is traffic TO the router. The purpose of the input chain is to control/limit access to ROUTER SERVICES.
Such as VPN services, and also access to CONFIG the router. What you have done is open up an unencrypted path to the configuration door of your router to every hacking bot in the world that searches on port 21. The only thing protecting the config is your user name and password (plain text) which is easily defeated by AI and quickly.
Suggest the first thing you do is unplug the router and netinstall a fresh copy.

  1. There are better ways to test if something is working on the MT router, so that can be addressed after fixing the above, and determining the viability of accessing USB files externally… methinks it's not possible. This document-related entry seems not to indicate any ability to do so… https://help.mikrotik.com/docs/spaces/ROS/pages/130220183/USB+Features
    Now you may be able to access files internally from the command line as per here… https://help.mikrotik.com/docs/spaces/ROS/pages/2555971/Files
    My recommendation is to ask on the forum what can and cannot be done via the USB port as a separate question.

  2. Yes they are sufficient for the INITIAL CONNECTION and if your setup does not change. However you have gone way beyond connecting a single PC on ether2.
    The changes I have introduced make it very clear what is allowed in the forward chain ( through the router ): basically wan to lan, lan to wan, lan to lan at layer 3.
    We allow internet for lan users
    We allow wireguard users access to LAN ( and in the input chain to the router for config access )
    We allow port forwarding
    We drop all else.

The default rule says
Block all traffic coming from the WAN except traffic for port forwarding ( the router monitors the dst ports in DSTNAT rules to figure that out ).


Discussion: So as you can see the default rule is safe in that it stops any WAN to LAN traffic (except bona fide incoming traffic to LAN servers).
It does not stop anything else. So basically it only addresses the most obvious and bad traffic.

Most of us then quickly change the concept of BLOCK KNOWN BAD and allow all else to ALLOW ONLY KNOWN GOOD and block everything else.
I am no expert, and I have no idea what constitutes bad traffic as much of it is layered or nuanced and not obvious. So the updated method says you don't have to, since you know what traffic you need, just drop everything else…

The rules are clean, clear and they work.

  1. Mangle is not too hard to find; were you the one that works on the config?? Your mangle rule, did you add it? If so why?
    /ip firewall mangle
    add action=change-mss chain=forward new-mss=1452 out-interface=pppoe-out1 protocol=tcp tcp-flags=syn tcp-mss=1453-65535

  2. I don't care if it resolves your issue or not. I am telling you that if:
    a. add a rule for wireguard to access router services ( aka a remote user hopefully you as the admin ) with incoming wireguard IP address within subnet A, with the expectation of using winbox to access the config (port XXXXX) and
    b. your IP services for that port states only subnet B

What do you think will happen. Use logic.

  1. No, it's a security fix: the mac-server entry is not encrypted, the mac-server mac-WINBOX entry is encrypted

+++++++++++++++++++++++++++++++++++++++++++++++++++++

To explain.
There are layers of protection for access to config the router and rightly so. Hence why opening up port 21 is bad, it defeats all the safeguards!

  1. Assign the winbox port in IP services. I always change the default port as I do for any security port.
  2. Assign the SUBNETS in IP services that will need access for config.
  • could include the trusted subnet on the local router
  • could include the wireguard subnet
  • could include a trusted subnet on a remote router that is connected by wireguard.
  3. Mac-winbox CAN be used, optionally, to limit access via winbox to specific INTERFACES…
  4. The most granular and refining layer is in the input chain. This is where one can and should limit to single or list of IP addresses.

Discussion: Typically the default config comes with
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

What does this rule say, based on what you have learned to date?
It says
→ drop all traffic not coming from the LAN
I don't like unnecessary use of the not symbol and thus prefer
→ accept all traffic from the LAN
→ drop all else

In any case we are allowing ALL LAN users access to router services. In reality most users (99.999%) only need access to DNS services and sometimes NTP services.
So in reality the input chain only needs to be
→ accept all traffic from the LAN with destination port 53
→ drop all else.

So what we have done is ensure all users get access to needed router services and they NO LONGER can access the config of the router.
We don't want all users to access all services, ONLY the admin, so…

We add a rule prior to the LAN rules
→ accept all traffic from admin IP

However most of the time it's best expressed as a firewall address list of IPs.
  • admin local PC wired
  • admin local laptop wifi
  • admin local smartphone wifi
  • admin remote laptop wireguard
  • admin remote smartphone wireguard
  • admin remote router remote PC on trusted subnet wireguard

Note that if you have a bunch of wireguard users that are not just the admin but workers that need access to subnets on the router…this list ensures
they are NOT included in full access to the router services, ONLY the admin IPs.

Hope this helps.

As to Windows shares, no idea. There is no Windows share identifier or functionality within RoS that I am aware of. Seems like a Windows OS issue.
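A worked RouterOS configuration of the input-chain layering described in the post above (IP services, optional MAC-WinBox, admin address list, then the input chain). This is an added example, not the poster's or the thread author's config; the LAN subnet 192.168.88.0/24, the remote trusted subnet 192.168.200.0/24, the WinBox port 55555 and every address-list entry are placeholders chosen for illustration.

```routeros
# Added example (not from the post). Assumed addressing:
#   LAN 192.168.88.0/24, WireGuard 192.168.100.0/24 (from the thread),
#   trusted subnet 192.168.200.0/24 on a remote router reached over WireGuard.

# 1. Move WinBox off its default port (55555 is a placeholder) and limit the
#    service to the subnets that are allowed to reach it at all.
/ip service
set winbox port=55555 address=192.168.88.0/24,192.168.100.0/24,192.168.200.0/24
set telnet disabled=yes
set www disabled=yes

# 2. Optional layer: MAC-WinBox only on the LAN interface list, plain MAC
#    server (unencrypted) disabled everywhere.
/tool mac-server mac-winbox set allowed-interface-list=LAN
/tool mac-server set allowed-interface-list=none

# 3. Admin address list: the only IPs that get full access to router services.
#    Entries are placeholders; workers using WireGuard are deliberately absent.
/ip firewall address-list
add list=admin address=192.168.88.10 comment="admin local PC wired"
add list=admin address=192.168.88.20 comment="admin local laptop wifi"
add list=admin address=192.168.88.30 comment="admin local smartphone wifi"
add list=admin address=192.168.100.2 comment="admin remote smartphone wireguard"
add list=admin address=192.168.100.3 comment="admin remote laptop wireguard"
add list=admin address=192.168.200.10 comment="admin PC on remote trusted subnet"

# 4. Input chain, most specific first: admin rule BEFORE the LAN rules, then
#    only the services ordinary users need (DNS), then drop everything else.
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="accept ICMP"
add chain=input action=accept protocol=udp dst-port=13231 comment="WireGuard handshake (port from the thread)"
add chain=input action=accept src-address-list=admin comment="admin IPs: full access to router services"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53 comment="LAN users: DNS only"
add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=53 comment="LAN users: DNS only"
add chain=input action=accept src-address=192.168.100.0/24 protocol=udp dst-port=53 comment="WireGuard users: DNS only"
add chain=input action=drop comment="drop all else"
```

With this ordering a non-admin WireGuard peer can resolve names through the router but gets no path to WinBox, even though the WireGuard subnet is listed in /ip service; the admin address list is the only way past the final drop.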

I really appreciate all the guidance and advice you are providing but I really want to focus my efforts on the wireguard issue for now.

Regarding the config of the router for the firewall, there are a few rules that I added but the rest are stock standard.

Regarding the PPPOE traffic, I never did anything with mangle. I simply created an interface for PPPOE over the SFP port. That’s it. So I’m not sure what you are referring to wrt mangle.

The majority of this router is stock standard out of the box. I simply set up the bridge, the interfaces etc.


  1. Okay, so the idea is you are trying to reach the USB held files…
    Well how do you propose to reach the files if the USB port has no identification path for the router to use (IP address and/or route)?
    What you did do was make many assumptions, not realizing what you did is extremely dangerous.

This statement is confusing. I’m not sure what you mean that the USB port has no identification path for the router? The USB storage is connected DIRECTLY to the USB port on the router. You have made a claim that what I did was EXTREMELY dangerous without realising it, and yet all I did was plug a USB storage device into the USB port the way the MT team intended us to do. I don’t know what I am missing here. Are you saying that we should NEVER use the USB port that has been provided to us by the MT team?


The input chain is traffic TO the router. The purpose of the input chain is to control/limit access to ROUTER SERVICES.

I agree with the fact that the input chain is for traffic to the router but the storage device is linked DIRECTLY to the router and therefore I use the input chain. How else am I supposed to upload files to the FTP server without opening up access to the FTP server?


Such as VPN services, and also access to CONFIG the router. What you have done is open up an unencrypted path to the configuration door of your router to every hacking bot in the world that searches on port 21. The only thing protecting the config is your user name and password (plain text), which is easily and quickly defeated by AI.

Well, how else do I allow access to the FTP server from the internet? All I did was plug in a USB storage device, enable the FTP service and open port 21 so that I can FTP files to the storage device on the router. This is working perfectly. How else am I supposed to upload files to the FTP server from the public internet without opening port 21? The FTP transfers will anyway only be allowed based on the allowed list of source IP addresses. The hacker or bots would need to be running from one of those IPs in order to even gain access on port 21.

add action=accept chain=input dst-port=21 in-interface-list=WAN log=yes log-prefix="FTP - " protocol=tcp src-address-list=allow_hostprovider_traffic

add action=accept chain=input dst-port=21 in-interface-list=WAN log-prefix="FTP - " protocol=tcp src-address-list=allow_uptime_robot_traffic



Suggest the first you do is unplug the router and netinstall a fresh copy.

This feels very dramatic. This router is very stock standard barring a few additional rules to the firewall and enabling the wireguard interfaces.

But again, I need assistance with Wireguard and while I do appreciate your various comments on the issues with the security of the router (which I am surprised by, to say the least, because I did not change very much on this router set up), I feel like we are digressing from the main issue of this thread.

I will open alternative threads based on your comments on my configuration so that I can improve things but I need to get the wireguard working for now.

Based on your feedback, I don't think there is anything I can add.
Hopefully others have more input.
Good luck!

Look, I appreciate your input but you have made MANY and I mean MANY claims that my set up is wrong and bad and incorrect etc etc

I need my wireguard set up and working and maybe you have MUCH more experience than I do but your posts are so detailed and full of information that a person honestly just gets lost in all your knowledge.

It would be easier if you took one problem at a time and dealt with it and assisted in that manner. I am SUPER appreciative of your time to write up so much info but most of the info is besides the point of this thread.

This thread is about wireguard connectivity and being able to access shares on a LAN.

Your posts were all about the bad config of my router. PLEASE PLEASE don’t misunderstand my intention here. I am just overwhelmed by all the information you threw at me. I don’t even know where to start to respond to you.

Just to close the loop on this one.

I eventually figured out that the problem was not with Wireguard OR with the windows shares. The problem was the way the client software was authenticating with the windows share. It had a bug in it that was not passing the full password on to the smb server for authentication. There is a workaround and so I applied the workaround and everything worked.

So therefore everything was actually working all along.

That's good news!
If you want to clean up the rest of the config, feel free to ask about any specific part of the comments.

My PC to PC network shares won’t work but I can access my NAS at \\192.168.100.15 at my remote site.
VNC works both ways, my IP network here is 192.168.200.0.

I can see my NAS here at 192.168.200.25 from the remote site.
I can ping any PC at the far end but can’t map drives or use file explorer to see local drives.

The NAS devices are WD and Seagate, so after seeing your post I’m wondering if I have a Windows authentication issue through Wireguard.

Any ideas on how to proceed?

Thanks

Your post has nothing to do with this thread, start a NEW thread.
a. post network diagrams
b. complete config /export file=anynameyouwish (minus router serial number, any public WAN IP information, keys etc.)