VPN 2 Sites With Mikrotik But only one has public ip

RouterOS General
1

Hi there, this was my first post, i’m so desperate to solve my problem

i have 2 sites says site A and site B both site mikrotik RB750Gr3 has been configured both the mikrotik itself and the LAN behind it can access the internet.
both has the same ROS v 7.14.3

Here the brief configuration
Site A: Has Pulbic IP Address, can ping the cloud xxxxx.sn.mynetname.net
Local IP : 192.168.90.1/24

Site B: No Public IP Address, cannot ping the cloud yyyyy.sn.mynetname.net
Local IP : 192.168.91.1/24

i’ve following both wireguard and l2tp/ipsec guide from this forum but not working
both wireguard and l2tp/ipsec has been set up, but no handshake

i’ve reset both router with no default configuration for each setup, but there was still no handshake

can anyone give me some guide to solve this ?

thanks before

2

It “should” work so the best course of action is to post the exports of the configuration of both devices (after removing any serial numbers, logins to external services, and replacing the prefixes of public addresses in such a way that the relationship between the individual configuration elements would stay visible). The forum can then either pinpoint a mistake or suggest some tests to be done to identify and hopefully fix the issue.

3

how can i get the configurtaion ? and how can i check if the wireguard connection was working ?

4

Here’s why and how.


/interface/wireguard/peers/print detail shows items like current-endpoint-address, current-endpoint-port, rx, tx, last-handshake.

5

here my server a config
Site A

# 2024-09-09 15:52:18 by RouterOS 7.13.5
#
# model = RB750Gr3
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/iot lora servers
add address=eu.mikrotik.thethings.industries name=TTN-EU protocol=UDP
add address=us.mikrotik.thethings.industries name=TTN-US protocol=UDP
add address=eu1.cloud.thethings.industries name="TTS Cloud (eu1)" protocol=\
    UDP
add address=nam1.cloud.thethings.industries name="TTS Cloud (nam1)" protocol=\
    UDP
add address=au1.cloud.thethings.industries name="TTS Cloud (au1)" protocol=\
    UDP
add address=eu1.cloud.thethings.network name="TTN V3 (eu1)" protocol=UDP
add address=nam1.cloud.thethings.network name="TTN V3 (nam1)" protocol=UDP
add address=au1.cloud.thethings.network name="TTN V3 (au1)" protocol=UDP
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/port
set 0 name=serial0
/interface wireguard peers
add allowed-address=192.168.90.0/24 interface=wireguard1 public-key=\
    "LDL1Vliuv6GV9XGimYGb9hxFtSbje+3/hbYRkj2RZBk="
/ip address
add address=192.168.80.1/24 interface=ether2 network=192.168.80.0
add address=192.167.1.3/24 interface=ether1 network=192.167.1.0
/ip dns
set allow-remote-requests=yes servers=203.142.82.222,203.142.84.222
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.167.1.1 routing-table=main \
    suppress-hw-offload=no
/system clock
set time-zone-name=Asia/Jakarta
/system note
set show-at-login=no

site-b

# 2024-09-09 15:49:47 by RouterOS 7.13.5
#
# model = RB750Gr3
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Telkom
/interface wireguard
add listen-port=13231 mtu=1420 name=wg_Telkom
/iot lora servers
add address=eu.mikrotik.thethings.industries name=TTN-EU protocol=UDP
add address=us.mikrotik.thethings.industries name=TTN-US protocol=UDP
add address=eu1.cloud.thethings.industries name="TTS Cloud (eu1)" protocol=\
    UDP
add address=nam1.cloud.thethings.industries name="TTS Cloud (nam1)" protocol=\
    UDP
add address=au1.cloud.thethings.industries name="TTS Cloud (au1)" protocol=\
    UDP
add address=eu1.cloud.thethings.network name="TTN V3 (eu1)" protocol=UDP
add address=nam1.cloud.thethings.network name="TTN V3 (nam1)" protocol=UDP
add address=au1.cloud.thethings.network name="TTN V3 (au1)" protocol=UDP
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/interface wireguard peers
add allowed-address=192.168.80.0/24 client-listen-port=13231 \
    endpoint-address=113.11.176.79 endpoint-port=13231 interface=wg_Telkom \
    public-key="ftLk0W8v7DZ2IBBJcmM07RXD1f3qYAcgJLR6Cl2onnw="
/ip address
add address=192.167.1.3/24 interface=ether1-Telkom network=192.167.1.0
add address=192.168.90.1/24 interface=bridge1 network=192.168.90.0
add address=10.0.0.2/24 interface=wg_Telkom network=10.0.0.0
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-Telkom
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.167.1.1 routing-table=main \
    suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Asia/Jakarta
/system note
set show-at-login=no

how can i check if there was successfull handshake ?

6

The last-handshake column as mentioned above is completely absent if no successful handshake took place yet. If the column is present but the time shown is longer than 2 minutes, it is also suspicious.

There is a moment in your exports that I don’t understand. You wrote that only one of the Tiks had a public IP, but in both exports the address attached to ether1 is the same, 192.167.1.3, and the addresses of the gateways of the default routes are also identical, 192.167.1.1.

Since 192.167/16 is a public prefix assigned to an Italian ISP, should I understand that as a confusing way of obfuscation of thе actual public address, or is this an address range Telkom uses as the default LAN subnet on their CPEs and when you say that one of the Mikrotiks has a public address, you actually have in mind that the public IP is on the WAN of the Telkom’s CPE and there is a port forwarding rule or DMZ configured on the CPE towards the WAN address of the Mikrotik? BTW you forgot to obfuscate the public address of site A in the export from site b…

Other than that, you are apparently missing one important moment regarding how Wireguard is implemented, and the examples in the manual are unfortunately not very helpful as they do not explain things that are obvious to seasoned network engineers who write the manuals but far from obvious to first time users.

Each Wireguard instance (represented by the “interface” object) that runs on a router behaves as an independent virtual router with its own routing table. Unlike IPsec that overrides the results of the common routing, the Wireguard instance only handles traffic that the “big” router explicitly sends to it, and uses the allowed-address lists configured for the individual peers to choose the proper destination peer for each packet. So the fact that you have configured allowed-address=192.168.80.0/24 for the single Wireguard peer on site b had no impact on the “big” router - you have to add a route dst-address=192.168.80.0/24 gateway=wg_Telkom. This is a different experience than on the prototype implementation of Wireguard on Linux where the startup scripts bundled to the installation package take care of this - they copy the destinations linked to the peers in the Wireguard configuration into the routing table of the machine.

Of course you have to do the same on Site A. On the other hand, attaching address 10.0.0.2/24 to interface wg_Telkom creates a route dst-address=10.0.0.0/24 gateway=wg_Telkom dynamically, but as none of the peers has allowed-address=10.0.0.x/y, the “big” router will send packets for 10.0.0.x to the Wireguard instance but the Wireguard instance will drop them.

Lastly, Wireguard uses a “stealth” behavior so it does not attempt to establish a session until there is a payload justifying that, or unless a keepalive is activated. Since site b is (apparently) behind a NAT, a packet for 192.168.90.x from Site A would never be sent as Site A does not know the public address and port of site b, so the first packet causing the session to establish after a long pause would always have to be sent from site b to 192.168.80.x; this is not practical, so you have to add persistent-keepalive=30s to the configuration of the peer at site b.

So I’d suggest you implement the changes above, and if it still does not work, post the exports again so that we could look what else is missing.

Also, if the router at Site A has the public IP on itself (or if all traffic from the public IP is forwarded to it), the absence of any firewall rules on it means that the only thing that prevents it from becoming a zombie in a botnet is a strong password.

7

the configuration was both of my isp has GPON with local ip of 192.167.1.1 and my mikrotik port 1 was set to 192.167.1.3
the site a has public ip and accessible from the internet, but site B not having public ip address, and not accessible from internet

Also, if the router at Site A has the public IP on itself (or if all traffic from the public IP is forwarded to it), the absence of any firewall rules on it means that the only thing that prevents it from becoming a zombie in a botnet is a strong password.

the site a was a GPON with forward rule, and in site a i has other working mikrotik router as current gateway for live daily networking,
RB750gr3 was just other mikrotik for testing and implementing VPN for the other site, and once the configuration was working i would reset the router and implement the default configuration firewall rule

earlier i’ve tried using Starlink as site b, but it still not working, both Wireguard and IPSec

so here the question and solution i would to try

  1. should Set keepalive on site b to 30s, but not on site A or on both site ?
  2. should i add ip address for both wireguard interface? and add route for both interface?
  3. should i add 10.0.0.0/24 to allowed address on both site ?
  4. are there any ways to check if the handshake was successfully? because when i tried to disconnect the port 1 on both router the handshake timer keep reseting after 30s as i configured keep alive on both site to 30s, are there other way to check if the connection was success other than handshake ?
  5. Are there any firewall rule should i implement to give access to port 13231 on both site ? because when i tried to check open port from internet it said not open
8

site b only.


Only add the routes corresponding to allowed-address at the same device. There is no need to attach an interface to the Wireguard interface at all - it is just a way to make the configuration simpler for the “road warrior” scenarios, which is irrelevant for your site-to-site case.


No need - see above.


The default handling in Mikrotik firewall is accept, i.e. if a packet doesn’t match any rule, it is allowed to pass. Since there are no firewall rules in your filter, you don’t need to do anything to allow incoming traffic to UDP port 13231 to get processed. If the forwarding rule at the GPON box at site A is only for UDP port 13231, you don’t need to care about other firewall rules either; if the forwarding rule at site A forwards all incoming traffic towards the public IP of the site to the Mikrotik, no matter what the protocol and port is, you have to set up a proper firewall prohibiting any incoming connections via ether1 at least in chain input in filter, and add an exception for UDP port 13231 to it.


This is another effect of the stealthy behavior of Wireguard. If it does not like the contents of the incoming handshake packet, it behaves as if nothing came in. So the port scanner gets the same effect as if nothing was listening on that port. It won’t get an ICMP message either, but that’s the case also if the device being port-scanned is behind a firewall that silently drops packets, so the port scanners usually report both cases (no response at all as well as ICMP "destination port unreachable"¨) as “not open”.


This is a tough one - I did not know it shows a time since a handshake has been sent, not since it has been responded. So instead of relying on this, run /tool/sniffer/quick port=13231 on both devices, in a command line window as wide as your screen allows, and see whether there are any incoming packets or only outgoing ones (which would only be present on site b as site A does not know where to send them until it receives the first packet with proper contents from site b). If you can see the packets to be sent at site b but not to be received at site A, either the port forwarding rule is broken or something is blocking the packets on the way between the sites.

9

i’ve tried the road warrior using windows client and it worked

here the configuration on the site-a, now i’ve changed it to work behind my production mikrotik router than directly connected to the GPON, and made it using port5 instead of default port 1

# 2024-09-10 13:57:59 by RouterOS 7.13.5
# model = RB750Gr3

/interface bridge
add name=bridge1
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add name=WAN
add name=LAN
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
/interface list member
add interface=ether5 list=WAN
add interface=bridge1 list=LAN
add interface=wireguard1 list=LAN
/interface wireguard peers
add allowed-address=10.0.0.2/32 interface=wireguard1 public-key=\
    "ityH7bII6Zmesect/nxNzTzK1Ix9MVh5o85wYURCrjU="
/ip address
add address=10.1.88.1/24 interface=bridge1 network=10.1.88.0
add address=10.0.0.1/24 interface=wireguard1 network=10.0.0.0
add address=192.168.88.2/24 interface=ether1 network=192.168.88.0
/ip dhcp-client
add interface=ether5
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment="allow Wireguar" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment="allow Wireguar" disabled=yes dst-port=\
    13231 protocol=tcp src-port=13231
add action=accept chain=forward disabled=yes in-interface=ether5 src-address=\
    192.168.4.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=accept chain=dstnat comment="Open Port Wireguard" disabled=yes \
    dst-address=192.168.4.1 dst-port=13231 protocol=udp
add action=accept chain=dstnat comment="Open Port Wireguard" disabled=yes \
    dst-address=192.168.4.1 dst-port=13231 protocol=tcp
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.4.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Asia/Jakarta
/system note
set show-at-login=no

are there any changes i should made to the configuration for the site to site wireguard work ?

thanks for your response

10

I’m not sure I understand properly, but the fact that it works for the road warrior means that the port 13231 on site A is reachable from the internet. So in order to add the site-to-site functionality,

  • return the /interface/wireguard/peer row representing site b (with allowed-address=192.168.90.0/24) and the route with dst-address=192.168.90.0/24 gateway=wireguard1 to the configuration of site A above.
  • change the route and allowed-address on site b to match the LAN subnet on site A, i.e. 10.1.88.0/24.
11

update, i just configured the site b to connect to site a with the current configuration, but i’m adding other peer to differentiate it for roadwarrior
are there any problem with that ? and tried to i add other wireguard interface and it not running,
so whats the best solution for multiple site ?
will one wireguard interface with multiple peer work ?

12

Both ways are possible, each Wireguard interface may have multiple peers, that’s how it is designed.

13

i just tried to add other wireguard interface, but the interface was not running, how can i solve this ?

now i successfully configured and running the wireguard, both router can ping each other, but cannot ping the network behind the router
the network behind each router can ping the opposite router, but not the network behind

i’ve already add route to the wireguard interface for the opposite network
how can i solve this

here site A config

# 2024-09-10 18:38:33 by RouterOS 7.13.5
#
# model = RB750Gr3
/interface bridge
add name=bridge1
/interface wireguard
add disabled=yes listen-port=13231 mtu=1420 name=wg_Biz-Tlk
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add name=WAN
add name=LAN
/iot lora servers
add address=eu.mikrotik.thethings.industries name=TTN-EU protocol=UDP
add address=us.mikrotik.thethings.industries name=TTN-US protocol=UDP
add address=eu1.cloud.thethings.industries name="TTS Cloud (eu1)" protocol=\
    UDP
add address=nam1.cloud.thethings.industries name="TTS Cloud (nam1)" protocol=\
    UDP
add address=au1.cloud.thethings.industries name="TTS Cloud (au1)" protocol=\
    UDP
add address=eu1.cloud.thethings.network name="TTN V3 (eu1)" protocol=UDP
add address=nam1.cloud.thethings.network name="TTN V3 (nam1)" protocol=UDP
add address=au1.cloud.thethings.network name="TTN V3 (au1)" protocol=UDP
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
/interface list member
add interface=ether5 list=WAN
add interface=bridge1 list=LAN
add interface=wireguard1 list=LAN
/interface wireguard peers
add allowed-address=10.0.0.2/32 comment="wg Windows RW" interface=wireguard1 \
    public-key="ityH7bII6Zmesect/nxNzTzK1Ix9MVh5o85wYURCrjU="
add allowed-address=10.1.89.0/24,10.0.0.0/24 comment="wg to Telkom" \
    interface=wireguard1 public-key=\
    "WO7qrmmZSVbeEYpFpDWwv50+c1JvroAfgzTNVzfhygU="
/ip address
add address=10.1.88.1/24 interface=bridge1 network=10.1.88.0
add address=10.0.0.1/24 interface=wireguard1 network=10.0.0.0
add address=192.168.88.2/24 disabled=yes interface=ether1 network=\
    192.168.88.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add interface=ether5
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment="allow Wireguar" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment="allow Wireguar" disabled=yes dst-port=\
    13231 protocol=tcp src-port=13231
add action=accept chain=forward disabled=yes in-interface=ether5 src-address=\
    192.168.4.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=accept chain=dstnat comment="Open Port Wireguard" disabled=yes \
    dst-address=192.168.4.1 dst-port=13231 protocol=udp
add action=accept chain=dstnat comment="Open Port Wireguard" disabled=yes \
    dst-address=192.168.4.1 dst-port=13231 protocol=tcp
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.4.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no dst-address=10.1.89.0/24 gateway=wireguard1 routing-table=\
    main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Asia/Jakarta
/system note
set show-at-login=no

Site B Config

# 2024-09-10 18:37:12 by RouterOS 7.13.5
#
# model = RB750Gr3
/interface bridge
add name=bridge1
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add name=WAN
add name=LAN
/iot lora servers
add address=eu.mikrotik.thethings.industries name=TTN-EU protocol=UDP
add address=us.mikrotik.thethings.industries name=TTN-US protocol=UDP
add address=eu1.cloud.thethings.industries name="TTS Cloud (eu1)" protocol=\
    UDP
add address=nam1.cloud.thethings.industries name="TTS Cloud (nam1)" protocol=\
    UDP
add address=au1.cloud.thethings.industries name="TTS Cloud (au1)" protocol=\
    UDP
add address=eu1.cloud.thethings.network name="TTN V3 (eu1)" protocol=UDP
add address=nam1.cloud.thethings.network name="TTN V3 (nam1)" protocol=UDP
add address=au1.cloud.thethings.network name="TTN V3 (au1)" protocol=UDP
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
/interface list member
add interface=ether5 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=wireguard1 list=LAN
add disabled=yes interface=bridge1 list=LAN
/interface wireguard peers
add allowed-address=10.0.0.0/24,10.1.88.0/24 endpoint-address=113.11.176.79 \
    endpoint-port=13231 interface=wireguard1 persistent-keepalive=10s \
    public-key="v2BeZ8iOJaf+Cxnmf9qJWGFNk6c2ZVUOgjvNEozguB8="
/ip address
add address=192.169.1.2/24 interface=ether5 network=192.169.1.0
add address=10.1.89.1/24 interface=bridge1 network=10.1.89.0
add address=10.0.0.2/24 interface=wireguard1 network=10.0.0.0
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.169.1.1 routing-table=main \
    suppress-hw-offload=no
add disabled=no dst-address=10.1.88.0/24 gateway=wireguard1 routing-table=\
    main suppress-hw-offload=no
/system clock
set time-zone-name=Asia/Jakarta
/system note
set show-at-login=no
14

The routes and allowed-address items seem fine to me. Windows devices by default only respond to pings coming from the own subnet of the interface, could it be this simple?

15

are there any error with the subnet?

how can i make it can ping to other subnet on other mikrotik

i’ve tried tracert from windows and it here was the result

C:\Users\ASUS>tracert 10.1.88.2

Tracing route to 2.88.1.10.in-addr.arpa [10.1.88.2]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  1.89.1.10.in-addr.arpa [10.1.89.1]
  2    10 ms    10 ms    11 ms  1.0.0.10.in-addr.arpa [10.0.0.1]
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.

it seem that the connection was rejected on the other wireguard

are there is problem with Router OS that i’m using ?

Update i can connect ultravnc to the from 10.1.89.3 to 10.1.88.2 and vice versa, but cannot ping between computer.
i cannot make sure the PC was turn on if i cannot ping it

16

As written above - Windows by default would not respond to ping requests that arrive from outside its local subnets, i.e. where the ping response would have to be sent via a gateway. So you have to change the Windows firewall settings, use some other method to determine that the PC is alive, or use some ugly trick like a masquerade rule: /ip firewall nat add chain=srcnat protocol=icmp icmp-options=8 src-address=10.1.89.0/24 out-interface=bridge action=masquerade at the destination Mikrotik (where the 10.1.88.0/24 subnet is hosted) to make the ping from your previous post work.

17

and how if i want to access the windows service such smb or windows sharing ?

here was the current topology of site a

Internet ↔ Mikrotik Router ↔ Mikrotik WG router A ↔ Test PC A
Other PC that connect to Mikrotik Router

topology of site B

Internet ↔ Mikrotik WG Router B ↔ Test PC B

right now i can access VNC PC B from PC A and vice versa, so how can i access windows share on PC A from PC B ? and how can i access other PC from PC B vice versa ?

the current mikrotik router was on running and work well

where the ping response would have to be sent via a gateway. So you have to change the Windows firewall settings, use some other method to determine that the PC is alive, or use some ugly trick like a masquerade rule: /ip firewall nat add chain=srcnat protocol=icmp icmp-options=8 src-address=10.1.89.0/24 out-interface=bridge action=masquerade at the destination Mikrotik (where the 10.1.88.0/24 subnet is hosted) to make the ping from your previous post work.

why you said that masqueerade rule was ugly ?

what windows firewall setting should i change ? or can i just change the subnet to 10.1.89.0/16 and 10.1.88.0/16 to accomodate that ?


/ip firewall nat add chain=srcnat protocol=icmp icmp-options=8 src-address=10.1.89.0/24 out-interface=bridge action=masquerade

Update I Just tried this and not working still cannot ping the network behind 10.1.89.1

18

No idea, I’m not that deep into Windows so I have no idea what is the default behavior for their various proprietary protocols.


Since this works, and since there are no firewall rules on the Mikrotiks, the firewall settings on the Windows must be adjusted so that other protocols between the two PCs would work.


Sorry, I don’t understand the context of this remark, can you elaborate?


Because it is a workaround. Normally the firewall rules on the Windows should be adjusted so that pinging and other protocols would be accepted frrom the remote site.


Something in the firewall, I can’t give you more details, even if I was sitting in front of the Windows I would spend many minutes trying to figure that out

That wouldn’t work alone - if you did that (actually, 10.1.88.0/23 would be enough), Windows would not send the packets via the gateway but would send an ARP request for the destination address on the remote site. So you would have to set arp=proxy-arp on the Mikrotik bridge, so that the Mikrotik would respond with its own MAC address to make the Windows send the packet to it. It is also a workaround, a bit less ugly one, though.


When you ping something in 10.1.89.1, the rule must be on the device where 10.1.89.1/24 is on the bridge, and it must match on src-address=10.1.88.1. And vice versa.

19

the current mikrotik router was on running and work well

Sorry, I don’t understand the context of this remark, can you elaborate?

right now i have other mikrotik running, and it working well of forwarding the ping and network from vpn network outside the current mikrotik router, but i cannot determine how can it work and what rule inside that production router that make it work

20

Many things may be set up differently on both the Mikrotiks and the Windows PCs. Since the pinging between the bridge addresses of the Mikrotiks themselves works, and even some connection between the two PCs does (the VNC one), it means that Wireguard itself and the associated routes are OK. Unless you have added some firewall rules to your Mikrotiks since posting its configuration that would selectively drop some the forwarded traffic, the issue with the other (non-VNC) communication between the two PCs must be outside the Mikrotiks. As for the “other Mikrotik” where it does work - when you connect Windows to a particular network for the first time, they ask you whether it is private or public and whether you want the PC to be “visible”. Are you sure you answered those questions the same way when connecting that very PC to the “working” Mikrotik and to the “non-working” one?