VPN S2S, one way problem

skypeja · June 4, 2025, 4:53am

edit: sorry, but somehow the “code” areas messedup

Hi, please, can anyone help me. I’ve tried to setup VPN site to site, but i’m stucked at point, when site B, can ping devices in site A, but site A can’t ping devices in site B. Both routers can ping each other.

Site A (have two VPNs set)
public IP, WireGuard “server” named “Zavratec”, IP 192.168.60.1, local IP 192.168.10.0/24
Site B:
nonpublic IP, WireGuard peer, IP 192.168.60.2, local IP 192.168.30.0/24

Setup of Site A router

# 2025-06-04 06:22:43 by RouterOS 7.16.1
# software id = CPBV-3LI7
#
# model = RB750Gr3
# serial number = xxxxxxx
/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled \
    frequency=2412 name=channel1
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled \
    frequency=2437 name=channel6
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled \
    frequency=2462 name=channel11
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled \
    frequency=5180 name=channel36
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled \
    frequency=5200 name=channel40
/caps-man datapath
add client-to-client-forwarding=yes local-forwarding=yes name=local
/interface bridge
add name=bridge1 port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] mac-address=C4:xx:xx:xx:02:BB name=1_WAN
set [ find default-name=ether2 ] name=2_LAN
set [ find default-name=ether3 ] name=3_LAN
set [ find default-name=ether4 ] name=4_LAN
set [ find default-name=ether5 ] name=5_LAN
/interface wireguard
add listen-port=13231 mtu=1420 name="Personal VPN"
add listen-port=13232 mtu=1420 name=Zavratec
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=heslo
/caps-man configuration
add country="czech republic" datapath=local distance=indoors mode=ap name=\
    Janecek-2G rx-chains=0,1,2 security=heslo ssid=Janecek-2G tx-chains=0,1,2
add channel=channel36 country="czech republic" datapath=local distance=\
    indoors mode=ap name=Janecek-5G rx-chains=0,1,2 security=heslo ssid=\
    Janecek-5G tx-chains=0,1,2
/caps-man interface
add configuration=Janecek-2G disabled=no l2mtu=1600 mac-address=\
    C4:AD:34:7C:C5:1C master-interface=none name=Obyvak_2G radio-mac=\
    C4:AD:34:7C:C5:1C radio-name=C4AD347CC51C
add configuration=Janecek-5G disabled=no l2mtu=1600 mac-address=\
    C4:AD:34:7C:C5:1D master-interface=none name=Obyvak_5G radio-mac=\
    C4:AD:34:7C:C5:1D radio-name=C4AD347CC51D
add configuration=Janecek-2G disabled=no l2mtu=1600 mac-address=\
    C4:AD:34:7C:C5:10 master-interface=none name=Satna_2G radio-mac=\
    C4:AD:34:7C:C5:10 radio-name=C4AD347CC510
add configuration=Janecek-5G disabled=no l2mtu=1600 mac-address=\
    C4:AD:34:7C:C5:11 master-interface=none name=Satna_5G radio-mac=\
    C4:AD:34:7C:C5:11 radio-name=C4AD347CC511
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.10.20-192.168.10.254
add name=vpn ranges=192.168.15.2-192.168.15.254
add name=vpn_zavratec ranges=192.168.60.1-192.168.60.254
/ip dhcp-server
add address-pool=dhcp interface=bridge1 lease-time=10m name=dhcp1
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE dns-server=192.168.1.1 local-address=192.168.15.1 \
    remote-address=vpn
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/interface bridge port
add bridge=bridge1 ingress-filtering=no interface=2_LAN internal-path-cost=10 \
    path-cost=10
add bridge=bridge1 ingress-filtering=no interface=3_LAN internal-path-cost=10 \
    path-cost=10
add bridge=bridge1 ingress-filtering=no interface=4_LAN internal-path-cost=10 \
    path-cost=10
add bridge=bridge1 ingress-filtering=no interface=5_LAN internal-path-cost=10 \
    path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=WAN internet-interface-list=WAN lan-interface-list=\
    LAN wan-interface-list=WAN
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add interface=1_WAN list=WAN
add interface=bridge1 list=LAN
add interface="Personal VPN" list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/interface wireguard peers
add allowed-address=192.168.15.2/32 comment="Peja Telefon" interface=\
    "Personal VPN" name=peer1 preshared-key=\
    "xxxxx" public-key=\
    "xxxxxx= "
add allowed-address=192.168.15.3/32 comment="Peja NTB" interface=\
    "Personal VPN" name=peer2 preshared-key=\
    "xxxxx" public-key=\
    "xxxxx"
add allowed-address=192.168.15.4/32 comment="Peja Tablet" interface=\
    "Personal VPN" name=peer3 preshared-key=\
    "xxxxxxx" public-key=\
    "xxxxxxx"
add allowed-address=192.168.60.0/24,192.168.30.0/24 comment="Zavratec MKTK" \
    endpoint-address=xxxxxx.sn.mynetname.net endpoint-port=13232 \
    interface=Zavratec name=peerZ3 preshared-key=\
    "xxxxxx" public-key=\
    "xxxxxxx"
/ip address
add address=192.168.10.1/24 interface=bridge1 network=192.168.10.0
add address=192.168.15.1/24 interface="Personal VPN" network=192.168.15.0
add address=192.168.60.1/30 comment="VPN zavratec" interface=Zavratec \
    network=192.168.60.0
/ip cloud
set ddns-enabled=yes update-time=no
/ip dhcp-client
add interface=1_WAN
/ip dhcp-server lease
add address=192.168.10.243 mac-address=10:BF:48:8B:A5:AF server=dhcp1
/ip dhcp-server network
add address=192.168.10.0/24 caps-manager=192.168.10.1 gateway=192.168.10.1
/ip firewall address-list
add address=192.168.10.0/24 comment="Domaci LAN" list=SecureIP
add address=192.168.10.254 comment=AP_Obyvak list=InfrastructureIP
add address=192.168.10.1 comment=RB_Main list=InfrastructureIP
add address=192.168.10.217 comment=AP_Satna list=InfrastructureIP
add address=192.168.15.0/24 comment="Domaci VPN" list=SecureIP
add address=192.168.60.0/24 comment="VPN Zavratec" list=SecureIP
add address=192.168.30.0/24 comment="VPN Zavratec-vnitrni sit" list=SecureIP
/ip firewall filter
add action=accept chain=input comment="Povolit WireGuard" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment="Povolit WireGuard-Zavrazec" dst-port=\
    13232 protocol=udp
add action=accept chain=input comment="Povol WireGuard traffic" src-address=\
    192.168.15.0/24
add action=accept chain=input comment="Povol WireGuard traffic-Zavratec" \
    src-address=192.168.60.0/24
add action=accept chain=input comment="====== OCHRANA ROUTERU ======" \
    disabled=yes
add action=accept chain=input comment=\
    "Povol established, related, untracked spojeni" connection-state=\
    established,related,untracked
add action=drop chain=input comment="Zahod invalid spojeni" connection-state=\
    invalid
add action=accept chain=input comment="Povol veskere ICMP pakety" protocol=\
    icmp
add action=accept chain=input comment="Povol vse z AdresList \"SecureIP\"" \
    src-address-list=SecureIP
add action=drop chain=input comment="Zahod vse ostatni"
add action=accept chain=forward comment=\
    "====== OCHRANA KONCOVYCH STANIC =======" disabled=yes
add action=fasttrack-connection chain=forward comment="Fast Track" \
    connection-state=related hw-offload=yes
add action=accept chain=forward comment=\
    "Povol established, related, untracked spojeni" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="Zahod invalid spojeni" \
    connection-state=invalid
add action=accept chain=forward comment=\
    "Povol vse z IL \"LAN\" do IL \"WAN\"" in-interface-list=LAN \
    out-interface-list=WAN
add action=accept chain=forward comment="Povol vse z AL \"SecureIP\"" \
    src-address-list=SecureIP
add action=drop chain=forward comment="Zahod vse z AL \"InfrastructureIP\"" \
    dst-address-list=InfrastructureIP
add action=accept chain=forward comment="Povol presmerovane porty" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="Zahod vse ostatni"
/ip firewall nat
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.15.0/24
add action=masquerade chain=srcnat comment="masq. vpn traffic Zavr" \
    src-address=192.168.60.0/24
add action=masquerade chain=srcnat out-interface-list=WAN
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip kid-control
add fri=0s-1d mon=0s-1d name=system-dummy sat=0s-1d sun=0s-1d thu=0s-1d tue=\
    0s-1d tur-fri=0s-1d tur-mon=0s-1d tur-sat=0s-1d tur-sun=0s-1d tur-thu=\
    0s-1d tur-tue=0s-1d tur-wed=0s-1d wed=0s-1d
/ip route
add disabled=yes dst-address=0.0.0.0/0 gateway=10.218.105.129
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/ip upnp
set enabled=yes
/ppp secret
add name=vpn
/routing bfd configuration
add disabled=no
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Prague
/system identity
set name=RB_main
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=217.31.202.100
/system routerboard settings
set auto-upgrade=yes
/system scheduler
add interval=1w name=package_upgrade on-event="system package update install" \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2020-03-07 start-time=07:25:00
add interval=1d name=RB_upgrade on-event=":global Var1\r\
    \n:global Var2\r\
    \n:set Var1 \"\$[/system package get system version]\"\r\
    \n:set Var2 \"\$[/system routerboard get current-firmware]\"\r\
    \n:if (\$Var1>\$Var2) do={/system routerboard upgrade;\r\
    \n/system reboot;\r\
    \n}" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2020-03-07 start-time=07:38:00
/system script
add dont-require-permissions=no name=vytvorit_zalohy owner=peja policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    global filename;\r\
    \n:global identity [/system identity get name];\r\
    \n:set filename (\$identity);\r\
    \n/system backup save name=\$filename;\r\
    \n:delay 3s;\r\
    \n:global rsc \$filename;\r\
    \n/export file=\$rsc;"
/tool graphing interface
add
/tool graphing queue
add
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/user group
add name=apigroup policy="read,write,api,!local,!telnet,!ssh,!ftp,!reboot,!pol\
    icy,!test,!winbox,!password,!web,!sniff,!sensitive,!romon,!rest-api"

Setup of Site B router

# 2025-03-27 12:41:03 by RouterOS 7.18.2
# software id = Q9F4-0N6B
#
# model = RB951Ui-2HnD
# serial number = xxxxxxx
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country="czech republic" \
    disabled=no frequency=2462 mode=ap-bridge ssid=fafa86 wireless-protocol=\
    802.11
/interface wireguard
add listen-port=13232 mtu=1420 name=wireguard1
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
/iot lora servers
add address=eu.mikrotik.thethings.industries name=TTN-EU protocol=UDP
add address=us.mikrotik.thethings.industries name=TTN-US protocol=UDP
add address=eu1.cloud.thethings.industries name="TTS Cloud (eu1)" protocol=\
    UDP
add address=nam1.cloud.thethings.industries name="TTS Cloud (nam1)" protocol=\
    UDP
add address=au1.cloud.thethings.industries name="TTS Cloud (au1)" protocol=\
    UDP
add address=eu1.cloud.thethings.network name="TTN V3 (eu1)" protocol=UDP
add address=nam1.cloud.thethings.network name="TTN V3 (nam1)" protocol=UDP
add address=au1.cloud.thethings.network name="TTN V3 (au1)" protocol=UDP
/ip pool
add name=dhcp ranges=192.168.30.2-192.168.30.254
add name=vpn ranges=192.168.60.2-192.168.60.255
/ip dhcp-server
add address-pool=dhcp interface=bridge1 name=dhcp1
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=wlan1
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all internet-interface-list=WAN lan-interface-list=\
    LAN wan-interface-list=WAN
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add interface=bridge1 list=LAN
add interface=ether1 list=WAN
/interface ovpn-server server
add mac-address=xx:xx:xx:8B:AC:4D name=ovpn-server1
/interface wireguard peers
add allowed-address=192.168.60.0/24,192.168.10.0/24,192.168.30.0/24 \
    endpoint-address=212.xxx.xxx.xxx endpoint-port=13232 interface=wireguard1 \
    name=Kladno persistent-keepalive=5m preshared-key=\
    "xxxxxx" public-key=\
    "xxxxxx"
/iot lora traffic options
set crc-errors=no
set crc-errors=no
/ip address
add address=192.168.30.1/24 interface=bridge1 network=192.168.30.0
add address=192.168.60.2/30 interface=wireguard1 network=192.168.60.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=192.168.30.0/24 gateway=192.168.30.1
/ip firewall filter
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="povol VPN" dst-port=13232 protocol=udp
add action=accept chain=input comment="povol VPN traffic" src-address=\
    192.168.60.0/24
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=drop chain=input in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="masq. vpn traffic" disabled=yes \
    out-interface=ether1
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.60.0/24
add action=masquerade chain=srcnat out-interface-list=WAN
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add comment=Zavratec disabled=no distance=1 dst-address=192.168.10.0/24 \
    gateway=192.168.60.1 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ip service
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=pub
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge1 type=internal
add interface=ether1 type=external
/ppp secret
add name=peja
add name=vpn
/system clock
set time-zone-name=Europe/Prague
/system gps
set set-system-time=no
/system leds settings
set all-leds-off=immediate
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=217.31.202.100 disabled=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Ping test from Site A:

[peja@RB_main] > ping 192.168.60.2          
  SEQ HOST                                     SIZE TTL TIME       STATUS        
    0 192.168.60.2                               56  64 10ms723us 
    1 192.168.60.2                               56  64 10ms870us 
    2 192.168.60.2                               56  64 10ms846us 
    3 192.168.60.2                               56  64 10ms494us 
    4 192.168.60.2                               56  64 10ms572us 
    sent=5 received=5 packet-loss=0% min-rtt=10ms494us avg-rtt=10ms701us 
   max-rtt=10ms870us 

[peja@RB_main] > ping 192.168.30.253        
  SEQ HOST                                     SIZE TTL TIME       STATUS        
    0 192.168.30.253                                               timeout       
    1 192.168.30.253                                               timeout       
    2 192.168.30.253                                               timeout       
    3 192.168.30.253                                               timeout       
    sent=4 received=0 packet-loss=100% 

[peja@RB_main] >

Ping test from Site B:

[peja@RB_main] > ping 192.168.60.2          
  SEQ HOST                                     SIZE TTL TIME       STATUS        
    0 192.168.60.2                               56  64 10ms723us 
    1 192.168.60.2                               56  64 10ms870us 
    2 192.168.60.2                               56  64 10ms846us 
    3 192.168.60.2                               56  64 10ms494us 
    4 192.168.60.2                               56  64 10ms572us 
    sent=5 received=5 packet-loss=0% min-rtt=10ms494us avg-rtt=10ms701us 
   max-rtt=10ms870us 

[peja@RB_main] > [peja@MikroTik] > ping 192.168.60.1         
  SEQ HOST                                     SIZE TTL TIME       STATUS        
    0 192.168.60.1                               56  64 10ms716us 
    1 192.168.60.1                               56  64 11ms76us  
    2 192.168.60.1                               56  64 22ms787us 
    sent=3 received=3 packet-loss=0% min-rtt=10ms716us avg-rtt=14ms859us 
   max-rtt=22ms787us 

[peja@MikroTik] > ping 192.168.10.63        
  SEQ HOST                                     SIZE TTL TIME       STATUS        
    0 192.168.10.63                              56  63 14ms586us 
    1 192.168.10.63                              56  63 20ms618us 
    2 192.168.10.63                              56  63 24ms577us 
    sent=3 received=3 packet-loss=0% min-rtt=14ms586us avg-rtt=19ms927us 
   max-rtt=24ms577us 

[peja@MikroTik] >

And the question under the line… How to setup winbox acces from WAN (with aloowed IP list, of course).
Thak you very much for your help

TheCat12 · June 4, 2025, 12:35pm

Firstly, I would suggest changing the allowed addresses of the peers from 192.168.60.0/24 to the ones set on the WG interfaces of the opposite router, and fixing the netmask of the Site B WG address as well as removing 192.168.30.0/24 from the peer allowed IPs:

Site A:

/interface wireguard peers
set [ find name=peerZ3 ] allowed-address=192.168.60.2/32,192.168.30.0/24

Site B:

/interface wireguard peers
set [ find name=Kladno ] allowed-address=192.168.60.1/32,192.168.10.0/24

/ip address
set [ find interface=wireguard1 ] address=192.168.60.2/24

Secondly, I hope that the router at Site B is behind a firewall, as one does not exist on the router itself.
Thirdly, you’re missing routes:

Site A:

/ip route
add dst-address=192.168.30.0/24 gateway=Zavratec

Site B:

/ip route
add dst-address=192.168.10.0/24 gateway=wireguard1

Fourthly, the NAT masquerade rules for the .60.0 subnet on both routers aren’t necessary.

Fifthly, on Router A there are some redundant and some not well defined rules:

Redundant rules:

add action=accept chain=input comment="Povol WireGuard traffic" src-address=\
    192.168.15.0/24
add action=accept chain=input comment="Povol WireGuard traffic-Zavratec" \
    src-address=192.168.60.0/24

Rule to be refined:

add action=accept chain=forward comment="Povol presmerovane porty" \
    connection-nat-state=dstnat

to:

add action=accept chain=forward comment="Povol presmerovane porty connection-nat-state=dstnat in-interface-list=WAN

anav · June 4, 2025, 2:36pm

ROUTER A

What I saw on first glance is IP pools assigned to wireguard is WRONGO
/ip pool
add name=dhcp ranges=192.168.10.20-192.168.10.254
add name=vpn ranges=192.168.15.2-192.168.15.254
add name=vpn_zavratec ranges=192.168.60.1-192.168.60.254

Whats funny is you gave in the address for zavratec a /30 subnet yet in the pool above ( to be removed anyway ) a pool of 1-254, left hand and right hand not talking!!

Change this all to NONE, known to cause weird issues!!!
/interface detect-internet
set detect-interface-list=WAN internet-interface-list=WAN lan-interface-list=
LAN wan-interface-list=WAN
I can understand giving your personal/admin wireguard remote connection the ability to reach the router for config purposes, but I cannot understand why you do so for other remote users??
add action=accept chain=input comment=“Povol WireGuard traffic” src-address=
192.168.15.0/24
add action=accept chain=input comment=“Povol WireGuard traffic-Zavratec”
src-address=192.168.60.0/24
Something is rubbing me the wrong way with your firewall rules… they are too loosey goosey at the moment.
add action=accept chain=forward comment=“Povol vse z AL "SecureIP"”
src-address-list=SecureIP
add action=drop chain=forward comment=“Zahod vse z AL "InfrastructureIP"”
dst-address-list=InfrastructureIP

I dont get it, you play silly games with 10.x.x.1 and 10.x.x.254,
Please be clear by confirm the below is true and then detail any exceptions, with clear reasons.

You want to allow both Private WIREGUARD to local subnet
You want to allow local subnet to enter wireguard heading for the router B remote subnet.
You want remote subnet on Router B to access local subnet
You want private wireguard to reach remote subnet and remote router B for configuration.

What is the purpose of masquerading the two WIREGUARD interfaces.
The private interface is simply traffic coming in from your own devices ( admin and authorized ). There is no traffic from .15, that is going out the normal WAN
unless you want to be able to use local WAN when connecting. Please CONFIRM??

The USER wireguard interface is strictly router to router and which you control at both ends and masquerading severely limits your ability to control traffic specifically via firewall rules…

Why is UPNP enabled??
As noted what is going on here? You are routing to a local subnet from the local wireguard interface makes ZERO sense, REMOVE!

/ip route
add comment=Zavratec disabled=no distance=1 dst-address=192.168.10.0/24
gateway=192.168.60.1 routing-table=main scope=30 suppress-hw-offload=no
target-scope=10

As noted you do need a route, to tell your router where to send return traffic back to remote users on Router B, or conversely, where to send originating traffic from local users with destination of .30
/ip route
add dst-address=192.168.30.0/24 gateway=vpn_zavratec routing-table=main

As noted allowed IPs on the user vpn needs to be fixed
from:
add allowed-address=192.168.60.0/24,192.168.30.0/24 comment=“Zavratec MKTK”
endpoint-address=xxxxxx.sn.mynetname.net endpoint-port=13232
interface=Zavratec name=peerZ3 preshared-key=
“xxxxxx” public-key=
“xxxxxxx”
TO:
add allowed-address=192.168.60.2/32,192.168.30.0/24 interface=Zavratec preshared-key=
“xxxxxx” public-key=“xxxxxxx” comment=“Zavratec MKTK”

anav · June 4, 2025, 3:14pm

Rule to be refined:
add action=accept chain=forward comment="Povol presmerovane porty" \
    connection-nat-state=dstnat
to:

add action=accept chain=forward comment="Povol presmerovane porty connection-nat-state=dstnat in-interface-list=WAN

Sorry Disagree, the optimal format of the rule is correct as stated.

One defeats the purpose of port forwarding by being to cute. The rule simply alllows port forwarding and the refinements of who is allowed and ports are executed in DSTNAT rules.
If anyone wants to connect to a server from the LAN using mynetname for example, they will be blocked by your ‘cute addition’.

To OP, keep rule as is:
add action=accept chain=forward comment=“Povol presmerovane porty” connection-nat-state=dstnat

anav · June 4, 2025, 3:21pm

Router B

Same issue no pool required for wireguard.
/ip pool
add name=dhcp ranges=192.168.30.2-192.168.30.254
add name=vpn ranges=192.168.60.2-192.168.60.255
Same same with this, set to none.
/interface detect-internet
set detect-interface-list=all internet-interface-list=WAN lan-interface-list=
LAN wan-interface-list=WAN
WIREGUARD PEER SETTINGS… ITS NOT FOR LOCAL USERS!!!
allowed addresss is to identify remote users coming to this device ( allowed source addresses of incoming traffic ) OR a remote subnet where local users are heading (aka allowed remote dst-addresses )
Thus remove local subnet.
/interface wireguard peers
add allowed-address=192.168.60.0/24,192.168.10.0/24,192.168.15.0/24 endpoint-address=212.xxx.xxx.xxx endpoint-port=13232 interface=wireguard1
name=Kladno persistent-keepalive=5m preshared-key=“xxxxxx” public-key=“xxxxxx”
As noted firewall rules need work. Why do you think you need a handshake input chain rule on this device???
What you need for access to this router is any local admin users anyone from the private .15 wireguard interface and possibly the admin from his normal PC or wifi device while at router A.

/ip firewall address-list
add address=192.168.15.0/24 list=AUTHORIZED comment=“all remote admin wireguard devices”
add address=192.168.30.Z list=AUTHORIZED comment=“local admin PC”
add address=192.168.30.Y list=AUTHORIZED comment=“local admin wifi”
add address=192.168.10.X list=Authorized comment-=“remote admin pc on Router A”
add address=192.168.10.A list=Authorized comment="remote admin wifi connected device on Router A?
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment=“allow IPsec NAT” dst-port=4500
protocol=udp
add action=accept chain=input comment=“allow IKE” dst-port=500 protocol=udp
add action=accept chain=input comment=“allow l2tp” dst-port=1701 protocol=udp
add action=accept chain=input comment=“admin access” src-address-list=AUTHORIZED
add action=accept chain=input comment=“users to services” in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input comment=“users to services” in-interface-list=LAN dst-port=53 protocol=tcp
add action=drop chain=input comment=“drop all else” { add this rule here but last of all rules }
+++++++++++++++++++++++++++++++++++++++++++++
a_dd action=fasttrack-connection chain=forward connection-state=related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment=“internet traffic” in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=“wireguard incoming” dst-address=192.168.30.0/24 in-interface=wireguard1
add action=accept chain=forward comment=“wireguard outgoing” src-address=192.168.30.0/24 out-interface=wireguard1
add action=drop chain=forward comment=“drop all else”_

Same same remove masquerade rules for wireguard and ensure you ENABLE the standard rule.
/ip firewall nat
add action=masquerade chain=srcnat comment=“masq. vpn traffic” disabled=yes
out-interface=ether1
add action=masquerade chain=srcnat comment=“masq. vpn traffic” src-address=
192.168.60.0/24
Your route for wireguard is correct, need one more to let the router know where to send the other wireguard traffic.
/ip route
add comment=Zavratec dst-address=192.168.10.0/24 gateway=wireguard1 routing-table=main
add dst-address=192.168.15.0/24 gateway=wireguard1 routing-table=main
Why is UPNP enabled???

NOTE: Once I have a better understanding of wireguard requirements, which I asked for Router A, this will lead to potentially some changes (mostly on Router A, but possibly on Router B).

skypeja · June 4, 2025, 6:55pm

@TheCat12 Thank you very much! It’s working!

Yes, router B is behind a router with FW.

@anav You took it from the ground up, I have to go through your advice carefully and calmly and try to study and understand it. I am self-taught and I have always been afraid of setting up a firewall, unfortunately my knowledge is limited in this regard. I am happy for any advice. Thank you very much!