WG road warrior cannot access LAN

Hello everyone,

I was trying to set up the WireGuard server on my MikroTik device so that I could access my local network remotely. I almost succeeded: I can make a connection from my external device to the MikroTik router and successfully ping it, but I cannot ping any other device on the local network. When looking at the packet counters in the firewall, I can see the packets reaching the forward rule, so the problem might be on the return path back to the remote device?
Screenshot 2025-04-23 213329.png
To my surprise, it works the other way around (I can ping the remote device 192.168.87.2 from my local network machine at 192.168.88.26). Any help and/or suggestion on improving my router configuration is appreciated!
Please find the network diagram and router config export attached below. The wireguard in question is the one with rw-wg name.
Screenshot 2025-04-23 212949.png

# 2025-04-23 21:37:00 by RouterOS 7.17
# model = RB750Gr3
#
# Reviewed export. Two WireGuard interfaces exist: rw-wg is the road-warrior
# endpoint (UDP 33627, router address 192.168.87.1/24) and wireguard-pia is an
# outbound client tunnel that only 192.168.88.117 is steered into via the PIA
# routing table. The /routing rule near the end is what misroutes replies from
# 192.168.88.117 back to the road warrior; see the comment there.
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
/interface ethernet
# ether3-5 are disabled even though they are still bridge ports below.
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
/interface wireguard
# rw-wg: road-warrior server. wireguard-pia: client tunnel to the PIA peer.
add listen-port=33627 mtu=1420 name=rw-wg
add listen-port=13231 mtu=1420 name=wireguard-pia
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/queue type
add kind=pcq name=LimitDownload pcq-classifier=dst-address pcq-rate=150M
add kind=pcq name=LimitUpload pcq-classifier=src-address pcq-rate=100M
/queue simple
add comment="Limit UP/DOWN based on PCQ queue type" name=queue1 queue=\
    LimitUpload/LimitDownload target=192.168.88.0/24
/routing table
# Separate FIB used to push 192.168.88.117's traffic into the PIA tunnel.
add disabled=no fib name=PIA
/system logging action
# All remote logging goes to 192.168.88.117, the same host the road warrior
# is trying to reach.
set 3 remote=192.168.88.117 src-address=192.168.88.1
add bsd-syslog=yes name=RemoteError remote=192.168.88.117 src-address=\
    192.168.88.1 syslog-severity=error target=remote
add bsd-syslog=yes name=RemoteWarning remote=192.168.88.117 src-address=\
    192.168.88.1 syslog-severity=warning target=remote
add bsd-syslog=yes name=RemoteInfo remote=192.168.88.117 src-address=\
    192.168.88.1 syslog-severity=info target=remote
add bsd-syslog=yes name=RemoteCritical remote=192.168.88.117 src-address=\
    192.168.88.1 syslog-severity=critical target=remote
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 \
    internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
# Neighbor discovery is off on every interface (hardening).
set discover-interface-list=none
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
# Only the bridge is in LAN; rw-wg is in neither list, so the input chain's
# final "drop all not coming from LAN" rule applies to the road warrior.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
# auth lists md5, which is a weak choice; whether this instance is enabled is
# not visible here. No input rule accepts its port, so with the final input
# drop in place it is not reachable from outside the LAN list anyway. Remove
# the instance if OVPN is unused.
add auth=sha1,md5 mac-address=XX:XX:XX:XX:XX:XX name=ovpn-server1
/interface wireguard peers
# peer1: the PIA server. allowed-address=0.0.0.0/0 lets any destination be sent
# into it; only the PIA routing table actually routes there.
add allowed-address=0.0.0.0/0 endpoint-address=xxx.xxx.xxx.xxx endpoint-port=\
    xxxx interface=wireguard-pia name=peer1 persistent-keepalive=25s \
    public-key="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
# peer3: the road warrior. allowed-address is pinned to its single tunnel IP,
# so nothing else can be sourced through rw-wg. The private-key stored here is
# the client's key (presumably kept for client-config generation) - it is a
# secret and must stay masked in any export that is shared, as it is here.
add allowed-address=192.168.87.2/32 interface=rw-wg \
    name=peer3 private-key="xxxxxxxxxxxxxxxxxxxxxxxxxx" \
    public-key="xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=xxx.xxx.xxx.xxx interface=wireguard-pia network=xxx.xxx.xxx.0
# This address creates the connected route for 192.168.87.0/24 in the main
# table; the PIA table has no such route.
add address=192.168.87.1/24 interface=rw-wg network=192.168.87.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=9.9.9.9 gateway=\
    192.168.88.1
/ip dns
set servers=9.9.9.9
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
# input chain, in order: established/related, drop invalid, ICMP from anywhere
# (this is why the road warrior can ping 192.168.87.1), loopback, the WG port,
# then drop everything whose in-interface is not in the LAN list.
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# log=yes logs every packet that reaches this rule (anything the
# established,related rule above did not already accept) from any source, and
# it feeds the remote syslog. Consider adding connection-state=new or removing
# the log once the tunnel is confirmed working.
add action=accept chain=input comment=\
    "Allow incoming wireguard RW connection" dst-port=33627 log=yes \
    log-prefix=wg-rw- protocol=udp
# rw-wg is not in LAN, so anything else the road warrior sends to the router
# itself (DNS, Winbox, SSH) is dropped here.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# forward chain: note there is no catch-all drop at the end, so anything not
# matched by the two targeted drops below is forwarded by the default policy
# (that is why LAN -> road warrior works without an explicit rule).
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
# Only 192.168.88.117 may send into the PIA tunnel (paired with the srcnat
# masquerade further down).
add action=accept chain=forward comment=\
    "allow traffic from server to PIA VPN" out-interface=wireguard-pia \
    src-address=192.168.88.117
# Road warrior -> whole LAN is allowed. Narrow dst-address to the hosts that
# are actually needed if the client does not need the full subnet. Packets from
# rw-wg to destinations outside 192.168.88.0/24 are not matched here and, with
# no final drop, would be forwarded (and masqueraded out WAN) should the client
# ever route them through the tunnel - add an explicit drop if unintended.
add action=accept chain=forward comment=\
    "Allow access to internal network from RW WG" dst-address=192.168.88.0/24 \
    in-interface=rw-wg
# "GoogleTV Allowed" and "MPC,VPC,MS, MM, VM" are address-list names; the lists
# themselves are not present in this export - confirm they exist on the router,
# otherwise these rules never match.
add action=accept chain=forward comment="Allow from GoogleTV allow list" \
    dst-address-list="GoogleTV Allowed" src-address=192.168.88.41
add action=drop chain=forward comment=\
    "Drop any other communication from GoogleTV" src-address=192.168.88.41
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related dst-address-list=\
    "MPC,VPC,MS, MM, VM" hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log=yes log-prefix=invalid
# Blocks unsolicited WAN -> LAN; does not apply to rw-wg or wireguard-pia since
# neither is in the WAN list.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# Anti-spoofing for the bridge side.
add action=drop chain=forward comment=\
    "Drop packets from LAN that do not have LAN IP" in-interface=bridge log=\
    yes log-prefix=LAN_!LAN src-address=!192.168.88.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# With the routing rule below in effect, 192.168.88.117's replies toward
# 192.168.87.0/24 are presumably routed out wireguard-pia and so also hit this
# masquerade instead of going back through rw-wg.
add action=masquerade chain=srcnat out-interface=wireguard-pia src-address=\
    192.168.88.117
/ip firewall service-port
set ftp disabled=yes
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
# The PIA table holds only this default route; a lookup restricted to it has
# no route for the road-warrior subnet 192.168.87.0/24.
add disabled=no distance=10 dst-address=0.0.0.0/0 gateway=wireguard-pia \
    pref-src=0.0.0.0 routing-table=PIA scope=30 suppress-hw-offload=no \
    target-scope=10
/ip service
# Management is limited to the LAN subnet; the road-warrior subnet
# 192.168.87.0/24 is excluded here and is also dropped by the input chain.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.88.0/24
set www-ssl address=192.168.88.0/24 certificate=pubkey disabled=no
set api disabled=yes
set winbox address=192.168.88.0/24
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/ip ssh
set strong-crypto=yes
/routing bfd configuration
add disabled=no
/routing rule
# Root cause of the reported problem: lookup-only-in-table makes every packet
# from 192.168.88.117 be routed from the PIA table alone, including replies to
# the road warrior at 192.168.87.0/24, which therefore go into the PIA tunnel
# rather than back out rw-wg. Packets from the road warrior do reach the
# forward chain (the counters increment, per the post); only the return path
# is misrouted. Fix confirmed in the thread: a plain lookup rule for
# dst-address=192.168.87.0/24 table=main for this source, ordered before this
# rule.
add action=lookup-only-in-table disabled=no src-address=192.168.88.117/32 \
    table=PIA
/system identity
set name=RouterOS
/system logging
# Firewall topics (including the wg-rw- accept log above) are sent to the
# remote host through RemoteInfo.
add action=RemoteInfo prefix=mikrotik topics=info
add action=RemoteError prefix=mikrotik topics=error
add action=RemoteInfo prefix=mikrotik topics=firewall
add action=RemoteCritical prefix=mikrotik topics=critical
add action=RemoteWarning disabled=yes prefix=vlg topics=firewall
/system note
set show-at-login=no
/tool bandwidth-server
set enabled=no
/tool mac-server
# MAC-telnet is off everywhere; MAC-Winbox remains allowed on the LAN list.
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no
/tool netwatch
# Disabled. When enabled it would switch the DHCP-advertised DNS server to
# 192.168.88.117 while that host answers, and back to 9.9.9.9 when it does not.
add disabled=yes down-script=\
    "/ip dhcp-server/network/set 0 dns-server=9.9.9.9" host=192.168.88.117 \
    http-codes="" interval=30s test-script="" type=simple up-script=\
    "/ip dhcp-server/network/set 0 dns-server=192.168.88.117"

What are the devices in your LAN (192.168.88.0/24) running? If they are running Windows, then by default they won't answer pings from other subnets. If you are trying to ping the specific server at 192.168.88.117, then with your current config that won't work either (because of the routing configuration).

What are the devices in your LAN (192.168.88.0/24) running? If they are running Windows, then by default they won't answer pings from other subnets.

Those are mostly Windows machines, so I guess I won't be able to ping them — thanks for the info!


If you are trying to ping the specific server at 192.168.88.117, then with your current config that won't work either (because of the routing configuration).

Indeed this is the main device I am trying to reach. Thank you for pointing me in the right direction with the routing! I added the routing entry below and it seems to be working as expected now. Nice catch!

# Confirmed fix: for 192.168.88.117 only, destinations in the road-warrior
# subnet are looked up in the main table (which holds the connected route for
# rw-wg) instead of being forced into PIA. It only takes effect if it is
# evaluated before the existing lookup-only-in-table rule; a plain add appends
# at the end of the list, so check the order on the device (e.g. add it with
# place-before=0, or move it above the PIA rule).
add action=lookup disabled=no dst-address=192.168.87.0/24 src-address=192.168.88.117/32 table=main