Winbox not working with Wireguard Site-to-Site VPN

Hi all,
I have three site-to-site VPNs to my home router (two L2TP and one WireGuard). I recently set up the WireGuard connection, and everything works fine except for one issue: I cannot access the remote router via Winbox. The problem occurs in both directions, and Winbox is stuck on “Logging in”. There are no problems accessing the remote routers via Winbox over the L2TP tunnels.
I’m posting a diagram to help illustrate the network topology and the configuration of both routers. Any help would be greatly appreciated.
Thanks!

Site A config:
/interface bridge
add admin-mac= arp=proxy-arp auto-mac=no comment=defconf
name=bridge
/interface wireguard
add comment=GDANSK listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp_pool ranges=
192.168.1.20-192.168.1.198,192.168.1.200-192.168.1.254
/ip dhcp-server
add address-pool=dhcp_pool interface=bridge lease-time=8h name=dhcp1
/ip smb users
set [ find default=yes ] disabled=yes
/ppp profile
set *FFFFFFFE interface-list=LAN use-encryption=default
/routing table
add disabled=no fib name=VPN-POLAND
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=all
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=15360
/interface l2tp-server server
set enabled=yes use-ipsec=required
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wifi capsman
set package-path=“” require-peer-certificate=no upgrade-policy=none
/interface wireguard peers
add allowed-address=172.16.0.2/32,192.168.88.0/24,192.168.1.0/24 interface=
wireguard1 name=wireguard public-key=
“”
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan type=A
/ip firewall address-list
add address=192.168.1.0/24 list=LAN-IP
/ip firewall filter
add action=accept chain=input comment=WIREGUARD dst-port=13231 in-interface=
ether1 protocol=udp
add action=drop chain=input comment=“DROP PING” in-interface-list=WAN
protocol=icmp
add action=accept chain=input comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=
invalid
add action=accept chain=input comment=“L2TP VPN PORTS” dst-port=500,4500,1701
protocol=udp
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input comment=
“defconf: accept to local loopback (for CAPsMAN)” dst-address=127.0.0.1
add action=drop chain=input comment=“defconf: drop all not coming from LAN”
in-interface-list=!LAN
add action=accept chain=forward comment=“defconf: accept in ipsec policy”
ipsec-policy=in,ipsec
add action=accept chain=forward comment=“defconf: accept out ipsec policy”
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack”
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=
“defconf: accept established,related, untracked” connection-state=
established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid”
connection-state=invalid
add action=drop chain=forward comment=
“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark=
“VPN TO POLAND” src-address=192.168.1.5
add action=mark-routing chain=prerouting connection-mark=“VPN TO POLAND”
new-routing-mark=VPN-POLAND
/ip firewall nat
add action=masquerade chain=srcnat out-interface=wireguard1
add action=masquerade chain=srcnat out-interface=ether1
/ip firewall raw
add action=notrack chain=prerouting comment=“SITE-2-SITE VPN GDANSK”
dst-address=192.168.88.0/24 src-address=192.168.1.0/24
add action=notrack chain=prerouting comment=“SITE-2-SITE VPN GDANSK”
dst-address=192.168.1.0/24 src-address=192.168.88.0/24
add action=notrack chain=prerouting comment=“SITE-2-SITE VPN BAGNA”
dst-address=192.168.188.0/24 src-address=192.168.1.0/24
add action=notrack chain=prerouting comment=“SITE-2-SITE VPN BAGNA”
dst-address=192.168.1.0/24 src-address=192.168.188.0/24
add action=notrack chain=prerouting comment=“SITE-2-SITE VPN BRIGHTON”
dst-address=192.168.3.0/24 src-address=192.168.1.0/24
add action=notrack chain=prerouting comment=“SITE-2-SITE VPN BRIGHTON”
dst-address=192.168.1.0/24 src-address=192.168.3.0/24
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add comment=“VPN-POLAND FOR IP .116 AND .5” disabled=no distance=1
dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=VPN-POLAND scope=
30 suppress-hw-offload=no target-scope=10
add comment=VPN disabled=no dst-address=192.168.3.0/24 gateway=10.10.3.2
routing-table=main suppress-hw-offload=no
add comment=BAGNA disabled=no dst-address=192.168.188.0/24 gateway=10.10.4.2
routing-table=main suppress-hw-offload=no
add disabled=no dst-address=192.168.88.0/24 gateway=172.16.0.2 routing-table=
main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set www-ssl certificate=SSL-Self-signed disabled=no tls-version=only-1.2
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/ipv6 firewall address-list
add address=::/128 comment=“defconf: unspecified address” list=bad_ipv6
add address=::1/128 comment=“defconf: lo” list=bad_ipv6
add address=fec0::/10 comment=“defconf: site-local” list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment=“defconf: ipv4-mapped” list=bad_ipv6
add address=::/96 comment=“defconf: ipv4 compat” list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment=“defconf: documentation” list=bad_ipv6
add address=2001:10::/28 comment=“defconf: ORCHID” list=bad_ipv6
add address=3ffe::/16 comment=“defconf: 6bone” list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=
invalid
add action=accept chain=input comment=“defconf: accept ICMPv6” protocol=
icmpv6
add action=accept chain=input comment=“defconf: accept UDP traceroute” port=
33434-33534 protocol=udp
add action=accept chain=input comment=
“defconf: accept DHCPv6-Client prefix delegation.” dst-port=546 protocol=
udp src-address=fe80::/10
add action=accept chain=input comment=“defconf: accept IKE” dst-port=500,4500
protocol=udp
add action=accept chain=input comment=“defconf: accept ipsec AH” protocol=
ipsec-ah
add action=accept chain=input comment=“defconf: accept ipsec ESP” protocol=
ipsec-esp
add action=accept chain=input comment=
“defconf: accept all that matches ipsec policy” ipsec-policy=in,ipsec
add action=drop chain=input comment=
“defconf: drop everything else not coming from LAN” in-interface-list=
!LAN
add action=accept chain=forward comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid”
connection-state=invalid
add action=drop chain=forward comment=
“defconf: drop packets with bad src ipv6” src-address-list=bad_ipv6
add action=drop chain=forward comment=
“defconf: drop packets with bad dst ipv6” dst-address-list=bad_ipv6
add action=drop chain=forward comment=“defconf: rfc4890 drop hop-limit=1”
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment=“defconf: accept ICMPv6” protocol=
icmpv6
add action=accept chain=forward comment=“defconf: accept HIP” protocol=139
add action=accept chain=forward comment=“defconf: accept IKE” dst-port=
500,4500 protocol=udp
add action=accept chain=forward comment=“defconf: accept ipsec AH” protocol=
ipsec-ah
add action=accept chain=forward comment=“defconf: accept ipsec ESP” protocol=
ipsec-esp
add action=accept chain=forward comment=
“defconf: accept all that matches ipsec policy” ipsec-policy=in,ipsec
add action=drop chain=forward comment=
“defconf: drop everything else not coming from LAN” in-interface-list=
!LAN
/ppp secret
add local-address=192.168.1.1 name=adam remote-address=192.168.1.3 service=
l2tp
add local-address=10.10.3.1 name=BRIGHTON profile=default-encryption
remote-address=10.10.3.2 service=l2tp
add local-address=192.168.1.1 name=POLAND remote-address=192.168.1.5 service=
l2tp
add local-address=10.10.4.1 name=bagna remote-address=10.10.4.2 service=l2tp
/routing rule
add action=lookup disabled=no src-address=192.168.1.116/32 table=VPN-POLAND
add action=lookup disabled=yes src-address=192.168.1.98/32 table=VPN-POLAND
add action=lookup-only-in-table comment=“ANY REMOTE LAPTOP” disabled=no
src-address=192.168.1.5/32 table=VPN-POLAND
/system identity
set name=“Default Gateway”
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
set enabled=yes
/tool sniffer
set filter-dst-ip-address=192.168.88.1/32 filter-interface=*F00009
filter-src-ip-address=192.168.1.1/32


SITE B CONFIG

/interface bridge
add arp=proxy-arp comment=defconf name=bridge port-cost-mode=short
/interface ethernet
set [ find default-name=ether2 ] comment=“POSSIBLY FAULTY” disabled=yes
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods=“” mode=
dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool3 ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=dhcp_pool3 interface=bridge name=dhcp1
/routing table
add disabled=no fib name=VPN-POLAND
add disabled=no fib name=NETFLIX
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2
internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=172.16.0.1/32,192.168.1.0/24,0.0.0.0/0 endpoint-address=
endpoint-port=13231 interface=wireguard1
name=wireguard persistent-keepalive=10s public-key=
“”
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=
192.168.88.0
add address=172.16.0.2/30 interface=wireguard1 network=172.16.0.0
/ip arp
add address=192.168.88.253 comment=TV interface=bridge mac-address=

/ip dhcp-client
add default-route-distance=2 interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=Wireguard dst-port=13231 in-interface=
ether1 protocol=udp
add action=accept chain=input comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=
invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input comment=
“defconf: accept to local loopback (for CAPsMAN)” dst-address=127.0.0.1
add action=drop chain=input comment=“defconf: drop all not coming from LAN”
in-interface-list=!LAN
add action=accept chain=forward comment=“defconf: accept in ipsec policy”
ipsec-policy=in,ipsec
add action=accept chain=forward comment=“defconf: accept out ipsec policy”
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack”
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=
“defconf: accept established,related, untracked” connection-state=
established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid”
connection-state=invalid
add action=drop chain=forward comment=
“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-routing chain=output dst-address=192.168.1.0/24 dst-port=8291
new-routing-mark=NETFLIX passthrough=yes protocol=tcp src-address=
192.168.88.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=wireguard1
add action=masquerade chain=srcnat comment=“defconf: masquerade”
ipsec-policy=out,none out-interface-list=WAN
/ip firewall raw
add action=notrack chain=prerouting dst-address=192.168.1.0/24 src-address=
192.168.88.0/24
add action=notrack chain=prerouting dst-address=192.168.88.0/24 src-address=
192.168.1.0/24
/ip firewall service-port
set sip disabled=yes
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add comment=“ROUTE VPN FROM POLAND” disabled=no distance=1 dst-address=
0.0.0.0/0 gateway=192.168.0.1 routing-table=VPN-POLAND scope=30
suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.1.0/24 gateway=wireguard1
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.0.1
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
vrf-interface=ether1
add comment=“NETFLIX VIA WIREGUARD” disabled=no distance=1 dst-address=
0.0.0.0/0 gateway=wireguard1 routing-table=NETFLIX scope=30
suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.1.1/32
set www-ssl address=192.168.88.0/24,192.168.1.0/24 certificate=server
disabled=no port=54321
set api disabled=yes
set api-ssl certificate=server disabled=yes
/routing rule
add action=lookup-only-in-table disabled=no src-address=192.168.1.116/32
table=VPN-POLAND
add action=lookup-only-in-table disabled=no src-address=192.168.1.5/32 table=
VPN-POLAND
add action=lookup-only-in-table disabled=no interface=bridge src-address=
192.168.88.0/24 table=NETFLIX
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=GDANSK
/system leds
add leds=user-led type=on
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
set enabled=yes
diagram.jpg

Nice first post.
Typically the issue is one of:
a. WireGuard peers configured incorrectly
b. firewall rules that do not allow the access

Let's review.
By the way, if IPv6 is not being used, remove all the noise.
This is a good start, but remove all the IPv6 firewall address lists and reduce the IPv6 filter rules to only these two:
add chain=input action=drop
add chain=forward action=drop

The WireGuard peer on the main router is incorrect. Remember that a peer's allowed-address identifies REMOTE devices/users (whether they are the target of local users or are inbound to your router).
Get rid of the local subnet (192.168.1.0/24)!
/interface wireguard peers
add allowed-address=172.16.0.2/32,192.168.88.0/24,192.168.1.0/24 interface=
wireguard1 name=wireguard public-key=“”

I do not recommend using source NAT for router-to-router traffic where you control the subnets and firewall rules on both ends… so remove this rule.
It makes sense when using a third-party VPN where you are given only a single IP address.

/ip firewall nat
add action=masquerade chain=srcnat out-interface=wireguard1

I do recommend adding the WireGuard interface to the LAN interface list…
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=wireguard1 list=LAN
add comment=defconf interface=ether1 list=WAN

You will need a route for each remote subnet listed in the WireGuard peer's allowed-address… this is a good cross-check, in that the two should match!
/ip route
add dst-address=192.168.88.0/24 interface=wireguard1 routing-table=main

( NOT: add disabled=no dst-address=192.168.88.0/24 gateway=172.16.0.2 routing-table=
main suppress-hw-offload=no
)

Let's clean up the firewall rules, simplify them, and get rid of unhelpful rules (keep each chain's rules together).
/ip firewall filter
{ default rules to keep }
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address=127.0.0.1

(admin rules)
add action=accept chain=input comment=“L2TP VPN PORTS” dst-port=500,4500,1701 protocol=udp
add action=accept chain=input comment=WIREGUARD dst-port=13231 protocol=udp
add action=drop chain=input comment=“defconf: drop all not coming from LAN”
in-interface-list=!LAN

++++++++++++++++++++++++++++++++++++++++++++++++++++
{ default rules to keep }
add action=accept chain=forward comment=“defconf: accept in ipsec policy” ipsec-policy=in,ipsec
add action=accept chain=forward comment=“defconf: accept out ipsec policy” ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid

(admin rules)
add action=accept chain=forward comment=“internet traffic” in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=“port forwarding” connection-nat-state=dstnat
add action=drop chain=forward comment=“Drop all else”

Now let's insert the missing rules for WireGuard traffic.
++++++++++++++++++++++++++++++++++++++++++++++++++++
{ default rules to keep }
add action=accept chain=forward comment=“defconf: accept in ipsec policy” ipsec-policy=in,ipsec
add action=accept chain=forward comment=“defconf: accept out ipsec policy” ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid

(admin rules)
add action=accept chain=forward comment=“internet traffic” in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=“remote subnet and remote admin to local subnet” in-interface=wireguard1 dst-address=192.168.1.0/24
add action=accept chain=forward comment=“local users to remote subnet” out-interface=wireguard1 dst-address=192.168.88.0/24

add action=accept chain=forward comment=“relay remote admin to remote router” in-interface=wireguard1 out-interface=wireguard1
add action=accept chain=forward comment=“port forwarding” connection-nat-state=dstnat
add action=drop chain=forward comment=“Drop all else”

Now it should be becoming clearer to you that:
a. the admin should have remote access to both routers for configuration purposes, and possibly to the LAN subnets as well. The relay rule above allows the admin on his laptop at a café to WireGuard into the main router and then reach the site B router.
b. the admin could be at site A, at site B, or remote, and needs access in each case.
c. users are also on the WireGuard tunnel, and they never need access to the router itself.
Conclusion: some refinement of security is needed, and the easiest way is to define the authorized admin addresses on both devices; the list will be basically identical on each. Use host entries (/32, or no mask) in this list: a RouterOS address-list entry such as 172.16.0.3/24 matches the whole 172.16.0.0/24 network, which would authorize every WireGuard user rather than just the admin.

/ip firewall address-list ( good for both devices !! )
add address=192.168.1.X list=Authorized comment=“admin at site A - desktop”
add address=192.168.1.Y list=Authorized comment=“admin at site A - laptop”
add address=192.168.1.Z list=Authorized comment=“admin at site A - smartphone/ipad”
add address=192.168.88.A list=Authorized comment=“admin at site B - desktop”
add address=192.168.88.B list=Authorized comment=“admin at site B - laptop”
add address=192.168.88.C list=Authorized comment=“admin at site B - smartphone/ipad”
add address=172.16.0.3/24 list=Authorized comment=“remote admin - laptop”
add address=172.16.0.4/24 list=Authorized comment=“remote admin - smartphone/ipad”
add address=172.16.0.5/24 list=Authorized comment=“remote admin - home desktop”

(admin rules)
add action=accept chain=input comment=“L2TP VPN PORTS” dst-port=500,4500,1701 protocol=udp
add action=accept chain=input comment=WIREGUARD dst-port=13231 protocol=udp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1

add action=accept chain=input comment=“admin access” in-interface-list=LAN src-address-list=Authorized
add action=accept chain=input comment=“users to services” in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input comment=“users to services” in-interface-list=LAN dst-port=53 protocol=tcp
add action=drop chain=input comment=“Drop all else”
{ insert this rule here but only after all other rules confirmed in place! }

/ip neighbor discovery-settings
set discover-interface-list=LAN
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Also, assuming you may use up to five WireGuard peer IPs, change this to:
/ip address
add address=172.16.0.2**/29** interface=wireguard1 network=172.16.0.0

=========================================================================
Site B:

The WireGuard peers are again incorrect…
You need to be clear about your intentions, because you had 0.0.0.0/0 as one of your entries. This implies that the users on the site B subnet should be able to reach the internet via the main site.
Nothing else in the config indicates this, though. If that is the intent, then the ONLY entry required is 0.0.0.0/0, as it already covers the other entries in the peer's allowed-address. There are only two possibilities:

/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address= endpoint-port=13231 interface=wireguard1
name=wireguard persistent-keepalive=10s public-key=

OR
/interface wireguard peers
add allowed-address=172.16.0.0/29,192.168.1.0/24 endpoint-address= endpoint-port=13231 interface=wireguard1
name=wireguard persistent-keepalive=10s public-key=

and of course this change needed:
/ip address
add address=172.16.0.1**/29** interface=wireguard1 network=172.16.0.0

Matching the allowed-address (whether 192.168.1.0/24 is hidden inside 0.0.0.0/0 or listed explicitly), you need a route:
/ip route
add dst-address=192.168.1.0/24 gateway=wireguard1 routing-table=main

Additional changes:

/interface list member
add comment=defconf interface=bridge list=LAN
add interface=wireguard1 list=LAN
add comment=defconf interface=ether1 list=WAN

/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Not sure if this is an error or on purpose…
/ip dns static
add address=192.168**.1.1** comment=defconf name=router.lan type=A

Either change it to 192.168.88.1, or preferably remove it; it is not required.

Remove wireguard sourcenat rule…
/ip firewall nat
add action=masquerade chain=srcnat out-interface=wireguard1

WHY??? This device is the client peer for the handshake and initiates the connection, so it does not need an inbound accept rule — REMOVE!
add action=accept chain=input comment=Wireguard dst-port=13231 in-interface=
ether1 protocol=udp

Rest of firewall rules will be very similar to ABOVE.
/ip firewall address-list ( good for both devices !! )
add address=192.168.1.X list=Authorized comment=“admin at site A - desktop”
add address=192.168.1.Y list=Authorized comment=“admin at site A - laptop”
add address=192.168.1.Z list=Authorized comment=“admin at site A - smartphone/ipad”
add address=192.168.88.A list=Authorized comment=“admin at site B - desktop”
add address=192.168.88.B list=Authorized comment=“admin at site B - laptop”
add address=192.168.88.C list=Authorized comment=“admin at site B - smartphone/ipad”
add address=172.16.0.3/24 list=Authorized comment=“remote admin - laptop”
add address=172.16.0.4/24 list=Authorized comment=“remote admin - smartphone/ipad”
add address=172.16.0.5/24 list=Authorized comment=“remote admin - home desktop”

/ip firewall filter
{ default rules to keep }
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address=127.0.0.1

(admin rules)
add action=accept chain=input comment=“admin access” in-interface-list=LAN src-address-list=Authorized
add action=accept chain=input comment=“users to services” in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input comment=“users to services” in-interface-list=LAN dst-port=53 protocol=tcp
add action=drop chain=input comment=“Drop all else” { insert this rule here but only after all other rules confirmed in place! }
+++++++++++++++++++++++++++
{ default rules to keep }
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid

(admin rules)
add action=accept chain=forward comment=“internet traffic” in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=“remote subnet and remote admin to local subnet” in-interface=wireguard1 dst-address=192.168.88.0/24
add action=accept chain=forward comment=“local users to remote subnet” out-interface=wireguard1 dst-address=192.168.1.0/24
add action=accept chain=forward comment=“port forwarding” connection-nat-state=dstnat
add action=drop chain=forward comment=“Drop all else”

+++++++++++++++++++++++++++++++++++++++

On site B we have now instituted proper access control to the subnets and to the router configuration (by the way, I highly suggest you change the default Winbox port as a standard security practice; it cuts down on scanner noise, but it is not a substitute for the Authorized address list above).
SO
REMOVE all the mangle and netflix garbage.
add comment=“NETFLIX VIA WIREGUARD” disabled=no distance=1 dst-address=
0.0.0.0/0 gateway=wireguard1 routing-table=NETFLIX scope=30
suppress-hw-offload=no target-scope=10

/ip firewall mangle
add action=mark-routing chain=output dst-address=192.168.1.0/24 dst-port=8291
new-routing-mark=NETFLIX passthrough=yes protocol=tcp src-address=
192.168.88.1

Thank you for reviewing my config. It is a massive help. I will go through your notes and apply changes accordingly.

Just to clarify the intention of the WireGuard tunnel: all the devices on site B should send their internet traffic through the tunnel and be masqueraded with site A's public IP address, hence the srcnat rule. Sorry, I should have mentioned that in my first post. That’s why I have the NETFLIX mangle rules, routing table and routing rules.

Not required!
The reason is that traffic from router B enters router A at roughly the LAN level.
Because we made the WireGuard interface a member of the LAN interface list, the firewall rules that reference the LAN list also apply to WireGuard traffic.
This means that in the forward chain,
add chain=forward action=accept comment=“internet traffic” in-interface-list=LAN out-interface-list=WAN

This allows the local LAN subnets, and also incoming WireGuard users, out the WAN interface.
Due to the source NAT rule
add chain=srcnat action=masquerade out-interface-list=WAN
all traffic leaving the router is NATed and gets the public IP address of the router.

Summary: all your netflix stuff/mangles is NOT required.

Correct me if I am wrong, but with the above rule all devices on the LAN behind router B would be reaching the internet with the public IP of site B, right?

I want to avoid that and make sure that only site A's public IP is used.

I understand that the WireGuard interface is now part of the LAN interface list; however, surely I need a rule that routes the traffic out to the internet through the WireGuard tunnel. My understanding is that if I remove the mangle/NETFLIX rules, the traffic will be masqueraded with site B's public IP.