Winbox over wireguard

I am trying to access the mtik (mAP-001) using winbox at its wireguard IP of 192.168.32.5 through a Cloud Hosted Router (CHR) with a wireguard IP of 192.168.32.1 via its (CHR) WAN IP.

It would be nice if I could just connect to CHR RoMon and see MAP-001 and connect to it, but I’m unsure how to make this happen, could someone please help? Thanks for your kindness. :slight_smile:

CHR config:

/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip neighbor discovery-settings
set discover-interface-list=all
/interface list member
add comment=defconf interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=192.168.22.0/24 interface=wireguard1 name=peer2
public-key="xxxx"
add allowed-address=192.168.32.0/24 disabled=yes interface=wireguard1 name=
MAP-001 public-key="xxxx"
add allowed-address=192.168.32.0/24 disabled=yes interface=wireguard1 name=
laptop public-key="xxxx"
add allowed-address=192.168.32.0/24 interface=wireguard1 name=mAP-001
public-key="xxx"
/ip address
add address=192.168.32.1/24 interface=wireguard1 network=192.168.32.0
add address=192.168.22.1/24 interface=wireguard1 network=192.168.22.0
/ip dhcp-client
add interface=ether1
/ip firewall filter
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="remote access" dst-port=8291 protocol=
tcp
add action=accept chain=input comment=
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN"
disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy"
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy"
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=
"defconf: accept established,related, untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
add action=drop chain=forward comment=
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes
ipsec-policy=out,none out-interface-list=WAN
/ip service
set ftp disabled=yes
set ssh disabled=yes
set telnet disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name=CHR-001
/system ntp client
set enabled=yes
/system ntp client servers
add address=pool.ntp.org
/tool bandwidth-server
set authenticate=no enabled=no

mAP-001 config:

/interface bridge
add admin-mac=08:55:31:xx:xx:xx auto-mac=no comment=defconf name=bridge
port-cost-mode=short
add name=bridge-WAN
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] name=ether2-ATA
/interface wireguard
add listen-port=13231 mtu=1420 name=wg1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=xxxx
supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n channel-width=20/40mhz-XX
country="united states3" disabled=no frequency=auto mode=ap-bridge name=
wlan1-WAN security-profile=xxxx ssid=xxxx
wps-mode=disabled
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
/interface bridge port
add bridge=bridge-WAN comment=defconf ingress-filtering=no interface=
ether2-ATA internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=pwr-line1
internal-path-cost=10 path-cost=10
add bridge=bridge-WAN interface=ether1-WAN
add bridge=bridge-WAN interface=wlan1-WAN
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=wlan1-WAN list=WAN
add comment=defconf interface=wg1 list=LAN
add interface=ether1-WAN list=WAN
/interface ovpn-server server
add auth=sha1,md5 mac-address=FE:63:00:4C:0E:00 name=ovpn-server1
/interface wireguard peers
add allowed-address=192.168.32.1/32 endpoint-address=CHR-001
endpoint-port=13231 interface=wg1 name=CHR-001 public-key=
"xxxx"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=
192.168.88.0
add address=192.168.32.5/24 interface=wg1 network=192.168.32.0
/ip dhcp-client
# Interface not active
add comment=defconf interface=wlan1-WAN
# DHCP client can not run on slave or passthrough interface!
add interface=ether1-WAN
add default-route-tables=main interface=bridge-WAN
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=drop chain=input dst-port=22 protocol=tcp src-address=
!192.168.32.1
add action=accept chain=input comment="remote access" dst-port=8291 protocol=
tcp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN"
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy"
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy"
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=
"defconf: accept established,related, untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
add action=drop chain=forward comment=
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade"
ipsec-policy=out,none out-interface-list=WAN
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip service
set ftp disabled=yes
set telnet disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name=mAP-001
/system scheduler
add name=schedule1 on-event="ping 192.168.32.1" policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
start-time=startup
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
set enabled=yes

ONLY Changes shown:
I will comment that your input chain rule for winbox is a very bad idea and will get you hacked eventually, especially using the default winbox port. I recommend you change that to something else, and we don't need to see what it is...
You have multiple wireguard clients besides the map. Just for the example's sake I will assume that 22.2 is a worker bee that simply needs access to a subnet on the MAP, whereas the two addresses on 32.2 and 32.3 are admin devices (laptop and ipad for example). If all are admin clients then one does not really need the additional separation of a firewall address-list to split off those on the wireguard interface who are just worker bees from who is the admin. It's just an example and you can massage as needed.

fw rules need work and proper order

/interface list
add comment=defconf name=WAN
add comment=defconf name=MANAGE
/ip neighbor discovery-settings
set discover-interface-list=MANAGE
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=wireguard1 list=MANAGE
/interface wireguard peers
add allowed-address=192.168.22.2/24 interface=wireguard1 name=peer2
public-key="xxxx"
add allowed-address=192.168.32.2/24 interface=wireguard1 name=
PIAB-001 public-key="xxxx"
add allowed-address=192.168.32.3/24 disabled=yes interface=wireguard1 name=
laptop public-key="xxxx"
add allowed-address=192.168.32.4/**24 interface=wireguard1 name=mAP-001
public-key="xxx"
/ip firewall address-list
add address=192.168.32.2/32 list=Authorized
add address=192.168.32.3/32 list=Authorized
/ip firewall filter
{ default rules to keep }
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address=127.0.0.1
(admin rules)
add action=accept chain=input comment="admin access via wg" **
in-interface-list=MANAGE src-address-list=Authorized

add action=drop chain=input comment="drop all else" { add this rule here but last of all rules }
++++++++++++++++++++++++++++++++++++++++++++
{ default rules to keep }
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="relay rule for wireguard traffic" **
in-interface=wireguard1 out-interface=wireguard1

add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
disabled=yes { enable if required or remove }
add action=drop chain=forward comment="drop all else"
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MANAGE

Tried to look at MAP but confused by bridge WAN? Why two bridges, and what is it about WAN that needs a bridge, is this dual WAN, or WAN coming in a WIFI link??
I thought WAN was cellular LTE ??
Clearly you have WAN issues from what your router is reporting ( interface not active etc. )

Interface not active
DHCP client can not run on slave or passthrough interface!

In terms of wireguard, here is where we can fix some things:

/interface wireguard peers
add allowed-address=192.168.32.0/24 endpoint-address=CHR-001
endpoint-port=13231 interface=wg1 name=CHR-001 public-key="xxxx"
persistent-keep-alive=30s

Also very bad and not safe...
add action=accept chain=input comment="remote access" dst-port=8291 protocol=tcp

change to
/ip firewall address-list
add address=192.168.32.2/32 list=Authorized comment="admin wireguard remote1"
add address=192.168.32.3/32 list=Authorized comment="admin wireguard remote2"
etc.
add address=192.168.88.X list=Authorized comment="admin wired PC local"
add address=192.168.88.Y list=Authorized comment="admin wifi local"

THEN replace the 8291 rule with
add action=accept chain=input comment="admin access" src-address-list=Authorized

and don't forget to change the winbox port to something not standard!!!!!

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Firewall rules should be a direct copy of what I provided above for the CHR except clearly there will be no relay rule and you should replace it with the following rule:

add action=accept chain=forward comment="allow incoming WG" in-interface=wg1
dst-address=192.168.88.0/24

+++++++++++++++++++++++++++++++++++++++

Since all user incoming on the mAP are remote clients with source address already known to the MAP ( aka the wireguard address), there are no extra required routes.

It would appear that you don't use the WAN of the CHR for any outgoing traffic from any clients.
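As an added example that is not from the thread or from any poster's config, here is a small Python linter for the two input-chain problems raised above: a Winbox accept with no source restriction, and no catch-all drop as the last enabled rule. It re-joins a forum-wrapped RouterOS export (the trailing backslashes are lost when pasted) and checks the enabled input rules. The sample exports are constructed from the posted rules, the port defaults to 8291 because that is the default Winbox port the thread discusses, and the set of non-matching keys is my assumption.

```python
import re

# Assumed set of keys that do not constrain a packet; anything else makes a rule conditional.
_NON_MATCHERS = {"action", "chain", "comment", "disabled", "log", "log-prefix"}
_KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')

# Constructed sample in the wrapped form a forum paste produces; it mirrors
# the CHR input rules posted above (final drop disabled, 8291 wide open).
WIDE_OPEN = """\
/ip firewall filter
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="remote access" dst-port=8291 protocol=
tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN"
disabled=yes in-interface-list=!LAN
"""

# Constructed sample following the thread's advice: admin access only from the
# MANAGE interface list and the Authorized address list, then a final drop.
HARDENED = """\
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=accept chain=input comment="admin access via wg" in-interface-list=MANAGE src-address-list=Authorized
add action=drop chain=input comment="drop all else"
"""

def join_wrapped(text):
    """Glue wrapped continuation lines back onto their command (no space after a split at '=')."""
    lines = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith(("/", "add ", "set ")) or not lines:
            lines.append(line)
        else:
            lines[-1] += ("" if lines[-1].endswith("=") else " ") + line
    return lines

def parse_rules(text, section="/ip firewall filter"):
    """Return the 'add' entries under `section` as key -> value dicts, in order."""
    rules, current = [], None
    for line in join_wrapped(text):
        if line.startswith("/"):
            current = line
        elif current == section and line.startswith("add "):
            rules.append({k: v.strip('"') for k, v in _KV.findall(line)})
    return rules

def lint_input_chain(text, winbox_port="8291"):
    """Flag an unrestricted Winbox accept and a missing catch-all drop on the input chain."""
    findings = []
    rules = [r for r in parse_rules(text) if r.get("chain") == "input" and r.get("disabled") != "yes"]
    for r in rules:
        if (r.get("action") == "accept" and winbox_port in r.get("dst-port", "").split(",")
                and not any(k in r for k in ("src-address", "src-address-list"))):
            findings.append(f"winbox accept without source restriction: {r.get('comment', '?')}")
    # The last enabled rule must be a drop with no matchers beyond the chain itself.
    if not rules or rules[-1].get("action") != "drop" or set(rules[-1]) - _NON_MATCHERS:
        findings.append("input chain does not end in an unconditional drop")
    return findings
```

Run `lint_input_chain` over your own `/export` output; a disabled final drop counts as absent, exactly as in the CHR config above.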

@anav Am I understanding your changes correctly that I should be able to romon into MAP-001 by just including it in the allowed interface list for mac-server and mac-winbox and ip neighbors?

Because I tried that and it's not working. Nothing shows up in romon.

I understand 8291 shouldn’t be wide open, also understand that there are goofy things with dhcp-client, and what I have labelled as WAN, and that the wlan1 interface is bridged to WAN.

Is an EoIP interface required for this to work?

I don't use romon.
If using Winbox running on a laptop, or on an IPhone IPAD, it will work just fine
If you want to reach the CHR, for config purposes, after making the vpn connection,
Simply put:
192.168.32.1:winboxport-CHR ( not the default because you should have changed it yesterday LOL).

If you want to reach the MAPS for configuration
Put
192.168.32.4:winboxport-MAP

If you want to reach the 192.168.88.0 subnet
AHHHHHHHHHHH ????

I missed two steps......

CHR SETUP
-routing addition
-peer setting addition

We have to let the CHR know where to send dst traffic for a non-local subnet!!

/ip route
add dst-address=192.168.88.0/24 gateway=wireguard1 table=main

We have to match that in the peer settings as well. So please modify the peer setting as follows:

add allowed-address=192.168.32.4/24,**192.168.88.0/24** interface=wireguard1 name=mAP-001
public-key="xxx"

You will note I have not addressed anything specifically for the interface address .22 because you have not fully identified all the requirements

@anav I appreciate the help but I think you are misunderstanding what I am trying to accomplish. Maybe a diagram could help. I am trying to access the mtik (mAP-001) using winbox at its wireguard IP of 192.168.32.5 through a Cloud Hosted Router (CHR) with a wireguard IP of 192.168.32.1 via its (CHR) WAN IP.

What I am understanding from your replies is that you simply have to have the correct interfaces on the allow-list for mac-server, mac-winbox and ip neighbors. I have done this but it's not working. In winbox I want to connect to the CHR and have the CHR show me its discovery, and then connect through the CHR romon into the mAP-001.

Could it be that wireguard doesn’t support multicast packets and I need an Ethernet over IP bridge over the wireguard to make this work? Or am I not understanding something you are saying? Thanks.

What do you mean multicast packets, when was that ever stated as a requirement?
As I stated I don't know how to use romon.
I was simply showing you the way, for a remote device (laptop or iphone) to connect to the CHR and to the map via wireguard for the purposes of reaching the config of both. I also showed how that remote user/device can reach the subnet on the map. This is done using winbox after connecting pt to pt wireguard.

If you want some sort of layer 2 functionality, not yet articulated, then you can consider EOIP over wireguard or perhaps use Zerotier, which may be better suited approaches.

Please show me your latest config exports to verify the settings are correct.

Romon uses multicast, and my new understanding since posting is that wireguard isn’t going to work for that. Again summarizing your proposed changes are just relating to allow-lists, unless I’m missing something from your replies, are you suggesting more than that and I am missing something from your replies?

Yes you can use wireguard with EOIP to do what you want. I just don't understand why the extra hassle just to use romon, when you can connect directly with what you want via winbox. Is it simply seeing all the routers at the same time like I do for all the MT devices in my own network?
When I am away I simply use winbox to connect to any device I desire, I don't need to see them, just know the winbox port and which subnet gateway I wish to use (aka a trusted one, a management vlan for example).

Ok, I still can't winbox into map-001 with the changes you are proposing. Again, my understanding of the changes you are suggesting is to add the appropriate interfaces on the allow-lists. Nothing more than that. I've asked four times now: is that correct? If so what address am I typing into winbox? 192.168.32.5? That won't work because I'm on a laptop not connected to the wireguard network.

RoMoN only works properly (as in: as you want to use it) in L2 domains. Others have confirmed that it does work through EoIP and also through ZeroTier (in L2 configurations.)

If you don't otherwise need L2 connectivity, I'd simply drop romon. I don't have much patience for it even when it works.

If proper routing and firewalling is present, WinBox, ssh and all the other goodness is ready for you.

@lurker888 I tried setting up a forward rule to 192.168.32.5 but that didn't work either. Do you have another suggestion? Summarizing, the suggestions made so far have been to add the interface to the mac-server mac-winbox allow list, which doesn't seem to do anything, and I am unsure what I'd be typing in as an address in winbox because I'm on a laptop not connected to the wireguard network.

rilliam, post both your configs, so I can point out where your errors might be, as basic winbox and wireguard works just fine. I already pointed out the firewall rules that are needed.

You keep changing requirements. What laptop are you using to try to reach the CHR or MAP??
If it's not behind the MAP where is it?? And of course you need to connect the laptop to the CHR, and the means to do that is wireguard.

The only laptop on your diagram has to connect to the CHR via wireguard........... so you see my confusion
"That won’t work because I’m on a laptop not connected to the wireguard network." ???????

Post both configs for review.

PS there is no such thing as ALLOW lists.
There are interface lists, there are firewall-address lists.

Sort out your routing. Anav will help you, he's very good with configuration over forum.

If you don't have connectivity to your network, nothing will help. You will have to establish that.

Everything mac-whatever only works (well, mostly) over an L2 link. It has no effect, positive or negative, on normal unicast ip-based winbox.

I got this to work by using EoIP, no bridge necessary. Now I can see romon discovery and connect to that mac address via the CHR.

@anav No my laptop isn't connected via wireguard. That's why I put the laptop by itself and the wireguard network by itself in my diagram.

MAP-001

/interface/eoip add name="EoIP-CHR" tunnel-id=0 remote-address=192.168.32.1 disabled=no

CHR

/interface/eoip add name="EoIP-MAP-001" tunnel-id=0 remote-address=192.168.32.5 disabled=no

Connecting to your CHR without VPN is not wise.
Glad you got it working!