Wireguard Client QNAP

Good morning guys,

I am writing for the first time, so let me introduce myself: I am Alessandro Bozzo, and I am writing from the province of Savona in Italy.
I have a problem on a Mikrotik: I have successfully activated a VPN client with the Wireguard server on QNAP. I can ping the IPs in the QNAP subnet from the Mikrotik terminal without problems, but from my internal Mikrotik subnet it does not work. I set up a source NAT with source address my subnet, destination address the subnet of the QNAP, and out interface wireguard, but nothing.
I am attaching the configuration of the Mikrotik:

# jun/13/2022 06:17:50 by RouterOS 7.3.1
# software id = V5EL-CMUG
#
# model = RouterBOARD mAP L-2nD
# serial number =
/interface wireless
set [find default-name=wlan1] band=2ghz-b/g/n disabled=no mode=ap-bridge \
    ssid=MikroTik
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface wireless security-profiles
set [find default=yes] supplicant-identity=MikroTik
/ip hotspot profile
set [find default=yes] html-directory=hotspot
/ip pool
add name=pool1 ranges=192.168.200.50-192.168.200.100
/ip dhcp-server
add address-pool=pool1 interface=wlan1 name=server1
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=82.215.131.20 endpoint-port=\
    51820 interface=wireguard1 persistent-keepalive=10s public-key=\
    "WdrBS/JgIrJORFBjYEvV1pwdRlZipWr+HTv2LiSSphA="
/ip address
add address=198.18.7.4/24 interface=wireguard1 network=198.18.7.0
add address=192.168.200.1/24 interface=wlan1 network=192.168.200.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=192.168.200.0/24 dns-server=8.8.8.8 gateway=192.168.200.1 netmask=\
    24
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=accept chain=srcnat dst-address=172.20.0.0/16 out-interface=\
    wireguard1 src-address=192.168.200.0/24
/ip route
add disabled=no distance=1 dst-address=172.20.0.0/16 gateway=198.18.7.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
[admin@MikroTik] >

I don’t think that rules with action=accept in the NAT section do what you think they do.
Try setting that up in the Filter section.

Thanks for the answer,
I don’t have any filter rules, do you think I should try to create a forward rule between the two subnets?
I continued with the tests and I don’t understand why I keep being able to see and ping from the mikrotik to the internal network of the wireguard server but nothing from the internal network of my mikrotik.

Oh, I thought you just left that part out. I don’t understand anything from that config.
Post the config from both sides.
And write the subnets from both sides.

Site A: (Server VPN Wireguard QNAP)
Subnet LAN: 172.16.0.0/16
IP Wireguard 198.18.7.1

Site B: (Wireguard client Mikrotik, IP 198.18.7.4)
Subnet LAN: 192.168.200.0/24

From the terminal inside the Mikrotik I can see the 172.16 network and ping it (same for 198.18..), but not from the local network; that is, from 192.168.200.0 I cannot ping 172.16.

TNX

I solved it; I am sharing this in case anyone is in the same situation as me. I created a NAT masq with source address my LAN, destination address the LAN of “site A”, and out interface wireguard.
Thank you all.

Or you can set up proper routing between 172.16.0.0/16 and 192.168.200.0/24 via the wireguard tunnel.
But hey, if you guys like NAT so much.
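
A small model of WireGuard's allowed-IPs check, added here as an example (not code from the thread): it shows why pings from the router itself can succeed while pings from its LAN fail, and why both the masquerade fix and the routed alternative work. The two server-side peer tables are assumptions, since the QNAP configuration is not shown in the thread.

```python
import ipaddress

# Assumed QNAP peer entries for the MikroTik (not shown in the thread).
SERVER_PEERS_TUNNEL_ONLY = {"mikrotik": ["198.18.7.4/32"]}
SERVER_PEERS_ROUTED = {"mikrotik": ["198.18.7.4/32", "192.168.200.0/24"]}

MIKROTIK_TUNNEL_IP = "198.18.7.4"
SITE_A_LAN = ipaddress.ip_network("172.16.0.0/16")
SITE_B_LAN = ipaddress.ip_network("192.168.200.0/24")


def server_accepts(peers, peer_name, inner_src):
    """After decryption WireGuard keeps a packet only if its inner source
    address is inside the sending peer's allowed-IPs list."""
    src = ipaddress.ip_address(inner_src)
    return any(src in ipaddress.ip_network(n) for n in peers[peer_name])


def server_return_peer(peers, dst):
    """For replies, the server sends to the peer whose allowed-IPs contain
    the destination (longest prefix wins); None means nothing is sent."""
    addr = ipaddress.ip_address(dst)
    best = None
    for name, nets in peers.items():
        for net in map(ipaddress.ip_network, nets):
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    return best[0] if best else None


def source_on_tunnel(lan_src, dst, masquerade):
    """Source address seen inside the tunnel. With the srcnat masquerade rule
    from the thread, site B LAN traffic to site A leaves as the tunnel IP."""
    src = ipaddress.ip_address(lan_src)
    if masquerade and src in SITE_B_LAN and ipaddress.ip_address(dst) in SITE_A_LAN:
        return MIKROTIK_TUNNEL_IP
    return lan_src


def ping_works(peers, lan_src, dst, masquerade):
    """True if the request passes the server's source check and the reply
    is routed back to the same peer."""
    src = source_on_tunnel(lan_src, dst, masquerade)
    return (server_accepts(peers, "mikrotik", src)
            and server_return_peer(peers, src) == "mikrotik")


if __name__ == "__main__":
    for peers, nat in [(SERVER_PEERS_TUNNEL_ONLY, False),
                       (SERVER_PEERS_TUNNEL_ONLY, True),
                       (SERVER_PEERS_ROUTED, False)]:
        print(peers["mikrotik"], "masquerade" if nat else "no NAT",
              ping_works(peers, "192.168.200.50", "172.16.0.10", nat))
```

In the routed case the hosts on 172.16.0.0/16 also need a route to 192.168.200.0/24 via the QNAP if it is not their default gateway; the masquerade variant hides site B's hosts behind 198.18.7.4, so site A logs and access rules see only that one address.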