WireGuard configuration MikroTik LTE18Kit with built-in LTE

Dear forum users, I hope you can help me out. I guess it’s just a simple thing missing, but it drives me crazy.

My setup:

  • MikroTik LTE18Kit router with built-in LTE module
  • Standard configuration (local DHCP with IP 192.168.188.0/24 net)
  • Set up the configuration to use WireGuard: https://help.mikrotik.com/docs/display/ROS/WireGuard#WireGuard-RoadWarriorWireGuardtunnel (part “WireGuard-RoadWarriorWireGuardtunnel”) - also used the IP range from the example: wireguard 192.168.100.0/24
  • Added an additional firewall rule to give forward permission from each subnet to the other.

My problem:

  • WireGuard handshake from the external net AND the internal net works, but after connecting no packets are transferred to the internet.
  • If I connect to WireGuard from the internal net, I can access local IPs like the router itself. But still no connection to any external internet IP.

What is missing?

Some Pics
Bildschirmfoto 2023-11-05 um 11.28.19.png
Bildschirmfoto 2023-11-05 um 11.28.00.png
Bildschirmfoto 2023-11-05 um 11.28.36.png
Bildschirmfoto 2023-11-05 um 11.31.30.png

What is missing?

Hmm, the pictures are nice, but not really helpful. What’s missing is your export of configuration:
/export file=myconf.rsc (remove sensitive info like serials, public IPs, etc.)
From there we can start troubleshooting the problem.

Thanks for the command for exporting the config. Was very helpful.

Attached my config:
myconf.rsc (6.79 KB)

Your config export is missing the routes. Perhaps you aren’t using custom defined routes?

Also, address=192.168.100.1 for the wireguard1 interface should be address=192.168.100.1/24.

Correct, I did not add any custom route. According to some tutorials it was not necessary.

You are completely right. The address of the wireguard1 interface should be address=192.168.100.1/24 and not address=192.168.100.1/32. I changed it and it works. Finally I have a connection to the web. Thanks a lot!!

Regarding the routes and/or other necessary config: do you see anything I have to add as a must-have?
Thanks again, you are my hero!
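For anyone landing here with the same symptom, here is the address line that caused it next to the corrected one, together with the rules the rest of the thread relies on. This is an added RouterOS example, not the poster's export: the listen port 13231, the peer address 192.168.100.2, the placeholder public key and the default-config interface list and rule comments are assumptions.

```routeros
# Added example, not the poster's exported config. Assumed values:
# listen-port 13231, peer address 192.168.100.2, defconf "WAN" list and
# defconf rule comments; the public key is a placeholder.

/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface wireguard peers
add allowed-address=192.168.100.2/32 interface=wireguard1 \
    public-key="<PEER-PUBLIC-KEY-PLACEHOLDER>"

# WRONG: no prefix length means /32. Only the host route to .1 exists, so
# replies to 192.168.100.2 follow the default route out lte1 (or are dropped).
# /ip address
# add address=192.168.100.1 interface=wireguard1

# RIGHT: /24 installs the connected route 192.168.100.0/24 via wireguard1.
/ip address
add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0

/ip firewall filter
# A plain "add" appends after the defconf drop rules, where it never matches.
# place-before puts each accept above the matching defconf drop.
# Handshake from the internet (UDP 13231 into the router itself).
add action=accept chain=input comment="WireGuard handshake" \
    dst-port=13231 protocol=udp \
    place-before=[find comment="defconf: drop all not coming from LAN"]
# Tunnel clients may reach the router (management, DNS).
add action=accept chain=input comment="WireGuard traffic" \
    in-interface=wireguard1 \
    place-before=[find comment="defconf: drop all not coming from LAN"]
# Tunnel clients may reach the LAN.
add action=accept chain=forward comment="WireGuard to LAN" \
    dst-address=192.168.188.0/24 src-address=192.168.100.0/24 \
    place-before=[find comment="defconf: drop all from WAN not DSTNATed"]

# Internet from the tunnel needs no extra NAT while the defconf masquerade
# rule (chain=srcnat out-interface-list=WAN) is still present.

# Check: a DAC route for the tunnel subnet must appear; with the /32 it does not.
/ip route print where dst-address=192.168.100.0/24
```

The check at the end is the quickest way to confirm the fix: the connected route only shows up once the interface address carries the /24.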

Nope, all you have is one remote client coming in to access your router or config (admin probably you LOL).

This rule allows the user to access the router for config purposes:
add action=accept chain=input comment=“WireGuard traffic” in-interface=wireguard1

This rule allows the remote user to access the LAN:
add action=accept chain=forward comment=“WireGuard to LAN” dst-address=192.168.188.0/24 src-address=192.168.100.0/24

One always has to ask the question: okay, so the remote client can reach the router and the LAN after exiting the tunnel, but what about the RETURN TRAFFIC?
That is where we should be concerned about routes. Remember, if the subnet or user is not known to the router, NOT LOCAL, the router will drop such traffic.
Since we created an IP address for the wireguard interface, the router automatically creates a route for that subnet: dst-address=192.168.100.0/24 gwy=wireguard1

So when the remote client accesses the router or LAN due to the above firewall rules, and return traffic arises, the router says, I know where to send the traffic to that source address…
Now imagine if the remote client is not a MAC, but another MT router with many subnets, and some of those subnets are visiting your router's subnets.
Then we would need to manually make routes for those subnets so your router would know where to send the return traffic (mainly back into the tunnel).
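The case in the last two lines, a remote MikroTik router with its own LAN behind the tunnel, as an added RouterOS example (not from the thread; the remote LAN 10.20.0.0/24, its tunnel address 192.168.100.2 and the placeholder key are assumptions):

```routeros
# Added example. Assumed: the remote MT router has tunnel address
# 192.168.100.2 and LAN 10.20.0.0/24 behind it; the public key is a placeholder.

/interface wireguard peers
# allowed-address is WireGuard's cryptokey routing: packets arriving from this
# peer with any other source address are silently discarded, and outbound
# packets to 10.20.0.0/24 are only encrypted to this peer if it is listed here.
add allowed-address=192.168.100.2/32,10.20.0.0/24 interface=wireguard1 \
    public-key="<REMOTE-ROUTER-PUBLIC-KEY-PLACEHOLDER>"

/ip route
# The connected 192.168.100.0/24 route exists automatically; routes for
# subnets behind the peer do not. Without this one, replies to 10.20.0.x
# follow the default route out lte1 and never re-enter the tunnel.
add dst-address=10.20.0.0/24 gateway=wireguard1 comment="LAN behind remote MT"

/ip firewall filter
# The forward rule from the thread only matches src 192.168.100.0/24; the
# remote LAN needs its own pair, scoped to what is actually meant to cross
# the tunnel rather than a blanket accept on in-interface=wireguard1.
add action=accept chain=forward comment="remote LAN to local LAN" \
    src-address=10.20.0.0/24 dst-address=192.168.188.0/24 \
    place-before=[find comment="defconf: drop all from WAN not DSTNATed"]
add action=accept chain=forward comment="local LAN to remote LAN" \
    src-address=192.168.188.0/24 dst-address=10.20.0.0/24 \
    place-before=[find comment="defconf: drop all from WAN not DSTNATed"]

# Checks: the static route is installed, and the peer shows a recent handshake.
/ip route print where dst-address=10.20.0.0/24
/interface wireguard peers print detail
```

The same allowed-address and route pair is needed on the remote router for 192.168.188.0/24, otherwise its replies have the mirror-image problem.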

Regarding the routes and/or other necessary config: do you see anything I have to add as a must-have?
Thanks again, you are my hero!

You’re welcome. I intend to focus on the problem at hand, but feel free to digest on further discussions by reputable members of this forum, one of which has already given the above. You can pickup a thing or two from them.