I'm posting my MikroTik configuration.
I need help, thanks.
myconfig.rsc (2.16 KB)
Is this router connected to the internet? If so, unplug it immediately, as you have no firewall protection.
You don't know how to set up WireGuard, but you removed the perfectly good default firewall rules protecting your network???
You are missing the rule allowing the handshake in the input chain, and many more firewall rules.
Hello. Yes, the router is connected to the internet. I made some changes and requested my public IP from the provider, and I already have it. This is my configuration. I performed the steps from the MikroTik channel to connect WireGuard to my phone, but the connection is not successful. I would appreciate it if you could explain to me how to add the necessary missing rules in my MK.
myconfig.rsc (1.18 KB)
The WAN IP as shown is private, not public.
Thank you, but is it a configuration error (and how can I solve it?) or is it my internet provider? I contacted them and they recently assigned me the public IP at my home.
Hello, I was doing a little research and realized that I have a problem with double NAT. Any suggestions on my configuration? I still can't successfully use WireGuard. Thanks for the attention.
myconfigINGCONREG.rsc (4.09 KB)
Well your config is confused…
You have two ether1-wans, and one is disabled.
The one that is disabled seems to be a public IP
The one that is enabled seems to be a private IP
This makes sense if what you are saying about double NAT. It would seem you have an upstream modem/router and thus you are getting a private vice public IP.
Is that correct?
If so, then all you need to do is FORWARD the wireguard port on the ISP modem/router to the IP of your mikrotik router.
For example.
ON ISP ROUTER
port=13231 forward to-address=192.168.1.99
Are you able to forward the port to the LAN IP of your router directly, or ask your ISP to do it?
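As an added example (not from the thread or from either poster), here is what that port forward looks like in RouterOS syntax, assuming the upstream ISP router were also a MikroTik (the real upstream box has its own UI, so only the numbers carry over), together with the minimum the inner router needs so the forwarded packets are actually accepted, and the checks to run afterwards. The UDP port 13231, the inner LAN IP 192.168.1.99 and the interface name wireguard1 are taken from the thread; the upstream WAN interface name ether1 and the "drop all else" comment used as the anchor are assumptions.

```routeros
# --- Upstream (ISP) router, IF it were running RouterOS (assumption) ---
# Forward only WireGuard's UDP port from the public side to the inner MikroTik.
# Do NOT forward 8291 (WinBox) or any other management port to the public side.
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=udp dst-port=13231 action=dst-nat to-addresses=192.168.1.99 to-ports=13231 comment="double NAT: hand WireGuard to inner router"

# --- Inner MikroTik (192.168.1.99 on ether1wan) ---
/interface wireguard
add name=wireguard1 listen-port=13231
# The forwarded packets arrive on ether1wan with dst 192.168.1.99:13231, so the
# input chain must accept them BEFORE the final drop rule of that chain.
# place-before anchors the rule ahead of a rule commented "drop all else" (assumption).
/ip firewall filter
add chain=input in-interface-list=WAN protocol=udp dst-port=13231 action=accept comment="Allow WireGuard handshake" place-before=[find chain=input comment="drop all else"]

# --- On the phone (client) ---
# Endpoint must be the upstream router's PUBLIC IP, port 13231, never 192.168.1.99.
# PersistentKeepalive is a client-side setting (e.g. 25 s) and is not needed on the router peer.

# --- Checks, in order ---
# 1) the upstream's WAN address is really public: not 10/8, 172.16/12, 192.168/16,
#    and not 100.64.0.0/10 (CGNAT); if it is one of those, no port forward will help.
# 2) does the handshake reach the inner router at all? An empty last-handshake
#    means the UDP packet never arrived (upstream forward or ISP problem, not firewall).
/interface wireguard peers print detail
# 3) is the accept rule being hit? A zero packet count with a non-empty
#    last-handshake would mean the packet matched an earlier rule instead.
/ip firewall filter print stats where comment="Allow WireGuard handshake"
```

Work through the checks top to bottom: check 1 rules out the "private WAN IP" situation from earlier in the thread, and checks 2 and 3 tell you whether the problem is outside the MikroTik (nothing arrives) or inside it (packets arrive but are not accepted).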
Hello, what you say is correct. I opened the port on the router that sits before the MikroTik, but it still does not work.
Show me the port forwarding rule on the upstream router. And have you confirmed the upstream router gets a public IP??
Look, the port is now open, and you also see the public IP offered by the provider.


This article shows a successful WG config with double NAT. Not ideal, but I ran that way for about a year before I was able to replace the border router with an ax³ and move WG service to it.
More concerning is the port forwarding of the default port for winbox.
Are you actually accessing the router externally using the default winbox port???
It would appear so; you have the port forwarding set up appropriately.
Main changes shown.
Removed persistent keepalive from the peer (it's the client that uses that setting, for the handshake).
Removed wrong WAN address.
Modified DNS settings slightly; not sure what 192.168.1.1 was doing there, as it's not a local subnet.
Biggest issue is with your firewall rules. Too much noise. Focus on needed traffic, drop all else…
Why all the other VPN types, only to disable them on the input chain?? Is the idea to get WireGuard working and use only that…
Removed them from the firewall rules for the moment.
Old route removed as well.
model = RB750r2
serial number = “hidden”
/interface list
add name=WAN
add name=LAN
/interface detect-internet
set detect-interface-list=none
/interface list member
add interface=ether1wan list=WAN
# bridge and wireguard interface names must match the ones used under /ip address below
add interface=bridge1 list=LAN
add interface=wireguard1 list=LAN
/interface wireguard peers
# one /32 per road-warrior peer; a /24 here would route the whole tunnel subnet to that single peer
add allowed-address=192.168.100.2/32 interface=wireguard1 public-key="++++++++++++++++++++++="
add allowed-address=192.168.100.3/32 interface=wireguard1 public-key="*************************************************="
/ip address
add address=10.10.10.1/24 interface=bridge1 network=10.10.10.0
add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0
add address=192.168.1.99/24 interface=ether1wan network=192.168.1.0
/ip dhcp-server network
add address=10.10.10.0/24 dns-server=10.10.10.1 gateway=10.10.10.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip firewall address-list
add address=10.10.10.XX list=Authorized comment="admin local pc"
add address=192.168.100.0/24 list=Authorized comment="admin remote wg"
/ip firewall filter
# ---- input chain ----
# default rules to keep
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
# admin rules
add action=accept chain=input comment="Allow WireGuard" dst-port=13231 protocol=udp
add action=accept chain=input comment="Allow admin" in-interface-list=LAN src-address-list=Authorized
add action=accept chain=input comment="Allow user services" dst-port=53 protocol=udp in-interface-list=LAN
add action=accept chain=input comment="Allow user services" dst-port=53 protocol=tcp in-interface-list=LAN
# put this rule last in the input chain
add action=drop chain=input comment="drop all else"
# ---- forward chain ----
# default rules to keep
add action=fasttrack-connection chain=forward connection-state=established,related,untracked
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
# admin rules
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow wg" in-interface=wireguard1 out-interface-list=LAN
# enable or remove the next rule if port forwarding is not required
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes
add action=drop chain=forward comment="drop all else"
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
Look, I made the corrections in the MikroTik but it still doesn't work; the number of RX packets coming out of the client is very low and there is no internet. I have a question: is rule number 8 well placed there, or do I have to move it all the way down?
configanav.rsc (4.6 KB)

It’s as far down as it can get already. Rules apply within a given chain, so with no other “input” chain rules after it, that one is at the end already. Pushing it further down in the list shown by WinBox will do zilch.
The only things I see that are really weird, that I have never seen before, are the following rules…
add action=dst-nat chain=dstnat disabled=yes dst-address=8.8.8.8 to-addresses=0.0.0.0/24 ???
add action=src-nat chain=srcnat disabled=yes out-interface=ether1wan src-address=0.0.0.0/24 to-addresses=8.8.8.8 ???
add action=src-nat chain=srcnat src-address=192.168.100.0/24 to-addresses=192.168.1.99 ???
add action=masquerade chain=srcnat out-interface=ether1wan
The only one to leave in place is the last one.
And this one…
/ip firewall mangle
add action=change-ttl chain=forward disabled=yes new-ttl=set:2 out-interface=ether1wan passthrough=yes ???
In terms of IP ROUTE you have duplicate rules for your main WAN ??? Get rid of one of them.
The other route has a gateway to something that is neither local nor defined anywhere ???
/ip route
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=179.1.11.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10 ???
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10