Wireguard - IPv4 on WAN broken at 7.21.3

Hello forum,
Unfortunately, I am now having a problem with Wireguard with RouterOS 7.21.3.
I can no longer establish a connection via IPv4.

I have a dual-stack WAN connection.
This means I have my own IPv4 and IPv6 addresses.
Both are dynamic and change every 24 hours.
To avoid having to remember the addresses, I have set up a dyndns.

I use Android smartphones with Android 16 as clients, for example.

When I try to establish a VPN connection with Wireguard via an IPv4-only network, it no longer works.
If I enter the current IPv6 address in the Wireguard address field and then connect, everything works fine.

I also don't see in the firewall log that a packet has arrived at the firewall via IPv4.

What I have checked:

  • Domain entered as Wireguard server >> Doesn't work
  • IPv4 entered as Wireguard server >> Doesn't work
  • IPv6 entered as Wireguard server >> Works!
  • Checked from the internet whether the Wireguard port is accessible >> Accessible with IPv4 and IPv6
  • Checked the firewall rules >> Everything seems to be OK
  • Router restarted >> Doesn’t help

No changes have been made to the settings since November 2025.
Only one client was added.
My ISP has not made any changes to the network either. I don't have DS-Lite (CGNAT).

Why doesn't the domain work when it has both entries (A + AAAA)?
It seems that Android/Wireguard first receives the A record during DNS resolution and uses it directly.
The AAAA record is probably only delivered afterwards.
That's why the domain doesn't work when I enter both addresses.

Is there a known problem at the moment?
At the moment, it's a bit annoying to always have to query the current IPv6 via nslookup and then manually enter it in the configuration.
I can't use Wireguard from IPv4-only networks.

You don't need DS-Lite to have IPv4 put in CGNAT. You should still compare the address currently listed for your WAN interface under /ip address with what services like whatismyip.com show for your connection to be sure that both IPv4 addresses are the same.

I experience no issue with WG IPv4 endpoints in 7.21.3. It's probably not something related to RouterOS, but to your ISP(s).


Also, in case you are stuck with CGNAT and cannot opt out of it, there are several DDNS providers that allow you to only maintain an AAAA record for the subdomain, for example DynV6, Dynu, DuckDNS.

2 Likes

In theory, he could have a public IPv4 address as NAT 1:1, so he would have a private IPv4 address on the WAN and a public IPv4 address at the same time.

However, it is most likely that he will actually be behind CGNAT. Try asking your provider if you have a public IPv4 address.

You can also try to ping your public IP from outside. ICMP is allowed in the default firewall and therefore should respond.

I just called my ISP.
They made a mistake.
They broke my public IPv4 and integrated a CGNAT in the worst possible way.
It's an official error and will be fixed.
My Wireguard should be up and running again tomorrow.

I saw my normal public IPv4 on the WAN-Interface and on sites like myip is.
After a reboot and only today I see the 100-IP on the WAN-Interface of the MikroTik Router.

So no Bug in Wireguard :)

1 Like
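
The check suggested in the replies above (compare the address on the WAN interface with the one an external service reports, and look for a "100-IP"), as an added example that is not part of the original thread. The function name, the result labels and the sample addresses are assumptions made for illustration; the addresses are constructed from documentation ranges.

```python
import ipaddress

# Shared address space reserved for carrier-grade NAT (RFC 6598).
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")
# Private address space (RFC 1918).
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(wan_addr: str, external_addr: str) -> str:
    """Classify the IPv4 situation of a WAN link (hypothetical helper).

    wan_addr:      address on the WAN interface, with or without /prefix
    external_addr: address reported by an external "what is my IP" service
    """
    wan = ipaddress.ip_interface(wan_addr).ip
    ext = ipaddress.ip_address(external_addr)
    if wan.version != 4 or ext.version != 4:
        raise ValueError("this check only applies to IPv4 addresses")

    if wan in CGNAT_NET:
        # The router sits behind the ISP's NAT; unsolicited inbound
        # WireGuard handshakes over IPv4 will not reach it.
        return "cgnat"
    if any(wan in net for net in RFC1918_NETS):
        # Private WAN address: either 1:1 NAT or another NAT layer
        # upstream. Only the provider or an outside test can tell.
        return "private-wan"
    if wan == ext:
        # The interface holds the same public address the internet sees.
        return "public"
    # Public-looking address that differs from the external view.
    return "mismatch"


if __name__ == "__main__":
    # Constructed sample pairs: (WAN interface address, external address)
    samples = [
        ("100.72.13.5/10", "198.51.100.20"),
        ("192.168.1.2/24", "203.0.113.7"),
        ("203.0.113.7/24", "203.0.113.7"),
        ("203.0.113.7/24", "198.51.100.20"),
    ]
    for wan, ext in samples:
        print(f"{wan:18} vs {ext:15} -> {classify_wan(wan, ext)}")
```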