Wireguard issue - L009

Hi Guys

New to Mikrotik but not to networking.

We have a new L009 which we need to configure with the below features;

Allow internet access - done.
Configure Vlans - done
Block intra-Vlan traffic - done
Allow management from WAN - done
Allow NAT from WAN to server on Vlan - done
Allow WireGuard VPN to connect to LAN and VLANs - not done.

We can configure WireGuard for access from an Apple Mac and the WireGuard client connects. We have NO traffic flows though. We cannot ping the bridge, the management interface, the VLAN gateways or an SSH server that is on one of the VLANs. The SSH server has full internet access btw.

I'm suspecting a firewall rule, however we do have the below line in the config:

action=accept chain=forward comment="test rule" connection-state="" dst-address=192.168.88.0/24 dst-address-list=Vlans in-interface="wireguard - MH Home" log=yes

The group 'Vlans' has 10.0.10.0, 10.0.20.0, 10.0.30.0 - all 24 bit. We cannot ping ANY of the VLAN gateways either.

The Apple WireGuard config includes AllowedIPs = 0.0.0.0/0 - when we run up WireGuard we seem to be routing ALL traffic to the L009 and we cannot ping anything, including 8.8.8.8. Anything connected to the L009 LAN or any VLAN can ping 8.8.8.8.

Configs below. We’ve edited the public/private key info for obvious reasons. The L009 has a public interface on my own LAN (with an IP of 192.168.0.189).

We’ve disabled all rules in the firewall that drop or block anything (just for test purposes)

WireGuard client:
[Interface]
PrivateKey =
ListenPort = 51820
Address = 192.168.100.4/32
DNS = 1.1.1.1

[Peer]
PublicKey = Pzppppppppppppm6aCZioPGopDuXY27l/fgDc6RMrRo=
AllowedIPs = 0.0.0.0/0
Endpoint = 192.168.0.189:13231
PersistentKeepalive = 10

L009 Config

# 2025-04-22 10:10:34 by RouterOS 7.16.1
# software id = TR2D-QJ5X
#
# model = L009UiGS
# serial number = <edit>
/interface bridge
add comment=LAN-BR-VLAN10 name=LAN-BR-VLAN vlan-filtering=yes
add admin-mac=F4:1E:57:A6:22:6E auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface wireguard
add comment="Remote VPN access" listen-port=13231 mtu=1420 name="wireguard - MH Home"
/interface vlan
add comment=vlan10 interface=LAN-BR-VLAN name=vlan10 vlan-id=10
add comment=Vlan20 interface=LAN-BR-VLAN name=vlan20 vlan-id=20
add comment=vlan30 interface=LAN-BR-VLAN name=vlan30 vlan-id=30
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add comment="vlan10 pool" name=dhcp_pool8 ranges=10.0.10.2-10.0.10.254
add comment="Vlan20 pool" name=dhcp_pool10 ranges=10.0.20.2-10.0.20.254
add comment="vlan30 pool" name=dhcp_pool11 ranges=10.0.30.2-10.0.30.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=dhcp_pool8 interface=vlan10 name=dhcp1
add address-pool=dhcp_pool10 interface=vlan20 name=dhcp2
add address-pool=dhcp_pool11 interface=vlan30 name=dhcp3
/port
set 0 name=serial0
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=LAN-BR-VLAN comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=all lldp-med-net-policy-vlan=1
/interface bridge vlan
add bridge=LAN-BR-VLAN comment=vlan10 tagged=LAN-BR-VLAN,ether8 vlan-ids=10
add bridge=LAN-BR-VLAN comment=vlan20 tagged=LAN-BR-VLAN,ether8 vlan-ids=20
add bridge=LAN-BR-VLAN comment=vlan30 tagged=LAN-BR-VLAN,ether8 vlan-ids=30
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=192.168.100.4/32 client-address=192.168.88.4/32 client-dns=1.1.1.1 comment="MH home" interface="wireguard - MH Home" name=MH-VPN public-key="OAWkmVOpppppppTiwN2S/1faJEapppppppgovZ3Xjmw="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=10.0.10.1/24 comment=vlan10 interface=vlan10 network=10.0.10.0
add address=10.0.20.1/24 comment=vlan20 interface=vlan20 network=10.0.20.0
add address=10.0.30.1/24 comment=vlan30 interface=vlan30 network=10.0.30.0
add address=192.168.88.100/24 comment="Wireguard IP" interface="wireguard - MH Home" network=192.168.88.0
add address=172.30.99.1/24 interface=ether2 network=172.30.99.0
/ip cloud advanced
set use-local-address=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.0.10.0/24 gateway=10.0.10.1
add address=10.0.20.0/24 comment="Vlan 10 Network" dns-server=8.8.8.8,8.8.4.4 gateway=10.0.20.1 netmask=24
add address=10.0.30.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.0.30.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall address-list
add address=10.0.10.0/24 comment="Vlan 10" list=Vlans
add address=10.0.20.0/24 comment=Vlan-20 list=Vlans
add address=10.0.30.0/24 comment=Alan-30 list=Vlans
add address=10.0.20.0 comment=10.0.20.0 list=10.0.20.0
/ip firewall filter
add action=accept chain=forward comment="test rule" connection-state="" dst-address=192.168.88.0/24 dst-address-list=Vlans in-interface="wireguard - MH Home" log=yes
add action=accept chain=input comment="remote admin" dst-port=80 protocol=tcp src-address=192.168.0.0/24
add action=accept chain=input comment="fireguard rule" dst-port=13231 protocol=udp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="NAT to Pi" dst-address=192.168.0.189 dst-port=22 protocol=tcp to-addresses=10.0.30.12 to-ports=22
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/London
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Hi, it looks like a mismatch of IP subnets.

Both the bridge address, 192.168.88.1/24 and the wireguard address, 192.168.88.100/24 are in the same subnet.

They should be separate. Try setting the wireguard interface to 192.168.89.1/24 instead, and for the client something in that subnet, e.g. client-address 192.168.89.2/24 and allowed-address to 192.168.89.2/32.

When testing the WireGuard tunnel, start out by pinging the other end of the tunnel, e.g. 192.168.89.2 from the router. Ping is good for testing, as the firewall allows ICMP, hence it'll always work, and an address in the same subnet requires no routes.

My issue with the config is two bridges. Keep it simple, one bridge.
Ditch the wrongly named one about vlan10 as you have multiple vlans on that bridge, not just 10.
Move the default vlan subnet 88 to a vlan, call it vlan-default.
As was pointed out you have two related discrepancies to deal with.
a. your local subnet and wireguard subnet overlap
b. a WireGuard peer has an IP address that conflicts with a local subnet
Result, changed local subnet from .88 to .188

Also you have ether2 on the bridge but for some reason also gave it its own address which is a conflict.
So the errant address with no other ties anywhere on the config was dropped…or

Bizarre input chain rule TO the router on port 80?? Configuring the router should be done within the router, and if needing remote access then come in via WireGuard, for example, and then access the router. Removed, not secure!

The config would look like so ( assumes not using ipv6 ):

# serial number =
/interface bridge
add comment=LAN-BRIDGE name=bridge vlan-filtering=yes frame-types=admit-only-vlan-tagged
/interface wireguard
add comment="Remote VPN access" listen-port=13231 mtu=1420 name=wg-home
/interface vlan
add comment=vlan10 interface=bridge name=vlan10 vlan-id=10
add comment=Vlan20 interface=bridge name=vlan20 vlan-id=20
add comment=vlan30 interface=bridge name=vlan30 vlan-id=30
add comment=vlan188 interface=bridge name=vlan-default vlan-id=188
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.188.10-192.168.188.254
add comment="vlan10 pool" name=dhcp_pool8 ranges=10.0.10.2-10.0.10.254
add comment="Vlan20 pool" name=dhcp_pool10 ranges=10.0.20.2-10.0.20.254
add comment="vlan30 pool" name=dhcp_pool11 ranges=10.0.30.2-10.0.30.254
/ip dhcp-server
add address-pool=default-dhcp interface=vlan-default name=defconf
add address-pool=dhcp_pool8 interface=vlan10 name=dhcp1
add address-pool=dhcp_pool10 interface=vlan20 name=dhcp2
add address-pool=dhcp_pool11 interface=vlan30 name=dhcp3
/port
set 0 name=serial0
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=ether2 pvid=188
add bridge=bridge ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=ether3 pvid=188
add bridge=bridge ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=ether4 pvid=188
add bridge=bridge ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=ether5 pvid=188
add bridge=bridge ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=ether6 pvid=188
add bridge=bridge ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=ether7 pvid=188
add bridge=bridge ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=sfp1 pvid=188
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether8
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether8 vlan-ids=10,20,30
add bridge=bridge tagged=bridge untagged=ether2,ether3,ether4,ether5,ether6,ether7,sfp1 vlan-ids=188
/interface list member
add interface=vlan10 list=LAN
add interface=vlan20 list=LAN
add interface=vlan30 list=LAN
add interface=vlan-default list=LAN
add interface=wg-home list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=192.168.100.4/32 comment="MH home" interface=wg-home name=MH-VPN public-key="++++"
/ip address
add address=192.168.188.1/24 comment=defconf interface=vlan-default network=192.168.188.0
add address=10.0.10.1/24 comment=vlan10 interface=vlan10 network=10.0.10.0
add address=10.0.20.1/24 comment=vlan20 interface=vlan20 network=10.0.20.0
add address=10.0.30.1/24 comment=vlan30 interface=vlan30 network=10.0.30.0
add address=192.168.100.1/24 comment="Wireguard IP" interface=wg-home network=192.168.100.0
/ip cloud advanced
set use-local-address=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.0.10.0/24 gateway=10.0.10.1
add address=10.0.20.0/24 comment="Vlan 20 Network" dns-server=8.8.8.8,8.8.4.4 gateway=10.0.20.1 netmask=24
add address=10.0.30.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.0.30.1
add address=192.168.188.0/24 comment=defconf dns-server=192.168.188.1 gateway=192.168.188.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip firewall address-list
add address=mynetname.net list=MYWAN { note this is using your IP cloud address if it accurately shows your public IP }
/ip firewall filter
{ default rules to keep }
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
(admin rules)
add action=accept chain=input comment="wireguard handshake" dst-port=13231 protocol=udp
add action=accept chain=input comment="only allow LAN" in-interface-list=LAN
add action=drop chain=input comment="drop all else" { insert this rule here and last of all rules, to avoid getting locked out }
+++++++++++++++++++++++++++++++++++++++++
{ default rules to keep }
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
(admin rules)
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=accept chain=forward comment="remote users to Subnet" in-interface=wg-home dst-address=192.168.188.0/24
add action=drop chain=forward comment="drop all else" { last forward rule, otherwise the accepts above are meaningless }
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="NAT to Pi" dst-address-list=MYWAN dst-port=22 protocol=tcp to-addresses=10.0.30.12
/ipv6 settings
set disabled=yes
/ipv6 firewall filter
add action=drop chain=input
add action=drop chain=forward
/system clock
set time-zone-name=Europe/London
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Your router has WG IP address 192.168.88.100/24, while the client has 192.168.100.4/32. It won’t work like this. The WireGuard peers must have internal IPs in the same subnet.
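Added example, not from any post in this thread: the addressing faults the replies above point out (tunnel subnet overlapping the bridge subnet, a peer whose allowed-address and client-address fall outside the tunnel subnet and disagree with each other, and an IP address on ether2 while it is also a bridge port) written as checks over a hand-typed model of the router's /ip address, bridge ports and WireGuard peers. The ORIGINAL model copies the values from the first post's export; the FIXED model, the check_router/check_client names and the RouterModel/Peer classes are my own assumptions, not anything the thread or RouterOS provides.

```python
"""Static addressing checks for a WireGuard road-warrior setup on RouterOS.

Added example, not from the thread. The checks mirror the replies:
  1. WireGuard interface subnet overlapping a LAN/VLAN subnet
  2. a peer whose allowed-address (or client-address) lies outside the
     WireGuard interface subnet, or whose two addresses disagree
  3. an address assigned to an interface that is also a bridge port
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Peer:
    allowed_address: str                   # /interface wireguard peers allowed-address
    client_address: Optional[str] = None   # optional client-address (used for client config generation)


@dataclass
class RouterModel:
    wg_iface: str
    addresses: Dict[str, str]              # interface -> "a.b.c.d/len" from /ip address
    bridge_ports: List[str]                # interfaces listed in /interface bridge port
    peers: Dict[str, Peer]


def _net(cidr: str) -> ipaddress.IPv4Network:
    """Connected network of an address/prefix as RouterOS derives it (e.g. .100/24 -> .0/24)."""
    return ipaddress.ip_interface(cidr).network


def check_router(r: RouterModel) -> List[str]:
    findings: List[str] = []
    wg_net = _net(r.addresses[r.wg_iface])

    # 1. the tunnel subnet must not overlap any other connected subnet,
    #    otherwise the router holds two connected routes for the same prefix
    for iface, cidr in r.addresses.items():
        if iface != r.wg_iface and wg_net.overlaps(_net(cidr)):
            findings.append(f"overlap: {r.wg_iface} {wg_net} vs {iface} {_net(cidr)}")

    # 2. every peer must sit inside the tunnel subnet; RouterOS does not add a
    #    route for allowed-address, so the connected route is what reaches it
    for name, p in r.peers.items():
        a = ipaddress.ip_network(p.allowed_address, strict=False)
        if not a.subnet_of(wg_net):
            findings.append(f"peer {name}: allowed-address {p.allowed_address} outside {wg_net}")
        if p.client_address:
            c = ipaddress.ip_interface(p.client_address).ip
            if c not in a:
                findings.append(f"peer {name}: client-address {p.client_address} != allowed-address {p.allowed_address}")

    # 3. a bridge port is a layer-2 member; an IP on it conflicts with the bridge
    for iface, cidr in r.addresses.items():
        if iface in r.bridge_ports:
            findings.append(f"address on bridge port {iface}: {cidr}")
    return findings


def check_client(r: RouterModel, peer: str, client_address: str) -> List[str]:
    """The client's [Interface] Address must be the address the router expects for that peer."""
    allowed = ipaddress.ip_network(r.peers[peer].allowed_address, strict=False)
    ip = ipaddress.ip_interface(client_address).ip
    return [] if ip in allowed else [f"client {client_address} not in router allowed-address {allowed}"]


# Constructed by hand from the first post's export (keys omitted); not a parsed export.
ORIGINAL = RouterModel(
    wg_iface="wireguard - MH Home",
    addresses={
        "bridge": "192.168.88.1/24",
        "vlan10": "10.0.10.1/24",
        "vlan20": "10.0.20.1/24",
        "vlan30": "10.0.30.1/24",
        "wireguard - MH Home": "192.168.88.100/24",
        "ether2": "172.30.99.1/24",
    },
    bridge_ports=["ether2", "ether3", "ether4", "ether5", "ether6", "ether7", "ether8", "sfp1"],
    peers={"MH-VPN": Peer("192.168.100.4/32", "192.168.88.4/32")},
)

# Same model with the replies' fixes applied (my assumption of the end state):
# tunnel on its own /24, peer addresses consistent, stray ether2 address removed.
FIXED = RouterModel(
    wg_iface="wg-home",
    addresses={
        "bridge": "192.168.88.1/24",
        "vlan10": "10.0.10.1/24",
        "vlan20": "10.0.20.1/24",
        "vlan30": "10.0.30.1/24",
        "wg-home": "192.168.100.1/24",
    },
    bridge_ports=["ether2", "ether3", "ether4", "ether5", "ether6", "ether7", "ether8", "sfp1"],
    peers={"MH-VPN": Peer("192.168.100.4/32", "192.168.100.4/32")},
)

if __name__ == "__main__":
    for label, model in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label, check_router(model) or ["ok"])
    print("client:", check_client(FIXED, "MH-VPN", "192.168.100.4/32") or ["ok"])
```

Run with `python3 wgcheck.py`: the ORIGINAL model produces four findings (the overlap, the two peer address problems and the ether2 address), the FIXED model none. The peer check is the one that silently breaks forwarding: with allowed-address outside the tunnel subnet, the router's replies to the client have no route back into the WireGuard interface and leave via the default route instead.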

Hi Guys

Well spotted for the subnet mismatch - I've tried a LOT of setups and the mismatch was down to me not setting things back to an original config.

Anyway we now have the bridge on 192.168.88.0 and the WireGuard interface on 192.168.100.0 - the peer IP is now set to 192.168.100.x (i.e. corrected). We still cannot ping 192.168.100.2 - or anything while WireGuard is active.

I set up multiple bridges as part of my VLAN setup and moving VLANs around via trunks. I take the point this could be the issue so I'll correct and update the result here.

Managing over port 80 is insecure but it's only in a lab environment at the moment. Once I get WireGuard operational then that will be the remote access method.

Thanks for the input guys.

Repost the config, when done if still having problems.

Hi Guys

Issue now sorted.

Discovered an undocumented (or certainly unexpected) feature with Apple Mac WireGuard clients. No matter what the config, the Mac will state the WireGuard VPN as connected and will route traffic according to the WireGuard config, i.e. 0.0.0.0/0 kills all outgoing traffic. The traffic was never hitting the MikroTik. Since I was seeing a 'connected' message I never really paid the config much attention.

Wiped the MikroTik back to default and realised the issue when we still could not connect.

WireGuard now working as expected with firewall rules to allow access to various subnets.

Thanks for the input guys, helped point me off in the right direction.

I think this is how Windows client works too, and actually how WireGuard works in general, I believe. It doesn’t maintain a session state like IPSec. WG basically just sends UDP packets to where it thinks they need to go, regardless of whether it works or not. With UDP being a stateless protocol, there is no acknowledgement mechanism at the network level either.

This is also the reason why it’s so fast and supports seamless roaming, e.g. when someone is driving around with a smartphone and hops between different networks, there is no session to lose or re-establish. The client side just throws packets over the new network; the server side replies to whatever last public client IP it saw.
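Added example, not part of any post above: the practical counterpart of the last two replies. Because WireGuard keeps no session, a client's "connected" only means the interface is up and cryptokey routing is in effect; whether the other side ever answered shows up in `wg show <iface> dump` as a non-zero latest-handshake and a climbing transfer-rx (on RouterOS the same fields are `last-handshake` and `rx` in `/interface/wireguard/peers print`). The parser below reads that tab-separated dump format, classifies each peer, and reports which destinations AllowedIPs would pull into the tunnel. The sample dump and its keys are constructed, not captured; the function names and the 180-second freshness threshold are my own assumptions.

```python
"""Read WireGuard peer state from `wg show <iface> dump` and decide whether a
peer is actually up, instead of trusting the GUI's "connected".

Added example, not from the thread. Field order of a peer line in the dump
format: public-key, preshared-key, endpoint, allowed-ips, latest-handshake,
transfer-rx, transfer-tx, persistent-keepalive (tab separated); the first
line describes the interface and is skipped. The sample dump is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# A peer with traffic re-handshakes within about two minutes; with keepalive on
# and nothing coming back the timestamp stops moving. Threshold is an assumption.
HANDSHAKE_FRESH_SECONDS = 180


@dataclass
class PeerState:
    public_key: str
    endpoint: Optional[str]
    allowed_ips: List[ipaddress.IPv4Network]
    latest_handshake: int   # unix seconds, 0 = never handshaked
    rx_bytes: int
    tx_bytes: int


def parse_dump(text: str) -> List[PeerState]:
    """Parse the tab-separated dump; the interface line (4 fields) is skipped."""
    peers = []
    for line in text.strip().splitlines()[1:]:
        pk, _psk, endpoint, allowed, hs, rx, tx, _keepalive = line.split("\t")
        peers.append(PeerState(
            public_key=pk,
            endpoint=None if endpoint == "(none)" else endpoint,
            allowed_ips=[ipaddress.ip_network(a) for a in allowed.split(",")
                         if a and a != "(none)"],
            latest_handshake=int(hs),
            rx_bytes=int(rx),
            tx_bytes=int(tx),
        ))
    return peers


def peer_status(p: PeerState, now: int) -> str:
    """'never', 'stale' or 'up'. tx climbing while rx stays 0 and the handshake
    never completes is the situation in the thread: packets leave the client,
    nothing comes back, and the app still says connected."""
    if p.latest_handshake == 0:
        return "never"
    if now - p.latest_handshake > HANDSHAKE_FRESH_SECONDS:
        return "stale"
    return "up"


def routed_via_tunnel(p: PeerState, dst: str) -> bool:
    """True if cryptokey routing (AllowedIPs) would steer dst into the tunnel.
    With 0.0.0.0/0 that is everything, including 8.8.8.8."""
    ip = ipaddress.ip_address(dst)
    return any(ip in net for net in p.allowed_ips)


# Constructed sample: the first peer never handshaked (the thread's situation, tx
# counts only the handshake initiations); the second is healthy. Keys are placeholders.
NOW = 1_745_316_000
SAMPLE_DUMP = "\n".join([
    "\t".join(["(hidden)", "CLIENTPUBKEY=", "51820", "off"]),
    "\t".join(["ROUTERPUBKEY=", "(none)", "192.168.0.189:13231", "0.0.0.0/0",
               "0", "0", "148", "10"]),
    "\t".join(["OTHERPEER=", "(none)", "203.0.113.10:13231", "10.0.0.0/8,192.168.100.0/24",
               str(NOW - 45), "91234", "55678", "25"]),
])


def report(dump: str, now: int) -> List[str]:
    """One line per peer: status, counters, and whether 8.8.8.8 would enter the tunnel."""
    lines = []
    for p in parse_dump(dump):
        lines.append(f"{p.public_key} {peer_status(p, now)} rx={p.rx_bytes} tx={p.tx_bytes} "
                     f"8.8.8.8-in-tunnel={routed_via_tunnel(p, '8.8.8.8')}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_DUMP, NOW)))
```

On a real client, feed it `wg show <iface> dump` output (the macOS app exposes the same numbers in its log and status view). The check to make first, before touching any firewall rule, is the one the thread skipped: a "never" peer with rx=0 means the router never saw a usable handshake, so the problem is addressing or reachability of the endpoint, not the forward chain.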