WireGuard - no LAN connection

Router C: the same issues as on Router A, which need to be fixed before the tunnels will pass LAN traffic.

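  # 1. Changes for the backup WireGuard tunnel.
  # Two tunnel interfaces: the existing primary (WireGuard) and the new backup (WG-C).
  # The listen ports here are what any peer that initiates toward this router must reach,
  # so they have to be accepted in the input chain of the firewall.
  /interface wireguard
  add listen-port=52810 mtu=1420 name=WireGuard comment="primary tunnel to Router A"
  add listen-port=52910 mtu=1420 name=WG-C comment="backup tunnel to Router B"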

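/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
# Both tunnels are deliberately members of LAN so tunnel peers get the LAN services
# (DNS) below. Be aware this also makes them match every other rule written against
# in-interface-list=LAN, including the LAN->WAN internet forward rule and Admin Access.
add interface=WireGuard list=LAN
add interface=WG-C list=LAN
# Interface names are case-sensitive: the original read "Wireguard", which does not
# match the interface named "WireGuard" and silently leaves it out of WG-LAN.
add interface=WireGuard list=WG-LAN
add interface=WG-C list=WG-LAN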

/interface list
# The lists must exist before the "/interface list member" entries can reference them.
add name=WAN
add name=LAN
# WG-LAN groups only the two tunnels; the forward rules use it to address both tunnels at once.
add name=WG-LAN



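/ip address
# Disabled leftover: interface "*1" is a dangling reference to an interface that no longer
# exists, and the network of a .88/22 address is 195.234.232.0, not 195.234.234.0.
# Remove this entry unless the public address is still needed on a real interface.
add address=195.234.234.88/22 disabled=yes interface=*1 network=195.234.232.0
add address=10.0.1.3/24 interface=WireGuard network=10.0.1.0 comment="primary tunnel to Router A"
add address=10.2.1.2/24 interface=WG-C network=10.2.1.0 comment="backup tunnel to Router B"
add address=192.168.233.10/24 interface=ether2 network=192.168.233.0 comment="local LAN"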

2. Allowed IPs (peer allowed-address).
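/interface wireguard peers
# allowed-address is both the outbound selector (which destinations are sent to this peer)
# and the cryptokey-routing source check (packets arriving from this peer with a source
# outside allowed-address are silently dropped). Keep each list to exactly the subnets
# that live behind that peer; the Authorized address-list relies on this check.
# Primary: Router A, which also carries Router B's LAN (192.168.222.0/24) via A.
add allowed-address=10.0.1.0/24,192.168.4.0/24,192.168.222.0/24 comment="To Router A" \
    endpoint-address=XXX.myfritz.net endpoint-port=52810 interface=WireGuard \
    persistent-keepalive=25s public-key="iD------------------QY="
# Backup: direct tunnel to Router B, used by the distance=2 route.
add allowed-address=10.2.1.0/24,192.168.222.0/24 comment="Backup wireguard to Router B" \
    endpoint-address=PUBLIC-IP-Router-B endpoint-port=52910 interface=WG-C \
    persistent-keepalive=45s public-key="HK-----------------------A8="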

  3. Firewall address list
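    /ip firewall address-list
    # Use static DHCP leases for the LAN hosts listed here so their addresses stay fixed.
    # X, Y, A, B are placeholders for the last octet of each admin host.
    # The original had "192.168..4.X" (double dot), which is not a valid address.
    add address=192.168.4.X list=Authorized comment="admin remote router A"
    add address=192.168.4.Y list=Authorized comment="admin remote laptop router A"
    add address=192.168.222.A list=Authorized comment="admin remote desktop router B"
    add address=192.168.233.B list=Authorized comment="admin local desktop router C"
    add address=10.0.1.5/32 list=Authorized comment="admin laptop remote"
    add address=10.0.1.6/32 list=Authorized comment="admin smartphone/ipad remote"
    # Backup access to Routers B, C by the remote admin over the WG-C tunnel.
    # These entries are only trustworthy because 10.2.1.0/24 is inside the WG-C peer's
    # allowed-address, so WireGuard drops tunnel packets that spoof these sources.
    add address=10.2.1.5/32 list=Authorized comment="admin laptop remote for backup wireguard"
    add address=10.2.1.6/32 list=Authorized comment="admin smartphone/ipad remote for backup wireguard"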

  4. Firewall filter rules:
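    /ip firewall filter
    # ---- input chain: traffic addressed to the router itself ----
    # The stateful accept and drop-invalid rules were listed as disabled=yes. With them off,
    # every reply to router-originated traffic (including the WireGuard handshake responses
    # from both peers) falls through to "Drop all else", so the tunnels never come up.
    # They are enabled here.
    add action=accept chain=input comment="defconf: accept established,related,untracked" \
        connection-state=established,related,untracked
    add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
    # ICMP is needed for path-MTU discovery with the mtu=1420 tunnels.
    add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
    add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" \
        disabled=yes dst-address=127.0.0.1
    # Only required if Router A or B initiates the handshake toward this router; WireGuard
    # silently ignores unauthenticated datagrams, so exposing the ports is low risk.
    add action=accept chain=input comment="WireGuard handshakes from peers" dst-port=52810,52910 \
        in-interface-list=WAN protocol=udp
    # Every Authorized entry is a private or tunnel address. Restricting the rule to LAN
    # (ether2 plus both tunnels) stops a WAN packet with a spoofed private source from
    # matching it; the tunnels' allowed-address handles spoofing on the tunnel side.
    add action=accept chain=input comment="Admin Access" in-interface-list=LAN \
        src-address-list=Authorized
    add action=accept chain=input comment="users to services: DNS" dst-port=53 protocol=udp \
        in-interface-list=LAN
    add action=accept chain=input comment="users to services: DNS" dst-port=53 protocol=tcp \
        in-interface-list=LAN
    # Keep this rule last so you do not lock yourself out.
    add action=drop chain=input comment="Drop all else"
    # ---- forward chain: traffic routed through the router ----
    add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes \
        ipsec-policy=in,ipsec
    add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes \
        ipsec-policy=out,ipsec
    # Optional; left disabled as in the original. Fasttracked connections bypass the rules below.
    add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
        connection-state=established,related disabled=yes hw-offload=yes
    # Same as the input chain: without this, return traffic for every allowed flow is dropped.
    add action=accept chain=forward comment="defconf: accept established,related, untracked" \
        connection-state=established,related,untracked
    add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
    # NOTE(review): because both tunnels are members of LAN, this rule also gives the remote
    # sites internet egress through Router C. Use in-interface=ether2 if that is not intended.
    add action=accept chain=forward comment="internet traffic" in-interface-list=LAN \
        out-interface-list=WAN
    add action=accept chain=forward comment="allow local RC users to access to both wg tunnels" \
        out-interface-list=WG-LAN src-address=192.168.233.0/24
    # Parameter names are case-sensitive: "Comment=" in the original is rejected by RouterOS.
    add action=accept chain=forward comment="allow RA users access to local LAN" \
        in-interface=WireGuard dst-address=192.168.233.0/24 src-address=192.168.4.0/24
    add action=accept chain=forward comment="allow RB users access to local LAN via both tunnels" \
        in-interface-list=WG-LAN dst-address=192.168.233.0/24 src-address=192.168.222.0/24
    # Enable only if port forwarding (dst-nat) is configured, otherwise remove.
    add action=accept chain=forward comment="port forwarding" connection-nat-state=dst-nat \
        disabled=yes
    add action=drop chain=forward comment="Drop All else"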

  5. Routes
    /ip route
    # Default route out the WAN; replace ether1-gateway-IP with the ISP gateway address.
    add dst-address=0.0.0.0/0 gateway=ether1-gateway-IP routing-table=main
    # Router A's LAN over the primary tunnel.
    add dst-address=192.168.4.0/24 gateway=WireGuard
    routing-table=main
    # Router B's LAN: primary path via Router A (default distance 1) ...
    add dst-address=192.168.222.0/24 gateway=WireGuard
    routing-table=main
    # ... and backup path over the direct WG-C tunnel (distance 2).
    # NOTE(review): a WireGuard interface does not go down when its peer is unreachable, so an
    # interface-gateway route stays active and this distance=2 route never takes over on its own.
    # For real failover, point the primary route at Router A's tunnel IP (10.0.1.x) as gateway
    # and add check-gateway=ping — confirm that peer IP before applying.
    add distance=2 dst-address=192.168.222.0/24 gateway=WG-C
    routing-table=main