Wireguard Not Connecting for Site to Site

RouterOS General
1

Hello there. I have a setup where I need three locations to be connected via wireguard. 2 of the three location will be utilizing existing internet provider by the owner of that location while the other is my own internet setup where I have full control to open/close specific ports.

Currently I have to sites set up: my own location (called Maragang) and the one of the 2 location called KKIP. My issue currently is that I am unable to establish a wireguard connection between the two location. I am able to connect to Maragang via wireguard using my phone set as a RoadWarrior tunnel (i.e. allowable address 0.0.0.0/0)

I have both config files for Maragang and KKIP. Appreciate your assistance on letting me know why the site to site connection is not establishing. Also if there’s anything at all that I seem to be doing wrong/not ideal, do let me know.

# 2025-07-22 15:08:59 by RouterOS 7.19.3
# software id = 7EPL-Q814
#
# model = RB760iGS
# serial number = ********
/interface bridge
add admin-mac=F4:1E:57:CE:58:F9 auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface wireguard
add listen-port=16226 mtu=1420 name=wireguard1
/interface vlan
add interface=ether1 name=vlan1 vlan-id=500
add interface=bridge name=vlan_Admin vlan-id=4
add interface=bridge name=vlan_External vlan-id=30
add interface=bridge name=vlan_Hexide vlan-id=14
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan1 name=pppoe-out1 \
    use-peer-dns=yes user=h*********************
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.48.10-192.168.48.254
add name=adrPool_Admin ranges=10.89.4.10-10.89.4.29
add name=adrPool_Hexide ranges=10.89.14.10-10.89.14.254
add name=adrPool_External ranges=172.30.14.10-172.30.14.69
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=adrPool_Admin interface=vlan_Admin name=dhcp1
add address-pool=adrPool_External interface=vlan_External name=dhcp2
add address-pool=adrPool_Hexide interface=vlan_Hexide name=dhcp3
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 pvid=4
add bridge=bridge comment=defconf interface=ether3 pvid=14
add bridge=bridge comment=defconf interface=ether4 pvid=30
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether4 vlan-ids=30
add bridge=bridge tagged=bridge untagged=ether3 vlan-ids=14
add bridge=bridge tagged=bridge untagged=ether2 vlan-ids=4
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=vlan_Admin list=LAN
add interface=wireguard1 list=LAN
/interface wireguard peers
add allowed-address=10.2.12.0/27,10.89.3.0/24,10.89.13.0/24,172.30.13.0/24 \
    interface=wireguard1 name=HexideTRC public-key=\
    "0hmrXF7*************************************"
add allowed-address=10.2.12.0/27 interface=wireguard1 name=Faiz_Samsung \
    public-key="5SQGuud*************************************"
add allowed-address=10.2.12.0/27,10.89.2.0/24,10.89.12.0/24,172.30.12.0/24 \
    interface=wireguard1 name=HexideKKIP public-key=\
    "+7QNpe9*************************************"
/ip address
add address=192.168.48.1/24 comment=defconf interface=bridge network=\
    192.168.48.0
add address=10.89.4.1/24 interface=vlan_Admin network=10.89.4.0
add address=10.89.14.1/24 interface=vlan_Hexide network=10.89.14.0
add address=172.30.14.1/24 interface=vlan_External network=172.30.14.0
add address=10.2.12.1/27 interface=wireguard1 network=10.2.12.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server network
add address=10.89.4.0/24 dns-server=10.89.4.1 gateway=10.89.4.1
add address=10.89.14.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=10.89.14.1
add address=172.30.14.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=172.30.14.1
add address=192.168.48.0/24 comment=defconf dns-server=192.168.48.1 gateway=\
    192.168.48.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.48.1 comment=defconf name=router.lan type=A
/ip firewall address-list
add address=10.89.4.0/24 list=Local_Admin
add address=10.89.14.0/24 list=Local_Hexide
add address=172.30.14.0/24 list=Local_External
add address=10.89.2.0/24 list=WG_Admin
add address=10.89.12.0/24 list=WG_Hexide
add address=172.30.12.0/24 list=WG_External
add address=10.89.3.0/24 list=WG_Admin
add address=10.89.13.0/24 list=WG_Hexide
add address=172.30.13.0/24 list=WG_External
add address=192.168.48.0/24 list=DefaultBridge
add address=10.2.12.24 list=WG_Admin
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input dst-port=16226 protocol=udp
add action=accept chain=input comment="Allow WG network" disabled=yes \
    src-address=10.2.12.24
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="Allow WG Admin To Local Admin" \
    dst-address-list=Local_Admin src-address-list=WG_Admin
add action=accept chain=forward comment="Allow Local Admin To WG Admin" \
    dst-address-list=WG_Admin src-address-list=Local_Admin
add action=accept chain=forward comment="Allow WG Admin To Local Hexide" \
    dst-address-list=Local_Hexide src-address-list=WG_Admin
add action=accept chain=forward comment="Allow WG Admin To Local External" \
    dst-address-list=Local_External src-address-list=WG_Admin
add action=accept chain=forward comment="Allow WG Hexide To Local Hexide" \
    dst-address-list=Local_Hexide src-address-list=WG_Hexide
add action=accept chain=forward comment="Allow Local Hexide To WG Hexide" \
    dst-address-list=WG_Hexide src-address-list=Local_Hexide
add action=accept chain=forward comment="Allow WG Hexide To Local External" \
    dst-address-list=Local_External src-address-list=WG_Hexide
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Drop Hexide to Admin" \
    dst-address-list=Local_Admin src-address-list=Local_Hexide
add action=drop chain=forward comment="Drop External to Admin" \
    dst-address-list=Local_Admin src-address-list=Local_External
add action=drop chain=forward comment="Drop External to Hexide" \
    dst-address-list=Local_Hexide src-address-list=Local_External
add action=drop chain=forward comment="Drop WG Hexide To Local Admin" \
    dst-address-list=Local_Admin src-address-list=WG_Hexide
add action=drop chain=forward comment="Drop WG External To Local Admin" \
    dst-address-list=Local_Admin src-address-list=WG_External
add action=drop chain=forward comment="Drop Default to All" disabled=yes \
    dst-address-list=!DefaultBridge src-address-list=DefaultBridge
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add comment=WG_Admin_KKIP disabled=no dst-address=10.89.2.0/24 gateway=\
    wireguard1 routing-table=main suppress-hw-offload=no
add comment=WG_Hexide_KKIP disabled=no distance=1 dst-address=10.89.12.0/24 \
    gateway=wireguard1 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=WG_External_KKIP disabled=no distance=1 dst-address=\
    172.30.12.0/24 gateway=wireguard1 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment=WG_Admin_TRC disabled=no dst-address=10.89.3.0/24 gateway=\
    wireguard1 routing-table=main suppress-hw-offload=no
add comment=WG_Hexide_TRC disabled=no distance=1 dst-address=10.89.13.0/24 \
    gateway=wireguard1 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=WG_External_TRC disabled=no distance=1 dst-address=172.30.13.0/24 \
    gateway=wireguard1 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Asia/Kuala_Lumpur
/system identity
set name=Hexide_Maragang
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

# 2025-07-22 14:49:00 by RouterOS 7.19.3
# software id = 0AFC-R067
#
# model = RB760iGS
# serial number = **********
/interface bridge
add admin-mac=F4:1E:57:CE:59:39 auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface wireguard
add listen-port=16226 mtu=1420 name=wireguard1
/interface vlan
add interface=bridge name=vlan_Admin vlan-id=2
add interface=bridge name=vlan_External vlan-id=30
add interface=bridge name=vlan_Hexide vlan-id=12
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.28.10-192.168.28.254
add name=adrPool_Admin ranges=10.89.2.10-10.89.2.29
add name=adrPool_Hexide ranges=10.89.12.10-10.89.12.254
add name=adrPool_External ranges=172.30.12.10-172.30.12.69
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=adrPool_Admin interface=vlan_Admin name=dhcp1
add address-pool=adrPool_External interface=vlan_External name=dhcp2
add address-pool=adrPool_Hexide interface=vlan_Hexide name=dhcp3
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 pvid=2
add bridge=bridge comment=defconf interface=ether3 pvid=12
add bridge=bridge comment=defconf interface=ether4 pvid=30
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether2 vlan-ids=2
add bridge=bridge tagged=bridge untagged=ether3 vlan-ids=30
add bridge=bridge tagged=bridge untagged=ether3 vlan-ids=12
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=vlan_Admin list=LAN
add interface=wireguard1 list=LAN
add interface=vlan_Hexide list=LAN
/interface wireguard peers
add allowed-address=10.2.12.0/27,10.89.4.0/24,10.89.14.0/24,172.30.14.0/24 \
    comment=Hexide_Maragang endpoint-address=myendpointaddress.fake \
    endpoint-port=16226 interface=wireguard1 name=peer1 public-key=\
    "b5223**********************************YrBw="
/ip address
add address=192.168.28.1/24 comment=defconf interface=bridge network=\
    192.168.28.0
add address=10.89.2.1/24 interface=vlan_Admin network=10.89.2.0
add address=10.89.12.1/24 interface=vlan_Hexide network=10.89.12.0
add address=172.30.12.1/24 interface=vlan_External network=172.30.12.0
add address=10.2.12.2/27 interface=wireguard1 network=10.2.12.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.89.2.0/24 dns-server=192.168.28.1 gateway=10.89.2.1
add address=10.89.12.0/24 dns-server=10.89.12.30 gateway=10.89.12.1
add address=172.30.12.0/24 dns-server=192.168.28.1 gateway=172.30.12.1
add address=192.168.28.0/24 comment=defconf dns-server=192.168.28.1 gateway=\
    192.168.28.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.28.1 comment=defconf name=router.lan type=A
/ip firewall address-list
add address=10.89.2.0/24 list=Local_Admin
add address=10.89.12.0/24 list=Local_Hexide
add address=172.30.12.0/24 list=Local_External
add address=10.89.4.0/24 list=WG_Admin
add address=10.89.14.0/24 list=WG_Hexide
add address=172.30.14.0/24 list=WG_External
add address=10.89.3.0/24 list=WG_Admin
add address=10.89.13.0/24 list=WG_Hexide
add address=172.30.13.0/24 list=WG_External
add address=192.168.28.0/24 list=DefaultBridge
add address=10.2.12.0/27 disabled=yes list=WG_Admin
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input dst-port=16226 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="Allow WG Admin To Local Admin" \
    dst-address-list=Local_Admin src-address-list=WG_Admin
add action=accept chain=forward comment="Allow Local Admin To WG Admin" \
    dst-address-list=WG_Admin src-address-list=Local_Admin
add action=accept chain=forward comment="Allow WG Admin To Local Hexide" \
    dst-address-list=Local_Hexide src-address-list=WG_Admin
add action=accept chain=forward comment="Allow WG Admin To Local External" \
    dst-address-list=Local_External src-address-list=WG_Admin
add action=accept chain=forward comment="Allow WG Hexide To Local Hexide" \
    dst-address-list=Local_Hexide src-address-list=WG_Hexide
add action=accept chain=forward comment="Allow Local Hexide To WG Hexide" \
    dst-address-list=WG_Hexide src-address-list=Local_Hexide
add action=accept chain=forward comment="Allow WG Hexide To Local External" \
    dst-address-list=Local_External src-address-list=WG_Hexide
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Drop Hexide to Admin" \
    dst-address-list=Local_Admin src-address-list=Local_Hexide
add action=drop chain=forward comment="Drop External to Admin" \
    dst-address-list=Local_Admin src-address-list=Local_External
add action=drop chain=forward comment="Drop External to Hexide" \
    dst-address-list=Local_Hexide src-address-list=Local_External
add action=drop chain=forward comment="Drop WG Hexide To Local Admin" \
    dst-address-list=Local_Admin src-address-list=WG_Hexide
add action=drop chain=forward comment="Drop WG External To Local Admin" \
    dst-address-list=Local_Admin src-address-list=WG_External
add action=drop chain=forward comment="Drop Default to All" disabled=yes \
    dst-address-list=!DefaultBridge src-address-list=DefaultBridge
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add comment=WG_Admin_Maragang disabled=no dst-address=10.89.4.0/24 gateway=\
    wireguard1 routing-table=main suppress-hw-offload=no
add comment=WG_Hexide_Maragang disabled=no distance=1 dst-address=\
    10.89.14.0/24 gateway=wireguard1 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment=WG_External_Maragang disabled=no distance=1 dst-address=\
    172.30.14.0/24 gateway=wireguard1 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment=WG_Admin_TRC disabled=no dst-address=10.89.3.0/24 gateway=\
    wireguard1 routing-table=main suppress-hw-offload=no
add comment=WG_Hexide_TRC disabled=no distance=1 dst-address=10.89.13.0/24 \
    gateway=wireguard1 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=WG_External_TRC disabled=no distance=1 dst-address=172.30.13.0/24 \
    gateway=wireguard1 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=WG_Admin_Maragang disabled=no dst-address=10.89.4.0/24 gateway=\
    wireguard1 routing-table=main suppress-hw-offload=no
add comment=WG_Hexide_Maragang disabled=no distance=1 dst-address=\
    10.89.14.0/24 gateway=wireguard1 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment=WG_External_Maragang disabled=no distance=1 dst-address=\
    172.30.14.0/24 gateway=wireguard1 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment=WG_Admin_TRC disabled=no dst-address=10.89.3.0/24 gateway=\
    wireguard1 routing-table=main suppress-hw-offload=no
add comment=WG_Hexide_TRC disabled=no distance=1 dst-address=10.89.13.0/24 \
    gateway=wireguard1 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=WG_External_TRC disabled=no distance=1 dst-address=172.30.13.0/24 \
    gateway=wireguard1 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Asia/Kuala_Lumpur
/system identity
set name=Hexide_KKIP
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
2

On the /interface/wireguard/peers I would expect a /32 allowed IP address per peer, like:

/interface wireguard peers
add allowed-address=10.2.12.1/32,10.89.3.0/24,10.89.13.0/24,172.30.13.0/24 \
    interface=wireguard1 name=HexideTRC public-key=\
    "0hmrXF7*************************************"

/interface wireguard peers
add allowed-address=10.2.12.2/32,10.89.4.0/24,10.89.14.0/24,172.30.14.0/24 \
    comment=Hexide_Maragang endpoint-address=myendpointaddress.fake \
    endpoint-port=16226 interface=wireguard1 name=peer1 public-key=\
    "b5223**********************************YrBw="
3

Yes I have tried that, but it made no difference in terms of connectivity. I have the /32 running at my home.

The /27 was done based on this guide.

FYI: with my phone there was no issue in connecting to the wireguard tunnel with /27 set:

add allowed-address=10.2.12.0/27 interface=wireguard1 name=Faiz_Samsung \
    public-key="5SQGuud*************************************"
4

I prefer to follow official documentation:

Pretty sure all peer IP addresses should have a /32 IP address in allowed IP’s.

Have you tried turning on Wireguard debug logging?
How did you test if there was a connection?

5

Have changed all peers to have /32. Still no joy.

I’ve added wireguard topic into system log. And I’ve added a log rule for the filter rule number 2 (input for port 16226).

Currently in the Wireguard Peers, only the Samsung phone’s data Tx/Rx counters are going up. The last handshake timer resets every time I make a connection. However for the other site (KKIP), the Rx/Tx counter is at 0 B, and the last handshake is at 00:00:00. Only the endpoint address updates to the right IP address of Maragang site.

In addition, I am able to remote into the Maragang Mikrotik terminal outside of the site.

6

After any update, please share the updated config. And be sure to remove serial (as this could reveal your public IP address).

In addition you could set responder=yes on the “server” peer:

7

What is most important are the requirements.
Who is managing the MT config at all three sites.
What is the purpose of wireguard for the users/devices at each 3 sites.
What access does the admin require ( or admins ).

What kind of setup is required, TWO SITES connect to SERVER at Main site? OR
Mesh approach, each Site has a full connection to the other two sites ( two interfaces at each site )
( depends much too on any internet usage/sharing in the mix )

Next, the WAN connections at all three sites. Are they public WANIPs?
Can the ISP modem router if one exists that gets a public IP, forward ports to the MIKROTIK device??

8

Here is the updated config files:

  1. Server/ Main site (maragang)
# 2025-07-23 12:34:26 by RouterOS 7.19.3
# software id = 7EPL-Q814
#
# model = RB760iGS
# serial number = ***********
/interface bridge
add admin-mac=F4:1E:57:CE:58:F9 auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface wireguard
add listen-port=16226 mtu=1420 name=wireguard1
/interface vlan
add interface=ether1 name=vlan1 vlan-id=500
add interface=bridge name=vlan_Admin vlan-id=4
add interface=bridge name=vlan_External vlan-id=30
add interface=bridge name=vlan_Hexide vlan-id=14
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan1 name=pppoe-out1 \
    use-peer-dns=yes user=h***************************z
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.48.10-192.168.48.254
add name=adrPool_Admin ranges=10.89.4.10-10.89.4.29
add name=adrPool_Hexide ranges=10.89.14.10-10.89.14.254
add name=adrPool_External ranges=172.30.14.10-172.30.14.69
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=adrPool_Admin interface=vlan_Admin name=dhcp1
add address-pool=adrPool_External interface=vlan_External name=dhcp2
add address-pool=adrPool_Hexide interface=vlan_Hexide name=dhcp3
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 pvid=4
add bridge=bridge comment=defconf interface=ether3 pvid=14
add bridge=bridge comment=defconf interface=ether4 pvid=30
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether4 vlan-ids=30
add bridge=bridge tagged=bridge untagged=ether3 vlan-ids=14
add bridge=bridge tagged=bridge untagged=ether2 vlan-ids=4
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=vlan_Admin list=LAN
add interface=wireguard1 list=LAN
add interface=vlan1 list=WAN
/interface wireguard peers
add allowed-address=10.2.12.3/32,10.89.3.0/24,10.89.13.0/24,172.30.13.0/24 \
    interface=wireguard1 name=HexideTRC public-key=\
    "0hmr***************************************="
add allowed-address=10.2.12.24/32 interface=wireguard1 name=Faiz_Samsung \
    public-key="5SQG****************************************"
add allowed-address=10.2.12.2/32,10.89.2.0/24,10.89.12.0/24,172.30.12.0/24 \
    interface=wireguard1 name=HexideKKIP public-key=\
    "+7QNp***************************************"
/ip address
add address=192.168.48.1/24 comment=defconf interface=bridge network=\
    192.168.48.0
add address=10.89.4.1/24 interface=vlan_Admin network=10.89.4.0
add address=10.89.14.1/24 interface=vlan_Hexide network=10.89.14.0
add address=172.30.14.1/24 interface=vlan_External network=172.30.14.0
add address=10.2.12.1/27 interface=wireguard1 network=10.2.12.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server network
add address=10.89.4.0/24 dns-server=10.89.4.1 gateway=10.89.4.1
add address=10.89.14.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=10.89.14.1
add address=172.30.14.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=172.30.14.1
add address=192.168.48.0/24 comment=defconf dns-server=192.168.48.1 gateway=\
    192.168.48.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.48.1 comment=defconf name=router.lan type=A
/ip firewall address-list
add address=10.89.4.0/24 list=Local_Admin
add address=10.89.14.0/24 list=Local_Hexide
add address=172.30.14.0/24 list=Local_External
add address=10.89.2.0/24 list=WG_Admin
add address=10.89.12.0/24 list=WG_Hexide
add address=172.30.12.0/24 list=WG_External
add address=10.89.3.0/24 list=WG_Admin
add address=10.89.13.0/24 list=WG_Hexide
add address=172.30.13.0/24 list=WG_External
add address=192.168.48.0/24 list=DefaultBridge
add address=10.2.12.24 list=WG_Admin
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input dst-port=16226 log=yes log-prefix=WG_Input \
    protocol=udp
add action=accept chain=input comment="Allow WG network" disabled=yes \
    src-address=10.2.12.24
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="Allow WG Admin To Local Admin" \
    dst-address-list=Local_Admin src-address-list=WG_Admin
add action=accept chain=forward comment="Allow Local Admin To WG Admin" \
    dst-address-list=WG_Admin src-address-list=Local_Admin
add action=accept chain=forward comment="Allow WG Admin To Local Hexide" \
    dst-address-list=Local_Hexide src-address-list=WG_Admin
add action=accept chain=forward comment="Allow WG Admin To Local External" \
    dst-address-list=Local_External src-address-list=WG_Admin
add action=accept chain=forward comment="Allow WG Hexide To Local Hexide" \
    dst-address-list=Local_Hexide src-address-list=WG_Hexide
add action=accept chain=forward comment="Allow Local Hexide To WG Hexide" \
    dst-address-list=WG_Hexide src-address-list=Local_Hexide
add action=accept chain=forward comment="Allow WG Hexide To Local External" \
    dst-address-list=Local_External src-address-list=WG_Hexide
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Drop Hexide to Admin" \
    dst-address-list=Local_Admin src-address-list=Local_Hexide
add action=drop chain=forward comment="Drop External to Admin" \
    dst-address-list=Local_Admin src-address-list=Local_External
add action=drop chain=forward comment="Drop External to Hexide" \
    dst-address-list=Local_Hexide src-address-list=Local_External
add action=drop chain=forward comment="Drop WG Hexide To Local Admin" \
    dst-address-list=Local_Admin src-address-list=WG_Hexide
add action=drop chain=forward comment="Drop WG External To Local Admin" \
    dst-address-list=Local_Admin src-address-list=WG_External
add action=drop chain=forward comment="Drop Default to All" disabled=yes \
    dst-address-list=!DefaultBridge src-address-list=DefaultBridge
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add comment=WG_Admin_KKIP disabled=no dst-address=10.89.2.0/24 gateway=\
    wireguard1 routing-table=main suppress-hw-offload=no
add comment=WG_Hexide_KKIP disabled=no distance=1 dst-address=10.89.12.0/24 \
    gateway=wireguard1 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=WG_External_KKIP disabled=no distance=1 dst-address=\
    172.30.12.0/24 gateway=wireguard1 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment=WG_Admin_TRC disabled=no dst-address=10.89.3.0/24 gateway=\
    wireguard1 routing-table=main suppress-hw-offload=no
add comment=WG_Hexide_TRC disabled=no distance=1 dst-address=10.89.13.0/24 \
    gateway=wireguard1 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=WG_External_TRC disabled=no distance=1 dst-address=172.30.13.0/24 \
    gateway=wireguard1 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Asia/Kuala_Lumpur
/system identity
set name=Hexide_Maragang
/system logging
add topics=wireguard
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
  1. Offsite 1 (KKIP)
# 2025-07-23 13:01:12 by RouterOS 7.19.3
# software id = 0AFC-R067
#
# model = RB760iGS
# serial number = ***********
/interface bridge
add admin-mac=F4:1E:57:CE:59:39 auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface wireguard
add listen-port=16226 mtu=1420 name=wireguard1
/interface vlan
add interface=bridge name=vlan_Admin vlan-id=2
add interface=bridge name=vlan_External vlan-id=30
add interface=bridge name=vlan_Hexide vlan-id=12
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.28.10-192.168.28.254
add name=adrPool_Admin ranges=10.89.2.10-10.89.2.29
add name=adrPool_Hexide ranges=10.89.12.10-10.89.12.254
add name=adrPool_External ranges=172.30.12.10-172.30.12.69
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=adrPool_Admin interface=vlan_Admin name=dhcp1
add address-pool=adrPool_External interface=vlan_External name=dhcp2
add address-pool=adrPool_Hexide interface=vlan_Hexide name=dhcp3
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 pvid=2
add bridge=bridge comment=defconf interface=ether3 pvid=12
add bridge=bridge comment=defconf interface=ether4 pvid=30
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether2 vlan-ids=2
add bridge=bridge tagged=bridge untagged=ether3 vlan-ids=30
add bridge=bridge tagged=bridge untagged=ether3 vlan-ids=12
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=vlan_Admin list=LAN
add interface=wireguard1 list=LAN
add interface=vlan_Hexide list=LAN
/interface wireguard peers
add allowed-address=10.2.12.1/32,10.89.4.0/24,10.89.14.0/24,172.30.14.0/24 \
    comment=Hexide_Maragang endpoint-address=************************.net \
    endpoint-port=16226 interface=wireguard1 name=peer1 public-key=\
    "b5223**************************************="
/ip address
add address=192.168.28.1/24 comment=defconf interface=bridge network=\
    192.168.28.0
add address=10.89.2.1/24 interface=vlan_Admin network=10.89.2.0
add address=10.89.12.1/24 interface=vlan_Hexide network=10.89.12.0
add address=172.30.12.1/24 interface=vlan_External network=172.30.12.0
add address=10.2.12.2/27 interface=wireguard1 network=10.2.12.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.89.2.0/24 dns-server=192.168.28.1 gateway=10.89.2.1
add address=10.89.12.0/24 dns-server=10.89.12.30 gateway=10.89.12.1
add address=172.30.12.0/24 dns-server=192.168.28.1 gateway=172.30.12.1
add address=192.168.28.0/24 comment=defconf dns-server=192.168.28.1 gateway=\
    192.168.28.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.28.1 comment=defconf name=router.lan type=A
/ip firewall address-list
add address=10.89.2.0/24 list=Local_Admin
add address=10.89.12.0/24 list=Local_Hexide
add address=172.30.12.0/24 list=Local_External
add address=10.89.4.0/24 list=WG_Admin
add address=10.89.14.0/24 list=WG_Hexide
add address=172.30.14.0/24 list=WG_External
add address=10.89.3.0/24 list=WG_Admin
add address=10.89.13.0/24 list=WG_Hexide
add address=172.30.13.0/24 list=WG_External
add address=192.168.28.0/24 list=DefaultBridge
add address=10.2.12.0/27 disabled=yes list=WG_Admin
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input dst-port=16226 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="Allow WG Admin To Local Admin" \
    dst-address-list=Local_Admin src-address-list=WG_Admin
add action=accept chain=forward comment="Allow Local Admin To WG Admin" \
    dst-address-list=WG_Admin src-address-list=Local_Admin
add action=accept chain=forward comment="Allow WG Admin To Local Hexide" \
    dst-address-list=Local_Hexide src-address-list=WG_Admin
add action=accept chain=forward comment="Allow WG Admin To Local External" \
    dst-address-list=Local_External src-address-list=WG_Admin
add action=accept chain=forward comment="Allow WG Hexide To Local Hexide" \
    dst-address-list=Local_Hexide src-address-list=WG_Hexide
add action=accept chain=forward comment="Allow Local Hexide To WG Hexide" \
    dst-address-list=WG_Hexide src-address-list=Local_Hexide
add action=accept chain=forward comment="Allow WG Hexide To Local External" \
    dst-address-list=Local_External src-address-list=WG_Hexide
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Drop Hexide to Admin" \
    dst-address-list=Local_Admin src-address-list=Local_Hexide
add action=drop chain=forward comment="Drop External to Admin" \
    dst-address-list=Local_Admin src-address-list=Local_External
add action=drop chain=forward comment="Drop External to Hexide" \
    dst-address-list=Local_Hexide src-address-list=Local_External
add action=drop chain=forward comment="Drop WG Hexide To Local Admin" \
    dst-address-list=Local_Admin src-address-list=WG_Hexide
add action=drop chain=forward comment="Drop WG External To Local Admin" \
    dst-address-list=Local_Admin src-address-list=WG_External
add action=drop chain=forward comment="Drop Default to All" disabled=yes \
    dst-address-list=!DefaultBridge src-address-list=DefaultBridge
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add comment=WG_Admin_Maragang disabled=no dst-address=10.89.4.0/24 gateway=\
    wireguard1 routing-table=main suppress-hw-offload=no
add comment=WG_Hexide_Maragang disabled=no distance=1 dst-address=\
    10.89.14.0/24 gateway=wireguard1 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment=WG_External_Maragang disabled=no distance=1 dst-address=\
    172.30.14.0/24 gateway=wireguard1 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment=WG_Admin_TRC disabled=no dst-address=10.89.3.0/24 gateway=\
    wireguard1 routing-table=main suppress-hw-offload=no
add comment=WG_Hexide_TRC disabled=no distance=1 dst-address=10.89.13.0/24 \
    gateway=wireguard1 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=WG_External_TRC disabled=no distance=1 dst-address=172.30.13.0/24 \
    gateway=wireguard1 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=WG_Admin_Maragang disabled=no dst-address=10.89.4.0/24 gateway=\
    wireguard1 routing-table=main suppress-hw-offload=no
add comment=WG_Hexide_Maragang disabled=no distance=1 dst-address=\
    10.89.14.0/24 gateway=wireguard1 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment=WG_External_Maragang disabled=no distance=1 dst-address=\
    172.30.14.0/24 gateway=wireguard1 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment=WG_Admin_TRC disabled=no dst-address=10.89.3.0/24 gateway=\
    wireguard1 routing-table=main suppress-hw-offload=no
add comment=WG_Hexide_TRC disabled=no distance=1 dst-address=10.89.13.0/24 \
    gateway=wireguard1 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=WG_External_TRC disabled=no distance=1 dst-address=172.30.13.0/24 \
    gateway=wireguard1 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Asia/Kuala_Lumpur
/system identity
set name=Hexide_KKIP
/system logging
add topics=wireguard
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
9

Hi anav, thank you for the reply.

I’ll be a bit more detailed in the setup and the issue (so apologies in advance if this is a bit long)

I am managing all three MT config.
The purpose of having all three sites connected is because we are limited in resources i.e. the server is located in one site, but all three location will require access to it. The admin (mainly me) will need to be able to manage all three locations even if off-site from all three - i.e. in cases where I am at home/off site.

The two sites will connect to the wireguard server on the main site. This is because only the server location is under my full control i.e. directly connected to internet provider and ISP is under my name. In other words, only in the wireguard server location am I freely able to open and close ports. All other sites are rented property where by the owners of the respective location has already an internet provider and gives me internet connectivity via an ethernet cable connected to their existing network. I do not have direct access to their router, but I am able to request for a static private DHCP and specific ports to be open.

Currently neither location have ports open specifically. And I am also aware that in both location I may run into a potential Double NAT situation and that could be an issue. I did a traceroute test in the KKIP location using a device within 10.89.12.0/24 and it seems to show no Double NAT:

traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 _gateway (10.89.12.1) 0.577 ms 0.709 ms 0.461 ms
2 1.9.53.254 (1.9.53.254) 9.655 ms 9.640 ms 9.619 ms
3 10.55.170.161 (10.55.170.161) 28.326 ms 28.459 ms 28.207 ms
4 10.55.172.18 (10.55.172.18) 27.979 ms 28.523 ms 10.55.52.12 (10.55.52.12) 27.071 ms
5 * * *
6 72.14.243.52 (72.14.243.52) 26.9t0 ms 72.14.197.66 (72.14.197.66) 25.653 ms *
7 192.178.98.227 (192.178.98.277) 26.106 ms * *
8 dns.google (8.8.8.8) 29.122 ms 28.004 ms 28.343 ms

Traceroute 3 and 4 seems to show private IP addresses, but this is not a network space that is set by the owner’s network nor is it from my router. I am guessing this is part of the ISP’s process. I could be wrong here.

Also as sidenote, I did previously manage to get a wireguard connection between KKIP to the main server and was able to do the following:

  1. Be in the 10.89.2.0/24 network in KKIP and ping devices all network space located in Maragang (10.89.4.0/24, 10.89.14.0/24 and the 172.30.14.0/24) located in Maragang. This is the expected behavior as per firewall rules
  2. Be in the 10.89.2.0/24 network in KKIP and ping devices in 10.89.14.0/24 and 172.30.14.0/24 only but not the 10.89.4.0/24. Again expected behavior
  3. Be in the 172.30.12.0/24 network in KKIP and only able to ping devices in the 172.30.14.0/24

However I noticed that from KKIP location irrespective of what network space I am in, I was still able to access the router. The intended behavior is that only the admin network can access the router. I saw that I had place the wireguard interface as part of the LAN group in interface/interface list. I disabled the inteface list and that was when I lost all connectivity. Reenabling the interface list did not do anything to restore the connectivity.

10

Main Site
Missing detail.
Are you ever local on that satellite remote offices ( aka on any of the IP addresses there (static lease) when visiting). If so you would want to be able to have permissions access to reach other routers for config purposes etc…

  1. Added Interface list MGMT.

  2. You make the error of not completing the vlan setup. You need to remove any subnet hanging off the bridge, Lets call it vlan-bridge for now with an id of 11. It would seem from your config that this traffic only goes on ether5 and sfpplus1 :slight_smile:

  3. Adjusted /interface bridge port and /interface bridge vlan accordingly.

  4. Changed detect internet to none, known to be a problematic setting.

  5. Bridge not part of LAN list, only vlans…

  6. Adjusted interface list members

  7. Assumning wireguard settings are correct, allowed IPs are okay.

  8. If not using IPV6, set it to disable, remove all address lists and leave only two firewall rules
    add chain=input action=drop
    add chain=forward action=drop

  9. modifed tool setting for mac server winbox mac server.

  10. The biggie will be to review your firewall rules to ensure they permit the traffic necessary and clearly.
    For example is it only the admin that needs access to config other routers and perhaps view devices/servers or is it some user or some devices that need access from Router Main to R1, R2 or perhaps from R1 to RMain and R2, or R2 o R1 and RMain ???

The firewall address list of single subnets is mostly useless as you can detail a subnet as a src or dst address in firewall rules. Interface lists are better for defining two or more subnets with a purpose.
So first step is to redefine what is actually needed ( admin IP addresses mostly )
Keep chains together and order is important.

I tend to be more opened ended for traffic leaving wireguard and more sticky about FW rules when at the remote router arriving… so will adjust accordingly…

In summary, the forward chain rules allow you as admin (locally or coming in wireguard) to configure the main router and view all local subnets AS well as go out wireguard to the other routers.
Im assuming to all LAN users require internet access.

 2025-07-23 12:34:26 by RouterOS 7.19.3
# software id = 7EPL-Q814
#
# model = RB760iGS
# serial number = ***********
/interface bridge
add admin-mac=F4:1E:57:CE:58:F9 auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface wireguard
add listen-port=16226 mtu=1420 name=wireguard1
/interface vlan
add interface=ether1 name=vlan1 vlan-id=500
add interface=bridge name=vlan_Admin vlan-id=4
add interface=bridge name=vlan_External vlan-id=30
add interface=bridge name=vlan_Hexide vlan-id=14
add interface=bridge name=vlan-bridge vlan-id=11
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan1 name=pppoe-out1 \
    use-peer-dns=yes user=h***************************z
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.48.10-192.168.48.254
add name=adrPool_Admin ranges=10.89.4.10-10.89.4.29
add name=adrPool_Hexide ranges=10.89.14.10-10.89.14.254
add name=adrPool_External ranges=172.30.14.10-172.30.14.69
/ip dhcp-server
add address-pool=default-dhcp interface=vlan-bridge name=defconf
add address-pool=adrPool_Admin interface=vlan_Admin name=dhcp1
add address-pool=adrPool_External interface=vlan_External name=dhcp2
add address-pool=adrPool_Hexide interface=vlan_Hexide name=dhcp3
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=ether2 pvid=4
add bridge=bridge ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=ether3 pvid=14
add bridge=bridge ingress-filtering=yes frame-types=admit-only-priority-and-untaggedinterface=ether4 pvid=30
add bridge=bridge ingress-filtering=yes frame-types=admit-only-priority-and-untaggedinterface=ether5
pvid=11
add bridge=bridge ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=sfp1
pvid=11
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether4 vlan-ids=30
add bridge=bridge tagged=bridge untagged=ether3 vlan-ids=14
add bridge=bridge tagged=bridge untagged=ether2 vlan-ids=4
add bridge=bridge tagged=bridge untagged=ether5,sfpplus1  vlan-ids=11
/interface detect-internet
set detect-interface-list=none
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=vlan_Admin list=LAN
add interface=vlan-Hide list=LAN
add interface=vlan-External list=LAN
add interface=vlan-bridge list=LAN
add interface=wireguard1 list=LAN
add interface=vlan_Admin list=MGMT
add interface=wireguard1 list=MGMT
/interface wireguard peers
add allowed-address=10.2.12.3/32,10.89.3.0/24,10.89.13.0/24,172.30.13.0/24 \
    interface=wireguard1 name=HexideTRC public-key=\
    "0hmr***************************************="
add allowed-address=10.2.12.24/32 interface=wireguard1 name=Faiz_Samsung \
    public-key="5SQG****************************************"
add allowed-address=10.2.12.2/32,10.89.2.0/24,10.89.12.0/24,172.30.12.0/24 \
    interface=wireguard1 name=HexideKKIP public-key=\
    "+7QNp***************************************"
/ip address
add address=192.168.48.1/24 comment=defconf interface=vlan-bridge network=\
    192.168.48.0
add address=10.89.4.1/24 interface=vlan_Admin network=10.89.4.0
add address=10.89.14.1/24 interface=vlan_Hexide network=10.89.14.0
add address=172.30.14.1/24 interface=vlan_External network=172.30.14.0
add address=10.2.12.1/27 interface=wireguard1 network=10.2.12.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server network
add address=10.89.4.0/24 dns-server=10.89.4.1 gateway=10.89.4.1
add address=10.89.14.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=10.89.14.1
add address=172.30.14.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=172.30.14.1
add address=192.168.48.0/24 comment=defconf dns-server=192.168.48.1 gateway=\
    192.168.48.1
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=10.2.12.24 list=TRUSTED comment="admin laptop remote"
add address=10.89.4.0/24 list=TRUSTED comment="admin local subnet"
add address=10.89.2.0/24 list=TRUSTED comment"admin remote subnet R2"
add address=10.89.3.0/24 list=TRUSTED comment"admin remote subnet R3"
add address=10.89.14.0/24 list=Local-Being-Visited comment="remote hexide to local hexide"
add address=172.30.14.0/24 list=Local-Being-Visited comment="remote hexide to local external"
add address=10.89.12.0/24 list=WG_Hexide
add address=10.89.13.0/24 list=WG_Hexide
/ip firewall filter
{ default rules to keep }
add action=accept chain=input  connection-state=established,related,untracked
add action=drop chain=input  connection-state=invalid
add action=accept chain=input  protocol=icmp
add action=accept chain=input dst-address=127.0.0.1
 { admin rules }
add action=accept chain=input dst-port=16226 log=yes log-prefix=WG_Input protocol=udp
**add action=accept chain=input comment="admin access"  in-interface-list=MGMT src-address-list=TRUSTED**
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=tcp
add action=drop chain=input comment="drop all else"   { *place this rule here but make sure its the last rule you add to the config!! }* 
+++++++++++++++++++++++++++++++++++++++++++++++
{ default rules to keep }
add action=fasttrack-connection chain=forward connection-state=established,related 
add action=accept chain=forward  connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
{ admin rules }
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="admin access"  in-interface-list=MGMT src-address=TRUSTED out-interface-list=LAN
add action=accept chain=forward comment="Allow Remote Hexide to Local Subnets" 
   dst-address-list=Local-Being-Visited in-interface=wireguard1 src-address-list=WG_Hexide
add action=accept chain=forward comment="Allow Local Hexide To WG Hexide" \
    dst-address-list=WG_Hexide src-address=10.89.14.0/24
add action=accept chain=forward comment="wireguard relay for remote admin laptop"  in-interface=wireguard1 out-interface=wireguard1
add action=-drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add comment=WG_Admin_KKIP disabled=no dst-address=10.89.2.0/24 gateway=\
    wireguard1 routing-table=main suppress-hw-offload=no
add comment=WG_Hexide_KKIP disabled=no distance=1 dst-address=10.89.12.0/24 \
    gateway=wireguard1 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=WG_External_KKIP disabled=no distance=1 dst-address=\
    172.30.12.0/24 gateway=wireguard1 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment=WG_Admin_TRC disabled=no dst-address=10.89.3.0/24 gateway=\
    wireguard1 routing-table=main suppress-hw-offload=no
add comment=WG_Hexide_TRC disabled=no distance=1 dst-address=10.89.13.0/24 \
    gateway=wireguard1 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=WG_External_TRC disabled=no distance=1 dst-address=172.30.13.0/24 \
    gateway=wireguard1 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ipv6 firewall filter
add action=drop chain=input 
add action=drop chain=forward 
/system clock
set time-zone-name=Asia/Kuala_Lumpur
/system identity
set name=Hexide_Maragang
/system logging
add topics=wireguard
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
11

Offsite 1.
Before going to far into offsite1, something is amiss.

You dont mention any traffic to offsite2 from offsite1 according to the allowed peers in the wireguard settings.
You only identify the Main router 14 series, and nothing of the 13 series.

So can you clarify if there is any traffic between lan subnets on offsite1 and offsite2 >>>
Your firewall rules and address lists seem to indicate so, which landed me in a confused state.

12

Currently I wanted to get offsite 1 to be up and running first before setting up and testing offsite 2. I didn’t want to trouble myself with troubleshooting both at the same time hence why I have only been mentioning connectivity between offsite 1 and the main site.

However one all things are up and running, offsite 1 and offsite 2 will have traffic between them. Since offsite 1 and offsite 2 will utilize existing internet connectivity, the way I intend to set it up is that they will be connected via the main site (hub and spoke system). I understand this might not be the fastest way for offsite 1 and offsite 2 to communicate but I thought this would be the best way considering the situation. I am not sure if the main site could act as a relay server and have offsite 1 and offsite 2 be directly connected nor do I know how to set it up in such a case.

13

Yes I will be local at the remote sites either at offsite 1 or offsite 2. so yes I will be needing to access other routers for config purposes.

  1. understood
  2. yes, I am still not 100% confident with the vlan setup and was afraid I might lose connectivity to the router. Hence why I left the default bridge hanging at eth5. sfpplus1 is not intended to be use at all and was overlooked in config. But looking at the config you provided, I understand now the steps to complete the vlan setup
  3. understood
  4. I wasn’t aware of the detect internet to cause issue. Will have this changed
  5. understood (this relating back to point 2)
  6. understood
  7. noted
  8. yes IPV6 will not be used and should be disabled. noted on the two firewall rules
  9. understood
  10. Only the admins that needs access to config other routers and view devices/servers. Admin will have access to all subnets. Hexide users will have access to Hexide and External subnets. Externals only can communicate with external subnet.

I see, I think this is where my inexperience handling multiple subnets is showing. Thank you for this and showing the example in the config. Makes sense to me.

I am still going through the firewall changes that you have written, but I understand the approach that you are going.

If I were to disallow External subnet from having internet access how would I go about doing it? for the time being I am ok to allow all users to access the internet.

I will go through the firewall rules again, and will implement it. Will update back if this helped in getting the offsite and the main router connect. Thank you so much for your time on this. Really appreciate it

14

I’ve gone through the config you have sent anav, I think the firewall rules does not allow the local external vlan traffic to go through to the offsite locations, apart from that I think the rest should be ok to be implemented.

However currently I am offsite, and from what I see in the FW rules, there is a very high chance that I might be kickout of the router before all the changes can be properly implemented especially when changing LAN → MGMT and implementing FW rules for MGMT). If I run the whole command as a script file, I would expect that any existing config will be doubled up when the add command is used. Similarly, any changes would need to be done using the edit command? Would it be better to alter the config file for all “add” command to “edit” or would it be easiest to just reset the config and run the .rsc script altogether?

15

Yeah that could be tricky, so keep rules generic
Where interface list=MGMT ( neighbours discovery, tools winmac server, and firewall rules, still use LAN.

So in order, first, Create interface list entry, create interface list members, create firewall address lists etc…
Then when you change interface lists back to interface-list=MGMT, all the background pieces will be in place.
then modify rules…

I would not use large script I would simply open up winbox to make changes one at a time.
or modify if skilled in using NEW TERMINAL and command line.

16

As for as what the rules do ON THE MAIN ROUTER… forward chain!!!


{ admin rules }
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="admin access"  in-interface-list=MGMT src-address=TRUSTED out-interface-list=LAN
add action=accept chain=forward comment="Allow Remote Hexide to Local Subnets" 
   dst-address-list=Local-Being-Visited in-interface=wireguard1 src-address-list=WG_Hexide
add action=accept chain=forward comment="Allow Local Hexide To WG Hexide" \
    dst-address-list=WG_Hexide src-address=10.89.14.0/24  **out-interface=wireguard1**
add action=accept chain=forward comment="wireguard relay for remote admin laptop"  in-interface=wireguard1 out-interface=wireguard1
add action=-drop chain=forward comment="drop all else"

  1. Allows local subnets to go out local WAN for internet.

  2. Allows only users that are members of interface list=MGMT ( currently vlan-MGMT and wireguard1 )
    who are also identified on the firewall address list TRUSTED ( by ip address )
    to have FULL access to all interfaces identified as being part of LAN.

NOW as you expressed concern, until you properly identify a MGMT list and MGMT list members and firewall address list. Keep this rule more generic. and just state the LAN interface only…
But dont leave it that way for long.

  1. The third rule allows all remote hexide users (via wireguard) to access both local hexide and local external users.

  2. The fourth rule allows the local hexide users to access,(via wireguard) both remote hexide sites.
    I added the out-interface=wireguard1 to make it clearer.

  3. The fifth rule allows your remote wireguard laptop to connect to the main router and then go to any of the other two routers for whatever work is required.

  4. The last rule stops any other traffic from occurring.
    ++++++++++++++++++++++++++++++++++++++++

A. Your concern is that the local external set of users should possibly be not allowed to access internet.
If so modify the above internet rule to.

add action=accept chain=forward comment=“internet traffic” in-interface-list=LAN out-interface-list=WAN src-address=!172.30.14.0/24

B. Yes, no problem having offsite1 and offsite2 reach other securely over wirgeuard.
Can you confirm the following
a. RM hexide (originate traffic) to hexides off1/off2 ( DONE rule 4 )
b. offsite1/offsite2 hexide (originate traffic) to RM hexide and RM External ( DONE rule 3 )

What else needs to be known
c. Did you want RM hexide to reach offsite1/offsite2 externals??
d. Did you want offsite1 hexide to reach offsite2 hexide and external
e. Did you want offsite2 hexide to reach offsite1 hexide and external.

17

Hello anav,

I was able to make the changes to the router. Below is the latest config for the main site

/interface bridge
add admin-mac=F4:1E:57:CE:58:F9 auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface wireguard
add listen-port=16226 mtu=1420 name=wg_s2s
/interface vlan
add interface=ether1 name=vlan1 vlan-id=500
add interface=bridge name=vlan_Admin vlan-id=4
add interface=bridge name=vlan_External vlan-id=30
add interface=bridge name=vlan_Hexide vlan-id=14
add interface=bridge name=vlanbridge vlan-id=11
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan1 name=pppoe-out1 use-peer-dns=yes user=h*****************************
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.48.10-192.168.48.254
add name=adrPool_Admin ranges=10.89.4.10-10.89.4.29
add name=adrPool_Hexide ranges=10.89.14.10-10.89.14.254
add name=adrPool_External ranges=172.30.14.10-172.30.14.69
/ip dhcp-server
add address-pool=default-dhcp interface=vlanbridge name=defconf
add address-pool=adrPool_Admin interface=vlan_Admin name=dhcp1
add address-pool=adrPool_External interface=vlan_External name=dhcp2
add address-pool=adrPool_Hexide interface=vlan_Hexide name=dhcp3
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=4
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=14
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=30
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=11
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=sfp1 pvid=11
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether4 vlan-ids=30
add bridge=bridge tagged=bridge untagged=ether3 vlan-ids=14
add bridge=bridge tagged=bridge untagged=ether2 vlan-ids=4
add bridge=bridge tagged=bridge untagged=sfp1,ether5 vlan-ids=11
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=vlan_Admin list=LAN
add interface=wg_s2s list=LAN
add interface=vlan_Hexide list=LAN
add interface=vlanbridge list=LAN
add interface=vlan_External list=LAN
add interface=vlan_Admin list=MGMT
add interface=wg_s2s list=MGMT
/interface wireguard peers
add allowed-address=10.2.12.2/32,10.89.2.0/24,10.89.12.0/24,172.30.12.0/24 comment=KKIP interface=wg_s2s name=peer1 public-key="G**********************************************"
add allowed-address=10.2.12.25/32 comment=S24 interface=wg_s2s name=peer3 public-key="x**********************************************"
/ip address
add address=192.168.48.1/24 comment=defconf interface=vlanbridge network=192.168.48.0
add address=10.89.4.1/24 interface=vlan_Admin network=10.89.4.0
add address=10.89.14.1/24 interface=vlan_Hexide network=10.89.14.0
add address=172.30.14.1/24 interface=vlan_External network=172.30.14.0
add address=10.2.12.1/27 interface=wg_s2s network=10.2.12.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server network
add address=10.89.4.0/24 dns-server=10.89.4.1 gateway=10.89.4.1
add address=10.89.14.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=10.89.14.1
add address=172.30.14.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=172.30.14.1
add address=192.168.48.0/24 comment=defconf dns-server=192.168.48.1 gateway=192.168.48.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.48.1 comment=defconf name=router.lan type=A
/ip firewall address-list
add address=10.89.4.0/24 list=TRUSTED
add address=10.89.14.0/24 list=Local_BV
add address=172.30.14.0/24 list=Local_BV
add address=10.89.2.0/24 list=TRUSTED
add address=10.89.12.0/24 list=WG_Hexide
add address=172.30.12.0/24 list=WG_External
add address=10.89.3.0/24 list=TRUSTED
add address=10.89.13.0/24 list=WG_Hexide
add address=172.30.13.0/24 list=WG_External
add address=192.168.48.0/24 list=DefaultBridge
add address=10.2.12.25 list=TRUSTED
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="FW INPUT LIST -- Allow WG" dst-port=16226 log=yes log-prefix=WG_Input protocol=udp
add action=accept chain=input comment="admin access" in-interface-list=MGMT src-address-list=TRUSTED
add action=accept chain=input comment="users to services" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="users to services" dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="FW_FWD_LIST --internet_traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="admin access" in-interface-list=MGMT out-interface-list=LAN src-address-list=TRUSTED
add action=accept chain=forward comment="Allow Remote Hexide to Local Subnets" dst-address-list=Local_BV in-interface=wg_s2s src-address-list=WG_Hexide
add action=accept chain=forward comment="allow local Hexide to WG Hexide" dst-address-list=WG_Hexide src-address=10.89.14.0/24
add action=accept chain=forward comment="wireguard relay for remote admin" in-interface=wg_s2s out-interface=wg_s2s
add action=drop chain=forward comment="Drop All Else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip route
add comment=WG_Admin_KKIP disabled=no distance=1 dst-address=10.89.2.0/24 gateway=wg_s2s routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=WG_Hexide_KKIP disabled=no distance=1 dst-address=10.89.12.0/24 gateway=wg_s2s routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=WG_External_KKIP disabled=no distance=1 dst-address=172.30.12.0/24 gateway=wg_s2s routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=WG_Admin_TRC disabled=no distance=1 dst-address=10.89.3.0/24 gateway=wg_s2s routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=WG_Hexide_TRC disabled=no distance=1 dst-address=10.89.13.0/24 gateway=wg_s2s routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=WG_External_TRC disabled=no distance=1 dst-address=172.30.13.0/24 gateway=wg_s2s routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ipv6 firewall filter
add action=drop chain=input comment="defconf: drop invalid"
add action=drop chain=forward comment="defconf: drop invalid"
/system clock
set time-zone-name=Asia/Kuala_Lumpur
/system identity
set name=Hexide_Maragang
/system logging
add topics=wireguard
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
Updated since I found the issue

I am unable to ping from the main site mikrotik to the off site mikrotik router. It seems like they could still not establish any connection.

I have also tried to remove all previous wireguard interface and peers and recreated each one. I have also updated the public key information on the offsite 1 location and still I was not able to ping the two routers.

I am fairly certain it is the wireguard configuration that somehow amiss tho I do not know why it is or how to go about troubleshooting it.

It seems that I cannot have the same port set for both the main site router and the offsite router. I have now changed the offsite router wireguard Listen Port to be of a different value and presto the connection is established! I don’t know if this is a bug of the firmware of if its something I overlooked.

I am now in the process of checking the firewall rules and ensuring all related network subnets are able to communicate as required and to drop packets for cases where they should not be in communication.

18

Not sure what you mean. Assuming the Main router is the server for wireguard, the only thing that matters is that the listening port on the MAIN router (set in the interface settings), is also identified as the incoming port on the main router input chain rule ( to allow incoming wireguard requests) , and also as the endpoint port on any remote devices ( routers or other devices ).

On the remote sites, there are no ports identified for wireguard in the input chain and the interface itself could have the same port but I alwasy make it different just because its a different device and I prefer to have different settings when possible.

Otherwise config looks okay, you should be good to remove the old config lines you have kept.
Would need to see the other config in any case ( remotesite1 ) if I was to comment more completely.

Is everything works as required thus far??

19

I thought the same too, and have previously set up my personal hotspot mikrotik to use the same port. Hence why it did not occur to me to change the client incoming port to a different value. But nonetheless once it was changed I gained connectivity. If the ports were the same number, they would not connect. In any case, will probably just assign a different number moving forward.

So far I have added some more forwarding rules to allow for Hexide clients to access local Hexide and local External subnets. The only issue remaining now, is that I am only able to access the main router via winbox remotely, but not the offsite router. I have tried using the wireguard address of the offsite router (10.2.12.2), the admin subnet address (10.89.2.1).

Below is the update main site config (mostly unchanged - added a 2nd wg device, renamed the wireguard interface to wg_s2s)

/interface bridge
add admin-mac=F4:1E:57:CE:58:F9 auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface wireguard
add listen-port=16226 mtu=1420 name=wg_s2s
/interface vlan
add interface=ether1 name=vlan1 vlan-id=500
add interface=bridge name=vlan_Admin vlan-id=4
add interface=bridge name=vlan_External vlan-id=30
add interface=bridge name=vlan_Hexide vlan-id=14
add interface=bridge name=vlanbridge vlan-id=11
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan1 name=pppoe-out1  use-peer-dns=yes \
    user=h**************************
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.48.10-192.168.48.254
add name=adrPool_Admin ranges=10.89.4.10-10.89.4.29
add name=adrPool_Hexide ranges=10.89.14.10-10.89.14.254
add name=adrPool_External ranges=172.30.14.10-172.30.14.69
/ip dhcp-server
add address-pool=default-dhcp interface=vlanbridge name=defconf
add address-pool=adrPool_Admin interface=vlan_Admin name=dhcp1
add address-pool=adrPool_External interface=vlan_External name=dhcp2
add address-pool=adrPool_Hexide interface=vlan_Hexide name=dhcp3
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether2 pvid=4
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 pvid=14
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 pvid=30
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether5 pvid=11
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=sfp1 pvid=11
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether4 vlan-ids=30
add bridge=bridge tagged=bridge untagged=ether3 vlan-ids=14
add bridge=bridge tagged=bridge untagged=ether2 vlan-ids=4
add bridge=bridge comment=vlan11_bridge tagged=bridge untagged=sfp1,ether5 \
    vlan-ids=11
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=vlan_Admin list=LAN
add interface=wg_s2s list=LAN
add interface=vlan_Hexide list=LAN
add interface=vlanbridge list=LAN
add interface=vlan_External list=LAN
add interface=vlan_Admin list=MGMT
add interface=wg_s2s list=MGMT
/interface wireguard peers
add allowed-address=10.89.2.0/24,10.89.12.0/24,172.30.12.0/24,10.2.12.2/32 \
    comment=KKIP interface=wg_s2s name=peer1 public-key="Gh*****************************************="
add allowed-address=10.2.12.25/32 comment=S24 interface=wg_s2s name=peer3 \
    public-key="xh*****************************************="
add allowed-address=10.2.12.24/32 comment="Faiz Laptop" interface=wg_s2s \
    name=HexideLaptop public-key="iB*****************************************="
/ip address
add address=192.168.48.1/24 comment=defconf interface=vlanbridge network=192.168.48.0
add address=10.89.4.1/24 interface=vlan_Admin network=10.89.4.0
add address=10.89.14.1/24 interface=vlan_Hexide network=10.89.14.0
add address=172.30.14.1/24 interface=vlan_External network=172.30.14.0
add address=10.2.12.1/27 interface=wg_s2s network=10.2.12.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server network
add address=10.89.4.0/24 dns-server=10.89.4.1 gateway=10.89.4.1
add address=10.89.14.0/24 dns-server=10.89.12.30 gateway=10.89.14.1
add address=172.30.14.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=172.30.14.1
add address=192.168.48.0/24 comment=defconf dns-server=192.168.48.1 gateway=192.168.48.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.48.1 comment=defconf name=router.lan type=A
/ip firewall address-list
add address=10.89.4.0/24 list=TRUSTED
add address=10.89.14.0/24 list=Local_BV
add address=172.30.14.0/24 list=Local_BV
add address=10.89.2.0/24 list=TRUSTED
add address=10.89.12.0/24 list=WG_Hexide
add address=172.30.12.0/24 list=WG_External
add address=10.89.3.0/24 list=TRUSTED
add address=10.89.13.0/24 list=WG_Hexide
add address=172.30.13.0/24 list=WG_External
add address=192.168.48.0/24 list=DefaultBridge
add address=10.2.12.25 list=TRUSTED
add address=10.2.12.24 list=TRUSTED
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="FW INPUT LIST -- Allow WG" dst-port=\
    16226 log=yes log-prefix=WG_Input protocol=udp
add action=accept chain=input comment="admin access" in-interface-list=MGMT \
    src-address-list=TRUSTED
add action=accept chain=input comment="users to services" dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment="users to services" dst-port=53 \
    in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="FW_FWD_LIST --internet_traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="admin access" in-interface-list=MGMT \
    out-interface-list=LAN src-address-list=TRUSTED
add action=accept chain=forward comment=\
    "Allow Remote Hexide to Local Subnets" dst-address-list=Local_BV \
    in-interface=wg_s2s src-address-list=WG_Hexide
add action=accept chain=forward comment="allow local Hexide to Local Subnets" \
    dst-address-list=Local_BV src-address=10.89.14.0/24
add action=accept chain=forward comment="allow local Hexide to WG Hexide" \
    dst-address-list=WG_Hexide src-address=10.89.14.0/24
add action=accept chain=forward comment="allow local Hexide to WG External" \
    dst-address-list=WG_External src-address=10.89.14.0/24
add action=accept chain=forward comment=\
    "allow local External to WG External ##" dst-address-list=WG_External \
    src-address=172.30.14.0/24
add action=accept chain=forward comment="wireguard relay for remote admin" \
    in-interface=wg_s2s out-interface=wg_s2s
add action=drop chain=forward comment="Drop All Else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add comment=WG_Admin_KKIP disabled=no distance=1 dst-address=10.89.2.0/24 \
    gateway=wg_s2s routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=WG_Hexide_KKIP disabled=no distance=1 dst-address=10.89.12.0/24 \
    gateway=wg_s2s routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=WG_External_KKIP disabled=no distance=1 dst-address=\
    172.30.12.0/24 gateway=wg_s2s routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment=WG_Admin_TRC disabled=no distance=1 dst-address=10.89.3.0/24 \
    gateway=wg_s2s routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=WG_Hexide_TRC disabled=no distance=1 dst-address=10.89.13.0/24 \
    gateway=wg_s2s routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=WG_External_TRC disabled=no distance=1 dst-address=172.30.13.0/24 \
    gateway=wg_s2s routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ipv6 firewall filter
add action=drop chain=input comment="defconf: drop invalid"
add action=drop chain=forward comment="defconf: drop invalid"
/system clock
set time-zone-name=Asia/Kuala_Lumpur
/system identity
set name=Hexide_Maragang
/system logging
add topics=wireguard
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MGMT

The offsite config is as below:

/interface bridge
add admin-mac=F4:1E:57:CE:59:39 auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface wireguard
add listen-port=16122 mtu=1420 name=wireguard1
/interface vlan
add interface=bridge name=vlan_Admin vlan-id=2
add interface=bridge name=vlan_External vlan-id=30
add interface=bridge name=vlan_Hexide vlan-id=12
add interface=bridge name=vlanbridge vlan-id=11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.28.10-192.168.28.254
add name=adrPool_Admin ranges=10.89.2.10-10.89.2.29
add name=adrPool_Hexide ranges=10.89.12.10-10.89.12.254
add name=adrPool_External ranges=172.30.12.10-172.30.12.69
/ip dhcp-server
add address-pool=default-dhcp interface=vlanbridge name=defconf
add address-pool=adrPool_Admin interface=vlan_Admin name=dhcp1
add address-pool=adrPool_External interface=vlan_External name=dhcp2
add address-pool=adrPool_Hexide interface=vlan_Hexide name=dhcp3
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether2 pvid=2
add bridge=bridge comment=defconf interface=ether3 pvid=12
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 pvid=30
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether5 pvid=11
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=sfp1 pvid=11
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge comment="Admin VLAN" tagged=bridge untagged=ether2 \
    vlan-ids=2
add bridge=bridge comment="To Server, untagged Hexide, Tagged External" \
    tagged=bridge,ether3 untagged=ether4 vlan-ids=30
add bridge=bridge comment="Hexide VLAN" tagged=bridge untagged=ether3 \
    vlan-ids=12
add bridge=bridge comment=bridgeVLAN tagged=bridge untagged=ether5,sfp1 \
    vlan-ids=11
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=vlan_Admin list=LAN
add interface=wireguard1 list=LAN
add interface=vlan_Hexide list=LAN
add interface=vlanbridge list=LAN
add interface=vlan_External list=LAN
add interface=vlan_Admin list=MGMT
add interface=wireguard1 list=MGMT
/interface wireguard peers
add allowed-address=10.89.4.0/24,10.89.14.0/24,172.30.14.0/24,10.2.12.1/32 \
    endpoint-address=h*************.mynetname.net endpoint-port=16226 \
    interface=wireguard1 name=maragang public-key=\
    "xk*****************************************="
/ip address
add address=192.168.28.1/24 comment=defconf interface=vlanbridge network=\
    192.168.28.0
add address=10.89.2.1/24 interface=vlan_Admin network=10.89.2.0
add address=10.89.12.1/24 interface=vlan_Hexide network=10.89.12.0
add address=172.30.12.1/24 interface=vlan_External network=172.30.12.0
add address=10.2.12.2/27 interface=wireguard1 network=10.2.12.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server lease
add address=172.30.12.68 client-id=1:0:00:00:00:00:00 comment=\
    "Face ID Hardware" mac-address=00:00:00:00:00:00 server=dhcp2
add address=172.30.12.89 client-id=1:0:00:00:00:00:00 comment=\
    "Face ID Server" mac-address=00:00:00:00:00:00 server=dhcp2
/ip dhcp-server network
add address=10.89.2.0/24 dns-server=192.168.28.1 gateway=10.89.2.1
add address=10.89.12.0/24 dns-server=10.89.12.30 gateway=10.89.12.1
add address=172.30.12.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=172.30.12.1
add address=192.168.28.0/24 comment=defconf dns-server=192.168.28.1 gateway=\
    192.168.28.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.28.1 comment=defconf name=router.lan type=A
/ip firewall address-list
add address=10.89.2.0/24 list=TRUSTED
add address=10.89.12.0/24 list=Local_BV
add address=172.30.12.0/24 list=Local_BV
add address=10.89.4.0/24 list=TRUSTED
add address=10.89.14.0/24 list=WG_Hexide
add address=172.30.14.0/24 list=WG_External
add address=10.89.3.0/24 list=TRUSTED
add address=10.89.13.0/24 list=WG_Hexide
add address=172.30.13.0/24 list=WG_External
add address=192.168.28.0/24 list=DefaultBridge
add address=10.2.12.24 list=TRUSTED
add address=10.2.12.25 list=TRUSTED
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="admin access" in-interface-list=MGMT \
    src-address-list=TRUSTED
add action=accept chain=input comment="users to services" dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment="users to services" dst-port=53 \
    in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="temporary until able to access from WG connection, to replace with drop all" \
    in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="## FW FWD LIST: Internet Traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="admin access" in-interface-list=MGMT \
    out-interface-list=LAN src-address-list=TRUSTED
add action=accept chain=forward comment=\
    "Allow remote Hexide to Local Subnets" dst-address-list=Local_BV \
    in-interface=wireguard1 src-address-list=WG_Hexide
add action=accept chain=forward comment="Allow local Hexide to Local Subnets" \
    dst-address-list=Local_BV src-address=10.89.12.0/24
add action=accept chain=forward comment="Allow local hexide to WG Hexide" \
    dst-address-list=WG_Hexide src-address=10.89.12.0/24
add action=accept chain=forward comment="Allow local hexide to WG External" \
    dst-address-list=WG_External src-address=10.89.12.0/24
add action=accept chain=forward comment="Allow local external to WG external" \
    dst-address-list=WG_External src-address=172.30.12.0/24
add action=accept chain=forward comment=\
    "wireguard relay for remote admin laptop" in-interface=wireguard1 \
    out-interface=wireguard1
add action=drop chain=forward comment="Drop All Else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add comment=WG_Admin_Maragang disabled=no distance=1 dst-address=10.89.4.0/24 \
    gateway=wireguard1 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=WG_Hexide_Maragang disabled=no distance=1 dst-address=\
    10.89.14.0/24 gateway=wireguard1 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment=WG_Admin_TRC disabled=no distance=1 dst-address=10.89.3.0/24 \
    gateway=wireguard1 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=WG_Hexide_TRC disabled=no distance=1 dst-address=10.89.13.0/24 \
    gateway=wireguard1 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=WG_External_TRC disabled=no distance=1 dst-address=172.30.13.0/24 \
    gateway=wireguard1 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=WG_External_Maragang disabled=no distance=1 dst-address=\
    172.30.14.0/24 gateway=wireguard1 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
/ipv6 firewall filter
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN"
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN"
/system clock
set time-zone-name=Asia/Kuala_Lumpur
/system identity
set name=Hexide_KKIP
/system logging
add topics=wireguard
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN