WireGuard on MikroTik: How to access full LAN resources and route Internet traffic

I have a MikroTik router acting as a WireGuard server.

From the Internet, I can successfully connect to the MikroTik via WireGuard. The tunnel comes up correctly, and all my traffic is routed through the MikroTik; when connected, my public IP address is the MikroTik’s WAN IP.

What I want to achieve is:

  1. Full access to all internal LAN resources behind the MikroTik.
  2. Continue routing Internet traffic through the MikroTik while connected.

What is the recommended MikroTik WireGuard configuration (routing, firewall, and NAT) to allow a remote WireGuard client to access the entire internal LAN behind the router, and use the MikroTik as a full-tunnel Internet gateway?

Any configuration examples or best-practice guidance would be appreciated.

# 2026-02-06 12:18:42 by RouterOS 7.17.2

/interface bridge
add name=bridge1 port-cost-mode=short
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name=aa supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n channel-width=20/40mhz-XX \
    country=slovenia disabled=no installation=indoor mode=ap-bridge name=\
    wlan2_4 security-profile=aa ssid=aa2_4 wireless-protocol=\
    802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country=uk disabled=no installation=indoor mode=\
    ap-bridge name=wlan5 security-profile=aa ssid=aa5 \
    wireless-protocol=802.11
/ip pool
add name=dhcp_pool1 ranges=192.168.1.2-192.168.1.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=bridge1 lease-time=10m name=dhcp1
/ip smb users
set [ find default=yes ] disabled=yes
/zerotier
set zt1 disabled=no disabled=no
/zerotier interface
add allow-default=no allow-global=no allow-managed=no disabled=no instance=\
    zt1 name=zerotier1 network=aaa1015
/interface bridge port
add bridge=bridge1   \
    ingress-filtering=no interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge1 ingress-filtering=no interface=wlan2_4 internal-path-cost=\
    10 path-cost=10
add bridge=bridge1 ingress-filtering=no interface=wlan5 internal-path-cost=10 \
    path-cost=10
add bridge=bridge1   \
    ingress-filtering=no interface=ether5 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
add interface=zerotier1 list=LAN
/interface ovpn-server server
add auth=sha1,md5 mac-address=FE:39:7D:57:F1:B9 name=ovpn-server1
/interface wireguard peers
add allowed-address=192.168.1.200/32,192.168.1.1/24,192.168.1.0/24 interface=\
    wireguard1 name=peer2 persistent-keepalive=25s public-key=\
    "aa="
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
add address=192.168.1.20 disabled=yes interface=bridge1 network=192.168.1.20
add address=10.147.19.0/24 comment="Zerotier IP adresses" interface=\
    zerotier1 network=10.147.19.0
/ip dhcp-client
add interface=ether1 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.1.110 client-id=1:70:85:c2:f4:d2:e1 mac-address=\
    70:85:C2:F4:D2:E1 server=dhcp1
add address=192.168.1.99 client-id=1:c4:ad:34:50:c4:21 comment=\
    "T2 Mikrotik router" mac-address=C4:AD:34:50:C4:21 \
    server=dhcp1
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1
/ip dns
set servers=11.111.1.1,11.111.1.77
/ip firewall address-list
add address=0.0.0.0/8 list=BOGONS
add address=10.0.0.0/8 list=BOGONS
add address=100.64.0.0/10 list=BOGONS
add address=127.0.0.0/8 list=BOGONS
add address=169.254.0.0/16 list=BOGONS
add address=172.16.0.0/12 list=BOGONS
add address=192.0.0.0/24 list=BOGONS
add address=192.0.2.0/24 list=BOGONS
add address=192.168.0.0/16 list=BOGONS
add address=198.18.0.0/15 list=BOGONS
add address=198.51.100.0/24 list=BOGONS
add address=203.0.113.0/24 list=BOGONS
add address=192.168.1.2-192.168.1.254 list=allowed_to_router
add address=224.0.0.0/4 comment=Multicast list=BOGONS
add address=240.0.0.0/4 comment=RFC6890 list=BOGONS
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    BOGONS
/ip firewall filter
add action=accept chain=forward in-interface=zerotier1
add action=accept chain=input in-interface=zerotier1
add action=accept chain=forward comment="Allow Zerotier --> LAN" disabled=yes \
    dst-address=192.168.1.0/24 in-interface=zerotier1 out-interface=bridge1 \
    src-address=10.147.19.0/24
add action=accept chain=forward comment=\
    "Allow LAN -> Zerotier (return traffic)" disabled=yes dst-address=\
    10.147.19.0/24 in-interface=bridge1 out-interface=zerotier1 src-address=\
    192.168.1.0/24
add action=accept chain=forward disabled=yes dst-address=172.16.10.0/24 \
    src-address=192.168.1.200
add action=accept chain=forward disabled=yes dst-address=192.168.1.200 \
    src-address=172.16.10.0/24
add action=accept chain=forward disabled=yes dst-port=13231 protocol=udp
add action=drop chain=input disabled=yes src-address=110.137.101.106
add action=accept chain=input comment=\
    "enable rule to allow connection to and from router" connection-state=\
    established,related
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=input comment="input established related accept" \
    connection-state=established,related
add action=accept chain=input protocol=icmp
add action=accept chain=input comment=\
    "input accept src-address-list=allowed_to_router" src-address-list=\
    allowed_to_router
add action=drop chain=input comment="input ether1 bogons drop" in-interface=\
    ether1 src-address-list=BOGONS
add action=drop chain=input comment="input invalid drop" connection-state=\
    invalid
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid log-prefix=invalid
add action=drop chain=forward comment=\
    "Drop incoming packets that are not NATted" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1 log-prefix=!NAT
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" in-interface=ether1 \
    log-prefix=!public src-address-list=BOGONS
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat comment=\
    " ." disabled=yes dst-address=\
    77.38.64.11 dst-port=21 log=yes protocol=tcp src-address=91.185.213.139 \
    to-addresses=192.168.1.240 to-ports=21
add action=dst-nat chain=dstnat disabled=yes dst-address=77.38.64.11 \
    dst-port=443 protocol=tcp to-addresses=192.168.1.50 to-ports=443
add action=dst-nat chain=dstnat disabled=yes dst-address=77.38.64.11 \
    dst-port=80 protocol=tcp to-addresses=192.168.1.50 to-ports=80
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.1.50 \
    out-interface=bridge1 protocol=tcp src-address=192.168.1.0/24
/ip firewall service-port
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add disabled=no distance=1 dst-address=192.168.1.200/32 gateway=wireguard1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ip service
set telnet address=192.168.1.0/24 disabled=yes
set ftp disabled=yes port=33
set www disabled=yes
set ssh address=192.168.1.0/24 disabled=yes
set api disabled=yes
set winbox address=192.168.1.0/24
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/ip ssh
set strong-crypto=yes
/system identity
set name="MikroTik"
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=si.pool.ntp.org
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no

Not sure if this is the best approach, and it’s certainly not the only one, but this is how I have my router set up for what you’re doing.

First, my peers each only have their own single IP/32 as “allowed-address”. Keep in mind that for the Wireguard peer, this allowed-address setting is only specifying what traffic your router will send on this path. In my case it’s a road warrior setup (clients connecting to the router) not site-to-site (routers connecting to the router). If you’re doing site-to-site then you do want other network addresses here.

Put the Wireguard interface in the LAN interface list so the firewall treats it the same as the local bridge traffic.

/interface list member
add interface=wireguard1 list=LAN-list

This is what I have in the firewall. First the input rule, which I have placed after the drop-invalid rule in that chain. This allows the Wireguard client traffic to the router. You have a similar rule in the forward chain, which I don’t think is correct.

/ip firewall filter
add action=accept chain=input comment="accept Wireguard connections" dst-port=51820 protocol=udp

Then the forward chain rules. These rules permit the traffic inside the Wireguard tunnel to and from the local LAN. My setup is to specify only the allowed traffic types and drop all else, so I am explicitly allowing in each direction.

/ip firewall filter
add action=accept chain=forward comment="wireguard out" in-interface-list=LAN-list out-interface=wireguard1
add action=accept chain=forward comment="wireguard in" in-interface=wireguard1 out-interface-list=LAN-list

These entries are just above my port forwards and the drop-all-else rule. So it’s near the end of the forward chain.

I don’t have anything set for /ip route. The firewall rules are enough. It looks like you have a mix of various rules. You might want to start from a clean default firewall configuration before you fix the Wireguard part.
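As an added example (not from the original thread or from MikroTik), a small Python checker that parses a RouterOS /export and flags the three points the answer raises: peer allowed-address entries wider than a single /32 (assuming a road-warrior setup), an accept rule for the WireGuard listen port that is not an enabled input-chain rule, and a WireGuard interface that sits in no interface list. The trimmed sample export, the function names and the finding messages are constructed here; the parser assumes the backslash line-continuation format seen in the export above.

```python
import re
SAMPLE_EXPORT = """\
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list member
add interface=bridge1 list=LAN
/interface wireguard peers
add allowed-address=192.168.1.200/32,192.168.1.1/24,192.168.1.0/24 interface=\\
    wireguard1 name=peer2 persistent-keepalive=25s public-key="aa="
/ip firewall filter
add action=accept chain=forward disabled=yes dst-port=13231 protocol=udp
"""  # constructed sample shaped like the export posted above, not the full config
KV = re.compile(r'(\S+?)=("[^"]*"|\S*)')  # key=value pairs; a value may be quoted

def parse_export(text):
    """Return [(section, {key: value})] per 'add' line, joining the '\\' continuations /export emits."""
    section, entries, buf = "", [], ""
    for raw in text.splitlines():
        line = raw.lstrip() if buf else raw  # a continuation line: drop its indent
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        line, buf = buf + line, ""
        if line.startswith("/"):
            section = line.strip()
        elif line.startswith("add "):
            entries.append((section, {k: v.strip('"') for k, v in KV.findall(line[4:])}))
    return entries

def check_wireguard(text):
    """Flag the three points the answer raises, assuming a road-warrior (not site-to-site) setup."""
    entries, findings = parse_export(text), []
    wg = {e["name"]: e.get("listen-port") for s, e in entries if s == "/interface wireguard"}
    listed = {e["interface"] for s, e in entries if s == "/interface list member"}
    # 1. the WireGuard interface should be in an interface list (the answer uses its LAN list)
    findings += [f"{n}: in no interface list" for n in wg if n not in listed]
    # 2. each road-warrior peer should carry only its own /32 in allowed-address
    findings += [f"peer {e.get('name')}: allowed-address {c} wider than /32"
                 for s, e in entries if s == "/interface wireguard peers"
                 for c in e.get("allowed-address", "").split(",") if not c.endswith("/32")]
    # 3. the UDP accept for the listen port belongs in the input chain, not forward
    input_ok = False
    for s, e in entries:
        if s == "/ip firewall filter" and e.get("protocol") == "udp" and e.get("dst-port") in wg.values():
            if e.get("chain") == "input" and e.get("disabled") != "yes":
                input_ok = True
            else:
                findings.append(f"listen-port {e['dst-port']} rule is chain={e.get('chain')}, disabled={e.get('disabled', 'no')}; needs an enabled input rule")
    if not input_ok:
        findings.append("no enabled input-chain accept for the WireGuard listen port")
    return findings
```

Run it against a real /export (`/export file=...` then copy the text in) to see which of the three points still apply after you restructure the firewall.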