Hello everyone, I'm new to the MikroTik environment and I would be happy if someone could help me.
I have bought an SXT LTE6 Kit for my mother's house and I would like to connect to it from my PC/mobile using a WireGuard VPN, but unfortunately I think that I made some mistakes or am missing something.
The problem is simple: it doesn't work... when I try to connect from my PC (over the LAN router) the handshake still doesn't work:
and in the log:
I have tried some suggestions from the channel but I haven't found a solution.
Apologies for my little knowledge.
Thanks a lot!
Have a nice rest of the day.
myconf_20250302.rsc (6.49 KB)
SXT LTE usually means CGNAT.
So you cannot connect TO it.
But the device can go out. So you need some externally accessible device to act as a pivot point.
Then, when the connection has been made, you can use the tunnel to get back to that SXT.
Comments:
- Set this to none, it is known to cause issues.
/interface detect-internet
set detect-interface-list=all

- Since you note on your WireGuard peer DNS of 8.8.8.8 and 1.1.1.1, it might be a good idea to add on the router:
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1

- The other DNS entry you have on the devices is 192.168.100.1, which matches NOTHING on the router.
Suggest you change this on your device to:
DNS Servers: 192.168.188.1,8.8.8.8,1.1.1.1

- Add wireguard to your LAN interface list, as the LAN already has access to the router input chain etc...
/interface list member
add comment=defconf interface=lte1 list=WAN
add comment=defconf interface=bridge list=LAN
add interface=wireguard1 list=LAN

- Thus the firewall rules can be simplified; pay attention to the order of the rules.
/ip firewall filter
{default rules to keep}
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
(admin rules)
add action=accept chain=input comment="allow LAN to router" in-interface-list=LAN
add action=drop chain=input comment="drop all else" { insert this rule here, last of all rules }
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
{default rules to keep}
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
(admin rules)
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="WG to LAN" in-interface=wireguard1 dst-address=192.168.188.0/24
add action=drop chain=forward comment="drop all else"
As per the previous poster, WireGuard will not be possible if
a. you do not get a public IP address at the MT device, or
b. the upstream router (ISP device) cannot forward a port to the MT device (this also assumes the ISP device gets a public IP).
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Solutions if you don't have a public IP:
- buy a CHR license and rent a cloud server for about $8 a month
- find a friend with a MikroTik device and a public IP who is willing to share his connection
- depending on what router you have, you can possibly use the BTH WireGuard VPN, which MikroTik provides in case one has no public IP.
It's a bit more work, but suits your needs just fine.
Sadly the SXT LTE does not fit the bill. Consider possibly getting a hEX refresh, about $60, and this will be able to host the BTH VPN for you.
You can simply pass on the LTE connection to the hEX, let the hEX terminate the LTE connection and let the hEX be the router.
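As an added illustration of the rule-order point above (example code, not from this thread or from MikroTik): a small Python checker that parses a RouterOS export and flags a chain whose final rule is not an unconditional drop, a catch-all drop placed before other rules (which would never match), and a missing wireguard1 membership in the LAN list. The .rsc excerpt embedded in it is constructed for the example, not the poster's uploaded myconf file.

```python
import re
import shlex
# Constructed excerpt of a RouterOS export (not the poster's real myconf file).
SAMPLE_RSC = r"""
/interface list member
add comment=defconf interface=lte1 list=WAN
add comment=defconf interface=bridge list=LAN
add interface=wireguard1 list=LAN
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="allow LAN to router" in-interface-list=LAN
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment="WG to LAN" in-interface=wireguard1 dst-address=192.168.188.0/24
add action=drop chain=forward comment="drop all else"
"""

def parse_rsc(text):
    """Map each menu path to its 'add' entries as dicts; shlex keeps quoted comments whole."""
    menus, current = {}, None
    for line in re.sub(r"\\\n\s*", " ", text).splitlines():  # join '\' continuation lines
        line = line.strip()
        if line.startswith("/"):
            current = menus.setdefault(line, [])
        elif line.startswith("add ") and current is not None:
            current.append(dict(t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t))
    return menus

# Keys that do not narrow what a rule matches; any other key is a match condition.
NON_MATCHERS = {"action", "chain", "comment", "disabled", "log", "log-prefix"}

def is_catch_all(rule):
    """True for an unconditional drop, the rule that must come last in its chain."""
    return rule.get("action") == "drop" and not (set(rule) - NON_MATCHERS)

def audit(text):
    """Return a list of findings; an empty list means the export passes every check."""
    menus, findings = parse_rsc(text), []
    members = {(m.get("interface"), m.get("list")) for m in menus.get("/interface list member", [])}
    if ("wireguard1", "LAN") not in members:
        findings.append("wireguard1 is not a member of interface list LAN")
    for chain in ("input", "forward"):
        rules = [r for r in menus.get("/ip firewall filter", []) if r.get("chain") == chain]
        if not rules or not is_catch_all(rules[-1]):
            findings.append(f"{chain}: last rule is not an unconditional drop")
        for i, r in enumerate(rules[:-1]):
            if is_catch_all(r):
                findings.append(f"{chain}: rule {i + 1} drops everything, later rules never match")
    return findings
```

Run `audit()` over the text of a real `/export` to get the same findings for your own config; the "drop invalid" rule is not flagged because its connection-state key makes it a conditional drop.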
Ok, first of all, I want to thank you all for the suggestions; I will try to follow them next weekend (as I explained, the router is in my mother's house, which I visit on the weekend). Thank you again!!
Hi Anav, sorry but I don't understand your last suggestion: "You can simply pass on the LTE connection to the hex and let the hex terminate the LTE connection and let the hex be the router."
You mean that if I buy a hEX router and connect it to the SXT via a LAN port, I can configure and use the hEX with WireGuard without any problem?
About the public IP, you are right, I don't have one, but if I have understood well I can use DDNS (like duckdns), is that right?
You can use MikroTik Back-To-Home (BTH) via the iPhone BTH app or the Windows/macOS WireGuard client, as you have shown.
If you find the response too slow, you can try another method using a public IP server. Please take a look at the following site:
http://forum.mikrotik.com/t/private-ip-can-be-accessed-by-public-ip-via-wireguard/182225/1
@yhfung Can you please stop spamming threads with your junk posts.
@alone. Sadly I'm not an SXT LTE expert, but I have read that one can use a passthrough mode to pass on your NON-public IP connection to a router etc...
Even if you didn't, you could still use the SXT's private LAN output as WAN input on the hEX and then use the hEX as your router; another good option that would allow you to use BTH.
So either way the hEX refresh is a good option.
Once you have the hEX, another option is ZeroTier, which is more complex but gets around not having a public IP.
So do not despair, we will get you to a useful setup!
@anav sounds good!! So in this case I will buy this hEX router https://mikrotik.com/product/hex_2024 and I will disturb the "forum" to help me with the configuration. Thanks a lot!
I'm maybe not following... I have for years used an SXT LTE with WireGuard to my home network (it was the main reason I upgraded that SXT to ROS7 at the time, to be able to use WireGuard).
You just need a publicly reachable IP address on one end.
It doesn't even have to be static (but it makes it easier if it is).
Obviously, if there is no publicly reachable IP address, then you need something to get ZeroTier or Back To Home or... whatever, running.
The SXT will simply be a gateway to that device then.
Holvoe, bang on.
(Can set up a live session sometime so I can look at your SXT and understand what can and can't be done.)
If the SXT receives a public IP (may have to ask the provider to do so???)
then one can use WireGuard on the SXT.
However, if it only gets a private IP, it does not meet the requirements to use BTH (not ARM etc.).
In this case something like the hEX refresh, relatively cheap, can be put in place after the SXT to allow for BTH.
Wow, I think that I found the gurus of the MikroTik environment!!
I would be very grateful if someone found a solution for my problem. The solution would help me and my mother (she is 90 years old) to solve a lot of problems in her house. I'm waiting for the best ideas and solutions. Thanks
I am always up for helping someone help their mother…
+1 for passthrough mode.
I use an SXT LTE6 kit as a modem only (I've only added the bands I require), but the SXT is in passthrough otherwise. I've then connected that to a hAP ac lite, which then does all the routing and WiFi connectivity. It seems to work very well for my purposes.
To put it in passthrough, you first need to factory reset the device with NO default config. Then reboot. Once rebooted:
/interface lte
set [ find default-name=lte1 ] allow-roaming=no network-mode=\
lte
/interface lte apn
set [ find default=yes ] comment="Passthrough" \
passthrough-interface=bridge1 passthrough-mac=auto \
passthrough-subnet-size=32
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
Just bear in mind that once in passthrough you cannot update either the modem or ROS the conventional way, due to a lack of DNS. You can manually apply ROS updates, but not for the modem itself. That requires another factory reset, but this time with a default config, and then applying the modem update; then ROS through the packages menu + firmware. Once done, reset again with no config and restore passthrough mode. Honestly, modem updates don't come through often and not every modem requires the update.
Personally, given the setup is to be managed remotely, I would not use passthrough mode. But that's me.
Factory reset etc. to get updates done..??
I never had a problem using the SXT in normal router mode. And I could update ROS and/or modem FW even from 930 km away.
I agree with holvoe, with a slight difference.
Get the SXT to terminate the LTE connection.
Then, assuming it's like a router, have one flat subnet; one of the LAN IPs on that subnet, connected by ether port to a new hEX refresh, is also the WAN IP of the hEX refresh.
Through firewall rules on the hEX and a BTH connection, the admin can reach the hEX and configure the hEX and the SXT.
This is the direction I recommend.
So one would need some minimal setup on the SXT (assuming it comes with default rules, which are pretty much good to go for a basic terminate-and-leave-it deal) and a regular router setup on the hEX refresh to make it all happen.
I would ensure I wire both ports from the SXT to inside the house, in case of any issue with ether1 on the device, as backup.
Also consider surge protection at both ends: at the SXT (outside) and inside just before the hEX.
Hi, a little update. Unfortunately my priority to implement the connection on the SXT has changed dramatically (my mother was admitted to hospital), so in this period I can't do anything.
I don't know how the forum works regarding my thread: does it need to be closed (and when the situation is resolved I will open another one) or can I keep the thread open?
In any case I want to say THANKS SO MUCH to all the guys that helped me.
Kind regards
Just leave it like it is, come back when you see the need.
Hoping for the best.