Wireguard server - no DNS or LAN access

After having a hard time getting OpenVPN working properly, I’ve gone, as others suggested, with a simpler setup using WireGuard, except I’m having some issues with that as well. My MikroTik router is currently set up using the Advanced Firewall from https://help.mikrotik.com/docs/display/ROS/Building+Advanced+Firewall so nothing out of the ordinary. I also used https://help.mikrotik.com/docs/display/ROS/WireGuard to set up WG and am currently able to connect with no problems, except I cannot access any devices on the LAN, nor can I get onto the internet using domain names. From the client I can ping the MikroTik using its LAN IP address, 192.168.100.1, and I can also ping it using the WG IP address, 10.168.100.1. What’s odd is that while I can’t reach any devices on the LAN, devices on the LAN can reach the client! Any suggestions on what I’m missing?

mikrotik router

/interface wireguard
# Server side of the tunnel: one WireGuard interface listening on UDP 13231.
add listen-port=13231 mtu=1420 name=wireguard1
/interface wireguard peers
# allowed-address must equal the address the client configures on its side (the
# client below uses 10.168.100.2/24); WireGuard discards packets from a peer whose
# source address is outside its allowed-address.
add allowed-address=10.168.100.2/32 interface=wireguard1 public-key="public_key_from_client"
/ip address
add address=10.168.100.1/24 interface=wireguard1 network=10.168.100.0
# This rule only admits the tunnel itself (handshake/transport). The client points
# its DNS at 10.168.100.1, so UDP/53 from 10.168.100.0/24 also needs an input accept
# and /ip dns allow-remote-requests=yes; neither is shown here.
/ip firewall filter add action=accept chain=input comment="Allow Wireguard" dst-port=13231 protocol=udp

client

Interface: home
Public key: public_key_from_client
Addresses: 10.168.100.2/24
DNS servers: 10.168.100.1

Peer:
Public key: public_key_from_server
Endpoint - mydyndns.whatever:13231
Allowed IPs: 0.0.0.0/0, ::/0

If you don’t know what’s wrong, why are you deciding which part of the config one sees??

/export file=anynameyouwish (minus router serial number and any public WANIP information keys etc.)

Hopefully this method of posting the config works.

/interface bridge
# Single LAN bridge; the LAN IP address is bound to ether2-master (see /ip address),
# not to this bridge.
add admin-mac=00:00:00:00:00:00 auto-mac=no comment=defconf fast-forward=no \
    name=bridge
/interface ethernet
# ether1 is the WAN uplink; every port is forced to 100Mbps.
set [ find default-name=ether1 ] comment="WAN (Internet)" speed=100Mbps
set [ find default-name=ether2 ] comment=LAN name=ether2-master speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] comment="IP webcam" speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=sfp1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface wireless
# Note: the 2.4GHz SSID spells the name with a digit zero (Federation0fPlanets),
# the 5GHz SSID with the letter O - two distinct networks unless that is intended.
set [ find default-name=wlan1 ] antenna-gain=4 band=2ghz-g/n comment=test1 \
    country="united states" disabled=no distance=indoors frequency=auto mode=\
    ap-bridge name="wlan1 - 2.4GHz" scan-list=2412,2437,2462 ssid=\
    Federation0fPlanets station-roaming=enabled wireless-protocol=802.11 \
    wmm-support=enabled wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40mhz-eC \
    country="united states" disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge name="wlan2 - 5GHz" ssid=\
    FederationOfPlanets station-roaming=enabled wireless-protocol=802.11 \
    wmm-support=enabled wps-mode=disabled
/interface wireless nstreme
set "wlan1 - 2.4GHz" comment=test1
/interface wireguard
# Tunnel endpoint; UDP 13231 is opened in the input chain further down.
add listen-port=13231 mtu=1420 name=wireguard1
/interface wireless manual-tx-power-table
set "wlan1 - 2.4GHz" comment=test1
/interface list
# WAN and LAN drive the firewall; discover/mactel/mac-winbox scope the
# management protocols. No list exists for the tunnel interface.
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
# WPA2-PSK with PMKID disabled on the default profile.
set [ find default=yes ] authentication-types=wpa2-psk disable-pmkid=yes \
    eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.100.100-192.168.100.199
# vpn-pool's end address 100.168.44.199 lies outside 10.168.100.0/24 - almost
# certainly a typo for 10.168.100.199. This pool only feeds the ppp profile below
# (OpenVPN/SSTP); WireGuard takes addresses from the peer allowed-address instead.
add name=vpn-pool ranges=10.168.100.100-100.168.44.199
add name=reserved ranges=192.168.100.240-192.168.100.254
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay interface=bridge \
    lease-time=2h name=defconf
/ppp profile
# local-address=10.168.100.1 is the same address wireguard1 carries (/ip address),
# so the PPP VPNs and WireGuard share one subnet - presumably what the reply
# means by mixing the VPN pools.
add local-address=10.168.100.1 name=vpn-profile remote-address=vpn-pool \
    use-encryption=yes
/system logging action
set 1 disk-file-name=disk1/log
add disk-file-count=10 disk-file-name=disk1/firewallhits name=FirewallHits \
    target=disk
/interface bridge port
# All LAN-side ports (wired, sfp1 and both radios) are members of the bridge.
add bridge=bridge comment=defconf ingress-filtering=no interface=\
    ether2-master
add bridge=bridge comment=defconf hw=no ingress-filtering=no interface=sfp1
add bridge=bridge comment=defconf ingress-filtering=no interface=\
    "wlan1 - 2.4GHz"
add bridge=bridge comment=defconf ingress-filtering=no interface=\
    "wlan2 - 5GHz"
add bridge=bridge ingress-filtering=no interface=ether3
add bridge=bridge ingress-filtering=no interface=ether4
add bridge=bridge ingress-filtering=no interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=discover
/ip settings
# NOTE(review): strict reverse-path filtering drops packets whose source is not
# routed back out the ingress interface; the reply config relaxes this to loose.
# Not obviously the cause here, but worth ruling out on the live counters.
set max-neighbor-entries=8192 rp-filter=strict
/ipv6 settings
# IPv6 is off, so the client's ::/0 AllowedIPs entry is inert on this router.
set disable-ipv6=yes max-neighbor-entries=1024
/interface list member
# NOTE(review): wireguard1 belongs to no list. The raw chain ends with
# "accept everything else from LAN" / "... from WAN" / "drop the rest", so
# non-ICMP traffic arriving on wireguard1 is dropped there (ICMP is accepted
# earlier via the icmp4 jump) - consistent with pings working while DNS fails.
# Do not simply add wireguard1 to LAN: the raw rule "drop local if not from
# default IP range" (in-interface-list=LAN src-address=!192.168.100.0/24) would
# then drop the 10.168.100.x traffic. A separate list or an explicit raw accept
# for wireguard1 is needed - confirm against the rule counters.
add interface=ether2-master list=mactel
add interface="wlan1 - 2.4GHz" list=mactel
add interface=ether2-master list=mac-winbox
add interface="wlan2 - 5GHz" list=mactel
add interface="wlan1 - 2.4GHz" list=mac-winbox
add interface=sfp1 list=mactel
add interface="wlan2 - 5GHz" list=mac-winbox
add interface=sfp1 list=mac-winbox
add interface=ether1 list=WAN
add interface=bridge list=LAN
/interface ovpn-server server
# OpenVPN with SHA1 HMAC and AES-256; whether the server is enabled is not visible
# here (the export omits default values).
set auth=sha1 certificate=vpn_server-cert cipher=aes256 default-profile=\
    vpn-profile port=1194 protocol=udp redirect-gateway=def1 \
    require-client-certificate=yes
/interface sstp-server server
# SSTP is enabled; the input chain's "drop all not coming from LAN" leaves it
# reachable only from LAN-list interfaces.
set authentication=mschap2 certificate=*2D default-profile=vpn-profile \
    enabled=yes pfs=yes
/interface wireguard peers
# allowed-address must equal the address configured on the client (the client
# shown at the top uses 10.168.100.2/24); presumably obfuscated here. WireGuard
# silently discards packets from a peer whose source is outside allowed-address.
add allowed-address=10.168.100.94/32 interface=wireguard1 public-key=\
    "public_key_of_client"
/ip address
# The LAN address sits on ether2-master, which is itself a bridge port, while the
# DHCP server and the LAN list use `bridge`. The reply config puts it on bridge;
# confirm the current placement is intentional.
add address=192.168.100.1/24 comment=defconf interface=ether2-master network=\
    192.168.100.0
add address=10.168.100.1/24 interface=wireguard1 network=10.168.100.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.100.0/24 comment=defconf gateway=192.168.100.1 netmask=24
/ip dns
# The client points its DNS at 10.168.100.1. Nothing here sets
# allow-remote-requests=yes and no input rule accepts UDP/53 from 10.168.100.0/24,
# so the router will not answer the client's queries.
set servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.100.1 name=router
/ip firewall address-list
# defconf bogon lists consumed by the raw and forward chains. not_global_ipv4
# (which includes 10.0.0.0/8 and 192.168.0.0/16) is only applied to packets from
# the WAN list, so it does not affect tunnel or LAN traffic.
add address=0.0.0.0/8 comment=\
    "defconf: RFC6890 - IPv4 addresses that cannot be forwarded" list=\
    no_forward_ipv4
add address=169.254.0.0/16 comment=\
    "defconf: RFC6890 - IPv4 addresses that cannot be forwarded" list=\
    no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast - IPv4 addresses that cann\
    ot be forwarded, however disable this if you intend to use multicast forwa\
    rding" list=no_forward_ipv4
add address=255.255.255.255 comment=\
    "defconf: RFC6890 - IPv4 addresses that cannot be forwarded" list=\
    no_forward_ipv4
add address=127.0.0.0/8 comment="defconf: RFC6890 - IPv4 addresses that cannot\
    \_be used as src/dst/forwarded, etc." list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890 - IPv4 addresses that canno\
    t be used as src/dst/forwarded, etc." list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation - IPv4 addres\
    ses that cannot be used as src/dst/forwarded, etc." list=bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation - IPv4 add\
    resses that cannot be used as src/dst/forwarded, etc." list=bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation - IPv4 addr\
    esses that cannot be used as src/dst/forwarded, etc." list=bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved - IPv4 addresses th\
    at cannot be used as src/dst/forwarded, etc." list=bad_ipv4
add address=0.0.0.0/8 comment=\
    "defconf: RFC6890 - IPv4 addresses that cannot be routed globally" list=\
    not_global_ipv4
add address=10.0.0.0/8 comment=\
    "defconf: RFC6890 - IPv4 addresses that cannot be routed globally" list=\
    not_global_ipv4
add address=100.64.0.0/10 comment=\
    "defconf: RFC6890 - IPv4 addresses that cannot be routed globally" list=\
    not_global_ipv4
add address=169.254.0.0/16 comment=\
    "defconf: RFC6890 - IPv4 addresses that cannot be routed globally" list=\
    not_global_ipv4
add address=172.16.0.0/12 comment=\
    "defconf: RFC6890 - IPv4 addresses that cannot be routed globally" list=\
    not_global_ipv4
add address=192.0.0.0/29 comment=\
    "defconf: RFC6890 - IPv4 addresses that cannot be routed globally" list=\
    not_global_ipv4
add address=192.168.0.0/16 comment=\
    "defconf: RFC6890 - IPv4 addresses that cannot be routed globally" list=\
    not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark - IPv4 addresses\
    \_that cannot be routed globally" list=not_global_ipv4
add address=255.255.255.255 comment=\
    "defconf: RFC6890 - IPv4 addresses that cannot be routed globally" list=\
    not_global_ipv4
add address=224.0.0.0/4 comment=\
    "defconf: multicast - IPv4 addresses that cannot be source address" list=\
    bad_src_ipv4
add address=255.255.255.255 comment=\
    "defconf: RFC6890 - IPv4 addresses that cannot be source address" list=\
    bad_src_ipv4
add address=0.0.0.0/8 comment=\
    "defconf: RFC6890 - IPv4 addresses that cannot be destination address" \
    list=bad_dst_ipv4
add address=224.0.0.0/4 comment=\
    "defconf: RFC6890 - IPv4 addresses that cannot be destination address" \
    list=bad_dst_ipv4
/ip firewall filter
# input: ICMP is accepted first, which is why the tunnel client can ping both
# router addresses even though nothing else from the tunnel is admitted.
add action=accept chain=input comment="defconf: accept ICMP after RAW" \
    protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="Allow limited ICMP / pings" disabled=\
    yes limit=50/5s,2:packet protocol=icmp
add action=add-dst-to-address-list address-list=Youtube address-list-timeout=\
    4w2d chain=forward disabled=yes dst-port=443 protocol=tcp src-address=\
    192.168.100.0/24 tls-host=*youtube*
add action=drop chain=forward disabled=yes dst-address-list=Youtube time=\
    11h-13h,sun,mon,tue,wed,thu,fri,sat
# inactive time
add action=drop chain=forward comment="limit Internet usage after 22:45" \
    src-mac-address=64:6C:80:9C:6D:4F time=\
    22h45m-1d,sun,mon,tue,wed,thu,fri,sat
add action=accept chain=input comment="Allow WireGuard" dst-port=13231 \
    protocol=udp
# The accept for src-address=10.168.100.0/24 is disabled and "drop all not coming
# from LAN" follows, so UDP/53 (or anything non-ICMP) from tunnel clients to the
# router is dropped in input even once the raw chain lets it through.
add action=accept chain=input comment="Allow WireGuard" disabled=yes \
    src-address=10.168.100.0/24
add action=accept chain=input comment="Allow WireGuard" disabled=yes \
    src-address=192.168.100.0/24
add action=accept chain=input comment=winbox dst-port=69 in-interface-list=\
    LAN protocol=tcp
add action=accept chain=input comment="SSH for secure shell" disabled=yes \
    dst-port=22 protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=log chain=input comment="Log everything else" disabled=yes \
    log-prefix="DROP INPUT"
add action=drop chain=input comment="Drop everything else" disabled=yes
add action=accept chain=forward comment="defconf: accept all that matches IPSe\
    c policy - if IPsec tunnels are used on the router this rule should be ena\
    bled" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="Accept all traffic coming from LAN" \
    disabled=yes in-interface=all-ppp
# forward has no terminal drop: whatever is not matched is accepted, and the
# WAN-only "not DSTNATed" rule does not touch wireguard1, so tunnel->LAN is not
# blocked in this chain. If client->LAN pings still fail once raw is fixed, the
# LAN hosts' own firewalls are the next suspect (many answer ICMP only from the
# local subnet) - assumption, not visible in this config.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    dst-address-list=no_forward_ipv4
/ip firewall nat
add action=accept chain=srcnat comment="defconf: accept all that matches IPSec\
    \_policy - if IPsec tunnels are used on the router this rule should be ena\
    bled" disabled=yes ipsec-policy=out,ipsec
# The WAN masquerade already covers tunnel clients leaving via ether1, which is
# why the client gets internet by IP; the disabled 10.168.100.0/24 rule is
# redundant. 198.168.44.0/24 is a public range - presumably a typo for
# 192.168.44.0/24.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface-list=WAN
add action=masquerade chain=srcnat comment="OpenVPN server" disabled=yes \
    src-address=198.168.44.0/24
add action=masquerade chain=srcnat comment="OpenVPN server" disabled=yes \
    src-address=10.168.100.0/24
# Both dst-nat rules publish LAN services on ether1 (camera RTSP, a WOL relay).
# Reaching them through the WireGuard tunnel instead removes the WAN exposure.
add action=dst-nat chain=dstnat comment="security camera" dst-port=554 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.100.206 to-ports=554
add action=dst-nat chain=dstnat comment=WOL dst-port=944 in-interface=ether1 \
    protocol=udp to-addresses=192.168.100.44 to-ports=9
/ip firewall raw
add action=accept chain=prerouting comment=\
    "defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: accept DHCP discover" \
    dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=\
    udp src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
    in-interface-list=WAN src-address-list=not_global_ipv4
add action=drop chain=prerouting comment=\
    "defconf: drop forward to local lan from WAN" dst-address=192.168.100.0/24 \
    in-interface-list=WAN
# This rule is why wireguard1 must not simply be added to the LAN list: tunnel
# packets carry 10.168.100.x sources and would be dropped here.
add action=drop chain=prerouting comment=\
    "defconf: drop local if not from default IP range" in-interface-list=LAN \
    src-address=!192.168.100.0/24
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 \
    protocol=udp
# ICMP from any interface - including wireguard1 - is decided in icmp4, which
# accepts echo/echo-reply (rate limited). Everything else is accepted only by the
# two list-based rules below, so non-ICMP packets from wireguard1 (member of
# neither list) fall through to "drop the rest". That is the first place to look
# for the missing DNS and LAN access.
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" \
    jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" \
    jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from WAN" in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=drop chain=bad_tcp comment=\
    "defconf: TCP flag filter - drop TCP packets known to be invalid" \
    protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 \
    protocol=tcp
# icmp4: echo and echo-reply are limited to 5 packets/s with a burst of 10.
add action=accept chain=icmp4 comment="defconf: ICMP filtering - echo reply" \
    icmp-options=0:0 limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment=\
    "defconf: ICMP filtering - net unreachable" icmp-options=3:0 protocol=\
    icmp
add action=accept chain=icmp4 comment=\
    "defconf: ICMP filtering - host unreachable" icmp-options=3:1 protocol=\
    icmp
add action=accept chain=icmp4 comment=\
    "defconf: ICMP filtering - protocol unreachable" icmp-options=3:2 \
    protocol=icmp
add action=accept chain=icmp4 comment=\
    "defconf: ICMP filtering - port unreachable" icmp-options=3:3 protocol=\
    icmp
add action=accept chain=icmp4 comment=\
    "defconf: ICMP filtering - fragmentation needed" icmp-options=3:4 \
    protocol=icmp
add action=accept chain=icmp4 comment="defconf: ICMP filtering - echo" \
    icmp-options=8:0 limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment=\
    "defconf: ICMP filtering - time exceeded " icmp-options=11:0-255 \
    protocol=icmp
add action=drop chain=icmp4 comment=\
    "defconf: ICMP filtering - drop other icmp" protocol=icmp
/ip service
# Only Winbox is left on, bound to the LAN subnet on a non-default port. A
# WireGuard client at 10.168.100.x cannot reach it unless that subnet is added
# to the address filter. Port 69 is TFTP's well-known port - harmless, but it
# will confuse scanners and log reviewers.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.100.0/24 port=69
set api-ssl disabled=yes
/ip ssh
set forwarding-enabled=remote strong-crypto=yes
/ip upnp interfaces
# The UPnP enable flag is not part of this export (exports omit defaults), so
# these two entries alone do not show whether UPnP is active.
add interface=bridge type=internal
add interface=ether1 type=external
/ipv6 firewall address-list
# defconf IPv6 bogon lists; dormant while /ipv6 settings disable-ipv6=yes.
add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast - IPv6 a\
    ddresses that cannot be forwarded" list=no_forward_ipv6
add address=ff00::/8 comment="defconf: multicast - IPv6 addresses that cannot \
    be forwarded, however disable this if you intend to use multicast forwardi\
    ng" list=no_forward_ipv6
add address=::1/128 comment="defconf: RFC6890 lo - IPv6 addresses that cannot \
    be used as src/dst/forwarded, etc." list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: RFC6890 IPv4 mapped - IPv6 add\
    resses that cannot be used as src/dst/forwarded, etc." list=bad_ipv6
add address=2001::/23 comment="defconf: RFC6890 - IPv6 addresses that cannot b\
    e used as src/dst/forwarded, etc." list=bad_ipv6
add address=2001:db8::/32 comment="defconf: RFC6890 documentation - IPv6 addre\
    sses that cannot be used as src/dst/forwarded, etc." list=bad_ipv6
add address=2001:10::/28 comment="defconf: RFC6890 orchid - IPv6 addresses tha\
    t cannot be used as src/dst/forwarded, etc." list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat - IPv6 addresses that cannot b\
    e used as src/dst/forwarded, etc." list=bad_ipv6
add address=100::/64 comment="defconf: RFC6890 Discard-only - IPv6 addresses t\
    hat cannot be routed globally" list=not_global_ipv6
add address=2001::/32 comment=\
    "defconf: RFC6890 TEREDO - IPv6 addresses that cannot be routed globally" \
    list=not_global_ipv6
add address=2001:2::/48 comment="defconf: RFC6890 Benchmark - IPv6 addresses t\
    hat cannot be routed globally" list=not_global_ipv6
add address=fc00::/7 comment="defconf: RFC6890 Unique-Local - IPv6 addresses t\
    hat cannot be routed globally" list=not_global_ipv6
add address=::/128 comment="defconf: unspecified - IPv6 addresses that cannot \
    be destination address" list=bad_dst_ipv6
add address=::/128 comment=\
    "defconf: unspecified - IPv6 addresses that cannot be source address" \
    list=bad_src_ipv6
add address=ff00::/8 comment=\
    "defconf: multicast - IPv6 addresses that cannot be source address" list=\
    bad_src_ipv6
/ipv6 firewall filter
# defconf IPv6 filter; inactive while IPv6 is disabled. Like the IPv4 chains it
# only knows the WAN and LAN lists, so the tunnel interface would need the same
# treatment if IPv6 is ever enabled.
add action=accept chain=input comment="defconf: accept ICMPv6 after RAW" \
    protocol=icmpv6
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/16
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept IPSec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept IPSec ESP" protocol=\
    ipsec-esp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    src-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    dst-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6 after RAW" \
    protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ipv6 firewall raw
# defconf IPv6 raw chain (bogon drops, ICMPv6 type filtering); inactive while
# IPv6 is disabled.
add action=accept chain=prerouting comment=\
    "defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: RFC4291, section 2.7.1" \
    dst-address=ff02::1:ff00:0/104 icmp-options=135 protocol=icmpv6 \
    src-address=::/128
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_ipv6
add action=drop chain=prerouting comment=\
    "defconf: drop packets with bad SRC ipv6" src-address-list=bad_src_ipv6
add action=drop chain=prerouting comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_dst_ipv6
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
    in-interface-list=WAN src-address-list=not_global_ipv6
add action=jump chain=prerouting comment="defconf: jump to ICMPv6 chain" \
    jump-target=icmp6 protocol=icmpv6
add action=accept chain=prerouting comment=\
    "defconf: accept local multicast scope" dst-address=ff02::/16
add action=drop chain=prerouting comment=\
    "defconf: drop other multicast destinations" dst-address=ff00::/8
# Same list-only acceptance as the IPv4 raw chain: an interface in neither WAN
# nor LAN ends at "drop the rest".
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from WAN" in-interface-list=WAN
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from LAN" in-interface-list=LAN
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=accept chain=icmp6 comment=\
    "defconf: ICMP filtering - rfc4890 drop ll if hop-limit!=255" \
    dst-address=fe80::/10 hop-limit=not-equal:255 protocol=icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: ICMP filtering - dst unreachable" icmp-options=1:0-255 \
    protocol=icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: ICMP filtering - packet too big" icmp-options=2:0-255 protocol=\
    icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: ICMP filtering - limit exceeded" icmp-options=3:0-1 protocol=\
    icmpv6
add action=accept chain=icmp6 comment="defconf: ICMP filtering - bad header" \
    icmp-options=4:0-2 protocol=icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: ICMP filtering - Mobile home agent address discovery" \
    icmp-options=144:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: ICMP filtering - Mobile home agent address discovery" \
    icmp-options=145:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: ICMP filtering - Mobile prefix solic" icmp-options=146:0-255 \
    protocol=icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: ICMP filtering - Mobile prefix advert" icmp-options=147:0-255 \
    protocol=icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: ICMP filtering - echo request limit 5,10" icmp-options=\
    128:0-255 limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: ICMP filtering - echo reply limit 5,10" icmp-options=129:0-255 \
    limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: ICMP filtering - rfc4890 router solic limit 5,10 only LAN" \
    hop-limit=equal:255 icmp-options=133:0-255 in-interface-list=LAN limit=\
    5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: ICMP filtering - rfc4890 router advert limit 5,10 only LAN" \
    hop-limit=equal:255 icmp-options=134:0-255 in-interface-list=LAN limit=\
    5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: ICMP filtering - rfc4890 neighbor solic limit 5,10 only LAN" \
    hop-limit=equal:255 icmp-options=135:0-255 in-interface-list=LAN limit=\
    5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: ICMP filtering - rfc4890 neighbor advert limit 5,10 only LAN" \
    hop-limit=equal:255 icmp-options=136:0-255 in-interface-list=LAN limit=\
    5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: ICMP filtering - rfc4890 inverse ND solic limit 5,10 only LAN" \
    hop-limit=equal:255 icmp-options=141:0-255 in-interface-list=LAN limit=\
    5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: ICMP filtering - rfc4890 inverse ND advert limit 5,10 only LAN" \
    hop-limit=equal:255 icmp-options=142:0-255 in-interface-list=LAN limit=\
    5,10:packet protocol=icmpv6
add action=drop chain=icmp6 comment=\
    "defconf: ICMP filtering - drop other icmp" protocol=icmpv6
/ppp secret
# OpenVPN user account; unrelated to the WireGuard peer.
add name=veepeeen profile=vpn-profile service=ovpn
/system leds
set 1 interface="wlan2 - 5GHz"
/system logging
# firewall-topic entries go to the FirewallHits disk file; adding log=yes to a
# suspect drop rule is the quickest way to see which chain eats tunnel traffic.
add action=disk topics=error
add action=disk topics=warning
add action=FirewallHits topics=firewall
add action=disk topics=account
add action=disk topics=info,!firewall
/system note
set note=\
    "Authorized administrators only. Access to this network is monitored."
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.us.pool.ntp.org
add address=1.us.pool.ntp.org
add address=2.us.pool.ntp.org
add address=3.us.pool.ntp.org
/tool bandwidth-server
set enabled=no
/tool mac-server
# MAC-telnet and MAC-winbox are limited to the LAN-side interface lists; MAC
# ping is off.
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
/tool mac-server ping
set enabled=no

What a friggen mess. Why on earth would you mix the bridge subnet pool with all your VPN? Nightmare disaster…
Don’t even understand this pool anyway: add name=vpn-pool ranges=10.168.100.100-100.168.44.199
will look at it after some food LOL…

Homemade baked beans with onions and bacon…sooooooooooooooo good.

One note: get rid of all those blackhole address entries until you understand what you are doing…
Never copy and paste sheite from youtube unless you understand it.

/interface bridge
# Forum formatting dropped the line-continuation backslashes from this listing:
# the "name=bridge", "lease-time=...", key and "192.168.100.0" lines below
# belong to the command that precedes each of them.
add admin-mac=00:00:00:00:00:00 auto-mac=no comment=defconf fast-forward=no
name=bridge
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
# MANAGE holds every interface that may talk to the router itself.
add name=WAN
add name=LAN
add name=MANAGE
/ip pool
add name=dhcp ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay interface=bridge
lease-time=2h name=defconf
/ip neighbor discovery-settings
set discover-interface-list=MANAGE
/ip settings
# RouterOS spells the value lowercase (loose); loose avoids dropping
# asymmetrically routed tunnel traffic.
set max-neighbor-entries=8192 rp-filter=LOOSE
/interface list member
# wireguard1 in MANAGE is what lets the AdminAccess addresses reach the router
# over the tunnel; it is deliberately not in LAN.
add interface=bridge list=LAN
add interface=bridge list=MANAGE
add interface=wireguard1 list=MANAGE
add interface=ether1 list=WAN
/interface wireguard peers
# Curly quotes are not valid string delimiters in RouterOS script; use "...".
add allowed-address=10.168.100.94/32 interface=wireguard1 public-key=
“public_key_of_client”
/ip address
# network=192.168.100.0 does not belong to 192.168.10.1/24 - should be
# 192.168.10.0 (or omitted; RouterOS derives it from the address).
add address=192.168.10.1/24 comment=defconf interface=bridge network=
192.168.100.0
add address=10.168.100.1/24 interface=wireguard1 network=10.168.100.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
# gateway=192.168.100.1 is outside 192.168.10.0/24; the bridge address above is
# 192.168.10.1.
add address=192.168.10.0/24 comment=defconf gateway=192.168.100.1 netmask=24
/ip dns
set servers=8.8.8.8,8.8.4.4

In terms of firewall rules, order is critical and organization is commonsense.
One cannot block YouTube or most other crap either; you are wasting your time… see the duplicate and redundant rules as well.

/ip firewall filter
# The "(default rules)" / "(admin rules)" lines and the trailing parenthetical on
# the disabled input drop are reading aids, not script. Continuation backslashes
# were lost to forum formatting, as were the straight quotes.
(default rules)
add action=accept chain=input comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid”
connection-state=invalid
add action=accept chain=input comment=“accept ICMP” protocol=icmp
(admin rules)
add action=accept chain=input comment=“WireGuard handshake” dst-port=13231
protocol=udp
# A firewall address-list is matched with src-address-list=AdminAccess;
# src-address= expects a literal address or range.
add action=accept chain=input comment=“Allow admin to Router” in-interface-list=MANAGE src-address=AdminAccess
# NTP (123) is UDP; the tcp rule lists it but the udp rule below only opens 53.
# Only matters if the router is meant to serve NTP to the LAN.
add action=accept chain=input comment=“users to router services” in-interface-list=LAN dst-port=53,123 protocol=tcp
add action=accept chain=input comment=“users to router services” in-interface-list=LAN dst-port=53 protocol=udp
add action=drop chain=input comment=“Drop everything else” disabled=yes ( ENABLE THIS AS THE LAST THING YOU CHANGE )
(default rules)
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack”
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=
“defconf: accept established,related, untracked” connection-state=
established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid”
connection-state=invalid
(admin rules)
# The tunnel -> LAN accept is what the original config lacked. There is no
# forward accept for wireguard1 -> WAN, though; with the client's AllowedIPs of
# 0.0.0.0/0 its internet traffic ends at "drop all else". If full-tunnel is
# intended, add an accept with in-interface=wireguard1 out-interface-list=WAN.
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=“port forwarding” connection-nat-state=dstnat
add action=accept chain=forward in-interface=wireguard1 dst-address=192.168.10.0/24
add action=drop chain=forward comment=“drop all else”

WHERE the admin firewall address list called AdminAccess is like so (using fixed static LAN IPs or the WireGuard IP):
/ip firewall address-list
# Placeholders: replace each entry with the host's static LAN address, or the
# WireGuard peer address (10.168.100.94 in the export) for the remote admin.
add address=IP_admin-desktop list=AdminAccess
add address=IP_admin-laptop list=AdminAccess
add address=IP_admin-iphone/ipad list=AdminAccess
add address=IP_remote-wireguard_IP list=AdminAccess

DELETE ALL RAW RULES, not needed.
As for your port forwardings… if this is for you to view your camera or do something else, I suggest you use WireGuard to access them instead of port forwarding, which opens up holes in your router.
Another option is to use ZeroTier, but I cannot remember which device you are using. This assumes you are not accessing from fixed WAN IPs but from random ones ???

/ip service
# Bound to the LAN subnet only, so Winbox is unreachable from a tunnel client at
# 10.168.100.x until that subnet is added to the address filter.
set winbox address=192.168.100.0/24 port=69 (NEVER state your winbox port on a config…)

Almost hypocritical… WHY all the security and then use UPnP, which is not a good security protocol???
/ip upnp interfaces ??
# The export shows no /ip upnp enable setting, so these interface entries alone
# do not show UPnP to be active; exports omit default values.
add interface=bridge type=internal
add interface=ether1 type=external

/tool mac-server
# RouterOS spells the empty list lowercase (none); this turns MAC-telnet off.
set allowed-interface-list=NONE ( not a secure protocol do not use )
/tool mac-server mac-winbox
# MAC-winbox restricted to the MANAGE list (bridge and wireguard1 above).
set allowed-interface-list=MANAGE

Sorry, where do you see the bridge subnet mixed with the VPN? Originally I started with OpenVPN being in the same pool, but I have since created a vpn-pool that uses 10.168.100.xxx while my bridge is using 192.168.100.xxx. Am I not seeing what you’re seeing?

Up to you what to do with info.
I created a clean separate bridge interface, with cleaned up rules, it will work.
a. you will be able to reach the config via wireguard
b. you will be able to reach the LAN via wireguard.
c. you will be safe using the config.
++++++++++++++++++++++++++++
If you want to bogon anything, then blackhole the bogons in IP routes, but for God’s sake don’t bogon your own IP addresses.

Very good for health and gas production…
If you don’t know what bogons are, and how you have identified them in your own config, even more reason not to use them…

Not sure if you saw the remainder of the previous post, but
I’ve modified my firewall filter to what you have above and am sad to report that I am still unable to ping devices on the LAN from the client… the LAN, however, can ping the client with no problem…


Almost hypocritical …WHY all the security then use UPNP which is not a good security protocol???
/ip upnp interfaces ??
add interface=bridge type=internal
add interface=ether1 type=external

I do have UPNP disabled… is that not enough, should I also disable the interfaces?

Post your latest config so that I can see what is going on now.
/export file=anynameyouwish ( minus router serial # and any public WANIP information )

I had decided to wipe and start from scratch with the default mikrotik config, but only adding in the WireGuard changes and it worked! I am now able to get internet on the client, as well as ping the client from the LAN. the only issue that remains now is why can’t I reach the LAN from the client?? please see my almost working config below

# RouterOS export posted in the thread: the defconf firewall plus a WireGuard
# interface on 192.168.100.0/24. Comments added for review; commands unchanged.
/interface bridge
add admin-mac=00:00:00:00:00:00 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=MikroTik-BE4AE7 wireless-protocol=802.11
# WireGuard listener; the matching input-chain accept for udp/13231 is in the
# filter section below.
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# NOTE(review): the default security-profile below only sets supplicant-identity.
# A plain export omits default values, so confirm with
# "/interface wireless security-profiles print" that authentication is actually
# enabled on this AP rather than assuming it from this listing.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.100-192.168.88.199
add name=reserved ranges=192.168.88.240-192.168.88.254
# NOTE(review): nothing else in this export references the "vpn" pool; the
# WireGuard peer further down is addressed via allowed-address, not a pool.
add name=vpn ranges=192.168.100.2-192.168.100.199
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
# LoRa server entries (present in the export; not related to the VPN issue).
/lora servers
add address=eu.mikrotik.thethings.industries down-port=1700 name=TTN-EU \
    up-port=1700
add address=us.mikrotik.thethings.industries down-port=1700 name=TTN-US \
    up-port=1700
add address=eu1.cloud.thethings.industries down-port=1700 name=\
    "TTS Cloud (eu1)" up-port=1700
add address=nam1.cloud.thethings.industries down-port=1700 name=\
    "TTS Cloud (nam1)" up-port=1700
add address=au1.cloud.thethings.industries down-port=1700 name=\
    "TTS Cloud (au1)" up-port=1700
add address=eu1.cloud.thethings.network down-port=1700 name="TTN V3 (eu1)" \
    up-port=1700
add address=nam1.cloud.thethings.network down-port=1700 name="TTN V3 (nam1)" \
    up-port=1700
add address=au1.cloud.thethings.network down-port=1700 name="TTN V3 (au1)" \
    up-port=1700
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
# Interface lists: only the bridge is LAN and only ether1 is WAN here;
# wireguard1 is in neither list, which matters for the "!LAN" drops below.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# Single peer. allowed-address=192.168.100.2/32 is the only address this peer
# may use inside the tunnel (WireGuard cryptokey routing).
/interface wireguard peers
add allowed-address=192.168.100.2/32 interface=wireguard1 public-key=\
    "public_key_of_client"
# Router-side tunnel address; the LAN stays on 192.168.88.0/24.
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0
/ip dhcp-client
add comment=defconf interface=ether1
# LAN hosts get the router as gateway and DNS server, so their replies to
# 192.168.100.x go back through the router.
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
# allow-remote-requests=yes makes the router answer DNS for other hosts; the
# input-chain "drop all not coming from LAN" rule below is what keeps it from
# being reachable as a resolver from the WAN.
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
# IPv4 filter. Rules are evaluated top to bottom; the two WireGuard accepts
# were placed ahead of the defconf rules.
/ip firewall filter
# Handshake/transport port of the tunnel itself.
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
    protocol=udp
# NOTE(review): this rule matches on source address only (no in-interface), so
# it also accepts packets arriving on ether1 with a spoofed 192.168.100.x
# source; adding in-interface=wireguard1 limits it to real tunnel traffic.
add action=accept chain=input comment="allow WireGuard traffic" src-address=\
    192.168.100.0/24
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Final input drop. wireguard1 is not in the LAN list in this export, so
# management access from the tunnel relies entirely on the src-address rule above.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# Forward chain: the only terminal drop is for new, non-DSTNATed connections
# from the WAN list. wireguard1 is in neither list, so client->LAN forwarding is
# not blocked here (a packet matching no rule in a built-in chain is accepted).
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# Only WAN-bound traffic is masqueraded. Tunnel->LAN packets keep their
# 192.168.100.x source; if the router counts them but a LAN workstation never
# answers, its host firewall (which may only accept ICMP from its own subnet)
# is worth checking before changing the router — presumption, not confirmed here.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# defconf bogon list, referenced by the IPv6 forward chain below.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
# IPv6 filter: defconf rules only, no WireGuard-specific entries.
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=America/New_York
# MAC-telnet and MAC-winbox limited to the LAN interface list.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

You don't need to provide a pool range for WireGuard – remove it!!
/ip pool
add name=dhcp ranges=192.168.88.100-192.168.88.199
add name=reserved ranges=192.168.88.240-192.168.88.254
add name=vpn ranges=192.168.100.2-192.168.100.199

Try it again after the change!
Can you access the router for config purposes. You should be able to!!

There is no reason other than my one observation above that you cannot reach the lan devices from the client???

What I can suggest is two things try…
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wireguard1 list=LAN

add action=drop chain=forward comment=“defconf: drop invalid”
connection-state=invalid
add action=accept in-interface=wireguard1 dst-address=192.168.88.0/24
add action=drop chain=forward comment=
“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN

Other than that, the only conclusion is your PC or laptop or client device is blocking return traffic ???

[quote=HazellyMores post_id=983892 time=1676269392 user_id=212265]
You can read the rest of the previous post, but I’m sorry to say that even after changing my firewall filter to match what you have stated, I am still unable to ping devices on the LAN from the client. The LAN, on the other hand, can ping the client without any issues.
[/quote]
BS. First not your thread, Second, start your own thread dont hijack others, Third, your opinion is worth shit, when you start your own thread provide the config of both ends as that is evidence that can be used to fix your config.

unfortunately I am still unable to reach the LAN from the client with your suggestions. your suggestion of the following line

add action=accept in-interface=wireguard1 dst-address=192.168.88.0/24

I take it that is in the forward chain? I’ve added it there and I am seeing the packet counter increment while sending pings from the client to the LAN… but the ping is not reaching the destination. I can confirm that the client and the LAN computer can both receive pings and that they are not blocked… the client is actually my cellphone connecting to WG and the mikrotik with WiFi turned off, using the cellular connection. When it is on WiFi and on the same LAN as the PC, they can both ping each other no problem. Any other suggestions?

I always work from the latest config, please post it… my apologies for forgetting to put the chain in a rule. :frowning:

please see below

# Latest RouterOS export posted in the thread: defconf firewall, WireGuard on
# 192.168.100.0/24, wireguard1 added to the LAN list, and an explicit
# forward accept for tunnel->LAN. Comments added for review; commands unchanged.
/interface bridge
add admin-mac=00:00:00:00:00:00 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment=LAN
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=MikroTik-BE4AE7 wireless-protocol=802.11
# WireGuard listener; the matching input-chain accept for udp/13231 is in the
# filter section below.
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# NOTE(review): the default security-profile below only sets supplicant-identity.
# A plain export omits default values, so confirm with
# "/interface wireless security-profiles print" that authentication is actually
# enabled on this AP rather than assuming it from this listing.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.100-192.168.88.199
add name=reserved ranges=192.168.88.240-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
# LoRa server entries (present in the export; not related to the VPN issue).
/lora servers
add address=eu.mikrotik.thethings.industries down-port=1700 name=TTN-EU \
    up-port=1700
add address=us.mikrotik.thethings.industries down-port=1700 name=TTN-US \
    up-port=1700
add address=eu1.cloud.thethings.industries down-port=1700 name=\
    "TTS Cloud (eu1)" up-port=1700
add address=nam1.cloud.thethings.industries down-port=1700 name=\
    "TTS Cloud (nam1)" up-port=1700
add address=au1.cloud.thethings.industries down-port=1700 name=\
    "TTS Cloud (au1)" up-port=1700
add address=eu1.cloud.thethings.network down-port=1700 name="TTN V3 (eu1)" \
    up-port=1700
add address=nam1.cloud.thethings.network down-port=1700 name="TTN V3 (nam1)" \
    up-port=1700
add address=au1.cloud.thethings.network down-port=1700 name="TTN V3 (au1)" \
    up-port=1700
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
# wireguard1 is a LAN-list member here: every "!LAN" drop below, neighbor
# discovery above and the mac-server lists at the end now treat the tunnel
# exactly like the wired/wireless LAN.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wireguard1 list=LAN
# Single peer. allowed-address=192.168.100.2/32 is the only address this peer
# may use inside the tunnel (WireGuard cryptokey routing).
/interface wireguard peers
add allowed-address=192.168.100.2/32 interface=wireguard1 public-key=\
    "public_key_of_client"
# Router-side tunnel address; the LAN stays on 192.168.88.0/24.
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0
/ip dhcp-client
add comment=defconf interface=ether1
# LAN hosts get the router as gateway and DNS server, so their replies to
# 192.168.100.x go back through the router.
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
# allow-remote-requests=yes makes the router answer DNS for other hosts; the
# input-chain "drop all not coming from LAN" rule below keeps it off the WAN.
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
# IPv4 filter, evaluated top to bottom.
/ip firewall filter
# NOTE(review): with wireguard1 in the LAN list this rule is redundant for real
# tunnel traffic, and because it matches on source address only (no
# in-interface) it would also accept spoofed 192.168.100.x packets arriving on
# ether1. Remove it, or add in-interface=wireguard1.
add action=accept chain=input comment="allow WireGuard traffic" src-address=\
    192.168.100.0/24
# Handshake/transport port of the tunnel itself; must stay reachable from WAN.
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Final input drop; the tunnel passes it because wireguard1 is in LAN.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# Explicit tunnel->LAN accept, placed ahead of fasttrack so the first packet of
# a new connection is accepted here. The thread reports this rule's counters
# incrementing, i.e. the router is passing the packets; if the LAN target is a
# workstation, its host firewall (which may only answer ICMP from its own
# subnet) is the next thing to check — presumption, not confirmed here.
add action=accept chain=forward dst-address=192.168.88.0/24 in-interface=\
    wireguard1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# The only terminal forward drop: new, non-DSTNATed connections from the WAN
# list. wireguard1 is not in WAN, so tunnel traffic never hits it.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# Only WAN-bound traffic is masqueraded; tunnel<->LAN traffic keeps real
# source addresses.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# defconf bogon list, referenced by the IPv6 forward chain below.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
# IPv6 filter: defconf rules only, no WireGuard-specific entries.
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=America/New_York
# MAC-telnet and MAC-winbox limited to the LAN list (which now includes wireguard1).
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I dont really see any significant problems. :frowning:

Moving the first two rules to after the default loopback rule is about the only change I would make on the input chain…
You also don’t really need the first rule anyway, because later on you drop all traffic to the router that is not from the LAN interface list, and since you made wireguard1 a member of the LAN interface list, that traffic is already permitted. But for now leave it as is.

On the forward chain move your allow rule for wireguard traffic to after the default invalid rule!

Changes illustrated below.

/ip firewall filter
add action=accept chain=input comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=
invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input comment=
“defconf: accept to local loopback (for CAPsMAN)” dst-address=127.0.0.1

add action=accept chain=input comment=“allow WireGuard traffic” src-address=
192.168.100.0/24

add action=accept chain=input comment=“allow WireGuard” dst-port=13231
protocol=udp

add action=drop chain=input comment=“defconf: drop all not coming from LAN”
in-interface-list=!LAN

add action=accept chain=forward comment=“defconf: accept in ipsec policy”
ipsec-policy=in,ipsec
add action=accept chain=forward comment=“defconf: accept out ipsec policy”
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack”
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=
“defconf: accept established,related, untracked” connection-state=
established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid”
connection-state=invalid

add action=accept chain=forward dst-address=192.168.88.0/24 in-interface=
wireguard1

add action=drop chain=forward comment=
“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat
connection-state=new in-interface-list
=WAN

+++++++++++++++++++++++++++++++++++++++

Other than that I would need to see the latest config on the client.

modifications made, but no change, so here is my config on the client
Interface
Name: home
Private key: random key
Public key: random key
Addresses: 192.168.100.2/32
Listen port: (random)
DNS servers: 192.168.100.1
MTU: (auto)

Peer
Public key: random key
Pre-shared key: (optional)
Persistent keepalive: (optional, not recommended)
Endpoint: dynamicDNS.com:13231
Allowed IPs: 192.168.100.0/24, 192.168.88.0/24

I would put an entry into persistent keepalive of, let’s say, 30 seconds in the client settings (the peer entry for the router).

At a loss, try also putting dns server of 1.1.1.1 and see if that does anything…

Can you activate the tunnel on your client device, and then go to the browser and enter in whats my ip?
You should get the WANIP of your Router’s connection — provided the tunnel carries all of the client’s traffic; with Allowed IPs limited to the two subnets, internet traffic does not go through the tunnel at all…

Any reason you’re not using the IP Cloud address already existing on the router???
As the endpoint address ??

Is the client device a windows laptop? Iphone?

Also, I imagine you have confirmed the right keys are where they should be…

Interface
Name: home
Private key: random key
Public key: random key Entered on ROUTER PEER settings for client device.
Addresses: 192.168.100.2/32
Listen port: (random)
DNS servers: 192.168.100.1
MTU: (auto)

Peer
Public key: random key FROM WIREGUARD SETTINGS FOR INTERFACE on Router wireguard.
Pre-shared key: (optional)
Persistent keepalive: (optional, not recommended)
Endpoint: dynamicDNS.com:13231
Allowed IPs: 192.168.100.0/24, 192.168.88.0/24

also for giggles instead of auto MTU on client interface settings try matching the Router settings of 1420.

tried persistent keepalive set to 30 seconds on client config and dns server to 1.1.1.1, no change. interesting bit, after connecting to the VPN and using whatsmyip.com, I am NOT getting the IP of my router’s WAN… website returns a 172.xxx.xxx.xxx address, while my WAN is 104.xxx.xxx.xxx! I was not aware of the IP cloud address existing on the router until recently and the dynamic DNS I’ve had a while so wanted to keep consistent. the client is an Android phone with termux. also tried changing the MTU on the client with no luck