Wireguard VPN routing

Hi, I’m having a few issues getting this to work. I did have it working at one point but with so many settings I’m not sure why it stopped. I think it may have been the Mikrotik quirk described by The Network Berg at 14:35mins on this video about reauthorizing the peer - https://www.youtube.com/watch?v=P6f8Qc4EItc

Anyway with reference to the below diagram what I’m trying to achieve is connection between Remote PC3 and Computer 2 over effectively 2 Wireguard tunnels (like a hub and spoke design). The dotted lines are internet and solid lines local LAN cables. I have everything working correctly between Computer 1 to Computer 2 and everything working correctly between Computer 3 (with the Wireguard Client installed) to Router 1 and Computer 1 but cannot connect to Router 2 or Computer 2 (going through the 2 routers).

I’m thinking I maybe need some NAT rule on Router 1 translating the 99 subnet to the 101 subnet or firewall rule I’m missing? I would post a script of the settings (and will do if it comes to it) but I’m just trying to understand the VPN routing fundamentals to learn. Any pointers that would assist would be appreciated.
[image: VPN Routing.JPG]

The only thing needed is both configs
R1 & R2
/export file=anynameyouwish ( minus router serial number any public WANIP info keys etc.)

Do both routers have publicly accessible WAN IPs?
Assuming at the moment that R1 is the hub for the wireguard network that includes R2 as well as computer PC3.
Should be dirt simple to fix once I see the configs… nice clear diagram…

Router 1 - Fixed Public IP address (I think I've blanked out any sensitive settings) This is currently working as described although some settings are a work in progress, ignore all other Wireguard tunnels which are working correctly. (BTW - I need to replicate routing to all RDKits in the address list & the TEST firewall entries are exactly that)

feb/16/2023 19:11:14 by RouterOS 7.7

software id = ZTYV-43SF

model = RB4011iGS+

serial number = XXXXXXXXXXX

/interface bridge
add admin-mac=08:55:31:A4:67:AB auto-mac=no comment=defconf name=bridge
/interface wireguard
add listen-port=13231 mtu=1420 name=Wireguard
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec peer
add address=192.168.0.200/32 disabled=yes local-address=XXXXXXXXXXXXXXX name=
XXXXXXX
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-192,aes-128,3des nat-traversal=no
/ip ipsec proposal
add auth-algorithms=sha1,md5 disabled=yes enc-algorithms=
aes-256-cbc,aes-128-cbc,3des name=XXXXXXXX pfs-group=none
/ip pool
add name=dhcp ranges=192.168.0.2-192.168.0.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=1d name=defconf
/port
set 0 name=serial0
set 1 name=serial1
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=192.168.99.106/32,192.168.106.0/24 comment=
"MRTW6 - HAP AC Lite" endpoint-port=13231 interface=Wireguard public-key=
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
add allowed-address=192.168.99.3/32,192.168.0.0/24 comment="XXXXXXXXXXXXXXX"
endpoint-port=13231 interface=Wireguard public-key=
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
add allowed-address=192.168.99.4/32,192.168.100.0/24 comment=MAP2N
endpoint-port=13231 interface=Wireguard public-key=
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
add allowed-address=192.168.99.5/32,192.168.90.0/24 comment="HAP AC2"
endpoint-port=13231 interface=Wireguard public-key=
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
add allowed-address=192.168.99.254/32,192.168.18.0/24 comment=
"XXXXXXXXXXX" endpoint-address=XXXXXXXXXXXXXXXXXXXXXXXXX
endpoint-port=13231 interface=Wireguard persistent-keepalive=10s
public-key="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
add allowed-address=192.168.99.101/32,192.168.101.0/24 comment=MRTWP1
endpoint-port=13231 interface=Wireguard public-key=
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
add allowed-address=192.168.99.103/32,192.168.103.0/24 comment=MRTWP3
endpoint-port=13231 interface=Wireguard public-key=
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
add allowed-address=192.168.99.104/32,192.168.104.0/24 comment=MRTWP4
endpoint-port=13231 interface=Wireguard public-key=
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=
192.168.0.0
add address=192.168.99.1/24 interface=Wireguard network=192.168.99.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.0.23 client-id=1:e4:8d:8c:9c:98:c0 mac-address=
E4:8D:8C:9C:98:C0 server=defconf
add address=192.168.0.238 client-id=1:b4:2e:99:9d:f2:ee mac-address=
B4:2E:99:9D:F2:EE server=defconf
add address=192.168.0.16 client-id=1:dc:f5:5:21:a8:85 mac-address=
DC:F5:05:21:A8:85 server=defconf
add address=192.168.0.8 client-id=1:18:68:cb:89:6d:b4 mac-address=
18:68:CB:89:6D:B4 server=defconf
add address=192.168.0.38 client-id=1:0:11:32:2c:a7:85 mac-address=
00:11:32:2C:A7:85 server=defconf
add address=192.168.0.158 client-id=1:98:df:82:1e:b8:71 mac-address=
98:DF:82:1E:B8:71 server=defconf
add address=192.168.0.45 client-id=1:60:81:f9:72:77:d6 mac-address=
60:81:F9:72:77:D6 server=defconf
add address=192.168.0.30 client-id=1:74:d4:35:b:8b:ba mac-address=
74:D4:35:0B:8B:BA server=defconf
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.101.0/24 list=RDKits
add address=192.168.102.0/24 list=RDKits
add address=192.168.103.0/24 list=RDKits
add address=192.168.104.0/24 list=RDKits
add address=192.168.105.0/24 list=RDKits
add address=192.168.106.0/24 list=RDKits
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related hw-offload=yes
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=accept chain=forward comment=
"defconf: accept established,related, untracked" connection-state=
established,related,untracked
add action=accept chain=forward comment=TEST dst-address=192.168.101.0/24
src-address=192.168.0.0/24
add action=accept chain=forward comment=TEST dst-address=192.168.0.0/24
src-address=192.168.101.0/24
add action=accept chain=forward comment="Wireguard RDK's" dst-address-list=
RDKits in-interface=Wireguard src-address=192.168.0.0/24
add action=accept chain=input comment="iPad to RB4011 INPUT" dst-address=
192.168.0.0/24 in-interface=Wireguard
add action=accept chain=forward comment="Wireguard RDK's" dst-address=
192.168.0.0/24 in-interface=Wireguard src-address-list=RDKits
add action=accept chain=forward comment="Wireguard (Home to Office)"
dst-address=192.168.18.0/24 src-address=192.168.0.0/24
add action=accept chain=forward comment="Wireguard (Office to Home)"
dst-address=192.168.0.0/24 src-address=192.168.18.0/24
add action=accept chain=input comment="Allow router access across Wireguard"
in-interface=Wireguard src-address=192.168.18.0/24
add action=accept chain=input comment=Wireguard dst-port=13231 protocol=udp
src-port=""
add action=accept chain=forward comment="defconf: accept in ipsec policy"
ipsec-policy=in,ipsec
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept out ipsec policy"
ipsec-policy=out,ipsec
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN"
in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
add action=drop chain=forward comment=
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="drop brute forcers" dst-port=
21,22,23,3389,8728 protocol=tcp src-address-list=bruteforce_blacklist
add action=add-src-to-address-list address-list=bruteforce_blacklist
address-list-timeout=1w3d chain=forward connection-state=new dst-port=
21,22,23,3389,8728 protocol=tcp src-address-list=bruteforce_stage3
add action=add-src-to-address-list address-list=bruteforce_stage3
address-list-timeout=1m chain=forward connection-state=new dst-port=
21,22,23,3389,8728 protocol=tcp src-address-list=bruteforce_stage2
add action=add-src-to-address-list address-list=bruteforce_stage2
address-list-timeout=1m chain=forward connection-state=new dst-port=
21,22,23,3389,8728 protocol=tcp src-address-list=bruteforce_stage1
add action=add-src-to-address-list address-list=bruteforce_stage1
address-list-timeout=1m chain=forward connection-state=new dst-port=
21,22,23,3389,8728 protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.89.0/24 out-interface=
Wireguard
add action=masquerade chain=srcnat dst-address=192.168.100.0/24
out-interface=Wireguard
add action=masquerade chain=srcnat comment="defconf: masquerade"
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="NVR Rule" dst-port=8000
in-interface=ether1 protocol=tcp to-addresses=192.168.0.8 to-ports=8000
add action=dst-nat chain=dstnat comment=Helium dst-port=44158 in-interface=
ether1 protocol=tcp to-addresses=192.168.0.45 to-ports=44158
add action=dst-nat chain=dstnat comment="Mikrotik SSTP" dst-port=443
in-interface=ether1 protocol=tcp to-addresses=192.168.0.23 to-ports=443
add action=dst-nat chain=dstnat comment="3CX Presence and Provisioning HTTPS"
dst-port=5001 in-interface=ether1 protocol=tcp to-addresses=192.168.0.30
to-ports=5001
add action=dst-nat chain=dstnat comment="3CX SIP UDP" dst-port=5060
in-interface=ether1 protocol=udp to-addresses=192.168.0.30 to-ports=5060
add action=dst-nat chain=dstnat comment="3CX SIP TCP" dst-port=5060
in-interface=ether1 protocol=tcp to-addresses=192.168.0.30 to-ports=5060
add action=dst-nat chain=dstnat comment="3CX SIP TLS" dst-port=5061
in-interface=ether1 protocol=tcp to-addresses=192.168.0.30 to-ports=5061
add action=dst-nat chain=dstnat comment="3CX Tunnel TCP" dst-port=5090
in-interface=ether1 protocol=tcp to-addresses=192.168.0.30 to-ports=5090
add action=dst-nat chain=dstnat comment="3CX Tunnel UDP" dst-port=5090
in-interface=ether1 protocol=udp to-addresses=192.168.0.30 to-ports=5090
add action=dst-nat chain=dstnat comment="3CX Media UDP" dst-port=9000-10999
in-interface=ether1 protocol=udp to-addresses=192.168.0.30 to-ports=
9000-10999
add action=dst-nat chain=dstnat comment="NAS Rules" dst-port=
21,22,873,5000,5001,8080 in-interface=ether1 protocol=tcp to-addresses=
192.168.0.38
add action=dst-nat chain=dstnat comment="NAS Rules 2" dst-port=3478
in-interface=ether1 protocol=udp to-addresses=192.168.0.38
/ip firewall service-port
set sip disabled=yes
/ip ipsec identity
add peer=XXXXXXX
/ip ipsec policy
add disabled=yes dst-address=192.168.18.0/24 peer=XXXXXXX proposal=XXXXXXX
src-address=192.168.0.0/24 tunnel=yes
/ip route
add disabled=no distance=1 dst-address=192.168.89.0/24 gateway=Wireguard
pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no
target-scope=10
add disabled=no dst-address=192.168.100.0/24 gateway=Wireguard routing-table=
main suppress-hw-offload=no
add disabled=no distance=1 dst-address=192.168.90.0/24 gateway=Wireguard
pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no
target-scope=10
add disabled=no dst-address=192.168.18.0/24 gateway=Wireguard routing-table=
main suppress-hw-offload=no
add disabled=no dst-address=192.168.101.0/24 gateway=Wireguard routing-table=
main suppress-hw-offload=no
add disabled=no distance=1 dst-address=192.168.103.0/24 gateway=Wireguard
pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no
target-scope=10
add disabled=no dst-address=192.168.104.0/24 gateway=Wireguard routing-table=
main suppress-hw-offload=no
add disabled=no dst-address=192.168.106.0/24 gateway=Wireguard routing-table=
main suppress-hw-offload=no
/system clock
set time-zone-name=Europe/London
/system resource irq rps
set sfp-sfpplus1 disabled=no
/system scheduler
add interval=1h name=ChangeIP on-event="/system script run ChangeIP" policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
start-date=dec/18/2021 start-time=12:17:45
add disabled=yes interval=1d name="Port 9 OFF" on-event=
"/interface disable ether9" policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
start-date=jan/15/2023 start-time=00:01:00
add interval=1d name="Port 9 ON" on-event="/interface enable ether9" policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
start-date=jan/15/2023 start-time=06:00:00
/system script
add dont-require-permissions=no name=ChangeIP owner=admin policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#
_~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r
\n# EDIT YOUR DETAILS / CONFIGURATION HERE\r
\n# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r
\n:global ddnsuser "XXXXXXX"\r
\n:global ddnspass "XXXXXX"\r
\n:global ddnshost "XXXXXXXX"\r
\n:global ddnsinterface "ether1"\r
\n# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r
\n# END OF USER DEFINED CONFIGURATION\r
\n# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r
\n:global ddnssystem ("mt-" . [/system package get [/system package find
_name=system] version] )\r
\n:global ddnsip [ /ip address get [/ip address find interface=$ddnsinter
face] address ]\r
\n:global ddnslastip\r
\n\r
\n:if ([:len [/interface find name=$ddnsinterface]] = 0 ) do={ :log info
"DDNS: No interface named $ddnsinterface, please check configuration."
}\r
\n\r
\n:if ([ :typeof $ddnslastip ] = "nothing" ) do={ :global ddnslastip 0.
0.0.0/0 }\r
\n\r
\n:if ([ :typeof $ddnsip ] = "nothing" ) do={\r
\n\r
\n:log info ("DDNS: No ip address present on " . $ddnsinterface . ", p
lease check.")\r
\n\r
\n} else={\r
\n\r
\n:if ($ddnsip != $ddnslastip) do={\r
\n\r
\n:log info "DDNS: Sending UPDATE: $ddnsip!"\r
\n:log info [ :put [/tool dns-update name=$ddnshost address=[:pick $ddns
ip 0 [:find $ddnsip "/"] ] key-name=$ddnsuser key=$ddnspass ] ]\r
\n:global ddnslastip $ddnsip\r
\n\r
\n} else={\r
\n\r
\n:log info "DDNS: No changes necessary: $ddnsip."\r
\n\r
\n}\r
\n\r
\n}\r
\n\r
\n# END OF SCRIPT"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Router 2 is connected via LTE (CGNAT) so that's why I can't connect directly. I had this working with SSTP but wanted to swap to Wireguard for better performance.

feb/16/2023 19:33:04 by RouterOS 7.7

software id = YMY5-IEAP

model = RB951Ui-2HnD

serial number = XXXXXXXXXXX

/interface bridge
add admin-mac=E4:8D:8C:AB:30:DB auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX
country="united kingdom" disabled=no distance=indoors frequency=auto
mode=ap-bridge ssid=MRTWP1 station-roaming=enabled wireless-protocol=
802.11
/interface wireguard
add listen-port=13231 mtu=1420 name=Wireguard
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk group-ciphers=
tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik
unicast-ciphers=tkip,aes-ccm
/ip pool
add name=dhcp ranges=192.168.101.10-192.168.101.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=dhcp1
/interface sstp-client
add certificate=cert_export_CA.crt_0 connect-to=XXXXXXXXXXXXXXXXXXXX
http-proxy=0.0.0.0 name=MTRDK1 pfs=yes profile=default-encryption
tls-version=only-1.2 user=MTRDK1 verify-server-certificate=yes
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge hw=no ingress-filtering=no interface=ether1
add bridge=bridge ingress-filtering=no interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add interface=bridge list=LAN
add interface=lte1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=192.168.99.1/32,192.168.0.0/24 comment=MRTWP1
endpoint-address=XXXXXXXXXXXXXXXXXXXX endpoint-port=13231
interface=Wireguard persistent-keepalive=10s public-key=
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
/ip address
add address=192.168.101.1/24 interface=bridge network=192.168.101.0
add address=192.168.99.101 interface=Wireguard network=192.168.99.0
/ip dhcp-server network
add address=192.168.101.0/24 comment=defconf gateway=192.168.101.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.101.1 name=router.lan
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=
"defconf: accept established,related, untracked" connection-state=
established,related,untracked
add action=accept chain=forward comment="defconf: accept in ipsec policy"
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy"
ipsec-policy=out,ipsec
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=accept chain=input src-address=192.168.88.0/24
add action=accept chain=input src-address=10.0.0.0/24
add action=accept chain=input in-interface=Wireguard src-address=
192.168.0.0/24
add action=accept chain=input protocol=gre
add action=accept chain=input dst-port=13231 protocol=udp
add action=accept chain=forward comment="Wireguard MRTWP1" dst-address=
192.168.101.0/24 in-interface=Wireguard
add action=accept chain=forward comment="Wireguard MRTWP1" dst-address=
192.168.101.0/24
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN"
in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
add action=drop chain=forward comment=
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade"
ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no dst-address=192.168.88.0/24 gateway=MTRDK1
add disabled=no dst-address=192.168.0.0/24 gateway=Wireguard routing-table=
main suppress-hw-offload=no
/ppp secret
add local-address=192.168.100.2 name=test remote-address=192.168.100.1
service=pptp
/system clock
set time-zone-name=Europe/London
/system identity
set name=MTRDK1
/system routerboard settings
set silent-boot=yes
/system scheduler
add disabled=yes name=schedule1 on-event="system reboot" policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
start-date=apr/21/2020 start-time=06:00:00
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

In general one should focus on the big three.
A. Right Allowed IP rules
B. Right Firewall Rules
C. Right Routes

R1
(1) Peer settings error…
add allowed-address=192.168.99.3/32,192.168.0.0/24 comment="XXXXXXXXXXXXXXX"
endpoint-port=13231 interface=Wireguard public-key=
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"

This caught my eye because 192.168.0.0/24 is a LOCAL subnet on R1. Allowed addresses on a peer never include local addresses or subnets!!!

(2) Furthermore, I think this is the peer setting for your REMOTE WARRIOR laptop PC3. If that is the case then you simply need ( endpoint port not required etc.)
add allowed-address=192.168.99.3/32 comment="XXXXXXXXXXXXXXX" interface=Wireguard public-key=
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"

(3) These are fine as test rules but I prefer accuracy and clear definition of traffic (easy to read and understand).
add action=accept chain=forward comment=TEST dst-address=192.168.101.0/24
src-address=192.168.0.0/24
add action=accept chain=forward comment=TEST dst-address=192.168.0.0/24
src-address=192.168.101.0/24

add action=accept chain=forward out-interface=wireguard dst-address=192.168.101.0/24 src-address=192.168.0.0/24
add action=accept chain=forward in-interface=wireguard src-address=192.168.101.0/24 dst-address=192.168.0.0/24

(4) Here is what I do for RELAY traffic (in this case for PC3 to R2)…
add action=accept chain=forward in-interface=wireguard out-interface=wireguard

Therefore any PC3 traffic on its way to R1, exits the tunnel at R1 and is then sitting at something equivalent to the LAN level at the router, so it needs to re-enter the tunnel to go to R2.
This handles the return traffic as well, or the reverse scenario of R2 users to PC3.

In this case I don't need to set four rules in the relay, only ONE!

add chain=forward action=accept in-interface=wireguard src-address=192.168.99.3
add chain=forward action=accept out-interface=wireguard dst-address=192.168.101.0/24 src-address=192.168.99.3
add chain=forward action=accept in-interface=wireguard src-address=192.168.101.0/24
add chain=forward action=accept out-interface=wireguard dst-address=192.168.99.2 src-address=192.168.101.0/24

The rule may appear to be a bit loosey goosey but I rely upon the firewall rules where appropriate to allow/refine traffic, and thus why I insist upon clearly defined rules where it makes sense… aka before actually hitting the LAN devices (end point).

(5) Firewall rules are not complete and not in order so that needs to be cleaned up!!

(6) Drop all the brute force crap that has nothing to do with traffic you need to support.

(7) The only time one needs to masquerade traffic normally is if one is passing many users to a third party VPN vendor which is only expecting the single IP it provided you with.
Other times people are lazy but if you have control over both ends of the tunnel R1 and R2, one should use Allowed IPs to delineate allowed traffic.

Be that as it may, sometimes there are logical reasons to apply such rules. Just looking for your logic for these two…
One for the fact I don't see these subnets identified anywhere…
/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.89.0/24 out-interface=Wireguard
add action=masquerade chain=srcnat dst-address=192.168.100.0/24 out-interface=Wireguard

R2

(8) Allowed IPs, change to:
/interface wireguard peers
add allowed-address=192.168.99.0/24,192.168.0.0/24 comment=MRTWP1
endpoint-address=XXXXXXXXXXXXXXXXXXXX endpoint-port=13231
interface=Wireguard persistent-keepalive=10s public-key=\

(9) IP addresses, change to:
/ip address
add address=192.168.101.1/24 interface=bridge network=192.168.101.0
add address=192.168.99.101/24 interface=Wireguard network=192.168.99.0

(10) These input chain rules make no sense to me as they are not identified anywhere on R2??

add action=accept chain=input src-address=192.168.88.0/24
add action=accept chain=input src-address=10.0.0.0/24

(11) Why do you have this rule, R2 is not capable of hosting…assuming CGNAT etc…
add action=accept chain=input dst-port=13231 protocol=udp

(12) This rule is really weak
add action=accept chain=forward comment="Wireguard MRTWP1" dst-address=
192.168.101.0/24

Do you really want everybody to be able to access the subnet…
So either refine it at this end:
Clearly you want 192.168.0.0 to do so, and 192.168.99.3 so put those in a firewall address list ALLOWED for example.
add action=accept chain=forward in-interface=Wireguard src-address-list=ALLOWED dst-address=192.168.101.0/24
OR
refine who can enter the tunnel heading for R2 on R1 rules…one or the other, I always find it easier at the end point…

(13) It also appears you have duplicate rules… one with and one without the wireguard interface…

add action=accept chain=forward comment="Wireguard MRTWP1" dst-address=
192.168.101.0/24 in-interface=Wireguard
add action=accept chain=forward comment="Wireguard MRTWP1" dst-address=
192.168.101.0/24

(14) same need to cleanup firewall rules…

Thanks Anav,

After reading that a few times I understand it a bit more.
That all makes sense; the point which I think makes more sense to me now is the relay one.

(4) Here is what I do for RELAY traffic ( in this case for PC3 to R2…
add action=accept chain=forward in-interface=wireguard out-interface=wireguard

I hadn’t thought of it as two separate tunnels with a LAN level in the middle and having wireguard in and wireguard out in the same rule. Tweaked the settings you mentioned and as soon as this one went in it started working as intended!

Yes, it's hard to bend the head around that one but it seems to work well.

What is key is handling any whole subnets involved in relay, because IP routes are never an issue for roadwarriors with Wireguard IPs, which have automated routes created on the routers due to the IP address. The key for road warriors (single IPs) is that they put the subnet of the wireguard network down and not the single IP of the server router when creating the peer to the server Router (R1)… in the case when one isn't using 0.0.0.0/0.
Thus on the R1, since you have traffic coming in from somewhere (in this case road warrior) to a destination or subnet that is not local to R1, we need a path or route to that destination. Coincidentally this path or route may also be required for local users on R1 also wanting to get to R2. Finally, we need the route for the case where remote users from R2 have visited R1 and the router needs to know where to send their return traffic.
Thus potentially multiple reasons for the IP route on R1 --> add dst-address=192.168.101.0/24 gwy=Wireguard table = main.

Follow the bouncing ball…
OUT FROM PC
1 - allowed IPs on PC3 include (not sure but guessing), 192.168.99.0/24,192.168.101.0/24
(comment: This allows pinging of any wireguard device for testing purposes, also to reach subnet .101, if for example you needed to reach 0.0 then you would have a third 192.168.0.0/24)
(if you also wanted to be able to reach the internet of R1, or R2 then you would use one address of 0.0.0.0/0 for everything)

2 - Your PC firewall may have to be manipulated to allow traffic to head out to the internet on port 13321 to initiate a handshake, but other than that no firewall considerations on the remote client. etc…

3 - No routing required in this case as its only standard internet out the wifi, the wire or the wireless to a local provider.

AT PC3

  1. The first traffic packets heading out the door cause the wireguard tunnel to fire up (unless you fire it up manually like on my phone); the tunnel is established.
  2. The list of allowed IPs is used to match and select the right peer with the destination IP in the traffic. In this case there is only one peer and the destination is 192.168.101.XX. Thus on the PC3 one should have allowed IPs=192.168.99.0/24,192.168.101.0/24 (and possibly 192.168.0.0/24) or maybe even 0.0.0.0/0

AT R1

  3. First, the wireguard processing is applied: TO EXIT the tunnel to reach the other local interfaces on the router, the allowed IPs are filtered, aka must include the PC3 peer with source address of 192.168.99.3.
  4. Next consider the firewall rules: TO reach any destination noted on the traffic (traffic is just sitting there at the moment at the mouth of the tunnel) it has to be allowed via firewall rules.
    So we need a rule that says okay we let this traffic go to the LAN for example (forward chain), or to the router for config (input chain).
    That's great to reach local LAN 192.168.0.0/24, but the destination is for a LAN subnet not on the local router but on the remote router.
    So the destination traffic has to go back into the tunnel. Another forward chain rule is required to allow that.
    The relay rule does both; it says we allow wireguard traffic to exit the tunnel and re-enter the tunnel (clearly not useful for remote traffic headed for local traffic).

Let me be clear, once the original traffic from PC3 exits the tunnel at R1, it is no longer considered PC3 traffic. It is now local traffic and thus we have to let it back into the tunnel like other local subnet traffic.
Further, a nuance, since it's “now local” it is considered not to require special routing or special wireguard routing in terms of the R1 to R2 peer to peer tunnelling. It would follow the same process as any other local traffic at R1. Thus its destination address should be on the allowed IPs of the R2 peer found on R1 (aka R2 peer on R1 must have 192.168.101.0/24 as an allowed IP); similarly there must be a route on R1 telling the router where to send traffic destined for 192.168.101.0/24.
To summarize, PC3 traffic is now treated like local traffic such as 192.168.0.0/24 trying to reach 192.168.101.0/24 on R2.

There is a difference to note at R2: at R2 we don't need a route for PC3 (autocreated) whereas we would need a route on R2 for return traffic back into the tunnel to R1 if the traffic originated from 192.168.0.0/24 users.

  1. The second piece of the puzzle at R1 is the routing…
    The traffic exits the tunnel, because it meets the wireguard filtering (R1 peer for PC3 contains the source address of PC3) and the router knows the destination is not local and due to the route provided it knows aha, for 192.168.101.10/24 I need to push traffic out the wireguard tunnel. So the traffic is turned around and pointed back into the tunnel.
  2. The final piece of the puzzle is the Wireguard Processing when going back into the tunnel… the destination address is matched against all peers starting at the top of the list of peers, until it finds a match and says oh yeah I know that address is on the list and it's supposed to go to my R2 peer. (now you know why duplicate addresses on different peers is a no no)
  3. Thus the traffic heads out the tunnel to the correct peer and then arrives at R2.
  4. At R2, it says okay before I let this traffic exit the tunnel is it on the list of allowed IPs from my R1 peer (filtering)… (that is why it's critical to have 192.168.99.0/24, and not just 192.168.99.1/32 of R1, on the allowed peers for R1 at R2)
  5. Then R2 checks is there a firewall rule allowing this traffic to reach its destination of 192.168.101.XX. The answer is yes and traffic reaches the destination.
  6. Then the LAN provides the answer to the query and sends traffic back to PC3. Does R2 know the route back to use… yes, due to the allowed IP it matches 192.168.99.0/24 on a peer and that is to peer R1. Now if it was returning 192.168.0.X traffic we would need to provide a route for that traffic.

Return traffic is not discussed.
So all in all one should get the sense of
Traffic leaving
needs to be allowed to enter the tunnel (fw rule)
needs an IP route so the router knows to send it out the tunnel
needs to match and select the right peer to send the traffic to ( destination address is identified as an allowed IP on a specific peer )
Traffic arriving
needs to be filtered by wireguard first (the incoming remote source address is on the allowed IPs for that specific incoming peer's traffic)
needs to be allowed to exit the tunnel (fw)
needs a route ( normally applies to the return traffic )

One thing should be realized: creating routes for traffic (like subnets) more often than not has a twofold purpose… to direct a subnet into a tunnel or to direct return traffic back into a tunnel.
In other words anytime there is a non-local subnet in the mix a route is needed.

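As an added illustration (not MikroTik code and not written by anyone in this thread), the Python model below walks a packet through the checks Anav lists for the hub: allowed-address filtering on the way in, the route lookup, the forward chain (with and without the in=Wireguard/out=Wireguard relay rule), and allowed-address peer selection on the way back into the tunnel, then repeats the arrival check at R2 with a /32 versus the whole 192.168.99.0/24 for the R1 peer. It assumes a forward chain that drops anything not explicitly accepted, and uses the thread's addresses (PC3 = 192.168.99.3, R1 LAN 192.168.0.0/24, R2 LAN 192.168.101.0/24, R2 peer comment MRTWP1); the host addresses .20 and .50 are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass
class Peer:
    name: str
    allowed: tuple[IPv4Network, ...]   # the peer's allowed-address list


@dataclass
class Rule:
    """One forward-chain accept rule; None means 'any' for that matcher."""
    in_iface: str | None = None
    out_iface: str | None = None
    src: IPv4Network | None = None
    dst: IPv4Network | None = None

    def matches(self, in_iface: str, out_iface: str, src: IPv4Address, dst: IPv4Address) -> bool:
        return ((self.in_iface is None or self.in_iface == in_iface)
                and (self.out_iface is None or self.out_iface == out_iface)
                and (self.src is None or src in self.src)
                and (self.dst is None or dst in self.dst))


@dataclass
class Router:
    name: str
    connected: dict[str, IPv4Network]   # interface -> directly attached subnet
    routes: dict[IPv4Network, str]      # static routes: dst -> gateway interface
    peers: dict[str, Peer]              # WireGuard peers, keyed by comment
    accept_rules: list[Rule]            # assumption: unmatched forward traffic is dropped

    def route(self, dst: IPv4Address) -> str | None:
        """Longest-prefix match over connected subnets and static routes."""
        cands = [(n, i) for i, n in self.connected.items() if dst in n]
        cands += [(n, i) for n, i in self.routes.items() if dst in n]
        return max(cands, key=lambda c: c[0].prefixlen)[1] if cands else None

    def select_peer(self, dst: IPv4Address) -> str | None:
        """Outbound cryptokey routing: the peer whose allowed list covers dst."""
        best = None
        for p in self.peers.values():
            for net in p.allowed:
                if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                    best = (net, p.name)
        return best[1] if best else None

    def handle(self, from_peer: str, src: str, dst: str) -> str:
        """Walk one packet that arrived over WireGuard from peer `from_peer`."""
        s, d = ip_address(src), ip_address(dst)
        # 1. Inbound allowed-address filtering: the source must be on that peer's list,
        #    otherwise WireGuard discards the packet before the firewall ever sees it.
        if not any(s in n for n in self.peers[from_peer].allowed):
            return "drop:wg-ingress"
        # 2. Route lookup decides the out-interface: local LAN, or back into the tunnel.
        out = self.route(d)
        if out is None:
            return "drop:no-route"
        # 3. Forward chain: the relay rule from the thread is in=Wireguard, out=Wireguard.
        if not any(r.matches("Wireguard", out, s, d) for r in self.accept_rules):
            return "drop:firewall"
        # 4. Re-entering the tunnel: pick the peer whose allowed-address covers dst.
        if out == "Wireguard":
            peer = self.select_peer(d)
            return f"relay:{peer}" if peer else "drop:no-peer"
        return f"deliver:{out}"


N = ip_network
RELAY_RULE = Rule(in_iface="Wireguard", out_iface="Wireguard")


def build_r1(with_relay: bool) -> Router:
    """Hub from the thread: LAN 192.168.0.0/24, PC3 and R2 (MRTWP1) as peers."""
    rules = [Rule(in_iface="Wireguard", src=N("192.168.99.3/32"), dst=N("192.168.0.0/24"))]
    return Router("R1",
                  connected={"bridge": N("192.168.0.0/24"), "Wireguard": N("192.168.99.0/24")},
                  routes={N("192.168.101.0/24"): "Wireguard"},
                  peers={"PC3": Peer("PC3", (N("192.168.99.3/32"),)),
                         "MRTWP1": Peer("MRTWP1", (N("192.168.99.101/32"), N("192.168.101.0/24")))},
                  accept_rules=rules + ([RELAY_RULE] if with_relay else []))


def build_r2(hub_allowed: list[str]) -> Router:
    """Spoke: LAN 192.168.101.0/24, a single peer R1 with the given allowed-address list."""
    return Router("R2",
                  connected={"bridge": N("192.168.101.0/24"), "Wireguard": N("192.168.99.0/24")},
                  routes={N("192.168.0.0/24"): "Wireguard"},
                  peers={"R1": Peer("R1", tuple(N(a) for a in hub_allowed))},
                  accept_rules=[Rule(in_iface="Wireguard", dst=N("192.168.101.0/24"))])


if __name__ == "__main__":
    # PC3 to a host on R2's LAN, without and with the relay rule on R1
    print(build_r1(False).handle("PC3", "192.168.99.3", "192.168.101.20"))   # drop:firewall
    print(build_r1(True).handle("PC3", "192.168.99.3", "192.168.101.20"))    # relay:MRTWP1
    # The same packet arriving at R2: /32 of R1 only, versus the whole 192.168.99.0/24
    print(build_r2(["192.168.99.1/32", "192.168.0.0/24"]).handle("R1", "192.168.99.3", "192.168.101.20"))
    print(build_r2(["192.168.99.0/24", "192.168.0.0/24"]).handle("R1", "192.168.99.3", "192.168.101.20"))
```

The same single relay rule also carries the reverse direction (R2 LAN to PC3 arriving from the MRTWP1 peer), which is what the thread means by the one rule handling return traffic.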