WireGuard Connectivity

Have some issues with connecting to WireGuard on my L009UiGS router…

Wireguard only connects when I disable the “Block all not from !LAN” which is at the bottom

I have already placed the chain input rule for the WireGuard ports at the top, but once I enable the “block all not from LAN” rule I can no longer connect…

What seems to be the issue?

Two likely reasons:

  • Your rule is simply wrong.
  • You can connect, it’s just that traffic through your tunnel is blocked. The typical solution to this is to add the wireguard interface to the LAN list.

Please share your config, especially the firewall part:

/ip firewall export

Sounds like you haven’t added the firewall rule:
/ip firewall filter add action=accept chain=input comment="allow WireGuard" dst-port=13231 protocol=udp place-before=1

I have it. It works as soon as I add it; once I reboot my router it doesn’t.

firewall rule

/ip firewall address-list
add address=10.10.20.0/27 list="VLAN 20"
add address=10.10.30.0/27 list="VLAN 30"
add address=10.10.40.0/27 list="VLAN 40"
/ip firewall filter
add action=accept chain=input comment="WireGuard Allow from WAN" connection-state=established,related,new dst-port=13231,51820 in-interface-list=WAN protocol=udp
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN log=yes log-prefix="DROP NOT LAN"
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat
add action=masquerade chain=srcnat src-address=192.168.88.0/24

Remove the connection-state and the in-interface-list in the Wireguard rule.

Can you also add:

/interface wireguard export
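The two fixes suggested in this thread (an input-chain accept for the WireGuard port that does not depend on connection-state or the WAN list, and putting the tunnel interface into the LAN list so traffic through the tunnel is treated as LAN) as one added RouterOS example; this is not from the thread or from MikroTik's defaults. It assumes the interface is named wireguard1 listening on UDP/13231 and that the LAN and WAN interface lists exist as in the default configuration.

```routeros
# Added example, not part of the thread. Assumes wireguard1 on UDP/13231
# and the default-configuration interface lists LAN and WAN.

# 1. Accept the WireGuard handshake on the input chain. No connection-state
#    and no in-interface-list: the first packet of a handshake is "new" and
#    must match regardless of which list the PPPoE interface is in.
#    place-before=0 puts the rule at the very top, so it is evaluated before
#    "defconf: drop all not coming from LAN".
/ip firewall filter
add action=accept chain=input comment="allow WireGuard" dst-port=13231 protocol=udp place-before=0

# 2. Treat the tunnel as LAN. Packets arriving through wireguard1 are then
#    matched by the LAN-only rules (router access, DNS, forwarding to home
#    devices) instead of hitting the !LAN drop.
/interface list member
add interface=wireguard1 list=LAN

# 3. Check the result: the accept rule must print with a lower number than
#    the "drop all not coming from LAN" rule.
/ip firewall filter print where chain=input

# 4. Check list membership: the PPPoE interface should be in WAN and the
#    tunnel in LAN. Lists are not included in "/ip firewall export", which is
#    why this has to be verified separately.
/interface list member print
```

If the accept rule already exists lower in the list, reorder it with `/ip firewall filter move` instead of adding a duplicate; the point is only that an accept for the handshake port precedes any drop that matches the same packet.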

I have removed the connection state.

/interface wireguard
add comment=back-to-home-vpn listen-port=13098 mtu=1420 name=back-to-home-vpn
add listen-port=13231 mtu=1420 name=wireguard1
/interface wireguard peers
add allowed-address=192.168.88.2/32 interface=wireguard1 public-key="xxx="
add allowed-address=192.168.216.3/32,fc00:0:0:216::3/128 client-address=192.168.216.3/32,fc00:0:0:216::3/128 client-dns=192.168.216.1 client-endpoint=xxx.vpn.mynetname.net client-keepalive=30s comment="MikroTik_L009UiGS | L009UiGS | Google Pixel 9 Pro XL" interface=back-to-home-vpn persistent-keepalive=30s private-key="xxx=" public-key="xxx="

Are you running both WireGuard as the back-to-home option and as the manually added version? Why do you have port 51820 open in your firewall (it is not used by WireGuard according to your configuration)?

What endpoint are you using on the device for connecting to home? Do you test it from outside?

As indicated, you have to provide much more detail on your requirements for WireGuard.
Identify all users and the traffic they need.
Do you have a public IP address?
How many WireGuard interfaces are you using?

I am using it for remote access… Back to home I use on my smartphone… The WireGuard is for my laptop, when I am away from home… I have only one WireGuard interface… As soon as I disable the Block all from LAN rule, WireGuard works perfectly… But I don’t want to disable this rule.

You failed to answer the important question. Do you have a public IP address on the MT router, or can you port forward from an ISP modem/router that gets a public IP?

So far you are the only user and use wg on two devices when remote from home to
a. connect to home devices?
b. to connect to router for config purpose?
c. to access internet of home??

My modem is in bridged mode… I have PPPoE and I can use the IP cloud domain name to access… I remote VPN to my home to access the PC or devices on my network…

The “Block from LAN” rule is at the bottom… But still wg can’t connect when this rule is enabled… Already added wg to the LAN interface… Same issue…

Try enabling logging for this “Block from LAN” rule and see what is being dropped.

Your exports above don’t show this rule. Something else must be also missing since you say one thing, but the config is saying a different thing. If you block all traffic from LAN, where do you allow it? The usual approach is to allow what you need and drop everything else. I don’t see anything allowed. The firewall lists are not shown in the firewall rules either.
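An added set of RouterOS checks for the two suggestions above (watch what the logged drop rule is actually dropping, and verify that the configuration really contains what is being described); these commands are not from the thread. They assume the drop rule keeps log=yes log-prefix="DROP NOT LAN" as in the export, the accept rule is commented "allow WireGuard", and the tunnel interface is wireguard1 on UDP/13231.

```routeros
# Added example, not part of the thread. Assumes the drop rule logs with
# prefix "DROP NOT LAN", the accept rule is commented "allow WireGuard",
# and the tunnel is wireguard1 on UDP/13231.

# Zero the counters, then attempt a connection from outside. If the
# "allow WireGuard" counter stays at 0 while "drop all not coming from LAN"
# increases, the handshake packet is reaching the drop rule: the accept is
# either below it or its matchers do not fit the packet.
/ip firewall filter reset-counters-all
/ip firewall filter print stats where chain=input

# The logged drops show in-interface, protocol and src/dst address:port.
# A dropped packet to :13231/udp is the handshake itself; a dropped packet
# arriving on wireguard1 means the tunnel is not in the LAN list.
/log print where message~"DROP NOT LAN"

# Interface lists are not part of "/ip firewall export"; confirm them here.
/interface list member print where list=LAN

# A completed handshake shows a recent last-handshake and non-zero rx/tx
# on the peer. If this is fine but nothing else works, the problem is in
# the forward chain or routing, not in the input-chain drop.
/interface wireguard peers print detail
```

Reading counters and log lines together separates the two cases from the first reply: a handshake that never completes (input chain, port/order problem) from a tunnel that comes up but carries no traffic (interface not treated as LAN, or forward-chain rules).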