Config:
# jun/23/2021 00:56:54 by RouterOS 7.1beta6
# software id = 4ZPU-G4YK
#
# model = RB960PGS
# serial number = <redacted>
# Single bridge for the whole device; auto-mac is off and a fixed admin MAC is set.
/interface bridge
add admin-mac=08:<redacted>:C1 auto-mac=no comment=defconf name=bridgeLocal
# ether2 is renamed ipcam1 and powers the camera (PoE forced on, priority 1);
# ether1 is renamed uplink.
/interface ethernet
set [ find default-name=ether2 ] name=ipcam1 poe-out=forced-on poe-priority=1
set [ find default-name=ether1 ] name=uplink
# WireGuard interface "localnet", listening on port 13231.
# The private key is redacted here and must stay that way: an export that still
# contains it is a secret. NOTE(review): if an unredacted export was ever shared,
# regenerate the key pair and update the peer.
/interface wireguard
add listen-port=13231 mtu=1420 name=localnet private-key="<redacted>"
# WAN and LAN interface lists. No firewall or NAT rule visible in this export
# refers to either list, so as shown they are labels only.
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Routing table with an empty name.
# NOTE(review): looks like an artifact of the 7.1beta6 export; confirm it is not needed.
/routing table
add fib name=""
# Policy of the "full" group: it allows login over telnet, ssh, ftp, winbox, web,
# api, rest-api and romon, plus the sensitive and policy rights. Which accounts are
# in the group is not shown here.
# NOTE(review): if some of these access methods are unused, disable the matching
# services under /ip service instead of relying on the group policy alone.
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,\
romon,dude,tikapp,rest-api"
# Every physical port, including uplink, is a member of bridgeLocal, so the uplink
# network and the camera share one layer-2 segment.
# NOTE(review): traffic between bridge ports is presumably switched without passing
# the IP firewall forward chain; the WAN/LAN split below gives no isolation between
# these ports. Confirm that is intended.
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=uplink
add bridge=bridgeLocal comment=defconf interface=ipcam1
add bridge=bridgeLocal comment=defconf interface=ether3
add bridge=bridgeLocal comment=defconf interface=ether4
add bridge=bridgeLocal comment=defconf interface=ether5
add bridge=bridgeLocal comment=defconf interface=sfp1
# Neighbor discovery runs on every interface that is not in the "dynamic" list.
# NOTE(review): that appears to include uplink and the WireGuard interface, where
# the device would announce its identity and version; consider limiting it to LAN.
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
# IPv6 is switched off entirely.
/ipv6 settings
set disable-ipv6=yes
# uplink is tagged WAN; all other physical ports are tagged LAN.
/interface list member
add interface=uplink list=WAN
add interface=ipcam1 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=sfp1 list=LAN
# One WireGuard peer on "localnet": allowed tunnel addresses are 10.0.0.0/24, the
# endpoint is redacted, and a keepalive is sent every 5 minutes.
# NOTE(review): 5m is longer than many NAT devices keep a UDP mapping; if either
# side is behind NAT a much shorter interval is usually needed. Confirm.
/interface wireguard peers
add allowed-address=10.0.0.0/24 endpoint-address=<redacted> endpoint-port=61951 interface=\
localnet persistent-keepalive=5m public-key="<redacted>"
# The tunnel interface gets address 10.0.0.0/24 with network 10.0.0.0, i.e. the
# host address equals the network address.
# NOTE(review): the router presumably needs its own distinct host address in this
# /24 (the post gives 10.0.0.1 to the Ubuntu peer). Confirm the intended value.
/ip address
add address=10.0.0.0/24 interface=localnet network=10.0.0.0
# The router obtains its own LAN address via DHCP on the bridge.
/ip dhcp-client
add comment=defconf disabled=no interface=bridgeLocal
# DHCP relay towards 192.168.8.1, bound to uplink.
# NOTE(review): uplink is a bridge port, so DHCP broadcasts presumably already
# cross the bridge without a relay; confirm this entry is needed.
/ip dhcp-relay
add dhcp-server=192.168.8.1 interface=uplink name="Router main"
# The whole filter table is two accept rules in the forward chain, one for each
# direction between 192.168.8.0/24 and 10.0.0.0/24. There is no drop rule and no
# input-chain rule in this export.
# NOTE(review): with no drop rule the default action is accept, so these two rules
# restrict nothing, and the router's own services are reachable from every
# interface, tunnel and uplink included. An input chain that accepts
# established/related traffic, the WireGuard port and management from trusted
# sources, then drops the rest, is the usual baseline. Confirm against access needs.
# NOTE(review): for the ping problem described below, the camera presumably sends
# its replies to its own default gateway rather than to this device, because this
# device is only a bridge on that LAN. A route for 10.0.0.0/24 on that gateway, or
# src-nat of tunnel traffic on this device, would be the usual remedies. Verify.
/ip firewall filter
add action=accept chain=forward dst-address=10.0.0.0/24 src-address=192.168.8.0/24
add action=accept chain=forward dst-address=192.168.8.0/24 src-address=10.0.0.0/24
# Disabled port forward: TCP 8000 arriving on the WireGuard interface would be sent
# to the camera at 192.168.8.109 port 80.
# NOTE(review): port 80 suggests plain HTTP to the camera; if enabled, keep the
# in-interface match so the forward is only reachable through the tunnel.
/ip firewall nat
add action=dst-nat chain=dstnat comment=IPcam disabled=yes dst-port=8000 in-interface=localnet protocol=tcp \
to-addresses=192.168.8.109 to-ports=80
# Static route for 10.0.0.0/24 via the WireGuard interface.
# NOTE(review): the /ip address entry on localnet presumably already creates a
# connected route for the same prefix; confirm this one is needed.
/ip route
add disabled=no dst-address=10.0.0.0/24 gateway=localnet routing-table=main suppress-hw-offload=no
/system clock
set time-zone-name=<redacted>
/system identity
set name=poe-managed
Diagram:
The Ubuntu system (10.0.0.1), which is a WireGuard peer and acts as the WireGuard "server", is unable to ping the IP camera.
MikroTik Torch shows that the ICMP echo requests do reach the IP camera (`192.168.8.109`), but the replies from the camera back to `10.0.0.1`,
although also visible in Torch, are not routed back, so the pings time out:
Screenshot 2021-06-23 013858.png
(Torch on eth `ipcam`)