Hi,
I have a raspberry pi setup with pivpn which uses wireguard.
I have pi on static ip address which is 192.168.88.5 and my router is connected to my ISP issued modem which is on 192.168.0.1,
the router is on 192.168.0.14 if this can help somehow. I used this command to setup portforwarding but I can't connect to vpn when I am outside the network.
178.148.*.* is my public ip address
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=\
127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=\
established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=\
!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=178.148.*.* dst-port=51820 protocol=udp to-addresses=\
192.168.88.5 to-ports=51820

Please use this for code. Helps if you want to receive help faster:

I have few questions:

• Why would you need Mikrotik router for your setup in the first place?
• You are using modem, which means you don't have public IP (aka "direct access"), right?
• Why is your Mikrotik router (I assume it hosts DHCP server) on the same LAN?
• Why are you opening ports in Mikrotik router, if your internet-facing router is ISP's modem?

I suggest learning a bit more about networking before setting up such rules.

If you decide to replace ISP's modem with Mikrotik router, then It's incredibly easy to accidentally expose yourself to the internet without any firewall and get malware automatically installed within minutes/hours if you don't understand how to properly secure Mikrotik router. In such case I suggest keeping all the default configuration and add your needed rules on top of it.

Does the router itself have 178.148.x.x? If it doesn't, then dst-address=178.148.x.x in dstnat rule won't work for connections from outside. The correct one would be dst-address=192.168.0.14 (the address on router's WAN port) and you have to also forward port from modem to it (assuming that you have access to modem and it has that public IP address, which is not guaranteed).

Thanks for replying and sorry for not putting the code correctly, I have never posted something before so I didn't know how to do that. Thank you for the explanation. I managed to set it up after I had setup portforwarding on my modem. I watched couple of tutorials and no one mentioned that, that's why I was confused. Also you were right, I had to set my dst-address to 192.168.0.14. I am putting it here so if anyone else has the problem that I did can look it up here. Once again thanks for your replies.