I just updated 951G-2HnD to FW 7.1.1 at home and at work. I am using ipsec site2site vpn. Works fine. I would like to change to wireguard. I followed many instructions, videos etc.
But I stucked in situation that WG connection between home and office works, I am able to ping from home mikrotik to office mikrotik and every computer in office's lan. Vice versa, from office mikrotik I am able to ping to home mikrotik and all computers in home's lan. That's fine.
I am able to ping from home computer to office mikrotik wg inteface 192.168.100.2, but not to any computer in lan. From office computer, I am able to ping my home microtik 192.168.100.1, but nothing else.
If I tried to ping from office 192.168.1.2 to home 192.168.10.63, I saw that packets in office mikrotik in prerouting mangle, but that's all.
Of course I have created appropriate static routes. When I remove them, ping from mikrotik stop working, so I assume, routing table is ok.
At work I am using fasttrack, but even when I disabled it, ping not working.
I tried to setup some forward rules, but no luck, I saw only packets when I am pinging from mikrotiks, not when I am pinging from LAN.

Any advice would be appreciated.

Thanks.

Any advice would be appreciated.

Any useful advice can only be given if you follow the advice in my automatic signature below. There are too many things that may be the cause to list them all. Too many/too few firewall rules and/or missing subnets in peers' allowed-address are the most likely ones.

I understand, but I am dealing with specific "small part" problem. On the other hand, all my configs are very huge.
This instructions seems pretty easy to me https://help.mikrotik.com/docs/display/ROS/WireGuard
Rather than posting all my configs, I created a diagram.
Subnets are not missing in peers' allowed-address. If I deleted LAN sunbets, ping stop working from mikrotik.
I don't understand why it's working from mikrotiks and not LAN.
I am unable to catch packets, except mangle prerouting.

The problem with configs is that if the error was where you expect it, you would be able to find it. So I don't ask for config to understand the topology but to look for presumably unrelated items of the configuration that actually cause the unexpected behaviour.

As you say you previously used IPsec, would it be possible that you've got static IPsec policies and you've disabled only peers and/or identities but not the policies themselves? The thing is that enabled policies intercept packets even if their linked security associations (tunnels) are down.

UR the GOD !!!

That was exactly my problem. I don't expected that ipsec policies will be "eating" my packets, when I disabled peer and peer is not established.
Ipsec policies were the same as new added routes and allowed-address in wireguard.

This kick was exactly I hardly needed.

Many many thanks.

hi tlamik,

Do you see speed and latency improvement with Wireguard vs Ipsec?

I tesed it myself and seems maybe a little faster, I am waiting for my colleagues what they will say about speed and latency and will be report here.

edit: winscp copy of iso file over WG seems to twice faster than copy over ipsec. The same is copy of iso file over smb windows share.
edit: when I disable WG site2site and connect directly from my win laptop over WG client, the speed si a little bit faster then site2site.