I planned to set up an RB951 at my workplace so that I could connect a server to the router over Ethernet, other local clients could use Ethernet and Wi-Fi, and remote users could connect to the network through a WireGuard VPN and access the server.
I used the documentation at https://help.mikrotik.com/docs/display/ ... figuration for the local connections and it simply works,
and https://help.mikrotik.com/docs/display/ROS/WireGuard to access the network over the internet, but I can't connect to the server.
here is my router config
# 2024-05-10 12:04:49 by RouterOS 7.12.1
# software id = 514M-UAVZ
#
# model = RB951Ui-2HnD
# serial number = **
# NOTE(review): the "/interface bridge" menu line that precedes this "add name=local"
# in a normal export is missing from the paste (ether2 and wlan1 are added to bridge
# "local" further down), so as pasted this line has no menu context.
add name=local
# WireGuard server interface; the listen port is what the "allow WireGuard" input rule opens.
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
# Wi-Fi security profile "myProfile" (WPA2-PSK), used by wlan1 below.
# No pre-shared key appears in the paste, so its strength cannot be reviewed here.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=myProfile \
supplicant-identity=MikroTik
# wlan1 runs as an access point (ap-bridge) and is a member of bridge "local" below; SSID redacted.
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
country=iran disabled=no distance=indoors mode=ap-bridge security-profile=\
myProfile ssid=*** wireless-protocol=802.11
# LAN DHCP pool. NOTE(review): the range ends at .254, which is also the dst-nat
# target for the RDP server below; unless the server has a static address or a
# static lease (neither is in this export), the pool could give .254 to another
# host and the port-forward would point at the wrong machine. TODO confirm.
/ip pool
add name=dhcp_pool0 ranges=192.168.88.2-192.168.88.254
# DHCP server bound to the LAN bridge.
/ip dhcp-server
add address-pool=dhcp_pool0 interface=local name=dhcp1
# LAN bridge members: wired clients/server on ether2, Wi-Fi clients on wlan1.
/interface bridge port
add bridge=local interface=ether2
add bridge=local interface=wlan1
# Single WireGuard peer (public key redacted).
# NOTE(review): allowed-address=192.168.100.2/24 lets this one peer send from any
# 192.168.100.x source; for a single client the usual entry is 192.168.100.2/32
# (one allowed-address per peer). Whether the remote client can reach the LAN
# also depends on the client-side AllowedIPs, which are not in this export —
# TODO confirm they include 192.168.88.0/24, not just the tunnel subnet.
/interface wireguard peers
add allowed-address=192.168.100.2/24 interface=wireguard1 public-key=\
***
# Router addresses: LAN gateway on the bridge, tunnel endpoint on wireguard1.
/ip address
add address=192.168.88.1/24 interface=local network=192.168.88.0
add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0
# ether1 is the WAN uplink; its address comes from the upstream DHCP server.
/ip dhcp-client
add interface=ether1
# Options handed to LAN clients: the router as gateway, Google DNS directly
# (so LAN clients do not go through the router's own resolver).
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.88.1
# The router answers DNS queries from non-local sources.
# NOTE(review): combined with the input chain below, which has no terminating drop,
# the resolver is reachable from ether1 (the WAN) as well as from the LAN/VPN;
# a drop for UDP/TCP 53 with in-interface=ether1 is the usual mitigation unless
# serving DNS to the internet is intended.
/ip dns
set allow-remote-requests=yes
# Input chain = traffic addressed to the router itself.
# NOTE(review): there is no final drop rule, so whatever the rules below do not
# match is accepted by RouterOS' default policy; the per-service accepts for
# ether1 (ICMP, winbox 8291, 3389) therefore do not limit anything — every router
# service is currently reachable from the WAN. A closing rule such as
# `add action=drop chain=input in-interface=ether1` (after the accepts the WAN
# needs) is what makes these rules meaningful. Also note there are no forward-chain
# rules at all, so traffic between wireguard1 and the bridge is forwarded by
# default; this firewall is not what blocks the remote RDP attempt (more likely
# the peer/client AllowedIPs above, or a host firewall on the server that only
# trusts its local subnet — presumably, verify on the server).
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" \
connection-state=established,related,untracked
# Lets WireGuard handshakes/data reach the listener on UDP 13231.
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
protocol=udp
# Any router service is open to tunnel peers (the whole 192.168.100.0/24).
add action=accept chain=input comment="allow WireGuard traffic" src-address=\
192.168.100.0/24
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP(ping)" in-interface=ether1 \
protocol=icmp
# NOTE(review): winbox management open on the WAN; restricting it to the LAN/VPN
# (the 192.168.100.0/24 accept above already covers VPN users) is the common hardening.
# `port=` matches source or destination port; `dst-port=` is the precise match.
add action=accept chain=input comment="allow winbox" in-interface=ether1 port=\
8291 protocol=tcp
# NOTE(review): RDP to the server never hits the input chain — the dst-nat rule
# below rewrites it to 192.168.88.254 and it then traverses the forward chain —
# so this rule is effectively unused.
add action=accept chain=input comment="allow rdp connection" in-interface=\
ether1 port=3389 protocol=tcp
# Source NAT for LAN and VPN clients leaving via ether1.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
# Port-forwards TCP 3389 arriving on the WAN to the server at 192.168.88.254.
# NOTE(review): this exposes the server's RDP to the internet independently of the
# VPN; if remote users are meant to reach RDP only through WireGuard, this rule
# can be removed. `port=` here matches either port; `dst-port=3389` is the intent.
add action=dst-nat chain=dstnat in-interface=ether1 port=3389 protocol=tcp \
to-addresses=192.168.88.254
/system clock
set time-zone-name=Asia/Tehran
/system note
set show-at-login=no
# Bandwidth-test server disabled (not reachable by external clients).
/tool bandwidth-server
set enabled=no