I am facing a really weird issue after trying to move from a Docker-based WireGuard container as my VPN server to using my MikroTik as the server.
After configuring the MikroTik, I am able to connect my test client just fine. I can ping all hosts on the LAN. I can reach all ports on all hosts on the LAN that are *not* in Docker containers. Any ports that are hosted by a Docker container on a server are inaccessible. I'm pulling my hair out trying to figure out why the Docker containers aren't accessible.
Here's my setup:
192.168.1.0/24 - Local LAN
192.168.1.254 - Mikrotik router
192.168.100.0/24 - Defined Wireguard address space
192.168.100.1 - Mikrotik Wireguard server
Here's the route list for the Docker container host:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 eno1
169.254.0.0     0.0.0.0         255.255.0.0     U     1003   0        0 eno1
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
172.18.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-e2ef141a8890
172.28.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-246eb5c87b8b
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eno1

Firewall export from WireGuard (port 443 is the port I am using for WireGuard; the NAT rule to forward it to the Docker container is disabled):

# sep/27/2022 16:46:54 by RouterOS 7.5
# software id = F3EA-NSY9
#
# model = RB750Gr3
# serial number = CC220E7CEFE7
/ip firewall filter
add action=accept chain=input comment="allow WireGuard" dst-port=443 protocol=udp
add action=accept chain=input comment="allow WireGuard traffic" src-address=192.168.100.0/24
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix="DROP INPUT invalid - "
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input in-interface=all-vlan
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN log=yes log-prefix="DROP INPUT not from LAN - "
add action=drop chain=forward in-interface=virtual-guestwifi out-interface-list=LAN
add action=drop chain=forward in-interface-list=LAN out-interface=virtual-guestwifi
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix="DROP drop invalid - "
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes \
log-prefix="DROP not DSTNATed - "
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=<public ip> dst-port=32400 protocol=tcp to-addresses=192.168.1.110 to-ports=32400
add action=dst-nat chain=dstnat dst-address=<public ip> dst-port=28967 protocol=tcp to-addresses=192.168.1.110 to-ports=28967
add action=dst-nat chain=dstnat dst-address=<public ip> dst-port=28967 protocol=udp to-addresses=192.168.1.110 to-ports=28967
add action=dst-nat chain=dstnat dst-address=<public ip> dst-port=28968 protocol=udp to-addresses=192.168.1.110 to-ports=28968
add action=dst-nat chain=dstnat dst-address=<public ip> dst-port=28968 protocol=tcp to-addresses=192.168.1.110 to-ports=28968
add action=dst-nat chain=dstnat dst-address=<public ip> dst-port=443 protocol=tcp to-addresses=192.168.1.110 to-ports=443
add action=dst-nat chain=dstnat disabled=yes dst-address=<public ip> dst-port=443 protocol=udp to-addresses=192.168.1.110 to-ports=443
add action=masquerade chain=srcnat dst-address=192.168.1.110 out-interface=bridge protocol=tcp src-address=192.168.1.0/24
Here's my interface export:

# sep/27/2022 16:52:25 by RouterOS 7.5
# software id = F3EA-NSY9
#
# model = RB750Gr3
# serial number = CC220E7CEFE7
/interface bridge
add admin-mac=2C:C8:1B:77:D5:B3 auto-mac=no comment=defconf name=bridge protocol-mode=none
/interface wireguard
add listen-port=443 mtu=1420 name=wireguard1
/interface vlan
add interface=bridge name=virtual-guestwifi vlan-id=200
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wireguard1 list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=192.168.100.3/32 interface=wireguard1 public-key="6uUMbtqz+E3U528ou9TTEi9hjo1juw+Fo9xysvWz1jw="
Any help would be awesomely appreciated. I'm lost here!
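Added example, not part of the original post: a longest-prefix-match route lookup over the Docker host's routing table as posted above, to confirm where that host sends replies for a given destination. The table is taken from the post; the peer address 192.168.100.3 is the allowed-address from the WireGuard peers export, and the container address 172.18.0.5 is an assumed example on the br-e2ef141a8890 subnet.

```python
import ipaddress

# Routing table of the Docker host as posted above (`route -n` output),
# embedded as constructed sample input so this runs offline.
ROUTE_TABLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 eno1
169.254.0.0     0.0.0.0         255.255.0.0     U     1003   0        0 eno1
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
172.18.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-e2ef141a8890
172.28.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-246eb5c87b8b
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eno1
"""


def parse_routes(text):
    """Parse `route -n` style output into a list of route dicts."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        # Skip the title line, the header line and anything malformed.
        if len(parts) < 8 or parts[0] in ("Kernel", "Destination"):
            continue
        dest, gateway, genmask, flags, metric, _ref, _use, iface = parts[:8]
        routes.append({
            "network": ipaddress.ip_network(f"{dest}/{genmask}", strict=False),
            # 0.0.0.0 in the Gateway column means "directly connected".
            "gateway": None if gateway == "0.0.0.0" else ipaddress.ip_address(gateway),
            "flags": flags,
            "metric": int(metric),
            "iface": iface,
        })
    return routes


def lookup(routes, dst):
    """Select the route for dst the way the kernel does: longest prefix
    first, lowest metric as tie-breaker. Returns None if nothing matches."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in routes if dst in r["network"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["network"].prefixlen, -r["metric"]))


def describe_path(routes, dst):
    """Human-readable one-liner for where a packet to dst leaves the host."""
    r = lookup(routes, dst)
    if r is None:
        return f"{dst}: no route"
    via = f"via {r['gateway']}" if r["gateway"] else "on-link"
    return f"{dst}: {via} dev {r['iface']} ({r['network']})"


if __name__ == "__main__":
    routes = parse_routes(ROUTE_TABLE)
    # 192.168.100.3 is the WireGuard peer from the export above; the
    # 172.18.0.5 container address is an assumed example.
    for dst in ("192.168.100.3", "192.168.1.254", "172.18.0.5", "169.254.10.10"):
        print(describe_path(routes, dst))
```

Run against the posted table, the lookup shows that the host has no specific route for 192.168.100.0/24, so anything it sends to a WireGuard client matches only the default route and goes to 192.168.1.254 on eno1, i.e. back through the MikroTik, while the 172.x Docker bridge subnets are on-link on their respective bridges. Pasting a different host's `route -n` output into ROUTE_TABLE gives the same check for that host.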