public server -> internet -> ISP dumb router -> MikroTik hAP ax3 -> LAN -> internal computer
* The public server is 213.199.36.19 running WireGuard on port 51830
* The internal computer has address 10.240.0.94/24
The router has two WAN interfaces, called ether5-wan and ether4-lte. The LTE one is the backup connection, and it has a default route with a higher distance. For this example, I have disabled the ether4-lte interface completely, but I have to mention it here; you will see why in a moment.
* The dumb router of the ISP also does NAT, so the LAN is behind double NAT. (It is not possible to put the ISP router into passthrough mode.) The ISP's router gives 192.168.0.0/24.
* The LTE modem also does NAT (actually CGNAT), and its LAN side has 10.14.100.0/24.
Interface addresses:
Code:
Flags: I - INVALID, D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE
# ADDRESS NETWORK INTERFACE
0 10.240.0.1/24 10.240.0.0 BASE_VLAN
1 10.240.1.1/24 10.240.1.0 BLUE_VLAN
2 10.240.2.1/24 10.240.2.0 GREEN_VLAN
3 10.240.3.1/24 10.240.3.0 RED_VLAN
4 10.240.4.1/24 10.240.4.0 ORANGE_VLAN
5 I 10.14.100.2/24 10.14.100.0 ether4-lte
6 10.240.5.1/32 10.240.5.0 wg-vpn
7 10.240.208.2/24 10.240.208.0 wg-vpn
8 192.168.88.200/24 192.168.88.0 BASE_VLAN
9 D 192.168.0.15/24 192.168.0.0 ether5-wan
Masquerade rules:
Code:
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether5-wan
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether4-lte
Code:
/tool sniffer
set filter-ip-address=213.199.36.19/32 filter-ip-protocol=icmp
start
stop
packet/print
Code:
# TIME INTERFACE SRC-ADDRESS DST-ADDRESS IP-PROTOCOL SIZE CPU
0 2.414 ether1-trunk 10.240.0.94 213.199.36.19 icmp 102 0
1 2.414 BR1 10.240.0.94 213.199.36.19 icmp 102 0
2 2.414 BASE_VLAN 10.240.0.94 213.199.36.19 icmp 98 0
3 2.414 ether5-wan 192.168.0.15 213.199.36.19 icmp 98 0
4 2.454 ether5-wan 213.199.36.19 192.168.0.15 icmp 98 0
5 2.454 BASE_VLAN 213.199.36.19 10.240.0.94 icmp 98 0
6 2.454 BR1 213.199.36.19 10.240.0.94 icmp 102 0
7 2.454 ether1-trunk 213.199.36.19 10.240.0.94 icmp 102 0
However, if I try to connect to the server with WireGuard, then I see this.
Code:
/tool sniffer
set filter-ip-address=213.199.36.19/32 filter-ip-protocol=udp
start
stop
packet/print detail
0 time=1.486 num=1 direction=rx src-mac=64:00:6A:55:FE:24 dst-mac=78:9A:18:02:60:CD vlan=99 interface=ether1-trunk src-address=10.240.0.94:51830 dst-address=213.199.36.19:51830 protocol=ip
ip-protocol=udp size=194 cpu=2 ip-packet-size=176 ip-header-size=20 dscp=34 identification=37198 fragment-offset=0 ttl=64
1 time=1.486 num=2 direction=rx src-mac=64:00:6A:55:FE:24 dst-mac=78:9A:18:02:60:CD vlan=99 interface=BR1 src-address=10.240.0.94:51830 dst-address=213.199.36.19:51830 protocol=ip
ip-protocol=udp size=194 cpu=2 ip-packet-size=176 ip-header-size=20 dscp=34 identification=37198 fragment-offset=0 ttl=64
2 time=1.486 num=3 direction=rx src-mac=64:00:6A:55:FE:24 dst-mac=78:9A:18:02:60:CD interface=BASE_VLAN src-address=10.240.0.94:51830 dst-address=213.199.36.19:51830 protocol=ip
ip-protocol=udp size=190 cpu=2 ip-packet-size=176 ip-header-size=20 dscp=34 identification=37198 fragment-offset=0 ttl=64
3 time=1.486 num=4 direction=tx src-mac=78:9A:18:02:60:D1 dst-mac=2C:00:AB:72:36:77 interface=ether5-wan src-address=10.14.100.2:51830 dst-address=213.199.36.19:51830 protocol=ip
ip-protocol=udp size=190 cpu=2 ip-packet-size=176 ip-header-size=20 dscp=34 identification=37198 fragment-offset=0 ttl=63
Code:
Flags: X - DISABLED, R - RUNNING; S - SLAVE
Columns: NAME, MTU, MAC-ADDRESS, ARP, SWITCH
# NAME MTU MAC-ADDRESS ARP SWITCH
0 RS ether1-trunk 1500 78:9A:18:02:60:CD enabled switch1
1 S ether2-gray 1500 78:9A:18:02:60:CE enabled switch1
2 S ether3-gray 1500 78:9A:18:02:60:CF enabled switch1
3 X ether4-lte 1500 78:9A:18:02:60:D0 enabled switch1
4 R ether5-wan 1500 78:9A:18:02:60:D1 enabled switch1
Code:
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN
What am I doing wrong?
Thank you
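A small diagnostic that makes the symptom in the sniffer output above mechanical to spot, added here as an example; it is not the poster's code and not a RouterOS tool. It parses the `/ip address` table and the `packet/print detail` lines (both copied from the post and embedded as constructed sample input) and reports any packet transmitted on a WAN interface whose source address is not a valid address of that interface. The `WAN_INTERFACES` set and the assumption that a continuation line never starts with an index number are mine; on the post's data it flags packet 4 on ether5-wan as leaving with 10.14.100.2, an address that belongs to the disabled (invalid-flagged) ether4-lte.

```python
"""Cross-check RouterOS sniffer output against the address table (added example).

Flags tx packets on a WAN interface whose source is not one of that interface's
valid addresses, i.e. traffic that left the router without the masquerade source
that the out-interface should have produced.
"""
import re
from typing import Dict, List, Set

# Constructed sample: /ip address print rows from the post (flags: I = invalid, D = dynamic).
ADDRESS_TABLE = """\
0 10.240.0.1/24 10.240.0.0 BASE_VLAN
5 I 10.14.100.2/24 10.14.100.0 ether4-lte
6 10.240.5.1/32 10.240.5.0 wg-vpn
7 10.240.208.2/24 10.240.208.0 wg-vpn
8 192.168.88.200/24 192.168.88.0 BASE_VLAN
9 D 192.168.0.15/24 192.168.0.0 ether5-wan
"""

# Assumption: the masquerade out-interfaces, i.e. where a private source must not appear.
WAN_INTERFACES = {"ether5-wan", "ether4-lte"}

# Constructed sample: two packets from the post's "packet/print detail" output, two lines each.
SNIFFER_DETAIL = """\
0 time=1.486 num=1 direction=rx src-mac=64:00:6A:55:FE:24 dst-mac=78:9A:18:02:60:CD vlan=99 interface=ether1-trunk src-address=10.240.0.94:51830 dst-address=213.199.36.19:51830 protocol=ip
ip-protocol=udp size=194 cpu=2 ip-packet-size=176 ip-header-size=20 dscp=34 identification=37198 fragment-offset=0 ttl=64
3 time=1.486 num=4 direction=tx src-mac=78:9A:18:02:60:D1 dst-mac=2C:00:AB:72:36:77 interface=ether5-wan src-address=10.14.100.2:51830 dst-address=213.199.36.19:51830 protocol=ip
ip-protocol=udp size=190 cpu=2 ip-packet-size=176 ip-header-size=20 dscp=34 identification=37198 fragment-offset=0 ttl=63
"""

# index, optional flag letters, address/prefix, network, interface
ADDR_LINE = re.compile(r"^\d+\s+(?:([A-Z]+)\s+)?(\d+\.\d+\.\d+\.\d+)/\d+\s+\S+\s+(\S+)$")


def parse_addresses(text: str) -> Dict[str, Dict[str, Set[str]]]:
    """Return {interface: {"valid": {...}, "invalid": {...}}}; header lines are skipped."""
    table: Dict[str, Dict[str, Set[str]]] = {}
    for line in text.splitlines():
        m = ADDR_LINE.match(line.strip())
        if not m:
            continue
        flags, addr, iface = m.group(1) or "", m.group(2), m.group(3)
        entry = table.setdefault(iface, {"valid": set(), "invalid": set()})
        entry["invalid" if "I" in flags else "valid"].add(addr)
    return table


def parse_sniffer_detail(text: str) -> List[Dict[str, str]]:
    """Group key=value tokens per packet; a line starting with an index opens a new packet."""
    packets: List[Dict[str, str]] = []
    for line in text.splitlines():
        if re.match(r"^\d+\s", line):
            packets.append({})
        if packets:
            packets[-1].update(re.findall(r"(\S+?)=(\S+)", line))
    return packets


def check_egress_source(address_text: str, sniffer_text: str) -> List[Dict[str, str]]:
    """Report tx packets on a WAN interface whose source is not a valid address of that interface."""
    table = parse_addresses(address_text)
    # reverse map: address -> (interface it is configured on, valid/invalid)
    owner = {a: (i, state) for i, e in table.items() for state, addrs in e.items() for a in addrs}
    findings: List[Dict[str, str]] = []
    for pkt in parse_sniffer_detail(sniffer_text):
        iface = pkt.get("interface", "")
        if pkt.get("direction") != "tx" or iface not in WAN_INTERFACES:
            continue
        src = pkt.get("src-address", "").rsplit(":", 1)[0]  # drop the UDP/TCP port
        valid = table.get(iface, {}).get("valid", set())
        if src in valid:
            continue
        iface_of_src, state = owner.get(src, ("none", "unknown"))
        findings.append({
            "num": pkt.get("num", "?"),
            "interface": iface,
            "src": src,
            "expected": ",".join(sorted(valid)),
            "src_belongs_to": f"{iface_of_src} ({state})",
        })
    return findings


if __name__ == "__main__":
    for f in check_egress_source(ADDRESS_TABLE, SNIFFER_DETAIL):
        print(f"packet {f['num']}: tx on {f['interface']} with src {f['src']} "
              f"(expected {f['expected']}); src is configured on {f['src_belongs_to']}")
```

Run it against a fresh `/tool sniffer packet print detail` and `/ip address print` capture to confirm whether the wrong source persists after the LTE interface is disabled, and whether it is limited to the UDP flow or affects ICMP as well.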