Category: Mikrotik configuration

WireGuard is a modern, fast, and secure VPN protocol supported natively in MikroTik RouterOS 7 and above. In this step-by-step guide, you will learn how to configure a WireGuard server on your MikroTik router and connect a Windows computer as a client.

---

Requirements

• MikroTik router with RouterOS 7+
• Winbox or SSH access
• Public IP address or working DDNS
• WireGuard client for Windows

---

Step 1: Create WireGuard Interface on MikroTik

Open Winbox or SSH and run the following command:

/interface/wireguard add name=wg0 listen-port=51820

This creates a WireGuard interface that will act as the VPN server.

---

Step 2: Generate Server Key Pair

WireGuard uses public and private keys. Generate them on MikroTik:

/interface/wireguard generate-key-pair

You will receive output like:

private-key="YOUR_SERVER_PRIVATE_KEY"
public-key="YOUR_SERVER_PUBLIC_KEY"

Apply the private key to the interface:

/interface/wireguard set wg0 private-key="YOUR_SERVER_PRIVATE_KEY"

---

Step 3: Assign VPN IP Address to WireGuard Interface

Assign an internal VPN address to the WireGuard interface:

/ip address add address=10.10.10.1/24 interface=wg0

This will be the router’s WireGuard VPN gateway.

---

Step 4: Allow WireGuard Traffic in the Firewall

WireGuard uses UDP. Add an allow rule:

/ip firewall filter add chain=input protocol=udp dst-port=51820 action=accept comment="Allow WireGuard"

---

Step 5: Configure NAT for VPN Clients (If They Need Internet)

If you want your Windows client to access the internet through MikroTik, add NAT:

/ip firewall nat add chain=srcnat src-address=10.10.10.0/24 out-interface-list=WAN action=masquerade

Add your actual WAN interface name to WAN Interface List.

---

Step 6: Create Windows Client Peer on MikroTik

The Windows computer will generate its own key pair. You must add its public key to MikroTik:

/interface/wireguard/peers add \
interface=wg0 \
public-key="CLIENT_PUBLIC_KEY" \
allowed-address=10.10.10.2/32

You are now ready to configure the Windows client.

---

Step 7: Configure WireGuard Client on Windows

1. Install WireGuard

Download the official client from the WireGuard website and install it.

2. Create a new tunnel

Open WireGuard → Add Tunnel → Add empty tunnel. The software will automatically generate:

• PrivateKey
• PublicKey

Copy the public key and paste it into the MikroTik peer configuration as shown above.

3. Configure the Windows client

Use the following template in WireGuard:

[Interface]
PrivateKey = CLIENT_PRIVATE_KEY
Address = 10.10.10.2/32
DNS = 1.1.1.1

[Peer]
PublicKey = YOUR_SERVER_PUBLIC_KEY
Endpoint = YOUR_PUBLIC_IP:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

Click Activate to start the connection.

---

Step 8: Test the VPN

On Windows, open Command Prompt and run:

curl ifconfig.me

If everything is configured correctly, your IP address will match the MikroTik router’s WAN IP, meaning all traffic is routed through the VPN.

---

Troubleshooting Tips

• Ensure UDP port 51820 is open on the MikroTik firewall.
• Verify that NAT is configured if you expect internet traffic through the VPN.
• Check last-handshake on MikroTik:

/interface/wireguard/peers/print

If you see a recent handshake, the client is connected.

---

Conclusion

WireGuard is a powerful and simple VPN technology that works exceptionally well with MikroTik RouterOS 7. By following this guide, you can configure a secure VPN server on MikroTik and connect Windows clients in just a few minutes. Enjoy high-speed encrypted connectivity wherever you are!

---

У цій статті розглянемо приклад конфігурації OLT BDCOM P3310C, де клієнтський MikroTik отримує IP по DHCP у додатковому VLAN. Також розберемо типові помилки та способи їх виправлення.

Ситуація

Маємо такі налаштування:

• Порт GigaEthernet0/1 підключений до клієнтського MikroTik, VLAN 1022 як native (untagged) та VLAN 500 як додатковий тегований VLAN.
• Порт GigaEthernet0/5 — uplink до DHCP-сервера, де також піднятий VLAN 500.

Проблема: MikroTik не отримував IP через DHCP на VLAN 500, хоча IP на VLAN 1022 отримував нормально.

Діагностика

Першим кроком перевірили MAC-таблицю OLT:

show mac address-table vlan 500

Було видно тільки MAC клієнта на порту g0/1. MAC uplink порту g0/5 відсутній — DHCP DISCOVER не проходив.

Також перевірили конфігурацію VLAN:

show vlan

Спочатку VLAN 500 був прив’язаний до портів g0/1, g0/5 та epon0/x (EPON-порти).

Причина

На BDCOM P3310C, якщо VLAN одночасно присутній на EPON-портах та Ethernet-портах, але немає активної ONU на EPON, L2-трафік між Ethernet-портами не форвардиться. Тому DHCP DISCOVER від клієнта не доходив до uplink.

Також важливо зазначити: просто прописати switchport trunk vlan-allowed 500 на портах не гарантує, що VLAN буде працювати. На BDCOM VLAN потрібно додатково створити глобально і явно вказати, на яких портах він має працювати. Лише після цього трафік VLAN буде коректно комутуватися між портами.

Рішення

1. Прибрали VLAN 500 з EPON-портів. Тепер VLAN 500 присутній тільки на g0/1, g0/5, g0/6.
2. Створили VLAN 500 глобально та вказали порти:

   vlan 500
    port g0/1
    port g0/5
   exit
   

3. Перезапустили порти (shutdown/no shutdown) і очищали MAC-таблицю:

   clear mac address-table dynamic vlan 500
   

4. Перезапустили DHCP-клієнт на MikroTik для VLAN 500:

   /ip dhcp-client release [find interface=vlan.500]
   /ip dhcp-client renew [find interface=vlan.500]
   

5. Перевірили MAC-таблицю:

   show mac address-table vlan 500
   

   Тепер з’явилися два MAC — клієнт на g0/1 та uplink на g0/5.

Результат

Після цих змін MikroTik отримав IP через DHCP на VLAN 500, VLAN 1022 також працює без змін. Проблема вирішена.

Висновок

При налаштуванні додаткових VLAN на OLT BDCOM потрібно враховувати особливості L2-бріджу між Ethernet та EPON-портами. VLAN, який одночасно присутній на EPON і Ethernet без активної ONU, може блокувати трафік між портами Ethernet. Також просто прописати switchport trunk vlan-allowed недостатньо — VLAN потрібно створювати глобально та явно вказувати порти, на яких він має працювати. Це гарантує коректну роботу DHCP та іншого трафіку VLAN.

Allow everything on WLAN1 that has a signal above -87dBm (eg, signal between -86 and+120 dBm) , and allow even that signal to drop below -87 dBm for 30 sec.

The allow is authenticate (associate) and forwarding (connect to other clients).
The allow-signal-out-of-range is needed because devices are in their hands, so the signal fluctuates, but I prefer not to drop them immediately.

To stop the weak signal connections on WLAN1 the next line is needed. For everything with signal between -87 and -120 dBm there is no authentication allowed.

The allow-signal-out-of range is short here (1 sec) because this is used for roaming clients that are sticky to their first AP, but they may come back very soon to this AP, and I prefer not to deny them longer than needed.

/interface wireless access-list
add allow-signal-out-of-range=30s interface=wlan1 signal-range= -86..120 
add allow-signal-out-of-range=1s authentication=no forwarding=no interface=wlan1 signal-range=-120..-87

Default Cambium EMP 1000 IP: 169.254.1.1

Default user name: admin and password: admin

1. Open SSH terminal and connect to 169.254.1.1

2. Enable DHCP with command (1 – Static, 2 – DHCP):

config set networkLanIPAddressMode 2

Configure network IP, Mask and Gateway parameters:

config set networkLanIPAddr 10.20.124.10
config set networkLanNetmask 255.255.255.0
config set networkLanGatewayIP 10.20.124.1

3. Save configuration with command:

config save
config apply

4. Reboot devise for changes to take effect.

reboot 

Now you can open Web-browser and go to http://IP configuration page.

To delete OUN from OLT on EPON 2 interface go to config and use interface EPON0/2:

enable
config
interface EPON0/2

To delete ONU use command (note, that adter delete ONU will register on OLT again):

no epon bind-onu mac e067.b37d.d3d3

To add ONU to Black List use command:

epon onu-blacklist mac e067.b37d.d3d3

To remove ONU from Black List use command:

no epon onu-blacklist mac e067.b37d.d3d3

Don’t forget to update your Mikrotik firmware to 6.41.1 or higher! Current stable and secure firmware is 6.47.10.
Simple Mikrotik Firewall configuration:

In Mikrotik terminal go to Firewall Filter:

/ip firewall filter

For increase the speed of router fist rule should be:

add chain=forward action=fasttrack-connection connection-state=established,related

Allow Established and Related connections for forward and input chains:

add chain=forward action=accept connection-state=established,related,untracked log=no log-prefix=""
add chain=input action=accept connection-state=established,related,untracked log=no log-prefix=""

Drop invalid connections for forward and input chains only from WAN interfaces:

add chain=forward action=drop connection-state=invalid in-interface-list=WAN log=no log-prefix=""
add chain=input action=drop connection-state=invalid in-interface-list=WAN log=no log-prefix=""

Allow ICMP ping from WAN only width 128 bits packets:

add chain=input action=accept protocol=icmp in-interface-list=WAN packet-size=0-128 log=no log-prefix=""

Allow remote control by Winbox or SSH only from IP addresses from AccessList:

add chain=input action=accept protocol=tcp src-address-list=AccessList in-interface-list=WAN dst-port=8291,22 log=no log-prefix=""

In IP -> Firewall -> Address List create new address list width name AccessList and add there all IP addresses you want to use for remote connection to your router.

Allow OpenVPN connections:

add chain=input action=accept protocol=tcp in-interface-list=WAN dst-port=1194 log=no log-prefix=""

Allow PPTP VPN connections:

add chain=input action=accept protocol=tcp in-interface-list=WAN dst-port=1723 log=no log-prefix=""
add chain=input action=accept protocol=gre log=no

Allow SSTP VPN connection (443 port,
change port if yout SSTP server run on other port):

add chain=input action=accept protocol=tcp in-interface-list=WAN dst-port=443 log=no log-prefix=""

Allow L2TP IPsec VPN connection:

add action=accept chain=input in-interface-list=WAN protocol=ipsec-esp comment="allow L2TP VPN (ipsec-esp)"
add action=accept chain=input dst-port=500,1701,4500 in-interface-list=WAN protocol=udp comment="allow L2TP VPN (500,4500,1701/udp)"

Drop all other connections to Mikrotik and to local network:

add chain=input action=drop in-interface-list=WAN log=no log-prefix=""
add chain=forward action=drop connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix=""

In IP -> Services menu enable only SSH and Winbox services, for more security you can change default Winbox and SSH ports:

It is all you need to secure your home or office router and network.

Don’t forget to update your Mikrotik firmware to 6.41.1 or higher! Current stable and secure firmware is 6.48.6. For more stability use firmware from “long term” channel.

Connect to OLT and go into the configuration mode:

enable
config

Let’s look at the current configuration and find the MAC address of the ONT you want to delete:

show running-config

Choose the interface (port) on which ONT is registered:

interface EPON0/1

And delete ONT, for example with mac address 8014.a8b4.eb2c:

no epon bind-onu mac e067.b336.88e8

Done.

To build 30 km point-to-point wireless connection on speed 100 Mbit/s we used two Cambium ePMP 1000 and two 27 dBi parabolic MIMO antennas.

To create point-to-point wireless link we need to configure first antenna as Access Point and the second antenna as Station. First of all make sure there are no interference in front of the antennas:

Let’s configure access point, to log in to the configuration panel open in your web browser address: 192.168.0.1 (Access Point) or 192.168.0.2 (Station). By default enter login: admin and password: admin

We will configure our link based on this schema:

On Access Point select SSID, your country code, work frequency, channel width (20 or 40 mHz) and security password:

Also to achieve the best result select TDD wireless protocol.

On the other side on Station antenna select the same parameters, but in Radio Mode select Subscriber Module.

Don’t forget to change default administrator passwords on both antennas and change your own static or dynamic IP addresses.

On page Monitor->Wireless make sure that your Station connected to Access Point:

We have two local networks on Mikrotik router, for example:
Network1: 192.168.1.0/24 on ether1 interface
Network2: 192.168.2.0/24 on ether2 interface

Let’s prevent access between devices of this two networks.

In Mikrotik terminal go to Firewall Filter:

/ip firewall filter

And create this two rules:

add chain=forward action=drop src-address=192.168.2.0/24 dst-address=192.168.1.0/24
add chain=forward action=drop src-address=192.168.1.0/24 dst-address=192.168.2.0/24

That’s all, now Mikrotik will block all traffic from computers in Network1 to computers in Network2 and from Network2 to Network1.

All other traffic to Internet will be working normally.

If You want to block traffic only from Network2 to Network1 – write only one rule:

add chain=forward action=drop src-address=192.168.2.0/24 dst-address=192.168.1.0/24