Wireguard - Cant Ping from inside a network (2025)

Since you use CAPsMAN, I will not be able to comment on VLANs etc.
I will focus on WireGuard and anything else glaring.
Right off the top, I don't care a whit about pinging; what I care about is whether the required traffic flow is working. Until ping = person or device, it's meaningless at the end.

1. Unless you are very experienced and need to set the advanced settings of IP bridge firewall to ON, it is best NOT to, and to leave/turn it OFF and rely on the available IP filter firewall rules!!! Change yes to NO in both spots.
/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes use-ip-firewall-for-vlan=yes

2. In general, once you go VLANs, it's best not to mix apples and oranges, as the one subnet complicates the bridge setup big time if it's still doing DHCP.
I recommend simply moving that subnet to another VLAN; then whatever bridge ports it was feeding become pvid to that port and untagged in the /interface bridge vlan settings.

3. Missing VLANs on the interface members list....
If all VLANs are members of LAN, aka need internet access, they should all be part of the LAN list!
If you replace the bridge with a VLAN, likewise add this VLAN, and the bridge can be removed from the LAN interface list.

4. This router is the peer SERVER for the WireGuard handshake (has the public IP) and thus ALLOWED IPs needs to be adjusted.
- There is no need to put any external address; each client peer needs to be identified by its WireGuard IP address (sometimes exceptions, but not usually).
- Allowed IPs is used to IDENTIFY USERS OR USER SUBNETS at the REMOTE site
a. that are coming into the local router
b. that local users will be visiting and thus have as dst-address.
c. the exception is 0.0.0.0/0, which means one requires all incoming to be accepted, or that local users are going out to the internet at the remote site (plus maybe see remote subnets)
d. Remote subnets noted here are usually reflected in additional manual routes required so that this router knows where to send traffic (originating locally or replying to traffic)

/interface wireguard peers
add allowed-address=10.0.0.3/32,192.168.50.0/24 interface=wireguard public-key="=====" comment="REMOTE client Router"
add allowed-address=10.0.0.2/32 interface=wireguard public-key="++++++" comment="admin remote laptop/smartphone"

5. The input chain is for traffic to the router, and the forward chain is for traffic from LAN to LAN and LAN to WAN, and also includes WAN to LAN (normally a single port forwarding allow rule).
SO THESE are nonsensical and must be removed:
add action=accept chain=forward dst-address=192.168.77.0/24 src-address=192.168.7.0/24
add action=accept chain=input dst-address=192.168.77.0/24 src-address=192.168.7.0/24
and this one as well:
add action=accept chain=input dst-address=192.168.77.0/24 src-address=192.168.50.0/24

6. It's best to put the firewall rules in proper order and also grouped by chain for easy reading and troubleshooting. I can spot an error in seconds vice minutes, for example.
Use the default rules as a guide to proper order, and note they are already grouped within the same chain.

7. Slight nuance to this firewall rule. Best to use the interface here, because then you have the option of limiting further by src-address or src-address-list. Right now you have limited access to 192.168.77.0/24 to ONLY remote users like yourself on the laptop and the folks on the other end; the subnets WILL not have access.
add action=accept chain=input comment=WIREGUARD_ALLOW dst-address=\
192.168.77.0/24 src-address=10.0.0.0/24

Better:
add action=accept chain=input comment=WIREGUARD_ALLOW dst-address=\
192.168.77.0/24 in-interface=wireguard
(if you need to limit access to this subnet further, use src-address-list, for example)

By the way, the above rule also replaces/includes the rule below, which doesn't include the WireGuard interface and should, for clarity and better security (so the rule below can also be removed).
add action=accept chain=forward dst-address=192.168.77.0/24 src-address=\
192.168.50.0/24

8. In the forward chain, add the rule below as the last rule in the order. In other words, all traffic without an admin-added allow rule above it is AUTOMATICALLY dropped. So all your extra drop rules can be removed!!! Clean and clear. So focus only on the traffic that should occur; much easier.
add action=drop chain=forward comment="Drop all else"

THEN get rid of the associated default RULE:
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN

You will have to add an allow LAN to WAN rule though, and, if doing any port forwarding, an allow rule for that.
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
(disable or remove if not required)

9. REMOVE this rule. It is not required.
add action=masquerade chain=srcnat dst-address=192.168.50.0/24 out-interface=\
wireguard src-address=192.168.77.0/24

10. UNSAFE type of rule, allowing a public IP address DIRECT access to the config of the router. If you want the admin while at the other router, or you as a remote user, to access the config of this router, then access the router via WireGuard, then access the config!!!
add action=accept chain=input in-interface-list=WAN src-address-list=my-cloud

a. I note in the input chain rules you allow all LAN traffic to access the router, so anyone coming in via WireGuard and anyone on your subnets should be able to as well.
b. AFTER we fix all the current observations and the config is stable, I would then clean up access on the input chain further by source address list, to only those that should be able to administer the router, BUT before you do that, create two rules to allow all LAN users access to the DNS services for internet.

11. mac-server by itself is plain text. Change
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

TO
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=LAN

12. IP Routes: YOU HAVE TWO ROUTES and only one is required.
In general, if you had more than one route to the same dst-address, how is the router supposed to know which one to take??
(Besides, they are basically duplicates.) The good one is in green:

/ip route
add dst-address=192.168.50.0/24 gateway=wireguard routing-table=main
add dst-address=192.168.50.0/24 gateway=10.0.0.3 routing-table=main
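Pulling the numbered points above together, here is an ordered config an admin could compare their own export against. This is an added example, not the reply author's or the original poster's config; it assumes interface lists LAN and WAN already exist, the WireGuard interface is named "wireguard" and listens on UDP 13231 (the RouterOS default), 192.168.77.0/24 is the local subnet, 192.168.50.0/24 sits behind the remote client router, and 10.0.0.0/24 is the tunnel address space. Public keys are placeholders.

```routeros
# Added example (not from the reply above). Assumptions: interface lists LAN/WAN
# exist, WireGuard interface "wireguard" listens on UDP 13231, local LAN is
# 192.168.77.0/24, remote site LAN is 192.168.50.0/24, tunnel space 10.0.0.0/24.
/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-vlan=no

# peers identified by tunnel address; remote subnet listed on the router peer only
/interface wireguard peers
add interface=wireguard allowed-address=10.0.0.3/32,192.168.50.0/24 \
    public-key="<REMOTE-ROUTER-PUBLIC-KEY>" comment="REMOTE client Router"
add interface=wireguard allowed-address=10.0.0.2/32 \
    public-key="<LAPTOP-PUBLIC-KEY>" comment="admin remote laptop/smartphone"

# exactly one route per remote subnet, pointed at the tunnel interface
/ip route
add dst-address=192.168.50.0/24 gateway=wireguard routing-table=main

/ip firewall filter
# ---- input chain: traffic TO the router, defconf order kept ----
add chain=input action=accept connection-state=established,related,untracked \
    comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept protocol=udp dst-port=13231 in-interface-list=WAN \
    comment="wireguard handshake (assumed listen-port 13231)"
add chain=input action=accept in-interface=wireguard \
    comment="WIREGUARD_ALLOW: tunnel users may reach the router"
add chain=input action=drop in-interface-list=!LAN \
    comment="defconf: drop all not coming from LAN"
# ---- forward chain: traffic THROUGH the router, explicit drop at the end ----
add chain=forward action=accept connection-state=established,related,untracked \
    comment="defconf: accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN \
    comment="internet traffic"
add chain=forward action=accept connection-nat-state=dstnat comment="port forwarding"
add chain=forward action=accept in-interface=wireguard dst-address=192.168.77.0/24 \
    comment="WIREGUARD_ALLOW: remote laptop and remote subnet into local LAN"
add chain=forward action=drop comment="Drop all else"
```

Because the forward chain ends in an unconditional drop, any flow not listed above it (including the 192.168.7.0/24 rules and the srcnat masquerade toward the tunnel) simply never needs its own rule.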
