Overview
A successful WireGuard handshake does not guarantee data transfer. On MikroTik devices, this issue is almost always caused by routing, firewall, or AllowedIPs misconfiguration. This runbook provides a safe, production-tested fix path.
Symptoms
- WireGuard peer shows recent handshake
- RX/TX counters remain at zero
- Tunnel IPs are reachable from the router, but not from LAN clients
- DNS may resolve, but traffic does not pass
Environment
- MikroTik RouterOS v7.x
- WireGuard site-to-site or remote access
- Tested on RouterOS 7.x (RB5009 class devices)
Common Root Causes
- AllowedIPs not covering the remote subnet
- Missing or incorrect forward firewall rules
- NAT applied on the wrong interface or missing entirely
- Routes not installed in the correct routing table
- Policy routing interfering with WireGuard traffic
Fix Path (SAFE)
Step 1: Validate AllowedIPs
AllowedIPs (the peer's allowed-address on RouterOS) act as both a routing selector and a traffic filter: a packet whose source (inbound) or destination (outbound) falls outside the list is silently dropped, even though the handshake completes.
Ensure that all remote networks are present:
Step 2: Verify Routes
If missing:
Step 3: Firewall Forward Rules
Traffic must be explicitly allowed in the forward chain, in both directions (LAN to tunnel and tunnel to LAN).
Place this rule above any drop rules.
Step 4: NAT (Only if Required)
Use NAT only for remote-access scenarios or non-routed networks; a site-to-site tunnel with correct routes on both ends does not need it, and masquerading can hide a routing error instead of fixing it.
Verification
RX/TX counters should increment.
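The four steps and the verification, as an added RouterOS v7 CLI example that is not part of the original runbook; it assumes a WireGuard interface named wireguard1, a LAN bridge named bridge, local LAN 192.168.88.0/24, remote LAN 192.168.89.0/24 and tunnel addresses 10.255.255.1/30 (local) and 10.255.255.2 (peer), all of which you should replace with your own values.

```routeros
# Added example, not from the runbook. Assumed names and addresses:
# interface wireguard1, LAN bridge "bridge", local LAN 192.168.88.0/24,
# remote LAN 192.168.89.0/24, tunnel 10.255.255.0/30 (peer is .2).

# Step 1: allowed-address must list the peer's tunnel IP AND every
# remote subnet that should traverse the tunnel. The remote side must
# do the same for our subnets, or return traffic is dropped there.
/interface/wireguard/peers/set [find interface=wireguard1] \
    allowed-address=10.255.255.2/32,192.168.89.0/24
/interface/wireguard/peers/print

# Step 2: a route to each remote subnet via the tunnel interface, in the
# routing table the LAN traffic actually uses (here: main).
/ip/route/print where dst-address=192.168.89.0/24
/ip/route/add dst-address=192.168.89.0/24 gateway=wireguard1 \
    routing-table=main comment="remote LAN via WireGuard"

# Step 3: forward rules in both directions. After adding, print the
# chain; if a drop rule is listed above them, reorder with
# "move <accept-number> destination=<drop-number>".
/ip/firewall/filter/add chain=forward action=accept \
    in-interface=wireguard1 out-interface=bridge comment="wg -> lan"
/ip/firewall/filter/add chain=forward action=accept \
    in-interface=bridge out-interface=wireguard1 comment="lan -> wg"
/ip/firewall/filter/print where chain=forward

# Step 4 (remote access or non-routed networks only): source NAT out
# the tunnel so the far side can reply without a route back to our LAN.
/ip/firewall/nat/add chain=srcnat action=masquerade \
    out-interface=wireguard1 comment="only if remote side has no route back"

# Verification: recent handshake plus non-zero rx/tx, then a ping
# sourced from the LAN address so it exercises forwarding and the
# firewall, not just the router's own tunnel IP.
/interface/wireguard/peers/print
/ping 192.168.89.1 src-address=192.168.88.1 count=4
```

If the ping from the tunnel IP works but the LAN-sourced ping does not, the fault is in Step 1 on the remote peer or in Step 3 locally, not in the tunnel itself.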