Hi Karl,

Why not a "Wireguard" address list - with the source addresses of the far-end networks, and then on the src-nat rule, use the 'Source Address List' with the NOT option? - ie. Sourcenat everything NOT on this list.

-----Original Message-----
From: Public <public-bounces@talk.mikrotik.com.au> On Behalf Of Karl Auer via Public
Sent: Tuesday, November 7, 2023 11:56 AM
To: MikroTik Public <public@talk.mikrotik.com.au>
Cc: Karl Auer <kauer@nullarbor.com.au>
Subject: [MT-AU Public] Puzzled why forwarding no work

Some may recall I now have a Wireguard VPN between a Starlink-connected site and another site. The other site has a static IP address, the Starlink site does not.

Inevitably, someone now wants to connect from outside to a server on TCP/85 in the Starlink site. No problem, thinks I. They can connect to the static IP and I will ship their connection over the VPN to the other network. Just dstnat plus srcnat.

In the following, xxx is the static IP address, and 192.168.103.184 is the address they want to reach in the Starlink-connected network.

   /ip firewall nat
   add chain=dstnat action=dst-nat \
       dst-address=xxx dst-port=85 protocol=tcp \
       to-addresses=192.168.103.184 to-ports=85 \
       in-interface=e1-uplink log=yes log-prefix="A"
   add chain=srcnat action=masquerade \
       ???? out-interface=wg0 log=yes log-prefix="B"

I can't figure out what I should put in the srcnat rule that will limit it so it only src-nats packets coming from the public internet. The obvious one, filtering on "in-interface=e1-uplink", isn't possible with srcnat.

What am I missing? Or do I have to add "accept" rules for all the networks I don't want NATted by wg0?

Regards, K.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer@nullarbor.com.au)
work +61 2 64957435
http://www.nullarbor.com.au
mobile +61 428 957160
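The address-list approach from the reply, written out as a complete RouterOS snippet. This is an added example, not configuration from either poster; the list name "wg-no-nat", the 192.168.1.0/24 subnet for the static-IP site's LAN and the "xxx" public address are placeholders/assumptions, and 192.168.103.0/24 is assumed to be the Starlink-site LAN from the 192.168.103.184 host in the post.

```routeros
# Networks whose traffic legitimately crosses wg0 and must NOT be masqueraded.
# Subnets are assumed for illustration; replace with the real site LANs.
/ip firewall address-list
add list=wg-no-nat address=192.168.1.0/24   comment="static-IP site LAN (assumed)"
add list=wg-no-nat address=192.168.103.0/24 comment="Starlink site LAN (assumed)"

/ip firewall nat
# Only accept the forward from the public uplink; "xxx" is the static IP placeholder.
add chain=dstnat action=dst-nat protocol=tcp dst-address=xxx dst-port=85 \
    in-interface=e1-uplink to-addresses=192.168.103.184 to-ports=85 \
    comment="forward TCP/85 to Starlink-site server" log=yes log-prefix="A"

# Masquerade only sources that are NOT on the list, i.e. internet clients that
# arrived via the dstnat above; site-to-site traffic keeps its real source address.
add chain=srcnat action=masquerade out-interface=wg0 src-address-list=!wg-no-nat \
    comment="NAT internet clients into the tunnel" log=yes log-prefix="B"
```

Because the masquerade rewrites the source to the router's wg0 address, the TCP/85 server will only ever see that one address in its own logs, so client attribution for that service has to come from this router's NAT log (prefix "B") rather than from the server.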