Hi,

Don't masquerade at the remote end. Just make sure that at the Starlink end the traffic that comes down the WG tunnel also goes back out the WG tunnel:

/routing table add fib name=wireguard1_Traffic

# If you have port forwards you need to ensure they stick to the correct interfaces for the return traffic
# port forwards from wireguard1 go back out from wireguard1
/ip firewall mangle add action=mark-connection chain=forward in-interface=wireguard1 connection-state=new new-connection-mark=wireguard1_pfw passthrough=no disabled=no comment="pfw wireguard1, out wireguard1"
/ip firewall mangle add action=mark-routing chain=prerouting in-interface=bridge-local connection-mark=wireguard1_pfw new-routing-mark=wireguard1_Traffic passthrough=no disabled=no

Andy

-----Original Message-----
From: Public <public-bounces@talk.mikrotik.com.au> On Behalf Of Karl Auer via Public
Sent: Tuesday, November 7, 2023 8:56 AM
To: MikroTik Public <public@talk.mikrotik.com.au>
Cc: Karl Auer <kauer@nullarbor.com.au>
Subject: [MT-AU Public] Puzzled why forwarding no work

Some may recall I now have a Wireguard VPN between a Starlink-connected site and another site. The other site has a static IP address, the Starlink site does not.

Inevitably, someone now wants to connect from outside to a server on TCP/85 in the Starlink site. No problem, thinks I. They can connect to the static IP and I will ship their connection over the VPN to the other network. Just dstnat plus srcnat.

In the following, xxx is the static IP address, and 192.168.103.184 is the address they want to reach in the Starlink-connected network.

/ip firewall nat
add chain=dstnat action=dst-nat \
    dst-address=xxx dst-port=85 protocol=tcp \
    to-addresses=192.168.103.184 to-ports=85 \
    in-interface=e1-uplink log=yes log-prefix="A"
add chain=srcnat action=masquerade \
    ???? \
    out-interface=wg0 log=yes log-prefix="B"

I can't figure out what I should put in the srcnat rule that will limit it so it only src-nats packets coming from the public internet. The obvious one, filtering on "in-interface=e1-uplink", isn't possible with srcnat.

What am I missing? Or do I have to add "accept" rules for all the networks I don't want NATted by wg0?

Regards, K.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer@nullarbor.com.au)
work +61 2 64957435
http://www.nullarbor.com.au
mobile +61 428 957160

_______________________________________________
Public mailing list
Public@talk.mikrotik.com.au
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
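For reference, here is a complete two-router configuration along the lines Andy describes, added as a worked example; it is not from either poster. Interface and address names come from the thread (e1-uplink, wg0, xxx and 192.168.103.184 from Karl's mail; wireguard1, bridge-local, wireguard1_Traffic and wireguard1_pfw from Andy's). The default route inside the custom table, the forward-filter rule, the peer comments used to select the WireGuard peers, and the allowed-address values are my assumptions, added because the thread's rules do not work without them.

```routeros
# ===== Static-IP site (has xxx on e1-uplink, WireGuard interface wg0) =====
# Only dst-nat, no srcnat toward wg0 (as Andy advises). The client's real
# source address travels across the tunnel; conntrack reverses the dst-nat
# on the reply path without any further rule.
/ip firewall nat
add chain=dstnat action=dst-nat protocol=tcp in-interface=e1-uplink \
    dst-address=xxx dst-port=85 to-addresses=192.168.103.184 to-ports=85 \
    comment="inbound TCP/85 -> Starlink site via WireGuard"

# Assumed forward-filter rule: the translated flow still has to pass your
# forward chain. connection-nat-state=dstnat limits it to port-forwarded
# connections only.
/ip firewall filter
add chain=forward action=accept in-interface=e1-uplink out-interface=wg0 \
    protocol=tcp dst-address=192.168.103.184 dst-port=85 \
    connection-nat-state=dstnat comment="allow the TCP/85 port forward"

# ===== Starlink site (WireGuard interface wireguard1, LAN on bridge-local) =====
# 1. Dedicated routing table plus a default route through the tunnel, so that
#    anything carrying routing-mark wireguard1_Traffic leaves via WireGuard
#    instead of via Starlink's CGNAT uplink. (Assumed: the route is what Andy's
#    table needs and the thread does not show it.)
/routing table add fib name=wireguard1_Traffic
/ip route add dst-address=0.0.0.0/0 gateway=wireguard1 \
    routing-table=wireguard1_Traffic \
    comment="replies to tunnel-originated connections go back via WireGuard"

# 2. Tag new connections that arrived from the tunnel (Andy's first rule).
#    connection-state=new means LAN-originated traffic is never touched.
/ip firewall mangle
add chain=forward action=mark-connection in-interface=wireguard1 \
    connection-state=new new-connection-mark=wireguard1_pfw passthrough=no \
    comment="pfw wireguard1, out wireguard1"

# 3. Route the LAN's reply packets on those connections through the tunnel
#    table (Andy's second rule). The first reply packet from the server is
#    already part of a marked connection, so prerouting sees the mark.
add chain=prerouting action=mark-routing in-interface=bridge-local \
    connection-mark=wireguard1_pfw new-routing-mark=wireguard1_Traffic \
    passthrough=no

# 4. WireGuard cryptokey routing: inbound packets are accepted only if their
#    source is in the sending peer's allowed-address, and outbound packets
#    select a peer by destination. With no srcnat at the static-IP site the
#    source is an arbitrary Internet address, so the peer that represents
#    the static-IP site must carry 0.0.0.0/0 here. RouterOS does not install
#    a route for allowed-address, so this does not hijack default routing.
#    (Assumed peer comment and tunnel prefix.)
/interface wireguard peers
set [find comment="static-ip-site"] allowed-address=10.255.0.0/30,0.0.0.0/0
```

To check that the return path is in effect, open a connection from outside to xxx:85 and confirm on the Starlink router that the connection is marked (`/ip firewall connection print where connection-mark=wireguard1_pfw`) and that the custom table holds the route (`/routing route print where routing-table=wireguard1_Traffic`). If the connection is marked but the SYN/ACK still leaves through the Starlink uplink, the mangle prerouting rule is not matching (check the in-interface name); if WireGuard shows the packet arriving but the server never sees it, the allowed-address on the static-IP peer is the usual culprit.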