Hi,
I have my MT configured as a Wireguard client, which works fine. Now I’d like to route a specific device (FireTV Stick) in my home network to use this VPN connection. I found this how-to: https://superuser.com/a/999549
but the problem is that routing-mark is broken or no longer supported in ROS 7.1.3:
[admin@MikroTik] > /ip route add dst-address=0.0.0.0/0 distance=1 gateway=192.168.102.1 routing-mark=vpn
expected end of command (line 1 column 70)
Other tutorials on the internet are based on the same routing-mark method; any idea how I can do this now?
You need to define the routing table first (in /routing/table), and the route’s parameter is now named routing-table. And instead of using a mangle rule, you can use a routing rule:
> /routing/table/add name=pve-vpn
> /ip route add dst-address=0.0.0.0/0 distance=1 gateway=192.168.102.1 routing-table=pve-vpn
> /ip firewall nat add chain=srcnat out-interface=wireguard-client-pve action=masquerade
> /routing/rule/add src-address=192.168.1.105/32 action=lookup-only-in-table table=pve-vpn
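Pulling the four commands above into one script, with the fib flag on the table (the step that the later EDIT in this thread shows is required) and the verification commands a practitioner would run straight after. This is an added example, not the forum posters’ own config; the table, interface and host names (pve-vpn, wireguard-client-pve, 192.168.1.105, 192.168.102.1/.2) are the ones used in the thread, and the peer check assumes the tunnel’s peer entry is attached to that interface.

```routeros
# Added example (not from the thread): RouterOS 7 policy routing that sends
# one LAN host through an existing WireGuard client tunnel, plus checks.

# 1. Routing table. "fib" is required; without it the table cannot be used
#    by routing rules (the "input does not match any value of table" error).
/routing/table/add name=pve-vpn fib

# 2. Default route inside that table via the WireGuard server's tunnel address.
/ip/route/add dst-address=0.0.0.0/0 gateway=192.168.102.1 distance=1 \
    routing-table=pve-vpn comment="default via WireGuard for pve-vpn table"

# 3. Policy rule: only this one host is looked up in the VPN table. The /32
#    keeps the scope to a single device; every other LAN host keeps the
#    normal pppoe default route from main.
/routing/rule/add src-address=192.168.1.105/32 action=lookup-only-in-table \
    table=pve-vpn comment="FireTV via VPN"

# 4. Masquerade that host's traffic behind the tunnel address on the way out.
/ip/firewall/nat/add chain=srcnat out-interface=wireguard-client-pve \
    action=masquerade comment="masquerade VPN-routed traffic"

# ---- Checks -----------------------------------------------------------
# Route must show as active (A) inside the pve-vpn table, not only in main.
/ip/route/print detail where routing-table=pve-vpn

# Rule must be listed and not flagged invalid.
/routing/rule/print

# The peer must accept any destination (allowed-address=0.0.0.0/0);
# otherwise WireGuard drops internet-bound packets even when route and
# rule are correct. Assumption: the peer entry references this interface.
/interface/wireguard/peers/print detail where interface=wireguard-client-pve

# Probe from the router itself using the tunnel address as source.
/tool/traceroute src-address=192.168.102.2 1.1.1.1
```

On the rule action: lookup-only-in-table is the safer choice for a VPN-only host, because if the tunnel route is inactive the lookup fails closed instead of falling back to the main table and sending the device out over pppoe in the clear. The alternative action=lookup does fall back to main when the table has no matching route, which is convenient for reaching other routed subnets but leaks traffic when the tunnel is down.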
input does not match any value of table
> /routing/table/print
Flags: D - dynamic; X - disabled, I - invalid; U - used
0 D name="main" fib
1 name="pve-vpn"
EDIT:
Adding the route table with FIB enabled made it available in the last command; however, the IP (192.168.1.105) lost access to the internet, so it doesn’t work this way.
There’s nothing clearly wrong here. You added a new routing table with a default gateway and told the router that 192.168.1.105 should use it. So if 192.168.102.1 is reachable (you have some address/mask on the WG interface where the subnet contains 192.168.102.1), if it’s not blocked by the local or remote firewall, the tunnel works, etc., it should work.
I can’t ping anything except 192.168.1.x hosts from .105
❯ ping 192.168.102.1
PING 192.168.102.1 (192.168.102.1) 56(84) bytes of data.
From 192.168.1.1 icmp_seq=3 Destination Net Unreachable
❯ ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
From 192.168.1.1 icmp_seq=1 Destination Net Unreachable
From 192.168.1.1 icmp_seq=2 Destination Net Unreachable
so it looks like routing is missing somewhere.
Also there is nothing in Torch for this interface.
OK, so I am lost now. How can I display and then add it? What am I looking at here:
[admin@MikroTik] > ip/route/print where routing-table
Flags: D - DYNAMIC; A - ACTIVE; c, s, v, y - COPY
Columns: DST-ADDRESS, GATEWAY, DISTANCE
# DST-ADDRESS GATEWAY DISTANCE
DAv 0.0.0.0/0 pppoe-out1 0
DAc 38.242.191.252/32 pppoe-out1 0
DAc 192.168.1.0/24 bridge1 0
DAc 192.168.102.0/24 wireguard-client-pve 0
0 As 0.0.0.0/0 192.168.102.1 1
[admin@MikroTik] > routing/route/print
Flags: A - ACTIVE; c, s, v, y - COPY; H - HW-OFFLOADED
Columns: DST-ADDRESS, GATEWAY, AFI, DISTANCE, SCOPE, TARGET-SCOPE, IMMEDIATE-GW
DST-ADDRESS GATEWAY AFI DISTANCE SCOPE TARGET-SCOPE IMMEDIATE-GW
Av 0.0.0.0/0 pppoe-out1 ip4 0 30 10 pppoe-out1
Ac 38.242.191.252/32 pppoe-out1 ip4 0 10 pppoe-out1
Ac 192.168.1.0/24 bridge1 ip4 0 10 bridge1
Ac 192.168.102.0/24 wireguard-client-pve ip4 0 10 wireguard-client-pve
As 0.0.0.0/0 192.168.102.1 ip4 1 30 10 wireguard-client-pve
Ac fe80::%ether1/64 ether1 ip6 0 10 ether1
Ac fe80::%bridge1/64 bridge1 ip6 0 10 bridge1
A H ether1 link 0
A H ether2-master link 0
A H ether3 link 0
A H pppoe-out1 link 0
A H bridge1 link 0
A H wireguard-client-pve link 0
Is there an equivalent of the Linux “ip r s” command in MikroTik?
“/ip/route/print detail” shows more info, including the routing table. But since in /routing/route/print it points to wireguard-client-pve, it looks like you have the right one. But then you posted an older config (the routing rule is missing there too).
It is Wireguard installed on Debian. There are two clients configured on it: my MT router at home and my mobile phone for test purposes. With my mobile connected to it I can access anything I want, routed via the VPN. From MT (client) I can ping the Wireguard server IP (192.168.102.1); I don’t know, though, how I can run traceroute from MT using something other than the default gw, for example 192.168.102.1
EDIT:
[admin@MikroTik] > tool/traceroute interface=wireguard-client-pve 1.1.1.1
Columns: ADDRESS, LOSS, SENT, LAST, AVG, BEST, WORST, STD-DEV, STATUS
# ADDRESS LOSS SENT LAST AVG BEST WORST STD-DEV STATUS
1 192.168.102.2 0% 3 0.4ms 0.4 0.3 0.5 0.1 host unreachable from 192.168.102.2
2 0% 0 0ms
[admin@MikroTik] > tool/traceroute interface=wireguard-client-pve 192.168.102.1
Columns: ADDRESS, LOSS, SENT, LAST, AVG, BEST, WORST, STD-DEV
# ADDRESS LOSS SENT LAST AVG BEST WORST STD-DEV
1 192.168.102.1 0% 6 36.4ms 44.7 36.4 84.2 17.7
Not sure if I understand, but it is installed on a bare-metal Dell server in Poland in my dad’s company, if that makes sense.
B. You have two Wireguard clients that connect to the Debian device: an MT device at home, and a smartphone (mobile)
correct
The smartphone connects to the Debian only for internet, or anything else?
Internet only, I don’t need to access the remote LAN network.
The smartphone connects to the Debian and then enters another tunnel and connects to the MT for internet? Or anything else?
No, it just connects to Wireguard on Debian and then access the internet routed through it. This is for test purposes to verify if VPN itself works as expected.
The MT (user(s)) connects to the Debian for internet?
No, MT just has a tunnel to Debian; the purpose is to configure a single client/IP in the MT local network to go through that tunnel. The rest of the clients should access the Internet as normal via the MT pppoe.
The MT (user(s)) connects to the Debian for accessing a subnet or server?
Internet only routed via Debian for single IP behind the MT. Don’t need to access remote (Debian) LAN.