FlippinTurt
just joined
Topic Author
Posts: 15
Joined: Sun Aug 20, 2023 10:48 pm

Lan-Lan connection going out WAN

Wed Mar 06, 2024 10:22 pm

Hey everyone,

As the title suggests, I am having an issue where, when trying to ping or connect to a subnet on a VLAN, the connection tries to go out the WAN, in this case the WG2 connection.

Setup as follows:
2 WANs
2 WireGuard VPNs
Routing tables set up to route specific traffic out the WANs; generally WG1/2 are the primary route out
10.20.20.0/24 is the primary LAN
10.21.21.0/24 is the Docker network on VLAN 50
I have set up mangle rules to mark connections so it's easier to track via logging.

I know I am missing something, possibly a firewall rule, but I just can't get my head around what. I would appreciate some other eyes over my config to check it out.
# 2024-03-07 08:40:39 by RouterOS 7.14
# software id = #########
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = #########
/interface bridge
add ingress-filtering=no name=BR1 port-cost-mode=short vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Lan_Out poe-out=off
set [ find default-name=ether2 ] disabled=yes name=ether2-Spare
set [ find default-name=ether3 ] name=ether3-WAN-Spark
set [ find default-name=ether4 ] name=ether4-TRUNK
set [ find default-name=ether5 ] name=ether5-Spare
/interface wireguard
add listen-port=13827 mtu=1420 name=WG-1
add listen-port=13820 mtu=1420 name=WG-2
/interface vlan
add interface=ether4-TRUNK name=v30.wifi vlan-id=30
add interface=ether4-TRUNK name=v40.guest vlan-id=40
add interface=ether4-TRUNK name=v50.docker vlan-id=50
add interface=ether4-TRUNK name=v66.unit vlan-id=66
add interface=ether4-TRUNK name=v99.lan vlan-id=99
/interface list
add name=wan
add name=lan
/ip pool
add name=guest_pool ranges=192.168.40.2-192.168.40.254
add name=docker_pool ranges=10.21.21.2-10.21.21.127
/ip dhcp-server
add address-pool=guest_pool interface=v40.guest name=guest_dhcp
add address-pool=docker_pool interface=v50.docker name=docker_dhcp
/ip smb users
set [ find default=yes ] disabled=yes
/routing table
add disabled=no fib name=spark
add disabled=no fib name=WG
add disabled=no fib name=WG-2
add disabled=no fib name=unit
/interface bridge port
add bridge=BR1 interface=ether5-Spare internal-path-cost=10 path-cost=10
add bridge=BR1 interface=AC_2.4 internal-path-cost=10 path-cost=10
add bridge=BR1 interface=AX_5 internal-path-cost=10 path-cost=10
add bridge=BR1 disabled=yes interface=temp
add bridge=BR1 interface=ether1-Lan_Out
add bridge=BR1 interface=v30.wifi
add bridge=BR1 interface=v99.lan
/ip firewall connection tracking
set tcp-established-timeout=1h tcp-syn-received-timeout=10s \
    tcp-syn-sent-timeout=10s udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=lan
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set max-neighbor-entries=15360
/interface list member
add interface=BR1 list=lan
add interface=WG-1 list=wan
add interface=WG-2 list=wan
add interface=ether3-WAN-Spark list=wan
add interface=v66.unit list=wan
/interface wireguard peers
add allowed-address=0.0.0.0/0 client-listen-port=51621 comment=150 \
    endpoint-address=123.123.123.123 endpoint-port=51820 interface=WG-1 \
    persistent-keepalive=26s public-key=\
    "%%%%%%%%%%%%%%%%%%%%%%%%%%"
add allowed-address=0.0.0.0/0 client-listen-port=51825 comment=225 \
    endpoint-address=123.123.123.123 endpoint-port=51820 interface=WG-2 \
    persistent-keepalive=25s public-key=\
    "%%%%%%%%%%%%%%%%%%%%%%%"
/ip address
add address=10.20.20.1/24 interface=BR1 network=10.20.20.0
add address=192.168.10.10/24 comment=WAN1 interface=ether3-WAN-Spark network=\
    192.168.10.0
add address=10.2.0.2/30 interface=WG-1 network=10.2.0.0
add address=10.3.0.2/30 interface=WG-2 network=10.3.0.0
add address=192.168.88.100/24 interface=v66.unit network=192.168.88.0
add address=192.168.40.1/24 interface=v40.guest network=192.168.40.0
add address=10.21.21.1/24 interface=v50.docker network=10.21.21.0
/ip dhcp-server
add address-pool=primary_pool interface=BR1 lease-time=1d name=primary_dhcp
/ip dhcp-server network
add address=10.20.20.0/24 comment=Main_DHCP dns-server=10.20.20.6,10.20.20.7 \
    gateway=10.20.20.1
add address=10.21.21.0/24 comment="Docker DHCP" dns-server=10.21.21.1 \
    gateway=10.21.21.1
add address=192.168.40.0/24 dns-server=192.168.40.1,1.0.0.1 gateway=\
    192.168.40.1
/ip dns
set allow-remote-requests=yes doh-timeout=10s max-udp-packet-size=512 \
    use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static
add address=1.1.1.1 name=cloudflare-dns.com
/ip firewall address-list
add address=10.20.20.0/24 list=trusted_admin
add address=10.20.20.161 comment=Book list=my_devices
add address=10.20.20.162 comment=Max list=my_devices
add address=10.20.20.7 comment="PiHole Wireguard" list=my_devices
add address=10.20.20.69 comment=nvr list=blocked_wan
add address=10.20.20.136 comment=reolink list=blocked_wan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid log=yes log-prefix=FI_D_Invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp \
    src-address-list=trusted_admin
add action=accept chain=input comment="defconf: allow admin to router" \
    in-interface-list=lan log=yes log-prefix=FI_A_Lan
add action=accept chain=input comment="defconf: allow admin to router" \
    in-interface=v50.docker log=yes log-prefix=FI_A_Docker
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=\
    "Allow lan DNS queries-UDP and NTP  services" dst-port=53,123 \
    in-interface-list=lan log-prefix=DNS>> protocol=udp
add action=accept chain=input comment="Allow lan DNS queries - TCP" dst-port=\
    53 in-interface-list=lan log-prefix=TCPDNS>> protocol=tcp
add action=drop chain=input comment="drop all else" log=yes log-prefix=\
    FI_D_Other
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log=yes log-prefix=FF_D_Invalid
add action=accept chain=forward comment="allow internet traffic" \
    in-interface-list=lan out-interface-list=wan
add action=accept chain=forward comment="Docker Accept" in-interface=\
    v50.docker log=yes log-prefix=FF_A_BR1-DOCKER src-address-list=\
    my_devices
add action=accept chain=forward comment="Guest Out" in-interface=v40.guest \
    out-interface=v66.unit
add action=accept chain=forward comment="allow WG traffic" in-interface-list=\
    lan log=yes log-prefix=FF_A_145 out-interface=WG-1
add action=accept chain=forward comment="allow WG traffic" in-interface-list=\
    lan log=yes log-prefix=FF_A_221 out-interface=WG-2
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat log=yes log-prefix=FF_A_PortFwd
add action=drop chain=forward comment="drop all else" log=yes log-prefix=\
    FF_D_Other
/ip firewall mangle
add action=mark-connection chain=prerouting comment="Spark Mark" \
    connection-mark=no-mark in-interface=ether3-WAN-Spark \
    new-connection-mark=spark_conn passthrough=yes
add action=mark-connection chain=postrouting connection-mark=no-mark \
    new-connection-mark=spark_conn out-interface=ether3-WAN-Spark \
    passthrough=yes
add action=mark-connection chain=prerouting comment="1WG Mark" \
    connection-mark=no-mark in-interface=WG-1 new-connection-mark=1_WG_conn \
    passthrough=yes
add action=mark-connection chain=postrouting connection-mark=no-mark \
    new-connection-mark=1_WG_conn out-interface=WG-1 passthrough=yes
add action=mark-connection chain=prerouting comment="2WG Mark" \
    connection-mark=no-mark in-interface=WG-2 new-connection-mark=2_WG_conn \
    passthrough=yes
add action=mark-connection chain=postrouting connection-mark=no-mark \
    new-connection-mark=2_WG_conn out-interface=WG-2 passthrough=yes
add action=mark-connection chain=prerouting comment="2D Mark" \
    connection-mark=no-mark in-interface=ether2-Spare new-connection-mark=\
    2d_conn passthrough=yes
add action=mark-connection chain=postrouting connection-mark=no-mark \
    new-connection-mark=2d_conn out-interface=ether2-Spare passthrough=yes
add action=mark-connection chain=prerouting comment="wg Mark" \
    connection-mark=no-mark in-interface=v66.unit new-connection-mark=\
    unit_conn passthrough=yes
add action=mark-connection chain=postrouting comment="wg Mark" \
    connection-mark=no-mark new-connection-mark=unit_conn out-interface=\
    v66.unit passthrough=yes
add action=mark-routing chain=prerouting comment="Spark Return Mark" \
    connection-mark=spark_conn disabled=yes in-interface-list=lan log-prefix=\
    ServReturn>> new-routing-mark=spark passthrough=yes
add action=mark-routing chain=prerouting comment="2D Return Mark" \
    connection-mark=2d_conn disabled=yes in-interface-list=lan log-prefix=\
    ServReturn>> new-routing-mark=main passthrough=yes
add action=mark-routing chain=prerouting comment="WG Return Mark" \
    connection-mark=wg_conn disabled=yes in-interface=*C log-prefix=\
    WGReturn>> new-routing-mark=WG passthrough=yes
add action=mark-routing chain=output comment="Spark Return Traffic" \
    connection-mark=spark_conn disabled=yes log-prefix=Spark-R>> \
    new-routing-mark=spark passthrough=no
add action=mark-routing chain=output comment="2D Return Traffic" \
    connection-mark=2d_conn disabled=yes log-prefix=2DReturn>> \
    new-routing-mark=*401 passthrough=no
add action=mark-routing chain=output comment="WG Return Traffic" \
    connection-mark=wg_conn disabled=yes log-prefix=WGReturn>> \
    new-routing-mark=WG passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="MASQ Unit" log=yes log-prefix=\
    NS_M_Unit out-interface=v66.unit
add action=masquerade chain=srcnat comment="MASQ Spark" connection-mark=\
    spark_conn log=yes log-prefix=NS_M_Spark out-interface=ether3-WAN-Spark
add action=masquerade chain=srcnat comment="MASQ WG45" log=yes log-prefix=\
    NS_M_WG1 out-interface=WG-1
add action=masquerade chain=srcnat comment="MASQ WG21" log=yes log-prefix=\
    NS_M_WG2 out-interface=WG-2
/ip pool
add name=primary_pool next-pool=primary_pool ranges=10.20.20.224/28
/ip route
add comment=WAN1 disabled=no distance=5 dst-address=0.0.0.0/0 gateway=\
    192.168.10.254 pref-src="" routing-table=spark scope=30 \
    suppress-hw-offload=no target-scope=10
add comment=PrimaryRoute disabled=no distance=1 dst-address=0.0.0.0/0 \
    gateway=192.168.10.254 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="WG 145" disabled=no distance=5 dst-address=0.0.0.0/0 gateway=\
    10.2.0.1 pref-src="" routing-table=WG scope=30 suppress-hw-offload=no \
    target-scope=10
add comment="WG 221" disabled=no distance=5 dst-address=0.0.0.0/0 gateway=\
    10.3.0.1 pref-src="" routing-table=WG-2 scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=UNIT_WAN disabled=no distance=5 dst-address=0.0.0.0/0 gateway=\
    192.168.88.1 pref-src="" routing-table=unit scope=30 suppress-hw-offload=\
    no target-scope=10
add disabled=yes distance=1 dst-address=192.168.10.0/24 gateway=\
    192.168.10.254 pref-src="" routing-table=WG-2 scope=30 \
    suppress-hw-offload=no target-scope=10
/routing rule
add action=lookup-only-in-table comment="Unit WG2" disabled=no dst-address=\
    123.123.123.123/32 table=unit
add action=lookup-only-in-table comment="Unit WG1" disabled=no dst-address=\
    123.123.123.123/32 table=unit
add action=lookup comment=IoT disabled=no src-address=10.20.20.128/27 table=\
    WG-2
add action=lookup comment=Personal disabled=no src-address=10.20.20.160/27 \
    table=WG-2
add action=lookup comment=TurtGamer disabled=no src-address=10.20.20.220/32 \
    table=unit
add action=lookup comment="Gaming " disabled=no src-address=10.20.20.192/27 \
    table=WG
add action=lookup comment=DHCP disabled=no src-address=10.20.20.224/28 table=\
    unit
add action=lookup comment=SPare disabled=no src-address=10.20.20.240/28 \
    table=WG
add action=lookup comment=GUEST_DHCP disabled=no src-address=192.168.40.0/24 \
    table=unit
add action=lookup comment=Docker disabled=no src-address=10.21.21.0/24 table=\
    WG-2
/system clock
set time-zone-name=Pacific/Auckland
/system identity
set name=AtlasV2
/system logging
set 0 topics=info,!firewall
add action=Splunk prefix=MikroTik topics=!packet,!debug,!snmp
add topics=script
add action=MinervaSyslog disabled=yes prefix=MikroTik topics=\
    !packet,!debug,!snmp
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=101.100.146.146
add address=202.68.92.244
add address=43.252.70.34
add address=162.159.200.123
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=lan
/tool mac-server mac-winbox
set allowed-interface-list=lan
/tool sniffer
set filter-interface=v66.unit streaming-enabled=yes streaming-server=\
    10.20.20.10:5555
When pinging from the router, I can ping 10.21.21.100 fine.
When pinging from 10.20.20.0/24 I get nothing; the firewall rules show it trying to get masqueraded by WG2, and traceroute confirms this.
From 10.21.21.100/24 I can get to the gateway fine, but not into 10.20.20.0/24.
 
anav
Forum Guru
Posts: 19404
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Lan-Lan connection going out WAN

Wed Mar 06, 2024 10:48 pm

Would love to but have no idea what your network looks like or what the problem is from your description. Perhaps a diagram will help.
 
FlippinTurt
just joined
Topic Author
Posts: 15
Joined: Sun Aug 20, 2023 10:48 pm

Re: Lan-Lan connection going out WAN

Wed Mar 06, 2024 11:44 pm

Would love to but have no idea what your network looks like or what the problem is from your description. Perhaps a diagram will help.
Attached is a rough network diagram, and the firewall log from the traceroute.

All primary LAN devices are on BR1, including v30.wifi; these are all 10.20.20.0/24.
The only devices not in BR1 are on v50.docker, on 10.21.21.0/24. This subnet is ideally available from just a few devices; however, to get it working I don't care if all devices can connect to that subnet.
 
FlippinTurt
just joined
Topic Author
Posts: 15
Joined: Sun Aug 20, 2023 10:48 pm

Re: Lan-Lan connection going out WAN  [SOLVED]

Thu Mar 07, 2024 2:16 am

Resolved, needed to add a route for the IPs in the routing table...
# RouterOS 7 syntax, matching the /routing rule section of the export above; rules are evaluated top-down, so it goes ahead of the src-address lookup rules
/routing rule add action=lookup-only-in-table dst-address=10.21.21.0/24 table=main place-before=0
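Why the opening post's traffic ended up on WG-2, and why a lookup-only-in-table rule for the local subnet fixes it, can be seen with the small simulator below. This is an added example, not code from the thread or from MikroTik: it models RouterOS routing-rule evaluation (rules checked top-down; `lookup` falls through to the next rule when its table has no matching route, `lookup-only-in-table` does not; packets matching no rule use main) over a constructed, simplified copy of the export's tables and the two relevant src-address rules ("Personal" and "Docker"). It goes one step beyond the posted fix by also checking the reply path from the Docker VLAN: under this model the export's "Docker" rule would send replies to WG-2 as well unless a matching rule for 10.20.20.0/24 sits ahead of it, which is my assumption about the general case and not something the thread states.

```python
"""Toy model of RouterOS routing-rule evaluation (constructed example, not MikroTik code).

Rules are evaluated top to bottom. "lookup" consults the named table and
falls through to the next rule when that table has no matching route;
"lookup-only-in-table" never falls through. When no rule matches, the
packet is routed with the main table.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    dst: Net
    out_iface: str


@dataclass(frozen=True)
class Rule:
    action: str            # "lookup" or "lookup-only-in-table"
    table: str
    src: Optional[Net] = None
    dst: Optional[Net] = None


def net(s: str) -> Net:
    return ipaddress.ip_network(s)


# Simplified tables derived from the export: main holds the connected
# subnets plus the WAN default; each policy table holds only its default.
TABLES = {
    "main": [Route(net("10.20.20.0/24"), "BR1"),
             Route(net("10.21.21.0/24"), "v50.docker"),
             Route(net("0.0.0.0/0"), "ether3-WAN-Spark")],
    "WG":   [Route(net("0.0.0.0/0"), "WG-1")],
    "WG-2": [Route(net("0.0.0.0/0"), "WG-2")],
}

# The two source-based rules from the export that matter for this case.
ORIGINAL_RULES = [
    Rule("lookup", "WG-2", src=net("10.20.20.160/27")),  # comment=Personal
    Rule("lookup", "WG-2", src=net("10.21.21.0/24")),    # comment=Docker
]

# Fix: pin local destinations to main *before* the source-based rules.
# The second rule covers the reply path (assumption, see lead-in).
FIXED_RULES = [
    Rule("lookup-only-in-table", "main", dst=net("10.21.21.0/24")),
    Rule("lookup-only-in-table", "main", dst=net("10.20.20.0/24")),
] + ORIGINAL_RULES


def longest_match(table: str, dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix lookup of dst in one table; None if nothing matches."""
    best = None
    for r in TABLES[table]:
        if dst in r.dst and (best is None or r.dst.prefixlen > best.dst.prefixlen):
            best = r
    return best


def egress(rules, src_ip: str, dst_ip: str) -> Optional[str]:
    """Return the egress interface a packet would take, or None if unroutable."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.src is not None and src not in rule.src:
            continue
        if rule.dst is not None and dst not in rule.dst:
            continue
        hit = longest_match(rule.table, dst)
        if hit is not None:
            return hit.out_iface
        if rule.action == "lookup-only-in-table":
            return None  # no fall-through by design
    hit = longest_match("main", dst)
    return hit.out_iface if hit else None


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        print(name, "10.20.20.161 -> 10.21.21.100:", egress(rules, "10.20.20.161", "10.21.21.100"))
        print(name, "10.21.21.100 -> 10.20.20.161:", egress(rules, "10.21.21.100", "10.20.20.161"))
        print(name, "10.20.20.161 -> 1.1.1.1:", egress(rules, "10.20.20.161", "1.1.1.1"))
```

With the original rule order a LAN host in 10.20.20.160/27 matches the "Personal" rule first, the WG-2 table's only route is its default, so the Docker subnet is "found" via WG-2 and the packet is masqueraded out the tunnel, exactly what the firewall log showed. The fixed order answers local destinations from main before any policy rule runs, while Internet-bound traffic from the same host still leaves via WG-2.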
