I guess I dont understand your point then, wish I could help but its beyond my knowledge scope.
Never throught about this. Same problem in ZeroTier (and IPSec) — the tunnel establishment part get's tricky through the packet flow diagram. So kinda make sense that WG handshakes are "before new".In order to facilitate the handshake to complete in a multi-WAN environment (when the inbound interface is not the default gateway) you MUST use policy routing; otherwise the response packet is handed out through the default gateway which makes the handshake fail it the. Okay?
And on top of that, you have to cope with dynamic IP addresses on the WAN interfaces. I'm intrigued by what your "easily fixed" solution will look like.
It's not me you'd have to convince , but likely Mikrotik in a bug report. And they won't believe anything without supout.rif and ideally some traces.I'll try to create a simple diagram and some packet traces that illustrate the whole thing, but considering your previous response you seem to have understood the basic idea.
Both?A purely philosophical question then arises: is this a bug or just a very flexible router?
These built-ins do start/end from userland. WG is mainly in kernel.Assume that connection tracking wouldn't work for any of ROS's built-in services like WinBox, OSPF, BGP, etc. In a multi-WAN environment, you would then need to set up policy routes for each WAN interface and individual service that doesn't arrive through the default gateway.
I just believe in Santa Claus.@ AMMO, I did not know you were a fiction writer. ;-P
Or, just use IPSec with IKEv2 in tunnel mode – I believe – that would let you do this "script-less" using IPSec. But WG was invented since configuring IPSec is hard... but that likely be "script-less", perhaps even faster depending on router.My conclusion, is that you will be happier to sticking to open source linux based routers!
@anav: RoS is acrtually following correctly its Operating System code on how to route traffic.
And that's the rub here... They're public IP, but may change since via DHCP. So some static Linux route rules need to get updated when that public changes (where in VyOS or RSC). The solution (on RouterOS) is to use a script from within DHCP client to update the /routing/rule if those public changes. @Larsa AFAIK is trying to avoid using a DHCP script.If using public ip's wouldn't this work?
ROS route control is purely based on static IP addresses rather than the logical interface names that are available in the kernel (e.g. "ip rule add from DEVICE table table-name").
Of course. BUT again you need use a static route to set. e.g. the check-gateway=ping cannot be added to dynamic default route from DHCP client, without using a script. And, since this a common task... cut-and-paste some script and carefully commenting routing is a PITA. The script+comment approach makes multi-wan just a few more steps difficult – and dealing with multiple WAN is already hard.I don't known what version your running but keep an eye out for check gateway options. It has one for ping.
We're talking about one option in a dropdown box.... So I don't think WG heartbeats in kernel is changing anytime soonWe will consider implementing such a feature.
Unfortunately, giving any ETA for when the feature will be implemented is impossible.
Geez, a little harsh... @Larsa has something working — his problem is clear: "we want to minimize script use in production environments whenever possible".Can we implement working configs now, yes!
....
The main route table can deal with interface as gateway... Perhaps add'l IPs in-between WG and WAN that use recursive routes and masquerade rules... e.g re-route WG through the main routing table (which interface-based gateways are supported) using a "fake WAN" address?@wfburton/Amm0, I have a similar idea that doesn't involve separate routing tables.
/interface bridge
add name=brwg
/ip address
add address=192.168.44.1 interface=brwg network=192.168.44.1
/routing rule
add action=lookup comment="min-prefix=0, all except 0.0.0.0/0" disabled=no min-prefix=0 table=main
add action=lookup comment="return path for wg/openvpn into .44.1" disabled=no src-address=192.168.44.1/32 table=Rvia93
/ip firewall nat
add action=dst-nat chain=dstnat in-interface=wan1 dst-port=20131 protocol=udp to-addresses=192.168.44.1 to-ports=13534
/routing rule
add action=lookup comment="min-prefix=0, all except 0.0.0.0/0" disabled=no min-prefix=0 table=main
I didn't mean to attack-the-attacker either. @anav you do good work here. Just solving some of these "non-problems" is what sometimes eventually yields to simpler "pathways to success". But always a lot of complaining and arguing before that.I'm blushing!!
My uglier approach is:
I have also recently found (as used above) the following rule is very handy before other routing rules.
Any route that we have in route table except 0.0.0.0/0 gets routed via main.Code: Select all/routing rule add action=lookup comment="min-prefix=0, all except 0.0.0.0/0" disabled=no min-prefix=0 table=main
Then 0.0.0.0/0 can be handled specially.
Saves having to list all the local subnets in your routing rules, yay.
/routing rule {
add action=lookup disabled=$norules dst-address=10.0.0.0/8 table=main
add action=lookup disabled=$norules dst-address=172.16.0.0/12 table=main
add action=lookup disabled=$norules dst-address=192.168.0.0/16 table=main
}
Yeah I'm not sure exactly HOW... but somehow "lying" to WG may be the solution to avoid a script.@Amm0: You read my mind! I was thinking of testing that along with some variations of nat/masq if I get some spare time this weekend.
@rplant: yeah, that's about what I had in mind. We'll see what I manage to do over the weekend.
dynamic-in - predefined filter chain for all other dynamic routes, i.e. all dynamic routes except (1) those added by routing protocols and (2) connected routes. In this category falls routes added by some external program, for example PPP daemon.
Nothing to do with WG. It's about how to keep the routing rules "readable" for multiwan.Hi Ammo, you know I am a little slow, what are the practical effect of using $norules or "min-prefix=0.
What is it that they do in simple terms........
/routing rule add action=lookup comment="min-prefix=0, all except 0.0.0.0/0" disabled=no min-prefix=0 table=main
I would guess that it would be a (global) variable that is set to either yes or no to enable or disable all the routing rules in a single quick, swift, move.You didnt comment on $norules ??
Please describe what this does and it was not in the MT docs by the way, so its more interesting to me
That was just a typo. I just cut-and-paste from default configuration files, with a bunch of variables at top. My bad. e.g. If there is no multiwan, I don't want any rules enabled. So imagine some variable at top of config:You didnt comment on $norules ??
Please describe what this does and it was not in the MT docs by the way, so its more interesting to me
Only place I'd worry a bit is with recursive routes — there is the canary 8.8.8.8/32 (or similar) in between. Should work since that's internal to routing... but testing always good.However I like this seemingly elegant approach with apparently no downsides!
/routing rule add action=lookup-only-in-table min-prefix=0 table=main
/routing rule
add action=lookup dst-address=10.0.0.0/8 table=main
add action=lookup dst-address=172.16.0.0/12 table=main
add action=lookup dst-address=192.168.0.0/16 table=main
[...]
I think that's what they're working on... There are a few moving parts in re-mapping . The where/how take some testing I think.This is what I was asking before. Couldn't you use network address other than 0.0.0.0/0.
Correct. It just a scripting variable that get REPLACED in a customized :import script – all config is scripting after all. If you did an :export after it just be "disabled=no". Please ignore it.Okay just to be clear there is no such thing as $norules ???
:global pcvlan do={
/interface vlan add interface=$bridge name="$name_VLAN" vlan-id=[:tonum $pvid]
/ip address add interface="$name_VLAN" address="10.0.$pvid.1/24"
/ip pool add name="$name_POOL" ranges="10.0.$pvid.2-10.0.$pvid.254"
/ip dhcp-server add address-pool="$name_POOL" interface="$name_VLAN" name="$name_DHCP" disabled=no
/ip dhcp-server network add address="10.0.$pvid.0/24" dns-server="$dns" gateway="10.0.$pvid.1"
}
$pcvlan name=BLUE pvid=10 bridge=BR1 dns=192.168.0.1
$pcvlan name=GREEN pvid=20 bridge=BR1 dns=192.168.0.1
$pcvlan name=RED pvid=30 bridge=BR1 dns=192.168.0.1
Clearly it's confusing. But at least min-prefix= is documented, so there's that. And not sure "suppress-prefix" make a difference, once you understand what it does (e.g. it's a matcher after all in /routing/rule, so "suppress" is kinda odd to use in an == equality check too).Isn't the parameter name 'min-prefix' confusing?
[...]
The only mentioning in the documentation of this is on https://help.mikrotik.com/docs/display/ ... cy+Routing where it clearly states that "Equivalent to Linux IP rule suppress_prefixlength . For example to suppress the default route in the routing decision set the value to 0."
What's new in 7.15beta8 (2024-Mar-21 09:12):
*) wireguard - added option to mark peer as responder only (CLI only);
*) route - rework of route attributes;