2 WAN connections, mangle rules and wireguard

mariotsvetanov92 · April 5, 2023, 12:20pm

Hello!
I have configuration for 2 WAN connections configured for load balance and fail over. There is no firewall filter rules on purpose.|
I have DMZ from my internet providers to the mikrotik.
I want to add wireguard configuration and i want to be able to access my lan network ( 192.168.100.0/24).

# apr/05/2023 14:53:07 by RouterOS 7.8
# software id = MSE5-ZZKY
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = HE708M3K3P1
/interface bridge
add name=lan
/interface ethernet
set [ find default-name=ether1 ] comment="A1" name=WAN1 \
    poe-out=off
set [ find default-name=ether2 ] comment="EASYTV" name=WAN2
set [ find default-name=ether3 ] comment=stefan
set [ find default-name=ether4 ] comment="3rd floor"
set [ find default-name=ether5 ] comment=stefan
/interface wifiwave2
set [ find default-name=wifi1 ] configuration.mode=ap .ssid=Mikrotik5 \
    disabled=no
set [ find default-name=wifi2 ] configuration.mode=ap .ssid=Mikrotik \
    disabled=no
/interface wireguard
add listen-port=53231 mtu=1420 name=wireguard1
/interface list
add name=WAN
add name=LAN
/ip pool
add name=dhcp ranges=192.168.100.101-192.168.100.250
/ip dhcp-server
add address-pool=dhcp interface=lan lease-time=1d name=dhcp1
/routing table
add fib name=to_WAN1
add fib name=to_WAN2
/interface bridge port
add bridge=lan interface=ether3
add bridge=lan interface=ether4
add bridge=lan interface=ether5
add bridge=lan interface=wifi1
add bridge=lan interface=wifi2
/interface list member
add interface=WAN1 list=WAN
add interface=WAN2 list=WAN
add interface=lan list=LAN
/interface wireguard peers
add allowed-address=192.168.99.2/32 interface=wireguard1 public-key=\
    "H4APrAYA7deOVfm2fETQybTL0aOEY23eo9s3kHSBCiE="
/ip address
add address=192.168.1.20/24 interface=WAN1 network=192.168.1.0
add address=192.168.100.1/24 interface=lan network=192.168.100.0
add address=192.168.101.20/24 interface=WAN2 network=192.168.101.0
add address=192.168.99.1 interface=wireguard1 network=192.168.99.0
/ip dhcp-server network
add address=192.168.100.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.100.1 \
    netmask=24
/ip dns
set servers=1.1.1.1,8.8.8.8
/ip firewall mangle
add action=accept chain=prerouting dst-address-list=192.168.1.0/24 \
    in-interface=lan
add action=accept chain=prerouting dst-address-list=192.168.101.0/24 \
    in-interface=lan
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=WAN1 new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=lan new-connection-mark=WAN1_conn \
    passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=lan new-connection-mark=WAN2_conn \
    passthrough=yes per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=WAN1_conn \
    in-interface=lan new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_conn \
    in-interface=lan new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN1_conn \
    new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2_conn \
    new-routing-mark=to_WAN2 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN1
add action=masquerade chain=srcnat out-interface=WAN2
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    192.168.1.1 pref-src="" routing-table=to_WAN1 scope=30 \
    suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    192.168.101.1 pref-src="" routing-table=to_WAN2 scope=30 \
    suppress-hw-offload=no target-scope=10
/system clock
set time-zone-name=Europe/Sofia
/system routerboard settings
set auto-upgrade=yes

Wireguard Client config
https://imgur.com/Mi66ZWs

Currently I cannot establish wireguard connection, but I could earlier today, BUT without access to my home network, only ping to router. I was going back and forth with the configuration for long time and at the moment I can’t even establish connection with the wireguard interface.

Please help I am desperate.

anav · April 6, 2023, 12:55pm

Dont understand the rationale for no firewall, why is it not needed??

mariotsvetanov92 · April 6, 2023, 4:15pm

No reason. I am using the default firewall, but for the testing purposes i removed it.
I thought it might interfere in some way.
This is what I use.

# apr/06/2023 16:09:56 by RouterOS 7.8
# software id = MSE5-ZZKY
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = HE708M3K3P1
/interface bridge
add name=lan
/interface ethernet
set [ find default-name=ether1 ] comment="A1 " name=WAN1 \
    poe-out=off
set [ find default-name=ether2 ] comment="EASYTV" name=WAN2
set [ find default-name=ether3 ] comment=stefan
set [ find default-name=ether4 ] comment="3rd floor"
set [ find default-name=ether5 ] comment=stefan
/interface wifiwave2
set [ find default-name=wifi1 ] configuration.mode=ap .ssid=Mikrotik5 \
    disabled=no
set [ find default-name=wifi2 ] configuration.mode=ap .ssid=Mikrotik \
    disabled=no
/interface wireguard
add listen-port=53231 mtu=1420 name=wireguard1
/interface list
add name=WAN
add name=LAN
/ip pool
add name=dhcp ranges=192.168.100.101-192.168.100.250
/ip dhcp-server
add address-pool=dhcp interface=lan lease-time=1d name=dhcp1
/routing table
add fib name=to_WAN1
add fib name=to_WAN2
/interface bridge port
add bridge=lan interface=ether3
add bridge=lan interface=ether4
add bridge=lan interface=ether5
add bridge=lan interface=wifi1
add bridge=lan interface=wifi2
/ipv6 settings
set max-neighbor-entries=15360
/interface list member
add interface=WAN1 list=WAN
add interface=WAN2 list=WAN
add interface=lan list=LAN
add interface=wireguard1 list=LAN
/interface wireguard peers
add allowed-address=192.168.99.2/32 comment=a1 interface=wireguard1 \
    public-key="H4APrAYA7deOVfm2fETQybTL0aOEY23eo9s3kHSBCiE="
add allowed-address=192.168.99.3/32 comment=easytv interface=wireguard1 \
    public-key="iowZhns7OHIH8Di+lZ4zpJMzM8Ts+GExi9dOb8CCPGk="
add allowed-address=192.168.99.4/32 comment=phone interface=wireguard1 \
    public-key="RF/lwraS3xUzJUYA7De8PUFlMIDHxPH8OQat5LHTjVI="
/ip address
add address=192.168.1.20/24 interface=WAN1 network=192.168.1.0
add address=192.168.100.1/24 interface=lan network=192.168.100.0
add address=192.168.101.20/24 interface=WAN2 network=192.168.101.0
add address=192.168.99.1 interface=wireguard1 network=192.168.99.0
/ip dhcp-server network
add address=192.168.100.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.100.1 \
    netmask=24
/ip dns
set servers=1.1.1.1,8.8.8.8
/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=Bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
    d this subnet before enable it" list=Bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=Bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=Bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
    need this subnet before enable it" list=Bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=Bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
    Bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=Bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=Bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=Bogons
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" \
    list=Bogons
/ip firewall filter
add action=accept chain=input comment="allow WireGuard traffic" src-address=\
    192.168.99.0
add action=accept chain=input comment="Wireguard Allow" dst-port=53231 \
    protocol=udp
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=accept chain=input in-interface=wireguard1
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=input port=69 protocol=udp
add action=accept chain=forward port=69 protocol=udp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
    Bogons
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
/ip firewall mangle
add action=accept chain=prerouting dst-address-list=192.168.1.0/24 \
    in-interface=lan
add action=accept chain=prerouting dst-address-list=192.168.101.0/24 \
    in-interface=lan
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=WAN1 new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=lan new-connection-mark=WAN1_conn \
    passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=lan new-connection-mark=WAN2_conn \
    passthrough=yes per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=WAN1_conn \
    in-interface=lan new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_conn \
    in-interface=lan new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN1_conn \
    new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2_conn \
    new-routing-mark=to_WAN2 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN1
add action=masquerade chain=srcnat out-interface=WAN2
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    192.168.1.1 pref-src="" routing-table=to_WAN1 scope=30 \
    suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
    192.168.101.1 pref-src="" routing-table=to_WAN2 scope=30 \
    suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes

anav · April 6, 2023, 4:25pm

What makes you think firewall rules are not an integral part of the config…
All parts touch each other in some way so leaving them out is fruitless.
Also, the default config becomes quickly useless when adding anything to or modifying the default setup.

Finally using the work lan to name the bridge is just stewpidly confusing since its a term already used in the configs for other reasons.

(1) From
/ip firewall filter
add action=accept chain=input comment=“allow WireGuard traffic” src-address=
192.168.99.0
TO:
/ip firewall filter
add action=accept chain=input comment=“allow WireGuard traffic” src-address=
192.168.99**.0/24** in-interface=wireguard1

(2) Remove duplicate…
add action=accept chain=input in-interface=wireguard1

Also all these rules should, in order, be after the default rules aka after the default 127.00 rule.
Lets just say your input chain is a mess… as is your forward chain…

Suggest reading.
https://forum.mikrotik.com/viewtopic.php?t=180838

++++++++++++++++++++++++++++++

(3) For my own learning do you know what the purpose of the first two mangle ACCEPT rules is??
/ip firewall mangle
add action=accept chain=prerouting dst-address-list=192.168.1.0/24
in-interface=lan
add action=accept chain=prerouting dst-address-list=192.168.101.0/24
in-interface=lan

I mean all the other rules I understand their purpose etc.. Just dont see why the above ones are needed??

(4) I dont see the other routes for the WANs, are they done by add default route in IP dhcp client?
If not you should really have. I prefer 5 & 10 so there is room before and in between routes always…
/ip route
add distance**=5** dst-address=0.0.0.0/0 gw=192.168.1.1 check-gateway=ping routing-table=main
add distance**=10** dst-address=0.0.0.0/0 gw=192.168.101.1 routing-table=main
add dst-address=0.0.0.0/0 gw=192.168.1.1 routing-table=to_WAN1 { dist=1 default and makes no diff here }
add dst-address=0.0.0.0/0 gw=192.168.101.1 routing-table=to_WAN2 { dist=1 default and makes no diff here }

anav · April 6, 2023, 5:06pm

Now as for wireguard, the DAC route is created so no extra routes are required NORMALLY.
The mangle traffic hits LAN traffic but we have dst-address-type=!local so that should exempt local wg traffic from getting marked and going out WAN1,2.

Not sure why its not working…
Disable bogon forward chain rule for testing.

mariotsvetanov92 · April 7, 2023, 8:17am

(3) For my own learning do you know what the purpose of the first two mangle ACCEPT rules is??
/ip firewall mangle
add action=accept chain=prerouting dst-address-list=192.168.1.0/24
in-interface=lan
add action=accept chain=prerouting dst-address-list=192.168.101.0/24
in-interface=lan

I was using this video tutorial https://youtu.be/GeuuNE3EPBA?t=179 .
There is no traffic going for this 2 rules. So I guess they are pointless.

add distance=10 dst-address=0.0.0.0/0 gw=192.168.101.1 routing-table=main

Is there any reason behind removing the check-gateway=ping?

# apr/07/2023 08:02:45 by RouterOS 7.8
# software id = MSE5-ZZKY
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = HE708M3K3P1
/interface bridge
add name=BridgeLAN
/interface ethernet
set [ find default-name=ether1 ] comment="A1" name=WAN1 \
    poe-out=off
set [ find default-name=ether2 ] comment="EASYTV" name=WAN2
set [ find default-name=ether3 ] comment=stefan
set [ find default-name=ether4 ] comment="3rd floor"
set [ find default-name=ether5 ] comment=stefan
/interface wifiwave2
set [ find default-name=wifi1 ] configuration.mode=ap .ssid=Mikrotik5 \
    disabled=no
set [ find default-name=wifi2 ] configuration.mode=ap .ssid=Mikrotik \
    disabled=no
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add name=WAN
add name=LAN
/ip pool
add name=dhcp ranges=192.168.100.101-192.168.100.250
/ip dhcp-server
add address-pool=dhcp interface=BridgeLAN lease-time=1d name=dhcp1
/routing table
add fib name=to_WAN1
add fib name=to_WAN2
/interface bridge port
add bridge=BridgeLAN interface=ether3
add bridge=BridgeLAN interface=ether4
add bridge=BridgeLAN interface=ether5
add bridge=BridgeLAN interface=wifi1
add bridge=BridgeLAN interface=wifi2
/ipv6 settings
set max-neighbor-entries=15360
/interface list member
add interface=WAN1 list=WAN
add interface=WAN2 list=WAN
add interface=BridgeLAN list=LAN
add interface=wireguard1 list=LAN
/interface wireguard peers
add allowed-address=192.168.99.2/32 comment=a1 interface=wireguard1 \
    public-key="H4APrAYA7deOVfm2fETQybTL0aOEY23eo9s3kHSBCiE="
add allowed-address=192.168.99.3/32 comment=easytv interface=wireguard1 \
    public-key="iowZhns7OHIH8Di+lZ4zpJMzM8Ts+GExi9dOb8CCPGk="
add allowed-address=192.168.99.4/32 comment=phone interface=wireguard1 \
    public-key="RF/lwraS3xUzJUYA7De8PUFlMIDHxPH8OQat5LHTjVI="
/ip address
add address=192.168.1.20/24 interface=WAN1 network=192.168.1.0
add address=192.168.100.1/24 interface=BridgeLAN network=192.168.100.0
add address=192.168.101.20/24 interface=WAN2 network=192.168.101.0
add address=192.168.99.1 interface=wireguard1 network=192.168.99.0
/ip dhcp-server network
add address=192.168.100.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.100.1 \
    netmask=24
/ip dns
set servers=1.1.1.1,8.8.8.8
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface-list=LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=forward comment="allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
    protocol=udp
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=WAN1 new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=BridgeLAN new-connection-mark=\
    WAN1_conn passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=BridgeLAN new-connection-mark=\
    WAN2_conn passthrough=yes per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=WAN1_conn \
    in-interface=BridgeLAN new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_conn \
    in-interface=BridgeLAN new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN1_conn \
    new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2_conn \
    new-routing-mark=to_WAN2 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN1
add action=masquerade chain=srcnat out-interface=WAN2
add action=dst-nat chain=dstnat comment="RDP Stefan PC A1" dst-port=3389 \
    protocol=tcp to-addresses=192.168.100.249 to-ports=3389
/ip route
add check-gateway=ping disabled=no distance=10 dst-address=0.0.0.0/0 gateway=\
    192.168.1.1 pref-src="" routing-table=to_WAN1 scope=30 \
    suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=5 dst-address=0.0.0.0/0 gateway=\
    192.168.101.1 pref-src="" routing-table=to_WAN2 scope=30 \
    suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes

I am able to connect to public IP to home network computer from outside network(dmz is working) But I am still unable to connect to wireguard.
When I generate some traffic with wireguard client started, I can see only traffic going from client to router, but no traffic from router to client.
Client config: https://imgur.com/FFsbxoY

anav · April 7, 2023, 12:16pm

There is no logic for ping gateway on secondary.
If the primary is down the router keeps checking to see when it comes back and and switches traffic back to primary when it does.
In the meantime router uses WAN2. If WAN2 goes down, no need to check when it comes back up if WAN1 is down. The router will keep attempting WAN2 as it has no other direction to do otherwise.
Until WAN1 comes back up the router will keep checking WAN2. If WAN2 comes back great… If WAN1 comes back up great.

anav · April 7, 2023, 12:18pm

You have to decide which WAN network the wireguard is going to go out and back on, as its critical to ensure the same pathway.
Also important is ensuring that the first router does not see anything but second router IP addresses leaving second router…

anav · April 7, 2023, 12:29pm

Firewall Filter Rules need work.
The input chain is very insecure and unsafe. You miss the point. The default rule is
add action=drop chain=input in-interface-list=!LAN
This means drop all traffic not coming from the LAN.

You have changed this to let all LAN traffic access the router which is only 1/2 of the rule above. You forgot its also blocking.
add action=accept chain=input in-interface-list=LAN

Therefore you need
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment=“drop all else”

forward chain rules are disorganized and done allow wireguard to LAN traffic!!
Where is the wireguard rule for input chain,stuck below within forward chain ruleset.
Fixed

/ip firewall filter
add action=accept chain=input comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=
invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input comment=“allow WireGuard” dst-port=13231
protocol=udp
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment=“drop all else”
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack”
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=
“defconf: accept established,related, untracked” connection-state=
established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=
invalid
add action=accept chain=forward comment=“allow internet traffic”
in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward in-interface=wireguard1 dst-address=192.168.100.0/24
add action=accept chain=forward comment=“allow port forwarding”
connection-nat-state=dstnat
add action=drop chain=forward comment=“drop all else”

Note: by including wireguard1 in LAN interface list, its included in LAN to WAN traffic rule so remote users can access internet out the main router. Also remote users can reach the router itself if required.

anav · April 7, 2023, 12:35pm

add action=dst-nat chain=dstnat comment=“RDP Stefan PC A1” dst-port=3389
protocol=tcp to-addresses=192.168.100.249 to-ports=3389

Wont work, you dont delineate which interface is involved.

anav · April 7, 2023, 12:38pm

Okay I see allowed IPs is the subnet on the MT, but it looks like what you are saying is that both ISP routers you have get fixed/Static WANIPs?
That needs to be known, and speaks to an earlier comment of how users know which WAN to come in on for WIREGUARD…

You didnt make the route changes yet??

mariotsvetanov92 · April 8, 2023, 10:47am

add action=dst-nat chain=dstnat comment=“RDP Stefan PC A1” dst-port=3389
protocol=tcp to-addresses=192.168.100.249 to-ports=3389
Wont work, you dont delineate which interface is involved.

-fixed and works now.

Okay I see allowed IPs is the subnet on the MT, but it looks like what you are saying is that both ISP routers you have get fixed/Static WANIPs?

Both ISP routers have fixed IP. And I used DMZ on both of them pointing to the MT router.

You didnt make the route changes yet??

No, I tried several times with different setups, but I didn’t make it work.

From what I understand I should make out pathway with a route to dst addr 192.168.99.0/24 and gateway 192.168.1.1 (For wan1).
And if that’s correct, I am not sure what firewall rule I would need to make it work.

If WAN1 is down.I wont be able to connect to wireguard. Should I create second Wireguard interface for the WAN2?

anav · April 8, 2023, 1:24pm

Good question!
Best to have two WG interfaces (one for each WAN) for optimal performance.
Best if your equipment can do that automagically but even manually its better as different dyndns systems can take some time to switch.

Easy to have multiple client setups on my iphone so that would work for me as well.

Post your latest config and will have a look.

mariotsvetanov92 · April 8, 2023, 2:10pm

Yes, It is really easy to switch connections with wireguard, however there seems to be a problem with running 2 WG interfaces on the MT.
When I created the second interface it wasn’t running. When I disabled both WG interfaces and then enabled only the newly created interface, it was running!
Maybe there is some limitation?

# apr/08/2023 17:07:06 by RouterOS 7.8
# software id = MSE5-ZZKY
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = HE708M3K3P1
/interface bridge
add name=BridgeLAN
/interface ethernet
set [ find default-name=ether1 ] comment="A1 IP 123.123.123.123" name=WAN1 \
    poe-out=off
set [ find default-name=ether2 ] comment="EASYTV IP 12.12.12.12" name=WAN2
set [ find default-name=ether3 ] comment=stefan
set [ find default-name=ether4 ] comment="3rd floor"
set [ find default-name=ether5 ] comment=stefan
/interface wifiwave2
set [ find default-name=wifi1 ] configuration.mode=ap .ssid=Mikrotik5 \
    disabled=no
set [ find default-name=wifi2 ] configuration.mode=ap .ssid=Mikrotik \
    disabled=no
/interface wireguard
add comment="WG Interface For A1/WAN1" listen-port=13231 mtu=1420 name=\
    wireguard1
add comment="WG Interface for EASYTV/WAN2" disabled=yes listen-port=13231 \
    mtu=1420 name=wireguard2
/interface list
add name=WAN
add name=LAN
/ip pool
add name=dhcp ranges=192.168.100.101-192.168.100.250
/ip dhcp-server
add address-pool=dhcp interface=BridgeLAN lease-time=1d name=dhcp1
/routing table
add fib name=to_WAN1
add fib name=to_WAN2
/interface bridge port
add bridge=BridgeLAN interface=ether3
add bridge=BridgeLAN interface=ether4
add bridge=BridgeLAN interface=ether5
add bridge=BridgeLAN interface=wifi1
add bridge=BridgeLAN interface=wifi2
/ipv6 settings
set max-neighbor-entries=15360
/interface list member
add interface=WAN1 list=WAN
add interface=WAN2 list=WAN
add interface=BridgeLAN list=LAN
add interface=wireguard1 list=LAN
add interface=wireguard2 list=LAN
/interface wireguard peers
add allowed-address=192.168.99.2/32 comment="PC WG WAN1" interface=wireguard1 \
    public-key="H4APrAYA7deOVfm2fETQybTL0aOEY23eo9s3kHSBCiE="
add allowed-address=192.168.98.2/32 comment="PC WG WAN2" disabled=yes \
    interface=wireguard2 public-key=\
    "iowZhns7OHIH8Di+lZ4zpJMzM8Ts+GExi9dOb8CCPGk="
add allowed-address=192.168.99.4/32 comment="Phone WG WAN1" interface=\
    wireguard1 public-key="RF/lwraS3xUzJUYA7De8PUFlMIDHxPH8OQat5LHTjVI="
add allowed-address=192.168.98.4/24 comment="Phone WG WAN2" disabled=yes \
    interface=wireguard2 public-key=\
    "NyjZt96W9I79h5cTct6rEpWk5nYhhgDp7DaQIu9Kw0A="
/ip address
add address=192.168.1.20/24 interface=WAN1 network=192.168.1.0
add address=192.168.100.1/24 interface=BridgeLAN network=192.168.100.0
add address=192.168.101.20/24 interface=WAN2 network=192.168.101.0
add address=192.168.99.1 interface=wireguard1 network=192.168.99.0
add address=192.168.98.0 disabled=yes interface=wireguard2 network=\
    192.168.98.0
/ip dhcp-server network
add address=192.168.100.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.100.1 \
    netmask=24
/ip dns
set servers=1.1.1.1,8.8.8.8
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
    protocol=udp
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=forward comment="allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward dst-address=192.168.100.0/24 in-interface=\
    wireguard1
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=WAN1 new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=BridgeLAN new-connection-mark=\
    WAN1_conn passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=BridgeLAN new-connection-mark=\
    WAN2_conn passthrough=yes per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=WAN1_conn \
    in-interface=BridgeLAN new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_conn \
    in-interface=BridgeLAN new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN1_conn \
    new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2_conn \
    new-routing-mark=to_WAN2 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN1
add action=masquerade chain=srcnat out-interface=WAN2
add action=dst-nat chain=dstnat comment="Mario ASUS RDP A1" dst-port=2323 \
    in-interface=WAN1 protocol=tcp to-addresses=192.168.100.236 to-ports=3389
add action=dst-nat chain=dstnat comment="Mario ASUS RDP EASYTV" dst-port=2323 \
    in-interface=WAN2 protocol=tcp to-addresses=192.168.100.236 to-ports=3389
add action=dst-nat chain=dstnat comment="StefanPC RDP EASYTV" in-interface=\
    WAN2 protocol=tcp to-addresses=192.168.100.249 to-ports=3389
add action=dst-nat chain=dstnat comment="StefanPC RDP A1" in-interface=WAN1 \
    protocol=tcp to-addresses=192.168.100.249 to-ports=3389
/ip route
add check-gateway=ping disabled=no distance=5 dst-address=0.0.0.0/0 gateway=\
    192.168.1.1 pref-src="" routing-table=to_WAN1 scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=no distance=10 dst-address=0.0.0.0/0 gateway=192.168.101.1 \
    pref-src="" routing-table=to_WAN2 scope=30 suppress-hw-offload=no \
    target-scope=10
add comment="TEST wireguard route! " disabled=yes distance=1 dst-address=\
    192.168.99.0/24 gateway=192.168.1.1 pref-src="" routing-table=main scope=\
    30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Sofia

anav · April 8, 2023, 2:18pm

I would say that you cannot have two identical IP addresses for two different wg interfaces.
Also your format is wrong.
add address=192.168.99**.1** interface=wireguard1 network=192.168.99.0

TO:
add address=192.168.99**.1/24** interface=wireguard1 network=192.168.99.0

mariotsvetanov92 · April 8, 2023, 3:21pm

My bad, i corrected it the address to 192.168.99.1/24, however i put 192.168.98.1/24 to WG2, not 99 and still cant have both interfaces on running.

What route I need to make for the WG1 interface to work? Also do I need firewall filter rule for the outgoing WG traffic?

anav · April 8, 2023, 3:25pm

Since I look at so many configs, and not in your head, and things here even seem to be in flux.
Please provided an updated network diagram so I can wrap my head around the plan.

mariotsvetanov92 · April 8, 2023, 4:43pm

My apologies!

https://imgur.com/FZPgzsq

anav · April 8, 2023, 5:45pm

Okay here ya go!!

(1) wireguard settings
/interface wireguard
add comment=“WG Interface For A1/WAN1” listen-port=13231 mtu=1420 name=
wireguard1
add comment=“WG Interface for EASYTV/WAN2” disabled=yes listen-port=14232
mtu=1420 name=wireguard2

(2) /interface wireguard peers
add allowed-address=192.168.99.3/32 comment=“PC WG WAN1” interface=wireguard1
public-key=“H4APrAYA7deOVfm2fETQybTL0aOEY23eo9s3kHSBCiE=”
add allowed-address=192.168.98.2/32 comment=“PC WG WAN2” interface=wireguard2
public-key=“iowZhns7OHIH8Di+lZ4zpJMzM8Ts+GExi9dOb8CCPGk=”
add allowed-address=192.168.99.5/32 comment=“Phone WG WAN1” interface=
wireguard1 public-key=“RF/lwraS3xUzJUYA7De8PUFlMIDHxPH8OQat5LHTjVI=”
add allowed-address=192.168.98.4/24 comment=“Phone WG WAN2” interface=wireguard2
public-key=“NyjZt96W9I79h5cTct6rEpWk5nYhhgDp7DaQIu9Kw0A=”

NOTE: WIREGUARD1 is odd .99 and WIREGUARD2 is even .98, so I made clients the same .3 and .5 for 99 and .2 and .4 for 98, I like patterns… Same with
listening ports wan1 - 13231, wan2 - 14232

(3) /ip address
add address=192.168.1.20/24 interface=WAN1 network=192.168.1.0
add address=192.168.100.1/24 interface=BridgeLAN network=192.168.100.0
add address=192.168.101.20/24 interface=WAN2 network=192.168.101.0
add address=192.168.99.1/24 interface=wireguard1 network=192.168.99.0
add address=192.168.**98.**1/24 interface=wireguard2 network=
192.168.98.0

(4) /ip dns
allow-remote-servers=yes**** set servers=1.1.1.1,8.8.8.8

(5) /ip firewall filter
…
add action=accept chain=input comment=“allow WireGuard” dst-port=13231
protocol=udp
add action=accept chain=input comment=“allow WireGuard” dst-port=14232
protocol=udp
…

(6) ADD to both entries…
/interface list
add name=WAN
add name=LAN
add name=WG
/interface list member
…
add interface=wireguard1 list=WG
add interface=wireguard2 list=WG
…

(7) Modify from:
/ip firewall filter
add action=accept chain=forward dst-address=192.168.100.0/24 in-interface=wireguard1
TO:
add action=accept chain=forward dst-address=192.168.100.0/24 in-interface**-list**=WG

(8) The fun part is the IP NAT and mangling.
We want to ensure a couple of things here.
A. That incoming traffic to wireguard is not caught in the mangling.
B. That reply traffic from LAN subnet to remote WG user is not caught in PCC mangling.
C. Fixed your IP routes setup.

/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark
in-interface=WAN1 new-connection-mark=WAN1_conn passthrough=yes dst-port=!13231 { excludes handshake from marking } ***
add action=mark-connection chain=prerouting connection-mark=no-mark
in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=yes dst-port=!14232 {excludes handshake from marking } ***
add action=accept chain=prerouting connection-mark=no-mark in-interface=BridgeLAN
dst-address-list=Wg-subnets { traffic heading back to WG remote users is not marked }
add action=mark-connection chain=prerouting connection-mark=no-mark
dst-address-type=!local in-interface=BridgeLAN new-connection-mark=
WAN1_conn passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark
dst-address-type=!local in-interface=BridgeLAN new-connection-mark=
WAN2_conn passthrough=yes per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=WAN1_conn
in-interface=BridgeLAN new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_conn
in-interface=BridgeLAN new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN1_conn
new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2_conn
new-routing-mark=to_WAN2 passthrough=yes

/ip firewall address
add address=192.168.99.0/24 list=WG-subnets
add address=192.168.98.0/24 list=WG-subnets

/routing table
add name=To-WAN1 fib
add name=To-WAN2 fib

/ip route
add distance=5 dst-address=0.0.0.0/0 gwy=ISP1 routing-table=main check-gateway=ping
add distance=10 dst-address=0.0.0.0/0 gwy=ISP2 routing-table=main
add dst-address=0.0.0.0/0 gwy=ISP1 routing-table=To-WAN1
add dst-address=0.0.0.0/0 gwy=ISP2 routing-table=To-WAN2

/routing rule add action=lookup-only-in-table src-address=IP-of-WAN-2 table=To-WAN2 { ensures if both WANs are up, that a handshake on WG2 will go back out WAN2 }

*** The reason for these two rules is to ensure the port forwarding coming on WAN1 and WAN2 go out WAN1 and WAN2 respectively during PCC. IF you had no port forwarding they could be removed. I simply added the fact to not mark the wg incoming handshake connections so that they could follow routing separately and thus allow you to have both up at the same time if both WANs were available ( WAN1 on table main because its PRIMARY and WAN2 on routing rule because its secondary )

mariotsvetanov92 · April 10, 2023, 5:09am

It is a good morning! Everything seems to work fine!

I am really glad that we(YOU) resolved my issues. I really appreciate it and I am very thankful.
Big thumbs up for you patience!