Hi All,
I’ve got a wireguard setup working. Standard interface config eth1 (as WAN) and the other ports 2 > 4 on the LAN.
I’d like to make a new WAN to eth4 direct passthrough (so eth4 bypasses the Wireguard altogether and just acts as a ummanaged switch).
Could anyone advise how best to do that setup?
What you’re describing is “bridging” eth1 and eth4 … which obviously involves a bridge. A straight-forward way would be to create a new bridge, move eth4 to it and add eth1 to it. Which would imediately invalidate all WAN IP setup … you’d have to move everything, which refers to eth1, to the new vridge. And that includes IP setup (e.g. DHCP client) and firewall. Not a trivial task, but not impossible either.
Mind that the second bridge will not be offloaded to switch chip so traffic between eth1 and eth4 would hit CPU (depending on traffic throughput it might cause considerable CPU load). You could go with single bridge and VLANs (configured on switch chip) to keep ports isolated.
Hiya, so yes I was reading up on and playing with a new bridge earlier. I was able to bridge eth2 and eth3 as a test but struggled with bridging eth1 and eth4 together (as eth1 is WAN).
If VLAN is the way to go, I’d appreciate some tips how to do that please:)
Not a clue what you wish to accomplish.
Do you have a second WAN connection from a different ISP or perhaps from same ISP that you want to attach to eth4?
Hiya, Ok let me try explain another way.
On the Mikrotik device:
My aim is to make one of the ports Eth4 unencrypted (i.e.it does not pass through Wireguard). Eth4 can be on the same network as the cable modem or it can its own subnet. Whichever is easier.
I hope that makes sense 
Sure…
Eth1 local WAN
Eth 2-4 on bridge and ONE single subnet.
The Bridge ether2-4 go out to a some unknown wireguard for internet.
For some reason you want to use ether4 for Regular WAN local usage.
Problem, how are you going to identify the users on ether4 separate from ether2, ether3 ???
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Option1
Take ether4 off the bridge, assign its own address and almost there.
Option2
Make two vlans associated to the bridge, one goes to ports 2,3 and the other goes to port 4 and almost there…
What you fail to do is
a. provide a config
b. provide any sense of the failover, what happens on ports 2,3 if wireguard connectivity fails… should they be able to access internet locally…
c. what type of wireguard server you are connecting to…
Hiya, option 2 looks the way to go, but unsure how to do that.
For your a,b,c
a. Config below
b. I’ve not considered any failover (black hole) protection as of yet. That’s the next thing on the list to consider.
c. Nordlynx.
****Config
Required Dependencies:
1.Nordlynx PRIVATE AND PUBLIC KEY.
2. NORD connection address (Endpoint) converted into x.x.x.x format.
/interface wireguard add listen-port=38914 mtu=1420 name=wireguard-inet private-key=“ADD YOUR PRIVATE KEY HERE”
/ip address add address=10.5.0.2/30 interface=wireguard-inet network=10.5.0.0
#Add the endpoint address, endpoint port, and public key from the WireGuard config file. Look for the lines starting PublicKey= and Endpoint=.
#For example, if the config says Endpoint=x.x.x.x:51820, enter endpoint-address=x.x.x.2 and endpoint-port=51820
/interface wireguard peers add allowed-address=0.0.0.0/0 endpoint-address=x.x.x.x endpoint-port=51820 interface=wireguard-inet persistent-keepalive=25s public-key=“ADD YOUR PUBLIC KEY HERE”
/ip firewall nat add action=masquerade chain=srcnat out-interface=wireguard-inet src-address=192.168.88.0/24
#Redirect all internet traffic through WireGuard
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/1 gateway=10.5.0.1 pref-src=“” routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=128.0.0.0/1 gateway=10.5.0.1 pref-src=“” routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip dns set servers=10.5.0.1
/ip dhcp-client set 0 use-peer-dns=no
#Redirect the WireGuard IP address through main provider’s gateway. Replace x.x.x.x with the endpoint address from the config file (Endpoint=).
/ip route add disabled=no dst-address=x.x.x.x/32 gateway=[/ip dhcp-client get [find interface=ether1] gateway] routing-table=main suppress-hw-offload=no
The eth4 will connect to one laptop client only.
Hope that provides enough info
No idea what you are doing here.
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/1 gateway=10.5.0.1 pref-src=“” routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=128.0.0.0/1 gateway=10.5.0.1 pref-src=“” routing-table=main scope=30 suppress-hw-offload=no target-scope=10
But what you need should be
add dst-address=0.0.0.0/0 gatewayIP=LOCALWAN-gatewayIP routing-table=main ( either you create manually or already exists due to adding default elsewhere in wan related config )
add dst-address=0.0.0.0/0 gateway=wireguard-inet routing-table=useWG
/routing table add fib name=useWG
Not knowing what kind of subnet situation you have since you failed to provide a config…… will assume you have only one subnet.
Suggest…
/ip dhcp-server network
add address=192.168.88.0 dns-server=10.5.0.1 gateway=192.168.88.1and for all other router needs change your your router dns back to something standard
/ip dns
set allow-remote-requests=yes servers=1.1.1.1**
/routing rule add src-address=192.168.88.0 action=lookup table=useWG**
Finally recommend this mangle rule…to get ahead of any mtu issues.
/ip firewall mangle
add action=change-mss chain=forward comment=“Clamp MSS to PMTU for Outgoing packets” new-mss=clamp-to-pmtu out-interface=wireguard-inet passthrough=yes protocol=tcp tcp-flags=syn