Hi everyone,
I have a specific challenge on a MikroTik CHR (v7). I have two WireGuard interfaces (wg1 and wg2) that are connecting to the exact same remote Endpoint IP address.
I need to force each interface to reach that same IP through different WAN gateways:
wg1 must reach the Endpoint via Gateway 172.16.0.1
wg2 must reach the Endpoint via Gateway 172.16.1.1
Since the destination IP is identical for both, standard destination-based routing won't work. I need to differentiate the traffic originating from the router itself.
My questions for the community:
Is it possible to bind a specific Local Address or a different Listen Port to each outbound tunnel so I can use Mangle rules to mark and route them separately?
How can I reliably use /ip firewall mangle in the output chain to distinguish between the two WireGuard instances if they are targeting the same remote IP and port?
Would setting different listen-port values on my side allow me to capture that traffic in Mangle and apply different routing-marks?
Current environment: MikroTik RouterOS v7 (CHR).
I am trying to achieve this to balance the load or have redundancy between two ISPs for the same remote server. Any help with the Mangle/Routing Rule logic would be great.
Thanks!
Isn't "mangle" the old way? For v7 you should simply use policy-based routing.
Go to "Routing", then "Rules", and create at least one rule to "intercept" traffic from a certain wgX interface and throw it out whatever WAN port you want.
Make sure your NAT config is also correct.
I would want to see a network diagram first, as it's not clear to me what devices and subnets are involved, etc. In both cases, is the CHR acting as the server for the handshake for both WGs?
Are you attempting two different tunnels to the CHR from the same MT router? If so, how many WANs does this router have, etc.?
In addition to the network diagram, a complete config of all connected MT devices is required for analysis:
/export file=anynameyouwish (minus router serial number, any public WAN IP information, keys, DHCP lease lists and any IPv6 config if not used)
If I understand the situation correctly, the proper solution for you is to simply assign different listen ports to the two interfaces, and point one of the wg tunnels to your appropriate vrf.
The VRF feature for underlay traffic is relatively new. If you don't have a VRF, create one. VRFs have their own routing tables.
As far as I have understood, “Mangle” is the more advanced/complex way of doing PBR. Routing-Rules are the easy, fast way to do things - but with a lot less options.
But I think it is by design difficult to PBR WireGuard.
Is it not possible to say WG0 has the IP 172.16.0.1 and WG1 has 172.16.1.1 (all done via IP > Addresses)?
If this doesn't work, maybe the double-NAT workaround helps?
I think this would be the easiest solution for your needs. Your two wg1 and wg2 interfaces are probably already listening on two different ports. Two mangle mark-routing rules on chain=output with src-port as condition should do the job.
Also, if your two gateways expect two different source IP addresses then you'll also need SRCNAT rules to correct the source addresses of the outgoing UDP packets.
Alternative solutions with VRFs might be too disruptive and do not suit all situations. More and more of RouterOS became VRF-aware and if your WANs are in different VRFs then those services might lose the ability to benefit from failover/load-balancing!
Routing rules are unfortunately not applicable in this case, I think. Neither interface, src-address nor dst-address can be used as differentiators. wg1 and wg2 are not what we can use as parameter for interface in your intended rules (you can use them if you want to policy-route the traffic inside the tunnels).
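The mangle approach described in this last reply (and asked about in the original post), as an added worked config that is not from this thread or anyone's actual router: it assumes constructed listen-ports 13231 for wg1 and 13232 for wg2, and placeholder WAN interface names ether1 (172.16.0.0/24 side) and ether2 (172.16.1.0/24 side).

```routeros
# Added example, not from the original thread.
# Assumed (constructed) values: wg1 listen-port=13231, wg2 listen-port=13232,
# WAN interfaces ether1 -> gateway 172.16.0.1, ether2 -> gateway 172.16.1.1.

# One routing table per WAN, each with its own default route.
/routing table
add name=via-wan1 fib
add name=via-wan2 fib
/ip route
add dst-address=0.0.0.0/0 gateway=172.16.0.1 routing-table=via-wan1 comment="wg1 underlay"
add dst-address=0.0.0.0/0 gateway=172.16.1.1 routing-table=via-wan2 comment="wg2 underlay"

# Router-originated UDP (chain=output): destination IP and port are the same
# for both tunnels, so the local listen-port is the only usable differentiator.
# Add dst-address=<endpoint IP> to each rule if you want to keep them tighter.
/ip firewall mangle
add chain=output protocol=udp src-port=13231 action=mark-routing \
    new-routing-mark=via-wan1 passthrough=no comment="wg1 -> WAN1"
add chain=output protocol=udp src-port=13232 action=mark-routing \
    new-routing-mark=via-wan2 passthrough=no comment="wg2 -> WAN2"

# Only needed if each upstream expects packets to carry that WAN's address
# as source (the SRCNAT point raised above).
/ip firewall nat
add chain=srcnat out-interface=ether1 protocol=udp src-port=13231 action=masquerade
add chain=srcnat out-interface=ether2 protocol=udp src-port=13232 action=masquerade

# Check: both mangle counters should increase as each tunnel handshakes,
# and the two peers should show a different local egress per WAN.
/ip firewall mangle print stats
/interface wireguard peers print
```

If a counter stays at zero, compare the src-port in the rule against the actual listen-port shown by /interface wireguard print, since the defaults differ per interface.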