Default route to WG using routing marks

Hi! I got a VPN connection via WireGuard. My goal is to default route SOME clients via WG: it works perfectly using routing rules, but I can't make it work using routing marks (for dynamic operations via address-lists). Is it real, and/or what am I doing wrong?

Shared setup:

/routing table
add disabled=no fib name=WGUPLINK

/interface wireguard
add listen-port=80 mtu=1420 name=WGUPLINK

/interface wireguard peers
add allowed-address=0.0.0.0/0 interface=WGUPLINK ... etc

/ip address
add address=10.0.0.2 interface=WGUPLINK network=10.0.0.2

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    WGUPLINK routing-table=WGUPLINK scope=30 suppress-hw-offload=\
    no target-scope=10

/ip firewall nat
add action=masquerade chain=srcnat out-interface=WGUPLINK

Now I want my internal client 192.168.0.2 to use my WG tunnel for internet access.

Case 1: It works fine if:

/routing rule
add action=lookup-only-in-table disabled=no src-address=192.168.0.2/32 table=WGUPLINK

Case 2: But I can't manage to make it work via routing marks:

/ip firewall address-list
add address=192.168.0.2 disabled=no list=WGUPLINK

/routing rule
add action=lookup-only-in-table disabled=no routing-mark=WGUPLINK table=WGUPLINK

/ip firewall mangle
add action=mark-packet chain=prerouting dst-address-list=!BOGONS new-packet-mark=WGUPLINK \
    passthrough=yes src-address-list=WGUPLINK
add action=mark-connection chain=prerouting new-connection-mark=WGUPLINK packet-mark=WGUPLINK passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WGUPLINK new-routing-mark=WGUPLINK passthrough=no

In both cases I can see in Torch that client pings to external IPs are going through the WG interface and that replies are received. But in case 2 that reply traffic is not sent back to the client.

I hope this will help you.
http://forum.mikrotik.com/t/route-internet-traffic-mt-via-wireguard-tunnel-through-mt-wg-peer/154825/1

You didn't show IP routes or any firewall rules…
You didn't indicate where the user was going to get their internet; what is the WireGuard tunnel connecting to??
Better to use a different name for marking as it's confusing otherwise!!!

Did you DISABLE FAST TRACK on the forward chain for example??

Not sure if the packet mark to route mark is necessary (did you try skipping the whole packet part and bogon part?)

/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark new-connection-mark=wg-MARK passthrough=yes
add action=mark-routing chain=prerouting connection-mark=wg-MARK new-routing-mark=WGUPLINK passthrough=no

No it does not, not even close. That example is for DNS query routing and is mixed in with a bunch of source address NATting, making it way too complicated to suss out for this particular, very specific question.

The OP's question is very clear and valid: how to make use of a firewall address list in routing rules, specifically when it applies to a WireGuard config.
The problem is clear, one cannot use firewall address lists FOR:
a. the destination address in an IP Route dst-address=???
b. source in the Routing Rule (options are src-address, dst-address, interface, routing mark - and NOT firewall address list)

The correct solution IMHO, which the OP is attempting, is to mangle traffic from one IP, as a representative sample for a group of IPs (hence the firewall address list approach), in order to identify that traffic in an associated WireGuard Routing Rule (and an associated IP Route).

but I can't make it work using routing marks (for dynamic operations via address-lists)

That is exactly what I have done, and that post is not about DNS marking; I think you read the last reply only, because I already moved on from the main object and then added the DNS marking after that.

Try this:

add action=mark-connection chain=prerouting src-address-list="LAN_Subnet" \
    dst-address-list=!"LAN_Subnet" new-connection-mark=WGUPLINK \
    packet-mark=WGUPLINK passthrough=yes
add action=mark-routing chain=prerouting src-address-list="LAN_Subnet" \
    dst-address-list=!"LAN_Subnet" connection-mark=WGUPLINK \
    new-routing-mark=WGUPLINK passthrough=no
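To see why the OP's case 2 loses the replies while the rules in this last post keep them, here is a small Python model (added here; it is neither thread code nor RouterOS itself) of the prerouting mangle chain, the shared connection mark, and the routing rule. The LAN_Subnet and BOGONS contents and the 1.1.1.1 destination are assumed; the OP's mark-packet rule is kept in front of both rule sets, since the mark-connection rule above still matches on packet-mark=WGUPLINK.

```python
import ipaddress

# Constructed address lists for the model (LAN_Subnet and BOGONS contents are assumed).
LISTS = {
    "WGUPLINK": ["192.168.0.2/32"],
    "LAN_Subnet": ["192.168.0.0/24"],
    "BOGONS": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
}

def in_list(addr, spec):
    """Match an address against a named list; a leading '!' negates, as in RouterOS."""
    neg, name = spec.startswith("!"), spec.lstrip("!")
    hit = any(ipaddress.ip_address(addr) in ipaddress.ip_network(n) for n in LISTS[name])
    return hit != neg

def run_mangle(rules, pkt, conns):
    """Apply prerouting mangle rules to one packet; conns holds marks per connection."""
    key = frozenset((pkt["src"], pkt["dst"]))  # one connection entry serves both directions
    for r in rules:
        if "src_list" in r and not in_list(pkt["src"], r["src_list"]): continue
        if "dst_list" in r and not in_list(pkt["dst"], r["dst_list"]): continue
        if "packet_mark" in r and pkt.get("packet_mark") != r["packet_mark"]: continue
        if "conn_mark" in r and conns.get(key) != r["conn_mark"]: continue
        if r["action"] == "mark-packet": pkt["packet_mark"] = r["mark"]
        elif r["action"] == "mark-connection": conns[key] = r["mark"]
        elif r["action"] == "mark-routing": pkt["routing_mark"] = r["mark"]
        if not r.get("passthrough", True): break

def lookup(pkt):
    """Routing rule: routing-mark=WGUPLINK -> lookup-only-in-table WGUPLINK (0.0.0.0/0 via tunnel)."""
    if pkt.get("routing_mark") == "WGUPLINK":
        return "WGUPLINK"
    return "LAN" if in_list(pkt["dst"], "LAN_Subnet") else "WAN"  # main table

def simulate(rules):
    """Return the egress chosen for the client's outbound packet and for the reply."""
    conns = {}
    out = {"src": "192.168.0.2", "dst": "1.1.1.1"}
    run_mangle(rules, out, conns)
    reply = {"src": "1.1.1.1", "dst": "192.168.0.2"}  # arrives back through the tunnel
    run_mangle(rules, reply, conns)
    return lookup(out), lookup(reply)

MARK_PKT = {"action": "mark-packet", "src_list": "WGUPLINK", "dst_list": "!BOGONS", "mark": "WGUPLINK"}
CASE2 = [MARK_PKT,  # the OP's case 2: the reply inherits the connection mark and is routed back out
    {"action": "mark-connection", "packet_mark": "WGUPLINK", "mark": "WGUPLINK"},
    {"action": "mark-routing", "conn_mark": "WGUPLINK", "mark": "WGUPLINK", "passthrough": False}]
FIXED = [MARK_PKT,  # this post's rules: only LAN-sourced packets get the routing mark
    {"action": "mark-connection", "src_list": "LAN_Subnet", "dst_list": "!LAN_Subnet",
     "packet_mark": "WGUPLINK", "mark": "WGUPLINK"},
    {"action": "mark-routing", "src_list": "LAN_Subnet", "dst_list": "!LAN_Subnet",
     "conn_mark": "WGUPLINK", "mark": "WGUPLINK", "passthrough": False}]
```

Because a connection mark belongs to both directions of the connection, the reply entering from the tunnel also matches an unrestricted mark-routing rule and is looked up only in WGUPLINK, whose sole route is the default via the tunnel; restricting the rule by src/dst address list leaves the reply in the main table.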