Dial-up type VPN between 2 routers with WireGuard

Hi,

I somehow couldn't find such a specific scenario in the forum, hence the new topic. Apologies if this was already discussed.

I have a hEX PoE (7.15.2) with public static IP and one mAP light (7.15.3) with dynamic address.
The idea is when the mAP turns on and connects (via its ether1) to a DHCP enabled LAN, to:

  • get gateway, DNS, etc... from the DHCP server
  • automatically activate a WireGuard tunnel to the hEX
  • route all self originated and forwarded traffic via the tunnel interface, and not allow anything to pass directly via ether1 (apart from the tunnel itself obviously)

So, my problem is with the routing on mAP side.
If I keep the DHCP default route and simply add a second default one via the WireGuard interface, I get 2 default routes in ECMP, which behaves strangely.

DST-ADDRESS GATEWAY DISTANCE

DAd+ 0.0.0.0/0 10.0.11.101 1
0 As+ 0.0.0.0/0 10.234.234.1 1
DAc 10.0.11.0/24 ether1 0
DAc 10.234.234.0/24 czjinpra 0
DAc 192.168.88.0/24 bridge 0

With the routes above, it seems to be "balancing" and forwarding consecutively one packet via ether1, one via the tunnel (czjinpra), which of course is far from ideal.
I tried setting bigger distance to the DHCP route, but then the tunnel never activates.
Not sure if there is a way here to set a "priority" for the ECMP routes, so that when both interfaces are up, both routes are active, but the tunnel is preferred?

If I remove the DHCP route and manually replace it with a host route for the hEX public IP, then everything works as I want it to:

DST-ADDRESS GATEWAY DISTANCE

0 As 0.0.0.0/0 10.234.234.1 1
DAc 10.0.11.0/24 ether1 0
DAc 10.234.234.0/24 czjinpra 0
1 As 185.<hEX.pub.IP>/32 10.0.11.101 1
DAc 192.168.88.0/24 bridge 0

Except that I have to manually change the gateway of the host route every time I move the mAP to a new network.

What is the proper way of configuring such a scenario in RouterOS?

Thanks in advance, and please bear in mind that I first touched RouterOS about 2 weeks ago :)

How is the LITE connected to the HEX?

What is the LITE connected to for internet?
What is the HEX connected to for internet?

(public/private IP?) (static/dynamic IP?)

This is more of a conceptual question, but okay, here is what my current underlay looks like:

mAP_Lite <--------DHCP---------> any_random_router-with-LAN-port <---------ISP-X---------> {INTERNET} <----------ISP-Y---------> [static-public-IP-on-ether1] hEX

There’s a WireGuard overlay on top of that, which is working fine when the routes are set as in the 2nd example above.
I’m actually connected through that setup right now, and getting out of the hEX’s public IP, while being miles away and behind the mAP Lite.

To put it simply, I’m looking for a way to have the default route via the VPN preferred if the VPN is up, but keep the DHCP route in the table, so that the tunnel can come up.
The end goal is to hand that mAP Lite to a 0-clue user, who would have it connected to power and LAN in, say, a hotel room, connect to the mAP's SSID when it boots up, and exit to the Internet from the hEX's public IP.

I hope that makes sense.

Yes, so the mAP Lite is a preconfigured WireGuard client peer.
Just saw that one recently, will see if I can find it, and this assumes connecting to the internet via the ISP wifi in the hotel or the wired connection in a hotel…
Agreed that the mAP Lite will need two wifi connections, probably 2 GHz to the hotel and 5 GHz to the customer laptop for example.

Even simpler actually. The mAP Lite doesn’t need a wifi client. It connects only via LAN to the hotel network.

Small problem: there is no 5GHz on mAP Lite.
You need 2 wireless connections then, one slave of the other.
First one to connect to whatever network you want to connect to.
Second one as a private network for your PC, … where all traffic will be routed through WG tunnel.

But: if WAN for mAP Lite is ethernet, it becomes a bit different but concept remains the same.

A classic road warrior config.

Yes, the WAN of the mAP Lite is always going to be the ether1 (cable). WWAN will require the user to login to the mAP Lite every time they change location, which is not an option. So, there is no need for a second wireless connection.

It is indeed a classic road warrior config, but the client is the mAP Lite, not a wireguard app.
The only difference is that with allowed 0.0.0.0/0, the wireguard app updates the routes on the host automagically, while in the ROS implementation that doesn’t seem to happen.

Your mAP Lite connects to wireguard using ether1.
Your PC connects to your mAP Lite using local DHCP/network/…, yes ?

Treat that wireguard connection as any other ISP connection for everything coming from bridge.

PC, phone, etc.. wifi clients connects to the wifi bridge of the mAP Lite ---
--- then the mAP Lite "ether1" connects to the LAN with DHCP of the ISP router ---
--- the wireguard connection on top of all this is from the mAP's "ether1", via the LAN of the ISP router, then over the Internet, and lands on the public IP on "ether1" of the hEX

No route for the wireguard interface is created automatically, so I need to create it manually, and the following routes are in the mAP Lite table:

DST-ADDRESS GATEWAY DISTANCE

DAd+ 0.0.0.0/0 10.0.11.101 1 <--------------------------- auto created from the DHCP of the ISP router LAN
0 As+ 0.0.0.0/0 10.234.234.1 1 <---------------------------- manually created to route all traffic via the hEX's wireguard interface IP as gateway
DAc 10.0.11.0/24 ether1 0 <--------------------------- ISP router LAN subnet
DAc 10.234.234.0/24 czjinpra 0 <------------------------------ network of the VPN interfaces
DAc 192.168.88.0/24 bridge 0 <------------------------------ mAP Lite default wifi bridge network

But this can't work properly, because the ECMP routes are ... well ... equal, and half the packets go via the tunnel, the other half via the physical "ether1", as I described in the first message.

On DHCP client for ether1 set default distance to something higher. I usually set at least 5 or 10 so my manual routes can be set to a lower distance.
For equal destinations, lower distances get preference if they are reachable.

You also should add the IP address of your WG entry point with ether1 as exit. Just to be sure you don't kill your WG connection (it cannot go over itself, you see …).

Better approach:
Just tested it using mAP Lite, this works better.

Start from default.
Add wireguard interface
Once it’s working

/routing table add name=useWG fib
/ip route add distance=1 dst-address=0.0.0.0/0 gateway=wireguard-inet routing-table=useWG
/routing rule add src-address=LANsubnet action=lookup table=useWG

(elegantly copied from our friend Anav)

Road warrior setup. Basically we have the mAP Lite acting as a router getting private internet from the hotel LAN.
Behind the maplite is your private network 192.168.33.0/24, and the wifi users getting their IP from that subnet, get forced out the vpn tunnel to home.

/interface bridge
add name=bridge

/interface wireguard
add name=wireguardHome mtu=1420 listen-port=XXXXX
# the listen port does not have to be the same as the home setting

/interface ethernet
set [ find default-name=ether1 ] name=ether1WAN comment="connect to hotel LAN"

/interface list
add name=WAN
add name=LAN

/interface wireless
# 2 GHz AP for the users, interface renamed to wlan2GHz (SSID and security as you like)
set [ find default-name=wlan1 ] name=wlan2GHz

/ip pool
add name=dhcp_pool33 ranges=192.168.33.55-192.168.33.65

/ip dhcp-server
add address-pool=dhcp_pool33 interface=bridge name=dhcp33

/routing table
add disabled=no fib name=via-home

/interface bridge port
add bridge=bridge interface=wlan2GHz

/ip neighbor discovery-settings
set discover-interface-list=LAN

/interface list member
add interface=ether1WAN list=WAN
add interface=bridge list=LAN
add interface=wireguardHome list=WAN

/ip address
add address=192.168.33.1/24 interface=bridge network=192.168.33.0
add address=10.234.234.2/24 interface=wireguardHome network=10.234.234.0

/interface wireguard peers
add allowed-address=10.234.234.0/24 interface=wireguardHome endpoint-address=mynetnameHomeMT.net \
    endpoint-port=ABCDE public-key="…" persistent-keepalive=35s

NOTE: if your intent is to also go out internet from home, not just visit subnets at home then the following applies instead:

/interface wireguard peers
add allowed-address=0.0.0.0/0 interface=wireguardHome endpoint-address=mynetnameHomeMT.net \
    endpoint-port=ABCDE public-key="…" persistent-keepalive=35s



/ip dhcp-server network
add address=192.168.33.0/24 dns-server=192.168.33.1 gateway=192.168.33.1

/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8

/ip dhcp-client
add interface=ether1WAN use-peer-dns=no add-default-route=yes

/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else"
# put the rule above last in the input chain

add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="drop all else"

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat src-address=192.168.33.0/24 dst-port=53 protocol=udp to-addresses=10.234.234.1
add action=dst-nat chain=dstnat src-address=192.168.33.0/24 dst-port=53 protocol=tcp to-addresses=10.234.234.1

Note: We ensure all LAN traffic DNS goes to tunnel and home to retrieve DNS information. Otherwise DNS requests go out local WAN.

/ip route
add dst-address=0.0.0.0/0 gateway=wireguardHome routing-table=via-home

/routing rule
add action=lookup-only-in-table src-address=192.168.33.0/24 table=via-home

(if you want local access when the tunnel is not working, i.e. through the hotel WAN, change the action to simply: lookup)

/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Thanks holvoetn,

Changing the distance doesn’t work because then the DHCP route is never used for some reason.

Adding a second FIB and routing rule works great, but the caveat is that literally all traffic from LAN is routed via WG. So, I lost the mAP management access :)
I expected the connected route to take precedence, but apparently no. Anyway, I’ll deal with that on the next reset. And I’ll need to read some more about the routing decisions in ROS.

One more issue though. With such setup, how do I route the self-generated syslog traffic via the WG tunnel? Is there a way to set the source IP for the remote logging to be the LAN/bridge IP, so it can be routed via the tunnel?
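As an added example from the editor, not posted by anyone in the thread: a complete mAP Lite side config that follows holvoetn's first suggestion (DHCP default route at a worse distance plus a /32 host route to the WG entry point via ether1), but lets the DHCP client script maintain that host route, so the gateway no longer has to be changed by hand every time the box moves. The tunnel default route carries check-gateway=ping, so the DHCP route only becomes active when the hEX stops answering, and a firewall kill switch makes sure nothing other than DHCP and the WG handshake ever leaves via ether1 in that case. Because everything stays in the main table, the connected 192.168.88.0/24 route still wins and management from the bridge is not lost (the problem hit with the routing-rule approach), and the router's own syslog follows the same default route into the tunnel. Everything not in the thread is a placeholder: 203.0.113.10 and UDP 13231 for the hEX (TEST-NET, not the real address), interface name wg-home, a home LAN 192.168.1.0/24 with a syslog server at 192.168.1.20. The hEX side (a route or NAT for 10.234.234.0/24, ICMP and DNS accepted on its tunnel address) is assumed and not shown.

```routeros
# Added example, not from the thread: mAP Lite side only.
# Placeholders: hEX public IP 203.0.113.10 and WG port 13231, local WG interface
# wg-home = 10.234.234.2/24 with the hEX at 10.234.234.1, home LAN 192.168.1.0/24
# behind the hEX with a syslog server at 192.168.1.20. The factory bridge with
# 192.168.88.0/24 and its DHCP server are kept as they are.

/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1 list=WAN
add interface=bridge list=LAN

/interface wireguard
add name=wg-home listen-port=13231 mtu=1420
/interface wireguard peers
add interface=wg-home endpoint-address=203.0.113.10 endpoint-port=13231 \
    public-key="<hEX-public-key>" allowed-address=0.0.0.0/0 persistent-keepalive=25s
/ip address
add address=10.234.234.2/24 interface=wg-home

# Default route through the tunnel, preferred over the DHCP one (distance 10 below).
# check-gateway=ping removes it from the active table when the hEX stops answering on
# its tunnel address, so the box does not black-hole itself while re-handshaking.
/ip route
add dst-address=0.0.0.0/0 gateway=10.234.234.1 distance=1 check-gateway=ping \
    comment="default via wg-home"

# The DHCP client keeps its default route at a worse distance and re-creates the /32
# host route to the hEX on every bound/unbound event, so the handshake always has a
# path via ether1 whatever gateway the current hotel hands out. $bound and
# $"gateway-address" are the variables RouterOS exposes to the dhcp-client script.
/ip dhcp-client
add interface=ether1 add-default-route=yes default-route-distance=10 use-peer-dns=no \
    script=":if (\$bound=1) do={ /ip route remove [find comment=\"wg-endpoint\"]; /ip route add dst-address=203.0.113.10/32 gateway=\$\"gateway-address\" distance=1 comment=\"wg-endpoint\" } else={ /ip route remove [find comment=\"wg-endpoint\"] }"

# Clients resolve through the router, which asks the hEX over the tunnel (assumes the
# hEX has allow-remote-requests=yes and accepts DNS from 10.234.234.0/24).
/ip dns
set allow-remote-requests=yes servers=10.234.234.1

# Kill switch. The first forward rule sits before the established/related accept on
# purpose: if the tunnel route drops out, existing flows must not silently fail over
# to the hotel LAN. No fasttrack, because fasttracked flows bypass these rules.
/ip firewall filter
add chain=forward action=drop out-interface=ether1 comment="nothing forwarded leaves via ether1"
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept connection-state=established,related
add chain=forward action=accept in-interface-list=LAN out-interface=wg-home
add chain=forward action=drop comment="drop all else"
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept in-interface-list=LAN comment="management only from the bridge"
add chain=input action=accept in-interface=ether1 protocol=udp src-address=203.0.113.10 src-port=13231 comment="WG from the hEX"
add chain=input action=drop comment="drop all else, including the hotel LAN"
add chain=output action=accept out-interface=ether1 protocol=udp dst-port=67 comment="DHCP"
add chain=output action=accept out-interface=ether1 protocol=udp dst-address=203.0.113.10 dst-port=13231 comment="WG to the hEX"
add chain=output action=drop out-interface=ether1 comment="no other self-originated traffic via ether1"
/ip firewall nat
add chain=srcnat action=masquerade out-interface=wg-home

# Router-originated syslog follows the same default route, so it reaches the home
# syslog server through the tunnel; pinning src-address to the tunnel IP makes the
# source explicit instead of leaving it to the route lookup.
/system logging action
set remote remote=192.168.1.20 src-address=10.234.234.2
/system logging
add topics=info action=remote
```

To see it working, re-plug ether1 into a different LAN and check `/ip route print where comment="wg-endpoint"`: the gateway should follow the new DHCP lease without touching anything. `/ip route print where active` shows the tunnel default disappearing and the DHCP default taking over while the hEX is unreachable, during which the output and forward drop rules for ether1 should be the only counters climbing.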