Different gateway (on the other side of Site2Site WG tunnel) for specific host

Hi,
my scenario.
Site A.
hap ac2 ROS 7.11
LAN A: 192.168.20.0/24
wg1 - 172.20.0.1

Site B
hap ac2 ROS 7.11
LAN B: 192.168.50.0/24
wg1 - 172.20.0.2

Sites are connected with Wireguard tunnel, which is working perfectly for traffic between hosts on one and other side of tunnel.

I would like to set the default gateway (0.0.0.0/0) for a specific host on Site B (192.168.50.21) to be on Site A.

I followed the instructions on this site https://help.mikrotik.com/docs/display/ROS/Policy+Routing
but unfortunately did not succeed :frowning:

So.

  1. I’ve created a new routing table on Site B
/routing table
add disabled=no fib name=gle
  2. Added a new route to 0.0.0.0/0 for this table
/ip route
add dst-address=0.0.0.0/0 gateway=172.20.0.1 routing-table=gle
  3. Added a new routing rule
/routing rule
add action=lookup-only-in-table dst-address=0.0.0.0/0 src-address=192.168.50.21/32 table=gle
  4. Exempted traffic from 192.168.50.21 to 0.0.0.0/0 from being NATted on Site B
/ip firewall nat
add action=accept chain=srcnat dst-address=0.0.0.0/0 src-address=192.168.50.21

Unfortunately, after making these settings, 192.168.50.21 (Site B) loses access to the Internet.
It still has access to hosts on Site A.

I tried setting an alternative gateway for specific hosts on the Internet (i.e. 8.8.8.8) on the other side of the WireGuard tunnel
by adding a simple route to the main routing table and a firewall rule for the traffic,
but still with no success :frowning:

/ip route
add dst-address=8.8.8.8 gateway=172.20.0.1
/ip firewall nat
add action=accept chain=srcnat dst-address=8.8.8.8

After this there is no ping response from 8.8.8.8.

What setting did I forget?

Thanks in advance,
Pawel

So basically you have a situation currently that both subnets can visit each other…
assuming allowed ips looks like:

RA
allowedIPs -170.20.0.2/32,192.168.50.0/24
/ip route
add dst-address=192.168.50.0/24 gateway=wireguardA routing-table=main

RB
allowedIPs -170.20.0.0/24,192.168.20.0/24
/ip route
add dst-address=192.168.20.0/24 gateway=wireguardB routing-table=main

Now you want to take a specific user on RB to go out internet on RA…
In terms of wireguard the easiest course of action is

RB
allowedIPs =0.0.0.0/0
/ip route
add dst-address=192.168.20.0/24 gateway=wireguardB routing-table=main

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Now in terms of Router B and forcing the one IP address out a table, you are almost there…
Table looks good!
/ip route looks good except for one small change (the gateway):
add dst-address=0.0.0.0/0 gateway=wireguardB routing-table=gle

(1) Routing rule CHANGE! (remove dst-address)
add action=lookup-only-in-table src-address=192.168.50.21/32 table=gle

Note: Are you sure you never want that device to use the local WAN, even if the WireGuard tunnel is down? If so, keep the action as is; if not, and the local WAN should be a backup, then change the action to just “lookup”.

(2) Get rid of sourcenat rule nonsense. There is no purpose or need to do this.
The device will reach Router A, and then go out the sourcenatting of Router A to the internet.
Since you have defined the necessary IP route on RA, the router is aware of the .50 subnet and knows where to send any return traffic from the net.
This assumes you have the wireguardA interface as part of the LAN interface list, of course.
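The reply above assembled into one command set per router, as an added example that is not from either participant; the interface names (wg1, bridge, ether1), the peer comments and the print checks at the end are assumptions:

```routeros
# Added example (not from the thread): the reply above as one command set per router.
# Interface names (wg1, ether1) and peer comments (SiteA, SiteB) are assumptions.

# ---- Site B (192.168.50.0/24, wg1 = 172.20.0.2): send host .21 out via Site A ----
# The peer entry for Site A must allow the whole Internet, not just Site A's LAN,
# otherwise WireGuard drops the host's outbound packets before they enter the tunnel.
/interface wireguard peers
set [find comment="SiteA"] allowed-address=0.0.0.0/0
# Site A's LAN still needs an explicit static route over the tunnel interface.
/ip route
add dst-address=192.168.20.0/24 gateway=wg1 routing-table=main
# Separate table whose only route is a default via the tunnel interface.
/routing table
add fib name=gle
/ip route
add dst-address=0.0.0.0/0 gateway=wg1 routing-table=gle
# Match on source only. "lookup" falls back to main (local WAN) if the tunnel is down;
# "lookup-only-in-table" never does.
/routing rule
add src-address=192.168.50.21/32 action=lookup table=gle
# No extra srcnat rule on Site B: Site A masquerades this traffic on its own WAN.

# ---- Site A (192.168.20.0/24, wg1 = 172.20.0.1) ----
/interface wireguard peers
set [find comment="SiteB"] allowed-address=172.20.0.2/32,192.168.50.0/24
# Return traffic for the .50 subnet goes back into the tunnel.
/ip route
add dst-address=192.168.50.0/24 gateway=wg1 routing-table=main
# Tunnel interface treated as LAN so the default forward and NAT rules apply to it.
/interface list member
add list=LAN interface=wg1
# The default-config masquerade already covers any source leaving via WAN;
# add it only if it is missing.
/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade comment="masquerade"

# ---- Checks (run on Site B) ----
# The gle table should hold exactly one active default route via wg1,
# and the rule should list src 192.168.50.21/32 with table gle.
/ip route print where routing-table=gle
/routing rule print
```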

Thanks,
Still not working, but for testing purposes I’ve changed my desired configuration.

Let's say we want all traffic from Site B to 8.8.8.8 to go through Site A.

On Site B I added a route:

/ip route
add dst-address=8.8.8.8 gateway=wg1 routing-table=main

I got rid of all sourcenat rules.

On Router A
I already had a route to Site B:
/ip route
add dst-address=192.168.50.0/24 gateway=wg1

But when I try to ping, I still get nothing:

[nawrocki@RouterB] > ping 8.8.8.8 src-address=192.168.50.1
  SEQ HOST                                     SIZE TTL TIME       STATUS
    0 8.8.8.8                                                      timeout
    1 8.8.8.8                                                      timeout
    2 8.8.8.8                                                      timeout
    3 8.8.8.8                                                      timeout

Assumes you have the wireguardA interface as part of the LAN interface list of course.

Yes, wg1 was already a LAN member on both sides.

[nawrocki@RouterA] > /interface/list/member/print
Columns: LIST, INTERFACE
# LIST  INTERFACE
;;; defconf
0 LAN   bridge
;;; defconf
1 WAN   ether1
2 LAN   wg1
3 LAN   wg2
[nawrocki@RouterA] >

Maybe something wrong with Masquerade?

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
[nawrocki@RouterA] /ip/firewall/nat>

I am not going to play what ifs…
Stick to the original assuming thats accurate.
With facts one can make the appropriate assessments and fixes.

Post both configs
/export file=anynameyouwish (minus router serial numbers, public WAN IP info, keys etc.).

Hi,
I’ve started almost from scratch and finally got it working :slight_smile:
I have a custom route for a specific host on Site B (192.168.20.24) to the world.

Here you can find my configs
https://we.tl/t-wReUAvBBcU

Many thanks

Most probably this is not the right place to ask this question, but I hope you can give me the best answer.
Why should I put the WireGuard interface name in /ip/route for remote subnets instead of the remote WireGuard IP, like
/ip route
add dst-address=192.168.2.0/24 gateway=wg1
add dst-address=192.168.3.0/24 gateway=wg1
add dst-address=192.168.4.0/24 gateway=wg1

instead of
/ip route
add dst-address=192.168.2.0/24 gateway=170.20.0.2
add dst-address=192.168.3.0/24 gateway=170.20.0.3
add dst-address=192.168.4.0/24 gateway=170.20.0.4

when I have three peers on wg1:
/interface wireguard peers
add allowed-address=170.20.0.2/32,192.168.2.0/24 comment=RemoteSite1 endpoint-address=remote1IP endpoint-port=13231 interface=wg1
add allowed-address=170.20.0.3/32,192.168.3.0/24 comment=RemoteSite2 endpoint-address=remote2IP endpoint-port=13231 interface=wg1
add allowed-address=170.20.0.4/32,192.168.4.0/24 comment=RemoteSite3 endpoint-address=remote3IP endpoint-port=13231 interface=wg1

Would it be easier for MikroTik to find the right route?

All the answers are in the article I posted.
It's also a matter of understanding how interfaces work on MT routers.
If there are local interfaces and the WireGuard interface is one of them, then the router creates automatic routes for them.
Go to WinBox and check your router; you will see routes for all local interfaces.

The router has no clue about subnets from other routers (not local), and thus if remote subnets are visiting, or local users are visiting remote subnets, then you need to tell the router that they exist and how to get there.