Dual WAN (Dynamic & PPPOE) PCC & Dual Wireguard

Hi, I spent a few days researching/configuring/testing this setup and I think it's doing everything I want. Before I put it into production could you have a look over the config and see if there are any glaring mistakes or anything to optimise the setup.

My must-haves with this setup are:

1 - Dual WAN Load Balance (PCC) with failover. WAN1 is Dynamic IP (Virgin router in Bridge Mode) and WAN2 is PPPOE (BT router in Bridge Mode)
2 - Dual Wireguard connections to allow employees to connect over both connections using two separate WG tunnels and let them decide which one to use.

(There may be a further firewall rule to add to allow the WG VPN to access the subnet, but I'll test and amend once it's installed)

[admin@MikroTik] > export hide-sensitive

2024-12-25 11:03:17 by RouterOS 7.16.2

software id = 8J44-GUKS

model = CCR1009-8G-1S-1S+

serial number = *************

# RouterOS 7.16.2 export as first posted. "# NOTE(review):" lines are reviewer
# annotations; every command line is reproduced byte-for-byte from the post.
/interface bridge
add name=bridge1 port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-gateway
/interface pppoe-client
# NOTE(review): add-default-route=yes installs a dynamic default route in the
# main table next to the static "Ether1-Wan" route further down; the reply
# later in the thread recommends add-default-route=no so only the explicit
# routes and routing marks decide the egress WAN.
add add-default-route=yes disabled=no interface=ether2-gateway name=pppoe-out1 user=btbusinesshub@business.btclick.com
/interface wireguard
add comment=WAN2 listen-port=14231 mtu=1420 name="VDSL(WG)"
add comment=WAN1 listen-port=13231 mtu=1420 name="Virgin(WG)"
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment=Wireguard name=WG
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.2-192.168.1.254
/ip dhcp-server
add address-pool=dhcp interface=bridge1 name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/routing table
add disabled=no fib name=to_ether1
add disabled=no fib name=to_ether2
/interface bridge port
add bridge=bridge1 ingress-filtering=no interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge1 ingress-filtering=no interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge1 ingress-filtering=no interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge1 ingress-filtering=no interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridge1 ingress-filtering=no interface=ether7 internal-path-cost=10 path-cost=10
add bridge=bridge1 ingress-filtering=no interface=ether8 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
# NOTE(review): 10s is a short UDP timeout for a long-lived UDP protocol like
# WireGuard. The connection marks used below for return routing live on the
# conntrack entry, so an idle gap longer than this loses the mark until the
# next inbound packet re-creates it — confirm against the peers' keepalive.
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
# NOTE(review): only bridge1 is in LAN and the WireGuard interfaces are in WG
# only, so the closing input rule "drop all not coming from LAN" also drops
# anything from VPN clients to the router itself that is not accepted earlier
# (e.g. DNS sent to 192.168.30.254 / 192.168.31.254).
add interface=ether1-gateway list=WAN
add interface=bridge1 list=LAN
add interface=ether2-gateway list=WAN
add interface=pppoe-out1 list=WAN
add interface="VDSL(WG)" list=WG
add interface="Virgin(WG)" list=WG
/interface ovpn-server server
# NOTE(review): md5 is listed as an accepted OVPN auth algorithm. The OVPN
# server does not appear to be enabled anywhere in this export; if it is ever
# switched on, drop md5 from the list.
set auth=sha1,md5
/interface wireguard peers
add allowed-address=192.168.30.1/32 interface="Virgin(WG)" name=Gary1 public-key="1bukt0UMWs4/5LFGh38sIcqUWh58EESEeD3pHXhzfD8="
add allowed-address=192.168.31.1/32 interface="VDSL(WG)" name=Gary2 public-key="7yZysM02Q7ITAuT2Fcj6NrK4oU57f8zwI4josSfmgQw="
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
add address=192.168.30.254/24 interface="Virgin(WG)" network=192.168.30.0
add address=192.168.31.254/24 interface="VDSL(WG)" network=192.168.31.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add add-default-route=no interface=ether1-gateway
add add-default-route=no disabled=yes interface=ether2-gateway
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1 netmask=24
/ip dns
# NOTE(review): allow-remote-requests=yes makes the router a resolver for
# anything that reaches its input chain; protection against use from the WAN
# side rests entirely on the final input-chain drop rule below.
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.30.0/24 list=WG-subnets
add address=192.168.31.0/24 list=WG-subnets
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
# NOTE(review): the two WireGuard accepts match on dst-port only. Adding
# in-interface-list=WAN keeps the listeners reachable from the ISPs without
# also opening them on every other interface.
add action=accept chain=input comment="WAN1 - Allow Wireguard" dst-port=13231 protocol=udp
add action=accept chain=input comment="WAN2 - Allow Wireguard" dst-port=14231 protocol=udp
# NOTE(review): chain=input only sees traffic addressed to the router itself
# (its LAN address 192.168.1.1), so this rule does not give VPN clients
# access to LAN hosts — that is the forward-chain "Allow Wireguard" rule
# below. It also covers "Virgin(WG)" only, not "VDSL(WG)".
add action=accept chain=input comment="Allow router access across Wireguard" dst-address=192.168.1.0/24 in-interface="Virgin(WG)"
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# NOTE(review): fasttrack is disabled, which the mangle marks below need
# (fasttracked packets bypass mangle). If it is re-enabled, add
# connection-mark=no-mark so marked connections stay out of the fast path.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="Allow Wireguard " dst-address=192.168.1.0/24 in-interface="Virgin(WG)"
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# NOTE(review): this is the last forward rule and it matches
# in-interface-list=WAN only. The WG interfaces are not in WAN, so forwarded
# traffic from VPN clients that none of the rules above matched (anything
# from "VDSL(WG)", or from "Virgin(WG)" to a non-LAN destination) falls
# through to the chain's default accept. A closing "drop all else" rule
# makes the VPN's reach explicit.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=prerouting comment="Load Balance" connection-mark=no-mark connection-state=new in-interface=ether1-gateway
new-connection-mark=ether1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark connection-state=new in-interface=pppoe-out1 new-connection-mark=ether2_conn
passthrough=yes
add action=mark-routing chain=output connection-mark=ether1_conn new-routing-mark=to_ether1 passthrough=yes
add action=mark-routing chain=output connection-mark=ether2_conn new-routing-mark=to_ether2 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark connection-state=new dst-address-type=!local in-interface-list=LAN
new-connection-mark=ether1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark connection-state=new dst-address-type=!local in-interface-list=LAN
new-connection-mark=ether2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=ether1_conn in-interface-list=LAN new-routing-mark=to_ether1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ether2_conn in-interface-list=LAN new-routing-mark=to_ether2 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-gateway
add action=masquerade chain=srcnat out-interface=pppoe-out1
# NOTE(review): this dst-nat has no dst-port match, so every new UDP flow
# arriving on pppoe-out1 for one of the router's own addresses is redirected
# to 192.168.18.93:14231 — and, being dstnat'ed, it also passes the forward
# rule "drop all from WAN not DSTNATed". If the aim was to reach the WAN2
# WireGuard listener, the input-chain accept on udp/14231 already does that;
# otherwise the rule needs at least dst-port=14231. 192.168.18.93 looks like
# an address from the ether1 DHCP range (gateway 192.168.18.1) — confirm what
# it is. The revised config later in the thread drops this rule.
add action=dst-nat chain=dstnat dst-address-type=local in-interface=pppoe-out1 protocol=udp to-addresses=192.168.18.93 to-ports=14231
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
# NOTE(review): 192.168.18.1 is the DHCP-learned WAN1 next hop written in as a
# literal; the ChangeGateways scheduler below rewrites it, keyed by comment.
add check-gateway=ping comment="Ether1-Wan routing gateway" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.18.1 pref-src=0.0.0.0
routing-table=to_ether1 scope=30 suppress-hw-offload=no target-scope=10
add comment=Ether1-Wan distance=1 gateway=192.168.18.1
# NOTE(review): both routes in table to_ether2 are here: the distance=1 entry
# points at ether1-gateway and the pppoe-out1 entry is distance=2, so
# connections marked ether2_conn -> to_ether2 prefer WAN1 and only use WAN2
# when WAN1 fails — the opposite of what the mark implies — while to_ether1
# has no WAN2 fallback at all. Looks like a copy/paste slip; swap the
# distances (or the gateways) so each table prefers its own WAN.
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=ether1-gateway routing-table=to_ether2 scope=30 suppress-hw-offload=no
target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-table=to_ether2 scope=30 suppress-hw-offload=no
target-scope=10
# NOTE(review): 192.168.0.0/24 appears nowhere else in this config (LAN is
# 192.168.1.0/24, the WG subnets are 192.168.30.0/24 and 192.168.31.0/24);
# presumably a remote subnet behind peer Gary1, or a typo — confirm.
add disabled=no distance=1 dst-address=192.168.0.0/24 gateway="Virgin(WG)" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/lcd
set time-interval=hour
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/London
/system note
set show-at-login=no
/system scheduler
# NOTE(review): the script only reads the DHCP client and sets two routes, yet
# it runs with ftp,reboot,...,password,sensitive,sniff,romon; policy=read,write
# is enough and limits what an edited script could do. Polling every 2s could
# also be replaced by the DHCP client's own script hook, which runs on lease
# change. The quotes inside on-event appear unescaped here — an export writes
# them as \" — so this is probably a paste artefact rather than the stored text.
add interval=2s name=ChangeGateways on-event=":global newgw [/ip dhcp-client get [find interface="ether1-gateway" ] gateway ]\r
\n:global activegw [/ip route get [/ip route find comment="Ether1-Wan"] gateway ]\r
\n:if ($newgw != $activegw) do={\r
\n/ip route set [find comment="Ether1-Wan"] gateway=$newgw\r
\n/ip route set [find comment="Ether1-Wan routing gateway"] gateway=$newgw\r
\n}" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=2024-12-15 start-time=23:12:33

There is no need to provide two WireGuard connections…
Simply use WAN1; if WAN1 fails, WireGuard has the capacity to move traffic to WAN2 for any current connection.
However, if someone attempts to establish a tunnel while WAN1 is down, having the backup is a decent option — but let them know it's only for when WireGuard through WAN1 does not seem to be working.
Remove the default route you set to yes for PPPoE; that way we can apply the rules required.
Re-ordered firewall rules
The input chain rule to allow WireGuard to the subnet is wrongly placed; it would seem to be a forward chain rule.
Added a rule to allow access to the router from the WG subnets using the WG interface list. If there are normal users besides admin coming in on WireGuard, create a firewall address list containing only the admin IPs and add src-address-list=ADMIN to the new rule for better specificity.


# Reviewer's proposed revision as posted. "# NOTE(review):" lines are
# annotations; all other lines are byte-identical to the post. The "{ ... }"
# and "+++++" lines are the poster's own markers, not RouterOS syntax
# (a script comment is "#"), and would have to be removed before pasting.
# model = CCR1009-8G-1S-1S+
# serial number = *************
/interface bridge
add name=bridge1 port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-gateway
/interface pppoe-client
add add-default-route=no disabled=no interface=ether2-gateway name=pppoe-out1 user=btbusinesshub@business.btclick.com
/interface wireguard
add comment=WAN2 listen-port=14231 mtu=1420 name="VDSL(WG)"
add comment=WAN1 listen-port=13231 mtu=1420 name="Virgin(WG)"
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment=Wireguard name=WG
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.2-192.168.1.254
/ip dhcp-server
add address-pool=dhcp interface=bridge1 name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/routing table
add disabled=no fib name=use-WAN1
# NOTE(review): RouterOS parameter names are lower-case ("comment="); the
# capitalised form below will most likely be rejected when pasted.
add disabled=no fib name=use-WAN2 Comment="backup vpn"
/interface bridge port
add bridge=bridge1 ingress-filtering=no interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge1 ingress-filtering=no interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge1 ingress-filtering=no interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge1 ingress-filtering=no interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridge1 ingress-filtering=no interface=ether7 internal-path-cost=10 path-cost=10
add bridge=bridge1 ingress-filtering=no interface=ether8 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add interface=ether1-gateway list=WAN
add interface=bridge1 list=LAN
add interface=ether2-gateway list=WAN
add interface=pppoe-out1 list=WAN
add interface="VDSL(WG)" list=WG
add interface="Virgin(WG)" list=WG
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=192.168.30.1/32 interface="Virgin(WG)" name=Gary1 public-key="1bukt0UMWs4/5LFGh38sIcqUWh58EESEeD3pHXhzfD8="
add allowed-address=192.168.31.1/32 interface="VDSL(WG)" name=Gary2 public-key="7yZysM02Q7ITAuT2Fcj6NrK4oU57f8zwI4josSfmgQw="
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
add address=192.168.30.254/24 interface="Virgin(WG)" network=192.168.30.0
add address=192.168.31.254/24 interface="VDSL(WG)" network=192.168.31.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add add-default-route=no interface=ether1-gateway
add add-default-route=no disabled=yes interface=ether2-gateway
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1 
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.30.0/24 list=WG-subnets
add address=192.168.31.0/24 list=WG-subnets
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="WAN1 - Allow Wireguard" dst-port=13231 protocol=udp
add action=accept chain=input comment="WAN2 - Allow Wireguard" dst-port=14231 protocol=udp
# NOTE(review): this accepts every router service from every WireGuard peer.
# As the poster says, narrowing it with src-address-list (admin IPs only) —
# and ideally a dst-port list for the management services actually needed —
# keeps a compromised user device from reaching the router's management plane.
add action=accept chain=input comment="Allow admin from Wireguard" in-interface-list=WG    {  option to add src address list if needed }
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# NOTE(review): connection-mark=no-mark keeps load-balanced connections out of
# fasttrack, which would otherwise bypass the mangle rules below.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes connection-mark=no-mark
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="internet access"  in-interface-list=LAN out-interface-list=WAN
# NOTE(review): VPN clients are allowed to LAN only; with the closing drop
# there is no WG -> WAN path, i.e. a full-tunnel client gets no internet via
# the router. Fine if split-tunnel is intended — confirm.
add action=accept chain=forward comment="Allow Wireguard to LAN" dst-address=192.168.1.0/24 in-interface-list=WG
add action=drop chain=forward comment="drop all else"
/ip firewall mangle
{ mangle traffic TO the router aka VPNS }
# NOTE(review): these mark every new connection that terminates on the router
# by arrival interface (not just WireGuard), so replies from any router
# service leave by the WAN they came in on. That is the desired behaviour.
add action=mark-connection chain=input comment="vpn to WAN1" connection-mark=no-mark in-interface=ether1-gateway  \
new-connection-mark=incoming-wan1  passthrough=yes
add action=mark-connection chain=input comment="vpn to WAN2" connection-mark=no-mark in-interface=pppoe-out1  \
new-connection-mark=incoming-wan2  passthrough=yes
++++++++++++++++
add action=mark-routing chain=output connection-mark=incoming-wan1 \
new-routing-mark=use-WAN1  passthrough=no
add action=mark-routing chain=output connection-mark=incoming-wan2 \
new-routing-mark=use-WAN2  passthrough=no
{ mangle for load balancing }
# NOTE(review): chain=forward runs after the routing decision. The first
# packet of each LAN connection is therefore routed by the main table (WAN1)
# and masqueraded with WAN1's address, and only later packets pick up the
# use-WAN2 mark in prerouting — by then conntrack has fixed the source NAT
# to WAN1, so the 2/1 half of connections would send WAN1-sourced packets
# out pppoe-out1. The original post had these in chain=prerouting, which is
# where PCC classification normally sits; this is a plausible cause of the
# "router can ping but LAN cannot" symptom reported later. Also, the first
# rule lacks the connection-state=new that the second has.
add action=mark-connection chain=forward connection-mark=no-mark  dst-address-type=!local in-interface-list=LAN \
new-connection-mark=ether1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=forward connection-mark=no-mark connection-state=new dst-address-type=!local in-interface-list=LAN \
new-connection-mark=ether2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1
+++++++++++++++++++++
add action=mark-routing chain=prerouting connection-mark=ether1_conn \
new-routing-mark=use-WAN1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=ether2_conn \
new-routing-mark=use-WAN2 passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-gateway
add action=masquerade chain=srcnat out-interface=pppoe-out1
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
{ main table routes recursive }
# NOTE(review): recursive failover — the default routes point at 1.1.1.1 and
# 9.9.9.9, reached via the /32 host routes below, and check-gateway=ping
# withdraws a default route when its probe target stops answering. The
# "...-gateway-IP" values are placeholders for the current next-hop
# addresses. Two syntax slips in the host routes: "target scope=11" needs a
# hyphen (target-scope=11), and 9.9.9.9 lacks the /32 the 1.1.1.1 route has.
add check-gateway=ping  dst-address=0.0.0.0/0 gateway=1.1.1.1 routing-table=main scope=10 target-scope=12 comment=WAN1
add check-gateway=ping  distance=2 dst-address=0.0.0.0/0 gateway=9.9.9.9  routing-table=main scope=10 target-scope=12  comment=WAN2
add dst-address=1.1.1.1/32 gateway=ether1-gateway-IP routing-table=main scope=10 target scope=11
add distance=2 dst-address=9.9.9.9  gateway=pppoe-out1-gateway-IP routing-table=main scope=10 target scope=11
{ special routes for LB }
# NOTE(review): each use-WANx table holds a single route with no
# check-gateway and no second WAN at distance=2, so a connection marked to a
# WAN that is down has no in-table failover (the original to_ether1/to_ether2
# tables carried both gateways). Adding the other WAN at distance=2 in each
# table makes failover explicit rather than relying on table fall-through.
add dst-address=0.0.0.0/0 gateway=ether1-gateway-ip  routing-table=use-WAN1
add dst-address=0.0.0.0/0 gateway=pppoe-out1-gateway-ip routing-table=use-WAN2
# NOTE(review): the "/ip smb shares" section header was lost; as written this
# "set" runs under /ip route and is not what was intended.
set [ find default=yes ] directory=/flash/pub
/lcd
set time-interval=hour
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/London
/system note
set show-at-login=no
/system scheduler
# NOTE(review): the script still searches for comment "Ether1-Wan" /
# "Ether1-Wan routing gateway", but no route in this revision carries either
# comment (they are WAN1 / WAN2), so the gateway updates would match nothing;
# the WAN2 placeholder also has nothing keeping it current. Both points are
# picked up later in the thread. The policy list remains far broader than the
# read,write this script needs.
add interval=2s name=ChangeGateways on-event=":global newgw [/ip dhcp-client get [find interface=\"ether1-gateway\" ] gateway ]\r\
\n:global activegw [/ip route get [/ip route find comment=\"Ether1-Wan\"] gateway ]\r\
\n:if (\$newgw != \$activegw) do={\r\
\n/ip route set [find comment=\"Ether1-Wan\"] gateway=\$newgw\r\
\n/ip route set [find comment=\"Ether1-Wan routing gateway\"] gateway=\$newgw\r\
\n}" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=2024-12-15 start-time=23:12:33

In these lines in your config

# Quoted from the proposed config above. "ether1-gateway-ip" and
# "pppoe-out1-gateway-ip" are placeholders for the current next-hop addresses,
# not RouterOS identifiers — the question below asks exactly this.
{ special routes for LB }
add dst-address=0.0.0.0/0 gateway=ether1-gateway-ip routing-table=use-WAN1
add dst-address=0.0.0.0/0 gateway=pppoe-out1-gateway-ip routing-table=use-WAN2

What is ether1-gateway-ip if that connection is dynamic? Where is this variable being supplied from?

Do I substitute the gateway IP for the pppoe connection in here?

Good questions!
I believe this should address the dynamic nature of the WAN1 gateway as per your script!!
When installing the config, use the actual current gateway IP for WAN1. The script you made will keep the routes up to date.

/ip route
{ main table routes recursive }
# NOTE(review): comment=Ether1-Wan is now on both WAN1 routes (the 1.1.1.1/32
# host route and the use-WAN1 table route), so the scheduler's
# "find comment=Ether1-Wan" updates both when the DHCP gateway changes — that
# is the intent. The use-WAN2 route still has no comment, so nothing keeps its
# placeholder gateway current. "target scope=11" still needs its hyphen.
add check-gateway=ping dst-address=0.0.0.0/0 gateway=1.1.1.1 routing-table=main scope=10 target-scope=12 comment=WAN1
add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=9.9.9.9 routing-table=main scope=10 target-scope=12 comment=WAN2
add dst-address=1.1.1.1/32 gateway=ether1-gateway-IP routing-table=main scope=10 target scope=11 comment=Ether1-Wan
add distance=2 dst-address=9.9.9.9 gateway=pppoe-out1-gateway-IP routing-table=main scope=10 target scope=11
{ special routes for LB }
add dst-address=0.0.0.0/0 gateway=ether1-gateway-ip routing-table=use-WAN1 comment=Ether1-Wan
add dst-address=0.0.0.0/0 gateway=pppoe-out1-gateway-ip routing-table=use-WAN2

++++++++++++++

Now for PPPoE I never remember. I do believe that one can use the interface name “pppoe-out1” as the gateway IP and it should work.
Can you test to see if that's true?

No, the WAN2 gateway remains as 9.9.9.9 and doesn't update. In the PPPoE client I haven't added a default route.

In Route List WAN2 remains 9.9.9.9 and USHI

Okay so WAN1 works as is…
I suspect for WAN2 you will need the same thing, so see if this works…
a. a similar script to capture the change of IP address —> find comment="PPPOE-Wan"
b. put the current PPPoE gateway into the config, so it would look like…

/ip route
{ main table routes recursive }
# NOTE(review): same pattern for both WANs — each host route and its table
# route share a comment (Ether1-Wan / PPPOE-Wan) so one "find comment=" per
# WAN updates both. The WAN2 gateway placeholder must be filled with the
# PPPoE remote address in use at install time. "target scope=11" needs its
# hyphen on both host routes, and 9.9.9.9 should carry /32 like 1.1.1.1.
add check-gateway=ping dst-address=0.0.0.0/0 gateway=1.1.1.1 routing-table=main scope=10 target-scope=12 comment=WAN1
add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=9.9.9.9 routing-table=main scope=10 target-scope=12 comment=WAN2
add dst-address=1.1.1.1/32 gateway=ether1-gateway-IP routing-table=main scope=10 target scope=11 comment=Ether1-Wan
add distance=2 dst-address=9.9.9.9 gateway=pppoe-out1-gateway-IP routing-table=main scope=10 target scope=11 comment=PPPOE-Wan
{ special routes for LB }
add dst-address=0.0.0.0/0 gateway=ether1-gateway-ip routing-table=use-WAN1 comment=Ether1-Wan
add dst-address=0.0.0.0/0 gateway=pppoe-out1-gateway-ip routing-table=use-WAN2 comment=PPPOE-Wan

Ok got the script working and it's populating the route but no internet. Here is the current config.

2024-12-27 13:13:34 by RouterOS 7.16.2

software id = 8J44-GUKS

model = CCR1009-8G-1S-1S+

serial number = **************

# Third export (2024-12-27) as posted. "# NOTE(review):" lines are reviewer
# annotations; all command lines are byte-identical to the post.
/interface bridge
add name=bridge1 port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-gateway
/interface pppoe-client
add disabled=no interface=ether2-gateway name=pppoe-out1 user=btbusinesshub@business.btclick.com
/interface wireguard
add comment=WAN2 listen-port=14231 mtu=1420 name="VDSL(WG)"
add comment=WAN1 listen-port=13231 mtu=1420 name="Virgin(WG)"
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment=Wireguard name=WG
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.2-192.168.1.254
/ip dhcp-server
add address-pool=dhcp interface=bridge1 name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/routing table
add disabled=no fib name=use-WAN1
add disabled=no fib name=use-WAN2
/interface bridge port
add bridge=bridge1 ingress-filtering=no interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge1 ingress-filtering=no interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge1 ingress-filtering=no interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge1 ingress-filtering=no interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridge1 ingress-filtering=no interface=ether7 internal-path-cost=10 path-cost=10
add bridge=bridge1 ingress-filtering=no interface=ether8 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add interface=ether1-gateway list=WAN
add interface=bridge1 list=LAN
add interface=ether2-gateway list=WAN
add interface=pppoe-out1 list=WAN
add interface="VDSL(WG)" list=WG
add interface="Virgin(WG)" list=WG
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=192.168.30.1/32 interface="Virgin(WG)" name=Gary1 public-key="1bukt0UMWs4/5LFGh38sIcqUWh58EESEeD3pHXhzfD8="
add allowed-address=192.168.31.1/32 interface="VDSL(WG)" name=Gary2 public-key="7yZysM02Q7ITAuT2Fcj6NrK4oU57f8zwI4josSfmgQw="
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
add address=192.168.30.254/24 interface="Virgin(WG)" network=192.168.30.0
add address=192.168.31.254/24 interface="VDSL(WG)" network=192.168.31.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add add-default-route=no interface=ether1-gateway
add add-default-route=no disabled=yes interface=ether2-gateway
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.30.0/24 list=WG-subnets
add address=192.168.31.0/24 list=WG-subnets
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="WAN1 - Allow Wireguard" dst-port=13231 protocol=udp
add action=accept chain=input comment="WAN2 - Allow Wireguard" dst-port=14231 protocol=udp
# NOTE(review): every WireGuard peer can reach every router service through
# this rule. Restricting it by src-address-list (admin addresses) and/or the
# management dst-ports actually needed limits what a lost or compromised
# client device can do to the router.
add action=accept chain=input comment="Allow admin from Wireguard" in-interface-list=WG
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# NOTE(review): fasttrack stays disabled and carries connection-mark=no-mark,
# so the mangle marks below are honoured if it is ever enabled.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-mark=no-mark connection-state=established,related disabled=yes hw-offload=
yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="internet access" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow Wireguard to LAN" dst-address=192.168.1.0/24 in-interface-list=WG
add action=drop chain=forward comment="drop all else"
/ip firewall mangle
# NOTE(review): connections terminating on the router are marked by arrival
# WAN so the router's own replies (output chain) leave by the same WAN.
add action=mark-connection chain=input comment="vpn to WAN1" connection-mark=no-mark in-interface=ether1-gateway new-connection-mark=incoming-wan1 passthrough=
yes
add action=mark-connection chain=input comment="vpn to WAN2" connection-mark=no-mark in-interface=pppoe-out1 new-connection-mark=incoming-wan2 passthrough=yes
add action=mark-routing chain=output connection-mark=incoming-wan1 new-routing-mark=use-WAN1 passthrough=no
add action=mark-routing chain=output connection-mark=incoming-wan2 new-routing-mark=use-WAN2 passthrough=no
# NOTE(review): the PCC mark-connection rules are in chain=forward, which runs
# after the routing decision: the first packet of every LAN connection is
# routed by the main table and NATed with that WAN's address before the mark
# exists, and only later packets are steered by the prerouting mark-routing
# rules — so half of the connections would switch WAN mid-connection with the
# original source NAT still in place. Classifying in chain=prerouting (as in
# the first export) avoids this; it is a plausible contributor to "router can
# ping, LAN cannot". The two rules also differ in connection-state=new.
add action=mark-connection chain=forward connection-mark=no-mark dst-address-type=!local in-interface-list=LAN new-connection-mark=ether1_conn passthrough=yes
per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=forward connection-mark=no-mark connection-state=new dst-address-type=!local in-interface-list=LAN new-connection-mark=
ether2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=ether1_conn new-routing-mark=use-WAN1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=ether2_conn new-routing-mark=use-WAN2 passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-gateway
add action=masquerade chain=srcnat out-interface=pppoe-out1
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
# NOTE(review): the default routes point straight at the current next hops
# (192.168.18.1, 81.134.176.1) and are rewritten by the scheduler below, keyed
# by comment WAN1/WAN2. The 1.1.1.1/32 and 9.9.9.9/32 host routes exist, but
# nothing uses 1.1.1.1 or 9.9.9.9 as a gateway, so the recursive
# check-gateway design from the earlier reply is not actually in effect here.
# The host routes and the use-WANx routes name an interface as the gateway;
# that is fine for pppoe-out1 (point-to-point) but on the Ethernet side it
# makes the router ARP for the destination on the link, which only works if
# the Virgin device answers for it — presumably why LAN traffic fails. The
# "Routes are incorrect" reply below replaces this section.
add check-gateway=ping comment=WAN1 dst-address=0.0.0.0/0 gateway=192.168.18.1 routing-table=main scope=10 target-scope=12
add check-gateway=ping comment=WAN2 distance=2 dst-address=0.0.0.0/0 gateway=81.134.176.1 routing-table=main scope=10 target-scope=12
add disabled=no dst-address=1.1.1.1/32 gateway=ether1-gateway routing-table=main scope=10 suppress-hw-offload=no target-scope=11
add disabled=no distance=2 dst-address=9.9.9.9/32 gateway=pppoe-out1 routing-table=main scope=10 suppress-hw-offload=no target-scope=11
add disabled=no dst-address=0.0.0.0/0 gateway=ether1-gateway routing-table=use-WAN1 suppress-hw-offload=no
add disabled=no dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-table=use-WAN2 suppress-hw-offload=no
/system note
set show-at-login=no
/system scheduler
# NOTE(review): the WAN2 half reads the pppoe-out1 address's "network" field,
# which on a PPPoE interface is the remote end — that is the right source.
# The "set" lines for comments "WAN1 routing gateway" / "WAN2 routing
# gateway" match no route in this export (only WAN1 / WAN2 exist), so they
# are no-ops until the routes from the reply below are in place. Both halves
# reuse the same globals (newgw/activegw); harmless when run sequentially but
# easy to trip over. The policy list is still much broader than the
# read,write this script needs, and start-date=1970-01-02 suggests the clock
# was unset when it was created — worth checking that NTP is configured.
add interval=2s name=ChangeGateways on-event=":global newgw [/ip dhcp-client get [find interface="ether1-gateway" ] gateway ]\r
\n:global activegw [/ip route get [/ip route find comment="WAN1"] gateway ]\r
\n:if ($newgw != $activegw) do={\r
\n/ip route set [find comment="WAN1"] gateway=$newgw\r
\n/ip route set [find comment="WAN1 routing gateway"] gateway=$newgw\r
\n}\r
\n\r
\n:global newgw [/ip address get [/ip address find interface="pppoe-out1" ] network ]\r
\n:global activegw [/ip route get [/ip route find comment="WAN2"] gateway ]\r
\n:if ($newgw != $activegw) do={\r
\n/ip route set [find comment="WAN2"] gateway=$newgw\r
\n/ip route set [find comment="WAN2 routing gateway"] gateway=$newgw\r
\n}" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=1970-01-02 start-time=00:02:27

Routes are incorrect…
From
# Current routes as exported: default routes carry the literal next hops and
# the host/table routes use interface names as gateways (see the replacement
# below, which moves to recursive gateways 1.1.1.1 / 9.9.9.9).
/ip route
add check-gateway=ping comment=WAN1 dst-address=0.0.0.0/0 gateway=192.168.18.1 routing-table=main scope=10 target-scope=12
add check-gateway=ping comment=WAN2 distance=2 dst-address=0.0.0.0/0 gateway=81.134.176.1 routing-table=main scope=10 target-scope=12
add disabled=no dst-address=1.1.1.1/32 gateway=ether1-gateway routing-table=main scope=10 suppress-hw-offload=no target-scope=11
add disabled=no distance=2 dst-address=9.9.9.9/32 gateway=pppoe-out1 routing-table=main scope=10 suppress-hw-offload=no target-scope=11
add disabled=no dst-address=0.0.0.0/0 gateway=ether1-gateway routing-table=use-WAN1 suppress-hw-offload=no
add disabled=no dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-table=use-WAN2 suppress-hw-offload=no

TO:
# NOTE(review): the comments are typed with curly quotes (“WAN1”), which
# RouterOS will not accept — use straight quotes or just comment=WAN1. With
# these comments the scheduler's "find comment=WAN1/WAN2" now updates the
# host routes, and "WAN1/WAN2 routing gateway" the per-table routes, which
# is where the real next hops live in the recursive design; the default
# routes themselves stay pointed at 1.1.1.1 / 9.9.9.9. "actual-gateway…"
# values are placeholders for the next hops in use at install time.
/ip route
add check-gateway=ping dst-address=0.0.0.0/0 gateway=1.1.1.1 routing-table=main scope=10 target-scope=12
add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=9.9.9.9 routing-table=main scope=10 target-scope=12
add dst-address=1.1.1.1/32 gateway=actual-gatewayIP-WAN1 routing-table=main scope=10 target-scope=11 comment=“WAN1”
add distance=2 dst-address=9.9.9.9/32 gateway=actual-gateway-IP-WAN2 routing-table=main scope=10 target-scope=11 comment=“WAN2”
add dst-address=0.0.0.0/0 gateway=actual-gatewayIP-WAN1 routing-table=use-WAN1 comment=“WAN1 routing gateway”
add dst-address=0.0.0.0/0 gateway=actual-gatewayIP-WAN2 routing-table=use-WAN2 comment=“WAN2 routing gateway”

With those changes I can ping 8.8.8.8 from the router but not from anything behind the router.

When I check connections I’m seeing 4 connection marks
ether1_conn
ether2_conn
incoming-wan1
incoming-wan2

Is that correct?

That's why I put separate names, so that you can see whether all four are being seen.
It must be something else in the config, will look at it later when I have time.