Dual WAN PCC - can not access LAN via Wireguard

Hello,
I want to help a friend of mine who owns a small business, but I got stuck configuring Wireguard over two WANs.

Situation:

  1. a small town in the mountains with frequent Internet failures, hence the need for two Internet connections;
  2. a simple failover config would be sufficient, but, as he pays for both, PCC was considered the better option;
  3. 5 persons working remotely, hence the need for a Wireguard setup;
  4. equipment: 2 HAP ax2; if everything goes as planned, the main router will be an RB5009 and the first two will be used as APs.

Problem:
I cannot access the local network over a Wireguard session when both WAN interfaces are active. I found at least six discussions on this topic here on the forums, but wasn't able to solve the issue.
With both WAN interfaces active, I can initiate a working Wireguard session, either on WAN1 or WAN2, and can ping the router 192.168.88.1, but cannot access any of the other LAN devices.
With only one WAN active (either one) everything works fine.

The config:

# 2025-06-08 11:00:44 by RouterOS 7.19.1
# software id = ---
#
# model = C52iG-5HaxD2HaxD
# serial number = ---
/interface bridge
add admin-mac=48:A9:8A:D5:EB:C0 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] disabled=yes name=ether1-orange
set [ find default-name=ether2 ] name=ether2-digi
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether2-digi name=pppoe-digi \
    password=--- use-peer-dns=yes user=---
/interface wireguard
add comment="Wireguard server" listen-port=13231 mtu=1420 name=wireguard \
    private-key="---"
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=miniLAN
/interface wifi channel
add band=5ghz-ax disabled=no name=wifi6 skip-dfs-channels=10min-cac width=\
    20/40mhz
add band=2ghz-ax disabled=no name=wifi4 skip-dfs-channels=10min-cac width=\
    20mhz
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes name=security \
    passphrase=---
/interface wifi configuration
add channel=wifi6 country=Romania disabled=no mode=ap name=wifi6 security=\
    security ssid=---
add channel=wifi4 country=Romania disabled=no mode=ap name=wifi4 security=\
    security ssid=---
/interface wifi
# operated by CAP 48:A9:8A:6B:39:EC%bridge, traffic processing on CAP
add configuration=wifi4 disabled=no name=cap-wifi1 radio-mac=\
    48:A9:8A:6B:39:F1
# operated by CAP 48:A9:8A:6B:39:EC%bridge, traffic processing on CAP
add configuration=wifi4 disabled=no name=cap-wifi2 radio-mac=\
    48:A9:8A:6B:39:F2
# no connection to CAPsMAN, managed locally
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac \
    configuration=wifi6 configuration.manager=capsman-or-local .mode=ap \
    .ssid=--- disabled=no security.authentication-types=\
    wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
# no connection to CAPsMAN, managed locally
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac \
    configuration=wifi4 configuration.manager=capsman-or-local .mode=ap \
    disabled=no security.authentication-types=wpa2-psk,wpa3-psk .ft=yes \
    .ft-over-ds=yes
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/routing table
add disabled=no fib name=digi
add disabled=no fib name=orange
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/ip smb
set enabled=no
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set rp-filter=strict
/ipv6 settings
set disable-ipv6=yes
/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=\
    all wan-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-orange list=WAN
add interface=wireguard list=LAN
add interface=pppoe-digi list=WAN
add interface=bridge list=miniLAN
/interface ovpn-server server
add mac-address=FE:B5:58:8B:42:3A name=ovpn-server1
/interface wifi cap
set certificate=none discovery-interfaces=bridge enabled=yes
/interface wifi capsman
set enabled=yes interfaces=bridge package-path="" require-peer-certificate=no \
    upgrade-policy=none
/interface wifi provisioning
add action=create-enabled comment="---" disabled=no master-configuration=\
    wifi4 radio-mac=48:A9:8A:6B:39:F1 slave-configurations=wifi4 \
    slave-name-format=""
add action=create-enabled comment="---" disabled=no master-configuration=\
    wifi4 radio-mac=48:A9:8A:6B:39:F2 slave-configurations=wifi6
add action=create-enabled comment="Local 1" disabled=no master-configuration=\
    wifi4 radio-mac=48:A9:8A:D5:EB:C4 slave-configurations=wifi6
add action=create-enabled comment="Local 2" disabled=no master-configuration=\
    wifi4 radio-mac=48:A9:8A:D5:EB:C5 slave-configurations=wifi6
/interface wireguard peers
add allowed-address=192.168.80.2/32 client-address=192.168.80.2/32 \
    client-dns=192.168.88.1 comment="---" interface=wireguard name=\
    wg1 private-key="---" \
    public-key="---"
...
add allowed-address=192.168.80.12/32 client-address=192.168.80.12/32 \
    client-dns=192.168.88.1 comment="Test" interface=wireguard name=\
    wg11 private-key="---" \
    public-key="---"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.80.1/24 interface=wireguard network=192.168.80.0
/ip dhcp-client
# Interface not active
add comment=defconf interface=ether1-orange
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=\
    1.1.1.1,8.8.8.8,8.8.4.4 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="Allow forward for Wireguard Bridge" \
    in-interface=wireguard out-interface=bridge
add action=accept chain=forward comment="Allow forward for Bridge Wireguard" \
    in-interface=bridge out-interface=wireguard
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu protocol=tcp \
    tcp-flags=syn
add action=mark-connection chain=prerouting comment=\
    "Mark NEW INPUT connections FROM Digi" connection-mark=no-mark \
    connection-state=new in-interface=pppoe-digi new-connection-mark=\
    digi_conn
add action=mark-connection chain=prerouting comment=\
    "MARK NEW INPUT connections FROM Orange" connection-mark=no-mark \
    connection-state=new in-interface=ether1-orange new-connection-mark=\
    orange_conn
add action=mark-routing chain=output comment=\
    "Mark NEW OUTPUT connections TO Digi" connection-mark=digi_conn \
    new-routing-mark=digi
add action=mark-routing chain=output comment=\
    "Mark NEW OUTPUT connections TO Orange" connection-mark=\
    orange_conn new-routing-mark=orange
add action=mark-connection chain=prerouting comment=\
    "PCC LAN - Digi 2/0" connection-mark=no-mark \
    connection-state=new dst-address-type=!local in-interface-list=miniLAN \
    new-connection-mark=digi_conn per-connection-classifier=\
    src-address-and-port:2/0
add action=mark-connection chain=prerouting comment=\
    "PCC LAN - Orange 2/1" connection-mark=no-mark \
    connection-state=new dst-address-type=!local in-interface-list=miniLAN \
    new-connection-mark=orange_conn per-connection-classifier=\
    src-address-and-port:2/1
add action=mark-routing chain=prerouting comment=\
    "Mark FORWARD FROM LAN - Digi" in-interface-list=miniLAN \
    new-routing-mark=digi
add action=mark-routing chain=prerouting comment=\
    "Mark FORWARD FROM LAN - Orange" in-interface-list=miniLAN \
    new-routing-mark=orange
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT - DIGI" disabled=yes \
    ipsec-policy=out,none out-interface=pppoe-digi src-address=\
    192.168.88.0/24
add action=masquerade chain=srcnat comment="NAT - Orange" disabled=yes \
    ipsec-policy=out,none out-interface=ether1-orange
add action=masquerade chain=srcnat comment=\
    "masquerade - simply WAN" ipsec-policy=out,none \
    out-interface-list=WAN
/ip route
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
    90.84.225.1 routing-table=orange scope=30 suppress-hw-offload=no \
    target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    pppoe-digi routing-table=digi scope=30 suppress-hw-offload=no \
    target-scope=10
/ip service
set ftp address=192.168.0.0/16
set ssh address=192.168.0.0/16
set telnet address=192.168.0.0/16 disabled=yes
set www address=192.168.0.0/16 disabled=yes
set www-ssl address=192.168.0.0/16 disabled=yes
set winbox address=192.168.0.0/16
set api address=192.168.0.0/16 disabled=yes
set api-ssl address=192.168.0.0/16 disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Bucharest
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Can you point me in the right direction or pinpoint the errors I made?
Thank you!

I would only run one wireguard interface, and over the primary WAN1 (digi).
If the primary WAN1 fails then Wireguard should work on the failover WAN2 (orange).
(Note: one should not PCC any of the wireguard traffic.)

The key point for us is whether both ISP1 and ISP2 provide public IPs to the router, or whether there is an upstream device that gets the public IP which can be forwarded to the router.
Can you confirm this for both WANs?

You seem to have warnings due to attempting to use CAPSMAN, which I detest but it should not be affecting wireguard use.

++++++++++++++++++++++++++++++++++++

  1. First thing to change is this setting; for more than one WAN it should be set to loose!
    /ip settings
    set rp-filter=strict

  2. Second thing is change this to none. Known to cause all kinds of weird issues
    /interface detect-internet
    set detect-interface-list=all internet-interface-list=all lan-interface-list=all wan-interface-list=all

  3. It would appear your WAN1 is showing issues?? Ahhh, why do you have it disabled???
    /ip dhcp-client
    # Interface not active
    add comment=defconf interface=ether1-orange

  4. Forward chain firewall rules modifications.
    a. Put the wireguard rules AFTER the default rules, and you don't need LAN users going to wireguard...
    you have ONLY clients on devices coming to the router, so this should be removed:
    add action=accept chain=forward comment="Allow forward for Bridge Wireguard" in-interface=bridge out-interface=wireguard

/ip firewall filter (forward chain)
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="wg clients to LAN" in-interface=wireguard out-interface=bridge

+++++++++++++++++++++++++++++++++++++++++++++++++
5. I do not believe we need to mangle the WAN traffic as we will use main table routes for non-pcc traffic.
This does mean that we have to accept any WIREGUARD - LAN traffic prior to PCC.
SO:

/ip firewall mangle
{ prevent wg traffic capture in PCC }
add action=accept chain=forward in-interface=bridge out-interface=wireguard comment="ensures return traffic goes back out wireguard"
{ PCC remaining LAN traffic }
add action=mark-connection chain=forward connection-mark=no-mark dst-address-type=!local in-interface-list=miniLAN new-connection-mark=digi_conn per-connection-classifier=src-address-and-port:2/0 passthrough=yes
add action=mark-connection chain=forward connection-mark=no-mark dst-address-type=!local in-interface-list=miniLAN new-connection-mark=orange_conn per-connection-classifier=src-address-and-port:2/1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=digi_conn new-routing-mark=digi passthrough=no comment="Traffic for WAN2 - Digi"
add action=mark-routing chain=prerouting connection-mark=orange_conn new-routing-mark=orange passthrough=no comment="Traffic for WAN1 - Orange"

  6. Your source NAT rules are confused; either use two separate masquerade rules, one per WAN,
    OR use one rule with interface-list=WAN, but not a mix of both!!!
    (Okay, I see you have orange disabled... why keep noise in your config, remove it!!)

  7. Speaking of NOISE, since you don't use IPv6 (disabled), remove the noise of address lists and firewall rules!!!

  8. FTP is not a secure method of accessing the router, so not sure why you have this service enabled??

  9. In terms of routes, you have two out of the four required.
    Am I to assume you have selected DEFAULT ROUTE=YES for both DIGI and ORANGE???
    IF SO, then deselect and make them manually as per below.

The two routes you have entered for PCC DO NOT require a distance separation; it is meaningless as they are in DIFFERENT TABLES.
SO should simply be:
/ip route
add distance=1 check-gateway=ping dst-address=0.0.0.0/0 gateway=pppoe-digi routing-table=main
add distance=2 check-gateway=ping dst-address=0.0.0.0/0 gateway=90.x.x.x. routing-table=main
add dst-address=0.0.0.0/0 gateway=pppoe-digi routing-table=digi
add dst-address=0.0.0.0/0 gateway=90.x.x.x. routing-table=orange

  10. Finally, what IP address do your clients use in the WG settings? The IP Cloud mynetname is a good one, and that should point to the primary WAN when available and to the secondary WAN if not available; it takes some seconds to adjust, but the wireguard connection should also switch accordingly.
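A worked configuration for the point this thread turns on, added here as an example; it is not taken from any post above. The symptom has a visible cause in the first export: the two `mark-routing` rules in prerouting match every packet arriving from `miniLAN` with no `connection-mark` condition (and the second one overrides the first, since `passthrough` defaults to yes), so a LAN host's reply to a Wireguard client (destination 192.168.80.x) gets routing-mark `orange` and is looked up in the `orange` table, whose only entry is a default route out a WAN. When that WAN is down the table has no active route and the lookup falls through to `main`, which holds the connected route via `wireguard`; that is why a single WAN works and two do not. The example below keeps the OP's tables, marks and interface names, but (1) exempts traffic to the LAN and Wireguard subnets from policy routing before any mark is set, (2) derives the routing mark only from a connection mark, (3) keeps the WAN-entry marking so replies to a handshake that arrived on WAN2 leave on WAN2, and (4) does all marking in `prerouting`, because a connection mark written in `forward` is set only after the routing decision for the first packet, which would send a connection classified to orange out digi first. The address-list name `local_nets` and the classifier `both-addresses-and-ports` are my choices. Note that the mangle export posted later in the thread keys both `mark-routing` rules on `digi_conn`; this example assumes the second one is meant to be `orange_conn`.

```routeros
# Added example (not from the thread): multi-WAN PCC that never policy-routes
# traffic destined for the LAN or the WireGuard subnet. Interface, table and
# mark names are the OP's; "local_nets" is an assumed address-list name.

/ip settings
set rp-filter=loose

/ip firewall address-list
add list=local_nets address=192.168.88.0/24 comment="LAN"
add list=local_nets address=192.168.80.0/24 comment="WireGuard clients"

/ip firewall mangle
# 1. Anything going to the LAN or to a WireGuard peer stops here: no routing
#    mark, so it is routed by the main table and leaves via bridge/wireguard.
add chain=prerouting action=accept dst-address-list=local_nets \
    comment="never policy-route LAN<->WG traffic"

# 2. Connections that entered on a WAN (WireGuard handshakes, port forwards)
#    must be answered on the same WAN: mark them on entry and route the
#    router's own replies by that mark.
add chain=prerouting action=mark-connection connection-state=new connection-mark=no-mark \
    in-interface=pppoe-digi new-connection-mark=digi_conn
add chain=prerouting action=mark-connection connection-state=new connection-mark=no-mark \
    in-interface=ether1-orange new-connection-mark=orange_conn
add chain=output action=mark-routing connection-mark=digi_conn \
    new-routing-mark=digi passthrough=no
add chain=output action=mark-routing connection-mark=orange_conn \
    new-routing-mark=orange passthrough=no

# 3. PCC for NEW LAN -> Internet connections, in prerouting so the mark exists
#    before the first packet is routed. Peers arrive on "wireguard", which is
#    not in miniLAN, so their connections are never classified here.
add chain=prerouting action=mark-connection connection-state=new connection-mark=no-mark \
    in-interface-list=miniLAN dst-address-type=!local \
    per-connection-classifier=both-addresses-and-ports:2/0 new-connection-mark=digi_conn
add chain=prerouting action=mark-connection connection-state=new connection-mark=no-mark \
    in-interface-list=miniLAN dst-address-type=!local \
    per-connection-classifier=both-addresses-and-ports:2/1 new-connection-mark=orange_conn

# 4. Routing marks come from the connection mark only. The OP's rules marked
#    every packet from miniLAN, which is what pushed WG replies out a WAN.
add chain=prerouting action=mark-routing in-interface-list=miniLAN \
    connection-mark=digi_conn new-routing-mark=digi passthrough=no
add chain=prerouting action=mark-routing in-interface-list=miniLAN \
    connection-mark=orange_conn new-routing-mark=orange passthrough=no

/ip route
# main: failover for the router itself and for anything without a routing mark
add dst-address=0.0.0.0/0 gateway=pppoe-digi  distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=90.84.225.1 distance=2 check-gateway=ping
# per-WAN tables selected by the routing marks (distance is irrelevant here)
add dst-address=0.0.0.0/0 gateway=pppoe-digi  routing-table=digi   check-gateway=ping
add dst-address=0.0.0.0/0 gateway=90.84.225.1 routing-table=orange check-gateway=ping
```

For the two main-table routes to be the only defaults, `add-default-route=no` must be set on both the PPPoE client and the DHCP client; otherwise the dynamic routes reappear with their own distance. To check the fix, have a peer ping a LAN host while watching the WAN: `/tool sniffer quick interface=pppoe-digi ip-address=192.168.80.2` should show no packets for that peer, and `/ip firewall connection print where dst-address~"192.168.80"` should list those connections with no connection mark.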

HAP ax2 is connected directly to the Internet. Both WAN interfaces have public and static IPv4 addresses and, once connected, provide gateways (routes).
That's my fear: that somehow Wireguard traffic gets PCC'd and packets enter one WAN interface and leave by the second. That's why I have the miniLAN interface list, which does not contain the wireguard interface. The LAN list contains the wireguard interface.
Please ignore the WiFi/capsman config as it will be reworked and equipment added.

Long time Mikrotik user, but for my personal use, at home. I am not familiar with complex setups.

Thank you for your support!

1., 2. and 4.: will apply the modifications.
3.: It is disabled because, with both WAN connections active, Wireguard sessions cannot access the local network.
I can make modifications only during work hours, so it could be a while until then.

Thank you!

/ip/settings/set rp-filter=loose

  2. Second thing is change this to none. Known to cause all kinds of weird issues
    /interface detect-internet
    set detect-interface-list=all internet-interface-list=all lan-interface-list=all wan-interface-list=all



/interface/detect-internet/print 
    detect-interface-list: none
       lan-interface-list: none
       wan-interface-list: none
  internet-interface-list: none



  3. It would appear your WAN1 is showing issues?? Ahhh, why do you have it disabled???
    /ip dhcp-client
    # Interface not active
    add comment=defconf interface=ether1-orange

With it enabled, wireguard is useless.

  4. Forward chain firewall rules modifications.
    a. Put the wireguard rules AFTER the default rules, and you don't need LAN users going to wireguard...
    you have ONLY clients on devices coming to the router, so this should be removed:
    add action=accept chain=forward comment="Allow forward for Bridge Wireguard" in-interface=bridge out-interface=wireguard

/ip firewall filter (forward chain)
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="wg clients to LAN" in-interface=wireguard out-interface=bridge



/ip firewall filter
add action=accept chain=input comment="allow WireGuard" dst-port=13231 protocol=udp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="Allow forward for Bridge Wireguard " in-interface=bridge out-interface=wireguard



  5. I do not believe we need to mangle the WAN traffic as we will use main table routes for non-pcc traffic.
    This does mean that we have to accept any WIREGUARD - LAN traffic prior to PCC.
    SO:

/ip firewall mangle
{ prevent wg traffic capture in PCC }
add action=accept chain=forward in-interface=bridge out-interface=wireguard comment="ensures return traffic goes back out wireguard"

I added this as the first rule, after the clamp-to-MTU rule.

{ PCC remaining LAN traffic }
add action=mark-connection chain=forward connection-mark=no-mark dst-address-type=!local in-interface-list=miniLAN new-connection-mark=digi_conn per-connection-classifier=src-address-and-port:2/0 passthrough=yes
add action=mark-connection chain=forward connection-mark=no-mark dst-address-type=!local in-interface-list=miniLAN new-connection-mark=orange_conn per-connection-classifier=src-address-and-port:2/1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=digi_conn new-routing-mark=digi passthrough=no comment="Traffic for WAN2 - Digi"
add action=mark-routing chain=prerouting connection-mark=orange_conn new-routing-mark=orange passthrough=no comment="Traffic for WAN1 - Orange"



/ip firewall mangle
add action=change-mss chain=forward comment="Clamp to MTU - packets get fragmented on the connection to UK and DE" new-mss=clamp-to-pmtu \
    protocol=tcp tcp-flags=syn
add action=accept chain=forward comment="ensures return traffic goes back out wireguard" in-interface=bridge out-interface=wireguard
add action=mark-connection chain=forward connection-mark=no-mark dst-address-type=!local in-interface-list=miniLAN new-connection-mark=digi_conn \
    per-connection-classifier=src-address-and-port:2/0
add action=mark-connection chain=forward connection-mark=no-mark dst-address-type=!local in-interface-list=miniLAN new-connection-mark=orange_conn \
    per-connection-classifier=src-address-and-port:2/1
add action=mark-routing chain=prerouting comment="Traffic for WAN2 - Digi" connection-mark=digi_conn new-routing-mark=digi passthrough=no
add action=mark-routing chain=prerouting comment="Traffic for WAN1 - Orange" connection-mark=digi_conn new-routing-mark=orange passthrough=no



  6. Your source NAT rules are confused; either use two separate masquerade rules, one per WAN,
    OR use one rule with interface-list=WAN, but not a mix of both!!!
    (Okay, I see you have orange disabled... why keep noise in your config, remove it!!)

Done.

  7. Speaking of NOISE, since you don't use IPv6 (disabled), remove the noise of address lists and firewall rules!!!

Before the Wireguard situation he used IPv6, and if/when the situation is resolved IPv6 will be restored.

  8. FTP is not a secure method of accessing the router, so not sure why you have this service enabled??

Disabled.

  9. In terms of routes, you have two out of the four required.
    Am I to assume you have selected DEFAULT ROUTE=YES for both DIGI and ORANGE???
    IF SO, then deselect and make them manually as per below.

The two routes you have entered for PCC DO NOT require a distance separation; it is meaningless as they are in DIFFERENT TABLES.
SO should simply be:
/ip route
add distance=1 check-gateway=ping dst-address=0.0.0.0/0 gateway=pppoe-digi routing-table=main
add distance=2 check-gateway=ping dst-address=0.0.0.0/0 gateway=90.x.x.x. routing-table=main
add dst-address=0.0.0.0/0 gateway=pppoe-digi routing-table=digi
add dst-address=0.0.0.0/0 gateway=90.x.x.x. routing-table=orange

Yes, default routes are enabled, but I cannot make modifications right now as I risk locking myself out. Will try tomorrow, from the location.

  10. Finally, what IP address do your clients use in the WG settings? The IP Cloud mynetname is a good one, and that should point to the primary WAN when available and to the secondary WAN if not available; it takes some seconds to adjust, but the wireguard connection should also switch accordingly.

The Wireguard clients previously used the Orange IP address. When the second connection was added, we switched to c1.domain.ro for Digi and c2.domain.ro for Orange, and remote users were instructed to edit the connection and switch between c1 and c2. It never came to that, as both connections never worked simultaneously.

Thank you very much!
Will reply after I am able to apply the modifications from point 9.


/ip firewall filter
add action=accept chain=input comment="allow WireGuard" dst-port=13231 protocol=udp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="Allow forward for Bridge Wireguard " in-interface=bridge out-interface=wireguard



The last rule in the forward chain is moved up one step so that the last rule is always a Drop.
The order of firewall rules matters because the rules are executed from top to bottom.

I don't get your point Johnson.
The chap is using default rules, which do not incorporate DROP ALL ELSE rules.
The rule above simply drops anything from the WAN side that is not DST-NATed and has no effect on wireguard traffic.

These are the last two rules of the forward chain he specified:

add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="Allow forward for Bridge Wireguard " in-interface=bridge out-interface=wireguard

The last rules of both the Input chain and the Forward chain should be 'Drop'. I'm not talking about 'drop-all', but about the default, which in his case won't be quite right, because the last rule is 'accept forward... allow WG...'.
In theory it will not be correct, right? Typically, the Forward section always ends with a 'drop' rule, which drops everything that is not defined (or, by default, everything except the specified port).

Wrong...
The drop rule, sort of included in the default rules (very confusing, which I loathe), need not be last in the default rules.
That rule only drops any WAN traffic not identified for port forwarding, nothing more, nothing less. It has no bearing on any other traffic.
Basically the default rules allow any LAN to LAN or LAN to WAN traffic...

Hence why I explicitly prefer to state:
LAN to WAN allowed,
port forwarding allowed,
everything else dropped.

But that is not the point of the question today, and thus I didn't attempt to foist my preferred setup on the OP... keeps jaclaz, mkx, lurker happy LOL

Wrong? If the last rule is 'forward-accept... something', then the 'Drop' above will not work. Am I wrong?
Yes, I agree with you, I also prefer 'Everything else dropped', and it works fine.

Firewalls are all about matching...
The default rule states: DROP all traffic coming from the WAN, unless that traffic is identified (by port number/protocol) in the NAT rules.
The rule after has nothing to do with WAN traffic; it addresses Wireguard and LAN traffic, a different animal.
That traffic had no match in the previous rule, so it hits the next rule...
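As an added illustration (these are not rules from the thread; the list and interface names are the OP's), here is the OP's forward chain rewritten in the explicit style the reply above prefers. With the defconf rules the position of the Wireguard accept is irrelevant, as stated, because the defconf drop matches only `in-interface-list=WAN`; once a final drop-all exists, every accept must sit above it. Two choices in this version are mine and worth knowing about: the Internet rule uses `miniLAN` (the bridge only) rather than `LAN`, because the OP's `LAN` list also contains the wireguard interface and would otherwise let remote peers use the office as an exit node; and fasttrack is limited to connections without a PCC mark, since fasttracked packets skip the mangle chains and a marked connection would stop picking up its per-packet routing mark once fasttracked.

```routeros
# Added example (not the OP's rules): the OP's forward chain rewritten with an
# explicit final drop. Interface and list names are the OP's.
/ip firewall filter
# fasttrack only connections that carry no PCC mark, so marked connections keep
# passing through mangle on every packet
add chain=forward action=fasttrack-connection connection-state=established,related \
    connection-mark=no-mark hw-offload=yes comment="fasttrack unmarked only"
add chain=forward action=accept connection-state=established,related,untracked \
    comment="accept established/related/untracked"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
# LAN hosts (bridge only) may reach the Internet; remote peers are not in miniLAN
add chain=forward action=accept in-interface-list=miniLAN out-interface-list=WAN \
    comment="LAN to Internet"
# WireGuard peers may reach the LAN and nothing else unless a rule is added
add chain=forward action=accept in-interface=wireguard out-interface=bridge \
    comment="WG clients to LAN"
# only DST-NATed new connections from the WAN (port forwards) get through
add chain=forward action=accept in-interface-list=WAN connection-nat-state=dstnat \
    connection-state=new comment="port forwards"
add chain=forward action=drop comment="drop everything else"
```

If LAN hosts must be able to open connections towards the remote peers (the OP's original "Bridge Wireguard" rule), add an accept for `in-interface=bridge out-interface=wireguard` above the final drop as well; the established/related rule covers only replies.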

With add-default-route disabled on both the DHCP client and the PPPoE connection, and:

/ip route
add distance=1 check-gateway=ping dst-address=0.0.0.0/0 gateway=pppoe-digi routing-table=main
add distance=2 check-gateway=ping dst-address=0.0.0.0/0 gateway=90.84.225.1 routing-table=main
add dst-address=0.0.0.0/0 gateway=pppoe-digi routing-table=digi
add dst-address=0.0.0.0/0 gateway=90.84.225.1 routing-table=orange

there was no Internet access, even on the router.
Probably a simple mistake, but I had only a few minutes to make tests, as they needed the Internet connection.
Restored add-default-route on both connections and the previous rules, corrected with distance 1 on both.

/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    90.84.225.1 routing-table=orange scope=30 suppress-hw-offload=no \
    target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    pppoe-digi routing-table=digi scope=30 suppress-hw-offload=no \
    target-scope=10



Flags: D - DYNAMIC; I - INACTIVE, A - ACTIVE; c - CONNECT, s - STATIC, v - VPN
Columns: DST-ADDRESS, GATEWAY, ROUTING-TABLE, DISTANCE
#     DST-ADDRESS      GATEWAY      ROUTING-TABLE  DISTANCE
  DAv 0.0.0.0/0        pppoe-digi   main                  1
0  Is 0.0.0.0/0        90.84.225.1  main                  2
  DAc 192.168.80.0/24  wireguard    main                  0
  DAc 192.168.88.0/24  bridge       main                  0
  DAc 10.0.10.113/32   pppoe-digi   main                  0
1  Is 0.0.0.0/0        pppoe-digi   digi                  1
2  Is 0.0.0.0/0        90.84.225.1  orange                1

With both connections active, wireguard clients could not access the internal network. So, no luck.
Will be able to make more tests on Saturday or, at least, Monday, as today I was given 10 minutes max.

Thank you!
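An added route-lookup model (mine, not the poster's or RouterOS code) built from the /ip route print output above, to check on paper which gateway a forwarded packet resolves to once a routing-mark sends it into the digi or orange table instead of main. It does a longest-prefix lookup with lowest-distance tie-break among active routes, and it models a routing-mark lookup as "try the marked table, then fall back to main", which is an assumption about RouterOS behaviour and only matters when the marked table has no usable route. The LAN host address used in the demonstration is constructed; the addresses on the router itself are taken from the posted config.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Route:
    dst: str
    gateway: str
    distance: int = 1
    active: bool = True


# Routing tables as printed above; the Orange routes are inactive because that link is down.
TABLES: Dict[str, List[Route]] = {
    "main": [
        Route("0.0.0.0/0", "pppoe-digi", 1, True),
        Route("0.0.0.0/0", "90.84.225.1", 2, False),
        Route("192.168.80.0/24", "wireguard", 0),
        Route("192.168.88.0/24", "bridge", 0),
        Route("10.0.10.113/32", "pppoe-digi", 0),
    ],
    "digi": [Route("0.0.0.0/0", "pppoe-digi", 1)],
    "orange": [Route("0.0.0.0/0", "90.84.225.1", 1, False)],
}

# Addresses assigned to the router itself; these are what dst-address-type=local matches.
LOCAL_ADDRESSES = {"192.168.88.1", "192.168.80.1", "10.0.10.113"}


def lookup(table: str, dst: str) -> Optional[Route]:
    """Longest prefix wins; among equal prefixes the active route with the lowest distance."""
    ip = ipaddress.ip_address(dst)
    candidates = [r for r in TABLES[table]
                  if r.active and ip in ipaddress.ip_network(r.dst)]
    if not candidates:
        return None
    return max(candidates,
               key=lambda r: (ipaddress.ip_network(r.dst).prefixlen, -r.distance))


def resolve(dst: str, routing_mark: Optional[str] = None) -> Optional[str]:
    """Gateway a packet ends up on: local delivery for the router's own addresses,
    otherwise the marked table first (assumed fallback to main if it has no route)."""
    if dst in LOCAL_ADDRESSES:
        return "local"
    if routing_mark is not None:
        hit = lookup(routing_mark, dst)
        if hit is not None:
            return hit.gateway
    hit = lookup("main", dst)
    return hit.gateway if hit else None


def pcc_mark_applies(dst: str, in_iface: str) -> bool:
    """The posted mark-connection matchers: in-interface-list=miniLAN and dst-address-type=!local."""
    return in_iface in {"bridge", "wireguard"} and dst not in LOCAL_ADDRESSES


def egress_for(dst: str, in_iface: str, mark: str) -> Optional[str]:
    """Egress of a forwarded packet whose connection PCC would assign to the given mark."""
    if pcc_mark_applies(dst, in_iface):
        return resolve(dst, mark)
    return resolve(dst)


if __name__ == "__main__":
    lan_host = "192.168.88.50"   # constructed LAN host address
    print("unmarked  ->", resolve(lan_host))
    print("mark digi ->", egress_for(lan_host, "wireguard", "digi"))
    print("router    ->", egress_for("192.168.88.1", "wireguard", "digi"))
```

Running it shows the contrast worth checking against the real box: a packet from a WireGuard client to a LAN host resolves to bridge when it stays in main, but to pppoe-digi when it carries the digi mark, because the digi table contains only the default route and 0.0.0.0/0 matches every destination; the router's own 192.168.88.1 is excluded by dst-address-type=!local, which is consistent with the router answering pings while other LAN hosts do not. A useful habit is to run /ip route print for each named table and confirm whether it holds anything but the default route before relying on mark-routing for traffic that also has internal destinations.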

Post latest complete config for review please.

# 2025-06-12 19:59:39 by RouterOS 7.19.1
# software id = ---
#
# model = C52iG-5HaxD2HaxD
# serial number = ---
/interface bridge
add admin-mac=48:A9:8A:D5:EB:C0 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] disabled=yes name=ether1-orange
set [ find default-name=ether2 ] name=ether2-digi
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether2-digi name=pppoe-digi \
    use-peer-dns=yes user=---
/interface wireguard
add comment="Wireguard server" listen-port=13231 mtu=1420 name=wireguard
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=miniLAN
/interface wifi channel
add band=5ghz-ax disabled=no name=wifi6 skip-dfs-channels=10min-cac width=\
    20/40mhz
add band=2ghz-ax disabled=no name=wifi4 skip-dfs-channels=10min-cac width=\
    20mhz
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes name=security
/interface wifi configuration
add channel=wifi6 country=Romania disabled=no mode=ap name=wifi6 security=\
    security ssid=---
add channel=wifi4 country=Romania disabled=no mode=ap name=wifi4 security=\
    security ssid=---
/interface wifi
# operated by CAP 48:A9:8A:6B:39:EC%bridge, traffic processing on CAP
# no available channels
add configuration=wifi4 disabled=no name=cap-wifi1 radio-mac=\
    48:A9:8A:6B:39:F1
# operated by CAP 48:A9:8A:6B:39:EC%bridge, traffic processing on CAP
add configuration=wifi4 disabled=no name=cap-wifi2 radio-mac=\
    48:A9:8A:6B:39:F2
# no connection to CAPsMAN, managed locally
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac \
    configuration=wifi6 configuration.manager=capsman-or-local .mode=ap \
    .ssid=--- disabled=no security.authentication-types=\
    wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
# no connection to CAPsMAN, managed locally
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac \
    configuration=wifi4 configuration.manager=capsman-or-local .mode=ap \
    disabled=no security.authentication-types=wpa2-psk,wpa3-psk .ft=yes \
    .ft-over-ds=yes
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/routing table
add disabled=no fib name=digi
add disabled=no fib name=orange
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/ip smb
set enabled=no
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set rp-filter=loose
/ipv6 settings
set disable-ipv6=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-orange list=WAN
add interface=wireguard list=LAN
add interface=pppoe-digi list=WAN
add interface=bridge list=miniLAN
add interface=wireguard list=miniLAN
/interface ovpn-server server
add mac-address=FE:B5:58:8B:42:3A name=ovpn-server1
/interface wifi cap
set certificate=none discovery-interfaces=bridge enabled=yes
/interface wifi capsman
set enabled=yes interfaces=bridge package-path="" require-peer-certificate=no \
    upgrade-policy=none
/interface wifi provisioning
add action=create-enabled comment="---" disabled=no master-configuration=\
    wifi4 radio-mac=48:A9:8A:6B:39:F1 slave-configurations=wifi4 \
    slave-name-format=""
add action=create-enabled comment="---" disabled=no master-configuration=\
    wifi4 radio-mac=48:A9:8A:6B:39:F2 slave-configurations=wifi6
add action=create-enabled comment="Local 1" disabled=no master-configuration=\
    wifi4 radio-mac=48:A9:8A:D5:EB:C4 slave-configurations=wifi6
add action=create-enabled comment="Local 2" disabled=no master-configuration=\
    wifi4 radio-mac=48:A9:8A:D5:EB:C5 slave-configurations=wifi6
/interface wireguard peers
add allowed-address=192.168.80.2/32 client-address=192.168.80.2/32 \
    client-dns=192.168.88.1 comment="---" interface=wireguard name=\
    wg1 private-key="---" \
    public-key="---"
...
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.80.1/24 interface=wireguard network=192.168.80.0
/ip dhcp-client
# Interface not active
add comment=defconf interface=ether1-orange
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=\
    1.1.1.1,8.8.8.8,8.8.4.4 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="Allow forward for Bridge Wireguard" \
    in-interface=bridge out-interface=wireguard
/ip firewall mangle
add action=change-mss chain=forward comment="Clams to MTU" new-mss=clamp-to-pmtu \
    protocol=tcp tcp-flags=syn
add action=accept chain=forward comment=\
    "ensures return traffic goes back out wireguard" in-interface=bridge \
    out-interface=wireguard
add action=mark-connection chain=forward connection-mark=no-mark \
    dst-address-type=!local in-interface-list=miniLAN new-connection-mark=\
    digi_conn per-connection-classifier=src-address-and-port:2/0
add action=mark-connection chain=forward connection-mark=no-mark \
    dst-address-type=!local in-interface-list=miniLAN new-connection-mark=\
    orange_conn per-connection-classifier=src-address-and-port:2/1
add action=mark-routing chain=prerouting comment="Traffic for WAN2 - Digi" \
    connection-mark=digi_conn new-routing-mark=digi passthrough=no
add action=mark-routing chain=prerouting comment="Traffic for WAN1 - Orange" \
    connection-mark=digi_conn new-routing-mark=orange passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment=\
    "masquerade - WAN - nu conteaza conexiunea" ipsec-policy=out,none \
    out-interface-list=WAN
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    90.84.225.1 routing-table=orange scope=30 suppress-hw-offload=no \
    target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    pppoe-digi routing-table=digi scope=30 suppress-hw-offload=no \
    target-scope=10
add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=90.84.225.1 \
    routing-table=main
/ip service
set ftp address=192.168.0.0/16 disabled=yes
set ssh address=192.168.0.0/16
set telnet address=192.168.0.0/16 disabled=yes
set www address=192.168.0.0/16
set www-ssl address=192.168.0.0/16
set winbox address=192.168.0.0/16
set api address=192.168.0.0/16 disabled=yes
set api-ssl address=192.168.0.0/16 disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Bucharest
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
  1. You didn't remove the rule I requested and instead removed the rule you should keep.
    ENSURE THIS IS THE RULE you have in the forward chain. ( there is no wg traffic originating from local users going to clients )
    add action=accept chain=forward comment="wg clients to LAN"
    in-interface=wireguard out-interface=bridge

  2. REMOVE wireguard interface from miniLAN interface list.
    /interface list member
    add comment=defconf interface=bridge list=LAN
    add comment=defconf interface=ether1-orange list=WAN
    add interface=wireguard list=LAN
    add interface=pppoe-digi list=WAN
    add interface=bridge list=miniLAN

    add interface=wireguard list=miniLAN

  3. You have a duplicate in your PCC route marking
    add action=mark-routing chain=prerouting comment="Traffic for WAN2 - Digi"
    connection-mark=digi_conn new-routing-mark=digi passthrough=no
    add action=mark-routing chain=prerouting comment="Traffic for WAN1 - Orange"
    connection-mark=digi_conn new-routing-mark=orange passthrough=no

The second one should be orange_conn

+++++++++++++++++++++++++++++++++++++++++++++++++

Seeing as you have the ORANGE WAN disabled, the wireguard client, with the changes made, should have no issues connecting via wireguard.
Single WAN in effect. So let's ensure we do that successfully before anything else.

Hello,

Made the modifications, sorry for the mistakes. From now on, I have access to them from home and won't be working around the clock. Will need their help only to deactivate the Orange connection if wireguard does not work.
The wireguard sessions are working all the time; they are important for them, so I was sacrificing PCC for the wireguard sessions.
Did a test with the Orange connection active: wireguard ping to the internal server starts to lose packets.

Thank you!

Tried today to finish the setup, but with limited success. Added dst-address-type=!local to all mangle mark rules, completed the failover routes from the initial config and it was working… for a while.
If the second connection (Orange) is activated and the mangle rules are modified, a new wireguard session can be established and it can access the internal LAN.

Then I tested failover: deactivated pppoe-digi and all traffic was routed to Orange. Activated pppoe-digi and deactivated Orange; failover worked.
But no luck with wireguard. A new connection still can not access the internal network.

Bottom line: I am able to make it work, but if one ISP connection fails, after the ISP service is restored the wireguard clients are not able to work.
Restored the config to the last state in this thread, with those 3 mistakes resolved.

What am I missing?