Dual WAN: Route specific WireGuard peer through second WAN

My setup has 2 WANs. For simplification: only IPv4, no incoming connections, both are masqueraded for outgoing only.

Now I would like to route two (fixed IPv4 address based) outgoing WireGuard peers through the second WAN. All others through the first WAN.

Any idea how the mangle rule should look? So far I did not find a solution with the IP/protocol/port connection/route marking.


Thanks
dksoft

Hello,

I’m sorry I don’t get your question - can you explain this?

Now I would like to route two (fixed IPv4 address based) outgoing WireGuard peers through the second WAN. All others through the first WAN.

do you mean:
outgoing wg should go out on wan2, and regular traffic go out on wan1?

Provide a network diagram and fully describe the Wireguard setup.

What do you have, and is your router a client device or server device for the initial handshake?
a. wg from router to router
b. wg from external remote user to wireguard
c. wg to a third party provider
d. wg to your own VPS in the cloud

Which WAN is currently used for your wireguard?
What type of WAN connections are WAN1 and WAN2: both public IPs, static, dynamic…?
Primary, failover, PCC???

Thanks for your quick input. I try to explain further my setup:

I have two WANs.
WAN1 has a global IPv4. It is therefore reachable from outside and is the default route. My router is the WG server here, some road warriors are connecting.
WAN2 is IPv4 CGNAT. It is therefore outgoing only and should offload WAN1 for WireGuard traffic to certain peers. My router is the WG client here and creates the WG connection to these peers.

There is one WG interface:

/ip address
add address=10.0.0.1/20 interface=LAN network=10.0.0.0
add address=10.5.0.1/24 interface=WG1 network=10.5.0.0

/interface wireguard
add listen-port=13231 mtu=1412 name=WG1

Some road warriors which should come in over WAN1:

/interface wireguard peers
add allowed-address=10.5.0.15/32 comment="mein-iphone (road warrior)" interface=WG1 public-key="xxx"
add allowed-address=10.5.0.17/32 comment="mein-ipad (road warrior)" interface=WG1 public-key="yyy"

And two outgoing WG connections that should go out over WAN2:

/interface wireguard peers
add allowed-address=10.5.0.12/32 endpoint-address=1.2.3.4 endpoint-port=13231 interface=WG1 public-key="zzz"
add allowed-address=10.5.0.9/32,10.3.0.0/24 endpoint-address=5.6.7.8 endpoint-port=13231 interface=WG1 public-key="qqq"

All WAN interfaces are masqueraded:

/interface list
add comment="All WAN interfaces" name=WAN

/interface list member
add comment="Telekom modem" interface=FTTH-1U1 list=WAN
add comment="DG modem" interface=FTTH-DG list=WAN

/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade WAN for internet access" out-interface-list=WAN

The solution should be that only the WG connection/traffic to hosts 1.2.3.4 and 5.6.7.8 goes out through WAN2. All other WG connections should come in and go out over WAN1.

So far I tried to create a routing table for WAN2. Added a mangle rule to mark new connections to 1.2.3.4 udp 13231. Then mark routing for this connection. With no success.

A simple and working solution is to create a route to these two WG peers. But then all traffic to these hosts goes through WAN2 (which causes other problems):

/ip route
add dst-address=1.2.3.4/32 gateway="WAN2-gw-ip"
add dst-address=5.6.7.8/32 gateway="WAN2-gw-ip"

You really need to draw a diagram as you have conflicting statements as to your intended configuration of wireguard!

Also, you need to forget about attempting to describe the config and requirements together.
I don't care about the config at the moment.

Please identify
a. user(s)/device(s) and groups of users/devices ( including you the admin )
b. identify the traffic each person/device requires (allow traffic ).

Internal originated traffic:
Be it single IP to single IP, single to many IPs, many IPs to single IP, many IPs to many IPs…
Or
single IP to internet, many IPs to internet ( LOCAL WAN )
Or
single IP to internet, many IPs to internet ( Via Wireguard )

external originated traffic
Be it road warriors to LAN (via wireguard)
Be it admin to router to config router ( via wireguard )

+++++++++++++++++++++++++++++++++++++

I understand you have two WANs, and since WAN1 is the only one with a public IP address, this will be the ONLY WAN capable of establishing a wireguard tunnel in the Server mode.

If you wish to have a SECOND wireguard interface, and this interface is connecting to a third party or cloud wireguard, then and only then could you use WAN2 for wireguard but only as a Client.

There is no “off-loading”, wireguard must stay with the WAN in which the connection was established ( incoming or outgoing ).

This is the solution I was looking for. It was not working right from the beginning because even though I disabled WG and cleared all connections, there were still open connections via the first and default WAN1. Rebooting the router made it work right away. DG_rt is the routing table and mark for my WAN2.

@Anav and @Wiseroute: Thanks for taking care of my request and your valuable input.

/routing table
add disabled=no fib name=DG_rt

/routing rule
add action=lookup-only-in-table disabled=no routing-mark=DG_rt table=DG_rt

/ip route
add comment=DG_rt dst-address=0.0.0.0/0 gateway=100.84.0.1 routing-table=DG_rt

/ip firewall mangle
add action=mark-connection chain=output comment=DG_rt connection-state=new dst-address=1.2.3.4 dst-port=13231 \
    new-connection-mark=DG_con passthrough=yes protocol=udp
add action=mark-connection chain=output comment=DG_rt connection-state=new dst-address=5.6.7.8 dst-port=13231 \
    new-connection-mark=DG_con passthrough=yes protocol=udp
add action=mark-routing chain=output comment=DG_rt connection-mark=DG_con new-routing-mark=DG_rt passthrough=no
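
To make the mechanism of the solution above concrete, here is an added example, not code from the thread and not RouterOS configuration: a small Python model of the three mangle rules (mark-connection on connection-state=new for the two endpoints, then mark-routing on the connection mark) and the DG_rt table lookup. It contrasts the mangle approach with the plain static route tried earlier, and models a connection that was tracked before the rules existed, which is the case the reboot fixed. The packet fields, the conntrack dictionary and the source address 203.0.113.10 are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

WAN1 = "WAN1"   # default route, public IPv4
WAN2 = "WAN2"   # CGNAT uplink, reached only via routing table DG_rt (gateway 100.84.0.1)

# Endpoints of the two outgoing WireGuard peers from the thread: (dst-address, protocol, dst-port)
WG_ENDPOINTS = {("1.2.3.4", "udp", 13231), ("5.6.7.8", "udp", 13231)}


@dataclass(frozen=True)
class Packet:
    """A router-originated packet, i.e. what chain=output sees (constructed model)."""
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

    def conn_key(self):
        # 5-tuple used as the connection-tracking key
        return (self.src, self.dst, self.proto, self.sport, self.dport)


@dataclass
class Router:
    # connection tracking table: 5-tuple -> connection-mark (None = unmarked)
    conntrack: Dict[tuple, Optional[str]] = field(default_factory=dict)

    def mangle_output(self, pkt: Packet) -> Optional[str]:
        """Emulate the three /ip firewall mangle rules; returns the routing mark or None."""
        key = pkt.conn_key()
        is_new = key not in self.conntrack          # connection-state=new
        if is_new:
            self.conntrack[key] = None
        # Rules 1 and 2: mark-connection DG_con, only for NEW connections to a WG endpoint.
        # An existing connection is never re-marked, which is why a stale entry keeps using WAN1.
        if is_new and (pkt.dst, pkt.proto, pkt.dport) in WG_ENDPOINTS:
            self.conntrack[key] = "DG_con"
        # Rule 3: mark-routing DG_rt for every packet of a DG_con connection (new or established)
        return "DG_rt" if self.conntrack[key] == "DG_con" else None

    def select_wan(self, pkt: Packet) -> str:
        # /routing rule: routing-mark=DG_rt -> lookup-only-in-table DG_rt, whose default route is WAN2
        return WAN2 if self.mangle_output(pkt) == "DG_rt" else WAN1

    def clear_connections(self) -> None:
        """Model of flushing the connection table (or rebooting the router)."""
        self.conntrack.clear()


def select_wan_static_route(pkt: Packet) -> str:
    """The simpler approach from earlier in the thread (/ip route dst-address=1.2.3.4/32 ...):
    every packet to those hosts leaves via WAN2, whatever the protocol or port."""
    return WAN2 if pkt.dst in {"1.2.3.4", "5.6.7.8"} else WAN1


if __name__ == "__main__":
    r = Router()
    wg = Packet("203.0.113.10", "1.2.3.4", "udp", 13231, 13231)   # WG handshake to peer 1
    web = Packet("203.0.113.10", "1.2.3.4", "tcp", 40000, 443)    # unrelated HTTPS to the same host
    print("WG handshake   :", r.select_wan(wg), "/ static route:", select_wan_static_route(wg))
    print("HTTPS same host:", r.select_wan(web), "/ static route:", select_wan_static_route(web))
    # Connection that existed before the mangle rules were added: tracked, but never marked
    stale = Router(conntrack={wg.conn_key(): None})
    print("stale WG conn  :", stale.select_wan(wg))
    stale.clear_connections()
    print("after clearing :", stale.select_wan(wg))
```

The model shows the two properties that matter: only UDP/13231 flows to the two endpoints are diverted, so other traffic to 1.2.3.4 still uses WAN1, and a connection tracked before the rules existed never acquires DG_con, so the WG flow stays on WAN1 until the entry is gone.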

Hello,
I am trying to solve the same problem. I am currently running IPsec with EoIP and it works; I would just like to switch to WireGuard. I have two locations: one has only 1x ISP (500 Mbps) and the second has 2x ISP (150 Mbps each). All ISPs have public IPs.

Current configuration:
MK1:
/interface eoip
add allow-fast-path=no ipsec-secret=xxx local-address=ISP MK1 mac-address=xxx name="Praha10 EoIP_ISP1" remote-address=ISP1 MK2 tunnel-id=1
add allow-fast-path=no ipsec-secret=xxx local-address=ISP MK1 mac-address=xxx name="Praha10 EoIP_ISP2" remote-address=ISP2 MK2 tunnel-id=2
/interface bonding
add name=Praha10_bond slaves="Praha10 EoIP_ISP1,Praha10 EoIP_ISP2" transmit-hash-policy=layer-2-and-3

MK2:
/interface eoip
add allow-fast-path=no ipsec-secret=xxx local-address=ISP1 MK2 mac-address=xxx name="main EoIP_ISP1" remote-address=ISP MK1 tunnel-id=1
add allow-fast-path=no ipsec-secret=xxx local-address=ISP2 MK2 mac-address=xxx name="main EoIP_ISP2" remote-address=ISP MK1 tunnel-id=2
/interface bonding
add name=main_bond slaves="main EoIP_ISP1,main EoIP_ISP2" transmit-hash-policy=layer-2-and-3
/ip firewall mangle
add action=mark-connection chain=output new-connection-mark="ISP1 conn" passthrough=yes src-address=ISP1 MK2
add action=mark-connection chain=output new-connection-mark="ISP2 conn" passthrough=yes src-address=ISP2 MK2
add action=mark-connection chain=prerouting comment="Mark input connections" connection-state=new in-interface=ether1-ISP1 new-connection-mark="ISP1 conn" passthrough=yes src-address-list=!local-sub
add action=mark-connection chain=prerouting connection-state=new in-interface=ether2-ISP2 new-connection-mark="ISP2 conn" passthrough=yes src-address-list=!local-sub
add action=mark-routing chain=output comment="Output Routing Mark" connection-mark="ISP1 conn" new-routing-mark="ISP1 out" out-interface-list=!LAN passthrough=no
add action=mark-routing chain=output connection-mark="ISP2 conn" new-routing-mark="ISP2 out" out-interface-list=!LAN passthrough=no
/ip route
add distance=1 gateway=ISP1 MK2 routing-mark="ISP1 out"
add distance=1 gateway=ISP2 MK2 routing-mark="ISP2 out"
add distance=1 gateway=ISP1 MK2
add distance=10 gateway=ISP2 MK2

When trying to create 2 WireGuard tunnels, the tunnel always switches to the next connection via ISP1 (default GW) and I can't fix it in any way. I can't assign a source address to WireGuard like with IPsec :frowning:

Post your request in its own thread and provide a network diagram and the full config…
/export file=anynameyouwish (minus router serial number, public WANIP information, keys, long lease lists etc…)