Dual WAN Setup - Bind Wireguard to WAN2

RouterOS
1

Hi everyone, I have a router setup for Dual WAN connectivity for automatic fail-over. It is working great.

RouterOS 7.21 RB5009

However, I need to run a WireGuard VPN server on ONLY WAN2, where I will have a client attach, and I am having trouble with getting this to work.

Basic diagram of my setup:

Untitled Diagram.drawio(2)
Untitled Diagram.drawio(2)536×392 7.12 KB

I’ve setup recursive routing to check gateways for both WAN’s, which is working, and allowing the backup WAN port to pass traffic.

/ip/route> print detail
Flags: D - dynamic; X - disabled, I - inactive, A - active;
c - connect, s - static, r - rip, b - bgp, o - ospf, i - is-is, d - dhcp, v - vpn, m - modem, y - bgp-mpls-vpn; H - hw-offloaded; + - ecmp
0  As   ;;; Primary WAN via Recursive Google
dst-address=0.0.0.0/0 routing-table=main gateway=8.8.8.8 immediate-gw=192.168.12.1%ether1 check-gateway=ping distance=1 scope=30
target-scope=11

1   s   ;;; Backup WAN via Recursive Cloudflare
dst-address=0.0.0.0/0 routing-table=main gateway=1.1.1.1 immediate-gw=172.20.5.1%ether2 check-gateway=ping distance=2 scope=30
target-scope=11

2  As   ;;; ISP2 External Host Monitor
dst-address=1.1.1.1/32 routing-table=main gateway=172.20.5.1 immediate-gw=172.20.5.1%ether2 distance=1 scope=10 target-scope=10

3  As   ;;; ISP1 External Host Monitor
dst-address=8.8.8.8/32 routing-table=main gateway=192.168.12.1 immediate-gw=192.168.12.1%ether1 distance=1 scope=10 target-scope=10

So regular traffic is working fine, but now I try to connect to this Routers WireGuard tunnel on its WAN2 address from my remote device. Handshake fails.

As you can see below, Packets are coming in on ether2, however they are leaving via the default route, on ether1

image

image

So my first attempt was to use a Mangle rule to mark all packets with source port 51819 (the local WireGuard interface) and send these to a new routing table, which forces WAN2

So I create a routing table, and add a route for this interface

/routing table
add name=to_WAN2 fib

/ip route
add dst-address=0.0.0.0/0 gateway=172.20.5.1 routing-table=to_WAN2 distance=1

I then set the following mangle rules to mark the packets with source port 51819 (wireguard port) and hopefully allow them to route through WAN2:

/ip firewall mangle
add chain=output protocol=udp src-port=51819 \
    action=mark-routing new-routing-mark=to_WAN2 passthrough=no \
    comment="Force WireGuard replies out WAN2"

I see this rule is being hit, as the packet counter is incrementing, however, the packet sniffer now shows no packets, so with this rule it now appears to not be hitting any interfaces:

image
image735×313 26.2 KB

So it appears the mangle rule is unfortunately not working for this setup. So I tried another way, maybe a routing rule will work.

I clear out the Mangle rule, and enter this routing rule:

/routing rule add action=lookup-only-in-table disabled=no interface=StudioEngineer table=to_WAN2

I now check the packet sniffer again, and this time its like it completely ignores my routing rule, and still proceeds to send traffic out ether1

image
image853×146 15.1 KB

I’m pretty lost here at what to try next. Any suggestions would be greatly appreciated. Below is my entire router configuration (All of the VLAN etc configuration can be ignored):

 /export
# 2026-01-20 13:13:26 by RouterOS 7.21
# software id = 0MME-F4QU
#
# model = RB5009UPr+S+
# serial number = HJZ0AYQ598V
/interface bridge
add name=bridge-vlan vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] l2mtu=1514
set [ find default-name=ether2 ] l2mtu=1514
set [ find default-name=ether3 ] l2mtu=1514
set [ find default-name=ether4 ] l2mtu=1514
set [ find default-name=ether5 ] l2mtu=1514
set [ find default-name=ether6 ] l2mtu=1514
set [ find default-name=ether7 ] l2mtu=1514
set [ find default-name=ether8 ] l2mtu=1514
set [ find default-name=sfp-sfpplus1 ] l2mtu=1514
/interface wireguard
add comment="Remote Access WAN2" listen-port=51819 mtu=1420 name=StudioEngineer
/interface vlan
add interface=bridge-vlan name=vlan100 vlan-id=100
add interface=bridge-vlan name=vlan110 vlan-id=110
add interface=bridge-vlan name=vlan150 vlan-id=150
add interface=bridge-vlan name=vlan160 vlan-id=160
add interface=bridge-vlan name=vlan170 vlan-id=170
add interface=bridge-vlan name=vlan199 vlan-id=199
/interface list
add comment=defconf name=WAN1
add comment=defconf name=LAN
add name=WAN2
add comment="Allow access to managment and other subnets" name=Engineering
/ip pool
add name=pool-vlan100 ranges=10.0.1.200-10.0.1.250
add name=pool-vlan110 ranges=10.0.10.200-10.0.10.250
add name=pool-vlan150 ranges=10.0.110.230-10.0.110.250
add name=pool-vlan199 ranges=10.99.1.230-10.99.1.240
/ip dhcp-server
add address-pool=pool-vlan100 interface=vlan100 name=dhcp-vlan100
add address-pool=pool-vlan110 interface=vlan110 name=dhcp-vlan110
add address-pool=pool-vlan150 interface=vlan150 name=dhcp-vlan150
add address-pool=pool-vlan199 interface=vlan199 name=dhcp-vlan199
/routing table
add fib name=to_WAN2
/disk settings
set auto-media-interface=*B auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge-vlan interface=ether5
add bridge=bridge-vlan comment=Engineering interface=ether6 pvid=199
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set rp-filter=loose
/interface bridge vlan
add bridge=bridge-vlan tagged=bridge-vlan,ether5 vlan-ids=100
add bridge=bridge-vlan tagged=bridge-vlan,ether5 vlan-ids=110
add bridge=bridge-vlan tagged=bridge-vlan,ether5 vlan-ids=150
add bridge=bridge-vlan tagged=bridge-vlan,ether5 vlan-ids=160
add bridge=bridge-vlan tagged=bridge-vlan,ether5 vlan-ids=170
add bridge=bridge-vlan tagged=bridge-vlan,ether5 untagged=ether6 vlan-ids=199
/interface list member
add comment=defconf interface=*B list=LAN
add comment=defconf interface=ether1 list=WAN1
add interface=ether2 list=WAN2
add comment="Allow Local Engineering Access to Router Control" interface=vlan199 list=Engineering
add interface=*B list=Engineering
/interface wireguard peers
add allowed-address=172.20.50.2/29 client-allowed-address=::/0 comment=Engineer interface=StudioEngineer name=Engineer1 public-key=\
    "redacted-public-key-here"
/ip address
add address=10.0.1.100/24 interface=vlan100 network=10.0.1.0
add address=10.0.10.1/24 interface=vlan110 network=10.0.10.0
add address=10.110.1.1/24 interface=vlan150 network=10.110.1.0
add address=10.111.1.1/24 interface=vlan160 network=10.111.1.0
add address=10.112.1.1/24 interface=vlan170 network=10.112.1.0
add address=10.99.1.1/24 interface=vlan199 network=10.99.1.0
add address=172.20.50.1 comment=WireGuardEngineer interface=StudioEngineer network=172.20.50.0
/ip dhcp-client
add add-default-route=no interface=ether1 script=\
    ":if (\$bound=1) do={\
    \n    /ip route set [find comment=\"ISP1 External Host Monitor\"] gateway=\$\"gateway-address\"\
    \n}"
add add-default-route=no interface=ether2 script=":if (\$bound=1) do={\
    \n    /ip route set [find comment=\"ISP2 External Host Monitor\"] gateway=\$\"gateway-address\"\
    \n}\
    \n:if (\$bound=1) do={\
    \n    /ip route set [find comment=\"Return path for WAN2\"] gateway=\$\"gateway-address\"\
    \n}"
/ip dhcp-server network
add address=10.0.1.0/24 dns-server=8.8.4.4 gateway=10.0.1.100
add address=10.0.10.0/24 dns-server=8.8.4.4 gateway=10.0.10.1
add address=10.0.110.0/24 dns-server=8.8.4.4 gateway=10.0.110.1
add address=10.99.1.0/24 dns-server=8.8.4.4 gateway=10.99.1.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input dst-port=22 protocol=tcp
add action=accept chain=input dst-port=51819 protocol=udp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!Engineering
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
    in-interface-list=WAN1
/ip firewall mangle
add action=mark-routing chain=output comment="Force WireGuard replies out WAN2" disabled=yes new-routing-mark=to_WAN2 passthrough=no protocol=udp \
    src-port=51819
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN1
add action=masquerade chain=srcnat out-interface-list=WAN2
/ip route
add comment="ISP1 External Host Monitor" disabled=no distance=1 dst-address=8.8.8.8/32 gateway=192.168.12.1 routing-table=main scope=10 \
    target-scope=10
add comment="ISP2 External Host Monitor" disabled=no distance=1 dst-address=1.1.1.1/32 gateway=172.20.5.1 routing-table=main scope=10 \
    target-scope=10
add check-gateway=ping comment="Primary WAN via Recursive Google" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=8.8.8.8 routing-table=main \
    scope=30 target-scope=11
add check-gateway=ping comment="Backup WAN via Recursive Cloudflare" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=1.1.1.1 routing-table=\
    main scope=30 target-scope=11
add distance=1 dst-address=0.0.0.0/0 gateway=172.20.5.1 routing-table=to_WAN2
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/routing rule
add action=lookup-only-in-table disabled=no interface=StudioEngineer table=to_WAN2
/system clock
set time-zone-name=America/Denver
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set memory-limit=1000KiB
2

It is unfortunately quite usual that mangle rules fail to work for locally originated traffic (which traffic that is encapsulated by a local service like wireshark is).

3

Yeah, pretty unfortunate if i cannot separate Wireguard out into WAN interfaces, as my whole more complex future network design has somewhat relied on that. Is there any workaround? Maybe with VRF routing?

4

One workaround is to make WAN2 the default WAN and mark the traffic for WAN1. That works well for all forwarded traffic.

5

The problem is I eventually plan on having 2 different WG interfaces, one for each individual WAN

6

You could file a bug report / feature request. Noting that it isn’t always possible to mark locally originated traffic.

When you have the budget, you could also buy a second router and use each on the different WAN lines, inter-connect the routers for the failover function.

7

Marking the wireguard outer (underlay) packets in output works entirely correctly. Your problem is most likely related to actually routing your packet.

The thing people are usually upset about is the source address selection for the wireguard reply...

Anyway, the good news is that this is in the past: 7.21 adds vrf support for the wireguard underlay. This is only available as a cli option (at least for now...). You can find this at /interface wireguard set ... vrf=xxx

EDIT: Just FYI: there is a whole true crime miniseries on the forum about these sorts of issues.

8

VRF Routing seems to be a working solution for this. This exercise was an introduction to VRF’s for me