Exclude WG traffic from IPsec

Hi all,

Thanks to the forum's advice I now have a working IPsec (IKEv2) setup to NordVPN on my CRS309-1G-8S+.

Lately I also configured a site-to-site WireGuard (WG) connection between my MikroTik (192.168.30.0/24) and a remote FRITZ!Box (192.168.178.0/24).

The issue with this setup is that, while the IPsec connection is up, I can no longer reach the remote WG subnet (192.168.178.0/24).

A workaround I found is adding the 192.168.178.0/24 subnet to the address-list used by mode-config (the src-nat rule that IPsec generates dynamically from that list excludes destinations that are also in the list, so traffic for the remote LAN is no longer translated and therefore no longer matches the IPsec policy).

Is there an easier and cleaner way to keep the WG traffic out of IPsec?

This is my routing table:

[admin@MikroTik] > /ip route print  
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, s - STATIC, d - DHCP
Columns: DST-ADDRESS, GATEWAY, ROUTING-TABLE, DISTANCE
#     DST-ADDRESS       GATEWAY        ROUTING-TABLE  DISTANCE
  DAd 0.0.0.0/0         192.168.1.254  main                  1
  DAc 10.6.0.7/32       sfp-sfpplus2   main                  0
  DAc 192.168.1.0/24    sfp-sfpplus2   main                  0
  DAc 192.168.30.0/24   vlan30         main                  0
  DAc 192.168.88.0/24   bridge         main                  0
;;; Remote LAN via WG
0  As 192.168.178.0/24  wg1            main                  1

My current config is right below.
Thanks to all for your help!

Lorraine

# 2026-01-01 22:20:56 by RouterOS 7.20.6
# model = CRS309-1G-8S+
# Review notes are marked "NOTE(review)". Secrets and identifiers in this export are placeholders
# (<PSKEY>, <PBKEY>, <FRITZBOX_ADDRESS>, xx:xx:xx:xx:xx:xx, blank username=), not real values.
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge vlan-filtering=yes
# Site-to-site WireGuard interface; its 1412-byte MTU is what the MSS clamp in /ip firewall mangle targets.
/interface wireguard
add listen-port=13231 mtu=1412 name=wg1
# VLAN 30 on the bridge is the L3 interface for the 192.168.30.0/24 LAN (address assigned under /ip address).
/interface vlan
add interface=bridge name=vlan30 vlan-id=30
# L3 hardware offload is enabled on the switch chip but disabled on switch-port indices 0,1,3-7;
# the index-to-interface mapping is not visible in the export.
/interface ethernet switch
set 0 l3-hw-offloading=yes
/interface ethernet switch port
set 0 l3-hw-offloading=no
set 1 l3-hw-offloading=no
set 3 l3-hw-offloading=no
set 4 l3-hw-offloading=no
set 5 l3-hw-offloading=no
set 6 l3-hw-offloading=no
set 7 l3-hw-offloading=no
# Two WAN/LAN pairs: WAN/LAN (sfp-sfpplus1 / untagged bridge ports) and WAN30/LAN30 (sfp-sfpplus2
# uplink / VLAN 30 access ports). Membership is defined under /interface list member below.
/interface list
add name=WAN
add name=LAN
add name=WAN30
add name=LAN30
# Default-config leftovers; this device has no wireless and no hotspot in use.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
# mode-config: src-address-list selects which local sources are src-nated into the tunnel. RouterOS
# generates that src-nat rule dynamically at the top of the srcnat chain and excludes destinations
# that are in the same list, which is why adding 192.168.178.0/24 to the list keeps the WG LAN out of IPsec.
/ip ipsec mode-config
add name=NordVPN_it responder=no src-address-list=nordvpn_it_list
add name=NordVPN_jp responder=no src-address-list=nordvpn_jp_list
/ip ipsec policy group
add name=NordVPN
# NOTE(review): the profile sets no algorithms explicitly, so the IKE SA uses the RouterOS defaults
# (inspect with /ip ipsec profile print) -- confirm they are acceptable for this provider.
/ip ipsec profile
add name=NordVPN
# Two NordVPN IKEv2 peers; the Italian one is disabled, the Japanese one is active.
/ip ipsec peer
add address=it256.nordvpn.com disabled=yes exchange-mode=ike2 name=NordVPN_it profile=NordVPN
add address=jp674.nordvpn.com exchange-mode=ike2 name=NordVPN_jp profile=NordVPN
# NOTE(review): pfs-group=none disables Perfect Forward Secrecy for the child SAs; presumably a
# provider requirement -- confirm, and prefer a DH group here if the provider supports one.
/ip ipsec proposal
add name=NordVPN pfs-group=none
/ip pool
add name=pool_vlan30 ranges=192.168.30.10-192.168.30.100
/ip dhcp-server
add address-pool=pool_vlan30 interface=vlan30 name=dhcp_vlan30
/port
set 0 name=serial0
# NOTE(review): the built-in CA bundle is not trusted, so every certificate check on this router
# (IKEv2 server certificate included) relies on manually imported CAs, which an export does not show.
/certificate settings
set builtin-trust-anchors=not-trusted
# Bridge ports: sfp-sfpplus2 (the routed uplink) is disabled as a bridge port; ether1, sfp-sfpplus3 and
# sfp-sfpplus7 carry VLAN 30 untagged (pvid=30); the remaining ports sit in the default VLAN (192.168.88.0/24).
/interface bridge port
add bridge=bridge comment=defconf interface=ether1 pvid=30
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf disabled=yes interface=sfp-sfpplus2
add bridge=bridge comment=defconf interface=sfp-sfpplus3 pvid=30
add bridge=bridge comment=defconf interface=sfp-sfpplus4
add bridge=bridge comment=defconf interface=sfp-sfpplus5
add bridge=bridge comment=defconf interface=sfp-sfpplus6
add bridge=bridge comment=defconf interface=sfp-sfpplus7 pvid=30
add bridge=bridge comment=defconf interface=sfp-sfpplus8
# NOTE(review): ether1 has pvid=30 (dynamic untagged member) but is listed as tagged here, and
# sfp-sfpplus7 (pvid=30) is not listed at all -- verify with /interface bridge vlan print that the
# resulting VLAN 30 membership is the intended one.
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 untagged=sfp-sfpplus3 vlan-ids=30
# NOTE(review): WAN holds sfp-sfpplus1, which is a bridge member port (routed traffic from it is seen
# with in-interface=bridge), while the actual Internet uplink carrying the DHCP client and the default
# route is sfp-sfpplus2 in WAN30. Firewall rules matching in-interface-list=WAN therefore do not cover the uplink.
/interface list member
add interface=sfp-sfpplus1 list=WAN
add interface=sfp-sfpplus4 list=LAN
add interface=sfp-sfpplus5 list=LAN
add interface=sfp-sfpplus6 list=LAN
add interface=sfp-sfpplus7 list=LAN30
add interface=sfp-sfpplus8 list=LAN
add interface=sfp-sfpplus2 list=WAN30
add interface=ether1 list=LAN30
add interface=sfp-sfpplus3 list=LAN30
# WireGuard peer (the FRITZ!Box). allowed-address=192.168.178.0/24 is the cryptokey-routing filter:
# only packets sourced from that subnet are accepted from this peer and only that subnet is sent to it.
# The preshared-key adds a symmetric secret on top of the public-key pair; endpoint and keys are redacted.
/interface wireguard peers
add allowed-address=192.168.178.0/24 endpoint-address=<FRITZBOX_ADDRESS> endpoint-port=51730 interface=wg1 name=fritzbox \
    persistent-keepalive=25s preshared-key=<PSKEY> public-key=<PBKEY>    
/ip address
add address=192.168.30.1/24 interface=vlan30 network=192.168.30.0
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
# Uplink: DHCP on sfp-sfpplus2 (192.168.1.0/24, default gateway 192.168.1.254 per the routing table),
# i.e. this "WAN" is itself an RFC1918 upstream LAN, not a public-facing interface.
/ip dhcp-client
add interface=sfp-sfpplus2
/ip dhcp-server network
add address=192.168.30.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.30.1
# Only 192.168.30.95 is routed through NordVPN (both lists). The workaround discussed in the thread
# adds 192.168.178.0/24 to these lists so the dynamic src-nat rule skips traffic to the remote WG LAN.
/ip firewall address-list
add address=192.168.30.95 list=nordvpn_jp_list
add address=192.168.30.95 list=nordvpn_it_list
/ip firewall filter
# NOTE(review): there is no drop rule in either chain (no "drop invalid", no drop of unsolicited input
# or forward traffic from WAN/WAN30), so every accept rule below is a no-op and the router accepts
# everything -- including its management services -- on the sfp-sfpplus2 uplink. When adding drop
# rules, remember that the uplink faces 192.168.1.0/24: an unconditional "drop all from WAN30" on
# input would also cut any management access coming from that network, so allow it explicitly first.
add action=fasttrack-connection chain=forward connection-mark=!ipsec connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
# NOTE(review): this matches WAN (= sfp-sfpplus1, a bridge port), not the uplink sfp-sfpplus2 (WAN30)
# on which WireGuard handshakes from the Internet arrive; it only appears to work because nothing in
# the input chain drops. Match WAN30 (or both lists) before adding an input drop rule.
add action=accept chain=input comment="Allow Wireguard from WAN" dst-port=13231 in-interface-list=WAN protocol=udp
# NOTE(review): the 192.168.30.0/24 LAN is on vlan30, not on "bridge" (192.168.88.0/24), so these two
# rules do not match vlan30 <-> wg1 traffic; that traffic passes today only because there is no
# forward drop. Match vlan30 (or an interface list containing it) instead.
add action=accept chain=forward comment=Wireguard-to-LAN in-interface=wg1 out-interface=bridge
add action=accept chain=forward comment=LAN-to-Wireguard in-interface=bridge out-interface=wg1
/ip firewall mangle
# MSS clamp for TCP SYNs arriving from wg1 (1412 MTU). NOTE(review): only the inbound direction is
# clamped; add the mirror rule with out-interface=wg1 if outbound TCP through the tunnel stalls.
add action=change-mss chain=forward comment="MSS 1352 for Wireguard" in-interface=wg1 new-mss=1352 protocol=tcp tcp-flags=syn tcp-mss=\
    1353-65535
# Connections matching an IPsec policy are marked "ipsec" so the fasttrack rule above skips them
# (fasttracked packets would otherwise bypass IPsec processing).
add action=mark-connection chain=forward comment="Mark IPsec out" ipsec-policy=out,ipsec new-connection-mark=ipsec
add action=mark-connection chain=forward comment="Mark IPsec in" ipsec-policy=in,ipsec new-connection-mark=ipsec
# Masquerade vlan30 towards the uplink. The IPsec mode-config src-nat rule is inserted dynamically
# ahead of this one, so for 192.168.30.95 it wins. 192.168.88.0/24 has no NAT rule at all.
/ip firewall nat
add action=masquerade chain=srcnat in-interface=vlan30 out-interface-list=WAN30
# EAP-MSCHAPv2 client identities (username/password redacted). certificate="" means no client
# certificate is presented. NOTE(review): the responder's certificate is then checked against the CAs
# in /certificate, which an export cannot show -- confirm the provider's root CA is imported so the
# server identity is actually verified before the EAP credentials are sent.
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN_it peer=NordVPN_it \
    policy-template-group=NordVPN username=
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN_jp peer=NordVPN_jp \
    policy-template-group=NordVPN username=
# Policies: the action=none entry exempts traffic destined to the local VLAN from IPsec; the template
# (0.0.0.0/0 -> 0.0.0.0/0) catches everything else, which is why src-nated traffic for 192.168.178.0/24
# also lands in the tunnel unless it is kept out of the dynamic src-nat (see the address-lists above).
/ip ipsec policy
add action=none dst-address=192.168.30.0/24 src-address=0.0.0.0/0
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes
# Static route to the remote LAN via wg1; the peer's allowed-address is what makes WireGuard
# accept and send that subnet.
/ip route
add comment="Remote LAN via WG" disabled=no dst-address=192.168.178.0/24 gateway=wg1 routing-table=main suppress-hw-offload=no
/system clock
set time-zone-name=Europe/Rome

I’m not sure whether it is “easier”, but you can instead add another action=none policy before (above) the template one:

action=none dst-address=192.168.178.0/24 src-address=192.168.30.0/24

To me, such a method is more “readable” than adding the remote subnet to the address-list used by mode-config to dynamically generate the action=src-nat rule, but that may be subjective.

Sorry, that was wrong: IPsec policy matching happens after srcnat, so by then the packet already carries the mode-config address as its source and a policy with src-address=192.168.30.0/24 would never match. You have to prevent traffic towards 192.168.178.0/24 from being src-nated in the first place, and since the dynamically generated action=src-nat rules are placed at the beginning of the srcnat chain, you would have to do that in /ip/firewall/raw, which is definitely more complicated and has side effects. So the way you have found is the simplest one available.

Thank you! I'll go with my workaround then.

An afterthought, mostly for people searching for this topic later: there is yet another (not simpler) way to control which traffic gets src-nated, and thus matches the NordVPN IPsec policy.

On the /ip/ipsec/mode-config entry, you can set a connection-mark value instead of src-address-list. The action=src-nat rule dynamically added by IPsec then matches on that connection-mark, so if you do only that, no traffic enters the tunnel.

To make it work, you also have to add action=mark-connection rules to the prerouting or forward chain of /ip/firewall/mangle (both run before srcnat), which assign that connection-mark to the traffic you want to match the rule (and thus leave via the NordVPN tunnel).

This approach definitely gives you much more detailed control over what to send via NordVPN and what to not, but the price to pay is higher complexity of the configuration.