[HELP] RouterOS 7.1.5 Wireguard Routing

Hello, a newbie here needs a little help!

I have two ISPs at home and two Wireguard Tunnels from Server-‘X’ (IP:XX.XX.XX.XX). I have upgraded my RB5009 to ROS 7.1.5, as it’s now allowed to use the same peer’s public key for different interfaces with the new 7.1.5 update.

The Tunnel-1 goes through ISP-1 by default, as Default Route is marked on ISP-1.

I basically use /ip routes, then add the Server IP (IP:XX.XX.XX.XX) in Dst. Address:, ISP-X in Gateway:, and select Routing Table: as main. Then the tunnel goes via that ISP-X.

Now my question is: how can I make my Tunnel-2 from the same Server-‘X’ (IP:XX.XX.XX.XX) go via ISP-2?

Thank you!

Your description and requirements are not clear.
Please provide a network diagram.

Confirm that the RB5009 for both tunnels is acting as the Client device for the initial connection.
Also, what type of Server are you connecting to? 3rd party VPN?

What type of traffic are you trying to push through each tunnel? Is it outbound only? Is it two-way traffic?

Will need to see config as well.
/export file=anynameyouwish

It’s explained in this Help page
https://help.mikrotik.com/docs/pages/viewpage.action?pageId=26476608

Plenty of other posts on this forum if you care to search for e.g. “dual wan”

PS you might want to change the title of this thread.
This is not about Wireguard itself. This is about routing to dual WAN connections.

I tried my best in this diagram to explain what I want to do. Hope you get it this time.

Basically, I want to route WG Tunnel-1 via ISP-1 and WG Tunnel-2 via ISP-2. Both of the tunnels are from same server.

That is an assumption, and seeing how wireguard routing and IP routing work hand in hand,
it's likely a both issue…
Making such conclusions before getting the facts is like ejaculation ( of the premature variety ).

Well, that's failover, but mine was keeping the connections active on both tunnels at the same time via two ISPs. I was confused, that's why I asked here.

No worries, let's help eliminate confusion!!!

Excellent diagram, now fill in the holes.

  1. What traffic is going out tunnel 1
  2. What traffic is going out tunnel 2
  3. What traffic is coming in on tunnel 1
  4. What traffic is coming in on tunnel 2
  5. Is there different traffic usage of wireguard tunnels depending upon subnet on 5009?
  6. Is there different traffic usage of wireguard tunnels depending upon device/user on 5009?
  7. What type of device or service is the WIREGUARD SERVER (another MT router? a third party service?)
  8. For each Tunnel the WIREGUARD Server that you are connecting to is providing:
    a. different or same endpoint address??
    b. different or same endpoint port ??
    c. different or same IP wireguard interface address

https://forum.mikrotik.com/viewtopic.php?t=182340

Thank you!

I would like to answer Q7 so most of the first ones will be easier to understand.

Answers ~
Q7. This is a local IX connected third party server. Both of my ISPs are connected to the same IX as the server, so whenever I am connected to the Wireguard Server, I get a speed boost. Now I want to keep two wireguard tunnels connected to the same server but using both ISPs.

Q1+Q2+Q3+Q4. Some selected addresses where I want my boosted speed to work. I will merge both tunnels using load-balancing for those destinations only. For example, Google Drive downloads, some other download sites, etc.
Q5+Q6. I would say no. These tunnels, I may use them for all the users on my network and for selected addresses only. So whenever they are hitting those heavy downloading destinations, they will use local IX bandwidth and get an extra speed boost.
Q8a+Q8b. Same Endpoint address and Port.
Q8c. I got two wireguard.conf from the server, and set them up as two different wireguard interfaces.


I am adding the /export info here for wireguards

/routing table
add disabled=no fib name=wg-tunnel-1
add disabled=no fib name=wg-tunnel-2

/interface wireguard
add listen-port=13231 mtu=1420 name=wg-tunnel-1
add listen-port=13232 mtu=1420 name=wg-tunnel-2

/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=12.34.56.78 endpoint-port=1080 interface=wg-tunnel-1 persistent-keepalive=25s public-key="DLUFOF82awjcY6T/CbkQVQvAgR0+fR7xsXJRNUyQD3U="
add allowed-address=0.0.0.0/0 endpoint-address=12.34.56.78 endpoint-port=1080 interface=wg-tunnel-2 persistent-keepalive=25s public-key="DLUFOF82awjcY6T/CbkQVQvAgR0+fR7xsXJRNUyQD3U="

/ip address
add address=10.7.0.3/24 interface=wg-tunnel-1 network=10.7.0.0
add address=10.7.0.4/24 interface=wg-tunnel-2 network=10.7.0.0

/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=wg-tunnel-1 routing-table=wg-tunnel-1 suppress-hw-offload=no
add disabled=no dst-address=0.0.0.0/0 gateway=wg-tunnel-2 routing-table=wg-tunnel-2 suppress-hw-offload=no

I am less than an IT or Linux engineer… (did train in Industrial but never used it)
All to say is that you will have to explain 9.
What is 9 (IX)?

Is it a computer, is it an IT device?
Is it behind another Router?
Is it a virtual Server at a server Farm?

Very confusing to me when you say it's local; I thought your 5009 was going over the internet to this device 9??

I missed the part where you indicated you want to keep both running.
Then it’s something like load balancing.

Ahh! Well, I think I will stop this experiment for now! Thank you, btw!

Why the sudden cold feet??

By the way, there is an issue with incomplete routing…
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=wg-tunnel-1 routing-table=wg-tunnel-1 suppress-hw-offload=no
add disabled=no dst-address=0.0.0.0/0 gateway=wg-tunnel-2 routing-table=wg-tunnel-2 suppress-hw-offload=no

Tell me how the router is supposed to know which tunnel the traffic is supposed to go through if there are two options???
This is why I was asking which subnet or user is going to use wg1 and which wg2.
You need some structure or logic to the plan!!
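
The following is an added example, not part of the thread or any poster's configuration. It shows one way to supply the selection logic the last post asks for, reusing the names from the export above. The ISP-2 gateway `203.0.113.1`, the interface name `ether2-isp2`, the LAN `192.168.88.0/24`, the address list `boost-dst` and the need for masquerade on the tunnels are assumptions.

```routeros
# Added example (not from the thread). Assumed placeholders:
#   203.0.113.1 = ISP-2 gateway, ether2-isp2 = ISP-2 interface,
#   192.168.88.0/24 = LAN, boost-dst = address list of selected destinations.

# 1) Outer (encrypted) packets of wg-tunnel-2 leave from its listen-port 13232.
#    Mark them in the output chain and resolve them in a table that points at ISP-2.
/routing table
add disabled=no fib name=via-isp2
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-table=via-isp2
/ip firewall mangle
add chain=output protocol=udp src-port=13232 dst-address=12.34.56.78 dst-port=1080 action=mark-routing new-routing-mark=via-isp2 passthrough=no comment="wg-tunnel-2 outer packets via ISP-2"
# The source address is picked before re-routing, so NAT it to the ISP-2 address.
/ip firewall nat
add chain=srcnat out-interface=ether2-isp2 action=masquerade

# 2) Inner traffic: split new LAN connections to the selected destinations
#    across the two tunnel tables that the export already defines.
/ip firewall mangle
add chain=prerouting src-address=192.168.88.0/24 dst-address-list=boost-dst connection-mark=no-mark per-connection-classifier=both-addresses:2/0 action=mark-connection new-connection-mark=wg1-conn passthrough=yes
add chain=prerouting src-address=192.168.88.0/24 dst-address-list=boost-dst connection-mark=no-mark per-connection-classifier=both-addresses:2/1 action=mark-connection new-connection-mark=wg2-conn passthrough=yes
add chain=prerouting src-address=192.168.88.0/24 connection-mark=wg1-conn action=mark-routing new-routing-mark=wg-tunnel-1 passthrough=no
add chain=prerouting src-address=192.168.88.0/24 connection-mark=wg2-conn action=mark-routing new-routing-mark=wg-tunnel-2 passthrough=no

# Assumption: the server only accepts 10.7.0.3 and 10.7.0.4 as inner source addresses.
/ip firewall nat
add chain=srcnat out-interface=wg-tunnel-1 action=masquerade
add chain=srcnat out-interface=wg-tunnel-2 action=masquerade
```

If a fasttrack rule is present, the marked connections need to be excluded from it, because fasttracked packets skip mangle. Traffic that matches neither mark keeps using the main table, so only destinations in the address list enter a tunnel.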