Help with traffic forwarding

A long time ago, I set up a router running 6.x to forward all traffic from a specific internal IP to an OpenVPN connection.
When I upgraded everything (including router) I moved to the 7.x OS. There was an auto-upgrade of my config, including changing the routing that I was doing. I didn’t pay that much attention because it still seemed to work.

The OpenVPN connection was replaced by Wireguard, which appears to be working ok.
My problem is that I don’t think all my traffic is being directed over the wireguard link.
In particular, uploading anything seems to take forever, and often fails. But a normal wireguard client connection from another system to the same remote server works fine.

I am missing something in this config, and I just can’t see it…
Just the relevant bits:

====================================

# Client-side tunnel interface. The listen port matters little here: this
# router dials out to the peer and keeps the session alive with keepalives
# (see the peer entry below).
/interface wireguard
add listen-port=13232 mtu=1420 name=wireguard2

# Separate FIB so a default route via the tunnel can exist without touching
# the main table.
/routing table
add fib name=VPN

# allowed-address=0.0.0.0/0 is required for a full-tunnel default route: WireGuard
# only passes packets whose addresses fall inside the peer's allowed list.
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=3.11.140.NNN endpoint-port=
51820 interface=wireguard2 persistent-keepalive=25s public-key=
“mF7TFCjkSUrPVZ+/AteLLNvmLQzJXXXXXXXXXXXXXXXX=”

# This line belongs under /ip address (the section header was dropped from the
# excerpt). It lacks a prefix length, so RouterOS treats it as /32 and no
# connected route for 10.9.0.0/24 is created; corrected later in the thread.
add address=10.9.0.128 interface=wireguard2 network=10.9.0.0

# Per-packet routing mark for one LAN host; passthrough=yes lets later mangle
# rules still match. NOTE(review): fasttracked packets bypass mangle, so with
# the defconf fasttrack rule in place only packets seen before a connection is
# fasttracked receive this mark — a plausible reason the steering looked
# inconsistent.
/ip firewall mangle
add action=mark-routing chain=prerouting comment=
“;;; Tag packets for WireGuard link to UK” new-routing-mark=VPN
passthrough=yes src-address=10.0.0.23

# Source-NAT toward the tunnel so return traffic is addressed to the tunnel
# address rather than a LAN address the far side has no route for.
/ip firewall nat
add action=masquerade chain=srcnat comment=“WG-UK VPN” out-interface=
wireguard2

# Default route that lives only in the VPN table; packets reach it via the
# routing mark above (or, as suggested later in the thread, a routing rule).
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wireguard2 pref-src=
“” routing-table=VPN scope=30 suppress-hw-offload=no target-scope=10

As a general observation, if you cannot see it, what makes you think you know the relevant bits??
The MT RoS config is highly intertwined, and thus it is always best to provide the full config minus sensitive bits.

  1. Error in address
    add address=10.9.0.128 interface=wireguard2 network=10.9.0.0
    Should be:
    add address=10.9.0.128/24 interface=wireguard2 network=10.9.0.0

  2. Please confirm you only want one user to go out wireguard, or the subnet ??? src-address=10.0.0.23

I was trying to simplify things to save people having to wade through the entire config.

Ok on the Wireguard interface address (10.9.0.128/24).

Yes, it is only for traffic from one IP to be directed through the Wireguard interface.

Complete config:

===========================

2024-02-13 14:11:14 by RouterOS 7.13.4

software id = 3VQ9-S2GH

model = RB4011iGS+

serial number = F03A0EDA8E49

# Full export as posted (2024-02-13, RouterOS 7.13.4). Lines beginning with
# NOTE(review) are reviewer remarks; the configuration itself is unchanged.
/interface bridge
add admin-mac=2C:C8:1B:7D:63:4E auto-mac=no comment=defconf name=bridge
port-cost-mode=short
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] comment=“Extension Interface” name=
sfp-S+RJ10
# Client-side tunnel interface. The listen port is not reachable from the WAN
# because the input chain below drops everything not arriving from the LAN
# list; the router dials out to the peer and keeps the session up with
# keepalives.
/interface wireguard
add listen-port=13232 mtu=1420 name=wireguard2
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# DHCP pool 10.0.0.100-200. Note that a static dst-nat target further down
# (10.0.0.143) falls inside this range.
/ip pool
add name=dhcp ranges=10.0.0.100-10.0.0.200
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=5h name=defconf
/port
set 0 name=serial0
set 1 name=serial1
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
# Dedicated FIB holding only the tunnel default route (see /ip route); traffic
# is steered into it by the mangle routing mark below.
/routing table
add fib name=VPN
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10
internal-path-cost=10 path-cost=10
# ether1 ("Was WAN") is now an ordinary bridge port; the uplink is the SFP
# port (see /interface list member).
add bridge=bridge comment=“Was WAN” interface=ether1 internal-path-cost=10
path-cost=10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
# IPv6 is disabled router-wide, so there is no v6 path through this router for
# 10.0.0.23's traffic to bypass the tunnel.
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
# Advised later in the thread to set this to none; leaving it at "all" is
# known to cause odd behaviour.
/interface detect-internet
set detect-interface-list=all
# wireguard2 is a member of neither list. That matters for the firewall: the
# input chain's "!LAN" drop covers it, but the forward chain's WAN-only drop
# does not (see the NOTE(review) in /ip firewall filter).
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=sfp-S+RJ10 list=WAN
# NOTE(review): leftover from the OpenVPN era. md5 is a weak HMAC choice; the
# export shows no enabled=yes here, so the server is presumably off — confirm,
# and drop the md5 entry (or the whole server config) if it is no longer used.
/interface ovpn-server server
set auth=sha1,md5
# allowed-address=0.0.0.0/0 is needed for a full-tunnel default route (WireGuard
# only passes packets whose addresses fall in the peer's allowed list). The
# flip side is that any source address the remote endpoint sends is accepted,
# so the forward chain is the only thing policing tunnel->LAN traffic.
# NOTE(review): the endpoint address was redacted in the short excerpt above
# but not here.
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=3.11.140.143 endpoint-port=
51820 interface=wireguard2 persistent-keepalive=25s public-key=
“mF7TFCjkSUrPVZ+/AteLLNvmLQzJXXXXXXXXXXXXXXX=”
/ip address
add address=10.0.0.1/24 comment=“Internal network gateway” interface=bridge
network=10.0.0.0
# Missing prefix length: RouterOS treats this as /32, so no connected route for
# 10.9.0.0/24 exists. Corrected to 10.9.0.128/24 later in the thread.
add address=10.9.0.128 interface=wireguard2 network=10.9.0.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
# Lease script keeps the WAN-IP address-list entry (used by the dst-nat rules)
# in sync with the current public lease and disables it when the lease is lost.
add comment=“Xfinity DHCP” interface=sfp-S+RJ10 script=“:if ($bound=1) do={
\n/ip firewall address-list set [/ip firewall address-list find where comm
ent="WAN-IP"] address=$"lease-address" disabled=no
\n} else={
\n/ip firewall address-list set [/ip firewall address-list find where comm
ent="WAN-IP"] disabled=yes
\n}” use-peer-dns=no use-peer-ntp=no
# Clients are handed 10.0.0.21 and public resolvers, not the router itself.
/ip dhcp-server network
add address=10.0.0.0/24 comment=defconf dns-server=10.0.0.21,1.1.1.1,8.8.8.8
gateway=10.0.0.1 netmask=24
# The router accepts DNS queries from others; the input chain's "!LAN" drop
# keeps this from being an open resolver toward the WAN or the tunnel.
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip dns static
add address=10.0.0.1 comment=defconf name=router.lan
# Current public address, maintained by the DHCP lease script above.
# NOTE(review): this is the kind of value worth redacting when posting an export.
/ip firewall address-list
add address=73.37.97.160 comment=WAN-IP list=WAN-IP
/ip firewall filter
add action=accept chain=input comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=
invalid
# ICMP is accepted before the "!LAN" drop, so the router answers pings from
# the WAN and from the tunnel.
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input comment=
“defconf: accept to local loopback (for CAPsMAN)” dst-address=127.0.0.1
# Also covers wireguard2 (not in LAN): router-local services are unreachable
# from the far end of the tunnel apart from ICMP and replies to established
# connections.
add action=drop chain=input comment=“defconf: drop all not coming from LAN”
in-interface-list=!LAN
add action=accept chain=forward comment=“defconf: accept in ipsec policy”
ipsec-policy=in,ipsec
add action=accept chain=forward comment=“defconf: accept out ipsec policy”
ipsec-policy=out,ipsec
# NOTE(review): fasttracked packets bypass mangle, so the per-packet
# mark-routing rule below only sees packets that are not yet fasttracked. That
# is a plausible reason the mangle-based steering behaved inconsistently.
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack”
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=
“defconf: accept established,related, untracked” connection-state=
established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid”
connection-state=invalid
# NOTE(review): this drop matches only in-interface-list=WAN, and wireguard2 is
# not in that list, so new connections arriving through the tunnel toward the
# LAN hit no drop rule and fall through to the default accept. If the remote
# endpoint is not fully trusted, add a forward drop for
# in-interface=wireguard2 connection-state=new (or add wireguard2 to WAN).
add action=drop chain=forward comment=
“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
# Steers one host into the VPN table by marking every packet in prerouting;
# passthrough=yes lets later mangle rules still match. Replaced by a routing
# rule later in the thread.
/ip firewall mangle
add action=mark-routing chain=prerouting comment=
“;;; Tag packets for WireGuard link to UK” new-routing-mark=VPN
passthrough=yes src-address=10.0.0.23
/ip firewall nat
add action=masquerade chain=srcnat comment=“defconf: masquerade”
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=HTTP disabled=yes dst-address-list=
WAN-IP dst-port=80 protocol=tcp to-addresses=10.0.0.4 to-ports=80
add action=dst-nat chain=dstnat comment=HTTPS disabled=yes dst-address-list=
WAN-IP dst-port=443 protocol=tcp to-addresses=10.0.0.4
# NOTE(review): to-addresses=10.9.0.25 is in the tunnel subnet, not the LAN, and
# the rule has no dst-address-list match. It is disabled, so harmless today;
# confirm the intended target before ever enabling it.
add action=dst-nat chain=dstnat comment=SMTP disabled=yes dst-port=25
protocol=tcp to-addresses=10.9.0.25 to-ports=25
add action=dst-nat chain=dstnat comment=IMAPS dst-address-list=WAN-IP
dst-port=993 protocol=tcp to-addresses=10.0.0.4 to-ports=993
# Forwards inbound WireGuard traffic to a separate server on the LAN
# (10.0.0.21). No clash with this router's own tunnel, which listens on 13232.
add action=dst-nat chain=dstnat comment=“Wireguard UDP” dst-address-list=
WAN-IP dst-port=51820 in-interface=sfp-S+RJ10 protocol=udp to-addresses=
10.0.0.21 to-ports=51820
# Source-NAT toward the tunnel so return traffic is addressed to the tunnel
# address rather than a LAN address the far side has no route for.
add action=masquerade chain=srcnat comment=“WG-UK VPN” out-interface=
wireguard2
# Hairpin NAT so LAN hosts can reach the dst-nat'd services via the public
# address.
add action=masquerade chain=srcnat comment=
“Hairpin - Loopback for external address” dst-address=10.0.0.0/24
src-address=10.0.0.0/24
# NOTE(review): exposes the camera's RTSP port directly to the internet; worth
# restricting the allowed source addresses if the camera's own authentication
# is weak.
add action=dst-nat chain=dstnat comment=“Camera 1” dst-address-list=WAN-IP
dst-port=554 protocol=tcp to-addresses=10.0.0.30 to-ports=554
# NOTE(review): 10.0.0.143 lies inside the DHCP pool (10.0.0.100-200); unless
# the laptop has a static lease, the forward can land on a different host.
add action=dst-nat chain=dstnat comment=“EchoLink - forward to laptop”
dst-address-list=WAN-IP dst-port=5198,5199 protocol=udp to-addresses=
10.0.0.143
add action=dst-nat chain=dstnat comment=SSH disabled=yes dst-address-list=
WAN-IP dst-port=22 protocol=tcp to-addresses=10.0.0.4 to-ports=22
# Default route that exists only in the VPN table; the main table is untouched.
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wireguard2 pref-src=
“” routing-table=VPN scope=30 suppress-hw-offload=no target-scope=10
/routing bfd configuration
add disabled=no
/system clock
set time-zone-name=America/Los_Angeles
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=10.0.0.4
add address=132.163.97.3
/system resource irq rps
set sfp-S+RJ10 disabled=no
# MAC-level management access (MAC-telnet / MAC-Winbox) limited to the LAN list.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
# Sniffer filter left pointed at the other WireGuard server's port; the export
# does not show whether a capture is actually running.
/tool sniffer
set filter-interface=ether3 filter-ip-protocol=udp filter-port=51820

Thanks!

  1. Most of us set this to none; leaving it at all is known to cause weird issues.
    /interface detect-internet
    set detect-interface-list=all

  2. Nothing wrong with your table, the IP route or sourcenat rule.
    The sourcenat rule is key to using a third party VPN because you are typically given a single IP address and thus all traffic from your router needs to be assigned that IP address.

  3. IP address format needs to be fixed.
    From:
    /ip address
    add address=10.0.0.1/24 comment=“Internal network gateway” interface=bridge
    network=10.0.0.0
    add address=10.9.0.128 interface=wireguard2 network=10.9.0.0

TO:
/ip address
add address=10.0.0.1/24 comment=“Internal network gateway” interface=bridge
network=10.0.0.0
add address=10.9.0.128/24 interface=wireguard2 network=10.9.0.0

Putting in the proper address format also creates, as for any subnet on RoS, a local direct route:
dst-address=10.9.0.0/24 gateway=wireguard2 routing-table=main

  1. Remove mangle rules!!

  2. Add routing rule instead
    /routing rule add src-address=10.0.0.23/32 action=lookup table=VPN

This will take any traffic leaving 10.0.0.23 and route it via the specified table.
This table goes out wireguard. No leaking.

If you never want that IP address to use the local WAN when the wireguard tunnel is down, then change the action to action=lookup-only-in-table.
Right now the router will fall back to the main table to find an alternate route.

I corrected the 10.9.0.128/32 yesterday … didn’t make any obvious difference to my problem, but it was incorrect, so /24.

The original config (version 6.x) did the routing using tags (mangle) and it worked ok, and I could understand what was happening.
When I migrated, that config was changed, and ended up being a mixture of tags (mangle) and routing based upon the tag matching a routing table.
I never really understood how it was supposed to work … but then there is a lot of black magic (to me) in Mikrotik config.

It worked for its intended purpose of streaming TV, but had problems transferring large files … (?).

Replacing the mangle with direct routing worked wonders. Looks like it is working correctly now.
Fallback to communicating on the main external interface is fine, BTW.

Thanks for the help!!

Modified config:

=======================

2024-02-14 11:58:37 by RouterOS 7.13.4

software id = 3VQ9-S2GH

model = RB4011iGS+

serial number = F03A0EDA8E49

# Modified export as posted (2024-02-14, RouterOS 7.13.4): tunnel address now
# carries a prefix, the mangle rule is disabled and a routing rule does the
# steering. Lines beginning with NOTE(review) are reviewer remarks; the
# configuration itself is unchanged.
/interface bridge
add admin-mac=2C:C8:1B:7D:63:4E auto-mac=no comment=defconf name=bridge
port-cost-mode=short
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] comment=“Extension Interface” name=
sfp-S+RJ10
# Client-side tunnel interface. The listen port is not reachable from the WAN
# because the input chain below drops everything not arriving from the LAN
# list; the router dials out to the peer and keeps the session up with
# keepalives.
/interface wireguard
add listen-port=13232 mtu=1420 name=wireguard2
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# DHCP pool 10.0.0.100-200. Note that a static dst-nat target further down
# (10.0.0.143) falls inside this range.
/ip pool
add name=dhcp ranges=10.0.0.100-10.0.0.200
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=5h name=defconf
/port
set 0 name=serial0
set 1 name=serial1
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
# Dedicated FIB holding only the tunnel default route (see /ip route); traffic
# is steered into it by the routing rule near the end of the export.
/routing table
add fib name=VPN
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10
internal-path-cost=10 path-cost=10
# ether1 ("Was WAN") is now an ordinary bridge port; the uplink is the SFP
# port (see /interface list member).
add bridge=bridge comment=“Was WAN” interface=ether1 internal-path-cost=10
path-cost=10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
# IPv6 is disabled router-wide, so there is no v6 path through this router for
# 10.0.0.23's traffic to bypass the tunnel.
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
# wireguard2 is a member of neither list. That matters for the firewall: the
# input chain's "!LAN" drop covers it, but the forward chain's WAN-only drop
# does not (see the NOTE(review) in /ip firewall filter).
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=sfp-S+RJ10 list=WAN
# NOTE(review): leftover from the OpenVPN era. md5 is a weak HMAC choice; the
# export shows no enabled=yes here, so the server is presumably off — confirm,
# and drop the md5 entry (or the whole server config) if it is no longer used.
/interface ovpn-server server
set auth=sha1,md5
# allowed-address=0.0.0.0/0 is needed for a full-tunnel default route (WireGuard
# only passes packets whose addresses fall in the peer's allowed list). The
# flip side is that any source address the remote endpoint sends is accepted,
# so the forward chain is the only thing policing tunnel->LAN traffic.
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=3.11.140.143 endpoint-port=
51820 interface=wireguard2 persistent-keepalive=25s public-key=
“mF7TFCjkSUrPVZ+/AteLLNvmLQzJAXXXXXXXXXXXXXX=”
/ip address
add address=10.0.0.1/24 comment=“Internal network gateway” interface=bridge
network=10.0.0.0
# Prefix length now present, so a connected route for 10.9.0.0/24 via
# wireguard2 appears in the main table.
add address=10.9.0.128/24 interface=wireguard2 network=10.9.0.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
# Lease script keeps the WAN-IP address-list entry (used by the dst-nat rules)
# in sync with the current public lease and disables it when the lease is lost.
add comment=“Xfinity DHCP” interface=sfp-S+RJ10 script=“:if ($bound=1) do={
\n/ip firewall address-list set [/ip firewall address-list find where comm
ent="WAN-IP"] address=$"lease-address" disabled=no
\n} else={
\n/ip firewall address-list set [/ip firewall address-list find where comm
ent="WAN-IP"] disabled=yes
\n}” use-peer-dns=no use-peer-ntp=no
# Clients are handed 10.0.0.21 and public resolvers, not the router itself.
/ip dhcp-server network
add address=10.0.0.0/24 comment=defconf dns-server=10.0.0.21,1.1.1.1,8.8.8.8
gateway=10.0.0.1 netmask=24
# The router accepts DNS queries from others; the input chain's "!LAN" drop
# keeps this from being an open resolver toward the WAN or the tunnel.
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip dns static
add address=10.0.0.1 comment=defconf name=router.lan
# Current public address, maintained by the DHCP lease script above.
# NOTE(review): this is the kind of value worth redacting when posting an export.
/ip firewall address-list
add address=73.37.97.160 comment=WAN-IP list=WAN-IP
/ip firewall filter
add action=accept chain=input comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=
invalid
# ICMP is accepted before the "!LAN" drop, so the router answers pings from
# the WAN and from the tunnel.
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input comment=
“defconf: accept to local loopback (for CAPsMAN)” dst-address=127.0.0.1
# Also covers wireguard2 (not in LAN): router-local services are unreachable
# from the far end of the tunnel apart from ICMP and replies to established
# connections.
add action=drop chain=input comment=“defconf: drop all not coming from LAN”
in-interface-list=!LAN
add action=accept chain=forward comment=“defconf: accept in ipsec policy”
ipsec-policy=in,ipsec
add action=accept chain=forward comment=“defconf: accept out ipsec policy”
ipsec-policy=out,ipsec
# Fasttracked packets bypass mangle, which is why a per-packet mark-routing
# rule was a fragile way to steer traffic; the routing rule used below does
# not depend on mangle marks.
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack”
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=
“defconf: accept established,related, untracked” connection-state=
established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid”
connection-state=invalid
# NOTE(review): this drop matches only in-interface-list=WAN, and wireguard2 is
# not in that list, so new connections arriving through the tunnel toward the
# LAN hit no drop rule and fall through to the default accept. If the remote
# endpoint is not fully trusted, add a forward drop for
# in-interface=wireguard2 connection-state=new (or add wireguard2 to WAN).
add action=drop chain=forward comment=
“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
# Kept but disabled; superseded by the routing rule below.
/ip firewall mangle
add action=mark-routing chain=prerouting comment=
“;;; Tag packets for WireGuard link to UK” disabled=yes new-routing-mark=
VPN passthrough=yes src-address=10.0.0.23
/ip firewall nat
add action=masquerade chain=srcnat comment=“defconf: masquerade”
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=HTTP disabled=yes dst-address-list=
WAN-IP dst-port=80 protocol=tcp to-addresses=10.0.0.4 to-ports=80
add action=dst-nat chain=dstnat comment=HTTPS disabled=yes dst-address-list=
WAN-IP dst-port=443 protocol=tcp to-addresses=10.0.0.4
# NOTE(review): to-addresses=10.9.0.25 is in the tunnel subnet, not the LAN, and
# the rule has no dst-address-list match. It is disabled, so harmless today;
# confirm the intended target before ever enabling it.
add action=dst-nat chain=dstnat comment=SMTP disabled=yes dst-port=25
protocol=tcp to-addresses=10.9.0.25 to-ports=25
add action=dst-nat chain=dstnat comment=IMAPS dst-address-list=WAN-IP
dst-port=993 protocol=tcp to-addresses=10.0.0.4 to-ports=993
# Forwards inbound WireGuard traffic to a separate server on the LAN
# (10.0.0.21). No clash with this router's own tunnel, which listens on 13232.
add action=dst-nat chain=dstnat comment=“Wireguard UDP” dst-address-list=
WAN-IP dst-port=51820 in-interface=sfp-S+RJ10 protocol=udp to-addresses=
10.0.0.21 to-ports=51820
# Source-NAT toward the tunnel so return traffic is addressed to the tunnel
# address rather than a LAN address the far side has no route for.
add action=masquerade chain=srcnat comment=“WG-UK VPN” out-interface=
wireguard2
# Hairpin NAT so LAN hosts can reach the dst-nat'd services via the public
# address.
add action=masquerade chain=srcnat comment=
“Hairpin - Loopback for external address” dst-address=10.0.0.0/24
src-address=10.0.0.0/24
# NOTE(review): exposes the camera's RTSP port directly to the internet; worth
# restricting the allowed source addresses if the camera's own authentication
# is weak.
add action=dst-nat chain=dstnat comment=“Camera 1” dst-address-list=WAN-IP
dst-port=554 protocol=tcp to-addresses=10.0.0.30 to-ports=554
# NOTE(review): 10.0.0.143 lies inside the DHCP pool (10.0.0.100-200); unless
# the laptop has a static lease, the forward can land on a different host.
add action=dst-nat chain=dstnat comment=“EchoLink - forward to laptop”
dst-address-list=WAN-IP dst-port=5198,5199 protocol=udp to-addresses=
10.0.0.143
add action=dst-nat chain=dstnat comment=SSH disabled=yes dst-address-list=
WAN-IP dst-port=22 protocol=tcp to-addresses=10.0.0.4 to-ports=22
# Default route that exists only in the VPN table; the main table is untouched.
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wireguard2 pref-src=
“” routing-table=VPN scope=30 suppress-hw-offload=no target-scope=10
/routing bfd configuration
add disabled=no
# Policy routing without mangle: packets sourced from 10.0.0.23 are looked up
# in the VPN table first. action=lookup falls back to the main table when VPN
# has no usable route (e.g. tunnel down); lookup-only-in-table would not.
# NOTE(review): there is no dst-address exclusion, so anything from this host
# that is routed (rather than bridged) to the local subnet — hairpin-NAT'd or
# router-bound traffic — also matches VPN's 0.0.0.0/0. If that proves to be a
# problem, the usual guard is a rule placed above this one:
# `add src-address=10.0.0.23/32 dst-address=10.0.0.0/24 action=lookup table=main`
# — confirm against observed behaviour.
/routing rule
add action=lookup src-address=10.0.0.23/32 table=VPN
/system clock
set time-zone-name=America/Los_Angeles
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=10.0.0.4
add address=132.163.97.3
/system resource irq rps
set sfp-S+RJ10 disabled=no
# MAC-level management access (MAC-telnet / MAC-Winbox) limited to the LAN list.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
# Sniffer filter left pointed at the other WireGuard server's port; the export
# does not show whether a capture is actually running.
/tool sniffer
set filter-interface=ether3 filter-ip-protocol=udp filter-port=51820