Home network Wireguard VPN to Azure CHR default route weirdness

Hey All,

So I signed up for the Azure 30-day free trial. Loaded a CHR in their London data centre. Connected my AC2 via Wireguard. Set a mangle rule to divert all traffic from certain devices to the London CHR so I can access UK geo-bound services.

Outcome? Ping all websites just fine. Can load simple webpages just fine, google, whatismyip, w3cschools etc great. But anything else is a nightmare. Can’t do speed test, can’t load itv.com or bbc.com properly.

HOWEVER, if I install the Wireguard app on my android phone and connect direct to the London CHR, all is gravy, everything works as it should: can do speedtest, load all the websites and watch the rugby. So why can’t I do this on the home network via the MK-to-MK WG link? Is it my mangle rule? Is it something to do with ports?

Config below for reference:

ROS 7.11.2
Home Router Mangle:
;;; UK Traffic
chain=prerouting action=route passthrough=no route-dst=10.30.30.2 src-address-list=UK-Traffic dst-address-list=!Local log=no

Really that’s it. As I said, the WG tunnel works fine, and all traffic coming from the UK-Traffic src list is masqueraded at the CHR end out of its WAN interface. I can ping DNS addresses just fine, and simple websites work fine too, just nothing which is more complicated.

If you need more info to go on I can provide. But perhaps there’s a special rule in routing via mangle I don’t know about.

Thanks in advance

Post your router config
/export file=anynameyouwish ( minus router serial #, public WANIP info, keys etc… )

Just to ensure all the little bits are correct,
Maybe some MTU issues, so would also suggest trying this
/ip firewall mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=wireguard1 passthrough=yes protocol=tcp tcp-flags=syn

Just change wireguard interface to your wireguard interface.

OMG anav you bloody legend. That worked a treat. Thank you. I’ll have to learn what this MSS PMTU is all about.

To be frank, I don’t know really how it works, just passing on information gleaned from many posts… All I know is that MTU negotiation is complex and takes place at both ends of a connection. This particular mangle rule somehow helps in that negotiation. Perhaps some other smart (Equus) poster like MKX will pop in and provide amplifying information that is understandable. :slight_smile: