Dear All,
I have 6 WAN on Mikkrotik PCC Balanced and a Wireguard tunnel connected to CHR, and I want to pass all my LAN traffic to CHR using 6 WAN.
What do I need to do?
Do I need 6 Wireguard peers?
How do all 6WANs pass all LAN traffic to CHR?
Regards
anav
March 15, 2025, 2:26pm
3
The concept proposed is a non-PCC, ECMP approach with minimal mangling required.
We will use the listening port of the interfaces we create at the CHR (the endpoint ports in the router wireguard peer settings) as an entry argument for our mangle output chain rules.
In this way, the handshake ORIGINATING from the home device, regardless of which wireguard interface it uses (six, one for each WAN/ISP), will always go to the CHR IP address, and in ECMP routes (main), the path chosen for the user will be roughly shared between all the WANs available.
Once established, the tunnels and routes will allow traffic to continue as designed.
One key point is that we use the limited address range of the wireguard interface address (/30) so that we can, instead of using the wireguard interface name, use the gateway address (IP of the other end). This allows us SIMULTANEOUSLY (using check-gateway=ping) to ensure the router knows if the interface is up or down, as well as to route traffic through the six WANs.
This is critical for effective ECMP so that the router can adjust the LAN traffic to the remaining WANs if an ISP is not available.
We mirror this approach on the CHR so it also can adjust traffic accordingly.
Another key point is that we need to ensure that if WANX goes down, any handshake-type traffic does not ever leak into the main table; hence the black hole route.
/ip address ROUTER
add address=10.243.10.10/30 interface=wg11 network=10.243.10.0
add address=10.243.20.10/30 interface=wg12 network=10.243.20.0
add address=10.243.30.10/30 interface=wg13 network=10.243.30.0
add address=10.243.40.10/30 interface=wg14 network=10.243.40.0
add address=10.243.50.10/30 interface=wg15 network=10.243.50.0
add address=10.243.60.10/30 interface=wg16 network=10.243.60.0
/ip address CHR
add address=10.243.10.9/30 interface=wireguard11 network=10.243.10.0
add address=10.243.20.9/30 interface=wireguard12 network=10.243.20.0
add address=10.243.30.9/30 interface=wireguard13 network=10.243.30.0
add address=10.243.40.9/30 interface=wireguard14 network=10.243.40.0
add address=10.243.50.9/30 interface=wireguard15 network=10.243.50.0
add address=10.243.60.9/30 interface=wireguard16 network=10.243.60.0
/ip firewall mangle ROUTER
add chain=output action=mark-routing dst-address=CHR-Public-IP dst-port=23411 protocol=udp new-routing-mark=use-WAN1 passthrough=no
add chain=output action=mark-routing dst-address=CHR-Public-IP dst-port=23412 protocol=udp new-routing-mark=use-WAN2 passthrough=no
add chain=output action=mark-routing dst-address=CHR-Public-IP dst-port=23413 protocol=udp new-routing-mark=use-WAN3 passthrough=no
add chain=output action=mark-routing dst-address=CHR-Public-IP dst-port=23414 protocol=udp new-routing-mark=use-WAN4 passthrough=no
add chain=output action=mark-routing dst-address=CHR-Public-IP dst-port=23415 protocol=udp new-routing-mark=use-WAN5 passthrough=no
add chain=output action=mark-routing dst-address=CHR-Public-IP dst-port=23416 protocol=udp new-routing-mark=use-WAN6 passthrough=no
/ip firewall nat ROUTER
add chain=srcnat action=masquerade out-interface-list=WAN comment="applies to outgoing handshake traffic only"
We need to create SIX wireguard interfaces on each device. The important part is the listening port on the six CHR interfaces.
/interface wireguard CHR
add name=wireguard11 listen-port=23411
add name=wireguard12 listen-port=23412
add name=wireguard13 listen-port=23413
add name=wireguard14 listen-port=23414
add name=wireguard15 listen-port=23415
add name=wireguard16 listen-port=23416
/interface wireguard ROUTER
add name=wg11 listen-port=26411
add name=wg12 listen-port=26412
add name=wg13 listen-port=26413
add name=wg14 listen-port=26414
add name=wg15 listen-port=26415
add name=wg16 listen-port=26416
/interface wireguard peers ROUTER (public-key placeholders: paste the key of the matching CHR interface)
add allowed-address=0.0.0.0/0 interface=wg11 endpoint-address=CHR-Public-IP endpoint-port=23411 persistent-keepalive=30s public-key="<CHR-wireguard11-public-key>"
add allowed-address=0.0.0.0/0 interface=wg12 endpoint-address=CHR-Public-IP endpoint-port=23412 persistent-keepalive=35s public-key="<CHR-wireguard12-public-key>"
add allowed-address=0.0.0.0/0 interface=wg13 endpoint-address=CHR-Public-IP endpoint-port=23413 persistent-keepalive=40s public-key="<CHR-wireguard13-public-key>"
add allowed-address=0.0.0.0/0 interface=wg14 endpoint-address=CHR-Public-IP endpoint-port=23414 persistent-keepalive=45s public-key="<CHR-wireguard14-public-key>"
add allowed-address=0.0.0.0/0 interface=wg15 endpoint-address=CHR-Public-IP endpoint-port=23415 persistent-keepalive=50s public-key="<CHR-wireguard15-public-key>"
add allowed-address=0.0.0.0/0 interface=wg16 endpoint-address=CHR-Public-IP endpoint-port=23416 persistent-keepalive=55s public-key="<CHR-wireguard16-public-key>"
/interface wireguard peers CHR (public-key placeholders: paste the key of the matching ROUTER interface)
add allowed-address=LANSubnet,10.243.10.10 interface=wireguard11 public-key="<ROUTER-wg11-public-key>"
add allowed-address=LANSubnet,10.243.20.10 interface=wireguard12 public-key="<ROUTER-wg12-public-key>"
add allowed-address=LANSubnet,10.243.30.10 interface=wireguard13 public-key="<ROUTER-wg13-public-key>"
add allowed-address=LANSubnet,10.243.40.10 interface=wireguard14 public-key="<ROUTER-wg14-public-key>"
add allowed-address=LANSubnet,10.243.50.10 interface=wireguard15 public-key="<ROUTER-wg15-public-key>"
add allowed-address=LANSubnet,10.243.60.10 interface=wireguard16 public-key="<ROUTER-wg16-public-key>"
/routing table ROUTER (the per-WAN tables referenced by the mangle marks must exist)
add fib name=use-WAN1
add fib name=use-WAN2
add fib name=use-WAN3
add fib name=use-WAN4
add fib name=use-WAN5
add fib name=use-WAN6
/ip route ROUTER
add check-gateway=ping dst-address=0.0.0.0/0 gateway=10.243.10.9 routing-table=main
add check-gateway=ping dst-address=0.0.0.0/0 gateway=10.243.20.9 routing-table=main
add check-gateway=ping dst-address=0.0.0.0/0 gateway=10.243.30.9 routing-table=main
add check-gateway=ping dst-address=0.0.0.0/0 gateway=10.243.40.9 routing-table=main
add check-gateway=ping dst-address=0.0.0.0/0 gateway=10.243.50.9 routing-table=main
add check-gateway=ping dst-address=0.0.0.0/0 gateway=10.243.60.9 routing-table=main
add blackhole dst-address=CHR-Public-IP routing-table=main
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add dst-address=CHR-Public-IP gateway=ISP1-gwy-IP routing-table=use-WAN1
add dst-address=CHR-Public-IP gateway=ISP2-gwy-IP routing-table=use-WAN2
add dst-address=CHR-Public-IP gateway=ISP3-gwy-IP routing-table=use-WAN3
add dst-address=CHR-Public-IP gateway=ISP4-gwy-IP routing-table=use-WAN4
add dst-address=CHR-Public-IP gateway=ISP5-gwy-IP routing-table=use-WAN5
add dst-address=CHR-Public-IP gateway=ISP6-gwy-IP routing-table=use-WAN6
/ip route CHR
add check-gateway=ping dst-address=LANSubnet gateway=10.243.10.10 routing-table=main
add check-gateway=ping dst-address=LANSubnet gateway=10.243.20.10 routing-table=main
add check-gateway=ping dst-address=LANSubnet gateway=10.243.30.10 routing-table=main
add check-gateway=ping dst-address=LANSubnet gateway=10.243.40.10 routing-table=main
add check-gateway=ping dst-address=LANSubnet gateway=10.243.50.10 routing-table=main
add check-gateway=ping dst-address=LANSubnet gateway=10.243.60.10 routing-table=main
add check-gateway=ping dst-address=0.0.0.0/0 gateway=chr-gateway-ip routing-table=main
Note: Consider using the CHR for any needed firewall rules for LAN traffic, as it is acting as the main router.
LAN traffic never uses the local six wans for anything.
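The property anav's black hole route protects, modelled in plain Python as an added illustration (this is not RouterOS code and not part of the post): a router-originated handshake packet is marked by the CHR listening port, looked up in the matching per-WAN table, and, when that table has no usable route because the WAN is down, falls through to main, where the host route to the CHR address must be a black hole rather than one of the six tunnel defaults. The fall-through-to-main behaviour is the RouterOS v7 semantics the design relies on; CHR_IP, the ISP gateway strings and the "WAN3 down" scenario are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

CHR_IP = "203.0.113.10"   # stands in for CHR-Public-IP (constructed, documentation range)
# CHR listening port -> WAN number, mirroring the output-chain mangle rules
WG_PORTS = {23411: 1, 23412: 2, 23413: 3, 23414: 4, 23415: 5, 23416: 6}


@dataclass
class Route:
    dst: str                 # "0.0.0.0/0" or a single host address
    gateway: Optional[str]   # None models "add blackhole"
    table: str
    active: bool = True      # False when check-gateway=ping fails or the WAN is down


def build_routes(wan_down=frozenset(), blackhole=True):
    """Router-side routes from the post; wan_down holds WAN numbers whose ISP is out."""
    routes = []
    for n in range(1, 7):
        up = n not in wan_down
        # six ECMP default routes in main via the far end of each WG /30
        routes.append(Route("0.0.0.0/0", f"10.243.{n}0.9", "main", up))
        # per-WAN table holding only the handshake route to the CHR
        routes.append(Route(CHR_IP, f"ISP{n}-gwy-IP", f"use-WAN{n}", up))
    if blackhole:
        routes.append(Route(CHR_IP, None, "main"))
    return routes


def output_mangle(pkt):
    """Output-chain mark-routing: choose the WAN table from the CHR listening port."""
    if pkt["proto"] == "udp" and pkt["dst"] == CHR_IP and pkt["dport"] in WG_PORTS:
        return f"use-WAN{WG_PORTS[pkt['dport']]}"
    return None


def lookup(routes, dst, mark=None):
    """Resolve dst: the marked table first, then main (RouterOS v7 falls through
    to main when the marked table has no usable route). Returns the sorted list
    of ECMP next hops, "blackhole", or None if nothing matches."""
    for table in ([mark] if mark else []) + ["main"]:
        cands = [r for r in routes if r.table == table and r.active
                 and r.dst in ("0.0.0.0/0", dst)]
        if not cands:
            continue
        host = [r for r in cands if r.dst != "0.0.0.0/0"]  # longest prefix wins
        chosen = host or cands
        if any(r.gateway is None for r in chosen):
            return "blackhole"
        return sorted(r.gateway for r in chosen)
    return None


def route_packet(routes, pkt, chain="output"):
    """Apply the router's mark-routing rule (output chain only), then route."""
    mark = output_mangle(pkt) if chain == "output" else None
    return lookup(routes, pkt["dst"], mark)


def handshake(port):
    """A router-originated WireGuard handshake towards one CHR listening port."""
    return {"proto": "udp", "dst": CHR_IP, "dport": port}


if __name__ == "__main__":
    healthy, wan3_down = build_routes(), build_routes(wan_down={3})
    lan_pkt = {"proto": "tcp", "dst": "198.51.100.5", "dport": 443}
    print(route_packet(healthy, handshake(23413)))    # ['ISP3-gwy-IP']
    print(route_packet(wan3_down, handshake(23413)))  # blackhole: nothing leaks
    print(route_packet(build_routes({3}, blackhole=False), handshake(23413)))  # leaks into the other tunnels
    print(route_packet(wan3_down, lan_pkt, chain="forward"))  # the five remaining tunnels
```

The third print is the failure the black hole prevents: without it, the handshake for the dead WAN would be routed into one of the surviving tunnels instead of being dropped. The last line shows check-gateway=ping doing its job for LAN traffic: the inactive tunnel route simply disappears from the ECMP set.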
Well, thank you very much.
But one little thing is confusing me. This Mikrotik is currently running PCC load balancing. How can I deploy this ECMP setting?
Shall I delete the PCC configuration and reconfigure ECMP, or shall I do PCC and ECMP together?
My current Mangle rules are as follows:
/ip firewall mangle
add action=mark-connection chain=input comment="Old PCC" connection-mark=\
no-mark connection-state=new in-interface=1_WAN1 new-connection-mark=\
wan1_conn
add action=mark-connection chain=input connection-mark=no-mark \
connection-state=new in-interface=2_WAN2 new-connection-mark=wan2_conn
add action=mark-connection chain=input connection-mark=no-mark \
connection-state=new in-interface=3_WAN3 new-connection-mark=wan3_conn
add action=mark-connection chain=input connection-mark=no-mark \
connection-state=new in-interface=4_WAN4 new-connection-mark=wan4_conn
add action=mark-connection chain=input connection-mark=no-mark \
connection-state=new in-interface=5_WAN5 new-connection-mark=wan5_conn
add action=mark-connection chain=input connection-mark=no-mark \
connection-state=new in-interface=6_WAN6 new-connection-mark=wan6_conn
add action=mark-routing chain=output connection-mark=wan1_conn \
new-routing-mark=to_wan1
add action=mark-routing chain=output connection-mark=wan2_conn \
new-routing-mark=to_wan2
add action=mark-routing chain=output connection-mark=wan3_conn \
new-routing-mark=to_wan3
add action=mark-routing chain=output connection-mark=wan4_conn \
new-routing-mark=to_wan4
add action=mark-routing chain=output connection-mark=wan5_conn \
new-routing-mark=to_wan5
add action=mark-routing chain=output connection-mark=wan6_conn \
new-routing-mark=to_wan6
add action=accept chain=prerouting in-interface=1_WAN1
add action=accept chain=prerouting in-interface=2_WAN2
add action=accept chain=prerouting in-interface=3_WAN3
add action=accept chain=prerouting in-interface=4_WAN4
add action=accept chain=prerouting in-interface=5_WAN5
add action=accept chain=prerouting in-interface=6_WAN6
add action=mark-connection chain=prerouting connection-mark=no-mark \
connection-state=new dst-address-type=!local new-connection-mark=\
wan1_conn per-connection-classifier=src-address-and-port:6/0 src-address=\
172.30.30.10-172.30.30.250
add action=mark-connection chain=prerouting connection-mark=no-mark \
connection-state=new dst-address-type=!local new-connection-mark=\
wan2_conn per-connection-classifier=src-address-and-port:6/1 src-address=\
172.30.30.10-172.30.30.250
add action=mark-connection chain=prerouting connection-mark=no-mark \
connection-state=new dst-address-type=!local new-connection-mark=\
wan3_conn per-connection-classifier=src-address-and-port:6/2 src-address=\
172.30.30.10-172.30.30.250
add action=mark-connection chain=prerouting connection-mark=no-mark \
connection-state=new dst-address-type=!local new-connection-mark=\
wan4_conn per-connection-classifier=src-address-and-port:6/3 src-address=\
172.30.30.10-172.30.30.250
add action=mark-connection chain=prerouting connection-mark=no-mark \
connection-state=new dst-address-type=!local new-connection-mark=\
wan5_conn per-connection-classifier=src-address-and-port:6/4 src-address=\
172.30.30.10-172.30.30.250
add action=mark-connection chain=prerouting connection-mark=no-mark \
connection-state=new dst-address-type=!local new-connection-mark=\
wan6_conn per-connection-classifier=src-address-and-port:6/5 src-address=\
172.30.30.10-172.30.30.250
add action=mark-routing chain=prerouting connection-mark=wan1_conn \
new-routing-mark=to_wan1 passthrough=no src-address=\
172.30.30.10-172.30.30.250
add action=mark-routing chain=prerouting connection-mark=wan2_conn \
new-routing-mark=to_wan2 passthrough=no src-address=\
172.30.30.10-172.30.30.250
add action=mark-routing chain=prerouting connection-mark=wan3_conn \
new-routing-mark=to_wan3 passthrough=no src-address=\
172.30.30.10-172.30.30.250
add action=mark-routing chain=prerouting connection-mark=wan4_conn \
new-routing-mark=to_wan4 passthrough=no src-address=\
172.30.30.10-172.30.30.250
add action=mark-routing chain=prerouting connection-mark=wan5_conn \
new-routing-mark=to_wan5 passthrough=no src-address=\
172.30.30.10-172.30.30.250
add action=mark-routing chain=prerouting connection-mark=wan6_conn \
new-routing-mark=to_wan6 passthrough=no src-address=\
172.30.30.10-172.30.30.250
Thanks
sindy
March 16, 2025, 12:30pm
5
When you wrote you wanted to pass all the LAN traffic to the CHR, it seemed that you didn’t want to use the local WANs for anything else but for the Wireguard tunnels. Hence @anav suggested how you can create a WG tunnel via each WAN and use those WG tunnels instead of the actual WANs for all the LAN traffic. If that’s indeed what you wanted, disable/remove the PCC rules that send the LAN traffic directly via the WANs; if that’s not what you wanted, well, then describe more precisely what you actually want.
anav
March 16, 2025, 2:27pm
7
Not sure what you mean?
The LAN user will only go over the wireguard to the CHR, so there is no other alternative.
Yes, expect a reduction of speed through wireguard to the CHR.
First, consider that the throughput of each WAN will limit the speed of any session using that WAN.
Consider the limit on the CHR itself: did you get a 1 gig connection or 2 gig, a shared server or a dedicated server, etc.?
Thirdly, wireguard in my experience will cut your throughput by at least 1/2, so if you have a one gig connection expect 500Mbps or less throughput.
(This last point may vary widely and depends on many factors.)
Got it.
One thing more. I want the SIX wireguard interfaces to remain connected all the time,
and stick a few LAN users to use the CHR and the rest of the users to use the local WAN.
How can it be done?
Will it do with ECMP or by PCC?
anav
March 16, 2025, 3:06pm
9
That's changing the requirements, which nobody wants to deal with → it's called scope creep.
The onus is on you to be honest and state the full requirements PRIOR to designing a config. Do better next time!!
So before answering, will request much better detail on any other requirements percolating…
how many users for example?
which wan will they use?
It may very well turn out ECMP is no longer viable, and in that case yes you will have to go back to PCC and that you should be able to handle on your own.
sindy
March 16, 2025, 4:05pm
10
The advantage of ECMP as compared to PCC is simplicity of configuration; the advantage of PCC as compared to ECMP is the possibility to control the distribution more precisely.
As for your updated requirements - you can think about the WG tunnels as about yet another set of WANs. So one group of LAN clients will use the “normal WANs” (and you can keep your PCC rules in place for them) whereas another, “special”, group of LAN clients will use the “WG WANs”, and since all those tunnels end up at the same CHR, there is no point in fine-tuning the distribution of the traffic among them, so ECMP is sufficient and you can benefit from the simplicity. The only additional complexity is that, since the first group of clients needs to continue working the same way it works now, you cannot put those routes via WG into routing table main, so you must create a separate table for them, like via-WG, and use additional mangle rules to make sure that the LAN clients from the “special” group will use that table instead of main.
anav
March 16, 2025, 5:09pm
11
Based on Sindy's advice, this may do the trick…
TO ADDRESS ADDITIONAL REQUIREMENT OF SOME USERS USING LOCAL WANS.
The key to ensuring ECMP works is for the routes in question to all be in the same table with the same distance.
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related connection-mark=no-mark
/ip firewall address-list
add address=localsubnetIP-1 list=STAYLOCAL
add address=localsubnetIP-2 list=STAYLOCAL
add address=localsubnetIP-N list=STAYLOCAL
/routing table
add fib name=LOCAL-WAN
/ip route REGULAR WAN ECMP.
add check-gateway=ping dst-address=0.0.0.0/0 gateway=ISP1-gwy-IP routing-table=LOCAL-WAN
add check-gateway=ping dst-address=0.0.0.0/0 gateway=ISP2-gwy-IP routing-table=LOCAL-WAN
add check-gateway=ping dst-address=0.0.0.0/0 gateway=ISP3-gwy-IP routing-table=LOCAL-WAN
add check-gateway=ping dst-address=0.0.0.0/0 gateway=ISP4-gwy-IP routing-table=LOCAL-WAN
add check-gateway=ping dst-address=0.0.0.0/0 gateway=ISP5-gwy-IP routing-table=LOCAL-WAN
add check-gateway=ping dst-address=0.0.0.0/0 gateway=ISP6-gwy-IP routing-table=LOCAL-WAN
/ip firewall mangle
add action=accept chain=prerouting src-address=LOCALSUBNET dst-address=LOCALSUBNET
add action=mark-connection chain=prerouting connection-mark=no-mark connection-state=new src-address-list=STAYLOCAL dst-address-type=!local new-connection-mark=no-wireguard passthrough=yes comment="prerouting, not forward, so the first packet of the connection is routed too"
add action=mark-routing chain=prerouting connection-mark=no-wireguard new-routing-mark=LOCAL-WAN passthrough=no
Additional note for CHR Traffic.
To ensure stable connectivity with all types of internet sites (banking etc.)
Suggest changing the default L3 hash on ECMP to L4.
This can only be done by CLI command:
/ip/settings/set ipv4-multipath-hash-policy=l4
I have set up these rules
/ip address ROUTER
add address=10.243.10.10/30 interface=wg11 network=10.243.10.0
add address=10.243.20.10/30 interface=wg12 network=10.243.20.0
add address=10.243.30.10/30 interface=wg13 network=10.243.30.0
add address=10.243.40.10/30 interface=wg14 network=10.243.40.0
add address=10.243.50.10/30 interface=wg15 network=10.243.50.0
add address=10.243.60.10/30 interface=wg16 network=10.243.60.0
/ip address CHR
add address=10.243.10.9/30 interface=wireguard11 network=10.243.10.0
add address=10.243.20.9/30 interface=wireguard12 network=10.243.20.0
add address=10.243.30.9/30 interface=wireguard13 network=10.243.30.0
add address=10.243.40.9/30 interface=wireguard14 network=10.243.40.0
add address=10.243.50.9/30 interface=wireguard15 network=10.243.50.0
add address=10.243.60.9/30 interface=wireguard16 network=10.243.60.0
/ip firewall mangle ROUTER
add chain=output action=mark-routing dst-address=CHR-Public-IP dst-port=23411 protocol=udp new-routing-mark=use-WAN1 passthrough=no
add chain=output action=mark-routing dst-address=CHR-Public-IP dst-port=23412 protocol=udp new-routing-mark=use-WAN2 passthrough=no
add chain=output action=mark-routing dst-address=CHR-Public-IP dst-port=23413 protocol=udp new-routing-mark=use-WAN3 passthrough=no
add chain=output action=mark-routing dst-address=CHR-Public-IP dst-port=23414 protocol=udp new-routing-mark=use-WAN4 passthrough=no
add chain=output action=mark-routing dst-address=CHR-Public-IP dst-port=23415 protocol=udp new-routing-mark=use-WAN5 passthrough=no
add chain=output action=mark-routing dst-address=CHR-Public-IP dst-port=23416 protocol=udp new-routing-mark=use-WAN6 passthrough=no
/ip firewall nat ROUTER
add chain=srcnat action=masquerade out-interface-list=WAN comment="applies to outgoing handshake traffic only"
We need to create SIX wireguard interfaces on each device. The important part is the listening port on the six CHR interfaces.
/interface wireguard CHR
add name=wireguard11 listen-port=23411
add name=wireguard12 listen-port=23412
add name=wireguard13 listen-port=23413
add name=wireguard14 listen-port=23414
add name=wireguard15 listen-port=23415
add name=wireguard16 listen-port=23416
/interface wireguard ROUTER
add name=wg11 listen-port=26411
add name=wg12 listen-port=26412
add name=wg13 listen-port=26413
add name=wg14 listen-port=26414
add name=wg15 listen-port=26415
add name=wg16 listen-port=26416
/interface wireguard peers ROUTER (public-key placeholders: paste the key of the matching CHR interface)
add allowed-address=0.0.0.0/0 interface=wg11 endpoint-address=CHR-Public-IP endpoint-port=23411 persistent-keepalive=30s public-key="<CHR-wireguard11-public-key>"
add allowed-address=0.0.0.0/0 interface=wg12 endpoint-address=CHR-Public-IP endpoint-port=23412 persistent-keepalive=35s public-key="<CHR-wireguard12-public-key>"
add allowed-address=0.0.0.0/0 interface=wg13 endpoint-address=CHR-Public-IP endpoint-port=23413 persistent-keepalive=40s public-key="<CHR-wireguard13-public-key>"
add allowed-address=0.0.0.0/0 interface=wg14 endpoint-address=CHR-Public-IP endpoint-port=23414 persistent-keepalive=45s public-key="<CHR-wireguard14-public-key>"
add allowed-address=0.0.0.0/0 interface=wg15 endpoint-address=CHR-Public-IP endpoint-port=23415 persistent-keepalive=50s public-key="<CHR-wireguard15-public-key>"
add allowed-address=0.0.0.0/0 interface=wg16 endpoint-address=CHR-Public-IP endpoint-port=23416 persistent-keepalive=55s public-key="<CHR-wireguard16-public-key>"
/interface wireguard peers CHR (public-key placeholders: paste the key of the matching ROUTER interface)
add allowed-address=LANSubnet,10.243.10.10 interface=wireguard11 public-key="<ROUTER-wg11-public-key>"
add allowed-address=LANSubnet,10.243.20.10 interface=wireguard12 public-key="<ROUTER-wg12-public-key>"
add allowed-address=LANSubnet,10.243.30.10 interface=wireguard13 public-key="<ROUTER-wg13-public-key>"
add allowed-address=LANSubnet,10.243.40.10 interface=wireguard14 public-key="<ROUTER-wg14-public-key>"
add allowed-address=LANSubnet,10.243.50.10 interface=wireguard15 public-key="<ROUTER-wg15-public-key>"
add allowed-address=LANSubnet,10.243.60.10 interface=wireguard16 public-key="<ROUTER-wg16-public-key>"
What do I need to do further so I can route a few LAN users to the CHR WireGuard? But I want PCC to keep working for my local WAN balance.
A few users use the local WAN and a few use the CHR WG-WAN.
What rule do I need? I don’t want to delete PCC.
anav
March 26, 2025, 3:19pm
13
Sorry, cannot help you. I have provided enough information to give you a load balance of ALL users going to the CHR and a load balance of any users not going through the CHR.
Not my problem you are fixated on PCC, when it's not required and far more complex.
Additional note for CHR Traffic.
To ensure stable connectivity with all types of internet sites (banking etc.)
Suggest changing the default L3 hash on ECMP to L4.
This can only be done by CLI command:
/ip/settings/set ipv4-multipath-hash-policy=l4
guide me about this please
anav
March 26, 2025, 8:54pm
15
It should work with the settings I provided via CLI at the end of the post.
Additional note for CHR Traffic.
To ensure stable connectivity with all types of internet sites (banking etc.)
Suggest trying the default L3 hash on ECMP first, as that should provide optimal results.
If that doesn't work you can try the L4 setting. This can only be done by CLI command:
/ip/settings/set ipv4-multipath-hash-policy=l4
L3 → srcIPv4, dstIPv4
L4 → srcIPv4, dstIPv4, srcPort, dstPort, IP protocol
You can test yourself.
Take a router with two wans, setup up ECMP and attempt banking … with both Hash methods.
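Why the hash inputs decide whether a site sees one stable path or many, as an added Python simulation (not RouterOS code and not from anav's post). RouterOS does not document its multipath hash function, so a generic keyed digest stands in for it; only the inputs follow the post's L3 (srcIPv4, dstIPv4) and L4 (srcIPv4, dstIPv4, srcPort, dstPort, protocol) lists. The six next hops, the client addresses and the flows are constructed.

```python
import hashlib
from collections import Counter

# the six WG next hops from the post; any six local-WAN gateways would behave the same
GATEWAYS = [f"10.243.{n}0.9" for n in range(1, 7)]


def ecmp_pick(fields, gateways=GATEWAYS):
    """Deterministic path choice: hash the selected header fields, take modulo N.
    blake2b is a stand-in for the (undocumented) RouterOS hash; only determinism
    and even spread matter for the argument."""
    digest = hashlib.blake2b(repr(fields).encode(), digest_size=8).digest()
    return gateways[int.from_bytes(digest, "big") % len(gateways)]


def l3_key(flow):
    """ipv4-multipath-hash-policy=l3: source and destination address only."""
    return (flow["src"], flow["dst"])


def l4_key(flow):
    """ipv4-multipath-hash-policy=l4: addresses plus ports and protocol."""
    return (flow["src"], flow["dst"], flow["sport"], flow["dport"], flow["proto"])


def paths_used(flows, key_fn, gateways=GATEWAYS):
    """Map (client, server) -> set of next hops its connections were spread over.
    With per-WAN public IPs, one set entry means the server sees one source IP."""
    seen = {}
    for f in flows:
        seen.setdefault((f["src"], f["dst"]), set()).add(ecmp_pick(key_fn(f), gateways))
    return seen


def spread(flows, key_fn, gateways=GATEWAYS):
    """Load view: how many flows land on each next hop."""
    return Counter(ecmp_pick(key_fn(f), gateways) for f in flows)


def session_flows(client="172.30.30.25", server="198.51.100.80", n=40):
    # constructed: one browser session opening n TCP connections to one site
    return [{"src": client, "dst": server, "sport": 49152 + i, "dport": 443, "proto": 6}
            for i in range(n)]


def many_clients_flows(server="198.51.100.80", n=60):
    # constructed: n different LAN clients each opening one connection to the same site
    return [{"src": f"172.30.30.{10 + i}", "dst": server, "sport": 50000, "dport": 443, "proto": 6}
            for i in range(n)]


if __name__ == "__main__":
    one = session_flows()
    print("L3, one client:", paths_used(one, l3_key))   # a single next hop
    print("L4, one client:", paths_used(one, l4_key))   # several next hops
    print("L3, many clients:", spread(many_clients_flows(), l3_key))  # still balanced
```

With L3 every connection of one client to one site hashes identically, so a login session keeps one egress (and, on local WANs, one public address); L4 spreads that session over the paths, which is what upsets sites that tie a session to a source IP. Across many clients L3 still balances load, because the source address differs per client.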
Hello Sir,
I have tried, but it didn’t pass the traffic over the six WG interfaces:
Router
/ip address
add address=10.243.10.10/30 comment=wireguard-client interface=\
wireguard10-client network=10.243.10.8
add address=10.243.20.10/30 comment=wireguard-client interface=\
wireguard20-client network=10.243.20.8
add address=10.243.30.10/30 comment=wireguard-client interface=\
wireguard30-client network=10.243.30.8
add address=10.243.40.10/30 comment=wireguard-client interface=\
wireguard40-client network=10.243.40.8
add address=10.243.50.10/30 comment=wireguard-client interface=\
wireguard50-client network=10.243.50.8
add address=10.243.60.10/30 comment=wireguard-client interface=\
wireguard60-client network=10.243.60.8
/ip route
add check-gateway=ping comment=WG disabled=no distance=1 dst-address=\
0.0.0.0/0 gateway=10.243.10.9 routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add check-gateway=ping comment=WG disabled=no distance=1 dst-address=\
0.0.0.0/0 gateway=10.243.20.9 routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add check-gateway=ping comment=WG disabled=no distance=1 dst-address=\
0.0.0.0/0 gateway=10.243.30.9 routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add check-gateway=ping comment=WG disabled=no distance=1 dst-address=\
0.0.0.0/0 gateway=10.243.40.9 routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add check-gateway=ping comment=WG disabled=no distance=1 dst-address=\
0.0.0.0/0 gateway=10.243.50.9 routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add check-gateway=ping comment=WG disabled=no distance=1 dst-address=\
0.0.0.0/0 gateway=10.243.60.9 routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add blackhole comment=WG disabled=no distance=1 dst-address=\
134.122.100.126/32 gateway="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add comment=WG-CHR disabled=no distance=1 dst-address=134.122.100.126/32 \
gateway=1_WAN1 routing-table=use-WAN1 scope=30 suppress-hw-offload=no \
target-scope=10
add comment=WG-CHR disabled=no distance=1 dst-address=134.122.100.126/32 \
gateway=2_WAN2 routing-table=use-WAN2 scope=30 suppress-hw-offload=no \
target-scope=10
add comment=WG-CHR disabled=no distance=1 dst-address=134.122.100.126/32 \
gateway=3_WAN3 routing-table=use-WAN3 scope=30 suppress-hw-offload=no \
target-scope=10
add comment=WG-CHR disabled=no distance=1 dst-address=134.122.100.126/32 \
gateway=4_WAN4 routing-table=use-WAN4 scope=30 suppress-hw-offload=no \
target-scope=10
add comment=WG-CHR disabled=no distance=1 dst-address=134.122.100.126/32 \
gateway=5_WAN5 routing-table=use-WAN5 scope=30 suppress-hw-offload=no \
target-scope=10
add comment=WG-CHR disabled=no distance=1 dst-address=134.122.100.126/32 \
gateway=6_WAN6 routing-table=use-WAN6 scope=30 suppress-hw-offload=no \
target-scope=10
/ip firewall mangle
add action=mark-routing chain=output comment=wireguard dst-address=\
134.122.100.126 dst-port=23411 new-routing-mark=use-WAN1 passthrough=no \
protocol=udp
add action=mark-routing chain=output dst-address=134.122.100.126 dst-port=\
23412 new-routing-mark=use-WAN2 passthrough=no protocol=udp
add action=mark-routing chain=output dst-address=134.122.100.126 dst-port=\
23413 new-routing-mark=use-WAN3 passthrough=no protocol=udp
add action=mark-routing chain=output dst-address=134.122.100.126 dst-port=\
23414 new-routing-mark=use-WAN4 passthrough=no protocol=udp
add action=mark-routing chain=output dst-address=134.122.100.126 dst-port=\
23416 new-routing-mark=use-WAN6 passthrough=no protocol=udp
add action=mark-routing chain=output dst-address=134.122.100.126 dst-port=\
23415 new-routing-mark=use-WAN5 passthrough=no protocol=udp
/interface wireguard
add listen-port=23411 mtu=1420 name=wireguard10-client
add listen-port=23412 mtu=1420 name=wireguard20-client
add listen-port=23413 mtu=1420 name=wireguard30-client
add listen-port=23414 mtu=1420 name=wireguard40-client
add listen-port=23415 mtu=1420 name=wireguard50-client
add listen-port=23416 mtu=1420 name=wireguard60-client
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=134.122.100.126 endpoint-port=\
23411 interface=wireguard10-client name=wireguard10-chr \
persistent-keepalive=25s public-key=\
"GtoC5c5JeSa8DEZ0iZEVz7z5FbcMsU382A="
add allowed-address=0.0.0.0/0 endpoint-address=134.122.100.126 endpoint-port=\
23412 interface=wireguard20-client name=wireguard20-chr \
persistent-keepalive=30s public-key=\
"8rjVxmjWx4ylsxBlSkr3jGfuR7XxP5dBFeyY="
add allowed-address=0.0.0.0/0 endpoint-address=134.122.100.126 endpoint-port=\
23413 interface=wireguard30-client name=wireguard30-chr \
persistent-keepalive=35s public-key=\
"vOpoR36OQuIZHZmmmn+6bZdXrRXJBAgL4Hcr+W0="
add allowed-address=0.0.0.0/0 endpoint-address=134.122.100.126 endpoint-port=\
23414 interface=wireguard40-client name=wireguard40-chr \
persistent-keepalive=40s public-key=\
"zZXcMwC8YKgvdUUjrgiNcgxTV9oU2jBpds/2Y="
add allowed-address=0.0.0.0/0 endpoint-address=134.122.100.126 endpoint-port=\
23415 interface=wireguard50-client name=wireguard50-chr \
persistent-keepalive=45s public-key=\
"rxxWp9us/Kd6vwgNsLQVHGIIkWsAiAzfNi0="
add allowed-address=0.0.0.0/0 endpoint-address=134.122.100.126 endpoint-port=\
23416 interface=wireguard60-client name=wireguard60-chr \
persistent-keepalive=50s public-key=\
"53uIdijve5hhZgi1TdNkbeBGZJ4SxJz5j1U="
CHR
/ip address
add address=10.243.10.9/30 interface=wireguard10-chr network=10.243.10.8
add address=10.243.20.9/30 interface=wireguard20-chr network=10.243.20.8
add address=10.243.30.9/30 interface=wireguard30-chr network=10.243.30.8
add address=10.243.40.9/30 interface=wireguard40-chr network=10.243.40.8
add address=10.243.50.9/30 interface=wireguard50-chr network=10.243.50.8
add address=10.243.60.9/30 interface=wireguard60-chr network=10.243.60.8
/ip route
add check-gateway=ping comment=WG10 disabled=no distance=1 dst-address=\
172.30.30.0/24 gateway=10.243.10.10 routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add check-gateway=ping comment=WG20 disabled=no distance=1 dst-address=\
172.30.30.0/24 gateway=10.243.20.10 routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add check-gateway=ping comment=WG30 disabled=no distance=1 dst-address=\
172.30.30.0/24 gateway=10.243.30.10 routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add check-gateway=ping comment=WG40 disabled=no distance=1 dst-address=\
172.30.30.0/24 gateway=10.243.40.10 routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add check-gateway=ping comment=WG50 disabled=no distance=1 dst-address=\
172.30.30.0/24 gateway=10.243.50.10 routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add check-gateway=ping comment=WG60 disabled=no distance=1 dst-address=\
172.30.30.0/24 gateway=10.243.60.10 routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard-server
add listen-port=23411 mtu=1420 name=wireguard10-chr
add listen-port=23412 mtu=1420 name=wireguard20-chr
add listen-port=23413 mtu=1420 name=wireguard30-chr
add listen-port=23414 mtu=1420 name=wireguard40-chr
add listen-port=23415 mtu=1420 name=wireguard50-chr
add listen-port=23416 mtu=1420 name=wireguard60-chr
/interface wireguard peers
add allowed-address=0.0.0.0/0 interface=wireguard10-chr name=\
wireguard10-client public-key=\
"1K5Q2xfjlocXFNZfkTGFEHp6gvq8IOfAV9SOHQ="
add allowed-address=0.0.0.0/0 interface=wireguard20-chr name=\
wireguard20-client public-key=\
"TgZJNLm9CF7U/fSalOQOPL5koMZ6jCheEStOGI="
add allowed-address=0.0.0.0/0 interface=wireguard30-chr name=\
wireguard30-client public-key=\
"5MYs/2FaZc456uPtStyNjeC+p9ydi6RWO9kRggo="
add allowed-address=0.0.0.0/0 interface=wireguard40-chr name=\
wireguard40-client public-key=\
"SG3+jX2iwulUvQMXmSghaOf3azaSNYyxq8thXSs="
add allowed-address=0.0.0.0/0 interface=wireguard50-chr name=\
wireguard50-client public-key=\
"fIPcPB+H+B1dF7ZwcGvPoL1QRid0yD/STI1BC8="
add allowed-address=0.0.0.0/0 interface=wireguard60-chr name=\
wireguard60-client public-key=\
"6hmUfw1UKvcIC3Q3YC+x1fcpOzmTozYopmI="
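The config above relies on three things lining up per WAN: the peer's endpoint-port, an output mangle rule that marks UDP to that port into the use-WANx table, and a route in that table to the CHR address. If one of them is missing, the handshake for that tunnel silently follows the main table instead of its own WAN. The script below is an added example (not from the post or from RouterOS) that parses an export with its backslash continuation lines and reports any peer whose port, mark or route chain is broken. The embedded export is constructed, with 192.0.2.1 as a placeholder CHR address and WAN3 deliberately left without a mangle rule.

```python
"""Cross-check a RouterOS export for the per-WAN WireGuard design:
peer endpoint-port -> output mangle rule -> routing table -> route to CHR.
Added example; the export below is constructed (192.0.2.1 is a TEST-NET
placeholder for the CHR address, keys are dummies)."""
import shlex

# Constructed export: three WANs, WAN3 is missing its mangle rule on purpose.
SAMPLE_EXPORT = r"""
/ip route
add comment=WG-CHR dst-address=192.0.2.1/32 gateway=1_WAN1 routing-table=use-WAN1
add comment=WG-CHR dst-address=192.0.2.1/32 gateway=2_WAN2 routing-table=use-WAN2
add comment=WG-CHR dst-address=192.0.2.1/32 gateway=3_WAN3 routing-table=use-WAN3
/ip firewall mangle
add action=mark-routing chain=output dst-address=192.0.2.1 dst-port=\
    23411 new-routing-mark=use-WAN1 passthrough=no protocol=udp
add action=mark-routing chain=output dst-address=192.0.2.1 dst-port=\
    23412 new-routing-mark=use-WAN2 passthrough=no protocol=udp
/interface wireguard
add listen-port=23411 mtu=1420 name=wireguard10-client
add listen-port=23412 mtu=1420 name=wireguard20-client
add listen-port=23413 mtu=1420 name=wireguard30-client
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=192.0.2.1 endpoint-port=\
    23411 interface=wireguard10-client name=wireguard10-chr public-key=\
    "constructedkey1="
add allowed-address=0.0.0.0/0 endpoint-address=192.0.2.1 endpoint-port=\
    23412 interface=wireguard20-client name=wireguard20-chr public-key=\
    "constructedkey2="
add allowed-address=0.0.0.0/0 endpoint-address=192.0.2.1 endpoint-port=\
    23413 interface=wireguard30-client name=wireguard30-chr public-key=\
    "constructedkey3="
"""


def parse_export(text):
    """Return [(section, {key: value}), ...] for every 'add' line.
    Joins RouterOS continuation lines (trailing backslash) first."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("\\"):          # continued on the next line
            buf += line[:-1]
            continue
        logical.append(buf + line)
        buf = ""
    entries, section = [], None
    for line in logical:
        if line.startswith("/"):
            section = line
        elif line.startswith("add ") and section:
            kv = {}
            for tok in shlex.split(line[4:]):   # shlex strips the quotes
                key, _, val = tok.partition("=")
                kv[key] = val
            entries.append((section, kv))
    return entries


def check_wan_binding(text):
    """Return a list of human-readable findings; empty means consistent."""
    entries = parse_export(text)
    peers = [kv for s, kv in entries
             if s == "/interface wireguard peers" and "endpoint-port" in kv]
    # dst-port -> mangle rule, only output-chain mark-routing rules count
    mangle = {kv["dst-port"]: kv for s, kv in entries
              if s == "/ip firewall mangle" and kv.get("chain") == "output"
              and kv.get("action") == "mark-routing" and "dst-port" in kv}
    # routing-table -> route (non-main tables only)
    routes = {kv["routing-table"]: kv for s, kv in entries
              if s == "/ip route" and kv.get("routing-table", "main") != "main"}
    findings = []
    for p in peers:
        port, chr_ip, iface = p["endpoint-port"], p["endpoint-address"], p["interface"]
        rule = mangle.get(port)
        if rule is None:
            findings.append(f"{iface}: handshake to udp/{port} has no output "
                            "mangle rule, so it would follow the main table")
            continue
        if rule.get("dst-address") != chr_ip:
            findings.append(f"{iface}: mangle rule for udp/{port} matches "
                            f"{rule.get('dst-address')} not {chr_ip}")
        mark = rule.get("new-routing-mark")
        route = routes.get(mark)
        if route is None:
            findings.append(f"{iface}: routing mark {mark} has no route")
        elif route.get("dst-address") != f"{chr_ip}/32":
            findings.append(f"{iface}: table {mark} routes "
                            f"{route.get('dst-address')} not {chr_ip}/32")
    return findings


if __name__ == "__main__":
    for finding in check_wan_binding(SAMPLE_EXPORT) or ["no findings"]:
        print(finding)
```

Run it against a real `/export` (after removing keys and public addresses, as asked for later in the thread) and every WAN should come back clean; a finding for one interface is the tunnel whose handshake would leak into the main table when that WAN is the one being probed.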
anav
March 28, 2025, 1:04pm
17
If you don't post the complete config I don't bother looking.
/export file=anynameyouwish ( minus router serial number, any public WANIP information, vpn keys, long dhcp lease lists )