Implementing Selective default Route with WireGuard

Hello MikroTik Community,

I’m transitioning from a pfSense-based setup to MikroTik and I’m encountering a challenge when attempting to configure routing using WireGuard. I hope to gather insights from the community on how to approach this.

Previous Setup (pfSense):

  • Client A/Site 1: WireGuard client on a Raspberry Pi, LTE WAN (no port forwarding, LAN subnet: 192.168.10.0/24)
  • Server 1/Site 2: Cloud-hosted, with pfSense and WireGuard server. Allowed IPs for Client A: 10.200.10.7/32 and 0.0.0.0/0
  • Client B/Site 3: Connected to a local pfSense router, previously set to route traffic via Client A's WAN or the local WAN, depending on the NAT settings.

Desired Flow:

  • Client A → WAN → WG-Server
  • Client B → WG → WAN of Site 1 through Client A

or

  • Client B → WAN of Site 3

Current Setup & Challenge:

Client A/Site 1: Still retains its previous settings; however, it now connects to Site 3 with the same Allowed IPs.
Site 2 is being eliminated; Site 3 has the WG server.
Client B/Site 3: Serves as the WireGuard server on MikroTik and hosts a specific VLAN named VPN-VLAN.
I am able to ping the Site 1 LAN from Site 3 clients (the appropriate route has been added).

The challenge arises when Client B connects to the VPN-VLAN. I aim for devices within this VLAN to have the ability to either:

  • Use Site 3's WAN as their default route for internet access
  • Utilize Site 1's (Client A) WAN via WireGuard

My goal is to be able to seamlessly switch between these two internet breakout options for the VPN-VLAN. While I managed to set up similar configurations on pfSense with NAT, I’m finding it challenging on MikroTik.

Any guidance or suggestions on how to effectively set up this routing on MikroTik would be greatly appreciated. Thank you in advance for your expertise and time!

Best Regards,
Leon

There is no way to arbitrarily decide which WAN a user will go out of at any given second.
We have the tools of assigning routing rules OR mangles to 'force' users out WireGuard.
Typically, a few users or whole subnets point one towards using routing rules.
Any time one has to use a firewall address list to identify a group of users to go out WireGuard, mangling is the correct option.

The only way I can think of, off the top of my head, to have some flexibility is to assign a VLAN to a WLAN (SSID) and let folks know that if they want to go out WANX, they need to use that WLAN.
And that can be set up easily with routing rules.

Thanks for your response! So let's simplify a bit: let's say I want to route just this VLAN completely through WG, the caveat being, however, that the route goes over a WG client as described in the setup…
I could still go ahead and adjust the default route.
Should this be done with a mangle rule? Since I am not really good at it, would you be able to share the high-level design? I could then try to implement it.
Thanks!

As long as the WG client device's peer settings pointing to the server device/router state 0.0.0.0/0 for allowed IPs, that takes care of the WireGuard rules…
You need a rule in the forward chain allowing that source VLAN to go out the WireGuard interface.
No mangling required.

/routing table
add name=remote-www fib
/routing rule
add src-address=vlanSubnet action=lookup table=remote-www
/ip route
add dst-address=0.0.0.0/0 gateway=wireguardinterface routing-table=remote-www

The issue may come up if you want that VLAN to also be able to access other VLANs or a shared device on another VLAN; then you may need additional routing rule(s) earlier in the order.
Note that using action=lookup means that if the WireGuard tunnel is not available, the router will have the ability to go to the main table and go out the local WAN, so if your intent is to lock down the subnet to ONLY go out WireGuard for internet, then change the action to lookup-only-in-table.
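A fuller version of the policy-routing design from the reply above, written as an added example and not taken from this thread. It assumes the VPN-VLAN interface is named vlan-vpn with subnet 192.168.30.0/24 and the WireGuard interface is wireguard1 (both assumed names); 10.200.10.7 is Client A's tunnel address from the original post. It adds the local-subnet exception, the tunnel-down fallback, and the rule toggle used to switch breakouts.

```routeros
# Added example (not from the thread). Assumed names: VLAN interface
# "vlan-vpn" with subnet 192.168.30.0/24, WireGuard interface "wireguard1".
# 10.200.10.7 is Client A's tunnel address from the original post.
# Prerequisites outside this config: Client A's peer entry on this router
# carries allowed-address=10.200.10.7/32,0.0.0.0/0, and Client A itself
# masquerades the traffic it forwards out of its LTE WAN.

# 1. A separate FIB table for the "internet via Site 1" policy
/routing table
add name=remote-www fib

# 2. Default route in that table, next hop = Client A over the tunnel.
#    check-gateway=ping marks the route inactive when the tunnel is down,
#    so a rule using action=lookup can fall back to the main table.
/ip route
add dst-address=0.0.0.0/0 gateway=10.200.10.7 routing-table=remote-www \
    check-gateway=ping comment="VPN-VLAN default via Site 1"

# 3. Routing rules are evaluated top to bottom. Keep traffic to local
#    subnets (other VLANs, the Site 1 LAN 192.168.10.0/24) in the main
#    table first; otherwise the remote-www default route would catch it.
/routing rule
add src-address=192.168.30.0/24 dst-address=192.168.0.0/16 \
    action=lookup table=main comment="VPN-VLAN to local subnets"
add src-address=192.168.30.0/24 action=lookup table=remote-www \
    comment="VPN-VLAN internet via WG"

# 4. Let the forward chain pass VLAN -> tunnel traffic (place it before
#    any drop rule already present in chain=forward).
/ip firewall filter
add chain=forward in-interface=vlan-vpn out-interface=wireguard1 \
    action=accept comment="VPN-VLAN -> WireGuard"

# 5. Switching the breakout: disable the second rule to use Site 3's own
#    WAN, enable it again to go out via Site 1.
/routing rule
set [find comment="VPN-VLAN internet via WG"] disabled=yes
set [find comment="VPN-VLAN internet via WG"] disabled=no

# 6. Lock-down variant: with lookup-only-in-table there is no fallback to
#    the main table, so a down tunnel means no internet for the VLAN
#    rather than a silent leak out of the local WAN.
set [find comment="VPN-VLAN internet via WG"] action=lookup-only-in-table
```

The check-gateway=ping test only works if Client A answers ping on its tunnel address; if it does not, drop that parameter and the route stays active regardless of tunnel state.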