IP Route

RouterOS Beginner Basics
1

Good morning guys,

I built a Wireguard VPN between two routers.
The handshake is already exchanged.
But…
How do I get it to only route a specific IP address into the VPN tunnel?
I have already looked at a few instructions, but they all don’t really work.
My goal is to route the one specific IP address from the other location through my public IP.

If anyone has a solution I would be very grateful!

mfg

2

I would make a mangle rule to route traffic from a specific IP in to the tunnel, i used an l2tp tunnel in my example but i think the same applies for wireguard;


# jun/18/2023 13:16:30 by RouterOS 6.49.6
# software id = 
#
#
#
/interface bridge
add name=bridge_LAN
/interface l2tp-client
add connect-to=192.168.159.148 disabled=no name=l2tp-out1 password=test user=test
/ip pool
add name=dhcp_pool0 ranges=172.16.0.2-172.16.0.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge_LAN name=dhcp1
/interface bridge port
add bridge=bridge_LAN interface=ether2
add bridge=bridge_LAN interface=ether3
/ip address
add address=172.16.0.1/24 interface=bridge_LAN network=172.16.0.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server lease
add address=172.16.0.254 client-id=1:0:50:79:66:68:75 comment=VPC11 mac-address=00:50:79:66:68:75 server=dhcp1
add address=172.16.0.253 client-id=1:0:50:79:66:68:76 comment=VPC12 mac-address=00:50:79:66:68:76 server=dhcp1
/ip dhcp-server network
add address=172.16.0.0/24 gateway=172.16.0.1
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address=!172.16.0.0/24 new-routing-mark=TUNNEL src-address=172.16.0.253
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=l2tp-out1
/ip route
add distance=1 gateway=l2tp-out1 routing-mark=TUNNEL

VPC11> trace 1.1.1.1
trace to 1.1.1.1, 8 hops max, press Ctrl+C to stop
1 172.16.0.1 0.421 ms 0.370 ms 0.325 ms
2 192.168.159.2 1.018 ms 0.618 ms 0.651 ms
3 * * *

VPC12> trace 1.1.1.1
trace to 1.1.1.1, 8 hops max, press Ctrl+C to stop
1 172.16.0.1 0.716 ms 0.302 ms 0.338 ms
2 192.168.2.1 0.978 ms 0.859 ms 0.918 ms
3 192.168.159.2 1.427 ms 1.343 ms 1.246 ms
4 * * *

If you don’t want to NAT traffic in to the tunnel, you have to make sure there is a route back on the other side of the tunnel;


/ppp secret
add local-address=192.168.2.1 name=test password=test remote-address=192.168.2.4 routes=172.16.0.253/32 service=l2tp
3

Create Table.
add fib name=useWG

Create Routeadd dst-address=0.0.0.0/0 gateway=WG-Interface-Name routing-table=useWG
Create Routing Rule
add src-address=SINGLEIP action=lookup table=useWG

NOTES:

  1. If you dont want the single user EVER to be able to access LOCAL WAN, if the wireguard connection goes down then change action:
    action=lookup-only-in-table

  2. You may need the single user to be able to reach other users in the same subnet or perhaps another subnet on the router. In this case you will need routing rules before the one just made to ensure desired traffic does not go out the wireguard tunnel.

Routing Rules
add dst-address=SUBNET action=lookup-only-in-table table=MAIN
add src-address=SINGLEIP action=lookup table=useWG

This will work for both cases,
a. single IP originates traffic to subnet user/device
b. single IP is responding to (return traffic) to a subnet user/device.

++++++++++++++++++++++++++++++++++++++

Discussion: What we are doing is creating an additional table and then making a route which includes that table.
Via the Routing Rule we identify traffic that should adhere to the routing rule.
Hence any traffic ( ANY TRAFFIC ) leaving the source IP identified will go out the wireguard tunnel. Thus we have to consider all the traffic and deal with it.

This method works well for a whole subnet, or a few users.
Clearly if one has users from various subnets or a huge amount of users from a single subnet, it gets more efficient to mangle.