Are multiple WireGuard interfaces possible?

Hi,

Are multiple WireGuard interfaces (each with its own site-to-site peer connection) possible? I have seen examples of one interface with multiple peers, but not multiple interfaces for multiple peers. I tried it, but it seems that only one interface is running, as shown in the attached picture. Also, the IP addresses all show as invalid except for the one assigned to the running WireGuard interface, and the dynamic route is created automatically. No peers are set up at this stage.

Thanks

You can’t have all of them listen on the same port, obviously.

Yes, of course it’s possible, but one has to be careful ON THE SAME WG INTERFACE not to have overlapping peers (allowed IPs).
In such instances it actually makes sense to break out an additional WG INTERFACE.

Thanks for the tips, the unique listening port number fixes it. Cheers

Yup, covered in para (2),

https://forum.mikrotik.com/viewtopic.php?t=182340

Hi,

I’m in the same spot, trying to set up two WireGuard interfaces with Surfshark, with two different peers.
However, I can’t make it work.

You mentioned changing the listening ports, but I can’t do that, since these ports are specified by Surfshark.
Also the IP/Address: I guess I can’t specify other IPs, as they are also provided by Surfshark.

What am I missing here? See picture below:

Regards,

Hola, and hoder you beat Barca in the copa :frowning: !!

Please export config
/export file=anynameyouwish ( minus router serial number and any public WANIP information, keys etc. )

Yes you can have more than one account with a third party provider.
Reasons… you may wish to access different regions for internet.

In fact I’m Barça season ticket holder!! :slight_smile: I live 5 blocks away from Camp Nou stadium. Some players like Ferran just play sh** :-/ No worries, La Liga is still for us.
I’m changing my profile details now... sometimes I think people won’t be able to find Barcelona on a map.

See below my config details:

# apr/07/2023 18:59:33 by RouterOS 7.8
# model = RBD52G-5HacD2HnD

/interface bridge
add admin-mac=2C:C8:1B:56:65:70 auto-mac=no comment=defconf name=bridge
add comment=defconf name=bridge-guests
/interface ethernet
set [ find default-name=ether1 ] comment=WAN name=ether1-gateway
set [ find default-name=ether2 ] comment=LAN name=ether2-master-local
set [ find default-name=ether3 ] comment=LAN name=ether3-slave-local
set [ find default-name=ether4 ] comment=LAN name=ether4-slave-local
set [ find default-name=ether5 ] comment=LAN name=ether5-slave-local
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    comment=defconf country=spain disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=MikroTik_2 wireless-protocol=\
    802.11 wps-mode=disabled
set [ find default-name=wlan2 ] comment=defconf country=spain disabled=no \
    mode=ap-bridge ssid=MikroTik_5
/interface wireless nstreme
set wlan1 comment=defconf
set wlan2 comment=defconf
/interface wireguard
add listen-port=51820 mtu=1420 name=WG-Surfshark
add disabled=yes listen-port=51820 mtu=1420 name=WG-Surfshark_2
add listen-port=22134 mtu=1420 name=Wireguard-rw
/interface wireless manual-tx-power-table
set wlan1 comment=defconf
set wlan2 comment=defconf
/interface vlan
add interface=ether1-gateway name=vlan3 vlan-id=3
add interface=ether1-gateway name=vlan6 vlan-id=6
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan6 name=pppoe-out1 user=\
    adsl@telefonicanetppa
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment="Vlan2 (IPTV) & Vlan3 (VoIP)" name=Vlan2&3
add name=Surfshark
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp-lan ranges=192.168.87.163-192.168.87.254
add name=dhcp-guests ranges=192.168.77.2-192.168.77.254
add name=pool-IKEv2 ranges=192.168.67.10-192.168.67.254
add name=pool-ovpn ranges=192.168.75.10-192.168.75.20
/ip dhcp-server
add address-pool=dhcp-lan interface=bridge name=dhcp-lan
add address-pool=dhcp-guests interface=bridge-guests name=dhcp-guests
/ppp profile
add interface-list=LAN local-address=192.168.76.1 name=ovpn-profile \
    remote-address=pool-ovpn use-encryption=yes
/routing table
add disabled=no fib name=Surfshark
add disabled=yes fib name=Surfshark_2
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master-local
add bridge=bridge comment=defconf interface=ether3-slave-local
add bridge=bridge comment=defconf interface=ether4-slave-local
add bridge=bridge comment=defconf interface=ether5-slave-local
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=WAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-gateway list=WAN
add interface=pppoe-out1 list=WAN
add comment=defconf interface=vlan3 list=Vlan2&3
add interface=Wireguard-rw list=LAN
add interface=WG-Surfshark list=Surfshark
add interface=WG-Surfshark_2 list=Surfshark
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment=Madrid disabled=yes endpoint-address=\
    84.17.62.163 endpoint-port=51820 interface=WG-Surfshark \
    persistent-keepalive=30s public-key=\
    "a30vOQfjwPzjRxGNi2dvSAMdaPHEYatR84cUXKOwls="
add allowed-address=0.0.0.0/0 comment=India disabled=yes endpoint-address=\
    36.255.196.139 endpoint-port=51820 interface=WG-Surfshark \
    persistent-keepalive=30s public-key=\
    "+dmGrWPM9NI3vQkZ9E7hMRKAJYzd3YMXGq10sjbN0A="
add allowed-address=0.0.0.0/0 comment=Bordeaux endpoint-address=45.134.79.146 \
    endpoint-port=51820 interface=WG-Surfshark persistent-keepalive=30s \
    public-key="ArE5eVIEOPelzFlGK/oOcHCGnB+AAv0Un4C100COmw="
add allowed-address=0.0.0.0/0 comment="Buffalo, US" disabled=yes \
    endpoint-address=172.93.148.173 endpoint-port=51820 interface=\
    WG-Surfshark persistent-keepalive=30s public-key=\
    "156ry2sOmv+I9KYTy2jR/BLTnPT+Qn+DoCNqOon1ys="
add allowed-address=192.168.50.2/32 comment="PeerRW - OPPO" interface=\
    Wireguard-rw public-key="37DlMZM0F5YrNpK2BKDI0iBbAEqIUhcR5mTZkqOxhE="
add allowed-address=192.168.50.3/32 comment="ThinkPad - Windows" \
    interface=Wireguard-rw public-key=\
    "mvQz2cx2NO0p3xeWa11ek+R/udlpv+J/7bFS8Cm8ls="
add allowed-address=192.168.50.4/32 comment="ThinkPad - Ubuntu" \
    interface=Wireguard-rw public-key=\
    "LTDThBjfBYNlVLr+vMqfTiRthgE8ZUTGRB7asJwPfg4="
add allowed-address=0.0.0.0/0 comment="Amsterdam, NL" disabled=yes \
    endpoint-address=143.244.42.74 endpoint-port=51820 interface=\
    WG-Surfshark_2 public-key="Lxg3jAOKcBAtGBtB6vEWMFl5LUEB6AwOpuniYn1cig="
/ip address
add address=192.168.87.1/24 comment=defconf interface=bridge network=\
    192.168.87.0
add address=192.168.77.1/24 interface=bridge-guests network=192.168.77.0
add address=10.14.0.2/16 interface=WG-Surfshark network=10.14.0.0
add address=192.168.50.1/24 interface=Wireguard-rw network=192.168.50.0
add address=10.14.0.2/16 disabled=yes interface=WG-Surfshark_2 network=\
    10.14.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1-gateway use-peer-dns=no
/ip dhcp-server lease
add address=192.168.87.254 client-id=1:96:b:2b:a3:ea:3e comment=\
    "OPPO per Wi-Fi" mac-address=96:0B:2B:A3:EA:3E server=dhcp-lan
add address=192.168.87.253 client-id=1:6:bf:e2:a7:94:d6 comment=\
    "iPhone" mac-address=06:BF:E2:A7:94:D6 server=dhcp-lan
add address=192.168.87.252 client-id=1:ae:bd:f7:50:42:bb comment=\
    "iPad" mac-address=AE:BD:F7:50:42:BB server=dhcp-lan
add address=192.168.87.251 client-id=1:50:76:af:1c:1b:32 comment=\
    "iNUC per Wi-Fi" mac-address=50:76:AF:1C:1B:32 server=dhcp-lan
add address=192.168.87.250 comment=Chromecast mac-address=7C:2E:BD:19:5B:A2 \
    server=dhcp-lan
add address=192.168.87.249 client-id=1:d8:80:83:52:8f:f1 comment=\
    "Impresora Brother perWi-Fi" mac-address=D8:80:83:52:8F:F1 server=\
    dhcp-lan
add address=192.168.87.246 client-id=1:3c:f0:11:c7:f5:1a comment=\
    "Laptop via Wi-Fi" mac-address=3C:F0:11:C7:F5:1A server=\
    dhcp-lan
add address=192.168.87.245 client-id=1:4a:3c:b1:76:bf:1a comment=\
    "2nd iPhone" mac-address=4A:3C:B1:76:BF:1A server=dhcp-lan
add address=192.168.87.248 client-id=1:94:c6:91:ad:da:4a comment=\
    "Intel Nuc per Ethernet" mac-address=94:C6:91:AD:DA:4A server=dhcp-lan
add address=192.168.87.244 client-id=1:4:8d:c:3b:75:5c comment=\
    "Thinkpad via Wi-Fi - Ubuntu" mac-address=04:8D:0C:3B:75:5C \
    server=dhcp-lan
add address=192.168.87.247 client-id=1:3c:55:76:cd:a:f5 comment=\
    "ThinkPad via Wi-Fi - Windows" mac-address=3C:55:76:CD:0A:F5 \
    server=dhcp-lan
add address=192.168.87.243 client-id=1:60:a4:b7:b3:15:ad comment=\
    "miBox Android" mac-address=60:A4:B7:B3:15:AD server=dhcp-lan
add address=192.168.87.242 client-id=1:cc:1d:2:2e:95:35 comment=\
    "Orange Pi per Wifi" mac-address=CC:1D:02:2E:95:35 server=dhcp-lan
add address=192.168.87.241 client-id=1:2:0:bb:35:da:3b comment=\
    "Orange Pi per Ethernet" mac-address=02:00:BB:35:DA:3B server=dhcp-lan
/ip dhcp-server network
add address=192.168.77.0/24 gateway=192.168.77.1
add address=192.168.87.0/24 comment=defconf dns-server=\
    192.168.87.241,192.168.87.1 domain=router.lan gateway=192.168.87.1
/ip dns
set allow-remote-requests=yes use-doh-server=\
    https://cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static
add address=192.168.87.241 comment=defconf name=pi.router.lan
add address=104.16.248.249 name=cloudflare-dns.com
add address=104.16.249.249 name=cloudflare-dns.com
/ip firewall address-list
add address=192.168.87.241 disabled=yes list=Under_VPN
add address=192.168.87.247 disabled=yes list=Under_VPN
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="Allow OpenVPN" dst-port=1194 protocol=\
    tcp
add action=accept chain=input comment="Allow Wireguard - Road Warrior" \
    dst-port=22134 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Allow IPSec" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="accept vpn encrypted input traffic" \
    ipsec-policy=in,ipsec src-address=192.168.67.0/24
add action=accept chain=input comment=\
    "Allow Wireguard - Road Warrior reach LAN" disabled=yes src-address=\
    192.168.50.0/24
add action=accept chain=input comment=\
    "Accept vlan2 & 3  (IPTV & VoIP) multicast & broadcast traffic" \
    dst-address-type=!unicast in-interface-list=Vlan2&3
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment=\
    "drop communication from LAN to GUEST network" dst-address=\
    192.168.77.0/24 src-address=192.168.87.0/24
add action=drop chain=forward comment=\
    "drop communication from GUEST network to LAN" dst-address=\
    192.168.87.0/24 src-address=192.168.77.0/24
add action=drop chain=forward comment="Block Brother printer to Internet" \
    out-interface-list=WAN src-address=192.168.87.249
add action=drop chain=forward comment=\
    "Drop all new unicast traffic from vlan3 & 2 (Voip & Iptv) not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new dst-address-type=\
    unicast in-interface-list=Vlan2&3
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu out-interface=\
    WG-Surfshark passthrough=yes protocol=tcp tcp-flags=syn
add action=change-mss chain=forward disabled=yes new-mss=clamp-to-pmtu \
    out-interface-list=Surfshark passthrough=yes protocol=tcp tcp-flags=syn
add action=set-priority chain=postrouting new-priority=4 out-interface=vlan3 \
    passthrough=yes
add action=set-priority chain=postrouting new-priority=1 out-interface=\
    pppoe-out1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment=masquerade-ovpn src-address=\
    192.168.76.0/24
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface-list=Vlan2&3
add action=masquerade chain=srcnat comment=masq-surfshark out-interface=\
    WG-Surfshark
add action=masquerade chain=srcnat comment=masq-surfshark_2 disabled=yes \
    out-interface-list=Surfshark
add action=dst-nat chain=dstnat comment=piholeNAT1 dst-address=\
    !192.168.87.241 dst-port=53 in-interface=bridge protocol=udp src-address=\
    !192.168.87.241 to-addresses=192.168.87.241
add action=dst-nat chain=dstnat comment=piholeNAT2 dst-address=\
    !192.168.87.241 dst-port=53 in-interface=bridge protocol=tcp src-address=\
    !192.168.87.241 to-addresses=192.168.87.241
add action=masquerade chain=srcnat comment=piholeNAT3 dst-address=\
    192.168.87.241 dst-port=53 protocol=udp src-address=192.168.87.0/24
add action=masquerade chain=srcnat comment=piholeNAT4 dst-address=\
    192.168.87.241 dst-port=53 protocol=tcp src-address=192.168.87.0/24
add action=dst-nat chain=dstnat comment=aMule dst-port=31540 in-interface=\
    pppoe-out1 protocol=tcp to-addresses=192.168.87.241 to-ports=31540
add action=dst-nat chain=dstnat comment=aMule dst-port=31543 in-interface=\
    pppoe-out1 protocol=udp to-addresses=192.168.87.241 to-ports=31543
add action=dst-nat chain=dstnat comment=aMule dst-port=26785 in-interface=\
    pppoe-out1 protocol=udp to-addresses=192.168.87.241 to-ports=26785
add action=dst-nat chain=dstnat comment=Torrent dst-port=51413 in-interface=\
    pppoe-out1 protocol=tcp to-addresses=192.168.87.241 to-ports=51413
/ip firewall raw
add action=drop chain=prerouting comment=\
    "Rechaza direcciones IP de la Blacklist" src-address-list=blacklist
/ip firewall service-port
set ftp disabled=yes
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=WG-Surfshark \
    pref-src="" routing-table=Surfshark scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=WG-Surfshark_2 \
    pref-src="" routing-table=Surfshark_2 scope=30 suppress-hw-offload=no \
    target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb
set allow-guests=no domain=WORKGROUP interfaces=bridge
/ip smb users
add name=admin read-only=no
/ip upnp
set enabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/routing rule
add action=lookup disabled=no dst-address=192.168.50.0/24 src-address="" \
    table=main
add action=lookup-only-in-table disabled=no src-address=192.168.87.241/32 \
    table=Surfshark
add action=lookup-only-in-table disabled=yes src-address=192.168.87.247/32 \
    table=Surfshark_2
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=numanGia_hAP_AC2
/system leds settings
set all-leds-off=immediate
/system scheduler
add interval=5d name="Update blacklist" on-event=Blacklist policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=feb/27/2023 start-time=02:00:00
add interval=1d name="wlan1 ON" on-event="Turn wlan1 ON" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=mar/19/2023 start-time=09:00:00
add interval=1d name="wlan1 OFF" on-event="Turn wlan1 OFF" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=mar/19/2023 start-time=22:00:00
add interval=1m name="Pihole uptime check" on-event="Pihole bypass" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=apr/03/2023 start-time=14:36:00
/system script
add dont-require-permissions=no name=Blacklist owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="d\
    elay 15\r\
    \nip firewall address-list\r\
    \n:local update do={\r\
    \n:do {\r\
    \n:local data ([:tool fetch url=\$url output=user as-value]->\"data\")\r\
    \n:local array [find dynamic list=blacklist]\r\
    \n:foreach value in=\$array do={:set array (array,[get \$value address])}\
    \r\
    \n:while ([:len \$data]!=0) do={\r\
    \n:if ([:pick \$data 0 [:find \$data \"\\n\"]]~\"^[0-9]{1,3}\\\\.[0-9]{1,3\
    }\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\") do={\r\
    \n:local ip ([:pick \$data 0 [:find \$data \$delimiter]].\$cidr)\r\
    \n:do {add list=blacklist address=\$ip comment=\$description timeout=5d} o\
    n-error={\r\
    \n:do {set (\$array->([:find \$array \$ip]-[:len \$array]/2)) timeout=5d} \
    on-error={}\r\
    \n}\r\
    \n}\r\
    \n:set data [:pick \$data ([:find \$data \"\\n\"]+1) [:len \$data]]\r\
    \n}\r\
    \n} on-error={:log warning \"Address list <\$description> update failed\"}\
    \r\
    \n}\r\
    \n\$update url=http://feeds.dshield.org/block.txt description=DShield deli\
    miter=(\"\\t\") cidr=/24\r\
    \n\$update url=http://www.spamhaus.org/drop/drop.txt description=\"Spamhau\
    s DROP\" delimiter=(\"\\_\")\r\
    \n\$update url=http://www.spamhaus.org/drop/edrop.txt description=\"Spamha\
    us EDROP\" delimiter=(\"\\_\")\r\
    \n\$update url=https://sslbl.abuse.ch/blacklist/sslipblacklist.txt descrip\
    tion=\"Abuse.ch SSLBL\" delimiter=(\"\\r\")\r\
    \n\$update url=https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/m\
    aster/firehol_level2.netset description=\"FireHOL Level2\" delimiter=(\"\\\
    n\")\r\
    \n\$update url=https://lists.blocklist.de/lists/all.txt description=\"Bloc\
    kList.de\" delimiter=(\"\\n\")"
add comment=defconf dont-require-permissions=no name=dark-mode owner=admin \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "
add dont-require-permissions=no name="Turn wlan1 ON" owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "/interface/wireless/enable wlan1"
add dont-require-permissions=no name="Turn wlan1 OFF" owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "/interface/wireless/disable wlan1"
add dont-require-permissions=no name="Pihole bypass" owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    local piholedown [/ip firewall nat get value-name=disabled [find comment=\
    \"piholeNAT1\"]]\r\
    \n:local piholeDNS \"192.168.87.241\"\r\
    \n:local testDomain \"www.google.com\"\r\
    \n\r\
    \n\r\
    \n:if (\$piholedown = false) do={\r\
    \n    :do {\r\
    \n        :resolve \$testDomain server \$piholeDNS\r\
    \n    } on-error={\r\
    \n\t\t/ip firewall nat;\r\
    \n\t\t\tdisable [find comment=\"piholeNAT1\"];\r\
    \n\t\t\tdisable [find comment=\"piholeNAT2\"];\r\
    \n\t\t\tdisable [find comment=\"piholeNAT3\"];\r\
    \n\t\t\tdisable [find comment=\"piholeNAT4\"];\r\
    \n    \t\t}\r\
    \n} else={\r\
    \n    :do {\r\
    \n        :resolve \$testDomain server \$piholeDNS;\r\
    \n\t\t/ip firewall nat;\r\
    \n\t\t\tenable [find comment=\"piholeNAT1\"];\r\
    \n\t\t\tenable [find comment=\"piholeNAT2\"];\r\
    \n\t\t\tenable [find comment=\"piholeNAT3\"];\r\
    \n\t\t\tenable [find comment=\"piholeNAT4\"];\r\
    \n    } on-error={}\r\
    \n}"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

(1) Okay quickly looking at the config, it appears you have two accounts with third party VPN.
In addition you host WiREGUARD for remote access to your router.

(2) Lets look at WG settings - seem okay!
/interface wireguard
add listen-port=51820 mtu=1420 name=WG-Surfshark
add disabled=yes listen-port=51820 mtu=1420 name=WG-Surfshark_2
add listen-port=22134 mtu=1420 name=Wireguard-rw

(3) Lets look WG peers. PROBLEM
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment=Madrid disabled=yes endpoint-address=
84.17.62.163 endpoint-port=51820 interface=WG-Surfshark
persistent-keepalive=30s public-key=
"a30vOQfjwPzjRxGNi2dvSAMdaPHEYatR84cUXKOwls="
add allowed-address=0.0.0.0/0 comment=India disabled=yes endpoint-address=
36.255.196.139 endpoint-port=51820 interface=WG-Surfshark
persistent-keepalive=30s public-key=
"+dmGrWPM9NI3vQkZ9E7hMRKAJYzd3YMXGq10sjbN0A="
add allowed-address=0.0.0.0/0 comment=Bordeaux endpoint-address=45.134.79.146
endpoint-port=51820 interface=WG-Surfshark persistent-keepalive=30s
public-key="ArE5eVIEOPelzFlGK/oOcHCGnB+AAv0Un4C100COmw="
add allowed-address=0.0.0.0/0 comment="Buffalo, US" disabled=yes
endpoint-address=172.93.148.173 endpoint-port=51820 interface=
WG-Surfshark persistent-keepalive=30s public-key=
"156ry2sOmv+I9KYTy2jR/BLTnPT+Qn+DoCNqOon1ys="
add allowed-address=192.168.50.2/32 comment="PeerRW - OPPO" interface=
Wireguard-rw public-key="37DlMZM0F5YrNpK2BKDI0iBbAEqIUhcR5mTZkqOxhE="
add allowed-address=192.168.50.3/32 comment="ThinkPad - Windows"
interface=Wireguard-rw public-key=
"mvQz2cx2NO0p3xeWa11ek+R/udlpv+J/7bFS8Cm8ls="
add allowed-address=192.168.50.4/32 comment="ThinkPad - Ubuntu"
interface=Wireguard-rw public-key=
"LTDThBjfBYNlVLr+vMqfTiRthgE8ZUTGRB7asJwPfg4="
add allowed-address=0.0.0.0/0 comment="Amsterdam, NL" disabled=yes
endpoint-address=143.244.42.74 endpoint-port=51820 interface=
WG-Surfshark_2 public-key="Lxg3jAOKcBAtGBtB6vEWMFl5LUEB6AwOpuniYn1cig="

Okay so you have 4 outgoing connections to wireshark, 1 to wireshark2 and 3 incoming to MT wg-rw.

Now this just proves to me you have not read the link and do not understand Allowed-Addresses!!
Read, think and come back and tell me why your wireguard-surfshark will not work!!!
Hint it will only work for Madrid.

(4) Lets look at IP addresses: Problem>>>>>>
/ip address
add address=192.168.87.1/24 comment=defconf interface=bridge network=
192.168.87.0
add address=192.168.77.1/24 interface=bridge-guests network=192.168.77.0
add address=10.14.0.2/16 interface=WG-Surfshark network=10.14.0.0
add address=192.168.50.1/24 interface=Wireguard-rw network=192.168.50.0
add address=10.14.0.2/16 disabled=yes interface=WG-Surfshark_2 network=
10.14.0.0

It’s not unusual to have multiple IP addresses on an interface, but very unusual for WG.
You really should have two separate interfaces… if they have truly given you a /16
Then use…
/ip address
add address=10.14.0.2/16 interface=WG-Surfshark network=10.14.0.0
add address=10.14.1.2/16 disabled=yes interface=WG-Surfshark_2 network=
10.14.0.0

(5) The first routing rule is NOT required. A route for return traffic for remote WireGuard users exists and is created automatically by the router. You will see the route already in your IP route table:
dst-address=192.168.50.0/24 gateway=wireguard-rw routing-table=main.

(6) Other routing rules…Why are you sending out only two addresses out to third party vpn providers?? one to each?

Very confused as to the purpose of your wireguard ???

+++++++++++++++++++++++++++++++++

Other!!


(XY) Comments are wrong.
allow wireguard - road warrior should be allow remote wireguard handshake.
allow wireguard - road warrior reach lan should be allow road warrior to router services

(XZ) Why are you letting traffic from VLANs hit the ROUTER (input chain)? I don’t understand the purpose.

(ZZ) the rule above is even more redundant and strange because the last rule allows all LAN interface traffic to the router??

(AA) Horrible forward chain rules.
Just do (after the default rules)
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

What you will need is…
add action=accept chain=forward in-interface=wireguard-rw out-interface-list=LAN ( for remote rw to reach local subnet )
add action=accept chain=forward in-interface=??? out-interface=wg-surfshark
add action=accept chain=forward in-interface=??? out-interface=wg-surfshark2

All traffic is blocked unless accepted prior to the block rule.


++++++++++++++++++++++++++++++++++++++++++++++++++++++++

In summary the config is confused, the purpose of third party VPN is not clear and is causing issues.

What is the norm.

ONE WIREGUARD INTERFACE, ONE IP ADDRESS, ONE ENDPOINT.

To use another endpoint means a separate WireGuard connection, so you need
another IP address and WireGuard interface to go along with the second endpoint.

In your case suggest seeing if you can use the /16 address provided 10.14.0.2/16
wg1 10.14.0.2/24 network=10.14.0.0 Previous peer1 surfshark endpoint1
wg2 10.14.1.2/24 network=10.14.0.0 Previous peer2 surfshark endpoint2
wg3 10.14.2.2/24 network=10.14.0.0 Previous peer3 surfshark endpoint3
wg4 10.14.3.2/24 network=10.14.0.0 Previous peer4 surfshark endpoint4
wg5 10.14.4.2/24 network=10.14.0.0 Previous peer1 surfshark2 endpoint5

As previous, though, the reason why you have surfshark is not clear.

Hi anav, thanks for such detailed answer. See below my answers:


I want to have four different servers (peers) for one interface, so I can change when required. But never more than one peer at same time.
In other words, if I want to shift from the Madrid to the Netherlands VPN server, I just deactivate one peer and activate the other. Is this not correct?


I’ve tried, and both IPs work, but not at the same time. Surfshark provided me with this one: 10.14.0.2. You suggested using 10.14.1.2 for setting up a second WG interface.
Maybe Surfshark can see it?

I’ll go in deep through your comments on my Firewall rules, very interesting.

Thanks,

Ahh okay so rotating depending upon country of choice…
If they only gave you one IP address /16 I would be interested to see what happens if you try a second one.

Are you saying that surfshark2 is something different, or something you are no longer using? It suffers from the same issue, same IP address etc…

Nothing happens. IP Address table shows IP row in red color. See picture:

Using the wrong address format.

10.14.0.2/24 s1
10.14.1.2/24 s2

Correct, I was wrong. I went again through your first post. Tried again. But it’s not possible to keep address = 10.14.1.2/24 and at same time network 10.14.0.0.
Mikrotik automatically changes Network IP when clicking apply.

Not sure what you mean but MT has no say in the matter LOL
It should be entered like so…
/ip address
add address=10.14.0.2/24 interface=surfshark network=10.14.0.0
add address=10.14.1.2/24 interface=surfshark2 network=10.14.1.0

That is correct both fall under 10.14.0.0/16 so not to worry.

Hello Malabar,

I haven’t read the whole conversation, but I think your error comes from the fact that you have two WG interfaces on the same listening port (51820).

When I replicate this, I get the "Could not create IPv4 socket" message. Open your log window, disable both interfaces and enable the WG-Surfshark_2 interface first, then the other one. You should see the same message, and WG-Surfshark’s IP address will now be red.

The reason that your interfaces work alternately is that the first one to come up is OK, then the second fails because of a duplicate port being used.

Cheers,
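The three pitfalls this thread converges on (two interfaces bound to the same listen-port, several enabled peers with allowed-address=0.0.0.0/0 on one interface, and the same tunnel address on two interfaces) can all be caught by reading the export before applying it. The checker below is an added example written for this page, not code from the thread or from MikroTik: it parses the `/interface wireguard`, `/interface wireguard peers` and `/ip address` sections of a RouterOS `/export`, rejoining the backslash-wrapped lines, and reports each problem. The two embedded exports are constructed for the example; endpoint addresses are documentation addresses, the keys are placeholders, and the "fixed" export applies the advice given above: a distinct local listen-port (the endpoint-port the provider dictates is untouched), only one enabled 0.0.0.0/0 peer per interface, and 10.14.0.2/24 and 10.14.1.2/24 on the two interfaces.

```python
"""Lint a RouterOS export for the WireGuard pitfalls raised in this thread."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample modelled on the thread's export (placeholder keys,
# documentation-range endpoints): shared listen-port, two enabled
# 0.0.0.0/0 peers on WG-Surfshark, and one address on two interfaces.
SAMPLE_EXPORT = r"""
/interface wireguard
add listen-port=51820 mtu=1420 name=WG-Surfshark
add listen-port=51820 mtu=1420 name=WG-Surfshark_2
add listen-port=22134 mtu=1420 name=Wireguard-rw
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment=Madrid endpoint-address=\
    203.0.113.10 endpoint-port=51820 interface=WG-Surfshark public-key=\
    "PLACEHOLDER_KEY_1="
add allowed-address=0.0.0.0/0 comment=Bordeaux endpoint-address=203.0.113.11 \
    endpoint-port=51820 interface=WG-Surfshark public-key="PLACEHOLDER_KEY_2="
add allowed-address=192.168.50.2/32 comment=OPPO interface=Wireguard-rw \
    public-key="PLACEHOLDER_KEY_3="
add allowed-address=0.0.0.0/0 comment=Amsterdam endpoint-address=203.0.113.12 \
    endpoint-port=51820 interface=WG-Surfshark_2 public-key="PLACEHOLDER_KEY_4="
/ip address
add address=10.14.0.2/16 interface=WG-Surfshark network=10.14.0.0
add address=10.14.0.2/16 interface=WG-Surfshark_2 network=10.14.0.0
add address=192.168.50.1/24 interface=Wireguard-rw network=192.168.50.0
"""

# Same setup after applying the thread's advice (constructed).
FIXED_EXPORT = r"""
/interface wireguard
add listen-port=51820 mtu=1420 name=WG-Surfshark
add listen-port=51821 mtu=1420 name=WG-Surfshark_2
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment=Madrid endpoint-address=203.0.113.10 \
    endpoint-port=51820 interface=WG-Surfshark public-key="PLACEHOLDER_KEY_1="
add allowed-address=0.0.0.0/0 comment=Bordeaux disabled=yes \
    endpoint-address=203.0.113.11 endpoint-port=51820 interface=WG-Surfshark \
    public-key="PLACEHOLDER_KEY_2="
add allowed-address=0.0.0.0/0 comment=Amsterdam endpoint-address=203.0.113.12 \
    endpoint-port=51820 interface=WG-Surfshark_2 public-key="PLACEHOLDER_KEY_4="
/ip address
add address=10.14.0.2/24 interface=WG-Surfshark network=10.14.0.0
add address=10.14.1.2/24 interface=WG-Surfshark_2 network=10.14.1.0
"""

_KV = re.compile(r'([\w-]+)=("([^"]*)"|\S*)')  # key=value or key="quoted value"


def join_continuations(text):
    """RouterOS wraps long export lines with a trailing backslash; rejoin them."""
    lines = []
    for raw in text.splitlines():
        if lines and lines[-1].endswith("\\"):
            lines[-1] = lines[-1][:-1] + raw.strip()
        else:
            lines.append(raw.strip())
    return lines


def parse_export(text):
    """Map each '/section' header to a list of {key: value} dicts, one per 'add' line."""
    sections = defaultdict(list)
    current = None
    for line in join_continuations(text):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
        elif line.startswith("add ") and current is not None:
            sections[current].append(
                {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
                 for m in _KV.finditer(line)})
    return sections


def enabled(entry):
    return entry.get("disabled") != "yes"


def lint_wireguard(text):
    """Return human-readable findings; an empty list means none of the pitfalls is present."""
    cfg = parse_export(text)
    findings = []

    # (a) Two enabled interfaces cannot both bind one UDP listen-port; the
    #     second to come up fails with "Could not create IPv4 socket".
    by_port = defaultdict(list)
    for iface in cfg["/interface wireguard"]:
        if enabled(iface):
            by_port[iface.get("listen-port")].append(iface["name"])
    for port, names in by_port.items():
        if len(names) > 1:
            findings.append(f"listen-port {port} shared by {', '.join(names)}")

    # (b) allowed-address is WireGuard's cryptokey routing table: two enabled
    #     peers on one interface with overlapping ranges cannot both be used.
    by_iface = defaultdict(list)
    for peer in cfg["/interface wireguard peers"]:
        if enabled(peer):
            for cidr in peer.get("allowed-address", "").split(","):
                net = ipaddress.ip_network(cidr.strip(), strict=False)
                by_iface[peer["interface"]].append((peer.get("comment", "?"), net))
    for iface, entries in by_iface.items():
        for i, (a_name, a_net) in enumerate(entries):
            for b_name, b_net in entries[i + 1:]:
                if a_net.overlaps(b_net):
                    findings.append(f"{iface}: allowed-address {a_net} ({a_name}) "
                                    f"overlaps {b_net} ({b_name})")

    # (c) The same tunnel address configured on more than one enabled interface.
    by_addr = defaultdict(list)
    for entry in cfg["/ip address"]:
        if enabled(entry):
            by_addr[entry["address"]].append(entry["interface"])
    for address, ifaces in by_addr.items():
        if len(ifaces) > 1:
            findings.append(f"address {address} assigned to {', '.join(ifaces)}")
    return findings


if __name__ == "__main__":
    for finding in lint_wireguard(SAMPLE_EXPORT) or ["no findings"]:
        print(finding)
```

Run it against your own `/export file=...` output (with keys and WAN details removed, as requested above) by passing the file contents to `lint_wireguard`; the parser only looks at `add` lines under the three sections, so the rest of the export is ignored.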