Issues about wireguard connectivity on RouterOS with multiple WAN ports

Hello everyone, I have a problem with WireGuard connectivity on RouterOS with multiple WAN ports and would appreciate help!

I have two different ISP accounts used as uplinks; both get a public IP after PPPoE dial-up, and I use RouterOS as a router with a 192.168.124.0/23 subnet.
When both ISP accounts are online at the same time, I can only connect to the WireGuard on RouterOS through the IP assigned by one of the ISPs; when I access it through the other ISP's IP, the client reports a handshake failure. Client logs are below.

2023-11-23 22:08:37.841 [NET] peer(H1WC…Xrzs) - Sending handshake initiation
2023-11-23 22:08:42.848 [NET] peer(H1WC…Xrzs) - Sending handshake initiation
2023-11-23 22:08:48.052 [NET] peer(H1WC…Xrzs) - Handshake did not complete after 5 seconds, retrying (try 2)
2023-11-23 22:08:48.054 [NET] peer(H1WC…Xrzs) - Sending handshake initiation
2023-11-23 22:08:53.157 [NET] peer(H1WC…Xrzs) - Handshake did not complete after 5 seconds, retrying (try 3)
2023-11-23 22:08:53.158 [NET] peer(H1WC…Xrzs) - Sending handshake initiation
2023-11-23 22:08:58.394 [NET] peer(H1WC…Xrzs) - Handshake did not complete after 5 seconds, retrying (try 4)

But when only one ISP account is online, I can successfully connect to RouterOS via its IP.

I've tried reducing the MTU value of WireGuard, and marking WireGuard traffic according to the ISP it comes from and setting up routing table rules; none of it works.

Here is my configuration for pppoe-client, interfaces and dhcp-server.

/interface pppoe-client
add add-default-route=yes disabled=no interface=eth1 name=pppoe_ha-ct password=pwd1 user=user1
add add-default-route=yes disabled=no interface=eth0.22 max-mtu=1492 name=pppoe_ha-cu password=pwd2 user=user2

/interface bridge
add name=lan

/interface bridge port
add bridge=lan interface=eth2
add bridge=lan interface=eth3

/ip pool
add name=dhcp_pool0 ranges=192.168.124.2-192.168.125.254

/ip dhcp-server
add address-pool=dhcp_pool0 interface=lan lease-time=10m name=dhcp1

/interface list
add name=wan_ha_cu
add name=LAN
add name=wan_ha_ct
add name=WAN

/interface list member
add interface=lan list=LAN
add interface=pppoe_ha-cu list=WAN
add interface=pppoe_ha-ct list=WAN
add interface=pppoe_ha-cu list=wan_ha_cu
add interface=pppoe_ha-ct list=wan_ha_ct

/ip dhcp-server network
add address=192.168.124.0/23 dns-server=192.168.126.3 gateway=192.168.124.1

/ip address
add address=192.168.124.1/23 interface=lan network=192.168.124.0
add address=192.168.204.1/23 interface=wireguard1 network=192.168.204.0

Here is the firewall configuration.

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Allow OpenVPN" dst-port=51149 protocol=udp
add action=accept chain=input comment="allow wireguard" dst-port=52789 log-prefix=wireguard1 protocol=udp
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=input log=yes port=52789 protocol=udp
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from wan not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=input comment="drop all coming from ha_ct" in-interface=pppoe_ha-ct
add action=drop chain=input comment="drop all coming from ha_cu" in-interface=pppoe_ha-cu
add action=drop chain=input comment="drop upnp from ds920" dst-port=1900 protocol=udp src-address=192.168.125.1
add action=drop chain=input comment="drop upnp from ds920" dst-port=2828 protocol=tcp src-address=192.168.125.1
/ip firewall mangle
add action=mark-connection chain=input comment="mark wireguard from ct" dst-port=52789 in-interface=pppoe_ha-ct new-connection-mark=wireguard_ct_52789_conn passthrough=no protocol=udp
add action=mark-routing chain=output comment="routing wireguard from ct mark" connection-mark=wireguard_ct_52789_conn log=yes log-prefix=wg-ct-out new-routing-mark=wg-ct-out passthrough=no
add action=mark-connection chain=input comment="mark wireguard from cu" dst-port=52789 in-interface=pppoe_ha-cu new-connection-mark=wireguard_cu_52789_conn passthrough=no protocol=udp
add action=mark-routing chain=output comment="routing wireguard from cu mark" connection-mark=wireguard_cu_52789_conn log=yes log-prefix=wg-cu-out new-routing-mark=wg-cu-out passthrough=no
add action=mark-connection chain=input comment=cu-in in-interface=pppoe_ha-cu new-connection-mark=cu-in passthrough=yes
add action=mark-routing chain=output comment=cu-out connection-mark=cu-in new-routing-mark=cu-out passthrough=yes
add action=mark-connection chain=input comment=ct-in in-interface=pppoe_ha-ct new-connection-mark=ct-in passthrough=yes
add action=mark-routing chain=output comment=ct-out connection-mark=ct-in new-routing-mark=ct-out passthrough=yes
add action=mark-connection chain=prerouting comment="mark ds920 ovpn from ct" dst-port=41194 in-interface=pppoe_ha-ct new-connection-mark=ovpn_ct_41194_conn passthrough=yes protocol=udp
add action=mark-routing chain=prerouting comment="routing ds920 ovpn from ct mark" connection-mark=ovpn_ct_41194_conn new-routing-mark=ct-out passthrough=no src-address=192.168.125.1
add action=mark-connection chain=prerouting comment="mark ds920 ovpn from cu" dst-port=41194 in-interface=pppoe_ha-cu new-connection-mark= ovpn_cu_41194_conn passthrough=yes protocol=udp
add action=mark-routing chain=prerouting comment="routing ds920 ovpn from cu mark" connection-mark=ovpn_cu_41194_conn new-routing-mark=cu-out passthrough=no src-address=192.168.125.1
add action=mark-connection chain=prerouting comment="mark bt" dst-address-type=!local in-interface=lan new-connection-mark=bt passthrough=yes protocol=udp src-address=192.168.124.10 src-address-list="" src-port=63000,63001
add action=mark-routing chain=prerouting comment="routing bt mark" connection-mark=bt in-interface=lan new-routing-mark=bt passthrough=yes
add action=mark-connection chain=prerouting comment="https443_out_prerouting mark" dst-port=443 in-interface=lan new-connection-mark=https443 passthrough=yes protocol=tcp
add action=mark-routing chain=prerouting comment="https443_out mark route" connection-mark=https443 in-interface=lan new-routing-mark=cu-out passthrough=yes
add action=change-mss chain=forward comment="defconf: fix IPv4 mss for WAN" new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe_ha-ct
add action=masquerade chain=srcnat out-interface=pppoe_ha-cu
add action=dst-nat chain=dstnat comment=ovpn dst-port=41194 in-interface-list=WAN log=yes protocol=udp to-addresses=192.168.125.1 to-ports=41194
add action=dst-nat chain=dstnat dst-port=23333 in-interface-list=WAN protocol=tcp to-addresses=192.168.125.1 to-ports=23333
add action=dst-nat chain=dstnat dst-port=65432 in-interface-list=WAN protocol=tcp to-addresses=192.168.125.1 to-ports=65432
add action=endpoint-independent-nat chain=srcnat comment=FullCone_Nat dst-port=!41194 protocol=udp randomise-ports=yes
add action=endpoint-independent-nat chain=dstnat protocol=udp randomise-ports=yes

route.

/routing table
add disabled=no fib name=cu-out
add disabled=no fib name=ct-out
add disabled=no fib name=bt
add disabled=no fib name=wg-cu-out
add disabled=no fib name=wg-ct-out
add disabled=no fib name=wg

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe_ha-cu pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=10 dst-address=0.0.0.0/0 gateway=pppoe_ha-ct pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe_ha-ct pref-src="" routing-table=ct-out scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe_ha-cu pref-src="" routing-table=cu-out scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe_ha-ct routing-table=bt suppress-hw-offload=no
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe_ha-ct pref-src="" routing-table=wg-ct-out scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe_ha-cu pref-src="" routing-table=wg-cu-out scope=30 suppress-hw-offload=no target-scope=10

/routing rule
add action=lookup-only-in-table disabled=no interface=pppoe_ha-ct routing-mark=wg-ct-out table=wg-ct-out
add action=lookup-only-in-table disabled=no interface=pppoe_ha-ct routing-mark=wg-cu-out table=wg-cu-out

and wireguard.

/interface wireguard
add listen-port=52789 mtu=1400 name=wireguard1 private-key="mC****="

/interface wireguard peers
add allowed-address=192.168.204.2/32 interface=wireguard1 private-key="YN*=" public-key="5A*="
add allowed-address=192.168.204.3/32 interface=wireguard1 private-key="yB*=" public-key="LS*="

Looking forward to your help, thanks!

(1) You should be able to connect to the same wireguard Interface with two different clients on two different WANs into the router.
Can you confirm that is what you are attempting to do?

You need to ensure that the handshake is returned out the same WAN it comes in on.
I suspect that is your problem.
I have no clue what you are attempting to do in mangling, but I suspect the only thing mangled is your config.

Are you attempting the same concept with OVPN?

It used to be (and possibly still is) that connection marks did not get from input to output with wireguard (or openvpn).
I have used the source IP address as a routing selector in the routing rules for this.
It does NOW remember the source IP address.

Assumes static IP address. Can update rules using script for dynamic IP address.

Something like

/routing rule
#local lan addresses
add action=lookup disabled=no dst-address=172.16.0.0/12 table=main 
add action=lookup comment="return path for wg/openvpn into wan1" disabled=no src-address=YOUR-WAN1-IPADDRESS/32 table=ViaWan1
add action=lookup comment="return path for wg/openvpn into wan2" disabled=no src-address=YOUR-WAN2-IPADDRESS/32 table=ViaWan2

Yes, I'm trying to connect to the same WireGuard interface with two different clients on two different WANs into the router.
I have two OpenVPN servers: one is the RouterOS (listening on UDP 51149), the other is on 192.168.125.1 (listening on UDP 41194); they are both working well.

Too busy today to look at it, but I would scrap any mangle rules you have for wireguard.
What is required are mangle rules ensuring that traffic coming in on wanx goes out wanx.

Ok, I removed all mangle rules, routing tables, routing rules and IP routes related to WireGuard, and only set a firewall rule to accept WireGuard's port, but still only one of the ISPs can handshake successfully when both pppoe-clients are online.

The adjusted configuration is as follows:

/routing table
add disabled=no fib name=cu-out
add disabled=no fib name=ct-out
add disabled=no fib name=bt
/ip route
add disabled=no distance=10 dst-address=0.0.0.0/0 gateway=pppoe_ha-ct \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe_ha-ct \
    pref-src="" routing-table=ct-out scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe_ha-cu \
    pref-src="" routing-table=cu-out scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe_ha-ct \
    routing-table=bt suppress-hw-offload=no
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe_ha-cu \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Allow OpenVPN" dst-port=51149 \
    protocol=udp
add action=accept chain=input comment="allow wireguard" dst-port=52789 \
    protocol=udp
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from wan not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=input comment="defconf: drop all coming from ha_ct" \
    in-interface=pppoe_ha-ct
add action=drop chain=input comment="defconf: drop all coming from ha_cu" \
    in-interface=pppoe_ha-cu
add action=drop chain=input comment="drop upnp from ds920" dst-port=1900 \
    protocol=udp src-address=192.168.125.1
add action=drop chain=input comment="drop upnp from ds920" dst-port=2828 \
    protocol=tcp src-address=192.168.125.1

/ip firewall mangle
add action=mark-connection chain=input comment=cu-in in-interface=pppoe_ha-cu \
    new-connection-mark=cu-in passthrough=yes
add action=mark-routing chain=output comment=cu-out connection-mark=cu-in \
    new-routing-mark=cu-out passthrough=yes
add action=mark-connection chain=input comment=ct-in in-interface=pppoe_ha-ct \
    new-connection-mark=ct-in passthrough=yes
add action=mark-routing chain=output comment=ct-out connection-mark=ct-in \
    new-routing-mark=ct-out passthrough=yes
add action=mark-connection chain=prerouting comment="mark ds920 ovpn from ct" \
    dst-port=41194 in-interface=pppoe_ha-ct new-connection-mark=\
    ovpn_ct_41194_conn passthrough=yes protocol=udp
add action=mark-routing chain=prerouting comment=\
    "routing ds920 ovpn from ct mark" connection-mark=ovpn_ct_41194_conn \
    new-routing-mark=ct-out passthrough=no src-address=192.168.125.1
add action=mark-connection chain=prerouting comment="mark ds920 ovpn from cu" \
    dst-port=41194 in-interface=pppoe_ha-cu new-connection-mark=\
    ovpn_cu_41194_conn passthrough=yes protocol=udp
add action=mark-routing chain=prerouting comment=\
    "routing ds920 ovpn from cu mark" connection-mark=ovpn_cu_41194_conn \
    new-routing-mark=cu-out passthrough=no src-address=192.168.125.1
add action=mark-connection chain=prerouting comment="mark bt" \
    dst-address-type=!local in-interface=lan new-connection-mark=bt \
    passthrough=yes protocol=udp src-address=192.168.124.10 src-address-list=\
    "" src-port=63000,63001
add action=mark-routing chain=prerouting comment="routing bt mark" \
    connection-mark=bt in-interface=lan new-routing-mark=bt passthrough=yes
add action=mark-connection chain=prerouting comment=\
    "https443_out_prerouting mark" dst-port=443 in-interface=lan \
    new-connection-mark=https443 passthrough=yes protocol=tcp
add action=mark-routing chain=prerouting comment="https443_out mark route" \
    connection-mark=https443 in-interface=lan new-routing-mark=cu-out \
    passthrough=yes
add action=accept chain=prerouting dst-address=192.168.1.0/24 src-address=\
    192.168.124.0/23
add action=accept chain=prerouting dst-address=192.168.2.0/24 src-address=\
    192.168.124.0/23
add action=change-mss chain=forward comment="defconf: fix IPv4 mss for WAN" \
    new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn

/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe_ha-ct
add action=masquerade chain=srcnat out-interface=pppoe_ha-cu
add action=dst-nat chain=dstnat comment=ovpn dst-port=41194 \
    in-interface-list=WAN log=yes protocol=udp to-addresses=192.168.125.1 \
    to-ports=41194
add action=dst-nat chain=dstnat dst-port=23333 in-interface-list=WAN \
    protocol=tcp to-addresses=192.168.125.1 to-ports=23333
add action=dst-nat chain=dstnat dst-port=65432 in-interface-list=WAN \
    protocol=tcp to-addresses=192.168.125.1 to-ports=65432
add action=endpoint-independent-nat chain=srcnat comment=FullCone_Nat \
    dst-port=!41194 protocol=udp randomise-ports=yes
add action=endpoint-independent-nat chain=dstnat protocol=udp \
    randomise-ports=yes

As you can see, I set up two routes in the main routing table for dst address 0.0.0.0/0, pointing to my two ISPs, but with different distances: 10 for pppoe_ha-ct and 1 for pppoe_ha-cu, because I want to use pppoe_ha-ct as a backup.

But here's the problem: my WireGuard client is only able to connect to the IP of the gateway with distance 1, which in this configuration is pppoe_ha-cu. When I swapped the distances of these two routes (pppoe_ha-cu 10 and pppoe_ha-ct 1), the situation changed: I could connect to pppoe_ha-ct's IP instead of pppoe_ha-cu's IP.

So, I think it's still necessary to mark WireGuard traffic, but my previous rules don't work.

Try these mangle rules.

add chain=prerouting action=mark-connection connection-mark=no-mark in-interface=WAN2 new-connection-mark=incomingISP2 passthrough=yes
add chain=output action=mark-routing connection-mark=incomingISP2 new-routing-mark=useWAN2 passthrough=no

Don't forget the table.
/routing table add fib name=useWAN2

And the route
add distance=2 check-gateway=ping dst-address=0.0.0.0/0 gateway=ISP1 routing-table=main
add distance=4 dst-address=0.0.0.0/0 gateway=ISP2 routing-table=main
add dst-address=0.0.0.0/0 gateway=ISP2 routing-table=useWAN2

Sorry, it's still not working. I can see the packet count on this prerouting rule growing, but no packets go through the output rule.

Then there is something else on your config that is blocking.
Please post the FULL config.

/export file=anynameyouwish ( minus router serial #, public WANIP information, keys, long dhcp lease lists, IPV6 anything if not using it)

Firewall rules fixed. Main issue is these rules, which have been axed…
add action=drop chain=input comment="defconf: drop all coming from ha_ct" in-interface=pppoe_ha-ct
add action=drop chain=input comment="defconf: drop all coming from ha_cu" in-interface=pppoe_ha-cu
add action=drop chain=input comment="drop upnp from ds920" dst-port=1900 protocol=udp src-address=192.168.125.1
add action=drop chain=input comment="drop upnp from ds920" dst-port=2828 protocol=tcp src-address=192.168.125.1

/ip firewall address-list
add address=admin-IP1 list=Authorized comment="Admin local desktop static lease"
add address=admin-IP2 list=Authorized comment="Admin local laptop; static lease"
add address=admin-IP3 list=Authorized comment="Admin local smartphone/ipad; static lease"
add address=admin-IP4 list=Authorized comment="Admin local smartphone/ipad; static lease"
add address=admin-IP5 list=Authorized comment="Admin remote wireguard IP"

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Allow OpenVPN" dst-port=51149 protocol=udp
add action=accept chain=input comment="allow wireguard" dst-port=52789 protocol=udp
add action=accept chain=input comment="admin access" src-address-list=Authorized
add action=accept chain=input comment="LAN ACCESS" dst-port=53 protocol=udp in-interface-list=LAN
add action=accept chain=input comment="LAN ACCESS" dst-port=53 protocol=tcp in-interface-list=LAN
add action=drop chain=input comment="DROP ALL ELSE" { make this the last rule you add }

{ forward chain }
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid

add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
----> add any other allowed traffic here <-----
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes { enable if required }
add action=drop chain=forward comment="DROP ALL ELSE"

wireguard with 2 gateways.

Conclusion
Likely only works well by using routing rules.

Some testing and observations:

Router with 2 wan ports (both with NAT, dhcp client),
wireguard configured, input rule to allow wireguard in,
otherwise near base configuration.

Configured mangle rules marking new connections to wireguard port
in prerouting, with 2 different marks (viawan1, viawan2)

Also configured passthrough mangle rules tracking the packets on the input
chain going to wireguard on input, and coming from wireguard on the output.
There were 3 rules on both input and output.
(Sometimes also enabled logging on these rules)

  1. All packets bound for wireguard,
  2. All packets from wireguard.
  3. Packets with connection mark viawan1 to wireguard
  4. Packets with connection mark viawan2 to wireguard
  5. Packets with connection mark viawan1 from wireguard
  6. Packets with connection mark viawan2 from wireguard

Rules 1, 2, 3, 4 packet counters incremented.
Rules 5 and 6 in the output chain did not increment.
=> Connection marking does not get from input to output.

When wan1 gateway has a lower distance than the wan2.
Connections to wireguard via wan1 work.
Connections to wireguard via wan2 don’t work.

Vice versa when wan2 had the lower distance.

When looking at the log for the output mangle rule (#2 above) it was
found that the packet at the output mangle rule already had the source
IP address of the lower-distance wan port, independent of which wan the
inbound packet came in on.

So you are pretty well done for before you start.

When the routing rules below were implemented, the packets at the output
mangle rule had the correct source IP address (i.e. matching the IP
address/wan that the corresponding input packet came in on).

Note:
It was also found that wireguard worked correctly via both inbound wan
ports if both wans had the same distance configured on them.
(Though this seems likely a poor option)


Routing rules and associated Config that seem to work ok.

/routing rule
#local address ranges. (.70=wireguard)
add action=lookup disabled=no dst-address=192.168.70.0/24 table=main
add action=lookup disabled=no dst-address=192.168.88.0/24 table=main

#wan addresses, will be updated on dhcp client update.
add action=lookup comment=viawan1 disabled=no src-address=192.168.72.40 table=viawan1
add action=lookup comment=viawan2 disabled=no src-address=192.168.73.40 table=viawan2

/routing table
add disabled=no fib name=viawan1
add disabled=no fib name=viawan2


#IP DHCP Client and scripts to update routing rules.
#PPPoE should be similar.

/ip dhcp-client
add comment=defconf default-route-distance=5 interface=ether1 script="/routing rule\r\
    \n:if (\$bound = 1) do={\r\
    \n set [find where comment~\"viawan1\"] src-address=\$\"lease-address\";\r\
    \n}\r\
    \n\r\
    \n"
add default-route-distance=10 interface=ether2 script="/routing rule\r\
    \n:if (\$bound = 1) do={\r\
    \n set [find where comment~\"viawan2\"] src-address=\$\"lease-address\";\r\
    \n}"

I would be very happy if you could let me know what the issue is that the user is experiencing with WireGuard connectivity on RouterOS with multiple WAN ports. I think your WireGuard handshake issue might be related to routing and connection marks. Ensure your firewall rules are correctly marking and routing WireGuard traffic based on the source ISP. Additionally, review your routing tables and rules to guarantee proper handling of WireGuard connections for each ISP. Thanks

Client data enters through the WAN1 port, but the router sends it back out through WAN2, causing the handshake to fail.
How can I control the router to send out data it actively initiates from a specified WANX port?
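The approach the "wireguard with 2 gateways" post landed on (routing rules keyed on the WAN source address, kept current by a script) adapted to the original poster's two PPPoE uplinks, as an added example that is not any poster's config. The interface names pppoe_ha-ct / pppoe_ha-cu, the LAN and WireGuard subnets and the main-table distances are taken from the thread; the table names via_ct / via_cu, the profile names wan_ct / wan_cu, and the use of the PPP profile on-up / on-down scripts with their $interface and $"local-address" variables (the thread only shows the DHCP-client variant) are assumptions of this example.

```routeros
# Added example, not the thread's own config: return-path routing for WireGuard on two
# PPPoE uplinks, using the src-address routing-rule approach from the observations post.
# Interface names, subnets and distances follow the OP; table names (via_ct, via_cu)
# and profile names (wan_ct, wan_cu) are assumptions.

/routing table
add fib name=via_ct
add fib name=via_cu

/interface pppoe-client
# the static routes below replace the dynamic default routes
set [find name=pppoe_ha-ct] add-default-route=no
set [find name=pppoe_ha-cu] add-default-route=no

/ip route
# main table: cu preferred, ct as backup (same preference as the OP's config)
add dst-address=0.0.0.0/0 gateway=pppoe_ha-cu distance=1 routing-table=main
add dst-address=0.0.0.0/0 gateway=pppoe_ha-ct distance=10 routing-table=main
# per-uplink tables, used only by the return-path rules
add dst-address=0.0.0.0/0 gateway=pppoe_ha-ct routing-table=via_ct
add dst-address=0.0.0.0/0 gateway=pppoe_ha-cu routing-table=via_cu

/routing rule
# local destinations first, so LAN and tunnel traffic never reaches the per-WAN tables
add action=lookup dst-address=192.168.124.0/23 table=main
add action=lookup dst-address=192.168.204.0/23 table=main
# a locally generated reply (the handshake response) carries the source address of the
# PPPoE interface the initiation arrived on; send it back out that same interface.
# The rules start disabled with no src-address; the on-up script fills in the address
# and enables them, the on-down script disables them again when the session drops.
add action=lookup comment=via_ct disabled=yes table=via_ct
add action=lookup comment=via_cu disabled=yes table=via_cu

/ppp profile
# on-up / on-down run when the PPPoE session comes up or goes down; RouterOS supplies
# $"local-address" (the public address assigned by the ISP). One profile per uplink
# keeps each script to a single statement.
add copy-from=default name=wan_ct \
    on-up="/routing rule set [find where comment=\"via_ct\"] src-address=\$\"local-address\" disabled=no" \
    on-down="/routing rule set [find where comment=\"via_ct\"] disabled=yes"
add copy-from=default name=wan_cu \
    on-up="/routing rule set [find where comment=\"via_cu\"] src-address=\$\"local-address\" disabled=no" \
    on-down="/routing rule set [find where comment=\"via_cu\"] disabled=yes"

/interface pppoe-client
set [find name=pppoe_ha-ct] profile=wan_ct
set [find name=pppoe_ha-cu] profile=wan_cu
```

To check it: once both sessions are up, `/routing rule print` should show each via_* rule enabled with the current public address of its uplink, and `/ip route print where routing-table=via_ct` should list only the pppoe_ha-ct default. Then initiate a handshake against each public IP in turn while watching the "allow wireguard" input rule's packet counter; with the rules in place both should complete, and pulling one session should disable only its own rule and leave the other uplink reachable. The observations post also noted that giving both main-table routes the same distance makes WireGuard work without any rules, at the cost of the primary/backup preference the OP wants.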