Thanks for the diagram. I too echo the sentiments: why have the MT slave do the routing instead of letting the MT master do that work?
You could do ONLY room1 through the master (transparently moving through the Slave via vlan).
To fully appreciate your network and an efficient config, a full set of requirements is needed. Separate from any config,
identify users/devices and what they need to be able to do… and not do…
Slave and master are APs and are connected over a wireless repeater. The main AP for ROOM1 is the slave. But the APs should be interchangeable, and wireless clients from ROOM1 can connect to the master AP as well. And only the master holds the VPN connection that should encapsulate all ROOM1 traffic (it is not possible to make two VPN connections, one from each router).
The VPN holds the connection to the office for this room, for several laptops and other mobile devices, for Email, NAS, CMS, Zoom, etc. The traffic is sometimes 1-10 Mbps. There are two other rooms with a similar configuration and their own VPNs, but I am trying to simplify…
So it's not an internal office-to-office VPN? It's office to the internet through some VPN provider?
It is not office to office VPN, it is office to the Internet through some third party VPN provider.
But this question is not about the VPN. The VPN is working fine on the Master router; what I need now is to route users connected to the Slave's Wi-Fi into this VPN based on source IP address.
I have been reading about VLANs and can't understand whether it is possible to assign a VLAN ID based on source IP. Everywhere it says to choose an interface for a given VLAN. But on the Slave there are users ("Others") that are also connected to the Wlan1 Wi-Fi but should not be routed through the VPN.
On the slave device,
IF ALL THE USERS are going to use the office VPN provider, then it's not so bad:
/ip route
add dst-address=0.0.0.0/0 gateway=wireguard-interface-name routing-table=main
If ONLY ONE VLAN of all the users on the Slave device is going to use the VPN provider for internet:
/ip route
add dst-address=0.0.0.0/0 gateway=wanIPgateway routing-table=main (the slave device's WAN gateway, for all other users)
add dst-address=0.0.0.0/0 gateway=wireguard-interface-name routing-table=useWG
To make the second IP route work you have to create a routing table and a routing rule:
/routing table add fib name=useWG
/routing rule add src-address=vlansubnet action=lookup-only-in-table table=useWG (or interface=vlan-Name instead of src-address)
A vlan is just like a lan, except that it can share physical resources (ports, wires, switches). In a way it is like a virtual machine (VM), where you can have multiple VMs sharing a physical server.
If you are interested in what vlans do, I recommend this: VLANs — Index
But from your description, it doesn't seem you need vlans. I think what you want is called policy-based routing, where the route can be chosen based on more than the destination IP address, for example the source IP address. This can then apply to a subset of the devices connected to the wifi. Although it may be easier to dedicate a separate SSID for VPN access, and then apply it to any connection to the vlan associated with the SSID.
So at least now you can search for topics with PBR or Policy Routing and you are more likely to find an answer that will solve your problem.
Unfortunately, I am also a RouterOS noob, and I haven't used that feature on RouterOS. But I believe it will involve alternate routing tables, and uses firewall mangle rules to select an alternate routing table, at least that is what I would expect based on how it is done in other linux-based routers. For an example in Linux: Linux policy based routing
I just saw this post by @anav and it claims that your performance with mangling will tank if you were previously using fasttrack. I haven’t tried, so I don’t know, but almost certainly it will be slower than standard routing, because it is more involved.
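The two approaches discussed above (the routing-rule config in the earlier reply, and the mangle-plus-fasttrack variant mentioned in the last reply) in one complete RouterOS v7 fragment. This is an added example and not config from anyone in the thread. It assumes the router holding the tunnel has a WireGuard interface named wireguard1, a LAN of 192.168.88.0/24 on an interface list named LAN, a WAN gateway of 192.0.2.1, and that the two VPN clients (192.168.88.21 and .22) have static DHCP leases so their addresses do not change; all of these names and addresses are placeholders. Pick either Variant A or Variant B, not both; they select the same hosts.

```routeros
# Added example (not from the thread). Placeholder names: wireguard1, LAN,
# 192.0.2.1 (WAN gateway), 192.168.88.21/22 (clients that must use the VPN).

# 1. Select the VPN clients by source IP. Give these hosts static DHCP leases
#    so the list stays accurate after a reboot or lease renewal.
/ip firewall address-list
add list=vpn-clients address=192.168.88.21 comment="room1 laptop"
add list=vpn-clients address=192.168.88.22 comment="room1 phone"

# 2. A second routing table whose only default route is the tunnel.
#    "fib" makes it a real forwarding table, not just a routing-filter table.
/routing table
add name=useWG fib
/ip route
add dst-address=0.0.0.0/0 gateway=192.0.2.1 routing-table=main comment="everyone else"
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=useWG comment="VPN clients"

# 3a. Variant A: routing rules keyed on the source address. One rule per host
#     (a /24 would match the whole LAN, including the "Others").
#     lookup-only-in-table acts as a kill switch: if wireguard1 is down, these
#     hosts get no internet instead of leaking out the WAN. Use action=lookup
#     if fallback to the main table is preferred.
/routing rule
add src-address=192.168.88.21/32 action=lookup-only-in-table table=useWG comment="room1 laptop"
add src-address=192.168.88.22/32 action=lookup-only-in-table table=useWG comment="room1 phone"

# 3b. Variant B: a single mangle rule keyed on the address list. The routing
#     mark name must equal the routing table name.
/ip firewall mangle
add chain=prerouting in-interface-list=LAN src-address-list=vpn-clients \
    action=mark-routing new-routing-mark=useWG passthrough=no comment="PBR into WireGuard"

# 4. Fasttracked packets skip mangle, so with Variant B the VPN clients must be
#    excluded in both directions (reply packets have the client as destination)
#    before the fasttrack rule. Everyone else keeps fasttrack performance.
/ip firewall filter
add chain=forward action=fasttrack-connection connection-state=established,related \
    src-address-list=!vpn-clients dst-address-list=!vpn-clients comment="fasttrack non-VPN"
add chain=forward action=accept connection-state=established,related

# 5. Traffic leaving through the tunnel must carry the tunnel address, since
#    the provider only routes its assigned peer address back to us.
/ip firewall nat
add chain=srcnat out-interface=wireguard1 action=masquerade comment="NAT into WireGuard"
```

To check which path a host takes, use /tool traceroute with src-address set to the client's address, or watch /interface monitor-traffic wireguard1 while that client browses. With Variant B, /ip firewall mangle print stats shows the rule's packet counter climbing only for the listed hosts; with either variant, /ip route print where routing-table=useWG must show the tunnel route as active (flag A) or the listed hosts will have no connectivity.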