Multi wan and Wireguard server handshake

Hello!

I have read the forum and found several similar issues, but none of the proposed solutions works; I’ll go through the details later.

Context:

  • 3 WAN connections

  • wan#1 - primary connection - Starlink (no public IP)

  • wan#2 - secondary connection - 1 public IPv4 IP

  • wan#3 - secondary connection - 1 public IPv4 IP

  • 1 IPSEC tunnel terminating in AWS over #2 - but it is not relevant.

I mainly use wan#2 and wan#3 as backup connections, or to expose services publicly - but some services requiring public IP allowlisting or low latency such as VoIP are also going through wan#2 or wan#3.
I am only using mangling in my setup, and not routing rules. It might be a little complex, but it works really well so far.

I want to connect to my router using WireGuard, hence turn my RB5009 into a “WG server”. I want to leverage one of the 2 connections with a public IP. Let’s say wan#3.

When I’m inspecting packets, the handshake is correctly coming in through wan#3. The router then replies to this handshake, but the packet leaves the router via wan#1, which obviously does not work.
I then tried to add a mangle rule to mark WG packets and change the routing table (similar to my other setups) to use wan#3. This time I can see the packet leaving the router on wan#3, but with the source IP address of wan#1, and as such the packets get source-NATed, which would be okay if the source port were not changed.

I’m familiar with packet flow but hitting my limits here!

Is there a clean (or dirty!) way to change/override the source IP and port for the WireGuard handshake? I tried source-NATing, but it did not work. I saw some solutions based on routing rules, but correct me if I’m wrong, they cannot be used here since I will use WireGuard clients with dynamic and unpredictable IP addresses, and it is not possible to define routing rules based on port?

I’m attaching my configuration, but I appreciate it can be fairly complex.

# 2024-08-17 23:34:37 by RouterOS 7.15.3
# software id = B9CF-ZH4I
#
# model = RB5009UG+S+
# serial number = XXXX
/interface bridge
add name=bridge1-mdns port-cost-mode=short
/interface ethernet
set [ find default-name=ether4 ] comment="Static Admin"
set [ find default-name=ether8 ] comment=Starlink
/interface veth
add address=192.168.254.1/24 gateway=192.168.254.254 gateway6="" name=veth1-mdns-container
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard-wgcli
add listen-port=13232 mtu=1420 name=wireguard-server
/interface vlan
add comment="Access Points" interface=bridge1-mdns name=vlan2 vlan-id=2
add comment=IoT interface=bridge1-mdns name=vlan3 vlan-id=3
add comment=CCTV interface=bridge1-mdns name=vlan4 vlan-id=4
add comment=Infra interface=bridge1-mdns name=vlan5 vlan-id=5
add comment="Video Portier" interface=bridge1-mdns name=vlan6 vlan-id=6
add comment=Secure interface=bridge1-mdns name=vlan10 vlan-id=10
add comment=Guests interface=bridge1-mdns name=vlan100 vlan-id=100
add comment="VL101 - Amazon VPN" interface=bridge1-mdns name=vlan101 vlan-id=101
add comment="Clients of this VLAN will go through Starlink" interface=bridge1-mdns name=vlan200 vlan-id=200
add comment="Clients of this VLAN will go through WAN#2" interface=bridge1-mdns name=vlan201 vlan-id=201
add interface=bridge1-mdns name=vlan666 vlan-id=666
add comment="Data Wan#2" interface=bridge1-mdns name=vlan901 vlan-id=901
add comment="Data Wan#3" interface=bridge1-mdns name=vlan902 vlan-id=902
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
add code=43 name=unifi-local value=0x0104AC10053D
add code=119 force=yes name=search value=0x0c736f6f6e6f6f6e6f6e6f6e6f02636f02752700
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 dpd-interval=10s dpd-maximum-failures=3 enc-algorithm=aes-128
add dh-group=modp1024 dpd-interval=10s dpd-maximum-failures=3 enc-algorithm=aes-128 lifetime=8h name=tunnel-2 nat-traversal=no
add dh-group=modp1024 dpd-interval=10s dpd-maximum-failures=3 enc-algorithm=aes-128 lifetime=8h name=tunnel-1 nat-traversal=no
add dh-group=modp1024 dpd-interval=10s dpd-maximum-failures=3 enc-algorithm=aes-128 lifetime=8h name=tunnel-1-NAT
/ip ipsec peer
add address=x.x.x.x/32 local-address=x.x.x.x name=aws-wimax--2-1 profile=tunnel-1-NAT
/ip ipsec proposal
add enc-algorithms=aes-128-cbc lifetime=1h name=ipsec-vpn-0269e1769bdbda139-0
/ip pool
add name=vlan10 ranges=172.16.10.100-172.16.10.200
add name=vlan3 ranges=172.16.3.3-172.16.3.200
add name=vlan5 ranges=172.16.5.3-172.16.5.200
add name=vlan100 ranges=172.16.100.100-172.16.100.200
add name=vlan2 ranges=172.16.2.10-172.16.2.200
add name=vlan6 ranges=172.16.6.2-172.16.6.100
add name=vlan201 ranges=172.16.201.10-172.16.201.20
add name=vlan200 ranges=172.16.200.10-172.16.200.20
add name=vlan4 ranges=172.16.4.10-172.16.4.200
add name=vlan101 ranges=172.16.101.10-172.16.101.200
/ip dhcp-server
add address-pool=vlan10 interface=vlan10 name=vlan10
add address-pool=vlan3 interface=vlan3 name=vlan3
add address-pool=vlan5 interface=vlan5 name=vlan5
add address-pool=vlan2 interface=vlan2 name=vlan2
add address-pool=vlan6 interface=vlan6 name=vlan6 server-address=172.16.6.1
add address-pool=vlan201 interface=vlan201 name=vlan201
add address-pool=vlan200 interface=vlan200 name=vlan200
add address-pool=vlan4 interface=vlan4 name=vlan4
add address-pool=vlan101 interface=vlan101 name=vlan101
add address-pool=vlan666 interface=vlan666 name=vlan666
/ip smb users
set [ find default=yes ] disabled=yes
/routing pimsm instance
add disabled=no name=pimsm-instance1 vrf=main
/routing table
add disabled=no fib name=wimax-3
add disabled=no fib name=wimax-2
add disabled=no fib name=Aws
add disabled=no fib name=wgcli
/routing bgp template
add as=65000 disabled=no name=aws routing-table=main
/container
add entrypoint=/app/run.sh interface=veth1-mdns-container logging=yes start-on-boot=yes
/interface bridge port
add bridge=bridge1-mdns ingress-filtering=no interface=ether1 internal-path-cost=10 path-cost=10 trusted=yes
add bridge=bridge1-mdns ingress-filtering=no interface=veth1-mdns-container internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set enabled=yes udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set rp-filter=loose
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=*A list=LAN
add comment=defconf interface=ether8 list=WAN
add interface=vlan902 list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=x.x.x.x endpoint-port=x interface=wireguard-wgcli name=peer3 public-key="xxxx"
add allowed-address=192.168.201.2/32 interface=wireguard-server name=peer5 public-key="xxxx"
/ip address
add address=172.16.10.1/24 interface=vlan10 network=172.16.10.0
add address=172.16.2.1/24 interface=vlan2 network=172.16.2.0
add address=172.16.3.1/24 interface=vlan3 network=172.16.3.0
add address=172.16.5.1/24 interface=vlan5 network=172.16.5.0
add address=172.16.100.1/24 interface=vlan100 network=172.16.100.0
add address=192.168.100.254/24 comment="Starlink Admin Interface" interface=ether8 network=192.168.100.0
add address=192.168.254.1 interface=veth1-mdns-container network=192.168.254.1
add address=172.16.1.1/24 interface=ether1 network=172.16.1.0
add address=172.16.6.1/25 interface=vlan6 network=172.16.6.0
add address=x.x.x.x/24 comment="wimax Data -3" interface=vlan902 network=x.x.x.0
add address=192.168.88.1/24 comment="Static Admin" interface=ether4 network=192.168.88.0
add address=172.16.201.1/24 interface=vlan201 network=172.16.201.0
add address=172.16.200.1/24 interface=vlan200 network=172.16.200.0
add address=x.x.x.x/24 comment="wimax Data -2" interface=vlan901 network=x.x.x.0
add address=172.16.4.1/24 interface=vlan4 network=172.16.4.0
add address=172.16.101.1/24 comment="AWS IOT TESTING" interface=vlan101 network=172.16.101.0
add address=169.254.37.226/30 comment="AWS Tunnel 1" interface=ether8 network=169.254.37.224
add address=172.16.66.1/24 interface=vlan666 network=172.16.66.0
add address=10.69.44.197 interface=wireguard-wgcli network=10.69.44.197
add address=192.168.201.1 interface=wireguard-server network=192.168.201.1
/ip dhcp-client
add interface=ether8
/ip dhcp-server network
add address=172.16.2.0/24 dhcp-option=unifi-local dns-server=172.16.2.1 gateway=172.16.2.1 netmask=24
add address=172.16.3.0/24 comment=IOT dns-server=172.16.3.1 gateway=172.16.3.1 netmask=24
add address=172.16.4.0/24 comment=CCTV dns-server=172.16.4.1 gateway=172.16.4.1 netmask=24
add address=172.16.5.0/24 comment=Infra dns-server=172.16.5.1 gateway=172.16.5.1 netmask=24
add address=172.16.6.0/24 dns-server=172.16.6.1 gateway=172.16.6.1 netmask=24
add address=172.16.10.0/24 comment="Clients Secure" dns-server=172.16.10.1 gateway=172.16.10.1 netmask=24
add address=172.16.66.0/24 dns-server=8.8.8.8 gateway=172.16.66.2 netmask=24
add address=172.16.101.0/24 comment="AWS IOT TESTING" dns-server=10.128.1.242,10.128.1.192 gateway=172.16.101.1 netmask=24
add address=172.16.200.0/24 comment="Starlink Clients" dns-server=172.16.200.1 gateway=172.16.200.1 netmask=24
add address=172.16.201.0/24 comment="wimax Clients -3" dns-server=172.16.201.1 gateway=172.16.201.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=172.16.101.0/24 list=aws-advertised-net
/ip firewall filter
add action=accept chain=input dst-port=8291 in-interface=vlan901 protocol=tcp
add action=accept chain=input comment="allow wireguard" dst-port=13232 in-interface=vlan901 protocol=udp
add action=accept chain=input comment="Allow NTP on VL101" dst-port=123 in-interface=vlan101 protocol=udp
add action=accept chain=input comment="allow all trafic from VPN" in-interface=wireguard-server
add action=accept chain=forward comment="allow all trafic from VPN" in-interface=wireguard-server
add action=accept chain=forward comment="forward trafic to VPN" out-interface=wireguard-server
add action=accept chain=forward comment="Doorbell to Secure" dst-address=172.16.10.0/24 log=yes log-prefix="doorbell >> " src-address=172.16.6.0/24
add action=accept chain=forward comment="Secure to Doorbell" dst-address=172.16.6.0/24 log=yes log-prefix="doorbell >> " src-address=172.16.10.0/24
add action=drop chain=forward disabled=yes out-interface=ether8 src-address=172.16.5.10
add action=accept chain=input comment="IPSEC AWS" dst-port=500 protocol=udp src-address=52.16.22.9 src-port=500
add action=accept chain=input comment="IPSEC AWS" protocol=ipsec-esp src-address=52.16.22.9
add action=accept chain=forward comment="ALLOW FORWARD AWS IPSEC" ipsec-policy=in,ipsec
add action=accept chain=forward comment="ALLOW FORWARD AWS IPSEC" ipsec-policy=out,ipsec log=yes
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-mark=no-mark connection-state=established,related disabled=yes hw-offload=no
add action=accept chain=forward comment="allow internet access for VL101" in-interface=vlan101 out-interface=ether8
add action=accept chain=forward comment="allow other VLANs to talk to VL101" connection-state=established,related in-interface=vlan101
add action=drop chain=forward comment="Block from VLAN101 to the rest of home" in-interface=vlan101
add action=drop chain=input comment="Block from VLAN101 to the rest of home" in-interface=vlan101
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=input comment="Allow SSH on wimax -3" dst-port=22 in-interface=vlan901 protocol=tcp
add action=accept chain=input comment="Allow HTTPS on wimax -3" dst-port=8443 in-interface=vlan902 protocol=tcp
add action=accept chain=input comment="Allow HTTPS on wimax -2" dst-port=8443 in-interface=vlan901 protocol=tcp
add action=accept chain=forward comment="wimax -3 TCP/80" dst-port=80 in-interface=vlan902 protocol=tcp
add action=accept chain=forward comment="wimax -2 TCP/80" dst-port=80 in-interface=vlan901 protocol=tcp
add action=accept chain=forward comment="SSH wimax -2" dst-port=2222 in-interface=vlan901 protocol=tcp
add action=accept chain=forward comment="wimax -3 TCP/443" dst-port=443 in-interface=vlan902 protocol=tcp
add action=accept chain=forward comment="wimax -2 TCP/443" dst-port=443 in-interface=vlan901 protocol=tcp
add action=drop chain=input in-interface=vlan902 protocol=tcp
add action=drop chain=input in-interface=vlan901 protocol=tcp
add action=drop chain=input in-interface=vlan902 protocol=udp
add action=drop chain=input in-interface=vlan901 protocol=udp
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=output log=yes out-interface=vlan901
add action=accept chain=forward dst-port=554 in-interface=vlan902 protocol=tcp
add action=accept chain=forward dst-port=8000 in-interface=vlan902 protocol=tcp
/ip firewall mangle
add action=mark-routing chain=output log=yes log-prefix=WG4 new-routing-mark=wimax-2 passthrough=yes protocol=udp src-port=13232
add action=mark-connection chain=output log=yes log-prefix=WG new-connection-mark=wireguardserver passthrough=yes protocol=udp src-port=13232
add action=mark-routing chain=output comment="Wiregard Server" connection-mark=wireguardserver log=yes log-prefix=WG2 new-routing-mark=wimax-2 passthrough=no
add action=mark-connection chain=prerouting comment="wgcli VPN" disabled=yes new-connection-mark=wgcli passthrough=yes src-address=172.16.10.169
add action=mark-routing chain=prerouting comment="wgcli VPN" connection-mark=wgcli new-routing-mark=wgcli passthrough=no
add action=mark-connection chain=prerouting comment="VM wimax" in-interface=vlan201 new-connection-mark=wimax--2 passthrough=yes
add action=mark-connection chain=prerouting comment="Route to AWS" connection-state="" dst-address=!172.16.0.0/16 log=yes log-prefix="aws >>" new-connection-mark=aws passthrough=yes src-address=172.16.101.0/24
add action=mark-connection chain=output comment="IPSEC through wimax to AWS" dst-address=52.16.22.9 dst-port=500,4500 new-connection-mark=wimax--2 passthrough=yes protocol=udp
add action=mark-connection chain=output comment="IPSEC through wimax to AWS" disabled=yes dst-address=52.19.132.11 dst-port=500,4500 new-connection-mark=wimax--2 passthrough=yes protocol=udp
add action=mark-connection chain=output comment="IPSEC through wimax to AWS" new-connection-mark=wimax--2 passthrough=yes protocol=ipsec-esp
add action=mark-connection chain=input comment="INPUT from wimax -3" dst-port=8443 in-interface=vlan902 new-connection-mark=wimax--3 passthrough=no protocol=tcp
add action=mark-connection chain=input comment="INPUT from wimax -2" dst-port=8443 in-interface=vlan901 new-connection-mark=wimax--2 passthrough=no protocol=tcp
add action=mark-routing chain=output comment="OUTPUT to wimax -3" connection-mark=wimax--3 new-routing-mark=wimax-3 passthrough=no
add action=mark-routing chain=output comment="OUTPUT to wimax -2 - " connection-mark=wimax--2 log=yes new-routing-mark=wimax-2 passthrough=no
add action=mark-connection chain=prerouting comment="Mark wimax--3 everything coming in on wimax -3" in-interface=vlan902 new-connection-mark=wimax--3 passthrough=no
add action=mark-connection chain=prerouting comment="" in-interface=vlan901 ipsec-policy=in,none new-connection-mark=wimax--2 passthrough=no
add action=mark-routing chain=prerouting comment="Route to -3 connections marked to wimax -3" connection-mark=wimax--3 new-routing-mark=wimax-3 passthrough=yes
add action=mark-routing chain=prerouting comment="Route to AWS connections marked AWS" connection-mark=aws new-routing-mark=Aws passthrough=yes
add action=mark-routing chain=prerouting comment="Route to wimax -2 connections marked with wimax--2" connection-mark=wimax--2 new-routing-mark=wimax-2 passthrough=yes
/ip firewall nat
add action=src-nat chain=test comment="TEMPO / TEST" protocol=udp to-addresses=x.x.x.x to-ports=13232
add action=src-nat chain=srcnat connection-mark=wireguardserver log=yes log-prefix=SRCNATWG protocol=udp to-addresses=x.x.x.x to-ports=13232
add action=masquerade chain=srcnat connection-mark=wireguardserver disabled=yes log=yes log-prefix=WG3 protocol=udp to-addresses=x.x.x.x to-ports=13232
add action=src-nat chain=srcnat comment="NAT trafic from secure VLAN to AWS VPC" dst-address=10.128.0.0/24 src-address=172.16.10.0/24 to-addresses=172.16.101.1
add action=accept chain=srcnat comment="AWS NAT excemption" disabled=yes dst-address=169.254.37.225
add action=accept chain=srcnat comment="AWS NAT excemption" src-address=172.16.101.0/24
add action=accept chain=srcnat comment="AWS NAT excemption" disabled=yes dst-address=192.168.0.0/24 src-address=172.16.101.0/24
add action=accept chain=srcnat comment="AWS NAT excemption" disabled=yes dst-address=169.254.40.221 src-address=169.254.40.222
add action=masquerade chain=srcnat comment="Masquerade Starlink" out-interface=ether8
add action=masquerade chain=srcnat comment="Masquerade wgcli" out-interface=wireguard-wgcli
add action=masquerade chain=srcnat comment="Masquerade wimax -2" connection-mark=!wireguardserver out-interface=vlan901
add action=masquerade chain=srcnat disabled=yes out-interface=vlan902 to-addresses=x.x.x.x
add action=dst-nat chain=dstnat comment="HTTP/HTTPS from wimax -3 to Traefik" connection-mark=wimax--3 dst-port=80,443 in-interface=vlan902 protocol=tcp to-addresses=172.16.5.60
add action=dst-nat chain=dstnat comment="HTTP/HTTPS from wimax -2 to Traefik" connection-mark=wimax--2 dst-port=80,443 in-interface=vlan901 protocol=tcp to-addresses=172.16.5.60
add action=dst-nat chain=dstnat comment="HTTP/HTTPS from wimax -2 to Traefik" connection-mark=wimax--2 dst-port=2222 in-interface=vlan901 protocol=tcp to-addresses=172.16.5.60 to-ports=22
add action=dst-nat chain=dstnat comment="Hairpin from VLAN10 (users-secure)" dst-address=x.x.x.x dst-port=80,443 in-interface=vlan10 protocol=tcp to-addresses=172.16.5.60
add action=dst-nat chain=dstnat comment="Hairpin from VLAN10 (users-secure)" dst-address=x.x.x.x dst-port=80,443 in-interface=vlan10 protocol=tcp to-addresses=172.16.5.60
add action=dst-nat chain=dstnat comment="Hairpin from VLAN3 (iot)" dst-address=x.x.x.x dst-port=80,443 in-interface=vlan3 protocol=tcp to-addresses=172.16.5.60
add action=dst-nat chain=dstnat comment="Hairpin from VLAN5 (infra)" dst-address=x.x.x.x dst-port=80,443 in-interface=vlan5 protocol=tcp to-addresses=172.16.5.60
add action=dst-nat chain=dstnat connection-mark=wimax--3 dst-port=8000 in-interface=vlan902 protocol=tcp to-addresses=172.16.4.12
/ip ipsec identity
add peer=aws-wimax--2-1
/ip ipsec policy
set 0 disabled=yes
add dst-address=10.0.0.0/8 peer=aws-wimax--2-1 proposal=ipsec-vpn-0269e1769bdbda139-0 src-address=172.16.101.0/24 tunnel=yes
add action=none dst-address=172.16.0.0/16 src-address=172.16.101.0/24
add dst-address=169.254.37.225/32 peer=aws-wimax--2-1 proposal=ipsec-vpn-0269e1769bdbda139-0 src-address=169.254.37.226/32 tunnel=yes
add dst-address=169.254.37.225/32 peer=aws-wimax--2-1 proposal=ipsec-vpn-0269e1769bdbda139-0 src-address=172.16.101.0/24 tunnel=yes
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=x.x.x.254 routing-table=wimax-3 suppress-hw-offload=no
add disabled=no dst-address=172.16.5.0/24 gateway=vlan5 routing-table=wimax-3 scope=10 suppress-hw-offload=no
add disabled=no dst-address=0.0.0.0/0 gateway=x.x.x.254 routing-table=wimax-2 suppress-hw-offload=no
add disabled=no distance=1 dst-address=172.16.5.0/24 gateway=vlan5 pref-src="" routing-table=wimax-2 scope=10 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=172.16.101.0/24 gateway=vlan101 pref-src="" routing-table=wimax-2 scope=10 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=172.16.10.0/24 gateway=vlan10 pref-src="" routing-table=wimax-2 scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=172.16.101.0/24 gateway=vlan101 pref-src="" routing-table=Aws scope=30 suppress-hw-offload=no target-scope=10
add disabled=no dst-address=172.16.10.0/24 gateway=vlan10 routing-table=Aws suppress-hw-offload=no
add disabled=no dst-address=172.16.10.0/24 gateway=vlan10 routing-table=wgcli suppress-hw-offload=no
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wireguard-wgcli pref-src="" routing-table=wgcli scope=30 suppress-hw-offload=no target-scope=10
add disabled=no dst-address=172.16.1.0/24 gateway=ether1 routing-table=wimax-2 suppress-hw-offload=no
add disabled=no dst-address=192.168.201.0/24 gateway=wireguard-server routing-table=wimax-2 suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=8080
set www-ssl address=0.0.0.0/0 certificate=rb5009 disabled=no port=8443 tls-version=only-1.2
/ip smb shares
set [ find default=yes ] directory=/pub
/ip ssh
set always-allow-password-login=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/routing bgp connection
add as=65000 disabled=no hold-time=30s keepalive-time=10s listen=yes local.address=169.254.37.226 .role=ebgp name=aws-vpn-tunnel-1 output.keep-sent-attributes=yes .network=aws-advertised-net remote.address=169.254.37.225/32 \
    .as=64512 routing-table=Aws templates=aws
/routing pimsm interface-template
add disabled=no instance=pimsm-instance1 interfaces=vlan3,vlan10
/system clock
set time-zone-name=Europe/Paris
/system logging
add prefix=ipsec topics=ipsec
/system note
set show-at-login=no
/system ntp server
set enabled=yes use-local-clock=yes
/tool graphing interface
add interface=ether8
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-interface=all filter-ip-protocol=udp filter-port=13232 memory-limit=1000KiB streaming-server=172.16.10.161

So even on version 7.15.3 this is still happening??? We thought it had been fixed.
When mangling, which should work, does not work…

Okay, the ‘dirty’ trick that we used to get around the problem, which it sounds like you probably came close to solving on your own, is the following.

/ip firewall nat
add chain=dstnat action=dst-nat dst-address-type=local in-interface=WAN3 protocol=udp dst-port=wg-port to-addresses=ip.of.wan.1

This tricks the router into un-dst-NATing any WireGuard reply traffic back to WAN2.

/ip firewall mangle
Your mangling looks like a mess… not going to try and read it…
but I will show conceptually the mangling you should have for WireGuard on WAN3, which basically says any traffic to WAN3 should go back out WAN3.

add chain=input action=mark-connection connection-mark=no-mark in-interface=WAN3 new-connection-mark=incoming-wan3 passthrough=yes
add chain=output action=mark-routing connection-mark=incoming-wan3 new-routing-mark=use-WAN3 passthrough=no

where
/routing table add fib name=use-WAN3

where
/ip route
add dst-address=0.0.0.0/0 gateway=WAN3-gatewayIP routing-table=use-WAN3

Assuming you have proper srcnat-type rules for masquerade in place.
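The same workaround written out as one complete set of commands against the interface names and port from the export above (added example, not anav's or the OP's own config). `<WAN1-IP>` stands for the current DHCP address on ether8 (wan#1) and `<WAN3-GW>` for the gateway reachable on vlan902 (wan#3); both are placeholders, not values from the thread. The comments explain why each piece is needed: the mangle pair decides the egress interface, the dst-nat makes the WireGuard daemon answer from an address conntrack can translate back to wan#3's address without touching the source port.

```routeros
# Added example, not the thread authors' configuration.
# Placeholders (not from the thread):
#   <WAN1-IP> - current address of ether8 (Starlink, DHCP)
#   <WAN3-GW> - default gateway on vlan902 (wan#3)
# wireguard-server listens on udp/13232 (taken from the export).

# 1. A routing table whose only job is "leave via wan#3".
/routing table
add fib name=use-WAN3
/ip route
add dst-address=0.0.0.0/0 gateway=<WAN3-GW> routing-table=use-WAN3

# 2. Remember on which WAN the handshake arrived. The mark is set in the
#    input chain, so only traffic addressed to the router itself gets it.
/ip firewall mangle
add chain=input action=mark-connection connection-mark=no-mark \
    in-interface=vlan902 protocol=udp dst-port=13232 \
    new-connection-mark=incoming-wan3 passthrough=yes
# 3. Router-originated packets of that connection are routed by use-WAN3.
add chain=output action=mark-routing connection-mark=incoming-wan3 \
    new-routing-mark=use-WAN3 passthrough=no

# 4. The trick: rewrite the handshake's destination to wan#1's address,
#    the address WireGuard would pick as reply source anyway. Conntrack
#    undoes the translation on the reply, so the packet leaves vlan902
#    with wan#3's address and port 13232 as source, unchanged.
/ip firewall nat
add chain=dstnat action=dst-nat dst-address-type=local in-interface=vlan902 \
    protocol=udp dst-port=13232 to-addresses=<WAN1-IP>
# Usual masquerade for wan#3 (disabled in the export above).
add chain=srcnat action=masquerade out-interface=vlan902

# 5. The input filter still has to accept the handshake on wan#3; the
#    export only accepts udp/13232 on vlan901 (wan#2).
/ip firewall filter
add chain=input action=accept in-interface=vlan902 protocol=udp \
    dst-port=13232 comment="allow wireguard on wan#3"
```

One caveat when dropping this into the export above: the existing prerouting rule that marks everything arriving on vlan902 as wimax--3 runs before the input chain, so a rule with connection-mark=no-mark in input never matches. Either remove connection-mark=no-mark from the input rule, or reuse the wimax--3 connection mark and the wimax-3 table instead of creating incoming-wan3 and use-WAN3. To confirm it works, watch the sniffer already pointed at udp/13232 in the export: the reply should now leave vlan902 with wan#3's address and source port 13232.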

It’s still there and affects configurations using ECMP too (since with ECMP the outgoing interface for the reply packets is determined by a calculated hash value and only matches the incoming interface if we are lucky).

If there is a method or guidance to make it look “less messy”, I’m happy to learn it, if you can detail the recommended approach? Since I have 3 WANs + 1 IPsec tunnel, I unfortunately have many mangling rules.

Unfortunately, this is what I have done since the beginning, but this doesn’t work with WireGuard, since the handshake packet is not considered a related/established packet, but a whole new packet from the WireGuard server daemon to the client.

Thanks!
This one fixed it!!
The wan1 IP being provided by Starlink DHCP, I need to figure out how to automatically update this rule upon IP renewal. But many thanks!

If you only have dynamic WAN IPs you can also do this (works for me):

  • Add a static /32 IP address to the “lo” interface (like 10.20.30.40/32)
  • With the DST NAT rule, set to-addresses=10.20.30.40
  • Add a /routing rule that forces src-address=10.20.30.40 to use the routing table that has WAN3 as default route.
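The three bullets above as a complete configuration (added example, not the poster's own config), again using the interface names from the export. 10.20.30.40/32 is the constructed loopback address from the post; `<WAN3-GW>` is a placeholder for wan#3's gateway; the built-in `lo` interface of RouterOS 7 is assumed to exist. Compared with the static variant, the routing rule keys on the loopback source address, so no WAN address appears anywhere and nothing has to be updated when the Starlink DHCP lease changes.

```routeros
# Added example, not the thread authors' configuration.
# Placeholder (not from the thread): <WAN3-GW> - gateway on vlan902 (wan#3).
# 10.20.30.40/32 is the constructed anchor address from the post above.

# 1. A stable, router-local address that never changes with DHCP.
#    RouterOS 7 ships a built-in "lo" interface (assumed here).
/ip address
add address=10.20.30.40/32 interface=lo comment="WG dst-nat anchor"

# 2. A table that exits via wan#3.
/routing table
add fib name=use-WAN3
/ip route
add dst-address=0.0.0.0/0 gateway=<WAN3-GW> routing-table=use-WAN3

# 3. Policy route: anything the router sends FROM the anchor address is
#    looked up only in that table. This replaces the mangle rules of the
#    static variant; if wan#3 is down the reply is dropped rather than
#    leaking out wan#1.
/routing rule
add src-address=10.20.30.40/32 action=lookup-only-in-table table=use-WAN3

# 4. Same dst-nat trick, now aimed at the anchor. WireGuard answers from
#    10.20.30.40, the routing rule sends the reply out vlan902, and
#    conntrack restores wan#3's current address as source on the way out.
/ip firewall nat
add chain=dstnat action=dst-nat dst-address-type=local in-interface=vlan902 \
    protocol=udp dst-port=13232 to-addresses=10.20.30.40
add chain=srcnat action=masquerade out-interface=vlan902

# 5. Accept the handshake on wan#3.
/ip firewall filter
add chain=input action=accept in-interface=vlan902 protocol=udp \
    dst-port=13232 comment="allow wireguard on wan#3"
```

Keep the anchor address out of any LAN range and out of the WireGuard peers' allowed-address ranges, so it cannot collide with a real host; it is only ever used as a NAT target on the router itself.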

The trick works, thank you @anav

Thanks for this workaround. Strange that MikroTik has not fixed this issue until now... as of now 7.18.2 :frowning: