I'm for whatever is simple and works...
Just need to know the limitations...
That's double nat. Either variation works reliably.
??? double nat ??? From my limited experience double nat is when you have two routers involved........
Meant srcnat and dstnat to the address or address pair. Poor choice of words.
Hi @lurker888 , I'm trying to understand your answer, could you please explain it in more detail?
Here’s the basic configuration I’m using to get WireGuard working:
/interface wireguard add comment="WireGuard" listen-port=12345 mtu=1432 name=WG private-key="..."
/interface wireguard peers add allowed-address=10.0.0.0/24 comment="WG Peer" endpoint-address=my.ip endpoint-port=12345 interface=WG responder=yes public-key="..."
/ip firewall filter add action=accept chain=input protocol=udp dst-port=12345 in-interface-list=WAN
/ip address add address=10.0.0.1/24 interface=WG
/interface list member add interface=WG list=LAN
(this is enough on my side, without any src-nat rule added)
Situation 1: We have two WANs, both with public IP, we want WG to always respond and then maintain a connection on whichever WAN the connection came in on:
- If we aren't afraid of losing the primary route and address, a dstnat rule -> /ip firewall nat add action=dst-nat chain=dstnat dst-address=? dst-port=12345 in-interface=WG protocol=udp to-addresses=?
- If we are afraid of losing the primary WAN -> (this seems to be something @anav explained in Output route selection - Wireguard - #32 by anav)
Situation 2: We have two WANs, WAN1 with private IP and WAN2 with public IP, we know that we always want to use a given WAN connection for WG:
- /ip firewall nat add action=src-nat chain=srcnat out-interface=WG to-addresses=10.0.0.1
- /ip firewall mangle add action=mark-routing chain=output new-routing-mark=WG protocol=udp src-port=12345 out-interface=WAN2?
- Do we also need a route and a routing rule here?
Sorry if my understanding is limited, still learning!
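One way to express both situations from the post above in RouterOS v7 syntax, as an added example that is not from the thread or any of its participants. It assumes the WAN interfaces are named WAN1 and WAN2, that their gateways are 203.0.113.1 and 198.51.100.1 (documentation addresses, constructed), that connection tracking is enabled, and it reuses listen port 12345 and the WG interface name from the post. Situation 1 uses a connection mark set when the first handshake packet arrives so that the router's own replies are re-routed out the same WAN; Situation 2 pins every WireGuard packet the router emits to WAN2 with a routing mark.

```routeros
# Assumed names/addresses (not from the thread): WAN1, WAN2, gateways
# 203.0.113.1 / 198.51.100.1. WireGuard listens on UDP/12345 as in the post.

# Per-WAN routing tables, each with its own default route.
/routing table add name=via_wan1 fib
/routing table add name=via_wan2 fib
/ip route add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-table=via_wan1 \
    comment="WG replies via WAN1"
/ip route add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-table=via_wan2 \
    comment="WG replies via WAN2"

# --- Situation 1: answer on whichever WAN the peer reached us on ---
# Mark the conntrack entry by ingress interface on the first packet only.
/ip firewall mangle add chain=input in-interface=WAN1 protocol=udp dst-port=12345 \
    connection-state=new action=mark-connection new-connection-mark=wg_wan1 \
    passthrough=yes comment="WG handshake arrived on WAN1"
/ip firewall mangle add chain=input in-interface=WAN2 protocol=udp dst-port=12345 \
    connection-state=new action=mark-connection new-connection-mark=wg_wan2 \
    passthrough=yes comment="WG handshake arrived on WAN2"
# Locally generated replies inherit the connection mark; re-route them
# through the table that matches the WAN they belong to.
/ip firewall mangle add chain=output connection-mark=wg_wan1 action=mark-routing \
    new-routing-mark=via_wan1 passthrough=no comment="WG replies stay on WAN1"
/ip firewall mangle add chain=output connection-mark=wg_wan2 action=mark-routing \
    new-routing-mark=via_wan2 passthrough=no comment="WG replies stay on WAN2"

# --- Situation 2: always use WAN2 (the one with the public IP) ---
# Match on the local source port only; in chain=output, out-interface is
# the interface the *initial* routing decision chose, so filtering on it
# would defeat the re-route.
/ip firewall mangle add chain=output protocol=udp src-port=12345 action=mark-routing \
    new-routing-mark=via_wan2 passthrough=no comment="pin WG to WAN2"
```

Use the Situation 1 block or the Situation 2 line, not both, since the Situation 2 rule would override the per-WAN marks. Whether an additional srcnat rule is still needed to get the reply sourced from the right WAN address depends on the RouterOS version's WireGuard behaviour, which this thread (see the srcnat/dstnat remark and the "works without src-nat" note above) leaves unsettled; check with /ip firewall connection print and a packet sniff on the WAN interface before relying on it.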
It's time I wrote out a tutorial for the full solution. I'll reserve some time for it.
I hope you're willing to test it?
The more you describe the requirements the better the answers will be!
For example, in Scenario 1 & 2: is it PRIMARY WAN1, FAILOVER WAN2, or LOADBALANCING the two WANs?
What is the purpose of the WIREGUARD on this device?
What are you connecting to/from over wireguard??
An approach and answers are predicated upon understanding what traffic flow you are trying to establish and why.
Appreciated! Of course will test all the scenarios you suggest.
@anav , request is more theoretical than a real necessity, I was following the main post to remain on topic, but there is always room for improvements or learning.
I have main WAN and failover with the config posted above working + a site-to-site, can't complain.
WireGuard is used to access the device remotely and browsing Uptime-Kuma located outside (via S2S).
I work from facts, and problems needed to be solved, so not so helpful on theory............
Is MikroTik reading the forum?