I was thinking about how I could create a better fallback when one or more of multiple WireGuard connections fail at the same time. I already disable the WG connection when an IP address inside the WG connection is not pingable anymore, by using Netwatch and a routing rule to get the correct WG connection.
I only display the connection marking here; the routing marking is not included. I have four connections and the last one(s) are catch-all and act when none of the connection-marking lines finds a match. Whether there was a match can be seen with connection-mark=no-mark. Notice also that it skips the first distribution PCC: the first catch-all marks that connection when there was no PCC match. This catch-all will mark the connection and so the three below do nothing. If the first is disabled then the next one takes over, and so on.
Also notice that I use a dedicated chain (wireguard) here and a jump line to this chain in the upper part of Mangle. When marking the routing, those lines are passthrough=no so processing in Mangle stops there.
add action=mark-connection chain=wireguard comment=NordLynx-2 connection-mark=no-mark connection-state=new new-connection-mark=NordLynx-2 \
passthrough=yes per-connection-classifier=both-addresses-and-ports:4/0
add action=mark-connection chain=wireguard comment=NordLynx-3 connection-mark=no-mark connection-state=new new-connection-mark=NordLynx-3 \
passthrough=yes per-connection-classifier=both-addresses-and-ports:4/1
add action=mark-connection chain=wireguard comment=NordLynx-4 connection-mark=no-mark connection-state=new new-connection-mark=NordLynx-4 \
passthrough=yes per-connection-classifier=both-addresses-and-ports:4/2
add action=mark-connection chain=wireguard comment="NordLynx-1 (catch-all)(PCC 4/3)" connection-mark=no-mark connection-state=new new-connection-mark=\
NordLynx-1 passthrough=yes
add action=mark-connection chain=wireguard comment="NordLynx-2 (catch-all)" connection-mark=no-mark connection-state=new new-connection-mark=\
NordLynx-2 passthrough=yes
add action=mark-connection chain=wireguard comment="NordLynx-3 (catch-all)" connection-mark=no-mark connection-state=new new-connection-mark=\
NordLynx-3 passthrough=yes
add action=mark-connection chain=wireguard comment="NordLynx-4 (catch-all)" connection-mark=no-mark connection-state=new new-connection-mark=\
NordLynx-4 passthrough=yes
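As an added illustration (not the poster's configuration, and not RouterOS code), the following Python model walks new connections through the wireguard chain above: the three PCC rules, the four catch-all rules, and the Netwatch UP/DOWN actions that enable or disable every rule carrying a given new-connection-mark. The PCC bucket function is a constructed stand-in for RouterOS's internal per-connection-classifier hashing; the only property it preserves is that the same address/port tuple always lands in the same remainder. The sample connections are random, constructed 5-tuples. It shows the fallback behaviour described in the text, including the side effect that a failed tunnel's share is not redistributed but lands entirely on the first catch-all that is still enabled.

```python
"""Model of the 'wireguard' mangle chain: PCC rules first, then catch-alls.
Added example, not RouterOS code. pcc_bucket() is a constructed stand-in for
per-connection-classifier=both-addresses-and-ports hashing."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional, Tuple
import random
import zlib


@dataclass
class Rule:
    new_mark: str                         # new-connection-mark=...
    pcc: Optional[Tuple[int, int]] = None  # (denominator, remainder); None = catch-all
    disabled: bool = False
    comment: str = ""


def pcc_bucket(conn, denominator):
    """Stand-in for RouterOS PCC hashing (assumption): deterministic per 5-tuple."""
    src, sport, dst, dport = conn
    return zlib.crc32(f"{src}:{sport}-{dst}:{dport}".encode()) % denominator


def wireguard_chain():
    """The seven rules from the post, in chain order, all enabled."""
    return [
        Rule("NordLynx-2", (4, 0), comment="NordLynx-2"),
        Rule("NordLynx-3", (4, 1), comment="NordLynx-3"),
        Rule("NordLynx-4", (4, 2), comment="NordLynx-4"),
        Rule("NordLynx-1", comment="NordLynx-1 (catch-all)(PCC 4/3)"),
        Rule("NordLynx-2", comment="NordLynx-2 (catch-all)"),
        Rule("NordLynx-3", comment="NordLynx-3 (catch-all)"),
        Rule("NordLynx-4", comment="NordLynx-4 (catch-all)"),
    ]


def classify(conn, rules):
    """Mark a *new* connection receives, walking the chain top to bottom.
    Every rule matches connection-mark=no-mark, so the first rule that fires
    wins and all later rules see an already-marked connection."""
    for rule in rules:
        if rule.disabled:
            continue
        if rule.pcc is not None:
            denominator, remainder = rule.pcc
            if pcc_bucket(conn, denominator) != remainder:
                continue
        return rule.new_mark
    return "no-mark"  # only if every rule is disabled


def netwatch_down(rules, mark):
    """Models: /ip/firewall/mangle set disabled=yes [find new-connection-mark=mark]
    (hits both the PCC rule and the catch-all rule for that tunnel)."""
    for rule in rules:
        if rule.new_mark == mark:
            rule.disabled = True


def netwatch_up(rules, mark):
    """Models: /ip/firewall/mangle set disabled=no [find new-connection-mark=mark]"""
    for rule in rules:
        if rule.new_mark == mark:
            rule.disabled = False


def distribution(rules, n=4000, seed=1):
    """Share of new connections per mark over n constructed random 5-tuples."""
    rng = random.Random(seed)
    counts = Counter()
    for _ in range(n):
        conn = (f"10.0.0.{rng.randrange(2, 200)}", rng.randrange(1024, 65535),
                f"203.0.113.{rng.randrange(1, 250)}", rng.choice([80, 443, 853]))
        counts[classify(conn, rules)] += 1
    return {mark: round(c / n, 2) for mark, c in sorted(counts.items())}


if __name__ == "__main__":
    rules = wireguard_chain()
    print("all up:      ", distribution(rules))
    netwatch_down(rules, "NordLynx-2")
    print("NordLynx-2 down:", distribution(rules))   # its 1/4 lands on NordLynx-1
    netwatch_down(rules, "NordLynx-1")
    print("1 and 2 down:   ", distribution(rules))   # NordLynx-3 now carries 3/4
```

Running the block prints the per-tunnel share for each scenario; the last one is worth noting when sizing the tunnels, since two failures put three quarters of new connections on a single endpoint.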
Underneath I only display the script/lines for the second connection. All connections have their own entries/scripts.
Netwatch UP script finds the new-connection-mark and enables that rule in Mangle:
# enable WG interface on UP:
/ip/firewall/mangle set disabled=no [find new-connection-mark="NordLynx-2"]
Netwatch DOWN script finds the new-connection-mark and disables both rules in Mangle, only if the WAN connection is active:
# Disable WG when the IP is unreachable
# only disable if the gateway is active (the WAN interface is not disabled)
:if (![/interface get [find name="pppoe-ikev2"] disabled]) do={
    # not disabling when the WG interface is already disabled
    :if (![/interface/wireguard get [find name="NordLynx-2"] disabled]) do={
        # disables both the PCC rule and the catch-all rule carrying this mark
        /ip/firewall/mangle set disabled=yes [find new-connection-mark="NordLynx-2"]
        /interface/wireguard set disabled=yes [find name="NordLynx-2"]
        :log warning "Waiting 5 minutes before trying again: NordLynx-2"
        :delay 5m
        /interface/wireguard set disabled=no [find name="NordLynx-2"]
    }
}
Routing rule used by Netwatch:
/routing/rule
add action=lookup-only-in-table comment="Netwatch ping" disabled=no dst-address=198.18.0.2/32 table=wg-2
PS. When using Netwatch ping, the WG connection is also kept active. You could use the scheduler to disable one or more Netwatch lines to let the connection sleep when not needed.