problem with multiple gateways

Hi,
I've a problem with multiple GWs.
I run a WireGuard tunnel on my MikroTik over my default GW,
and now I want to route my traffic through the WireGuard GW,
but when I add a default route, it conflicts with the main route …
Excuse my weak English.

You cannot have two active default routes in the same routing table (except for ECMP load distribution, but that’s not what you want here).

If you want all your traffic to go through WireGuard, you have to add a route towards the individual (/32) IP address of the WireGuard peer; if that address is not static, you can use two routing tables and let the router itself use the one with the default route via the “normal” WAN gateway, and all the devices connected to the router use the other one, with the WireGuard tunnel as a gateway. Or you can choose the traffic that uses the WireGuard tunnel using some more precisely targeted criteria, but you still need two routing tables for that.

Thank you, dear sindy.
OK, can you please tell me, after I create that rule or routing table, what should I do to assign my traffic to that rule?

Sure, but first you have to specify what exactly “my traffic” means. All the traffic except the MikroTik’s own? All the traffic including the MikroTik’s own, except the WireGuard transport packets? Only the traffic from a given local IP address range (subnet)? Also, do you specify the remote WireGuard peer as a domain name or as an IP number?

As you see, this is my configuration.
I created a rule; is it correct?!
I think “all the traffic, except the MikroTik’s own and WireGuard transport packets” is right.

WireGuard transport traffic is part of the MikroTik’s own traffic, the other part being at least the MikroTik’s download of new RouterOS versions and, if the MikroTik serves as a DNS proxy for the LAN clients, also all the DNS queries (which may not be what you want, so make sure the DHCP server tells the clients to use some public DNS servers like 8.8.8.8 rather than the MikroTik itself).

So let’s make it simple.
/routing/table/add name=via-wg fib
/ip/route/add gateway=wireguard1 routing-table=via-wg
/routing/rule/add dst-address=192.168.0.0/16 action=lookup table=main
/routing/rule/add dst-address=172.16.0.0/12 action=lookup table=main
/routing/rule/add src-address=192.168.0.0/16 action=lookup-only-in-table table=via-wg
/routing/rule/add src-address=172.16.0.0/12 action=lookup-only-in-table table=via-wg

OK, thanks.
I’ll add them and tell you the results.
Doesn’t it need routing marks etc.?
Doesn’t it need NAT rules?

routing-mark and routing-table mean almost the same thing. You can use mangle rules for precise selection of the traffic to send via the tunnel, and there the routing-mark name is used. Routing rules are somewhat faster, but their match conditions are not as detailed, and there the routing-table name is used.

You do need to add the NAT rule, but you haven’t posted a proper export of your configuration, so I cannot say what you have done already and what you have not; I’ve concentrated on the topic title.

Thank you so much,
I’ll check.

Hi M, it’s important to understand what you are doing and not just copy rules…

What you want is to force one user, a group of users, a subnet, or maybe an entire LAN of many subnets, to go out WireGuard for internet instead of your normal WAN IP.
As sindy noted, this is primarily a routing issue. You have a default route, automatically created or manually entered, that is required.

Then you need to identify which users or groups of users need to enter the WireGuard tunnel, and he has pointed out the method to do that.
The action parameter in routing rules is important: action=lookup means that if the WireGuard tunnel is NOT WORKING, the router is allowed to go to the main table and find another route, and it will find the ISP WAN connection. If you DON’T WANT your users EVER to use the WAN IP for internet, then use action=lookup-only-in-table.

Routing rules with a table are a very easy method to use, but it’s important to understand that you are forcing those users out WireGuard FOR ALL TRAFFIC.
To ensure your users, if they need access to other LAN subnets, can reach those subnets, sindy has provided you with additional routing rules that say: hey, any traffic for these local subnets, use table=main. The important part is THE ORDER, so these rules have to come before the rules forcing users out WireGuard.

I hope that helps you understand what is going on. There are very few things the router does automatically; you have to tell it each part of the puzzle.
Now, besides routing, the allowed IPs are important for successful WireGuard. If your destination addresses are the internet, then use 0.0.0.0/0.
If it was just another subnet at the other end of the tunnel, then the WireGuard address of the other end and the subnet at the other end would be appropriate.
Note that if your need was all three (reach the other end itself, reach a subnet at the other end AND the internet at the other end), 0.0.0.0/0 covers all of them!

Lastly, firewall rules are important. You have to allow your local users to enter the WireGuard tunnel. Typically:
/ip firewall filter add chain=forward action=accept in-interface-list=LAN out-interface=wg_interface_name (or perhaps src-address=subnet instead of in-interface-list=LAN)

There is also perhaps a consideration for source NAT. For example, if using a third-party VPN provider, they often give you a specific address for your WireGuard, which you then assign in the router under /ip address.
Since the third-party provider has a fixed allowed IPs for what comes into the router, you have to NAT all your source subnet users to the IP address of the WireGuard interface.
/ip firewall nat add chain=srcnat action=masquerade out-interface=wireguard_interface_name


Another neat way to accomplish the same is, if you already have a WAN interface list and are using the default source NAT rule, to simply add the WireGuard interface to the WAN list, and you are done.

/interface list member
add interface=ether1 list=WAN
add interface=wireguard_interface_name list=WAN

/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN


+++++++++++++++++++++++++++++++++++++++++++++++++++

Note that if you have a very complex set of users that need to go out WireGuard for VPN, then you will most likely need mangle rules.

++++++++++++++++++++++++++++++++++++++++++++++++++++
As sindy has noted:
POST YOUR CONFIG!!!
/export file=anynameyouwish (minus the router serial number and any public WAN IP information) (I use Notepad++ to copy and paste)
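Putting the pieces from sindy’s and anav’s posts together, here is an added, complete example config (not posted by either of them, and not taken from the OP’s router). It assumes RouterOS 7, ether1 as the WAN port, an existing LAN interface list, wireguard1 as the tunnel, 192.168.88.0/24 as the LAN subnet, 10.66.66.2/32 as the address the VPN provider assigned inside the tunnel, and a placeholder peer key and endpoint; replace all of those with your own. It goes one step past the thread by also keeping 10.0.0.0/8 in the main table, so all three RFC 1918 ranges stay local.

```routeros
# Added example (not from the thread). Policy-routes one LAN subnet out the
# WireGuard tunnel while the router itself keeps using the ISP default route.
# Assumed names: ether1 (WAN), wireguard1 (tunnel), 192.168.88.0/24 (LAN),
# 10.66.66.2/32 (tunnel-side address), vpn.example.net (peer endpoint).

# 1. Second routing table. "fib" means its routes are installed in the kernel.
/routing table
add name=via-wg fib

# 2. Default route in that table only; the main table keeps the ISP default route,
#    which is what the WireGuard transport packets (router's own traffic) use.
/ip route
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=via-wg

# 3. Routing rules, evaluated top to bottom. Local destinations stay in main,
#    so they must come BEFORE the rule that pushes the LAN into the tunnel.
#    lookup-only-in-table = if the tunnel is down, the traffic is dropped rather
#    than leaking out the ISP WAN; use action=lookup instead for fail-open.
/routing rule
add dst-address=192.168.0.0/16 action=lookup table=main
add dst-address=172.16.0.0/12 action=lookup table=main
add dst-address=10.0.0.0/8 action=lookup table=main
add src-address=192.168.88.0/24 action=lookup-only-in-table table=via-wg

# 4. Tunnel address and peer. allowed-address=0.0.0.0/0 because the peer is the
#    internet gateway (it also covers the peer's own subnets, as anav says).
/ip address
add address=10.66.66.2/32 interface=wireguard1
/interface wireguard peers
add interface=wireguard1 public-key="<peer-public-key>" \
    endpoint-address=vpn.example.net endpoint-port=51820 \
    allowed-address=0.0.0.0/0 persistent-keepalive=25s

# 5. Firewall: let the LAN enter the tunnel, and source-NAT LAN addresses to the
#    tunnel address by treating wireguard1 as just another WAN interface.
/interface list member
add interface=ether1 list=WAN
add interface=wireguard1 list=WAN
/ip firewall filter
add chain=forward action=accept in-interface-list=LAN out-interface=wireguard1 \
    comment="LAN -> WireGuard"
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN

# 6. Checks: rule order, the tunnel table's route, and a traceroute sourced from
#    a LAN address (matched by the src-address rule, so it should hop via the tunnel).
/routing rule print
/ip route print where routing-table=via-wg
/tool traceroute src-address=192.168.88.1 1.1.1.1
```

If the traceroute sourced from the LAN address still shows the ISP path, the src-address rule is not matching (check the order in /routing rule print); if it shows nothing at all while the tunnel is down, that is lookup-only-in-table doing exactly what anav describes.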

Hi dear anav,

Thank you for your information.
This is sooo amazing.
You answered questions I did not know how to ask!!!

“Instead of giving someone a fish,
teach him how to fish…”

I’ll do all the things you say…

I forgot to state the reason to create tables in version 7: we need to identify a table that we are pushing the users to…
We reference the table in routes and in the routing rule.
If we use action=lookup-only-in-table, the router is only allowed to use that table for whatever traffic is being directed.

If you have time for reading and some learning…
Look up PARA F - https://forum.mikrotik.com/viewtopic.php?t=182373

If you need further help, post the full config, as noted above, for review.