redirecting Bridge Internet traffic to local gateway and not over VPN

Status: clients have a static IP and gateway configuration at a remote location, where the main network (and the main gateway) is reached over VPN.

Problem: At the remote location we want to filter out the internet traffic that should go through the local gateway and send it directly to the internet. The main problem is how to pull that traffic out of the “bridge”. Somehow I cannot manage to properly configure the “use-ip-firewall” option.

## Client config

  • IP: 10.22.11.2/16
  • GW: 10.22.1.1
  • DNS: 10.22.1.1

## Main location

  • IP: 10.22.1.1/16

## REMOTE location (where the problem is)

Config export:
```
# jan/02/1970 03:01:43 by RouterOS 7.5
# software id = 2SDY-BY0I
#
# model = RB5009UG+S+
# serial number = EC190FA98E0E
/interface bridge
add fast-forward=no name=LOCAL protocol-mode=none
/interface eoip
add local-address=192.168.99.9 mac-address=02:C9:94:90:D4:E7 name=eoip-tunnel1 remote-address=192.168.99.1 tunnel-id=534
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1 private-key="AL2VEB22IIEuF9K+GtaEKJhjF87lXZEL9C3Dj/Q4sEQ="
/interface bridge port
add bridge=LOCAL hw=no interface=ether8
add bridge=LOCAL hw=no interface=ether7
add bridge=LOCAL hw=no interface=ether6
add bridge=LOCAL hw=no interface=ether5
add bridge=LOCAL interface=eoip-tunnel1
/interface bridge settings
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=all
/ip settings
set accept-redirects=yes accept-source-route=yes allow-fast-path=no route-cache=no secure-redirects=no tcp-syncookies=yes
/interface wireguard peers
add allowed-address=192.168.99.0/24 endpoint-address=123,234.234.234 endpoint-port=9876 interface=wireguard1 public-key="gdZXfmvAYK6TELJUr/A/MeNnnRvXGOyeB7a82xc+5BU="
/ip address
add address=10.22.11.1/16 interface=LOCAL network=10.22.0.0
add address=192.168.99.9/24 interface=wireguard1 network=192.168.99.0
/ip dhcp-client
add interface=ether1
/ip firewall mangle
add action=mark-connection chain=prerouting dst-address=10.22.1.1 new-connection-mark=conn_gw passthrough=yes
add action=mark-packet chain=prerouting connection-mark=conn_gw new-packet-mark=pack_gw passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
```

My first goal, to get some traffic hitting the connection and packet marking, failed: the counters are all 0 :frowning:

Does anyone have an idea how to properly redirect “internet traffic” to the local gateway? Thanks for any tips & tricks :question: :bulb:

Are we talking an entire subnet, are we talking 2-10 users, are we talking 50 users, etc.?

Hi anav,

We are talking about 10 users, sadly not the same ones all the time. The main problem is that these are industrial devices where I cannot simply change the gateway IP every time they are at the remote location, and DHCP is not supported on some of them :frowning:

… I am kind of stuck.

That’s because use-ip-firewall has a different purpose. You need something else - bridge nat rules.

Assuming you want traffic towards private addresses to use the remote gateway and traffic towards public ones to get routed by the Mikrotik, the rules would look somewhat like this:

```
/interface bridge nat
add chain=dstnat in-interface=etherX mac-protocol=ip dst-address=10.0.0.0/8 action=accept
add chain=dstnat in-interface=etherX mac-protocol=ip dst-address=172.16.0.0/12 action=accept
add chain=dstnat in-interface=etherX mac-protocol=ip dst-address=192.168.0.0/16 action=accept
add chain=dstnat in-interface=etherX mac-protocol=ip action=redirect
```

etherX is the bridge port to which the device is connected. If the Mikrotik itself is not the actual gateway to the Internet, use action=dst-nat to-dst-mac-address=mac:of:the:actual:gw.
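To see why the order of those four rules matters, here is an added Python model of first-match evaluation over the bridge NAT rule set from the reply above. It is not RouterOS code and not part of this thread; the port name `ether5`, the sample destinations and the deliberately misordered rule set are constructed for illustration. The private-destination frames (the 10.22.1.1 main gateway, the 192.168.99.0/24 tunnel range) come out as "accept" and keep flowing over the bridge to the remote gateway, while public destinations come out as "redirect" and get handed to the local router for masquerading. The `shadowed_rules` check flags the failure mode where the unconditional `redirect` is placed first and silently makes the `accept` rules unreachable.

```python
"""Model of RouterOS bridge NAT first-match evaluation (added example,
not RouterOS code). Interface name 'ether5' and all sample destinations
are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class BridgeNatRule:
    in_interface: str
    action: str                       # "accept" or "redirect"
    dst_address: Optional[str] = None  # CIDR; None matches any destination


# Rule order as proposed in the reply: private destinations are accepted
# (bridged on towards the remote gateway behind the EoIP tunnel), anything
# else is redirected to the router's own MAC so it is routed locally.
RULES: List[BridgeNatRule] = [
    BridgeNatRule("ether5", "accept", "10.0.0.0/8"),
    BridgeNatRule("ether5", "accept", "172.16.0.0/12"),
    BridgeNatRule("ether5", "accept", "192.168.0.0/16"),
    BridgeNatRule("ether5", "redirect"),
]

# Constructed counter-example: the catch-all redirect placed first.
MISORDERED: List[BridgeNatRule] = [RULES[3]] + RULES[:3]


def first_match(rules: List[BridgeNatRule], in_interface: str, dst: str) -> str:
    """Return the action of the first rule matching a frame.

    Firewall chains are walked top to bottom and the first matching rule
    decides; with no match the frame is bridged unchanged ("accept").
    """
    dst_ip = ip_address(dst)
    for rule in rules:
        if rule.in_interface != in_interface:
            continue
        if rule.dst_address is not None and dst_ip not in ip_network(rule.dst_address):
            continue
        return rule.action
    return "accept"


def next_hop(rules: List[BridgeNatRule], in_interface: str, dst: str) -> str:
    """Map the chain's verdict to where the frame ends up: 'remote-gateway'
    (bridged towards the tunnel) or 'local-router' (redirected to this box)."""
    return "local-router" if first_match(rules, in_interface, dst) == "redirect" else "remote-gateway"


def shadowed_rules(rules: List[BridgeNatRule]) -> List[BridgeNatRule]:
    """Return rules that can never match because an earlier rule on the same
    port already matches every destination they would match."""
    shadowed = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if earlier.in_interface != later.in_interface:
                continue
            if earlier.dst_address is None:
                shadowed.append(later)          # catch-all placed before it
                break
            if later.dst_address is not None and ip_network(later.dst_address).subnet_of(
                ip_network(earlier.dst_address)
            ):
                shadowed.append(later)          # narrower prefix after a wider one
                break
    return shadowed


if __name__ == "__main__":
    for dst in ("10.22.1.1", "192.168.99.1", "172.31.0.10", "8.8.8.8"):
        print(f"{dst:>14} -> {next_hop(RULES, 'ether5', dst)}")
    print("shadowed in MISORDERED:", [r.action + (":" + r.dst_address if r.dst_address else "") for r in shadowed_rules(MISORDERED)])
```

Only frames arriving on the listed port are touched; a frame from another bridge port (or from the EoIP tunnel side) falls through to the chain default and is bridged as before, which is what keeps the return path and the remote gateway's own traffic untouched.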