I have a CGNATed fiber Internet connection that is connected to my RB5009. This connection is used for all of the normal Internet traffic. I’d prefer to keep the main connection CGNATed.
I also have a secondary LTE Internet connection on another interface of the same RB5009 (using SXT LTE6 Kit in passthrough mode as the modem), that gives the RB5009 a public IP address. This secondary connection is only used for WireGuard remote access. None of the normal Internet traffic should go through it because it only has a 10GB monthly data limit. This is enough for the occasional remote access but nothing else.
To make this work properly, I have the secondary Internet connection configured like this:
10.177.0.3 is the SXT LTE6 Kit passthrough interface gateway, the same as obtained by the DHCP client.
███.███.███.███ is my LTE public IP, the same as obtained by the DHCP client.
This works well for the WireGuard remote access, but only when I’m not connected to my home network.
When I am on my home network, instead of forwarding the request to the fiber WAN, the router tries to respond directly and because of the routing rule the response tries to go out through the LTE WAN interface, and because the destination IP is a LAN address it never arrives.
I’d like to be able to connect from my home network through the fiber WAN and the Internet to the LTE WAN IP, for testing purposes. I’d also like to be able to do a bandwidth test this way.
What should I change in my configuration to make this work? I’d like this to be done entirely on the RB5009 and avoid reconfiguring the SXT LTE6 Kit.
I understand your confusion.
You only have one external main route for WAN traffic and thus all your local traffic should use that route.
I think the problem is that you don’t have a regular route for the LTE WAN setting.
Either accept the default route in IP DHCP client but set a distance of 5 or something (advanced tab setting for default route distance),
OR add a manual route for LTE in the main table and set a distance of 5.
When it’s off, the WireGuard connection works locally but not remotely, and it doesn’t even use pppoe-WAN or LTE-WAN interfaces. The router gets a packet from vlan50-HOME and responds directly to vlan50-HOME as the public IP. This is not what I want.
When it’s on, the WireGuard connection works remotely but not locally. This is acceptable and was the situation until now, but I want to get it to work both remotely and (semi) locally, with the communication passing through the LTE connection in both cases.
So “locally”, instead of:
vlan50-HOME ↔ public IP (input)
I want:
vlan50-HOME ↔ 192.168.1.1 <-forward-> CGNAT IP ↔ pppoe-WAN ↔ Internet ↔ LTE-WAN ↔ public IP (input)
Well adding new elements is confusing for sure.
Before we get to vlan 50
Did you add a route for LTE in the main table, either through IP DHCP client or manually, with distance=5?
This will ensure that the router always chooses the CGNAT connection for local traffic first.
I am assuming that the wireguard is for remote connection inbound, ( origin of traffic external to the router from a client to the MT ), and NOT OUTBOUND. Please confirm.
a. either MT is acting as server for handshake and you have single remote clients??
OR
b. same but at the other end is another MT router as a client device as well as single remote users??
OR
c. the wireguard is a client for handshake to a third party VPN provider??
Assuming that the issue is when a remote client connects to, let’s say, vlan50, the response from the users on vlan50 goes out the main table and thus never reaches the remote wg users and the desired traffic does not take place??? Shouldn’t happen looking at your ip route tables.
Well there are some things that come into play on the config
a. FW rules - allow wg traffic to reach LAN (responses will be permitted for the same connection) Is this done???
b. IP route - ensure LAN traffic goes out wireguard for response.
a. Rest of config not shown, so not clear, nor is wireguard for that matter
b. When you create an IP address for wireguard the router creates a route for wg as seen, in the DAC route.
Thus any remote traffic from a single user coming in, will get a route back so nothing stopping that to work.
The table, routing rule and route you created was to simply ENSURE that the handshake reply from WG server on WAN2 went back out WAN2, and that’s good and works.
This makes no sense to me, as it’s a poor attempt at describing a use case:
vlan50-HOME ↔ public IP (input)
I want:
vlan50-HOME ↔ 192.168.1.1 <-forward-> CGNAT IP ↔ pppoe-WAN ↔ Internet ↔ LTE-WAN ↔ public IP (input)
Never mind the path, describe in terms of user traffic. The below are clear and unambiguous statements. Local User on vlan50 should reach the internet via Wireguard and NOT the local WANIP.
or Remote wireguard users should be able to reach VLAN50
This is not clear!
I want:
vlan50-HOME ↔ 192.168.1.1 <-forward-> CGNAT IP ↔ pppoe-WAN ↔ Internet ↔ LTE-WAN ↔ public IP (input)
The default route (0.0.0.0/0) for LTE-WAN in main routing table (that I added now) is from DHCP with distance 5. It’s the one highlighted in blue and it is not active, because there is already an active default route with lower distance - to pppoe-WAN. The default route for LTE-WAN on the “wan-public” routing table (that I had before) is set manually.
The RB5009 is a WireGuard server, with remote peers such as my phone.
This is not the issue. WireGuard remote access works completely fine. This was solved with the configuration I provided in my first post. The issue I have now is that the connection doesn’t get established when the WireGuard peer is INSIDE vlan50-HOME. I don’t need this to work for remote access from the Internet to vlan50-HOME or any other VLAN, I need this just for speed testing the LTE connection.
Yes, there are forward firewall rules to allow access from WireGuard interface to whatever I need to have remote access to, and an input rule to allow inbound connections to the WireGuard port. They work properly. Again, this is not the issue.
Yes
As for describing the connection in terms of user traffic, I’m not sure if I can do it better, but I can try: The RB5009 is acting as my main router and a WireGuard server. It has two WAN interfaces, pppoe-WAN and LTE-WAN. pppoe-WAN has the default route in main routing table, and WireGuard is accessible via LTE-WAN that has a separate default route on a separate routing table, wan-public. When the WireGuard peer is on a network where the RB5009 is the gateway (a.k.a. LAN), instead of connecting directly to the RB5009 (input chain) I want it to pass through the RB5009 once (forward chain) and out through pppoe-WAN using the default route on main table. Then I want the connection to make a loop through the Internet and reach the WireGuard server on the RB5009 through LTE-WAN.
This DOES work already with the config I had before:
Remotely connecting to my network through WireGuard to the public IP, when I’m not home.
When connected through WireGuard, accessing my home server and other devices that I allowed in firewall to be accessible from the WireGuard connection.
Accessing the Internet when connected through WireGuard. After the WireGuard tunnel, the fiber connection is used as expected and intended.
Maybe these drawings will help (edit - updated with better drawings):
I want A and C to work at the same time.
Also, I wouldn’t have to do A and C and use A and B instead (which I also can’t get to work at the same time) if there was an option to select the interface to use in Bandwidth Test.
I would imagine it’s all very doable but before I wrap my head around it, WHY?
You can access your synology locally, so I don’t see the logic in creating a more complex config to achieve what you wish???
Besides the direct obvious route, you want to connect to the LTE from your phone while behind the CGNAT connection. Through the connection to LTE you want to establish a wireguard connection.
The problem is that the initial handshake will be between TWO WANs on the same router and the router will attempt a shortcut approach to this.
Possible approach
DITCH THE ROUTING RULE
Keep current route and associated table for WAN2
Create similar route and associated table for WAN1
/routing table add fib name=wan-cgnat
/ip route
add dst-address=0.0.0.0/0 gateway=pppoe-WAN routing-table=wan-cgnat
This is similar to the effect you had previously but now we apply it to both WANs to ensure no cross-over at all.
I still have a sinking feeling that it’s not quite enough, but try the above and see if there is some partial success.
PS. If you have a fasttrack rule in your forward chain modify it to this:
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes connection-mark=no-mark
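The two-table layout this reply proposes, written out as a complete RouterOS v7 CLI snippet. This is an added example, not the OP's exported config (which is not shown here) nor the helper's exact post; interface names, the 10.177.0.3 gateway, the wan-public table and the distance-5 DHCP route come from the thread, wan-cgnat is the helper's proposal, and 203.0.113.10 is a placeholder for the redacted LTE public IP. The thread does not confirm that this resolves the LAN-side hairpin case.

```routeros
# Added example (constructed from the thread, not the OP's or helper's own export).
# Assumed interface names: pppoe-WAN (fibre, CGNAT) and LTE-WAN (public IP).
# 203.0.113.10 is a placeholder for the redacted LTE public IP.

# Main table: fibre stays the active default; the LTE DHCP client also installs a
# default route, but at distance 5 so it is inactive while the PPPoE route is up.
/ip dhcp-client set [find interface=LTE-WAN] add-default-route=yes default-route-distance=5

# One table per WAN so a reply leaves on the WAN it arrived on, with no crossover
# between the two (the helper's suggestion: keep wan-public, add wan-cgnat).
/routing table add fib name=wan-public
/routing table add fib name=wan-cgnat
/ip route add dst-address=0.0.0.0/0 gateway=10.177.0.3 routing-table=wan-public
/ip route add dst-address=0.0.0.0/0 gateway=pppoe-WAN routing-table=wan-cgnat

# One plausible form of the source-based routing rule the OP describes (the OP's
# actual rule is not shown); the helper suggests removing it, so it is commented out.
# /routing rule add src-address=203.0.113.10/32 action=lookup-only-in-table table=wan-public

# Fasttrack only unmarked connections: fasttracked flows skip mangle, so any
# connection that carries a mark must stay on the slow path to be policy-routed.
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes connection-mark=no-mark
```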
I’ll check if this works tomorrow (well, today, but I mean after sleep and when I’m back home after work).
IIRC I had a setup using mangle rules previously, that worked for port forwarding to the NAS but not for WireGuard server on the router (the current setup works for WG but not port forwarding). It would be nice to find a config that can do both.
Though I’m not sure if it would change whether the router would pass the packet from LAN addressed to LTE IP to pppoe-WAN or “unknown 0” (router’s own input interface, I wish Mikrotik would finally give them actual names and make it possible to add them to interface lists):
input: in:vlan50-HOME out:(unknown 0), connection-state:new src-mac 12:34:56:78:9A:BC, proto UDP, 192.168.1.244:51820->LteWanIP:WireGuardPort, len 176
It seems like no matter what I do, “unknown 0” acts like a big magnet that pulls in every packet addressed to any of the router’s own IPs, no matter which interface they come in through.
As for why, I need the “C” way just for the bandwidth test. I wouldn’t need it if there was an option to select the interface that I want to do the bandwidth test on. The fiber connection is much faster than the LTE connection, so that testing through such a loop would show me the speed of the LTE connection. Currently I have to reconfigure everything so that the main default route is on the LTE-WAN every time I want to do the bandwidth test on LTE-WAN, and then changing everything back to pppoe-WAN.
The “B” way is so that the WireGuard connection would work the same no matter if the peer is on LAN or using a different Internet connection. Assuming that both “A” and “B” would work at the same time. So for the WireGuard tunnel doesn’t stop working when the phone switches from LTE to home Wi-Fi. Of course it wouldn’t make sense to keep using it when on home Wi-Fi, but it would make some things more convenient, such as waiting for a large file to finish sending before I turn the tunnel off, or testing a new peer configuration without having to switch to LTE.
You should publish all the rules after you implement the suggestion, would not surprise me that something else you’re doing is getting in the way or is incorrect.
/export file=anynameyouwish (minus router serial number, public WANIP info, keys, long assed dhcp lease lists)
I think I’ll reset another router to default settings and test on that router. If it still doesn’t work as I’d like it to then that means the issue isn’t with my other changes. If I can get it to work on the test router but the same configuration won’t work on the main router, then I will have to check the rest of my configuration, and I’ll just check the things that I made different from defconf.
When publishing the configuration here, I will replace all the secret information like logins, passwords, private/public keys, my public IP etc. with placeholders.
Sorry for the wait, I decided to do this on the weekend so I have more time. I have attached two files:
original.rsc (7.52 KB): this is my original configuration as described in the first post, just on the test router instead of the main one. Using this configuration, the WireGuard connection can only get established as in the A drawing. Internet access works through pppoe-WAN as expected.
mangle.rsc (8.06 KB): configuration with mangle rules as in here. Using this configuration, the WireGuard connection can only get established as in the B drawing. A (which I need for remote access) and C (which I want for the speed testing) don’t work. If I disable the “Add default route” setting on pppoe-WAN, the LAN devices lose Internet connection and still only B works.
Also the router can ping external addresses through pppoe-WAN but gets timeouts when pinging through LTE-WAN (update: it’s like this on both configurations).