Since your MikroTik is currently acting as a switch, you won't be able to perform routing with it. You'll have to configure a DHCP server and deal with double NAT, or find another MikroTik (e.g. hAP ac²) and put it in place of your home router, if possible and your budget allows it, because you'll have many more options with which you can customize your home network to your will.
Might work, let me review the config.
What you FAIL to mention is what you are connecting to?
Another MikroTik router at a friend's, your CHR in the cloud, a third-party VPN provider?
The MikroTik device should be on the same LAN as your main router, and in that case it is better to use a fixed LAN IP.
Let's say your main router subnet is 192.168.10.0/24.
Let's say your MikroTik device is given a static DHCP lease IP of 192.168.10.10.
The IP address is already added because of the DHCP Client, but as “D - Dynamic”. So I think that config step is redundant.
What would the new IP route change?
Also, I am missing the config which basically says "all wifi1 users are using the routing table use-WG". How does wifi1 know which routing table to use?
To answer your open question: The WG server is on a CHR and is working totally fine with the WG App on my phone.
I am now giving it a try by double-NATing, although I was hoping that it would be possible without (basically "borrowing" the main DHCP server but doing the routing myself).
This means that all packets (including those of wifi clients) with source address 192.168.10.0/24 should use the use-WG table, which contains a default route to the WireGuard interface.
Correct, the easiest thing to do is turn the device into a router and do it that way. It's how most of us would approach it, given that the intent is only for the wifi users on the device to go out the tunnel.
Update… I have now turned it into a router. It gets a WAN IP, NAT masquerade, with a DHCP server on the wlan1 interface (via bridge).
WAN access works just fine so far.
I then added the WireGuard config as per the Reddit post. And nothing is working any more… (client device displays "no internet")
ping via interface “wg1” works.
You are missing so many rules for a router:
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=wg1
Note: if the WireGuard connection goes down, your router will not know, so the lookup action is, in effect, the same as lookup-only-in-table.
One has to monitor the WireGuard connection… More on that later…
I would certainly add firewall rules but assume you want to keep it lean; for tracking and testing I would at least put in the following:
/ip firewall filter
add chain=input action=accept dst-port=45586 protocol=udp log=yes log-prefix="wireguard handshake"
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=bridge1 list=LAN
add interface=ether1 list=WAN
Regarding use of the routing table action…
a. lookup → basically means use the preferred table, but if it is not available the router can look at the main table for an alternative active route → out the local WAN, for example.
b. lookup-only-in-table → means that if the preferred table is not available the router cannot look for an alternative active route.
Clearly, if your choice had been b., we don't really care if WireGuard is down, as the users are simply not allowed local internet, and since the router is not able to know if WireGuard is down it will keep sending traffic out a dead end. However, if that really is the requirement, best to put option b in the rule.
However, the router has to be aware of whether routes are available or not, and WireGuard is an interface, not a route.
Thus, to use option a, the router needs to know when to switch to MAIN…
The middle two rules recursively let the router know if the WireGuard interface, in its gateway form, is routable or not. The small caveat is that perhaps the DNS site Cloudflare is not up…
One could make the decision dependent upon two remote sites.
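A worked RouterOS v7 configuration for the fallback described above, added here as an illustration and not taken from the thread; it assumes the wifi clients sit on 192.168.88.0/24, the tunnel interface is wg1 and 1.1.1.1 is the remote host probed (all three are assumptions):

```routeros
# Added example (not from the thread). Assumptions: wifi clients are on
# 192.168.88.0/24 behind bridge1, the tunnel interface is wg1, and 1.1.1.1
# is the remote address whose reachability stands in for "tunnel is up".

# Separate FIB-backed table that will hold only the tunnel default route.
/routing table
add name=use-WG fib

/ip route
# Host route to the probe address, forced through the tunnel. scope=10 lets
# the default route below resolve its gateway through this route.
add dst-address=1.1.1.1/32 gateway=wg1 scope=10 comment="probe via tunnel"
# Default route of the use-WG table. The gateway is an IP, not the interface,
# so it is resolved recursively via the host route; check-gateway=ping marks
# it inactive when 1.1.1.1 stops answering, i.e. when the tunnel is dead.
add dst-address=0.0.0.0/0 gateway=1.1.1.1 routing-table=use-WG \
    check-gateway=ping target-scope=10 comment="wifi default via wg1"

/routing rule
# Keep wifi traffic for the local LAN (and the router itself) in main.
add src-address=192.168.88.0/24 dst-address=192.168.88.0/24 action=accept
# Send everything else from wifi clients through the tunnel. action=lookup
# falls back to main when the use-WG route is inactive; use
# lookup-only-in-table instead to black-hole the clients rather than leak
# them out the local WAN when the tunnel is down.
add src-address=192.168.88.0/24 action=lookup table=use-WG

/ip firewall nat
# Masquerade what leaves through the tunnel, as in the rules above.
add chain=srcnat out-interface=wg1 action=masquerade
```

The host route to 1.1.1.1 pins that address to the tunnel for every client, so a second probe address in another host route makes the failover less dependent on a single remote site.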