Hi everyone!
I have the following scheme:
Wireguard clients → CHR1 → CHR2/3/4
BGP peer with “set gw 127.0.0.2” routing filter on CHR1. So if CHR2 fails then CHR3 kicks in and so on. All works fine.
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=127.0.0.2/32 gateway=10.1.0.2%wg-vps1 routing-table=main scope=20 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=127.0.0.2/32 gateway=10.2.0.2%wg-vps2 routing-table=main scope=20 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=3 dst-address=127.0.0.2/32 gateway=10.0.0.2%wg-vps3 routing-table=main scope=20 suppress-hw-offload=no target-scope=10
All CHRs act as DNS servers inside WireGuard.
For clients I have four different WireGuard profiles on CHR1. Two of them mostly terminate traffic at CHR1, while the other two mostly terminate at CHR2/3/4.
CHR1 has the following addresses for the WireGuard interfaces:
First two:
172.18.0.1/24, 172.18.1.1/24
Other two:
172.18.2.1/24, 172.18.3.1/24
Clients have the corresponding IP set as DNS in their WireGuard client profile. Example client config for the last profile:
[Interface]
PrivateKey =
Address = 172.18.3.2/32
DNS = 172.18.3.1
Routing is done using /routing/rules based on the source WireGuard interface. I also have a separate routing table with all routes except the 0.0.0.0/0 dst-address for this purpose (maybe this helps with resolving the problem described below).
Now I want CHR1 to not answer DNS requests received via WG profiles 3 and 4 (172.18.2.1/24, 172.18.3.1/24) but instead forward them to the next upstream CHR2/3/4 based on the same logic described above (so if CHR2 is available then forward to 2, if not then to 3, and so on). There are plans to add more upstream tunnels, so some kind of “dynamic” but maybe more complex solution is preferred (so that when a tunnel is added, not much extra maintenance is required).
Changing client profiles is possible but very undesirable. My thought was to Netwatch the tunnels and update the dst-nat rule accordingly, but maybe there’s a nicer solution? I have access to all CHRs so configuration can be modified on any side.
Thanks in advance!
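One way to do what the post proposes (keep a DNS dst-nat rule pointed at the live upstream), written as an added example that is not part of the original post or of any MikroTik documentation: a RouterOS v7 script that follows the already-existing 127.0.0.2/32 failover route instead of separate Netwatch entries, so a new upstream only needs one more check-gateway route. Assumed names and conditions: an address list `wg-dns-fwd` holding 172.18.2.0/24 and 172.18.3.0/24, the NAT rule comment `dns-fwd-wg34`, and that each upstream CHR accepts DNS on its tunnel address from those client ranges (allow-remote-requests and its input firewall permitting).

```routeros
# Added example, not from the original post. Assumes address list "wg-dns-fwd"
# (172.18.2.0/24, 172.18.3.0/24) exists and NAT rules are tagged "dns-fwd-wg34".
:local listName "wg-dns-fwd"
:local ruleTag "dns-fwd-wg34"

# The route check-gateway currently leaves active for 127.0.0.2/32 is the winner
:local routeIds [/ip route find where dst-address="127.0.0.2/32" && active=yes]
:if ([:len $routeIds] = 0) do={
    :log warning "dns-fwd: no active route to 127.0.0.2/32, NAT rules left unchanged"
    :error "dns-fwd: no active upstream"
}

# gateway is stored as "10.1.0.2%wg-vps1"; keep only the address part
:local gw [/ip route get ($routeIds->0) gateway]
:local sep [:find $gw "%"]
:if ([:typeof $sep] = "num") do={ :set gw [:pick $gw 0 $sep] }
:local gwIp [:toip $gw]
:if ([:typeof $gwIp] != "ip") do={ :error ("dns-fwd: cannot parse gateway " . $gw) }

# Create the forwarding rules once (UDP and TCP 53), then only retarget on change
:local rules [/ip firewall nat find where comment=$ruleTag]
:if ([:len $rules] = 0) do={
    :foreach proto in={"udp";"tcp"} do={
        /ip firewall nat add chain=dstnat action=dst-nat src-address-list=$listName \
            protocol=$proto dst-port=53 to-addresses=$gwIp comment=$ruleTag
    }
    :log info ("dns-fwd: created DNS forwarding rules -> " . $gwIp)
} else={
    :foreach r in=$rules do={
        # compare as strings: to-addresses is a range-typed field
        :if ([:tostr [/ip firewall nat get $r to-addresses]] != [:tostr $gwIp]) do={
            /ip firewall nat set $r to-addresses=$gwIp
            :log info ("dns-fwd: DNS forwarding now -> " . $gwIp)
        }
    }
}
```

Store it under /system script and run it from /system scheduler (for example every 10s); the script is idempotent, so it only touches and logs the NAT rules when the winning gateway changes.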