Route specific IP only when connected to specific Virtual AP

I’m using RouterOS v7.8 on a hAP ac lite. It has two wireless interfaces, so I use one of them as the uplink and the second as a client network, with several Virtual APs on it. I also have a link to an external WireGuard peer. Is it possible to route traffic for 1.2.3.4 through the WG interface only when connected to one specific Virtual AP?

I thought that I could do something like Dst.Address = 1.2.3.4/32, Gateway = %wg_interface and VRF Interface = Virtual_AP_Interface, but it applies to any wireless clients.

Yes…
How do you assign traffic (from the internet/uplink) to users on multiple virtual WLANs? (Assuming one MAIN WLAN and then several vWLANs using the main WLAN as master.)

If via VLANs, then this becomes simple, as you only need to do three things for a subnet, let's say vlan10-Users, which is 192.168.10.0/24:

# separate routing table whose routes are used only when a routing rule selects it
/routing table add fib name=useWG

# default route inside that table points at the WireGuard interface
/ip route
add dst-address=0.0.0.0/0 gateway=wireguard-interface routing-table=useWG

# policy rule: traffic sourced from the vlan10 subnet is looked up in useWG
/routing rule
add action=lookup src-address=192.168.10.0/24 table=useWG

# allow the subnet to be forwarded into the tunnel
/ip firewall filter
add action=accept chain=forward in-interface=vlan10-Users out-interface=wireguard-interface

# peer must allow every destination that will be routed through it
/interface wireguard peers
add interface=wireguard-interface allowed-address=0.0.0.0/0 persistent-keepalive=35s public-key=... endpoint-address=... endpoint-port=...

Note: if you want the subnet to also be able to reach other local subnets, you will need additional routing rules allowing that before the rule forcing WireGuard routing.

Nope, I’ve just added all virtual interfaces to the bridge, and I have a DHCP server with a single pool for the bridge.

Well, that's silly…
No way to isolate guests from family, or IoT devices, etc.

At least assign different subnets to the WLANs… and don't use a bridge,
OR
create vlans and assign to bridge.

If you're happy with one flat network, then you will have to decide on the complexity.
How many people in your single flat subnet do you want to go out over WireGuard for internet?

+++++++++++++++++++++++++++++++++++++++++++++++++++

The quick answer is YES, if your WLANs were separated by subnets (the easiest method is by VLANs).
You could try this…

/routing table add fib name=useWG

/ip route
add dst-address=0.0.0.0/0 gateway=wireguard-interface routing-table=useWG

# match on the ingress interface instead of the source subnet
/routing rule
add action=lookup interface=virtualWLAN-interface-name table=useWG

/ip firewall filter
add action=accept chain=forward in-interface=bridge out-interface=wireguard-interface

/interface wireguard peers
add interface=wireguard-interface allowed-address=0.0.0.0/0 persistent-keepalive=35s public-key=... endpoint-address=... endpoint-port=...

It’s totally OK, because I’m the only person who can theoretically use that AP =)

But I’ve got your idea about VLANs.

Modified my post, I had an idea!!
See if that works;
it should be quick to try!!

OK, stupid question. If I want to connect to 1.2.3.4 through WG, should I add a route to useWG?

Please be clear…

Do you want to connect to the internet via the WireGuard connection? If so:
/interface bridge port
add bridge=br1 interface=wifi1
add bridge=br1 interface=vWLAN-two
add bridge=br1 interface=vWLAN-three

# table must exist before a rule or route can reference it
/routing table add fib name=useWG
/ip route
add dst-address=0.0.0.0/0 gateway=wireguard routing-table=useWG
/routing rule add action=lookup interface=vWLAN-two table=useWG

/ip firewall filter
add chain=forward action=accept in-interface=vWLAN-two out-interface=wireguard

/interface wireguard peers
add interface=wireguard allowed-address=0.0.0.0/0 public-key=... endpoint-address=... endpoint-port=...

++++++++++++++++++++++++++++++++++++++

In other words, it doesn't matter what the actual external IP you want to connect to is… there are many on the internet.
Did you have something else in mind?

I guess I should start to draw =)

I want to route all traffic from any device connected to Virtual AP2 to 1.2.3.4 through Wireguard “server”.

Sorry, that makes no sense to me (the diagram is useless in adding additional info).

You either have a regular (local) path to the internet via the uplink on the router to whatever is providing you internet.
OR
You have a wireguard path to the internet via another router somewhere (friend, your own, third party provider, cloud etc.) that has a wireguard IP address structure (transparent for this discussion).

What is so important about 1.2.3.4? Is it an IP address that links you to the pot of gold at the end of the rainbow??
Is it supposed to represent (any WAN IP)???

etc…

For God's sake, properly articulate the users' requirements on that virtual WLAN:

  • users on virtual WLANx must not access the local internet; they must enter the WireGuard tunnel to access (WHAT? the internet, other LANs at the other end of the WireGuard tunnel?).

Or are you saying you want to force users on virtual WLANx out over WireGuard (not accessing the local internet) and only be able to visit one IP address on the internet???

Or are you saying that for users on WLANx you want to force them out over WireGuard instead of the local internet for only WAN IP 1.2.3.4, and for all other WAN IPs go out the local internet???

I want to make all devices on virtual AP1 access the Internet as if they were connected directly to the ISP router, and to make all devices on virtual AP2 access the Internet as if they were connected directly to the ISP router, except for IP 1.2.3.4, which should be routed through WG.
1.2.3.4 is just an example; let’s think of it as SomeBlockedIP that can’t be accessed directly from the internet.

I do not know how to explain it more clearly. Let’s just assume that there is some address 1.2.3.4 that I can’t connect to using my ISP, but I can using WG.

Okay, let's see if I have it correctly: you have two WiFi interfaces on the LAN side (not 1, not 3, not 4, etc.).

vWLAN1 - ALL internet traffic goes out the local uplink internet (even 1.2.3.4).
vWLAN2 - ALL internet traffic goes out the local uplink internet EXCEPT for one single WAN IP, 1.2.3.4, which must use WireGuard to be reached.

The only way this works is if you actually assign an IP interface to the vWLAN.
You can take it off the bridge and give it its own IP address, etc…
Or
create two VLANs with the interface bridge, with their own subnets, etc…
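The following is an added example, not a configuration posted by anyone in this thread, carrying the "take vWLAN-two off the bridge and give it its own IP" variant through to the requirement actually stated above (vWLAN2: only 1.2.3.4 via WireGuard, everything else via the ISP uplink) rather than the 0.0.0.0/0 default route in the earlier posts. Assumptions not taken from the thread: the WireGuard interface is named wireguard1, vWLAN-two gets 192.168.20.0/24, the router already serves DNS, and the peer's public key and endpoint are already configured. Interface names br1, wifi1 and vWLAN-two are the ones used in the earlier post.

```routeros
# Added example (not from the forum thread). Assumed names: wireguard1,
# 192.168.20.0/24 for vWLAN-two; 1.2.3.4 is the example address from the question.

# 1. Give vWLAN-two its own L3 interface. While it is only a bridge port, the
#    router's L3 ingress interface is br1, so neither an interface= routing rule
#    on vWLAN-two nor a per-vWLAN subnet can work.
/interface bridge port remove [find interface=vWLAN-two]
/ip address add address=192.168.20.1/24 interface=vWLAN-two
/ip pool add name=pool-vwlan2 ranges=192.168.20.10-192.168.20.250
/ip dhcp-server add name=dhcp-vwlan2 interface=vWLAN-two address-pool=pool-vwlan2 disabled=no
/ip dhcp-server network add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1

# 2. Separate table that contains ONLY the destination which must use the tunnel.
/routing table add fib name=useWG
/ip route add dst-address=1.2.3.4/32 gateway=wireguard1 routing-table=useWG comment="blocked-at-ISP host via WG"

# 3. Policy rule for the vWLAN-two subnet. action=lookup falls back to the main
#    table when useWG has no matching route, which is exactly what sends every
#    other destination out the ISP uplink. (lookup-only-in-table would instead
#    black-hole everything except 1.2.3.4.)
/routing rule add src-address=192.168.20.0/24 action=lookup table=useWG comment="vWLAN2: 1.2.3.4 via WG"

# 4. WireGuard cryptokey routing: a packet to a destination outside the peer's
#    allowed-address is dropped silently even though the route points at
#    wireguard1. 0.0.0.0/0 also works; this keeps the tunnel limited to the one host.
#    (set replaces the list; merge by hand if the peer already carries other entries.)
/interface wireguard peers set [find interface=wireguard1] allowed-address=1.2.3.4/32 persistent-keepalive=35s

# 5. Firewall: accept the forward path before any drop rules, and masquerade into
#    the tunnel, because the far end only knows tunnel addresses, not 192.168.20.0/24.
/ip firewall filter add chain=forward action=accept in-interface=vWLAN-two out-interface=wireguard1 place-before=0
/ip firewall nat add chain=srcnat action=masquerade out-interface=wireguard1

# 6. Checks. Sourcing from 192.168.20.1 makes router-originated traffic match the
#    src-address rule, so the first hop must be inside the tunnel; an ordinary
#    ping to any other address from the same source must still take the uplink.
/ip route print where routing-table=useWG
/routing rule print
/tool traceroute 1.2.3.4 src-address=192.168.20.1 count=1
/tool traceroute 9.9.9.9 src-address=192.168.20.1 count=1
/ip firewall connection print where dst-address~"1.2.3.4"
```

Two things to watch when adapting this. If the subnet should still reach the other local LANs, that works here without extra rules because useWG holds only the /32 and the lookup falls back to main, which already carries the connected routes; the "additional routing rules" note in the first answer applies only when useWG holds a 0.0.0.0/0 route. And if 1.2.3.4 later turns out to be a block of addresses, widen the /32 in both the route and the peer's allowed-address together, since a mismatch between the two is the usual cause of "the route is there but nothing arrives".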