I have 2 MikroTik routers (Mikrotik HQ and Mikrotik RM) with a site-to-site VPN between them using WireGuard.
Mikrotik HQ has 2 WANs, and I am using a routing rule (Routing -> Rules) to route a specific LAN IP from HQ to a specific WAN (e.g. IP 192.168.XX.100 (server) → WAN 2).
When this routing rule is enabled, I cannot reach LAN IP 192.168.XX.100 from Mikrotik RM; it is reachable only from Mikrotik HQ.
I understand this happens because the specific LAN IP is looking at another routing table. Is there any possibility to route the LAN IP via WAN 2 and also make it reachable from the remote Mikrotik through the VPN?
Yes! The problem is that the traffic reaches the server but the return traffic does not! It's being forced to WAN2 by the routing rule!
Think about it: if you have
/routing table add fib name=useWAN2
/ip route add dst-address=0.0.0.0/0 gateway=ISP2 routing-table=useWAN2
AND the appropriate routing rule:
/routing rule add src-address=192.168.xx.100/32 action=lookup-only-in-table table=useWAN2
Then what you're telling the router is: ANY traffic from .100 will go out WAN2.
So any traffic from another subnet on RouterHQ will hit the device, and the response will go out WAN2 and not back to the user in the other subnet.
Similarly, any traffic from WireGuard from MT RM will hit .100, and the response will go out WAN2 and not back to the remote user.
Traffic from the same subnet 192.168.xx.yy is at L2, is not subject to L3 routing, and will not be captured by the routing rule, which is why that traffic works.
In order to ensure return traffic from the device to users other than those on the same subnet is respected…
we can do so via two options…
Option 1:
/routing rule (order is important: any exception rules have to go before the rule forcing traffic out WAN2)
add dst-address=wireguardsubnet action=lookup-only-in-table table=useWireguard
add dst-address=SubnetB action=lookup-only-in-table table=main comment="optional rule for other subnet MT HQ return traffic allowed"
add src-address=192.168.xx.100/32 action=lookup-only-in-table table=useWAN2
Option 2:
Very similar; pretty sure it will work for WireGuard. Would recommend that the WireGuard interface name is added to the router's LAN member list.
The idea here is that the prefix states allow local type traffic to occur (subnets known, local to the router)…
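The complete, ordered Option 1 for Mikrotik HQ, as an added example that is not from this thread. All addresses and names are assumed placeholders: 192.168.10.100 is the server, 192.168.20.0/24 is SubnetB on HQ, 10.0.0.0/24 is the remote (RM) LAN reached through the tunnel, wireguard1 is the tunnel interface, and 203.0.113.1 is the ISP2 gateway.

```routeros
# Added example, not the thread author's config. Placeholders (assumed):
#   192.168.10.100  server on HQ that must egress via WAN2
#   192.168.20.0/24 SubnetB on HQ
#   10.0.0.0/24     remote (RM) LAN that is routed through the tunnel
#   wireguard1      WireGuard interface on HQ
#   203.0.113.1     ISP2 gateway

# 1. FIB tables that the rules will point at
/routing table add fib name=useWAN2
/routing table add fib name=useWireguard

# 2. Routes inside those tables: a default route for WAN2, and the
#    remote LAN via the tunnel interface for the WireGuard table
/ip route add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-table=useWAN2
/ip route add dst-address=10.0.0.0/24 gateway=wireguard1 routing-table=useWireguard

# 3. Rules, evaluated top-down; the exceptions for return traffic must sit
#    above the rule that forces the server out WAN2
/routing rule add dst-address=10.0.0.0/24 action=lookup-only-in-table table=useWireguard comment="replies to the remote site stay in the tunnel"
/routing rule add dst-address=192.168.20.0/24 action=lookup-only-in-table table=main comment="replies to other HQ subnets stay local"
/routing rule add src-address=192.168.10.100/32 action=lookup-only-in-table table=useWAN2 comment="everything else from the server goes out WAN2"

# 4. Verify the stored order and the tunnel route before testing from RM
/routing rule print
/ip route print where routing-table=useWireguard
```

If the rule order comes out wrong, `/routing rule move` reorders them; the WAN2 rule must remain last.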
I used option 2 and it worked like a charm! Didn't know that creating a plain rule with only a lookup in a specific table is actually referring to local type traffic.
Now my server is routed through WAN2 and the remote site still has access to the server!