Somewhat new to ROS, and network settings as a whole; not sure what config I'm missing or doing wrong here.

I have multiple ROS CHR instances running on DO, US-SF, US-NY, Singapore, and Germany, all linked together with multiple WireGuard tunnels for manual routing of traffic. They also connect to an onsite RB3011 (configured as sw/connector). That side of things works correctly, no issue, but recently I added a WG tunnel from my RB5009 (test router) to each site and set up a specific subnet for VPN client, along with its routing table and routing rules:

/ip address add address=192.168.222.1/28 interface="4. VLAN - " network=192.168.222.0 (along with config for DHCP server)
/routing table add disabled=no fib name="VPN CLIENT"
/ip route add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.22.110.3 routing-table="VPN CLIENT" scope=30 suppress-hw-offload=no target-scope=10
/routing rule add action=lookup disabled=no src-address=192.168.222.1/28 table="VPN CLIENT"

The eth that goes to WAN and all WG instances have srcnat masquerade.

The problem? The Singapore and Germany nodes work properly: if I go to IP route and change the gateway to either the Singapore or Germany internal WG address and connect to the PVID4 Wi-Fi, I have internet, and “what is my ip” on Google shows the correct address. For some reason, on both US sites traffic would come into the router from the WireGuard tunnel (I see the ping I sent to my other server somewhere with Torch on the CHR) and then it never left the WAN to the internet. If I route PVID4 to either US-SF or US-NY, google.com won't even load, even though from the terminal within those CHRs ping google.com gets an average of 1.5 ms.

All nodes have the same firewall rules with all the WG interfaces masqueraded; the only difference would be some different additional manual routes here and there.

Config of the US-SF CHR, with IP addresses and keys removed: https://pastebin.com/N8bZNfSJ

172.25.100.x internal WG address from sin (for permanent installation) 172.22.100.x (for portable devices and routers)
172.25.110.x internal WG address from US-SF (for permanent installation) 172.22.110.x (for portable devices and routers)
172.25.120.x internal WG address from DE (for permanent installation) 172.22.120.x (for portable devices and routers)
172.25.130.x internal WG address from US-NY (for permanent installation) 172.22.130.x (for portable devices and routers)
172.25.150.x internal WG address from ID (for permanent installation) 172.22.150.x (for portable devices and routers)

I'm not sure what else I'm doing wrong. Thank you very much for the help.

I posted the same on Reddit, but maybe people here can help as well.

You don’t seem to have any masquerade/srcnat on ether3.
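
One way to check an export for the condition named in the reply above, as an added example that is not part of the thread or of anyone's actual config: it parses RouterOS `/export` text and lists interfaces that hold a main-table default route but are not named by any srcnat `masquerade`/`src-nat` rule. The sample export, its addresses, the interface name `wg-portable` and the list name `WG` are constructed; rules are matched only by `out-interface` and `out-interface-list`, and other matchers are not evaluated.

```python
import ipaddress
import re
import shlex

SAMPLE = """# Constructed sample export: documentation addresses, hypothetical names
/interface list member
add interface=wg-portable list=WG
/ip address
add address=203.0.113.10/24 interface=ether3 network=203.0.113.0
add address=172.22.110.3/24 interface=wg-portable network=172.22.110.0
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WG"""

def parse_export(text):
    """Yield (menu path, properties) for every enabled 'add' line of an export."""
    path = ""
    text = re.sub(r"\\\n\s*", "", text)      # rejoin lines the export wrapped with "\"
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):             # "/ip route" or "/ip route add ..."
            path, _, rest = line.partition(" add ")
            line = "add " + rest if rest else ""
        if line.startswith("add ") and "disabled=yes" not in line:
            yield path, dict(t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t)

def egress_without_srcnat(text):
    """Interfaces holding a main-table default route that no srcnat rule names."""
    rows = list(parse_export(text))
    sel = lambda menu: [p for path, p in rows if path == menu]
    nets = [(ipaddress.ip_interface(p["address"]).network, p["interface"])
            for p in sel("/ip address")]
    # "gateway=1.2.3.4%ether3" names the interface directly; keep that part
    gateways = [p["gateway"].split("%")[-1] for p in sel("/ip route")
                if p.get("dst-address", "0.0.0.0/0") == "0.0.0.0/0"
                and p.get("routing-table", "main") == "main"]
    natted = set()
    for r in sel("/ip firewall nat"):
        if r.get("chain") == "srcnat" and r.get("action") in ("masquerade", "src-nat"):
            natted.add(r.get("out-interface"))
            natted |= {m["interface"] for m in sel("/interface list member")
                       if m["list"] == r.get("out-interface-list")}
    egress = set()
    for gw in gateways:
        try:                                 # map a gateway IP to the connected interface
            ip = ipaddress.ip_address(gw)
            egress |= {iface for net, iface in nets if ip in net}
        except ValueError:
            egress.add(gw)                   # gateway given as an interface name
    return sorted(egress - natted)
```

In the constructed sample only the WireGuard list is masqueraded, so the function reports `ether3`; forwarded packets would leave that interface with their private source address and the replies would have no route back.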