src-address for wireguard endpoint connection

RouterOS General
1

I want to do bonding with wireguard+eoip and several pppoe connections (each pppoe connection is on a unique ADSL line)

I am using routeros 7.1rc5

I use mangle rules to match the wireguard interface’s endpoint port and mark routing so each wg interface should route via a unique pppoe connection

However I’m facing a problem, namely all the wireguard connections are trying to use the same src-address (from whichever pppoe interface is the default route on main table), so it seems impossible to route each wireguard tunnel over a unique pppoe connection

How can I change the source address for each wg connection (ideally based on the endpoint port)?

It seems the only solution is to have a second mikrotik router and then do mangling on the forwarded packets. Surely this shouldn’t be necessary??

Any ideas welcomed

2

So you have only one (main) routing table you say? How can that possibly work? And what does it have to do with wireguard?

3

Hi

No, there’s a routing table created for each pppoe interface, each with a default route for that pppoe interface only. The problem is even if I mangle the wireguard ports and mark routing to the respective routing tables, the return packet replies never arrive from the remote host (the server) because all outgoing traffic (on the client) comes from the same src-address and routeros is using the src-address associated with the default route from the main rotating table

If the remote host had several public IP addresses then I could route each public IP address to a different PPPoE interface. It only has one though, so the best I can do is mangle the endpoint ports (src or destination) however this doesn’t change the src-address problem and so replies never get routed back

4

Ok I think I fixed it !!

Solution as follows:

assume router’s lan IP is 192.168.0.2
assume default route (on main) is another router 192.168.0.1

assume remote wireguard host = 196.1.0.1
assume pppoe1 IP = 172.16.0.1
assume pppoe2 IP = 172.17.0.1

/ip firewall mangle add action=mark-connection chain=output connection-mark=no-mark connection-state=new dst-address=196.1.0.1 dst-port=13241 protocol=udp new-connection-mark=pppoe1_conn passthrough=yes
/ip firewall mangle add action=mark-routing chain=output connection-mark=pppoe1_conn new-routing-mark=to_pppoe1 passthrough=no

/ip firewall mangle add action=mark-connection chain=output connection-mark=no-mark connection-state=new dst-address=196.1.0.1 dst-port=13242 protocol=udp new-connection-mark=pppoe2_conn passthrough=yes
/ip firewall mangle add action=mark-routing chain=output connection-mark=pppoe2_conn new-routing-mark=to_pppoe2 passthrough=no

/ip firewall nat add action=src-nat chain=srcnat protocol=udp src-address=192.168.0.2 src-port=13241 to-addresses=172.16.0.1
/ip firewall nat add action=src-nat chain=srcnat protocol=udp src-address=192.168.0.2 src-port=13242 to-addresses=172.17.0.1

As you can see the router tried to establish the connections with src-address=192.168.0.2
It seems the solution was simply to add src-nat with relevant ports and to-address to the IP address of the respective pppoe interface.

The src-nat rules on their own don’t work unless output packets are marked and routed. So it’s a combination of all 3 rules that gets things going

So far so good, I will complete the setup and test to see if everything works as expected

5

Isn’t your scenario what is explained in this document (shared by @anav):

https://mum.mikrotik.com/presentations/US12/steve.pdf

6

That’s a great guide for load balancing in general, but actually no it doesn’t go into the specific issue I had here, which is namely to do with ensuring that all the wireguard interfaces use separate source addresses when establishing their links even if they all have the same endpoint IP (but not port obviously). So even though yes I’m implementing a load balancing solution as described in that document, the root problem here actually had nothing to do with the load balancing side of things, lol xD anyways it’s sorted now and I’m happy as hell. The power of MikroTik proves it’s worth for me yet again "thumbs up*

Thank you, guys

7

:smiley: