Static route toward a list of networks

In my main routing table I need to configure static route toward a list of networks that will be reachable over a wireguard tunnel.

I created an address list, but I can not insert it in the destination field, when creating the static route.

What is the best way to do this?

Correct. Each remote subnet must be a separate entry.
The purpose is so that if local lan users need to reach remote subnets, the router knows where to send the local users!!
The purpose is also so that remote users coming in to access local servers or use the local WAN, have their return traffic go back through the wireguard tunnel.

Which is the case or both for you???

The only time it would be easier is if you only had to worry about incoming traffic and, at the other end, they source-NATted their traffic out the wireguard tunnel. Then you would not have to create any subnets, as the router would simply use the DAC route created by the wireguard IP address. If, as you state, you have local users going to all those remote networks (originating traffic), then there is no easy shortcut that comes to mind.


What you could do is, let's say, you have an address list of the remote subnets that you would like to reach through wireguard called REMOTE.
Let's say you have 5 local subnets, that only two of them require this routing, and that you make an interface list called Subnets-To-WG.

/routing table
add fib name=useWG

/ip firewall mangle
add chain=prerouting action=mark-routing in-interface-list=Subnets-To-WG dst-address-list=REMOTE new-routing-mark=useWG

/ip route
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=useWG

/ip firewall filter
add chain=forward action=accept in-interface-list=Subnets-To-WG dst-address-list=REMOTE

Don't forget that with mangling one has to either turn fasttrack off or make adjustments to fasttrack.
In this case we are not marking connections, so one cannot use the standby of simply adding mark=no-mark to the fasttrack rule.

Suggestion: Modify the forward chain as follows…
/ip firewall filter
add action=accept chain=forward connection-state=established,related src-address-list=REMOTE
add action=accept chain=forward connection-state=established,related dst-address-list=REMOTE
{default fasttrack rule}

Correct. Each remote subnet must be a separate entry.

I was hoping I could create only one static route entry toward an address list of IP subnets, because there are about 30 IP subnets.

The purpose is so that if local lan users need to reach remote subnets, the router knows where to send the local users!!

…This is my usage scenario.

Ok, so I create a new routing table, then I configure a default route over the wireguard interface.

Can you please explain the mangle rule to me, what is it doing? How will my Subnets-To-WG use the newly created routing table when the destination is dst-address-list=REMOTE? Why are you creating new-routing-mark when you don’t use it anywhere? I’m a little new to MikroTik, so I’m sorry in advance if my question is stupid.

/ip firewall mangle
add chain=prerouting action=mark-routing in-interface-list=Subnets-To-WG dst-address-list=REMOTE new-routing-mark=useWG

Hi there,

The table is required because that is what we are creating, an independent new routing table, so that we can tell the router where to send traffic, separately from the Main Table.
Mangling is a method of identifying traffic with some specificity, in order to apply routes as required. I haven't used mangling for needs other than routing, but there may be other cases… We can also specify and move traffic differently with the use of Routing RULES.

In the mangling rules, we don’t state the table to identify the table, we use the Routing Mark to do so. It ties to what we have entered in the TABLE definition itself (the link you seek).

Correct, we do create one route, but we specify with either MANGLING or Routing Rules what particular traffic is to use that route with the new routing table.

What we are saying in the mangle rule is that, for the identified local traffic wishing to go to these destinations, assign a route mark in prerouting.
When it comes time to send the traffic, the router will bypass the main table and send the traffic out wireguard as we want.
However, as a last step, it has to ensure the firewall rules allow it.
add chain=forward action=accept in-interface-list=Subnets-To-WG dst-address-list=REMOTE

Routing rules (separate from mangling) are excellent for forcing traffic out any Routing Table, as long as the source is a single subnet or single address (NO LISTS).
You could apply it smartly to contain a number of contiguous subnets by use of the netmask. The table and IP route are still required, and we add the routing rule (no mangles).
192.168.0.0/24 for a single subnet into wireguard
192.168.0.0/XX for multiple subnets into wireguard.

/routing table add fib name=useWG
/ip route
add dst-address=0.0.0.0/0 gateway=wireguard routing-table=useWG
/routing rule add dst-address=192.168.0.0/XX action=lookup-only-in-table table=main
/routing rule add src-address=192.168.0.0/XX dst-address=10.10.10.0/YY action=lookup table=useWG

The advantage is that it's much simpler to do in many cases and does not affect fasttrack rules.
When using mangles one must ensure the traffic does not hit the fasttrack rule, otherwise performance bogs down and I think errors may occur.
If using Routing Rules for any WANIP traffic, the WANIP must be static/fixed.

You should note above that I have two routing rules and ORDER is critical. The second rule, the one pushing traffic to wireguard, pushes ALL TRAFFIC.
Imagine if a local subnet wants to either
a. originate traffic to another local subnet OR
b. answer a query from another local subnet.

It wouldn't work, because all that traffic would get forced into the wireguard tunnel and go nowhere.
Thus we ensure the desired local traffic is permitted by ensuring that traffic goes first in the routing rules.

Final note: Mangle takes precedence over Routing Rules if there is overlap.
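Both approaches in this thread come down to the same question: with ~30 remote subnets and no list support in a route's dst-address or in a routing rule, what do you actually type? The script below is an added example, not code from the thread or from MikroTik. It takes a constructed list of remote subnets (standing in for the real 30), emits the per-subnet /ip route entries for the first approach, and for the routing-rule approach computes the single covering prefix (the "192.168.0.0/XX" style value) together with how much address space that supernet would pull into the tunnel beyond what is actually listed. The gateway name wireguard1 and the table name useWG are taken from the thread; the local subnet values passed to routing_rule_config are placeholders. The emitted lines mirror the command syntax shown in the thread (RouterOS v7 form).

```python
import ipaddress

# Constructed sample standing in for the ~30 remote subnets from the thread.
# Deliberately includes adjacent blocks (which merge cleanly) and a gap (which does not).
REMOTE_SUBNETS = [
    "10.10.0.0/24", "10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24",
    "10.10.4.0/24", "10.10.9.0/24",
]


def parse_subnets(subnets):
    """Validate and sort prefixes. strict=True rejects entries with host bits set
    (e.g. 10.10.1.5/24), which would otherwise silently become a wrong route."""
    nets = [ipaddress.ip_network(s, strict=True) for s in subnets]
    if len({n.version for n in nets}) > 1:
        raise ValueError("mix of IPv4 and IPv6 prefixes; handle each family separately")
    return sorted(nets)


def static_routes(subnets, gateway="wireguard1"):
    """Approach 1: one /ip route entry per remote subnet in the main table,
    since dst-address cannot reference an address list."""
    return [f"add dst-address={n} gateway={gateway}" for n in parse_subnets(subnets)]


def collapsed(subnets):
    """Merge adjacent and overlapping prefixes. This is exact: the merged set
    covers precisely the listed addresses and nothing else."""
    return list(ipaddress.collapse_addresses(parse_subnets(subnets)))


def covering_supernet(subnets):
    """Smallest single prefix containing every listed subnet, i.e. the value a
    routing rule needs (rules take one prefix, not a list)."""
    nets = parse_subnets(subnets)
    cover = nets[0]
    while not all(cover.supernet_of(n) for n in nets):
        cover = cover.supernet()  # widen one bit at a time; /0 always terminates the loop
    return cover


def overreach(subnets):
    """Addresses the covering supernet sends into the tunnel that are NOT in the list.
    Anything living in that space becomes unreachable from the marked sources."""
    listed = sum(n.num_addresses for n in collapsed(subnets))
    return covering_supernet(subnets).num_addresses - listed


def routing_rule_config(subnets, local_src, local_range, table="useWG", gateway="wireguard1"):
    """Approach 2: routing table + default route + two ORDERED rules. The main-table
    rule comes first so local-to-local traffic is never pulled into the tunnel.
    local_src / local_range are hypothetical placeholders supplied by the caller."""
    cover = covering_supernet(subnets)
    return [
        f"/routing table add fib name={table}",
        f"/ip route add dst-address=0.0.0.0/0 gateway={gateway} routing-table={table}",
        f"/routing rule add src-address={local_src} dst-address={local_range} "
        f"action=lookup-only-in-table table=main",
        f"/routing rule add src-address={local_src} dst-address={cover} "
        f"action=lookup table={table}",
    ]


if __name__ == "__main__":
    print("/ip route")
    print("\n".join(static_routes(REMOTE_SUBNETS)))
    print("# collapsed:", [str(n) for n in collapsed(REMOTE_SUBNETS)])
    print("# supernet for a routing rule:", covering_supernet(REMOTE_SUBNETS),
          "pulls in", overreach(REMOTE_SUBNETS), "extra addresses")
    print("\n".join(routing_rule_config(REMOTE_SUBNETS, "192.168.0.0/24", "192.168.0.0/16")))
```

With the sample list, the six /24s collapse exactly to 10.10.0.0/22, 10.10.4.0/24 and 10.10.9.0/24, but the single prefix a routing rule can take is 10.10.0.0/20, which drags 2560 addresses that were never listed into the tunnel. That number is the cost of the routing-rule shortcut described above; if it is non-zero and that space matters locally, the per-subnet routes (or the mangle approach) are the safer choice. The script also adds src-address to the main-table rule, narrowing it to the same local source as the tunnel rule; the thread's version keys on destination only.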

Thank you very much for your detailed answer. I learned some new things about Mikrotik.