Trouble with Multiple Routing Tables

Long time lurker, first time posting. Please let me know if there are any ways I can improve the post or information provided.

I am having a bit of trouble with multiple routing tables and could definitely use a more experienced eye.

Specifically, I am running ROS 7.1 on a CCR2004-1G-12S+2XS and trying to use Wireguard to connect to an external VPN provider. To this end, I have used the built-in scripting language to automate registration of my local public key with the provider using their REST APIs. This is working and I am able to receive the appropriate connection details (local IP, remote gateway, etc.) from their servers without issue. I am then able to take these details and set up the wireguard interface more or less without issue.

The problem arises when I try to route traffic to this interface. I am using a separate routing table and routing marks to send traffic to this interface. The central idea behind this is that the separate table allows me to blindly nuke and recreate the routes as appropriate during periodic re-registration without having to maintain persistent state information across multiple invocations.

Unfortunately, it doesn’t seem that my setup of this second table is correct as I get various Destination Host Unreachable errors when trying to access the wider internet. I am able to ping the remote gateway from the router without issue:

[admin@MikroTik] > /ping 10.25.128.1
  SEQ HOST                                     SIZE TTL TIME       STATUS                                                                                                                                                                    
    0 10.25.128.1                                56  64 11ms244us 
    1 10.25.128.1                                56  64 12ms837us 
    2 10.25.128.1                                56  64 11ms646us 
    3 10.25.128.1                                56  64 12ms832us 
    4 10.25.128.1                                56  64 11ms934us 
    sent=5 received=5 packet-loss=0% min-rtt=11ms244us avg-rtt=12ms98us max-rtt=12ms837us 
    
[admin@MikroTik] > /ping interface=wireguard-pia 10.25.128.1
  SEQ HOST                                     SIZE TTL TIME       STATUS                                                                                                                                                                    
    0 10.25.128.1                                56  64 12ms984us 
    1 10.25.128.1                                56  64 12ms934us 
    2 10.25.128.1                                56  64 13ms573us 
    3 10.25.128.1                                56  64 12ms759us 
    sent=4 received=4 packet-loss=0% min-rtt=12ms759us avg-rtt=13ms62us max-rtt=13ms573us

I am also able to ping the remote gateway from a downstream Linux host:

$ ping 10.25.128.1
PING 10.25.128.1 (10.25.128.1) 56(84) bytes of data.
64 bytes from 10.25.128.1: icmp_seq=2 ttl=63 time=12.0 ms
64 bytes from 10.25.128.1: icmp_seq=3 ttl=63 time=12.6 ms
^C
--- 10.25.128.1 ping statistics ---
3 packets transmitted, 2 received, 33.3333% packet loss, time 2055ms
rtt min/avg/max/mdev = 11.976/12.306/12.636/0.330 ms

Things break down when I try to reach beyond the first remote hop on either the router or any other host:

[admin@MikroTik] > /ping interface=wireguard-pia 1.1.1.1
  SEQ HOST                                     SIZE TTL TIME       STATUS                                                                                                                                                                    
    0                                                              126 (No error information)                                                                                                                                                
    0 10.25.184.192                              84  64 113us      host unreachable                                                                                                                                                          
    1                                                              126 (No error information)                                                                                                                                                
    1 10.25.184.192                              84  64 94us       host unreachable                                                                                                                                                          
    2                                                              126 (No error information)                                                                                                                                                
    2 10.25.184.192                              84  64 89us       host unreachable                                                                                                                                                          
    3                                                              126 (No error information)                                                                                                                                                
    3 10.25.184.192                              84  64 84us       host unreachable                                                                                                                                                          
    sent=4 received=0 packet-loss=100% 
    
###############################################
    
$ ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
From 192.168.30.1 icmp_seq=1 Destination Host Unreachable
From 192.168.30.1 icmp_seq=2 Destination Host Unreachable
From 192.168.30.1 icmp_seq=3 Destination Host Unreachable
From 192.168.30.1 icmp_seq=4 Destination Host Unreachable
^C
--- 1.1.1.1 ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3102ms

And, finally, the (current) routing table and firewall rules:

[admin@MikroTik] > /ip/route/print
Flags: D - DYNAMIC; I, A - ACTIVE; c, s, d, y - COPY; H - HW-OFFLOADED
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#      DST-ADDRESS      GATEWAY        DISTANCE
  DAd  0.0.0.0/0        xx.xx.xx.1            1
  DAc  10.25.128.0/17   wireguard-pia         0
  DAc  xx.xx.xx.0/19    sfp28-1               0
  DIcH 192.168.10.0/24  sfp-sfpplus1          0
  DAc  192.168.20.0/24  sfp-sfpplus2          0
  DAc  192.168.30.0/24  sfp-sfpplus3          0
0  As  0.0.0.0/0        10.25.128.1           1
1  As  10.25.128.1/32   wireguard-pia         1
[admin@MikroTik] > /ip/firewall/mangle/print
Flags: X - disabled, I - invalid; D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=prerouting action=passthrough 

 1  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 2  D ;;; special dummy rule to show fasttrack counters
      chain=postrouting action=passthrough 

 3    chain=prerouting action=mark-connection new-connection-mark=pia_wireguard_conn src-address=192.168.0.0/16 dst-address=!192.168.0.0/16 connection-mark=no-mark 

 4    chain=prerouting action=mark-routing new-routing-mark=routes-pia src-address=192.168.0.0/16 connection-mark=pia_wireguard_conn

I am (almost) certain that I have the second routing table setup incorrectly but am not sure what else to change (I usually work at layer 1 & 2). I can post my VPN registration script but, at this point, it seems to be working and sets whatever I tell it to; presumably the settings themselves are incorrect.

Apologies for the wall of text and thanks in advance for any assistance.

You don’t need the last route (to 10.25.128.1/32), that’s already covered by connected route to 10.25.128.0/17, but it shouldn’t break anything. Is 10.25.184.192 router’s address on wireguard-pia? Try to post your config (/export hide-sensitive file=yourconfig), it must be something that’s not visible here.

Yes, 10.25.184.192 is my local IP and changes every time I re-register with their API.

Additionally, my full config is below.

I think I have some conceptual breakdown on how multiple routing tables are handled in ROS. Most of my experience is in low-level switch firmwares where, once a frame is allocated to a particular table it will only consider routes from that table (which is why I added the redundant route directly to the wireguard interface. Does ROS still consider the main routing table for this traffic? Likewise, I tried adding a routing rule to only look up in the second table but this had the same effect.

My ultimate goal here is to create a routing “bucket” that I can send arbitrary frames to and be sure that they will egress via wireguard without further consideration. Is there a better way to achieve this, especially since my connection details can change after a re-registration?

# dec/27/2021 07:00:56 by RouterOS 7.1
# software id = QKDK-CKFY
#
# model = CCR2004-1G-12S+2XS
# serial number = D4F10DDCF4FD
/interface ethernet
set [ find default-name=ether1 ] disabled=yes
set [ find default-name=sfp-sfpplus4 ] disabled=yes
set [ find default-name=sfp-sfpplus5 ] disabled=yes
set [ find default-name=sfp-sfpplus6 ] disabled=yes
set [ find default-name=sfp-sfpplus7 ] disabled=yes
set [ find default-name=sfp-sfpplus8 ] disabled=yes
set [ find default-name=sfp-sfpplus9 ] disabled=yes
set [ find default-name=sfp-sfpplus10 ] disabled=yes
set [ find default-name=sfp-sfpplus11 ] disabled=yes
set [ find default-name=sfp-sfpplus12 ] disabled=yes
set [ find default-name=sfp28-2 ] disabled=yes
/interface wireguard
add listen-port=59999 mtu=1420 name=wireguard-pia
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.10.100-192.168.10.254
add name=dhcp_pool1 ranges=192.168.20.100-192.168.20.254
add name=dhcp_pool2 ranges=192.168.30.100-192.168.30.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=sfp-sfpplus1 lease-time=30m name=dhcp1
add address-pool=dhcp_pool1 interface=sfp-sfpplus2 lease-time=30m name=dhcp2
add address-pool=dhcp_pool2 interface=sfp-sfpplus3 lease-time=30m name=dhcp3
/port
set 0 name=serial0
set 1 name=serial1
/routing table
add fib name=routes-pia
add fib name=""
add fib name=""
add fib name=""
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set max-neighbor-entries=8192
/interface wireguard peers
add allowed-address=10.25.128.1/32 endpoint-address=143.244.49.26 endpoint-port=1337 interface=wireguard-pia persistent-keepalive=25s public-key="<redacted>"
/ip address
add address=192.168.10.1/24 interface=sfp-sfpplus1 network=192.168.10.0
add address=192.168.20.1/24 interface=sfp-sfpplus2 network=192.168.20.0
add address=192.168.30.1/24 interface=sfp-sfpplus3 network=192.168.30.0
add address=192.168.40.1/24 interface=sfp-sfpplus4 network=192.168.40.0
add address=192.168.50.1/24 interface=sfp-sfpplus5 network=192.168.50.0
add address=10.25.184.192/17 interface=wireguard-pia network=10.25.128.0
/ip dhcp-client
add interface=sfp28-1 use-peer-dns=no
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.2,192.168.10.3 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.10.2,192.168.10.3 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.10.2,192.168.10.3 gateway=192.168.30.1
/ip dns
set servers=1.1.1.1
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
/ip firewall filter
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment="Drop incoming packets that are not NATted" connection-nat-state=!dstnat connection-state=new in-interface=sfp28-1 log=yes log-prefix=!NAT
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=sfp28-1 log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment="Drop packets from incorrect subnet (10)" in-interface=sfp-sfpplus1 log=yes log-prefix=not-10net src-address=!192.168.10.0/24
add action=drop chain=forward comment="Drop packets from incorrect subnet (20)" in-interface=sfp-sfpplus2 log=yes log-prefix=not-20net src-address=!192.168.20.0/24
add action=drop chain=forward comment="Drop packets from incorrect subnet (30)" in-interface=sfp-sfpplus3 log=yes log-prefix=not-30net src-address=!192.168.30.0/24
add action=drop chain=forward comment="Drop packets from incorrect subnet (40)" in-interface=sfp-sfpplus4 log=yes log-prefix=not-40net src-address=!192.168.40.0/24
add action=drop chain=forward comment="Drop packets from incorrect subnet (50)" in-interface=sfp-sfpplus5 log=yes log-prefix=not-50net src-address=!192.168.50.0/24
add action=drop chain=forward comment="Drop packets from incorrect subnet (60)" in-interface=sfp-sfpplus6 log=yes log-prefix=not-60net src-address=!192.168.60.0/24
add action=drop chain=forward comment="Drop packets from incorrect subnet (70)" in-interface=sfp-sfpplus7 log=yes log-prefix=not-70net src-address=!192.168.70.0/24
add action=drop chain=forward comment="Subnet 50 routes ONLY to internet" in-interface=sfp-sfpplus5 log=yes log-prefix=50net-not-inet out-interface=!sfp28-1
add action=drop chain=forward comment="Subnet 60 routes NOWHERE" in-interface=sfp-sfpplus6 log=yes log-prefix=60net-not-routable out-interface=!sfp-sfpplus6
add action=drop chain=forward comment="Subnet 70 routes NOWHERE" in-interface=sfp-sfpplus7 log=yes log-prefix=70net-not-routable out-interface=!sfp-sfpplus7
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=yes dst-address=!192.168.0.0/16 new-connection-mark=pia_wireguard_conn src-address=192.168.0.0/16
add action=mark-routing chain=prerouting connection-mark=pia_wireguard_conn new-routing-mark=routes-pia src-address=192.168.0.0/16
/ip firewall nat
add action=masquerade chain=srcnat out-interface=sfp28-1 src-address=192.168.20.0/24
add action=masquerade chain=srcnat out-interface=sfp28-1 src-address=192.168.30.0/24
add action=masquerade chain=srcnat out-interface=sfp28-1 src-address=192.168.40.0/24
add action=masquerade chain=srcnat out-interface=sfp28-1 src-address=192.168.50.0/24
add action=masquerade chain=srcnat out-interface=sfp28-1 src-address=192.168.20.0/24
add action=masquerade chain=srcnat out-interface=wireguard-pia
add action=dst-nat chain=dstnat dst-port=9022 in-interface=sfp28-1 protocol=tcp to-addresses=192.168.30.10 to-ports=22
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add dst-address=0.0.0.0/0 gateway=10.25.128.1 routing-table=routes-pia
add dst-address=10.25.128.1/32 gateway=wireguard-pia routing-table=routes-pia
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes port=9022
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=America/Los_Angeles
/system logging
add topics=ovpn,debug
add topics=script,debug
/system package update
set channel=testing
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no

Disable FastTrack (your first firewall rule; https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack) it’s not compatible with mangle rules. The “host unreachable” still seems weird, but hopefully that’s it.

Routing rules are possible solution too, but it’s less flexible, because you can work only with addresses. Mangle rules in firewall can work with individual connections. On the other hand, routing rules should be a bit more efficient, and also compatible with FastTrack.

I had the same problem
changed allowed-address for wiredguard peer to 0.0.0.0/0 and it helped

Unfortunately, disabling the FastTrack rule in the forward chain did not fix it.

Is there a way to get more detailed debug information about the routing decisions being taken for a connection / frametype / etc? My suspicion is that something is incorrect about the default route and the frames in question are not actually hitting the wireguard interface but I am not sure how to prove / disprove this.

What is the best way to extract more diagnostic information from ROS? I know about

/system logging add topics=<topics>

and such but, as far as I am aware, this doesn’t go down to the granularity of routing path?

(1) No input chain rules and thus no protection and device should not be connected to the internet.

(2) not required as interfaces are disabled - I note various rules suffer from this…
add address=192.168.40.1/24 interface=sfp-sfpplus4 network=192.168.40.0
add address=192.168.50.1/24 interface=sfp-sfpplus5 network=192.168.50.0

(3) Since your wireguard setup is for the PEER side, connecting to a remote WG server, I am confused by
the fact that you have a listen port entered on the client router??

(4) Wireguard peer settings?? why is your address setup as 10.23.128.1/32 ???
Assuming this is a private IP that will be the only destination for any traffic you send through the tunnel from the client router ??

(5) Why do you need to give your wg interface an IP address?? ALSO its very weird to have an address and a network that dont seem to match up??
add address=10.25.184.192/17 interface=wireguard-pia network=10.25.128.0

(6) Why these rules in this order ??
add action=drop chain=forward comment=“Drop incoming packets that are not NATted” connection-nat-state=!dstnat connection-state=new in-interface=sfp28-1 log=yes log-prefix=!NAT
add action=drop chain=forward comment=“Drop incoming from internet which is not public IP” in-interface=sfp28-1 log=yes log-prefix=!public src-address-list=not_in_internet

The first rule will drop all WAN packets (not meant for dst nat) and thus the next rule will not really be matched…
Would make sense the other way round to me…but Im no expert.
Further why limit the addresses not on internet hitting the LAN from the WAN side ?? Dont you want to stop same from LAN to LAN or LAN to WAN side ?? ( just dont include your own subnets).
Personally I dont use bogons in firewall rules periods…but just saying if I did…

(7) After looking at your firewall rules two comments ( 1 above already pointed out) .
2. Garbage on the forward chain, you would be better off sticking to defaults… or at least take this rule modify it and add two more.
add action=drop chain=forward comment=“Drop incoming packets that are not NATted” connection-nat-state=!dstnat connection-state=new in-interface=sfp28-1 log=yes log-prefix=!NAT
TO
add action=accept chain=forward comment=“allow port forwarding” connection-nat-state=dstnat connection-state=new in-interface=sfp28-1
add action=accept chain=forward comment=“allow internet access” in-interface= ??? out-interface=spf1-28
where ??? can be an interface, an interface list or a source address list
add action=drop chain=forward comment=“drop all else”

Now, all the traffic you have not explicitly allowed will be dropped which covers off everything you entered ( WAN to LAN, LAN to LAN and LAN to WAN)
If you want to add bogons after you can do that in IP routes vice firewall rules…

(8) YOu only need one masquerade rule.
add action=masquerade chain=srcnat out-interface=sfp28-1

(9) What is the purpose of the mangle, very confusing and probably the reason I dont understand the purpose of your network overall.

(10) DONT UNDERSTAND Your ROUTES.

First of all above its clear that you WANT to send traffic destined for a single IP through the tunnel.
So why use 0.0.0.0/0?. This would be a valid suggestion if your intention was to send all inquiries from a certain segment on your LAN to the internet of the Remote Server Router.

The second one is also sketchy … I like the fact that it supports a previous entry where IP address is NOT required on the config for WG interface,
but to match your config, the dest address should be…
add dst-address=10.23.128.1/32 gateway=wireguard-pia routing-table=routes-pia

@anav: Your attempt to confuse me didn’t succeed, but you helped me to discover what’s behind the nagging feeling that I’m missing something obvious, which I had all along:

/interface wireguard peers
add allowed-address=10.25.128.1/32 endpoint-address=143.244.49.26 endpoint-port=1337 interface=wireguard-pia persistent-keepalive=25s public-key=“”

That’s it, this tunnel allows communication with only single address!

Few more notes for @anav:

3. There’s always port, the only difference is that if you don’t set it, router will choose random number.

4. Good catch, except there’s no address with 23 in it.

5. 10.25.184.192 is in 10.25.128.0/17, have something to play with: http://www.subnetmask.info

6. The one for WG should probably exist too. But you’re probably right about others. If it’s meant as some kind of source filtering, it should be in filter.

7. To route everything from 192.168.0.0/16 though WG tunnel.

8. OP complains about not being ale to access internet through tunnel, so it’s pretty clear that route with 0.0.0.0/0 is desired. It’s WG config what’s wrong. And route to 10.23.128.1/32 is not required, that address is accesible using connected route which comes from 10.25.184.192/17 on WG interface. And sure, you can skip that and use interface as gateway, but I still don’t see why it’s supposed to be so much better.

Isnt it obvious, the OP got lost in the fog of too many subnets and IP addresses floating around.
KISS buddy!! like a cleaner firewall filter, much easier to see the errors too.

But if WG client is allowed to use only one address (which may be the case here), then in order to use the tunnel from LAN, you need srcnat. So instead of assigning IP address to WG interface, you’ll have to add the same IP address as to-addresses= to srcnat rule. So no big difference.

Bull pucky LOL, you are more of a fiction writer than I am. ;-PPP

Normally the client dst-address is 0.0.0.0/0 because the admin wants to give the client coming in all the possible destinations required (be it lan subnets or internet access).
On my server router I am hosting two examples an entire subnet client router (accessing the tunnel) and one a single IP for the iphone.

In both cases the allowed IPs on the client peer is 0.0.0.0/0
There is nothing more to consider for the iphone case
For the client router I also have an IP Route to match the peer setting of 0.0.0.0/0 gateway=wg interface table=wgtable (where wg table has a route rule from source subnet only lookup in table).

So all this traffic gets through the tunnels to the server router.
What is the basic need of the server tunnel…an IP Route with dst=subnet of client router gw=wg interface table=main and dst=ipofiphone gw=wg interface table=main
Now depending upon my firewall rules,
I may need some input chain rules if I want to manage the server router from my iphone for example
I may need some forward chain rules to allow wg tunnel folks to access LAN assets

Where in the heck in this equation are you stating source nat is needed???

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Lets look at the harebrained idea postulated in this outlandish statement - But if WG client is allowed to use only one address

That would mean the IP Route on the client router, or iphone, would be a single IP address.
So either my iphone or my client router subnet would only be attempting or allowed to contact one address at the SERVER router.
This changes nothing!!
Yes, the client peer settings for allowed addresses would be a single address in both cases as well.

At the server router, incoming traffic would still have the originating IP address be it the iphone address, or the subnet address (as identified in the server peer settings) and would be allowed to reach the single IP address, return traffic due to the existing IP route on the server router would send the traffic back appropriately. NO SOURCE NAT

Port Sport Fort Sort …how bout ABORT your sentence…
(LISTENING PORT IS NOT required on CLIENT ROUTER, regardless, it is required on SERVER router and obviously in client peer settings to go along with endpoint IP address).

In retrospect, SRC NAT may be required for the use case where the WG Server Router (MT), is behind an ISP router. (The opposite of my scenario and hence my blind spot).
In which case to solve how to ensure return traffic from the tunnel client subnet that went out the server routers WAN to the internet via the ISP router, gets returned back to the tunnel.
If the front router is an MT router we create a route for that traffic back through the LANIP of the secondary router (its wanip) and all done.
Typically ISP routers do not have such capabilities (usually only port forwarding at best).

I think you are suggesting
add chain=src-nat action=src-nat source-address=subnet of client router to-address=WANIP of MT router out-interface=etherWANport
add chain=src-nat action=src-nat source-address=ipofIPHONE to-address=WANIP of MT router out-interface=etherWANport

Such that when the return traffic comes back from the ISP router headed towards the LANIP of the MT router (its wanip), the MT router will un source nat that traffic back to the client traffic addresses and then via IP route be sent back through the tunnel. Close??

Let’s say you’re my employee (that’s not an offer ) and I give you access to company network. You get exactly one address for your client (there’s allowed-address=x.x.x.x/32 for your peer on my side). WG itself won’t accept any other source address from you.

Maybe you don’t want to connect just one device but your whole home network. I don’t mind, because I don’t trust you anyway, so access is as limited as possible (firewall allows only few addresses and ports). If you manage to break something, it will be my fault for not securing it enough. But I will also know that it was you, because I’ll have your address. But main point, you still have only one address, so for this you need srcnat to hide your whole network behind this address. You can either assign address to WG interface and use masquerade, or you can skip address, but then you need to put it in srcnat. That’s what I meant.

I assume that all those “hide from your ISP and route everything through us” VPNs do the same thing, except they do allow access to 0.0.0.0/0. Which I of course wouldn’t, VPN would be only for accessing company network and not for you browsing internet and downloading who knows what over company’s connection.

Good, now you are better describing the BOGUS use case, as I surmized.
It has nothing to do with what I discussed previously although it was brilliant.

So you are talking about a client on the CLIENT ROUTER being given access to the WG tunnel.
Now this client is attached to the client ROUTER not by a company PC but by an illegal ROUTER that allows the client to attach many more devices to this WG tunnel then authorized.

LIke I said, your example is BS.

By the way, no worries on the employee front, I work for free LOL.

The Wireguard tunnel can handle any payload addresses at both local and remote side; the only thing is that, like with OpenVPN, you have to tell the Wireguard itself to which peer to route which addresses, as multiple peers may be accessible via a single Wireguard interface. I.e. the Wireguard behaves like another router adjacent to the basic one.

@anav: There’s nothing bogus about it, it’s perfectly valid config. But if you don’t like it, let’s try something else.

Typical home router with 192.168.88.1/24 in LAN, and goal is to allow remote clients access it from elsewhere. We both start with LAN:

/ip address add address=192.168.88.1/24 interface=LAN

VPN clients will have addresses from 192.168.44.0/24, so I’ll add address for WG interface:

/ip address add address=192.168.44.1/24 interface=WGserver

and it will automatically give me route to all 192.168.44.x clients. Addressophobic like you won’t have any of that, but router still needs some route to clients, so you’ll have to add that instead:

/ip route add dst-address=192.168.44.0/24 gateway=WGserver

And now look, I as client can ping 192.168.44.1 and see if the router is alive:

Reply from 192.168.44.1: bytes=32 time=1ms TTL=64

But it’s no big deal, because you can ping 192.168.88.1 instead. What if I ping remote device that’s turned off, e.g. 192.168.88.11? Router/server will tell me that it’s not available:

Reply from 192.168.44.1: Destination host unreachable.

What do you get?

Request timed out.

Isn’t mine nicer? And have you checked your traceroute?

>tracert -d 192.168.88.10

Tracing route to 192.168.88.10 over a maximum of 30 hops

  1     *        *        *     Request timed out.
  2     3 ms     4 ms     3 ms  192.168.88.10

Trace complete.

What’s that hole doing in there? Don’t you want to have nice complete one like I do?

>tracert -d 192.168.88.10

Tracing route to 192.168.88.10 over a maximum of 30 hops

  1     1 ms     2 ms     1 ms  192.168.44.1
  2     9 ms     5 ms     3 ms  192.168.88.10

Trace complete.

Yes, you can fix it with e.g.:

/ip route add dst-address=192.168.44.0/24 gateway=WGserver pref-src=192.168.44.1

But doesn’t the address on WG interface feel simpler and more straightforward? After all, interfaces often have addresses, it’s not like it would be the only interface on your router with own address.

Thank you all for the detailed discussion. It has highlighted a number of gaps in my knowledge, which is always a good thing when learning.

For what it is worth, most of this configuration I am sort of reverse-engineering. The VPN provider has a couple of bash scripts using wg-quick to set up the wg interface for a Linux desktop. Using these, I have backported most of the functionality into the internal scripting language. Unfortunately, as there is no formal API documentation, I am making several educated guesses about the proper configuration. For example, when registering with a given server, I ultimately receive an API response that looks similar to the following:

{
    "status": "OK",
    "server_key": "<redacted>",
    "server_port": 1337,
    "server_ip": "143.244.49.26",
    "server_vip": "10.25.128.1",
    "peer_ip": "10.25.184.192",
    "peer_pubkey": "<redacted>",
    "dns_servers": [
        "10.0.0.243",
        "10.0.0.242"
    ]   
}

I take this to mean that the “public” IP of the server to initiate the connection with is 143.244.49.26 while the address of the router inside of the tunnel is 10.25.128.1. Likewise, my local address is 10.25.184.192. One of the things I do not know is if the tunnel will accept any address or just the one they have assigned me. I have been operating on the assumption that @sob states; specifically that the provider is expecting a single client address and that I should either SRCNAT or MASQUERADE.

In response to the specific points raised by @anav:

(1) This is still very much a work in progress and I have not yet switched to it full-time as my primary device.

(2) Several interfaces are disabled as I do not yet have them wired but I wanted to get the config “on paper” so I wouldn’t forget settings as I read through the various documentation online.

(4) I am a bit confused, I don’t have a 10.23.128.1; the remote endpoint’s address inside of the tunnel should be 10.25.128.1?

(5) I gave the interface an address as I was hoping to MASQUERADE and not have to set up a SRCNAT for each client or similar. Regarding the mismatch of addresses, notice in the API response above that there are no CIDR addresses or netmasks. My script actually calculates the netmask manually by comparing the server_vip and peer_ip addresses to figure out which is the first bit that they differ at. This is not ideal but I do not know of a better way of addressing this. Any input on this is most welcome as my programmer senses are screaming “HACK”.

(6 and 7) I definitely need to revisit these. Many of the rules I got from the MikroTik wiki (here). It is very possible I misunderstood / misconfigured something there; the whole firewall needs to be revisited.

(3, 8, 9 and 10) @sob covers all of these.

Now, to the point about allowed-address, I attempted the following which did work, huzzah:

[admin@MikroTik] > /interface/wireguard/peers/set allowed-address=0.0.0.0/0 0

I think where things went wrong for me is that I misunderstood this page to indicate that allowed-address was considered AFTER any masquerading had taken place. With this incorrect understanding it made sense (at the time) to have that be the post-masquerade remote address. I now see that this is not the case.

I think I am going to continue using an address on the interface and a MASQUERADE rule as this significantly simplifies the script I have written for my specific use-case. The MASQUERADE rule is static so my script only has to check for existence while the address is on the interface so I don’t have to hunt for and update any SRCNAT rules.

Once I have reworked the relevant portions per the feedback in this thread, I can post a write-up with the completed script and instructions in a separate thread if that would be useful to others.

Marking as solved as my specific issue is addressed.

Yes, I am constantly learning as well, at least thats the hope of Sob and Sindy, so that one day I wont keep making a fool of myself in public!!!
Love the reverse engineering, linux is greek to me, without the ouzo.
@Sob, and yes I will get to your post in due time, in due time…