Use my remote location for internet on specific VLAN - Wireguard

Good day,

I have two locations

  • Local
  • Remote

Both use Mikrotik routers and both are connected with Wireguard.
For a long time now, I have had Wireguard configured for these locations and I can access both sides without any issue.

Today I built a VLAN21 whose Internet connection I want to route through my remote location.

What I setup:
Local location:

  • Route Table (wg)
  • Routing Mark for all traffic of interface WiredLan
  • Route for 0.0.0.0/0 to remote location
  • Allowed Wireguard 0.0.0.0/0

Remote location:

  • Route from the remote location to the new subnet (through WG)
  • Allow new subnet 10.10.21.0/24 to be reached by the WG

Everything works! Except HTTPS is slow! I suspect something with clamping. I do not have dual NAT.

  • Both sides use PPPoE on their fiber setup
  • Both sides work as should

Local L Relevant Config:

I do not know what is causing only HTTPS to be really slow. I suspect clamping. I tried different settings. Nothing fixes it.

Any suggestions?

Provide full config of both
/export file=anynameyouwish (minus router serial number, any public WANIP information, endpoint addresses, or keys )

Assuming both ends get a public IP.

Both get Public IP.

What is the purpose of having two WireGuard interfaces?

Separation of client WireGuard devices and my peer-to-peer.

Does this concern somehow the issue from peer to peer and vlan21?

Found out that FastTrack is causing issues. I removed this LAN from FastTrack and all is good now.

If you want to keep fasttrack working, instead of using mark-routing with the mangle rules, use routing rules with interface as condition instead:

/routing rule
add action=lookup min-prefix=0 table=main
add action=lookup-only-in-table dst-address=0.0.0.0/0 interface=VLAN21 table=wg-route-table

(adjust the interface name and the routing table name to match your config).


I get it.
I removed mangle this morning (an hour ago) as I was also looking into the policy, and did this change.
Now it works as it should. I was also negative on mangle use.

Thank you!

CGGANNX, why is

add action=lookup-only-in-table dst-address=0.0.0.0/0 interface=VLAN21 table=wg-route-table

preferred over

add action=lookup-only-in-table src-address=vlansubnet table=wg-route-table

It's because the OP removed the previous config export, so I don't know what the subnet is. And according to the OP, he also used a routing mark based on source interface in his mangle rules.

As for the reason for dst-address=0.0.0.0/0, it's because the routing rule applies to IPv6 too if you only specify interface without specifying any address in either src-address or dst-address.

If we know the subnet of the VLAN21 interface, then it's perfectly fine to use src-address like you wrote. Although I still prefer interface for these cases because then there would be one less spot to track and modify when you for some reason want to change the subnet address of VLAN21.
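Putting the thread's two-site setup together as one added example (not a config posted by anyone in this thread): the local router sends everything that enters VLAN21 through the WireGuard tunnel with the interface-keyed routing rule discussed above, and the remote router accepts and masquerades that subnet. Interface names (wg-p2p, pppoe-out1), the tunnel addresses 10.255.255.1/10.255.255.2, the table name wg-route-table and the subnet 10.10.21.0/24 are assumed placeholders.

```routeros
# Added example, not from the thread. Assumed names: VLAN21 (local LAN interface),
# wg-p2p (site-to-site WireGuard interface on both routers), tunnel addresses
# 10.255.255.1 (local) and 10.255.255.2 (remote), pppoe-out1 (remote WAN),
# VLAN21 subnet 10.10.21.0/24, routing table wg-route-table.

# ---------- Local router ----------
/routing table
add name=wg-route-table fib

# Default route that exists only inside the extra table: next hop is the remote tunnel IP.
/ip route
add dst-address=0.0.0.0/0 gateway=10.255.255.2 routing-table=wg-route-table

# Rule 1: resolve in main first; min-prefix=0 suppresses main's 0.0.0.0/0 route,
#         so only connected/LAN/tunnel routes can match here.
# Rule 2: traffic that entered via VLAN21 and was not resolved above is looked up
#         only in wg-route-table, i.e. it goes through the tunnel. dst-address is
#         given explicitly so the rule stays IPv4-only.
# No mangle mark-routing is involved, so FastTrack can stay enabled.
/routing rule
add action=lookup min-prefix=0 table=main
add action=lookup-only-in-table dst-address=0.0.0.0/0 interface=VLAN21 table=wg-route-table

# The peer must allow 0.0.0.0/0 so replies from any Internet address are accepted over the tunnel.
/interface wireguard peers
set [find interface=wg-p2p] allowed-address=0.0.0.0/0

# ---------- Remote router ----------
# WireGuard drops decrypted packets whose source is not in allowed-address,
# so the VLAN21 subnet has to be listed here in addition to the tunnel address.
/interface wireguard peers
set [find interface=wg-p2p] allowed-address=10.255.255.1/32,10.10.21.0/24

# Return route for the VLAN21 subnet back through the tunnel.
/ip route
add dst-address=10.10.21.0/24 gateway=wg-p2p

# Single NAT at the remote site's WAN for the tunnelled subnet.
/ip firewall nat
add chain=srcnat src-address=10.10.21.0/24 out-interface=pppoe-out1 action=masquerade
```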

Nice, the IPv6 angle that is... Don't care about IPv6 until someone forces me to use it, LOL
Logical!!

The subnet is 10.20.21.0/24 (it is also not the real one).

In the end I routed the interface:

add action=lookup-only-in-table comment="Reroute to WG" disabled=no interface=VLAN21 table=wg

I do not care about IPv6, as my IPv6 in remote location is not working.

For my WG clients (mobile devices etc.) which connect to this location, I do also have IPv6.