WireGuard and mangle routing

Hi everyone,

I absolutely for the life of me cannot get my head around mangle rules. The goal is to route everything from the address list, apart from the exceptions list, via the WireGuard interface.

Setup: basically defconf hAP ac2, fasttrack is disabled. There's ether1, which is connected to the ISP modem; the local LAN is served via DHCP from the bridge interface, nothing fancy.
There's a separate routing table for WireGuard and a default 0.0.0.0/0 route for that table. Another default 0.0.0.0/0 route is given by the ISP modem.

Firewall config:

# 2023-11-11 05:21:51 by RouterOS 7.12
# software id = J6WP-02EH
#
/ip firewall address-list
add address=192.168.33.0/24 list=LAN
add address=192.168.33.0/24 list=WGSOURCE
add address=1.1.1.1  list=WGEXCLUDE

/ip firewall filter
add action=accept chain=input comment="Accept established, related, untracked" connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid input" connection-state=invalid log=yes log-prefix=drop_invalid
add action=drop chain=input comment="Drop all !LAN" disabled=yes in-interface-list=!LAN log=yes log-prefix=not_from_LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1
add action=masquerade chain=srcnat comment="WireGuard: masquerade" out-interface=wireguard1
/ip firewall mangle
add action=accept chain=prerouting comment="Allow LAN" dst-address-list=LAN src-address-list=LAN
add action=mark-connection chain=prerouting comment="WireGuard mark" connection-mark=no-mark dst-address-list=\
    !WGEXCLUDE dst-address-type=!local new-connection-mark=wireguard passthrough=yes src-address-list=WGSOURCE
add action=mark-routing chain=prerouting comment="WireGuard route" connection-mark=wireguard dst-address-type=!local log-prefix=\
    mark_routing new-routing-mark=wireguard passthrough=yes

This does not work at all unless I remove the last rule, which adds the routing mark.
Let's say someone from the LAN pings 4.2.2.2: I can see the replies arrive at the router from the WireGuard interface, they already have the connection-mark (because they're part of the NATed connection), and they get thrown away by the last rule, which puts them into the tunnel again.

Is it some WireGuard peculiarity, or is the config utterly broken? In my understanding, proper connection marking should be enough for the last rule that adds the routing mark. I've tried adding an interface restriction to the last rule, but no luck.

  1. Please show your ip routing rules.
    I think you should add there something like:
    /ip route
    add disabled=no distance=1 dst-address=0.0.0.0/1 gateway=wireguard1 \
        pref-src="" routing-table=wireguard scope=30 suppress-hw-offload=no \
        target-scope=10
  2. Your last 2 rules should be mark-routing only. Remove the connection mark.
  3. Show your ip-addresses config. WireGuard requires manually set addresses.
    My config is like this:
    /ip address
    add address=10.7.0.2 interface=wireguard1 network=10.7.0.0

For MVP tests, disable firewall drops.

My example (you can combine a src-address range like 192.168.33.0/24 with an exception address list at the same time):
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address=!192.168.33.0/24 new-routing-mark=wireguard passthrough=yes src-address=192.168.33.0/24 src-address-list=!EXCEPTIONS_LIST

Yes,

If you route-mark a packet, and then have a routing entry that matches, it WILL use that routing entry.

You could perhaps put an accept rule prior to the route-marking rule, where the listed destinations shouldn't go via WireGuard.

e.g. where the destination IP matches any of the local network IP ranges.

Another option is to go via the routing rules table.

new-routing-mark=wireguard_rule

And make some routing rules (in order) that can be followed.

/routing rule
add action=lookup disabled=no dst-address=192.168.0.0/16 table=main
add action=lookup disabled=no dst-address=0.0.0.0/0 routing-mark=wireguard_rule table=wireguard

Not interested unless you post the complete config. Why so smart as to only post what you think we need, while asking us what the problem is? Seems ironic to me. :wink:

/export file=anynameyouwish (minus router serial number, public WAN IP information, keys etc.)

Well, you're right of course… here's the full config, sans passwords and stuff:

# 2023-11-13 08:04:30 by RouterOS 7.12
# software id = J6WP-02EH
#
# model = RBD52G-5HacD2HnD
/interface bridge
add add-dhcp-option82=yes arp=proxy-arp comment="VLAN bridge" dhcp-snooping=\
    yes igmp-snooping=yes ingress-filtering=no name=bridge1 protocol-mode=\
    none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether4 ] comment=Raspberry
set [ find default-name=ether5 ] comment="Switch trunk"
/interface wireguard
add comment="WireGuard main interface" listen-port=18457 mtu=1420 name=\
    wireguard1
/interface vlan
add comment="Main VLAN, data access" interface=bridge1 name=vlan1 vlan-id=33
add comment="Guest VLAN, Internet access only" interface=bridge1 name=vlan2 \
    vlan-id=10
add comment="Work VLAN, maximum isolation" interface=bridge1 name=vlan3 \
    vlan-id=20
/interface list
add name=Wireless
add name=LAN
add name=WAN
add name=Management
add name=WireGuard
add name=External
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk comment=cropp group-ciphers=tkip,aes-ccm \
    mode=dynamic-keys name=profile2 supplicant-identity="" unicast-ciphers=\
    tkip,aes-ccm
/interface wireless
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX comment="5 GHz" country=france default-forwarding=no \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge security-profile=profile2 skip-dfs-channels=all ssid=cropp \
    wireless-protocol=802.11
/interface wireless manual-tx-power-table
set wlan2 comment="5 GHz"
/interface wireless nstreme
set wlan2 comment="5 GHz"
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add comment="Main VLAN pool" name=main_pool ranges=\
    192.168.33.10-192.168.33.254
add comment="Guest VLAN pool" name=guest_pool ranges=\
    192.168.11.11-192.168.11.254
add comment="Work VLAN pool" name=work_pool ranges=\
    192.168.22.10-192.168.22.100
/ip dhcp-server
add address-pool=main_pool interface=vlan1 lease-time=1m name=main_dhcp
add address-pool=guest_pool interface=vlan2 lease-time=1m name=guest_dhcp
add address-pool=work_pool interface=vlan3 lease-time=10m name=work_dhcp
/routing pimsm instance
add disabled=yes name=pim1 vrf=main
/routing table
add fib name=wireguard
/interface bridge port
add bridge=bridge1 comment=Raspberry ingress-filtering=no interface=ether4 \
    pvid=33
add bridge=bridge1 comment="Switch trunk" interface=ether5 pvid=33
add bridge=bridge1 comment="5 GHz" interface=wlan2 pvid=10
/ip neighbor discovery-settings
set discover-interface-list=none protocol=""
/ip settings
set rp-filter=strict
/ipv6 settings
set disable-ipv6=yes forward=no
/interface bridge vlan
add bridge=bridge1 comment="Allow VLAN 33" tagged=bridge1,ether5,wlan2 \
    untagged=ether4 vlan-ids=33
add bridge=bridge1 comment="Allow VLAN 10" tagged=bridge1,ether5 untagged=\
    wlan2 vlan-ids=10
add bridge=bridge1 comment="Allow VLAN 20" tagged=bridge1,ether5 \
    vlan-ids=20
/interface list member
add interface=wlan2 list=Wireless
add interface=vlan1 list=LAN
add interface=vlan1 list=Management
add interface=vlan2 list=LAN
add interface=vlan3 list=LAN
add interface=ether1 list=WAN
add interface=wireguard1 list=WireGuard
add interface=ether1 list=External
add interface=wireguard1 list=Management
add interface=wireguard1 list=External
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=1.2.3.4 \
    endpoint-port=12345 interface=wireguard1 persistent-keepalive=10s \
    public-key="=somekey="
/ip address
add address=172.16.1.130/24 comment="WireGuard peer" \
    interface=wireguard1 network=172.16.1.0
add address=192.168.33.1/24 comment="Main VLAN" interface=vlan1 network=\
    192.168.33.0
add address=192.168.11.1/24 comment="Guest VLAN" interface=vlan2 network=\
    192.168.11.0
add address=192.168.22.1/24 comment="Work VLAN" interface=vlan3 network=\
    192.168.22.0
/ip dhcp-client
add add-default-route=no comment=WAN interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=192.168.11.0/24 comment="Guest network" dns-server=192.168.11.1 \
    gateway=192.168.11.1
add address=192.168.22.0/24 comment="Work network" dns-server=192.168.22.1 \
    gateway=192.168.22.1
add address=192.168.33.0/24 comment="Main network" dns-server=192.168.33.1 \
    gateway=192.168.33.1
/ip dns
set allow-remote-requests=yes doh-max-server-connections=30 \
    max-udp-packet-size=16384 query-total-timeout=5s servers=1.1.1.1
/ip firewall address-list
add address=192.168.33.0/24 list="Main VLAN"
add address=192.168.11.0/24 list="Guest VLAN"
add address=192.168.22.0/24 list="Work VLAN"
add address=192.168.11.0/24 comment="WireGuard: source guest" list=WireGuard
add address=192.168.22.0/24 comment="WireGuard: source work" list=WireGuard
add address=192.168.33.0/24 comment="WireGuard: source main" list=WireGuard
add address=1.1.1.1 comment="WireGuard: exclude from destination" list=\
    WireGuardExclude
add address=192.168.11.0/24 list=LAN
add address=192.168.22.0/24 list=LAN
add address=192.168.33.0/24 list=LAN
add address=172.16.1.0/24 list=LAN
/ip firewall filter
add action=accept chain=input comment=\
    "Accept established, related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="Drop invalid input" connection-state=\
    invalid log=yes log-prefix=drop_invalid
add action=drop chain=forward comment="Drop invalid input" connection-state=\
    invalid log=yes log-prefix=drop_invalid
add action=accept chain=input comment="Accept ICMP" log=yes protocol=icmp
add action=accept chain=input comment="Allow SSH & WinBox from Management" \
    dst-port=22,8291 in-interface-list=Management protocol=tcp
add action=drop chain=input comment="Drop and log External input" \
    in-interface-list=WAN log=yes log-prefix=drop_input
add action=fasttrack-connection chain=forward comment=\
    "FastTrack established, related" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
    "Accept established, related, untracked (existing connections)" \
    connection-state=established,related,untracked
add action=drop chain=input comment="Drop all !LAN" disabled=yes \
    in-interface-list=!LAN log=yes log-prefix=not_from_LAN
add action=drop chain=input comment="Drop Guest->Main: input" \
    dst-address-list="Main VLAN" log=yes log-prefix=drop_guest \
    src-address-list="Guest VLAN"
add action=drop chain=forward comment="Drop Guest->Main: forward" \
    dst-address-list="Main VLAN" log=yes log-prefix=drop_guest \
    src-address-list="Guest VLAN"
add action=drop chain=input comment="Drop Work->Main: input" \
    dst-address-list="Main VLAN" log=yes log-prefix=drop_work \
    src-address-list="Work VLAN"
add action=drop chain=forward comment="Drop Work->Main: forward" \
    dst-address-list="Main VLAN" log=yes log-prefix=drop_work \
    src-address-list="Work VLAN"
add action=drop chain=input comment="Drop Work->Guest: input" \
    dst-address-list="Guest VLAN" log=yes log-prefix=drop_work \
    src-address-list="Work VLAN"
add action=drop chain=forward comment="Drop Work->Guest: forward" \
    dst-address-list="Guest VLAN" log=yes log-prefix=drop_work \
    src-address-list="Work VLAN"
/ip firewall mangle
add action=jump chain=prerouting comment="WireGuard: jump to marking" \
    connection-state=new jump-target=mark-connections
add action=accept chain=prerouting comment=\
    "WireGuard: accept return connections" in-interface=wireguard1
add action=mark-routing chain=prerouting comment="WireGuard: mark routing" \
    connection-mark=wireguard disabled=yes log-prefix=mark_routing \
    new-routing-mark=wireguard passthrough=no
add action=mark-connection chain=mark-connections comment=\
    "WireGuard: mark desired traffic" connection-mark=no-mark \
    dst-address-list=!WireGuardExclude dst-address-type=!local log-prefix=\
    mark_conn new-connection-mark=wireguard passthrough=yes src-address-list=\
    WireGuard
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    out-interface=ether1
add action=masquerade chain=srcnat comment="WireGuard: masquerade" \
    out-interface=wireguard1
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip route
add comment="Static route to WireGuard peer" disabled=no distance=1 \
    dst-address=1.2.3.4/32 gateway=192.168.79.1 pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="test def route" disabled=yes distance=1 dst-address=0.0.0.0/0 \
    gateway=192.168.79.1 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="WireGuard: default route @main" disabled=no distance=1 \
    dst-address=0.0.0.0/0 gateway=wireguard1 pref-src="" routing-table=main \
    scope=30 suppress-hw-offload=no target-scope=10
add comment="WireGuard: default route" disabled=no distance=1 dst-address=\
    0.0.0.0/0 gateway=wireguard1 pref-src="" routing-table=wireguard scope=30 \
    suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set forwarding-enabled=both host-key-type=ed25519 strong-crypto=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !*2000011
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !*2000011
/system clock
set time-zone-name=Europe/Paris
/system identity
set name=mikrotik
/system logging
add topics=bridge
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no

I've decided to try the approach outlined by @sindy in this post: http://forum.mikrotik.com/t/static-default-route-im-missing-something/119183/30 but still no luck. Basically, for this test, I want my LANs to reach 1.1.1.1 via the ISP's gw (192.168.79.1, automatic route by DHCP @ether1), and everything else should go to WireGuard. What happens now (if I enable the defconf masquerade and route): 1.1.1.1 is working fine, WireGuard destinations hang (traceroute stops at the router). Right now I'm solving it by routing everything via WireGuard (see the default 0.0.0.0/0 route @main), but I'd like to fully utilize the power of mangle (basically, I want to have address lists where I can put domains etc.). I can make this work with static routes or routing rules, but I want to do it properly via the firewall.

Thanks everyone

disable this:
/ip firewall mangle
add action=jump chain=prerouting comment="WireGuard: jump to marking" \
    connection-state=new jump-target=mark-connections
add action=accept chain=prerouting comment=\
    "WireGuard: accept return connections" in-interface=wireguard1
add action=mark-routing chain=prerouting comment="WireGuard: mark routing" \
    connection-mark=wireguard disabled=yes log-prefix=mark_routing \
    new-routing-mark=wireguard passthrough=no
add action=mark-connection chain=mark-connections comment=\
    "WireGuard: mark desired traffic" connection-mark=no-mark \
    dst-address-list=!WireGuardExclude dst-address-type=!local log-prefix=\
    mark_conn new-connection-mark=wireguard passthrough=yes src-address-list=\
    WireGuard

make this:
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address=!192.168.0.0/16 \
    dst-address-list=!WireGuardExclude new-routing-mark=wireguard \
    passthrough=yes src-address=192.168.0.0/16
add action=change-mss chain=forward disabled=no new-mss=clamp-to-pmtu \
    out-interface=wireguard1 passthrough=yes protocol=tcp tcp-flags=syn


remove this:
/ip route
add comment="Static route to WireGuard peer" disabled=no distance=1 \
    dst-address=1.2.3.4/32 gateway=192.168.79.1 pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="test def route" disabled=yes distance=1 dst-address=0.0.0.0/0 \
    gateway=192.168.79.1 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="WireGuard: default route @main" disabled=no distance=1 \
    dst-address=0.0.0.0/0 gateway=wireguard1 pref-src="" routing-table=main \
    scope=30 suppress-hw-offload=no target-scope=10
add comment="WireGuard: default route" disabled=no distance=1 dst-address=\
    0.0.0.0/0 gateway=wireguard1 pref-src="" routing-table=wireguard scope=30 \
    suppress-hw-offload=no target-scope=10

make this:
/ip route
add comment="WireGuard" disabled=no distance=1 dst-address=0.0.0.0/0 \
    gateway=wireguard1 pref-src="" routing-table=wireguard scope=30 \
    suppress-hw-offload=yes target-scope=10

/ip firewall nat - all correct!
But I noticed you disabled masquerade for ether1.
How do you access the Internet?!

firewall - temporarily disable all drops for tests!

if you have your wireguard endpoint as "endpoint-address=1.2.3.4",
add 1.2.3.4 into WireGuardExclude so as not to mark routing for the "outer" wireguard traffic:
/ip firewall address-list
add address=1.2.3.4 comment="WireGuard endpoint" list=WireGuardExclude


Consider using the MikroTik as a caching DNS!
This is not related to WireGuard.

Quick question, what are you wireguarding to? Another MT router, a third-party VPN provider, etc.?
If it's a third-party provider, did they give you a DNS to use??
If it's a third-party provider, the extra clamping mangle rule provided in the above post is spot on to ensure no MTU issues!!

Is it normal or useful to have such short leases, 1m???
Best to set rp-filter loose, NOT strict


Your /ip bridge ports and /ip bridge vlan MAKE NO SENSE!!!

The only thing that seems clear is that → ether4 is an access port connected to a dumb device for vlan33.
ether5 is what (trunk? hybrid?) connected to a smart device and involves vlans 10,20,33 (and possibly untagged on one of them??).
It's either untagged (pvid=33 on bridge ports and thus untagged BELOW), or tagged below is incorrect and REMOVE the pvid setting in bridge ports!

I suspect that it's untagged for 33 and tagged for 10 and 20, and thus this line maybe is the only fix required??
/interface bridge vlan
add bridge=bridge1 comment="Allow VLAN 33" tagged=bridge1,ether5??,wlan2 \
    untagged=ether4 vlan-ids=33

SEEING that line reminded me of the other ERROR, WLAN2. Under bridge ports it's an access port for vlan10, but how is it related to vlan20??
add bridge=bridge1 comment="5 GHz" interface=wlan2 pvid=10

add bridge=bridge1 comment="Allow VLAN 33" tagged=bridge1,ether5,wlan2 \
    untagged=ether4 vlan-ids=33
add bridge=bridge1 comment="Allow VLAN 10" tagged=bridge1,ether5 untagged=\
    wlan2 vlan-ids=10

As far as I know a wlan can only deal with one vlan? Suspect you need to remove the vlan from the first rule.

Don't understand your address 1.1.1.1, it's a DNS address; for what purpose is it being used??
Don't understand why you consider the WireGuard subnet as part of the LAN?

Is the WireGuard hosting incoming traffic to the LAN? I thought it was a peer heading outbound…???

I don't see the point of naming WHOLE SUBNETS as a firewall list entry.
This should be done under interface lists.

I think what you are saying is that all the subnets should go out to the internet via WireGuard…
Thus I state again, what are you connecting to…
If it's a third-party VPN, they provide you with a DNS that you must use, not a twisted attempt to use 1.1.1.1 on your router???

Your only option in this case is to send a Pi server through WG as well, and inside of it you put its initial connecting DNS as the one provided by the third party, and then the Pi connects to its DNS encrypted servers (be it AdGuard or something else…)

Thus before any mangling is done, you need to be crystal clear on the requirements; they are too vague.

Also not clear is what happens if the WireGuard connection goes down? Do you want your subnets to be able to use the local WAN for internet??

What has made you set rp-filter to strict under /ip settings?

With this setting, the router silently drops incoming packets if routing indicates that a (potential) response to such an incoming packet would be routed via some other interface than the one through which the incoming packet came in, and it only uses routing table main for this check.

For a home router, rp-filter=loose is usually sufficient. If it doesn’t help either, try just no. If you feel you need the source validation, you have to replace the global rp-filter functionality by some raw or filter rules in firewall.

Thanks for replies guys.

@anav - 1.1.1.1 as an Exclude list member is irrelevant – I just picked it for smaller traceroutes. Essentially my goal is to add certain websites to the Exclude list, so that everything else uses the default (not WireGuard) routing. I'm using a 3rd-party provider, yes; WireGuard shouldn't be in the LAN list indeed. Also DNS is not an issue, I can sort it out later… I just want to have the routing right.

Didn't quite get your remark regarding VLANs… so ether4 is a Raspberry which should be on VLAN33, and ether5 goes to a switch (it's a trunk port), and this switch has all kinds of devices plugged into it… wlan2 has to be a bridge member so I can have all kinds of devices there as well. Yes, I know about RADIUS, but for my setup a registration list with MACs is fine…

@sas2k – I've tried this before; I'd really like to have it with connection marks, so I can enable fasttrack later. As for the default masquerade rule being disabled, I disabled it for testing, but yes, it should be on for the Exclude list to work.

@sindy – I have no idea :laughing: I suspect it's from the times I tried to make multicast work between VLANs and it's a leftover from a previous config… Thanks! I removed it.

No problem to make fasttrack.
I made it like this, works excellently.
You should realise you can fasttrack only normal traffic, not tunneled:

/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related in-interface=bridge1 out-interface=ether1
add action=fasttrack-connection chain=forward connection-state=established,related in-interface=ether1 out-interface=bridge1

Oh nice, thank you. BTW, why wouldn't it work for the tunnel, if it's already connmarked?

I dunno, I'm a beginner.
There are many things that I am unable to understand.
I failed to get working lots of variants of fasttrack that I tried to study.
You may create your own perfect config and share.
I share what I could get working well enough…
The biggest question that kills me up to this moment - why is WireGuard upload much slower than IPsec?
So I use IPsec, not WireGuard.
Much more stable and faster (upload), and no problems with MSS clamp-to-pmtu.

Nice to learn that you have removed it, but I’ve mentioned that because I’ve thought that the strict setting was the reason why the routing-mark “wasn’t working” to send the selected traffic via the tunnel… so did setting to loose or no make it possible to send the traffic via tunnel by means of the routing-mark or not? Or, more exactly, do you get any responses via the tunnel now?

You have made changes, so you say :wink:, repost config so we can work from facts/evidence!

The default action=fasttrack-connection rule doesn’t care about packet direction. Packets belonging to a given connection can either be mangled or fasttracked, not both. So no packet of a connection whose traffic needs to be mangled must ever reach the action=fasttrack-connection rule - or, if it reaches it, it must not match it. Once a connection gets fasttracked, most of its packets start bypassing mangle and other stages of packet processing.


That’s indeed weird. Both wireguard and IPsec add some overhead to the payload packets so both should suffer from about the same issues with path MTU discovery.

As for speed, WireGuard uses a single cipher that is optimised for software implementation, so on a CPU without encryption hardware it is normally faster than IPsec if the latter uses a decent cipher (i.e. not DES). On a CPU with encryption hardware it is not surprising that IPsec is faster; I don't know any MikroTik model whose CPU would implement the WireGuard cipher in hardware.

But the issue of slow speed may be caused by fasttracking the traffic that needs to be mangled in order to get to the tunnel, so did you compare Wireguard with IPsec with fasttracking disabled?

I don't know what it was, but I definitely suspect that /ip/settings/ip-filter was it. I set it to loose and added another rule in mangle to accept responses from the default (non-tunneled) interface. So now mangle looks like this (note rule #3):

/ip firewall mangle
add action=jump chain=prerouting comment="WireGuard: jump to marking" connection-state=new jump-target=mark-connections
add action=accept chain=prerouting comment="WireGuard: accept return connections" in-interface=wireguard1
add action=accept chain=prerouting comment="def: accept return connections" in-interface=ether1
add action=mark-routing chain=prerouting comment="WireGuard: mark routing" connection-mark=wireguard log-prefix=mark_routing new-routing-mark=wireguard \
    passthrough=no
add action=mark-connection chain=mark-connections comment="WireGuard: mark desired traffic" connection-mark=no-mark dst-address-list=!WireGuardExclude \
    dst-address-type=!local log-prefix=mark_conn new-connection-mark=wireguard passthrough=yes src-address-list=WireGuard

I've also removed all the PIM-SM stuff completely, even if it was disabled… I guess there were some leftovers. THANK YOU EVERYONE!!!

PS. I've now noticed an awful lot of "drop_invalid" entries in the log, which stop once I close the torrenting clients… I guess that's how torrent clients are trying to get around my firewall or smth? Relevant rules are:

/ip firewall filter
add action=accept chain=input comment="Accept established, related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="Accept established, related, untracked (existing connections)" connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid input" connection-state=invalid log=yes log-prefix=drop_invalid
add action=drop chain=forward comment="Drop invalid input" connection-state=invalid log=yes log-prefix=drop_invalid

And log is now filled with stuff like

drop_invalid forward: in:vlan1 out:ether1, connection-state:invalid src-mac aa:bb:cc:dd:ee:ff, proto TCP (ACK,FIN,PSH), 192.168.33.181:16241->1.24.50.211:13597, len 76

My two key takeaways while trying to tweak this:

  • this /ip/settings/ip-filter DOES NOT WORK with custom routing tables, so it has to be loose or disabled, as sindy said;
  • there HAS TO BE a default 0.0.0.0/0 route in the @main routing table, even if you're routing differently. If there's none, mangle gets very confused.
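The behaviour discussed in this post and in the replies around it (return packets already carrying the connection-mark, the accept-on-wireguard1/ether1 rules placed before mark-routing, and a fasttracked connection bypassing mangle entirely) modelled in a short Python script. This is an added example, not RouterOS code from the thread or from MikroTik; it assumes a simplified connection tracker with no NAT, and the address-list and interface names are copied from the config exports above.

```python
# Added example: a toy model of the RouterOS prerouting mangle chain with
# connection tracking. Assumptions: no NAT, conntrack keyed on the unordered
# (src, dst) pair, list/interface names taken from the thread's config.
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Address lists mirroring the thread's /ip firewall address-list export.
ADDRESS_LISTS = {
    "WireGuard": ["192.168.33.0/24", "192.168.11.0/24", "192.168.22.0/24"],
    "WireGuardExclude": ["1.1.1.1/32"],
}
# Addresses owned by the router itself (what dst-address-type=local matches).
LOCAL_ADDRESSES = {"192.168.33.1", "192.168.11.1", "192.168.22.1", "172.16.1.130"}


def in_list(addr: str, name: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net) for net in ADDRESS_LISTS[name])


@dataclass
class Packet:
    src: str
    dst: str
    in_iface: str
    routing_mark: Optional[str] = None   # None means "use table main"


class ConnTracker:
    """One entry per flow, shared by both directions: a connection-mark set on
    the first packet is seen again by every reply packet of that flow."""

    def __init__(self) -> None:
        self.table = {}

    def entry(self, pkt: Packet) -> dict:
        key = tuple(sorted((pkt.src, pkt.dst)))
        is_new = key not in self.table
        conn = self.table.setdefault(key, {"mark": None, "fasttracked": False})
        conn["state"] = "new" if is_new else "established"
        return conn


def run_chain(rules, pkt: Packet, conn: dict) -> bool:
    """Walk a chain top to bottom. Returns True when a terminal action
    (accept, or a mark with passthrough=no) ended processing for the packet."""
    for rule in rules:
        if not rule["match"](pkt, conn):
            continue
        action = rule["action"]
        if action == "accept":
            return True
        if action == "jump":
            if run_chain(rule["target"], pkt, conn):
                return True
            continue  # jump target fell off its end: back to this chain
        if action == "mark-connection":
            conn["mark"] = rule["mark"]
        elif action == "mark-routing":
            pkt.routing_mark = rule["mark"]
        if not rule.get("passthrough", True):
            return True
    return False


def wants_tunnel(pkt: Packet, conn: dict) -> bool:
    """The 'WireGuard: mark desired traffic' matcher from the thread."""
    return (conn["mark"] is None
            and not in_list(pkt.dst, "WireGuardExclude")
            and pkt.dst not in LOCAL_ADDRESSES
            and in_list(pkt.src, "WireGuard"))


MARK_CONNECTIONS_CHAIN = [
    {"match": wants_tunnel, "action": "mark-connection", "mark": "wireguard"},
]

# Rule set from the opening post: nothing separates return packets from
# outbound ones, so mark-routing fires on every packet of a marked connection.
ORIGINAL_RULES = [
    *MARK_CONNECTIONS_CHAIN,
    {"match": lambda p, c: c["mark"] == "wireguard" and p.dst not in LOCAL_ADDRESSES,
     "action": "mark-routing", "mark": "wireguard"},
]

# Rule set from the thread's final mangle export (accept before mark-routing).
FIXED_RULES = [
    {"match": lambda p, c: c["state"] == "new", "action": "jump",
     "target": MARK_CONNECTIONS_CHAIN},
    {"match": lambda p, c: p.in_iface == "wireguard1", "action": "accept"},
    {"match": lambda p, c: p.in_iface == "ether1", "action": "accept"},
    {"match": lambda p, c: c["mark"] == "wireguard", "action": "mark-routing",
     "mark": "wireguard", "passthrough": False},
]


def simulate(rules, packets, fasttrack: bool = False):
    """Push (src, dst, in-interface) packets through prerouting in order and
    return the routing-mark each one ends up with."""
    ct = ConnTracker()
    marks = []
    for src, dst, iface in packets:
        pkt = Packet(src, dst, iface)
        conn = ct.entry(pkt)
        if not conn["fasttracked"]:       # fasttracked packets skip mangle entirely
            run_chain(rules, pkt, conn)
            # An unconditional fasttrack-connection rule on established traffic
            # in chain forward fasttracks the flow from its first reply onwards.
            if fasttrack and conn["state"] == "established":
                conn["fasttracked"] = True
        marks.append(pkt.routing_mark)
    return marks


# Constructed traffic: a main-VLAN host talks to 4.2.2.2 (to be tunnelled) and
# to 1.1.1.1 (on the exclude list); replies arrive on the matching interface.
PING_AND_REPLY = [
    ("192.168.33.181", "4.2.2.2", "vlan1"),
    ("4.2.2.2", "192.168.33.181", "wireguard1"),
    ("192.168.33.181", "4.2.2.2", "vlan1"),
]
EXCLUDED = [
    ("192.168.33.181", "1.1.1.1", "vlan1"),
    ("1.1.1.1", "192.168.33.181", "ether1"),
]
```

Running `simulate(ORIGINAL_RULES, PING_AND_REPLY)` marks all three packets, including the reply that came in on wireguard1, which is exactly the "thrown back into the tunnel" symptom from the opening post; `simulate(FIXED_RULES, PING_AND_REPLY)` leaves the reply unmarked. With `fasttrack=True` the third packet of the flow is never seen by mangle and so goes out via table main, which is the interaction sindy describes between fasttrack-connection and mangle.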

Mangle doesn’t get confused, mangle most likely has nothing to handle.

When a process on the router itself sends a packet, it uses table main first, unless a routing rule says otherwise. Only once a route has been found this way does the packet get handled by mangle in chain output, where it may get a routing-mark; if that happens, it gets routed again, according to that routing-mark.

So if you ping from the router itself an address that is reachable via the tunnel but no route in table main matches that address, the ping fails because the ping request packet never reaches chain output.

The main table is where the router looks to sort out which routes are active, is my understanding. It doesn't necessarily use that route, depending upon admin policies/rules.

I don't know what happens exactly, between router and ISP, in terms of whether or not the route in the main table is required to establish a connection, but I suspect so.

I know that for establishing tunnels, initially traffic has to come in or go out a WAN and come back on that specific WAN, and afterwards traffic is hidden (tunnelled).
I suspect having the route in the main table may also be some sort of prerequisite for that.