wireguard, mark routing, dns doesn't work

Hello,

firstly, thank you to all who will help.


here is the situation:

I have a PPTP server and a mikrotik as a client. On the diagram, on the right side,

the mikrotik is behind the ISP router and my router as well.

I have an Apple TV connected to it on 192.168.4.36, gw 192.168.4.100, dns 192.168.4.100
on the mikrotik there is a script sniffing predefined domains and filling the firewall's address list.
mangle prerouting marks the packets and they are sent to a routing table which has its own gw to the PPTP VPN (green line).
the rest of the traffic goes to the internet (blue line).

this works perfectly.

on the other hand:
I also have (for testing) another mikrotik with another Apple TV, on the diagram right side

the mikrotik is also behind the ISP router and my router as well.

I have an Apple TV connected to it on 192.168.4.196, gw 192.168.4.188, dns 192.168.4.188
on the mikrotik there is the same script sniffing predefined domains and filling the firewall's address list.
mangle prerouting marks the packets and they are sent to a routing table which has its own gw to the WireGuard VPN (there is no line, because it doesn't work) :frowning: :frowning: :frowning:
the rest of the traffic goes to the internet (blue line).

I have a handshake and I can ping 192.168.100.1, the other side

BUT
as I mentioned, all of the above works only with PPTP, not the test with WireGuard


the goal is to make WireGuard run, then transfer the settings to the first mikrotik (right) router, then turn PPTP off and keep the settings stored as a backup (just in case, because it works)…


thank you all for your help

Here is a map:

diagram.png
here are the exports

PPTP

# 2023-10-19 19:50:40 by RouterOS 7.11.2
# software id = xxxx-xxxx
#
# model = RB750Gr3
# serial number = xxxxxxxxx
/interface pptp-client
add connect-to=81.xxx.xxx.xxx disabled=no max-mtu=1400 name=VPN_CZ user=pp31
/interface bridge
add name=bridge1
/interface list
add name=WAN
add name=LAN
/routing table
add fib name=CZ_VPN
/interface bridge port
add bridge=bridge1 ingress-filtering=no interface=ether1
add bridge=bridge1 ingress-filtering=no interface=ether2
add bridge=bridge1 ingress-filtering=no interface=ether4
add bridge=bridge1 ingress-filtering=no interface=ether5
add bridge=bridge1 ingress-filtering=no interface=ether3
add bridge=*9 ingress-filtering=no interface=WAN
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=ether1 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=VPN_CZ list=WAN
/ip dns
set allow-remote-requests=yes cache-size=4096KiB servers=8.8.4.4,8.8.8.8
/ip dns static
add forward-to=192.168.103.1 regexp=".*\\.o2tv\\.cz\$" type=FWD
add forward-to=192.168.103.1 regexp=".*\\.iol\\.cz\$" type=FWD
add forward-to=192.168.103.1 regexp=".*\\.ceskatelevize\\.cz\$" type=FWD
add forward-to=192.168.103.1 regexp=".*\\.czech-tv\\.cz\$" type=FWD
add disabled=yes forward-to=192.168.103.1 regexp=".*\\.cz\$" type=FWD
/ip firewall mangle
add action=mark-routing chain=prerouting comment="Sortie Voyo" \
    dst-address-list=voyo new-routing-mark=CZ_VPN passthrough=yes \
    src-address=192.168.4.36
add action=mark-routing chain=prerouting comment=ct dst-address-list=ct \
    new-routing-mark=CZ_VPN passthrough=yes src-address=192.168.4.36
/ip firewall nat
add action=masquerade chain=srcnat out-interface=VPN_CZ
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=VPN_CZ routing-table=CZ_VPN
add disabled=yes dst-address=0.0.0.0/0 gateway=192.168.103.1 routing-table=CT
/system clock
set time-zone-name=Australia/Brisbane
/system note
set show-at-login=no
/system routerboard settings
set auto-upgrade=yes
/system scheduler
add interval=5s name=ct on-event=":global ajouteIP do={\r\
    \n  :if ([:len [/ip firewall address-list find address=\"\$nouvelleIP\" an\
    d list=\"ct\"]] = 0) do={\r\
    \n    /ip firewall address-list add list=\"ct\" address=\$nouvelleIP timeo\
    ut=00:05:00\r\
    \n  }\r\
    \n}\r\
    \n\r\
    \n:local myServers { \"ivysilani\";\"ceskatelevize\";\"seznam\";\"stream\"\
    ;\"o2tv\";\"czech-tv\";\"iol\"}\r\
    \n/ip dns cache all {\r\
    \n  :foreach i in=\$myServers do={\r\
    \n    :foreach j in=[find where (name~\$i)] do={\r\
    \n      :local myName [get \$j name]\r\
    \n      :local myType [get \$j type]\r\
    \n      :local myData [get \$j data]\r\
    \n      :if (\$myType = \"A\") do={\r\
    \n        \$ajouteIP nouvelleIP=\$myData\r\
    \n       }\r\
    \n\r\
    \n      :if (\$myType = \"CNAME\") do={\r\
    \n        :local ipResolue [:resolve \"\$myData\"];\r\
    \n         \$ajouteIP nouvelleIP=\$ipResolue\r\
    \n      }\r\
    \n    }\r\
    \n  }\r\
    \n}" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
add interval=5s name=voyo on-event=":global ajouteIP do={\r\
    \n  :if ([:len [/ip firewall address-list find address=\"\$nouvelleIP\" an\
    d list=\"voyo\"]] = 0) do={\r\
    \n    /ip firewall address-list add list=\"voyo\" address=\$nouvelleIP tim\
    eout=00:05:00\r\
    \n  }\r\
    \n}\r\
    \n\r\
    \n:local myServers { \"voyo\";\"cra\";\"nova\";\"sledovanitv\";\"imedia\";\
    \"sdn\"}\r\
    \n/ip dns cache all {\r\
    \n  :foreach i in=\$myServers do={\r\
    \n    :foreach j in=[find where (name~\$i)] do={\r\
    \n      :local myName [get \$j name]\r\
    \n      :local myType [get \$j type]\r\
    \n      :local myData [get \$j data]\r\
    \n      :if (\$myType = \"A\") do={\r\
    \n        \$ajouteIP nouvelleIP=\$myData\r\
    \n       }\r\
    \n\r\
    \n      :if (\$myType = \"CNAME\") do={\r\
    \n        :local ipResolue [:resolve \"\$myData\"];\r\
    \n         \$ajouteIP nouvelleIP=\$ipResolue\r\
    \n      }\r\
    \n    }\r\
    \n  }\r\
    \n}" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
add interval=45m name=cloudns on-event="/tool fetch url=\"https://ipv4.cloudns\
    .net/api/dynamicURL/\?q=NTE5MjU5NDozNDI5MTQxODY6MWMzMGFiYTZiMjI3ZWIwOTllNj\
    dkOTRjMTM5ZmVkMjlhYjk4NjAwYzQ5MWRiZTRjNzk0YTA3MjIzZDdiMWQ3Mg\" mode=https" \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
/system script
add dont-require-permissions=no name=voyo owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    global ajouteIP do={\r\
    \n  :if ([:len [/ip firewall address-list find address=\"\$nouvelleIP\" an\
    d list=\"voyo\"]] = 0) do={\r\
    \n    /ip firewall address-list add list=\"voyo\" address=\$nouvelleIP tim\
    eout=02:00:00\r\
    \n  }\r\
    \n}\r\
    \n\r\
    \n:local myServers { \"voyo\";\"cra\";\"nova\"}\r\
    \n/ip dns cache all {\r\
    \n  :foreach i in=\$myServers do={\r\
    \n    :foreach j in=[find where (name~\$i)] do={\r\
    \n      :local myName [get \$j name]\r\
    \n      :local myType [get \$j type]\r\
    \n      :local myData [get \$j data]\r\
    \n      :if (\$myType = \"A\") do={\r\
    \n        \$ajouteIP nouvelleIP=\$myData\r\
    \n       }\r\
    \n\r\
    \n      :if (\$myType = \"CNAME\") do={\r\
    \n        :local ipResolue [:resolve \"\$myData\"];\r\
    \n         \$ajouteIP nouvelleIP=\$ipResolue\r\
    \n      }\r\
    \n    }\r\
    \n  }\r\
    \n}"
add dont-require-permissions=no name=cloudns owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    tool fetch url=\"https://ipv4.cloudns.net/api/dynamicURL/\?q=xxxxxxxxxxx\
    xxxxxxxxxxxxx\" mode=https"

WireGuard

# 2023-10-19 19:32:47 by RouterOS 7.11.2
# software id = xxxxx
#
# model = RB941-2nD
# serial number = xxxxxxxxx
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/routing table
add fib name=CZ_VPN
/interface bridge port
add bridge=bridge1 ingress-filtering=no interface=ether1
add bridge=bridge1 ingress-filtering=no interface=ether2
add bridge=bridge1 ingress-filtering=no interface=ether3
add bridge=bridge1 ingress-filtering=no interface=ether4
add bridge=*9 ingress-filtering=no interface=WAN
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=ether1 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=wireguard1 list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=81.x.x.x endpoint-port=\
    13231 interface=wireguard1 persistent-keepalive=40s public-key=\
    "xxxxxxxxxxxxxxxxxxx"
/ip address
add address=192.168.100.2/24 interface=wireguard1 network=192.168.100.0
/ip dhcp-client
add interface=bridge1 use-peer-dns=no
/ip dns
set allow-remote-requests=yes cache-size=4096KiB servers=8.8.8.8,8.8.4.4
/ip dns static
add forward-to=192.168.100.1 regexp=".*\\.o2tv\\.cz\$" type=FWD
add forward-to=192.168.100.1 regexp=".*\\.iol\\.cz\$" type=FWD
add forward-to=192.168.100.1 regexp=".*\\.ceskatelevize\\.cz\$" type=FWD
add forward-to=192.168.100.1 regexp=".*\\.czech-tv\\.cz\$" type=FWD
/ip firewall mangle
add action=mark-routing chain=prerouting comment="Sortie Voyo" \
    dst-address-list=voyo new-routing-mark=CZ_VPN passthrough=yes \
    src-address=192.168.4.196
add action=mark-routing chain=prerouting comment=ct dst-address-list=ct \
    new-routing-mark=CZ_VPN passthrough=yes src-address=192.168.4.196
/ip firewall nat
add action=masquerade chain=srcnat out-interface=wireguard1
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wireguard1 pref-src=\
    "" routing-table=CZ_VPN scope=30 suppress-hw-offload=no target-scope=10
/system clock
set time-zone-name=Australia/Brisbane
/system note
set show-at-login=no
/system routerboard settings
set auto-upgrade=yes
/system scheduler
add interval=5s name=ct on-event=":global ajouteIP do={\r\
    \n  :if ([:len [/ip firewall address-list find address=\"\$nouvelleIP\" an\
    d list=\"ct\"]] = 0) do={\r\
    \n    /ip firewall address-list add list=\"ct\" address=\$nouvelleIP timeo\
    ut=00:05:00\r\
    \n  }\r\
    \n}\r\
    \n\r\
    \n:local myServers { \"ivysilani\";\"ceskatelevize\";\"seznam\";\"stream\"\
    ;\"o2tv\";\"czech-tv\";\"iol\"}\r\
    \n/ip dns cache all {\r\
    \n  :foreach i in=\$myServers do={\r\
    \n    :foreach j in=[find where (name~\$i)] do={\r\
    \n      :local myName [get \$j name]\r\
    \n      :local myType [get \$j type]\r\
    \n      :local myData [get \$j data]\r\
    \n      :if (\$myType = \"A\") do={\r\
    \n        \$ajouteIP nouvelleIP=\$myData\r\
    \n       }\r\
    \n\r\
    \n      :if (\$myType = \"CNAME\") do={\r\
    \n        :local ipResolue [:resolve \"\$myData\"];\r\
    \n         \$ajouteIP nouvelleIP=\$ipResolue\r\
    \n      }\r\
    \n    }\r\
    \n  }\r\
    \n}" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
add interval=5s name=voyo on-event=":global ajouteIP do={\r\
    \n  :if ([:len [/ip firewall address-list find address=\"\$nouvelleIP\" an\
    d list=\"voyo\"]] = 0) do={\r\
    \n    /ip firewall address-list add list=\"voyo\" address=\$nouvelleIP tim\
    eout=00:05:00\r\
    \n  }\r\
    \n}\r\
    \n\r\
    \n:local myServers { \"voyo\";\"cra\";\"nova\";\"sledovanitv\";\"imedia\";\
    \"sdn\"}\r\
    \n/ip dns cache all {\r\
    \n  :foreach i in=\$myServers do={\r\
    \n    :foreach j in=[find where (name~\$i)] do={\r\
    \n      :local myName [get \$j name]\r\
    \n      :local myType [get \$j type]\r\
    \n      :local myData [get \$j data]\r\
    \n      :if (\$myType = \"A\") do={\r\
    \n        \$ajouteIP nouvelleIP=\$myData\r\
    \n       }\r\
    \n\r\
    \n      :if (\$myType = \"CNAME\") do={\r\
    \n        :local ipResolue [:resolve \"\$myData\"];\r\
    \n         \$ajouteIP nouvelleIP=\$ipResolue\r\
    \n      }\r\
    \n    }\r\
    \n  }\r\
    \n}" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
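An added Python model (not code from the thread) of what the scheduler scripts and the mangle rule do together, using a constructed DNS-cache snapshot. It also shows a caveat worth checking: the scripts match cached names with RouterOS `~`, an unanchored regex, so a short pattern like "cra" or "stream" also matches unrelated domains and sends that traffic into the VPN, whereas the anchored `.*\.o2tv\.cz$` form used by the /ip dns static rules does not. CNAMEs are followed inside the constructed cache here; the real script calls `:resolve`.

```python
import re

# Constructed DNS-cache snapshot in the shape the forum script reads (name, type, data).
DNS_CACHE = [
    ("www.o2tv.cz", "A", "203.0.113.10"),
    ("cdn.o2tv.cz", "CNAME", "edge.o2tv.cz"),
    ("edge.o2tv.cz", "A", "203.0.113.11"),
    ("play.nova.cz", "A", "203.0.113.20"),
    ("crashlytics.example.com", "A", "198.51.100.5"),  # unrelated, contains "cra"
    ("stream.example.org", "A", "198.51.100.6"),       # unrelated, contains "stream"
]

# Patterns as used by the scheduler scripts; RouterOS `~` is an unanchored regex match.
UNANCHORED = ["voyo", "cra", "nova", "stream", "o2tv"]
# Anchored suffix patterns in the style of the thread's /ip dns static FWD rules.
ANCHORED = [r".*\.o2tv\.cz$", r".*\.nova\.cz$"]

def resolve(name, cache, depth=0):
    """Follow CNAMEs inside the constructed cache (the script calls :resolve instead)."""
    if depth > 5:                      # guard against CNAME loops
        return []
    ips = []
    for n, rtype, data in cache:
        if n != name:
            continue
        if rtype == "A":
            ips.append(data)
        elif rtype == "CNAME":
            ips.extend(resolve(data, cache, depth + 1))
    return ips

def build_address_list(patterns, cache):
    """Model of the script: every cached name matching a pattern contributes its A records."""
    addrs = set()
    for pat in patterns:
        rx = re.compile(pat)
        for name, _rtype, _data in cache:
            if rx.search(name):
                addrs.update(resolve(name, cache))
    return addrs

def routing_table(src, dst, address_list, marked_src="192.168.4.196"):
    """Model of the mangle prerouting rule: only the Apple TV's packets to listed IPs get CZ_VPN."""
    return "CZ_VPN" if src == marked_src and dst in address_list else "main"

def overmatched(cache):
    """Addresses the unanchored patterns catch that the anchored ones do not."""
    loose = build_address_list(UNANCHORED, cache)
    strict = build_address_list(ANCHORED, cache)
    return sorted(loose - strict)
```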

Your initial explanation is a mess and I didn't understand it at all.
Please at least draw a network diagram…

I updated the original post too, but here is the diagram I made
diagram.png

I am at the end of my knowledge, and would like to find out why it doesn't work.

thank you for helping

Hi,
can @anav help, please?

It's a tad too complex for me to sort out unfortunately, too many moving parts.
All I can say is that for WireGuard peers to reach each other, one side needs to have a reachable public IP or at least can have the listening port forwarded to the server device.
If you have a WireGuard connection request coming from a client to the server device and the server device has multiple WANs, one has to ensure the response will go back on the same WAN.
Those are the first big concerns.

On the RB750Gr3, I don't see any WireGuard settings???

I gather the RB941-2nD is a WireGuard client connecting to some server…
It looks okay.
But why does this device not have any local subnets???
But why does this router not have any WAN, where is internet connection coming from, MISSING information.
I see no firewall rules either…

Hi, thank you for your reaction.

The 750 is without WireGuard, because I just could not make it work, so I rolled back to PPTP only for now and set the 941 up as a testing MT. But once it works on the testing one, I will transfer the settings here.

on the 941 I successfully achieved a handshake.
no local subnets, only taken from DHCP as a client of the router; it is in the bridge and on the 192.168.4.0/24 subnet, the main router is connected through ether1.
PastedGraphic-1 2.png
I noticed there is an error in the picture I posted. The appleTV 2 has a different IP, 192.168.4.196, corrected below:
PastedGraphic-2 2.png
I hope it brings a bit of sense.
as I tried to explain above, the MT2 (192.168.4.188) is an exact settings clone of MT1 (192.168.4.100); the difference is MT1 has a functional PPTP with internet and LAN for appleTV1 and Czech content through PPTP, and MT2 has functional internet for the appleTV but goes through the WireGuard at this stage; it shows the app's videos, but doesn't start streaming :frowning:

it looks like, kind of, the server is filtering or not passing my packets out

no firewall. it sits behind the router so I guess it doesn't need any rules except the ones for mangle and srcnat for the VPN

I am starting to think that actually everything was set properly on my side and there might be a problem on the server… firewall and filtering

let's assume my config is alright.

and there is something wrong on the server…

I did a lot of reading of your posts recently.
PastedGraphic-1 3.png
if the picture above is similar to my problem: the people (to biteme) on the right are the AppleTV (192.168.4.196); let's assume I have successfully passed all packets suitable for WireGuard to the tunnel.

could you point out to me what config, firewall, routes etc. should be on the server (on this picture the biteMe)?
I put there, obviously, input port accept, and nat

 ;;; masq. vpn traffic
      chain=srcnat action=masquerade src-address=192.168.100.0/24 log=no log-prefix="masq"

the nat actually allowed the app to show content, but there must be something more to it…

I would appreciate your help

Perhaps read the network settings off appletv2 and write them down.
Remove appletv2
Plug a laptop in where the appletv2 was, and set it up the same as appletv2.

Do traceroutes, pings to destinations on and off vpn.
See how far they go, does that tell you where they stop, and where to look.

What size pings can get through?
You may need them to be close to 1500 bytes.

so I did,

I took my laptop, disconnected the appletv from the cable, gave the laptop the same ip, same gw and same dns

here you can see
PastedGraphic-2 3.png
PastedGraphic-1 2.png
so the script and filter do their job.

the first ping goes to the internet from AU. then the filter script goes through DNS, fills the address list and prerouting sends the traffic to the VPN.

and it doesn't stop. traceroute takes it the right way up to the end. so I don't know why it's not streaming :frowning:

but ping and traceroute are different protocols than streaming…


also, I tried to go to the service through the website, absolutely the same, I see the content, no stream

Try finding the MTU of the link.
(Apparently Netflix checks it)

on windows

ping -f -l 1472 nova.cz

or maybe (linux)

traceroute --mtu nova.cz

Issue with short MTU (and using PPP to fix it):
http://forum.mikrotik.com/t/v7-12beta-testing-is-released/168851/140

Or you can just set the MTU of your WireGuard interfaces to 1500 and see if that helps.
Apparently it will fragment the outer WireGuard packets, so they may be unreliable.

For MTU issues, when there is a client MT router in the mix, add this mangle rule on the client MT router:
/ip firewall mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=wireguard1 passthrough=yes protocol=tcp tcp-flags=syn
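As an added example (not from the thread), a Python model of what the change-mss rule does to a TCP SYN, plus the overhead arithmetic behind the 1420 default MTU on wireguard1. The packets are constructed; the 32-byte WireGuard per-packet overhead (16-byte data header plus 16-byte Poly1305 tag) and the 40-byte IPv4+TCP header cost are protocol facts, and "clamp-to-pmtu" is modelled as PMTU minus 40.

```python
import struct

# WireGuard wraps each inner packet in outer IP + UDP + a 32-byte data header/tag.
WG_OVERHEAD = {"ipv4": 20 + 8 + 32, "ipv6": 40 + 8 + 32}

def wg_tunnel_mtu(wan_mtu, outer="ipv4"):
    """Largest inner packet that fits one outer packet without fragmentation."""
    return wan_mtu - WG_OVERHEAD[outer]

def mss_for_pmtu(pmtu):
    """Largest TCP payload on an IPv4 path: PMTU minus 20-byte IP and 20-byte TCP headers."""
    return pmtu - 40

def build_syn(mss):
    """Constructed 24-byte TCP SYN: 20-byte fixed header plus an MSS option (kind 2, len 4)."""
    hdr = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 6 << 4, 0x02, 65535, 0, 0)
    return hdr + struct.pack("!BBH", 2, 4, mss)

def _mss_offset(seg):
    """Walk the TCP option list; return the byte offset of the MSS value, or None."""
    hlen = (seg[12] >> 4) * 4
    i = 20
    while i < hlen:
        kind = seg[i]
        if kind == 0:            # end of option list
            return None
        if kind == 1:            # NOP padding
            i += 1
            continue
        length = seg[i + 1]
        if kind == 2 and length == 4:
            return i + 2
        i += length
    return None

def parse_mss(seg):
    off = _mss_offset(seg)
    return None if off is None else struct.unpack("!H", seg[off:off + 2])[0]

def clamp_mss(seg, pmtu):
    """Model of change-mss new-mss=clamp-to-pmtu on tcp-flags=syn: lower, never raise, the MSS."""
    if not seg[13] & 0x02:       # only SYN segments carry a meaningful MSS option
        return seg
    off = _mss_offset(seg)
    if off is None:
        return seg
    limit = mss_for_pmtu(pmtu)
    out = bytearray(seg)
    if struct.unpack("!H", out[off:off + 2])[0] > limit:
        out[off:off + 2] = struct.pack("!H", limit)
    # A real router also recomputes the TCP checksum; the constructed header carries 0.
    return bytes(out)
```

With a 1500-byte WAN the inner MTU is 1440 over IPv4 and 1420 over IPv6, which is why 1420 is the safe default and why a SYN arriving with MSS 1460 from a LAN host must be clamped to 1380 before it leaves wireguard1.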

Thank you very much for your help.

it looks like something you advised might have worked.

it really started to work the second I flushed the DNS on the server… god knows why, but it started to work…

I also managed to transfer the WG to the main router, it still works :slight_smile: and I also reduced the script filling the destination address list to just one only.


the only thing I have a problem with right now is fine tuning. when I stream netflix, obviously I want to go out locally, which is a 4K stream of 25 to 40 Mbps from the internet.

BUT, there is also a 2 Mbps stream for approximately 2-3 minutes. not sure what it could be and why.