Wireguard multiple tunnels on different interfaces

CrazYViruS · June 17, 2025, 3:17am

Hello

Got it.

Two WANs
Two Wireguard Client Peers
2.1 Wireguard Peers are separated by interfaces and ports, but only a common server !

Need to
Release each Wireguard Peer to its own WAN
One WG Peer = WAN1 (ether2)
Second WG Peer = WAN2 (ether4)

I have tried this by labeling the traffic
Using mangles and routing tables

#     DST-ADDRESS         GATEWAY         DISTANCE
  D d 0.0.0.0/0           10.102.2.1           2
  DAd 0.0.0.0/0           10.101.1.1         1
  DAc 10.100.102.0/24     GW1-1            0
  DAc 10.100.103.0/24     GW1-2            0
  DAc 10.192.88.0/24      ether4                 0
  DAc 100.70.200.0/24     ether2                 0
  DAc 192.168.201.0/24    bridge                 0
1  As 0.0.0.0/0           10.102.2.1           1
2  As 10.200.1.1/32  10.102.2.1           1
3  As 0.0.0.0/0           10.101.1.1         1
4  As 10.200.1.1/32  10.101.1.1         1

/ip route

/ip route
add disabled=no distance=1 dst-address=10.200.1.1/32 gateway=10.102.2.1\
    routing-table=rtab-1-ether2 scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=10.200.1.1/32 gateway=10.101.1.1 \
    routing-table=rtab-2-ether4 scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.102.2.1 routing-table=\
    rtab-1-ether2 scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.101.1.1 \
    routing-table=rtab-2-ether4 scope=30 suppress-hw-offload=no target-scope=10

/ip firewall mangle

/ip firewall mangle
add action=mark-connection chain=output disabled=yes dst-address=10.200.1.1 \
    dst-port=13232 new-connection-mark=wg1_conn protocol=udp
add action=mark-routing chain=output connection-mark=wg1_conn disabled=yes \
    new-routing-mark=rtab-1-ether2
add action=mark-routing chain=prerouting connection-mark=wg1_conn disabled=yes \
    in-interface=ether2 new-routing-mark=rtab-1-ether2 passthrough=no
add action=mark-connection chain=output disabled=yes dst-address=10.200.1.1 \
    dst-port=13233 new-connection-mark=wg2_conn protocol=udp
add action=mark-routing chain=output connection-mark=wg2_conn disabled=yes \
    new-routing-mark=rtab-2-ether4
add action=mark-routing chain=prerouting connection-mark=wg2_conn disabled=yes \
    in-interface=ether4 new-routing-mark=rtab-2-ether4 passthrough=no

But with this configuration I get the following

With two interfaces enabled - ping to the internal network on both WG peers is going on and the mangles counters are growing
When disabling one of the interfaces - the ping to the internal network on both WG peers goes and the counters of one of the mangles grows - and one of the peers should fall off, but ok I can solve it with RAW rule but
2.1. When disconnecting one of the interfaces - ping to the internal network on one of the peers can start to go unstable - ~10 packets go 20 timeout - it looks like a jump to another interface

rplant · June 17, 2025, 7:09am

This link might be helpful:
https://forum.mikrotik.com/viewtopic.php?p=1136226#p1136226

Also, If one link goes down, it will likely try to reply from the other link to the peer, but unless the peer has an appropriate rule to allow the wireguard port, the peer will drop the packets. (Also the peer probably can’t be behind a NAT)

anav · June 17, 2025, 5:20pm

Your scenario is not clear to me. Are you hosting a wireguard server via the MT router OR are you connecting to another server ( third party, VPS etc.)??
Why do you need two tunnels at the same time?