Hello. I am quite new to mikrotik but I was able to make a configuration that we could say “successful”

The router is a CCR2004-16G-2S+ (version 7.2.3)

Successfully implement a wireguard “server” with client connections from pc, cell phones, etc and also “lan<->lan”

I have 2 internet connections with public IPs by DHCP.

For wireguard to work assign different distances like 5 and 6 for wan1 and wan2

The problem, to be specific, is that I want wireguard to listen to both wans and respond correctly according to the wan connection for which I entered the request.

I was able to determine through the log that wireguard attends to both wans but the tunnel does not finish establishing itself in both. In the search for a solution, I left both WANs with identical distances, I marked connections and then routes and finally routing rules. All this without success.

The question in summary is:

Has anyone managed to configure with multiple wan connections where Wireguard attends and responds correctly according to the “wan” through which I enter?

I could not find practical examples on the Internet to take as a reference and then adapt it to my scenario.

I feel like I may be attempting something impossible to accomplish with a single router and would like your opinion if I am attempting an impossible configuration.

Thank you in advance for your time and any comments on the matter will be welcome.

Hi,
I am facing this problem too.
As I got the problem is I cannot make traffic to go through the desired wan.

I add incoming client ip to an address list

action=add-src-to-address-list address-list=wireguard_in_wan1 address-list-timeout=1m chain=input comment=“Wireguard mark source addr” dst-port=11111 in-interface=pppoe-out-ont-1 protocol=udp
action=add-src-to-address-list address-list=wireguard_in_wan2 address-list-timeout=1m chain=input comment=“Wireguard mark source addr” dst-port=11111 in-interface=pppoe-out-ont-2 protocol=udp


I mark incoming connection to reply then through same interface

action=mark-connection chain=input connection-mark=no-mark in-interface=pppoe-out-ont-1 new-connection-mark=from_wan1 passthrough=yes
action=mark-connection chain=input connection-mark=no-mark in-interface=pppoe-out-ont-2 new-connection-mark=from_wan2 passthrough=yes
action=mark-routing chain=output connection-mark=from_wan1 new-routing-mark=to_wan1 passthrough=yes
action=mark-routing chain=output connection-mark=from_wan2 new-routing-mark=to_wan2 passthrough=yes


I even tried to make mark routing to incoming IPs by mangle in addition by not usable…

action=mark-routing chain=output dst-address-list=wireguard_in_wan1 new-routing-mark=to_wan1
action=mark-routing chain=output dst-address-list=wireguard_in_wan2 new-routing-mark=to_wan2


my routing tables is

D v 0.0.0.0/0 pppoe-out-ont-1 2
DAv 0.0.0.0/0 pppoe-out-ont-2 1
DAc + 2.176.192.1/32 pppoe-out-ont-1 0
DAc + 2.176.192.1/32 pppoe-out-ont-2 0
26 As 0.0.0.0/0 pppoe-out-ont-1 1
30 As 0.0.0.0/0 pppoe-out-ont-2 1


I think the problem is wireguard tries to send replies from default routing not marked one, I got it when i changed my mobile client address to the default gateway of mikrotik then works but I cannot connect to other wan.
if any idea thanks in advance.

Same situation with dual wan. Maybe somebody achieve possibility to connect to WireGuard server with dual wan and working network access?

Lets deal with one person at a time please it gets too confusing otherwise.
YOu need to state the requirements that make sense in terms of not what you want, but what should the users be able to do.

Identify users/groups of users and what they should be able to do and not be able to do. (also detail separately the admin).
Provide a network diagram so we have context of what MT devices or not are involved and the type of WANIP (public/private, static, dynamic) etc, without the actual real numbers of course.

Provide th FULL config of any MT devices involved at both ends.]
/export minus public WANIP info and serial numbers.

Then we can start to make think about a config that makes sense.

Reality check, the initiator of the connection is responsible for contacting and connecting to the receiver.
I dont think its possible for the receiver to do what is being asked.

If you want WAN1 to respond to wireguard interface A at port XXXXX
If you want WAN2 to respond to wireguard interface B at port YYYYY

Then I dont see why it shouldnt work,as the initiial connection will work and traffic will flow??
Firewall rules and IP routes take care of the rest.

input chain rule
add chain=input action=accept dst-port=xxxxx protocol=udp in-interface=ether1
add chain=input action=accept dst-port=yyyyy protocol=udp in-interface=ether2

Forward chain rules LAN traffic - strictly deal with entering the wg interface from the LAN and exiting the wg interface going to the LAN. Just ensure you have enough detail on the firewall rules to identify the source traffic and destination traffic etc, so the router can keep track of where the traffic originated.

Thus we are left with the IP routes issue.
Again, remote traffic to subnets returning to the tunnel simply requiire a route to the wg interface.

NOTE OTHER CASE: Primary-Failover (single dydns name with two records so when one goes down the dyndns name is stiill valid for the other record) - you still need two wireguard interfaces
++++++++++++++++++++++++++++++++++++++++++++++++++++++

Thus I fail to see the problem yet, please show me where the errors will occur??

( the use cases from the user perspective that wont work).

Give me an accurate scenario to work with…

A. Dual WAN with PCC
B. Dual WAN with primary and failover
C. Dual WAN vlans 1-5 go through WAN1, vlans6-10 go through WAN2 (both active and with or without failover to other WAN).
D. Dual WAN with Primary WAN1 /Failover WAN2, where one subnet should always use WAN2

Without specifics the question is too vague.
Then you need to DEFINE< how you want users to access the Receiving router.
Is it by DYDNSNAME:port number ( does your dyndns have access to two records aka WAN1 and WAN2 )
Is it by TWO DYNDNS names (1/2 users got to WAN1 and 1/2 users go to WAN2)
Is it by DYNDNSNAME whiich is the IP Cloud name ??

ON wireguard,
How many interfaces do you want to use for this…assumign one wireguard interface.
What are the needs of the remote users (access servers, or internet).
What are the needs of the local users (access servers at remote sites, internet at remote sites, for the admin to access config at remote sites)???

I believe I have a similar issue. Let me explain.

I have 2 WAN connections:

1. pppoe connection without public IP (X.X.X.X) to which local IP is assigned (Xl.Xl.Xl.Xl) from the range 172.16.0.0/24
2. DHCP-client connection with public IP (Y.Y.Y.Y) to which local IP is assigned (Yl.Yl.Yl.Yl) from the range 10.0.0.0/24

I have a remote client that would like to connect to WAN2 over wireguard so it tries to connect to Y.Y.Y.Y on port 33677 (as in example). It enters fine and the communication goes well throught the whole firewall rules. I assign the connection-mark WAN2_to_router with a mangle rule to identify the connection later.

As soon as the incoming communication is processed on IP Yl.Yl.Yl.Yl, the outgoing (src) communication goes from another interface on IP Xl.Xl.Xl.Xl. Even though it could have, I still assigned the WAN2_to:router connection mark previously but it got stripped so I cannot force it to assing a new routing-mark WAN2.

This is the log from firewall which I hope clears it up a little bit. I simply cannot force the outgoing communication to continue with the same src address as the incoming communication. I also looked at the packet flow but still cannot find a way to force the packets leave on the same interface.

Something “a bit similar” like this one no ?
This should be possible I would think, “same interface out” as where the packets arrived.

http://forum.mikrotik.com/t/pbr-ensure-traffic-leaves-the-same-interface-it-arrives-on/75060/1

I have similar mangle rules applied. Basically I need to:

1. mark connection on mangle input with a connection mark
2. route connection on mangle output with a routing mark

What happens though is that within routing decision the dst address 10.27.11.139 on eth01 (WAN2) is changed to src address 172.28.168.20 on pppoe (WAN1). For some reason it switches the outgoing interface and drops the connection mark anyways so it behaves as if it was a completely new connection. Also it set the connection-state to new, as if it was not replying.

This is what I can see in the Firewall connections, which shows incoming and outgoing communications.

I have a similar setup and am seeing the same issue. The connection comes in one WAN interface but for some reason the reply source is a different WAN interface.

that may be true jkaufman its because your config is screwy, same with all others reporting here.
Network diagram
full configs
otherwise its all conjecture, and a waste of time

My two cents.

I use this config with OpenVPN and works well, but with WireGuard I got this same problem: the connection gets the connection-mark based on the eth input, but the reply goes always by the default route (eth1 in my case), checked in the ROS sniffer. In the firewall connections list there’s no reply, just the incoming data so looks like the reply of the WireGuard is done in a different connection and so the routing-mark is not present.

and posters continue to post Garbage.
An opinion without the fact of a the complete config at both ends is as good as pile of gato mierda.

That’s the config of the peers I’m using.

As I said, OVPN works fine with inputs from eth1 and eth2, but WireGuard just from eth1 as the reply packages get new connection status and lost the connection mark of eth2.

The VPN range is 10.8.1.0/24 and the LAN is 192.168.10.0/24.

The VPN is intended for traffic only LAN related, not all internet traffic so the client is configured according.

The client uses ddns.net for both address as in myoffice1.ddns.net and myoffice2.ddns.net. In OVPN both are used too.

dec/28/2022 08:51:05 by RouterOS 7.6

software id =

model = RB750Gr3

serial number =

/interface ethernet
set [ find default-name=ether1 ] name=ether1-claro
set [ find default-name=ether2 ] name=ether2-zetanet
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] arp=proxy-arp name=ether5-lan
/interface ovpn-server
add name=ovpn-in1 user=“”
/interface wireguard
add listen-port=14232 mtu=1420 name=wireguard1
/interface list
add name=wan
add name=lan
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=vpn-pool ranges=192.168.10.61-192.168.10.69
/port
set 0 name=serial0
/ppp profile
add local-address=192.168.10.2 name=vpn-profile remote-address=vpn-pool
/queue simple
add dst=ether1-claro max-limit=600M/600M name=eth1 queue=default/default
target=“”
add limit-at=30M/30M max-limit=100M/100M name=eth1-voip packet-marks=
voip-packet parent=eth1 priority=1/1 queue=default/default target=“”
add max-limit=300M/300M name=eth1-general parent=eth1 queue=
pcq-upload-default/pcq-download-default target=“”
add dst=ether2-zetanet max-limit=100M/100M name=eth2 queue=default/default
target=“”
add limit-at=30M/30M max-limit=50M/50M name=eth2-voip packet-marks=
voip-packet parent=eth2 priority=1/1 queue=default/default target=“”
add max-limit=80M/80M name=eth2-geral parent=eth2 queue=
pcq-upload-default/pcq-download-default target=“”
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/routing table
add fib name=voip
add fib name=to-eth1
add fib name=to-eth2
add fib name=tv
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add interface=ether1-claro list=wan
add interface=ether2-zetanet list=wan
add interface=ether5-lan list=lan
add interface=wireguard1 list=lan
/interface ovpn-server server
set auth=sha256 certificate=server cipher=aes256 enabled=yes port=14231
protocol=udp require-client-certificate=yes
/interface wireguard peers
add allowed-address=10.8.1.100/32 comment=max interface=wireguard1
public-key=“…”
/ip address
add address=192.168.10.2/24 interface=ether5-lan network=192.168.10.0
add address=10.1.1.92/24 interface=ether1-claro network=10.1.1.0
add address=10.1.2.2/24 interface=ether2-zetanet network=10.1.2.0
add address=10.8.1.1/24 interface=wireguard1 network=10.8.1.0
/ip dns
set allow-remote-requests=yes servers=192.168.10.1,8.8.8.8,8.8.4.4
/ip firewall address-list
add address=…com.br list=voip
/ip firewall filter
add action=accept chain=input comment=
“aceita conexoes estabelecidas e relacionadas” connection-state=
established,related
add action=drop chain=input comment=“descarta conexoes invalidas”
connection-state=invalid
add action=accept chain=input comment=“aceita openvpn” dst-port=14231
protocol=udp
add action=accept chain=input comment=“aceita wireguard vpn” dst-port=14232
protocol=udp
add action=add-src-to-address-list address-list=port-scan
address-list-timeout=1w chain=input comment=“deteccao de port scan”
in-interface-list=wan log=yes log-prefix=port-scan protocol=tcp psd=
21,3s,3,1
add action=drop chain=input comment=“descarte geral dos links”
in-interface-list=wan
add action=drop chain=forward comment=“descarta conexoes invalidas”
connection-state=invalid
add action=drop chain=forward comment=
“descarta conexoes vindas da internet que nao tenham base no nat”
connection-nat-state=!dstnat connection-state=new in-interface-list=wan
/ip firewall mangle
add action=mark-connection chain=prerouting comment=“voip connection-mark”
connection-state=new dst-address-list=voip new-connection-mark=
voip-connection passthrough=yes
add action=mark-routing chain=prerouting comment=“voip routing-mark”
connection-mark=voip-connection in-interface-list=lan new-routing-mark=
voip passthrough=yes
add action=mark-packet chain=forward comment=“voip packet-mark (qos)”
connection-mark=voip-connection new-packet-mark=voip-packet passthrough=
no
add action=mark-routing chain=prerouting comment=
“teamviewer tcp routing-mark” dst-port=5938 new-routing-mark=tv
passthrough=no protocol=tcp
add action=mark-routing chain=prerouting comment=
“teamviewer udp routing-mark” dst-port=5938 new-routing-mark=tv
passthrough=no protocol=udp
add action=mark-routing chain=prerouting comment=
“forca conexoes TS externas na eth2 onde temos IP fixo” dst-port=3389
in-interface=ether5-lan new-routing-mark=to-eth2 packet-mark=no-mark
passthrough=no protocol=tcp tcp-flags=“”
add action=mark-connection chain=input comment=
“marca conexoes entrando pela porta 1” connection-state=new in-interface=
ether1-claro new-connection-mark=eth1-conn passthrough=yes
add action=mark-routing chain=output comment=
“marca pacotes saindo que entraram pela porta 1” connection-mark=
eth1-conn new-routing-mark=to-eth1 passthrough=no
add action=mark-connection chain=input comment=
“marca conexoes entrando pela porta 2” connection-state=new in-interface=
ether2-zetanet new-connection-mark=eth2-conn passthrough=yes
add action=mark-routing chain=output comment=
“marca pacotes saindo que entraram pela porta 2” connection-mark=
eth2-conn new-routing-mark=to-eth2 passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=wan
/ip firewall raw
add action=drop chain=prerouting comment=“bloqueio de port scan detectado”
src-address-list=port-scan
/ip firewall service-port
set irc disabled=no
set sip disabled=yes
set rtsp disabled=no
/ip route
add comment=“rota geral (ether1-netwatch)” disabled=no distance=1
dst-address=0.0.0.0/0 gateway=10.1.1.1 routing-table=main scope=30
suppress-hw-offload=no target-scope=10
add comment=“rota geral (ether2-netwatch)” disabled=no distance=2
dst-address=0.0.0.0/0 gateway=10.1.2.1 pref-src=“” routing-table=main
scope=30 suppress-hw-offload=no target-scope=10
add comment=“rota principal para voip (ether2-netwatch)” disabled=no
distance=1 dst-address=0.0.0.0/0 gateway=10.1.2.1 pref-src=0.0.0.0
routing-table=voip scope=30 suppress-hw-offload=no target-scope=10
add comment=“garante rota de saida no mesmo link de entrada” disabled=no
dst-address=0.0.0.0/0 gateway=10.1.1.1 routing-table=to-eth1
add comment=“garante rota de saida no mesmo link de entrada” disabled=no
dst-address=0.0.0.0/0 gateway=10.1.2.1 routing-table=to-eth2
add comment=“rota principal para TeamViewer (ether2-netwatch)” disabled=no
distance=1 dst-address=0.0.0.0/0 gateway=10.1.2.1 pref-src=0.0.0.0
routing-table=tv scope=30 suppress-hw-offload=no target-scope=10
add comment=“rota fixa para teste de eth2 com netwatch” disabled=no distance=
1 dst-address=192.203.230.10/32 gateway=10.1.2.1 pref-src=0.0.0.0
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=“rota fixa para teste de eth1 com netwatch” disabled=no distance=
1 dst-address=192.5.5.241/32 gateway=10.1.1.1 pref-src=0.0.0.0
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=“rota alternativa para TeamViewer (ether1-netwatch)” disabled=no
distance=2 dst-address=0.0.0.0/0 gateway=10.1.1.1 pref-src=0.0.0.0
routing-table=tv scope=30 suppress-hw-offload=no target-scope=10
add comment=“rota alternativa para voip (ether1-netwatch)” disabled=no
distance=2 dst-address=0.0.0.0/0 gateway=10.1.1.1 pref-src=0.0.0.0
routing-table=voip scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.10.0/24
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.10.0/24
set api-ssl disabled=yes
/ppp secret
add name=max profile=vpn-profile service=ovpn
add name=ivo profile=vpn-profile service=ovpn
add name=cassiano profile=vpn-profile service=ovpn
add name=anelise profile=vpn-profile service=ovpn
add name=paulo profile=vpn-profile service=ovpn
add name=lorenzo profile=vpn-profile service=ovpn
/system clock
set time-zone-name=America/Sao_Paulo
/system identity
set name=lan-router
/system package update
set channel=testing
/tool e-mail
set address=… from=“…”
port=587 user=…
/tool netwatch
add comment=“monitora o link ether1-claro” disabled=no down-script=“/ip route
disable [find comment~"ether1-netwatch"]\r
\n/log error "Link Claro Down"\r
\n/delay 2000ms\r
\n/tool e-mail send to="…" subject="Link Claro Down"”
host=192.5.5.241 http-codes=“” interval=30s test-script=“” type=simple
up-script=“/ip route enable [find comment~"ether1-netwatch"]\r
\n/tool e-mail send to="…" subject="Link Claro Up"”
add comment=“monitora o link ether2-zetanet” disabled=no down-script=“/ip rout
e disable [find comment~"ether2-netwatch"]\r
\n/log error "Link Zetanet Down"\r
\n/delay 2000ms\r
\n/tool e-mail send to="…" subject="Link Zetanet Down"”
host=192.203.230.10 http-codes=“” interval=30s test-script=“” type=simple
up-script=“/ip route enable [find comment~"ether2-netwatch"]\r
\n/tool e-mail send to="…" subject="Link Zetanet Up"”
/tool sniffer
set filter-port=14232

The client is a Windows 10 with the current version of WireGuard.

[Interface]
PrivateKey = …
Address = 10.8.1.100/24

[Peer]
PublicKey = …
AllowedIPs = 10.8.1.0/24, 192.168.10.0/24
Endpoint = …:14232

HEX

Overall cannot see anything that would be stopping wireguard traffic.

(1) I would put in an explicit allow rule just to be sure on the forward chain
FROM
add action=drop chain=forward comment=
“descarta conexoes vindas da internet que nao tenham base no nat”
connection-nat-state=!dstnat connection-state=new in-interface-list=wan
TO:
add action=accept chain=forward in-interface=wireguard1 out-interface-list=LAN
add action=drop chain=forward comment=
“descarta conexoes vindas da internet que nao tenham base no nat”
connection-nat-state=!dstnat connection-state=new in-interface-list=wan

WINDOWS CLIENT

(2) Client Address incorrect
FROM:
10.8.1.100/24
TO:
10.8.1.100/32