Hi,
I'm configuring WireGuard according to the official instructions:
https://help.mikrotik.com/docs/spaces/ROS/pages/69664792/WireGuard#WireGuard-Configurationexample
Unfortunately, it isn't working. When a connection comes in on the primary WAN, everything is fine. However, when a connection comes in on the secondary WAN, MikroTik sends the responses (handshake) out through the default (i.e., first) connection, so the WireGuard tunnel is never established.
It seems to me that MikroTik is ignoring the IP/Firewall/Mangle entries. I should add that I configured the rules exactly as described on the page above.
I should add that I also use PPP connections, and they work correctly on both WANs. Similarly, I have external access to MikroTik, and it works regardless of which connection (WAN1 or WAN2) is used.
Is this a Mikrotik error or does the manual on the official website contain incorrect information?
Read @lurker888's posts (and the threads linked there) for the explanation:
Follow those threads for the workarounds too.
The upcoming RouterOS 7.21 (currently rc2) will simplify the workaround because VRF support is being added; see for example: Wireguard VRF Issues - #19 by CGGXANNX.
My config:
# Per-WAN return-path (policy routing) rules following the MikroTik WireGuard
# configuration example: a new connection entering a WAN interface gets a
# connection-mark, and packets of that connection that are not for a local
# address get a routing-mark selecting the matching VRF table. The prerouting
# rules cover forwarded traffic not arriving from WAN; the output rules cover
# traffic originated by the router itself.
/ip firewall mangle
# WAN1: tag new (unmarked) connections entering ether1-Orange
add action=mark-connection chain=prerouting comment="WAN1 Orange" \
connection-mark=no-mark in-interface=ether1-Orange new-connection-mark=\
isp-1-conn passthrough=no
# WAN1: forwarded replies (not arriving from WAN) are routed via vrf-lacze1
add action=mark-routing chain=prerouting connection-mark=isp-1-conn \
dst-address-type=!local in-interface-list=!WAN new-routing-mark=\
vrf-lacze1 passthrough=no
# WAN1: router-originated replies for WAN1 connections. NOTE(review): the
# thread reports that WireGuard handshake replies do not follow this
# output-chain mark and leave via the main-table default route instead; see
# the linked threads for the explanation and workarounds.
add action=mark-routing chain=output connection-mark=isp-1-conn \
dst-address-type=!local new-routing-mark=vrf-lacze1 passthrough=no
# WAN2: same three-rule scheme for ether2-UPC / vrf-lacze2
add action=mark-connection chain=prerouting comment="WAN2 UPC" \
connection-mark=no-mark in-interface=ether2-UPC new-connection-mark=\
isp-2-conn passthrough=no
add action=mark-routing chain=prerouting connection-mark=isp-2-conn \
dst-address-type=!local in-interface-list=!WAN new-routing-mark=\
vrf-lacze2 passthrough=no
add action=mark-routing chain=output connection-mark=isp-2-conn \
dst-address-type=!local new-routing-mark=vrf-lacze2 passthrough=no
# WAN3: connections are still marked, but both routing-mark rules are
# disabled=yes, so isp-3-conn traffic is routed by the main table
add action=mark-connection chain=prerouting comment="WAN3 T-Mobile" \
connection-mark=no-mark disabled=no in-interface=ether3-T-Mobile \
new-connection-mark=isp-3-conn passthrough=no
add action=mark-routing chain=prerouting connection-mark=isp-3-conn disabled=\
yes dst-address-type=!local in-interface-list=!WAN new-routing-mark=\
vrf-lacze3 passthrough=no
add action=mark-routing chain=output connection-mark=isp-3-conn disabled=yes \
dst-address-type=!local new-routing-mark=vrf-lacze3 passthrough=no
/ip route
# Main table: only lacze1 is enabled (distance=1); the lacze2/lacze3 defaults
# are disabled=yes and none of the main-table routes has check-gateway, so
# there is no automatic failover in the main table as posted.
# Gateway addresses are redacted placeholders (XXX/YYY/ZZZ) in this post.
add comment="lacze1" disabled=no distance=1 dst-address=\
0.0.0.0/0 gateway=XXX.XXX.XXX.XXX routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add comment="lacze2" disabled=yes distance=2 dst-address=\
0.0.0.0/0 gateway=YYY.YYY.YYY.YYY routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add comment="lacze3" disabled=yes distance=3 dst-address=\
0.0.0.0/0 gateway=ZZZZ.ZZZ.ZZZ.ZZZ routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
# Per-VRF default routes (check-gateway=ping); these are the tables selected
# by the routing-marks above. vrf-lacze3 has a table even though its
# routing-mark rules are disabled.
add check-gateway=ping disabled=no distance=1 \
dst-address=0.0.0.0/0 gateway=XXX.XXX.XXX.XXX routing-table=vrf-lacze1 \
scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 \
dst-address=0.0.0.0/0 gateway=YYY.YYY.YYY.YYY routing-table=vrf-lacze2 \
scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=\
1 dst-address=0.0.0.0/0 gateway=ZZZZ.ZZZ.ZZZ.ZZZ routing-table=vrf-lacze3 \
scope=30 suppress-hw-offload=no target-scope=10
PPP works correctly. Accessing MikroTik via WinBox or www (allowed by the IP/Firewall/Filter rules in the input chain) works fine over each connection. WireGuard only works on the default incoming connection.
This is my config. I have WAN 1 and WAN 2, both with a public IP. WireGuard works when the connection arrives on WAN1 but not when it arrives on WAN2. RouterOS 7.20.6.
# Export of the second poster's router (RouterOS 7.20.6 per the post).
# Keys, MAC address, management ports and some gateways are redacted with
# X/Y/KEY placeholders; treat the real export file as sensitive.
/interface bridge
add name=bridge
# Bridge with no ports; used below as the gateway of a last-resort route
add name=bridge-empty-emergency
/interface wireless
# NOTE(review): the export shows only the default SSID and no authentication
# settings on the default security profile; whether wlan1 is enabled is not
# visible here - confirm it is disabled or properly secured.
set [ find default-name=wlan1 ] ssid=MikroTik
/interface ethernet
set [ find default-name=ether1 ] comment="WAN 1"
set [ find default-name=ether2 ] comment="WAN 2"
/interface wireguard
# WireGuard listener; udp/12345 is accepted from WAN in the input chain below
add listen-port=12345 mtu=1420 name=wg1-test
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool ranges=192.168.59.220-192.168.59.254
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool interface=bridge name=dhcp
/ip vrf
# VRFs with interfaces=none: used only as additional routing tables that the
# mangle routing-marks below select, not as interface-bound VRFs
add interfaces=none name=vrf-lacze1
add interfaces=none name=vrf-lacze2
/interface bridge port
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
/ip firewall connection tracking
# NOTE(review): 10s is shorter than the 25s keepalive configured on the
# WireGuard peer below, so the tracked UDP connection (and its
# connection-mark) may expire between keepalives - worth checking while
# debugging the WAN2 case.
set udp-timeout=10s
/ipv6 settings
set disable-ipv6=yes
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=WAN
add interface=bridge list=LAN
/interface ovpn-server server
# OpenVPN server entry (mac-address redacted). No input-chain accept for it is
# present below, so presumably it is not reachable from WAN with this filter
# set - TODO confirm its port/enabled state, which this export does not show.
add mac-address=FE:42:XX:XX:XX:XX name=ovpn-server1
/interface wireguard peers
# Single responder peer. NOTE(review): this entry stores the peer's
# private-key alongside its public-key; keep the private key redacted when
# sharing exports and rotate it if it was ever exposed. client-endpoint is
# the redacted public address the peer is expected to connect to.
add allowed-address=172.16.111.2/32 client-address=172.16.111.2/32 \
client-dns=8.8.8.8 client-endpoint=XXX.XXX.XXX.XXX client-keepalive=25s \
client-listen-port=12345 interface=wg1-test name=peer-wg-test \
persistent-keepalive=25s private-key=\
"KEYKEYKEYKEY=" public-key=\
"KEYKEYKEYKEY=" responder=yes
/ip address
add address=192.168.59.1/24 interface=bridge network=192.168.59.0
# ether2 (WAN 2) carries a private address here; presumably an upstream
# device forwards the public IP mentioned in the post - TODO confirm
add address=192.168.0.100/24 interface=ether2 network=192.168.0.0
add address=172.16.111.1/24 interface=wg1-test network=172.16.111.0
/ip dhcp-client
# WAN 1 address via DHCP; the lease's default route is not installed
# (add-default-route=no), the static routes under /ip route are used instead
add add-default-route=no default-route-tables=main interface=ether1 \
use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.59.0/24 dns-server=192.168.59.1 gateway=192.168.59.1 \
ntp-server=192.168.59.1
/ip dns
# allow-remote-requests=yes makes the router a resolver; the input chain
# below has no accept for DNS from WAN, so only non-WAN clients can reach it
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4,1.1.1.1
/ip firewall filter
# Input chain, top-down: WireGuard, established/related, drop invalid, ICMP,
# knock-gated management, then drop everything else arriving from WAN.
# WireGuard: udp/12345 accepted from any WAN source; peer authentication is
# left to WireGuard's key exchange
add action=accept chain=input comment="WG" dst-port=12345 \
in-interface-list=WAN protocol=udp
add action=accept chain=input comment=\
"Accept established,related,untracked connections" connection-state=\
established,related,untracked
add action=drop chain=input comment="Drop invalid connections" \
connection-state=invalid
# ICMP is accepted from every interface, WAN included
add action=accept chain=input comment="Accept ICMP" protocol=icmp
# Management from WAN only for sources in the `security` address-list, which
# is populated by the port-knock rules under /ip firewall raw (ports redacted)
add action=accept chain=input comment=\
"www" dst-port=XXXXXX \
in-interface-list=WAN protocol=tcp src-address-list=security
add action=accept chain=input comment=\
"Winbox" dst-port=8291 \
in-interface-list=WAN protocol=tcp src-address-list=security
# Catch-all: anything from WAN not accepted above is dropped; this is what
# keeps DNS, NTP and other local services closed toward WAN
add action=drop chain=input comment="Drop all not coming from LAN" \
connection-state="" in-interface-list=WAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall mangle
# Same per-WAN scheme as the MikroTik WireGuard example: tag new connections
# entering each WAN interface, then give non-local packets of that connection
# a routing-mark for the matching VRF table (prerouting for forwarded traffic
# not arriving from WAN, output for router-originated traffic). NOTE(review):
# the thread reports WireGuard handshake replies do not follow the output
# mark and take the main-table default instead; see the linked threads.
add action=mark-connection chain=prerouting connection-mark=no-mark \
in-interface=ether1 new-connection-mark=isp-1-conn passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
in-interface=ether2 new-connection-mark=isp-2-conn passthrough=no
add action=mark-routing chain=prerouting connection-mark=isp-1-conn \
dst-address-type=!local in-interface-list=!WAN new-routing-mark=\
vrf-lacze1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=isp-2-conn \
dst-address-type=!local in-interface-list=!WAN new-routing-mark=\
vrf-lacze2 passthrough=no
add action=mark-routing chain=output connection-mark=isp-1-conn \
dst-address-type=!local new-routing-mark=vrf-lacze1 passthrough=no
add action=mark-routing chain=output connection-mark=isp-2-conn \
dst-address-type=!local new-routing-mark=vrf-lacze2 passthrough=no
/ip firewall nat
# Source NAT per WAN interface
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether2
/ip firewall raw
# Port knock, evaluated in raw prerouting (before connection tracking): a TCP
# packet to the first (redacted) port adds the source to `temporary` for 15s;
# a packet to the second port from a `temporary` source adds it to `security`
# for 3h, which unlocks www/winbox in the input chain. NOTE(review): entries
# are keyed on source address, so every host behind that address shares the
# 3h window; the rules also match any source, WAN or not.
add action=add-src-to-address-list address-list=temporary \
address-list-timeout=15s chain=prerouting comment=\
"Knock knock - security" dst-port=XXXXXX protocol=tcp
add action=add-src-to-address-list address-list=security \
address-list-timeout=3h chain=prerouting dst-port=XXXXX protocol=tcp \
src-address-list=temporary
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
# Main table: WAN1 default at distance 1, WAN2 at distance 2. Neither has
# check-gateway, so failover between them is not automatic here; the
# "wan_monitoring" comments suggest a script (not shown) toggles them.
add comment="wan_monitoring: lacze1" disabled=no distance=1 dst-address=\
0.0.0.0/0 gateway=192.168.88.1 routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add comment="wan_monitoring: lacze2" disabled=no distance=2 dst-address=\
0.0.0.0/0 gateway=192.168.0.1 routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
# Per-VRF defaults with check-gateway=ping, selected by the mangle
# routing-marks above
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
192.168.88.1 routing-table=vrf-lacze1 scope=30 suppress-hw-offload=no \
target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
192.168.0.1 routing-table=vrf-lacze2 scope=30 suppress-hw-offload=no \
target-scope=10
# Last-resort default (distance 254) pointing at an empty bridge; presumably
# a sink so traffic does not fall back to an unintended path when both WAN
# routes are gone - TODO confirm intent
add comment="Route emergency" \
disabled=no distance=254 dst-address=0.0.0.0/0 gateway=\
bridge-empty-emergency routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
/ip service
# API disabled; plain-HTTP www stays enabled on a custom (redacted) port.
# The state of ssh/telnet/ftp/www-ssl is not visible in this export.
set api disabled=yes
set api-ssl disabled=yes
set www port=XXXXX
/system clock
set time-zone-name=Europe/Warsaw
/system ntp client
set enabled=yes
/system ntp server
# The router also serves NTP (broadcast and multicast); with the input-chain
# catch-all above it is reachable only via interfaces outside the WAN list
set broadcast=yes enabled=yes multicast=yes
/system ntp client servers
add address=time.google.com