WireGuard Road Warrior Problems with multi WAN

Hello All,
I have some strange and weird behaviour with the WireGuard VPN on my MikroTik hAP AX3.
The setup is probably a mess for you, but this is because I use 3 public WAN IPs via DHCP over a single port with VRRP. In this way I can get 3 public IPs.

Almost everything works as expected, except WireGuard from road warrior clients connected over Wi-Fi.
If I use cellular on my phone, or a cellular hotspot from my phone to my laptop, everything is working.
WireGuard is set to respond on WAN-IP-02.

If I disable the PCC mangle rules and reboot the router, WireGuard from road warrior clients works most of the time.
So it seems something in PCC or another rule breaks the configuration and affects the handshake between the server and the road warrior clients.
I'm not deep enough into this to find where the issues are myself. I have read a lot of posts and tried set, change, test, but cannot resolve this.

Is it possible for someone to review and advise where the fault can be?
config.txt (11.7 KB)

So is the MikroTik AX3 not the server for your WireGuard network???

If it is, which I conclude since you have the input chain rule to accept the handshake, then your allowed IPs are incorrect.
Each road warrior needs their own specific config line. It's a peer to peer VPN, thus one rule for all makes no sense.
Also, the allowed IPs describe two things, EITHER:
a. the remote addresses local folks are trying to reach, be it subnets on another router or the internet via the other router
OR
b. the remote addresses coming in to reach your local subnets etc.
HINT: No local addresses are defined!!

Finally, what the heck is the 10.10.200.0/24 subnet?? If one of your WireGuard peers is a router then put it in the comments and don't claim all are road warriors.

Should be:
/interface wireguard peers
add allowed-address=10.11.100.2/32 interface=WG-Site1-Sofia public-key="-----" comment="WG rw-Rosen"
add allowed-address=10.11.100.10/32,10.10.200.0/24,10.11.200.0/24 interface=WG-Site1-Sofia public-key="*****" comment="WG router-Yarlovci"



The firewall rules are a disorganized mess. Put the rules of the same chain together, then it would be readable.
Where are the main table routes for WAN1, WAN2, WAN3???
Where is WAN3 on bridge WAN-IP-01?

Confirm the goals are
a. wireguard through wan2
b. PCC all LAN traffic via wans 1,2,3
c. ANY SERVERS on the LAN?
If so are there
i. internal users via direct LANIP
ii. internal users via URL (dyndns name)
iii. external users via URL (dyndns name) and if YES via which WAN ?

I am not familiar with VRRP etc... but this doesn't seem right to me:
add action=masquerade chain=srcnat comment="Masquerade WAN" ipsec-policy=out,none out-interface=WAN-IP-01

I would certainly be more comfortable with
add action=masquerade chain=srcnat comment="Masquerade WAN" ipsec-policy=out,none out-interface-list=WAN

++++++++++++++++++++++++++++++++++++++++++++++
Once the questions above are answered and the changes are made, including the firewall rules being grouped at least within chains, post the config again and I will have a look.

Hi anav,

I will try to explain the setup, but it is also complicated to me :slight_smile:. Too many workarounds are required due to missing functionality on the router. It would probably be easier to have 3 static IPs, but the provider does not have such an option.

"So is the MikroTik AX3 not the server for your WireGuard network???" - The MikroTik AX3 is the router and also the WireGuard server.

Also, the allowed IPs describe two things, EITHER:
a. the remote addresses local folks are trying to reach, be it subnets on another router or the internet via the other router
OR
b. the remote addresses coming in to reach your local subnets etc.

These are the rules for the site to site VPN, to allow access to and from the remote site: 10.10.100.0/24 <----> 10.10.200.0/24

=============
HINT: No local addresses are defined!! - Not sure what this should mean. I'm using DHCP and external DNS in the local LAN. No need for local addresses and DNS via the MikroTik.

Where are the main table routes for WAN1, WAN2, WAN3???

The routes are there but not listed in the export.

[routeradm@BGSF01RT01] > ip/route/print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, s - STATIC, d - DHCP; + - ECMP
Columns: DST-ADDRESS, GATEWAY, DISTANCE

      DST-ADDRESS      GATEWAY         DISTANCE
DAd+  0.0.0.0/0        46.10.48.1             1
DAd+  0.0.0.0/0        77.85.24.1             1
DAd+  0.0.0.0/0        79.100.176.1           1
DAc   10.10.100.0/24   LAN-Bridge             0
0 As  10.10.200.0/24   WG-Site1-Sofia         1
DAc   10.11.100.0/24   WG-Site1-Sofia         0
1 As  10.11.200.0/24   WG-Site1-Sofia         1
DAc   46.10.48.0/20    WAN-IP-03              0
DAc   77.85.24.0/21    WAN-IP-02              0
DAc   79.100.176.0/21  WAN-IP-01              0
DAc   127.0.0.2/32     WAN-IP-02              0
DAc   127.0.0.3/32     WAN-IP-03              0
      ;;; WAN-IP-01
2 As  0.0.0.0/0        79.100.176.1           1
      ;;; WAN-IP-02
3 As  0.0.0.0/0        77.85.24.1             1
      ;;; WAN-IP-03
4 As  0.0.0.0/0        46.10.48.1             1

Where is WAN3 on bridge WAN-IP-01?

Attached is a picture of WAN1 and the 2 more on top of it.

==========

So is the MikroTik AX3 not the server for your WireGuard network???

If it is, which I conclude since you have the input chain rule to accept the handshake, then your allowed IPs are incorrect.
Each road warrior needs their own specific config line. It's a peer to peer VPN, thus one rule for all makes no sense.
Also, the allowed IPs describe two things, EITHER:
a. the remote addresses local folks are trying to reach, be it subnets on another router or the internet via the other router
OR
b. the remote addresses coming in to reach your local subnets etc.
HINT: No local addresses are defined!!

Finally, what the heck is the 10.10.200.0/24 subnet?? If one of your WireGuard peers is a router then put it in the comments and don't claim all are road warriors.

Should be: - corrected this.
/interface wireguard peers
add allowed-address=10.11.100.2/32 interface=WG-Site1-Sofia public-key="-----" comment="WG rw-Rosen"
add allowed-address=10.11.100.10/32,10.10.200.0/24,10.11.200.0/24 interface=WG-Site1-Sofia public-key="*****" comment="WG router-Yarlovci"


The firewall rules are a disorganized mess. Put the rules of the same chain together, then it would be readable.
Where are the main table routes for WAN1, WAN2, WAN3???
Where is WAN3 on bridge WAN-IP-01?

Confirm the goals are
a. WireGuard through WAN2 - yes
b. PCC all LAN traffic via WANs 1, 2, 3 - yes
c. ANY SERVERS on the LAN? - Yes
If so, are there
i. internal users via direct LAN IP - yes
ii. internal users via URL (DynDNS name) - yes
iii. external users via URL (DynDNS name), and if YES via which WAN?

I have a local domain with several servers behind the router, with nginx and NAT on wan1, wan2, wan3.
DDNS is a must as the WAN IPs are provided via DHCP.
wan1 - serves several sites, email, Plex, ownCloud
wan2 - is for external access via WireGuard and OpenVPN
wan3 - virtual cloud isolated lab

10.10.100.0/24 - Local LAN
10.10.200.0/24 - Remote Site LAN
10.11.100.0/24 - WireGuard - site to site and road warrior, which is not working
10.12.100.0/24 - OpenVPN - works with road warrior

Tried again with some modifications, but what I can see is that:

  1. Over Wi-Fi the handshake is sent and accepted on WAN-IP-02, but the reply handshake is sent via WAN-IP-03 - WireGuard not working
     marks.png
  2. Over phone cellular the handshake is sent and accepted on WAN-IP-02, the reply handshake is again sent via WAN-IP-03 - but WireGuard is working
     marks1.png
If I disable WAN-IP-03, WireGuard starts working normally, but why the mangle output is not captured and routed to the proper WAN (WAN-IP-02) is a mystery.
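An added example (not configuration posted by either participant in this thread) of the usual RouterOS way to pin a service that terminates on the router itself to one WAN. The route print above shows the three DHCP default routes carrying the + (ECMP) flag, so a packet the router generates on its own, with no routing mark, is hashed across all three gateways; that fits the observation that the handshake arrives on WAN-IP-02 but the reply leaves via WAN-IP-03. The rules below connection-mark the WireGuard flow as it enters on WAN-IP-02 (chain=input, because the tunnel ends on the router) and routing-mark the router's own replies for that connection (chain=output) into a table whose only default route points at WAN-IP-02. Assumptions not stated in the thread: the WireGuard listen port (13231, the RouterOS default, is used here), the names WAN2-conn and to-WAN2, and the gateway 77.85.24.1, which is copied from the posted route print but is DHCP-assigned and may change.

```routeros
# Added example for this thread, not config from the original poster or from anav.
# Assumptions: WireGuard listens on the RouterOS default port 13231 (the thread never
# states the port); WAN2 is interface WAN-IP-02 with gateway 77.85.24.1 as shown in the
# posted route print; the names WAN2-conn and to-WAN2 are made up here.
# The two mangle rules must be placed ABOVE the existing PCC rules.

# 1. A separate routing table whose only job is "leave via WAN2".
/routing table
add name=to-WAN2 fib

# 2. Default route for that table. The gateway is DHCP-assigned, so this value is taken
#    from the route print and would need to be refreshed (e.g. from the DHCP client's
#    script) if the ISP hands out a different gateway; that script is not shown here.
/ip route
add dst-address=0.0.0.0/0 gateway=77.85.24.1 routing-table=to-WAN2 \
    comment="default via WAN-IP-02 (for router-originated replies)"

# 3. Mark the WireGuard connection when the handshake arrives on WAN2.
#    chain=input, because the tunnel terminates on the router itself, not behind it.
/ip firewall mangle
add chain=input in-interface=WAN-IP-02 protocol=udp dst-port=13231 \
    connection-state=new action=mark-connection new-connection-mark=WAN2-conn \
    passthrough=yes comment="WireGuard handshake arrived on WAN-IP-02"

# 4. Router-generated packets belonging to that connection get a routing mark, so the
#    handshake response and all later tunnel packets leave via WAN2 instead of being
#    hashed over the three ECMP default routes in the main table.
add chain=output connection-mark=WAN2-conn action=mark-routing \
    new-routing-mark=to-WAN2 passthrough=no comment="WireGuard replies out WAN-IP-02"

# 5. The existing PCC mark-connection rules (not repeated here) must not re-mark this
#    flow: give them connection-mark=no-mark so an already marked connection is skipped.
```

To check that the rules actually see the traffic, watch /ip firewall mangle print stats while a client attempts a handshake (both counters should rise) and confirm the flow with /ip firewall connection print where connection-mark=WAN2-conn. The reason this matters for the client side: a stateful NAT or firewall in front of the client accepts a reply only from the address and port the client sent to, so the response has to leave with WAN-IP-02's address through WAN-IP-02.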

To assist,
you need to detail all the requirements clearly since there is a lot going on:
a. identify each user/device and group of users/devices, including admin and external users
b. identify what traffic they need to accomplish.

Discuss what each WAN is expected to be used for:
i. part of the PCC group of WANs
ii. connected TO for VPN
iii. passing incoming server traffic to the LAN (if so, to which device).

Also the latest config...

Hello anav,

It seems mission impossible for me to resolve this over the forum with my very basic knowledge of MikroTik.
All that I learned was from posts, but these days there are a lot of materials, and it is very easy to get confused. One tick can ruin everything.

I will try in future to play with this again, but until then I will switch everything via one IP, where all is fine.

Anyway, thanks for the support.