So I am in the process of changing my setup. I’ve already changed RB1100AHx4Dude for RB5009, I am working on creating a proper guest network (I have Cisco Wireless - WLC + WAPs) with proper VLANs, etc. But now I want to move out from IPSec to Wireguard.
Presently I have 4 always-on tunnels: 3 to different countries (Poland, Germany, UK) and one dedicated to one of my VMs at home. I am controlling country sites with IP lists. See my config (with some redactions): BackupWireGuard.rsc (22.6 KB)
Question: how can I do the same with WG instead of IPSec? I have some knowledge, but if you could create it “for dummies” I would appreciate it.
It shouldn’t be difficult. Add new WG interfaces (e.g. wgPL, wgDE, wgUK), configure them according to the provider’s instructions, and then you should need something like:
Awesome, what about code for a dedicated connection? So let’s say WG interface wg-ded-US (another one from my provider). This will send the entire traffic for IP 10.20.30.250 to that tunnel without mangle.
What I have now are IPSec tunnels: 3 mangled to countries, 1 dedicated to one IP.
Sometimes I have to send the entire traffic of another device (which usually is partly mangled) to a country which already has a tunnel, and I am doing this by creating a dedicated tunnel for that list.
So normally IPs 16 or 17 go through mangle, but when I enable them in the Own-VPN list and give them a new tunnel, they go exclusively over there. Probably there is a smarter way to do it without the need for a new tunnel.
Is there a similar way of doing this via WG through lists? Or should I use routing rules?
This way you can do anything. Priority depends on the order of rules. If you need other exceptions, just add them before these. Don’t forget connection-mark=no-mark, to avoid re-marking an already marked connection.
@anav: AFAIK address lists and routes live in completely different parts of the Linux kernel, so it may not be easy to link them together.
It’s another condition. When you have rules with passthrough=yes (and you need that), it means that processing won’t stop there, but will continue with following rules. Let’s say that with the six rules in my last post the first one matches (because source is in local-pl list), but the last one matches too (because destination is in VPN-IP-UK list). So first the connection gets VPN-IP-PL mark, but if there wasn’t connection-mark=no-mark, then a moment later it would get VPN-IP-UK mark.
On that, I have a question: is there, among all the routing options in v7, something like /ip/route/rules that routes based on the connection mark depending on upstream or downstream?
Now in Mangle, you have to put x number of connection-mark lines and the same number of routing-mark lines to be able to select which route has to be used. I mostly put those blocks in their own chain, with a jump that filters first whether traffic should be handled by that dedicated chain.
I’m not sure what you mean, try to describe it in more detail. But generally I wouldn’t say that the router sees upstream and downstream as anything special, it just has some routes.
Let’s assume that these are my mangle rules.
IP 200 (in local-pl list) - based on this mangle, entire traffic is sent through vpnPL (regardless of whether the destination IP suggests another tunnel)
IP 201 (in local-uk list) - based on this mangle, entire traffic is sent through vpnUK (regardless of whether the destination IP suggests another tunnel)
IP 202 (in local-us list) - based on this mangle, entire traffic is sent through vpnUS (regardless of whether the destination IP suggests another tunnel)
IP 203 (in local-de list) - based on this mangle, entire traffic is sent through vpnDE (regardless of whether the destination IP suggests another tunnel)
IP 204 (in no local-* lists) - based on this mangle, traffic goes to vpnPL when the requested IP is in VPN-IP-Poland, to vpnUK when the requested IP is in VPN-IP-UK, and to WAN when the IP is not in any VPN-IP-* list
IP 205 (in no local-* lists) - based on this mangle, traffic goes to WAN (destination IP not in any VPN-IP-* list, e.g. 1.1.1.1)
IP 206 (in local-us list) - based on this mangle, traffic goes to vpnUS (same destination address as IP 205, e.g. 1.1.1.1)
I mention upstream because it makes a difference in which direction you route. Connection marking lives in connection tracking and looks solely at the connection, in any direction.
Searching the docs, I did not find connection/routing marks being mentioned other than in Mangle.
@pawlisko: If 206 is in local-us, then it will be the same as 202, i.e. the third rule will match and it will get the connection mark from it. It’s simple: whatever matches first will be used.
@msatter: Unless I’m misunderstanding you, the router doesn’t care about direction, it has routes and uses them. Yes, the default one covers more addresses than others, but I wouldn’t say that the router is moved by that very much.
I know that all WireGuard connections are set up properly, but there is some sort of error in the mangles and basically, connections are timing out. If I disable the mangles then I can do dedicated from 10.20.30.56 (see /routing rule) and it works like a charm (confirmed with different IP checkers). I checked on other computers and it is only affecting IP-Country lists. Anything else works perfectly with the WAN connection.
It’s those rules with action=mark-routing, they currently work for both directions, but you want them only for outgoing traffic from LAN, so add in-interface=LAN to them. And they can also have passthrough=no (which will speed up processing by 0.000something%, so nothing to really care about, but passthrough=yes is useless for them; but only for these four).
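Putting the thread's pieces together as one added example (not the thread's BackupWireGuard.rsc and not any poster's config): the connection-mark rules with connection-mark=no-mark, the mark-routing rules restricted to in-interface=LAN with passthrough=no, and a /routing rule for the dedicated host. It is reduced to two tunnels; keys, endpoints, tunnel addresses and the interface name LAN are placeholders.

```routeros
# Added example, not the thread's BackupWireGuard.rsc: RouterOS v7 policy
# routing over WireGuard, two tunnels shown (PL, UK); repeat per country.
# Keys, endpoints, tunnel addresses and the name "LAN" are placeholders.
/interface wireguard
add name=wgPL private-key="REPLACE_WITH_PRIVATE_KEY_PL"
add name=wgUK private-key="REPLACE_WITH_PRIVATE_KEY_UK"
/interface wireguard peers
add interface=wgPL public-key="PROVIDER_PL_PUBLIC_KEY" endpoint-address=pl.example.net \
    endpoint-port=51820 allowed-address=0.0.0.0/0 persistent-keepalive=25s
add interface=wgUK public-key="PROVIDER_UK_PUBLIC_KEY" endpoint-address=uk.example.net \
    endpoint-port=51820 allowed-address=0.0.0.0/0 persistent-keepalive=25s
/ip address
add address=10.64.0.2/32 interface=wgPL
add address=10.64.1.2/32 interface=wgUK
# One routing table per tunnel; new-routing-mark must name an existing table.
/routing table
add name=to-PL fib
add name=to-UK fib
/ip route
add dst-address=0.0.0.0/0 gateway=wgPL routing-table=to-PL
add dst-address=0.0.0.0/0 gateway=wgUK routing-table=to-UK
/ip firewall nat
add chain=srcnat out-interface=wgPL action=masquerade
add chain=srcnat out-interface=wgUK action=masquerade
/ip firewall mangle
# Connection marks (passthrough defaults to yes): first match wins, because
# connection-mark=no-mark stops a later rule (e.g. dst in VPN-IP-UK) from
# re-marking a connection already marked PL. Whole-device rules (local-*
# source lists) therefore go before the destination-list rules.
add chain=prerouting in-interface=LAN connection-mark=no-mark \
    src-address-list=local-pl action=mark-connection new-connection-mark=VPN-IP-PL
add chain=prerouting in-interface=LAN connection-mark=no-mark \
    src-address-list=local-uk action=mark-connection new-connection-mark=VPN-IP-UK
add chain=prerouting in-interface=LAN connection-mark=no-mark \
    dst-address-list=VPN-IP-PL action=mark-connection new-connection-mark=VPN-IP-PL
add chain=prerouting in-interface=LAN connection-mark=no-mark \
    dst-address-list=VPN-IP-UK action=mark-connection new-connection-mark=VPN-IP-UK
# Routing marks only for LAN-originated packets, passthrough=no as nothing
# follows. A fasttrack-connection rule in forward must exclude these marks,
# otherwise later packets skip mangle and lose the routing mark.
add chain=prerouting in-interface=LAN connection-mark=VPN-IP-PL \
    action=mark-routing new-routing-mark=to-PL passthrough=no
add chain=prerouting in-interface=LAN connection-mark=VPN-IP-UK \
    action=mark-routing new-routing-mark=to-UK passthrough=no
# Dedicated host without mangle: lookup-only-in-table pins its lookups to one
# table (use the dedicated tunnel's table, wg-ded-US in the thread) and does
# not fall back to main, so its traffic is dropped rather than leaked if the
# tunnel is down.
/routing rule
add src-address=10.20.30.250/32 action=lookup-only-in-table table=to-PL
```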
First of all - huge thank you. It is working now as designed.
Second - I didn’t do any speed comparison testing with IPSec but will report back whenever I will do it. My IPSec tunnels (AES-256-GCM) @600Mbps were drawing about 45% CPU usage.
Last but not least - is there a way to create IP lists made of other lists?
I need this to create one firewall filter instead of a few.
Example: I have the lists local-pl, local-uk, local-p2p - is there a way to create a single list, e.g. “locals”, that consists of all those lists, so I can put it in a single firewall filter instead of creating multiple filters?
Unfortunately, there’s no list of lists so far. The sad part is that Linux (which RouterOS is based on) supports it, together with other useful list types, but they are not exposed in RouterOS. Hopefully one day…
So let me ask you an even crazier question - do you know how to create a list with MAC addresses?
I need to make a list for IPv6, and I have stateless address allocation. So the only way to limit connectivity is through a MAC address. Any idea how to do it there?