Wireguard use specific wan interface

V7.10
Wan 1 – Static
Wan 2 – LTE (backup)

I have set up wg between site A & B and this is working fine. How do I ensure that wg at site A uses Wan 2 only?
All traffic currently goes through Wan 1; Wan 2 (LTE) is for failover. I need to make sure that wg only uses Wan 2 to connect to its wg server at site B.

Thank you in advance for any advice

Yes the initial handshake must go out WAN2 and establish the tunnel over WAN2.
Does the server have a fixed/static WANIP address (aka site A)?
Is it only one user, or an entire subnet that uses WG?

here is the export from wireguard:

/interface wireguard
add listen-port=13231 mtu=1420 name=WG-SITE-A
/interface wireguard peers
add allowed-address=192.168.100.2/32 comment=WG-SITE-B endpoint-address=XXX.XXX.XXX.XXX endpoint-port=13231 interface=WG-SITE-A persistent-keepalive=25s public-key=\
    "XXXXXXXXXX"

Site A:
WAN-1 - Static WANIP - Ether1
WAN-2 - LTE - Dynamic (carrier grade nat) Ether2

Site B
WAN-1 - Static WANIP

Does the server have a fixed/static WANIP address (aka site A)? YES
Is it only one user, or an entire subnet that uses WG? Entire Subnet

So from doing further reading, I believe I need to:
1:create a table in Routing/Tables for wg: Export Config

/routing table
add disabled=no fib name=TO_WG

2: under Routing/Rules - create a rule to use wg table for the endpoint ip for site B: Export Config

/routing rule
# interface= in a routing rule matches the incoming interface; the router's own
# WireGuard transport packets have none, so the rule must match on destination only
add action=lookup-only-in-table disabled=no dst-address=XXX.XXX.XXX.XXX/32 table=TO_WG

3: finally under IP/Routes create a route for WAN-2 to use routing table wg: Export Config

/ip route
add comment="monitor host via ISP-1" disabled=no distance=1 dst-address=1.1.1.1/32 gateway=XXX.XXX.XXX.XX pref-src="" routing-table=main scope=10 suppress-hw-offload=no target-scope=10
add check-gateway=ping comment="Default Route - ISP-1" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=XXX.XXX.XXX.XX pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=11
add comment=ISP2-LTE distance=1 dst-address=8.8.8.8/32 gateway=10.56.XXX.XXX scope=30 target-scope=10
add check-gateway=ping comment=ISP2-LTE disabled=no distance=2 dst-address=0.0.0.0/0 gateway=8.8.8.8 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=30
add check-gateway=ping comment=ISP2-WG disabled=no distance=2 dst-address=0.0.0.0/0 gateway=8.8.8.8 pref-src="" routing-table=TO_WG scope=30 suppress-hw-offload=no target-scope=30

So, to recap:
Site A uses WAN-2 only to connect to Site B. Site A is the peer, Site B is the server. I want all traffic over WAN2 to use wg at all times.

I hope I have provided enough information above and that it all makes sense. Once again, thanks in advance for all your help.

There are a few ways this can be accomplished, just trying to find the most efficient method.
What concerns me is identifying the LTE gateway IP as its not static correct?

There are two concerns that you have well captured
a. ensuring initial handshake goes out WAN2
b. ensure subnet goes out wireguard.

Can you confirm address of wireguard on MT is 192.168.100.1/24 and at site B the server address is 192.168.100.2/24
Typically the client router (siteA) should use 192.168.100.0/24 for allowed IP on its peer settings to site B.

At the server Site B 192.168.100.1/32 is the correct entry for the peer settings for the client MT but also the subnet.

192.168.100.1/32,subnetA

What concerns me is identifying the LTE gateway IP as its not static correct?
I do this by using this bit of code

/ip dhcp-client
add add-default-route=no interface=ether2 script=":if (\$bound=1) do={\r\
    \n\t/ip route add distance=1 gateway=\$\"gateway-address\" dst-address=\"8.8.8.8\" scope=30  target-scope=10  comment=\"ISP2-LTE\"\r\
    \n        /ip route add distance=2 gateway=\"8.8.8.8\" check-gateway=ping scope=30  target-scope=30 comment=\"ISP2-LTE\"\r\
    \n} else={\r\
    \n\t/ip route remove [/ip route find comment=\"ISP2-LTE\"]\r\
    \n}" use-peer-dns=no use-peer-ntp=no

Can you confirm address of wireguard on MT is 192.168.100.1/24 and at site B the server address is 192.168.100.2/24
Yes, this is correct; I did this because I set Site B to connect back to Site A.

I was experimenting first by getting the wg up between site A & B and didn’t really give consideration to the whole subnet. These are not set in stone and can be changed to accomplish the end goal :smiley:

Can you post your full config:
/export file=anynameyouwish (minus router serial number, any public WANIP information, keys etc.)

Also a gif or print out of IP routes but ensuring no public IP info exposed.

…this is the way I am doing it:

  • for DHCP-Client on Site A, LTE: create a second routing table “WAN2” and add the default gateway for WAN2 to it (in addition to the standard routing table “main”). I am using a script in the dhcp-client to do this.
  • in ip - firewall - mangle: add a rule in the output-chain, for connections going out via udp to Site B, IP & Port (the Wireguard “Server”-Peer listening on Site B), action: “mark routing” to “new routing mark” = “WAN2”.

Hominadea,

I believe based on the Script by the user, that he also wants the subnet and wireguard associated subnet to go out wireguard regardless.
Thus if WAN2 is not available, he wants wireguard to be established and go over WAN1. Should not be a problem at the server site and probably doable.
Thus I would not mangle traffic.

I am more interested in finding out if LTE2 is backup why does he
a. check through 8.8.8.8 recursively, ( if Primary is down, the only alternative is LTE2 )
b. why is the distance different in the two rules on the script.

Completely agree with the script concept but I would make it (for WAN2):
:if ($bound=1) do={
    :local iface $interface
    :local gw [/ip dhcp-client get [find interface=$iface] gateway]
    /ip route set [find comment="ISP2-LTE" gateway!=$gw] gateway=$gw
    /ip route set [find comment="ISP2-LTE1" gateway!=$gw] gateway=$gw
    /ip route set [find comment="ISP2-LTE2" gateway!=$gw] gateway=$gw
}

Then in my routes at Site A (the comment strings match the ones the script looks for):
add dst-address=0.0.0.0/0 gateway=8.8.8.8 distance=5 check-gateway=ping scope=10 target-scope=12
add dst-address=8.8.8.8/32 gateway=staticWANIP distance=5 scope=10 target-scope=11
add dst-address=0.0.0.0/0 gateway=<current LTE gateway address> distance=10 comment="ISP2-LTE"
Then for wireguard transport packets
add dst-address=<STATICWANIP-ServerB>/32 gateway=<current LTE gateway address> routing-table=main distance=5 comment="ISP2-LTE1"
Then for wireguard payload traffic
add dst-address=0.0.0.0/0 gateway=<current LTE gateway address> routing-table=use4WG comment="ISP2-LTE2"

Add table
add fib name=use4WG

Add routing rule
add src-address=<subnet> action=lookup table=use4WG

+++++++++++++++++++++++++++++++++++++++++++

In this manner, the gateway is updated as required, the initial handshake goes out the main table via ISP LTE and the subnet goes out Wireguard for all traffic.
In both cases if WAN2 fails, the router will choose wan1 for the handshake and the WG traffic will then be routed out the available WAN one ( since we used action=lookup ).

The only caution is that the subnet will not be able to originate or return traffic to any other subnets on the Site A router unless we add more routing rules.

Thanks for the info, but I still don’t see the reason why not.
I use the mangle rule only for directing the WG peer connection through the respective, outgoing WAN-if, not the “normal” traffic that is going to be passed through the tunnel once it is established.
Hence, both WG connections (Site A, WAN1 and WAN2 to Site B, WAN1) are active at the same time.
“Failover” of traffic between Sites A and B is done via respective routes and gateway IPs of the transfer-nets that are associated with each WG endpoint/tunnel in the main table…no mangling there. Actually I plan to use ospf for that someday…just too busy atm.

Files requested attached, to avoid any confusion I only require wg to go via WAN2 at all times, not concerned if it goes down
IP ROUTES SITE A.jpg
MK-5009-SITE A.rsc (26.3 KB)

Sorry but that is an incomplete stated requirement.

A. You wish an entire subnet to go out wireguard for internet or to access another device … via WAN2
B. If the wireguard tunnel is down, then what do you want to happen with your subnet.

  • since it cannot go out wireguard on WAN2, do you want the traffic dropped?
  • since it cannot go out wireguard do you want it to go out local WAN for internet for example.

According to your own script you want it to then go out the wireguard tunnel via WAN1 if WAN2 is not available.

So one can conclude that you NEVER want that subnet going out your local WAN for internet, only wireguard??
And it doesn’t matter which WAN is used?

Perhaps your requirement is:
SUBNETX can ONLY reach the internet through wireguard, preferably via WAN2, but WAN1 is acceptable if it is the only WAN available.

Mangling affects router performance and should only be used if it is more efficient in some other way or unavoidable.

A. You wish an entire subnet to go out wireguard for internet or to access another device … via WAN2
B. If the wireguard tunnel is down, then what do you want to happen with your subnet.

  • since it cannot go out wireguard on WAN2, do you want the traffic dropped?
  • since it cannot go out wireguard do you want it to go out local WAN for internet for example.

A: Wish an entire subnet to go out wireguard just for the internet
B: If it cannot go out via wireguard then NO i don’t want it to go out via local WAN

Ok, let me try and explain the strange setup. Everything goes out via WAN1; this is in fact a leased line, very stable, and seldom goes down, so great. But when it does, WAN2 obviously takes over; this is in fact an LTE connection via a LHG LTE18 Kit, running through a carrier grade NAT. This causes problems for one particular subnet, the voip phones: the ISP for the LTE is blocking voip traffic, therefore I need the voip phones to go through the wireguard to site B and out the other end. This hopefully will solve the major issue, in that the voip server in the DC knows the static WANIP at site-B and won’t block the voip phones registering from site-A. Via the LTE connection the voip server blocks the CGNAT WANIP.

So that is method of the madness
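A complete Site A / Site B configuration for the requirement just stated (VoIP subnet reaches the internet only through the tunnel, WG transport prefers WAN2 with WAN1 as fallback, and the subnet is blackholed rather than sent out the local WAN when the tunnel is down), written here as an added example rather than any poster's own export. It uses the routing-table and routing-rule approach discussed earlier, with the dhcp-client script keeping the dynamic LTE gateway current, and shows the mangle variant only as a commented alternative. Every concrete value is a constructed placeholder: ether1 = WAN1 (static), ether2 = WAN2 LTE (DHCP, CGNAT), 192.168.50.0/24 = the VoIP subnet, 203.0.113.10 = Site B's static WAN IP, WG-SITE-B = the Site B tunnel interface, and the <...> tokens stand for the real gateway and keys.

```routeros
# Added example (constructed, not the thread's exports). Placeholders:
#   ether1 = WAN1 static, ether2 = WAN2 LTE via DHCP (CGNAT)
#   192.168.50.0/24 = VoIP subnet at Site A, 203.0.113.10 = Site B static WAN IP
#   <WAN1-GATEWAY>, <SITE-A-PUBLIC-KEY>, <SITE-B-PUBLIC-KEY> = fill in

############ Site A (client side) ############

/routing table
add name=WAN2 fib      # router-originated WG transport, preferred path
add name=TO_WG fib     # VoIP subnet: tunnel or nothing

/interface wireguard
add listen-port=13231 mtu=1420 name=WG-SITE-A
/interface wireguard peers
# 0.0.0.0/0: replies from arbitrary internet hosts come back through the tunnel;
# a narrower allowed-address makes cryptokey routing drop them
add allowed-address=0.0.0.0/0 comment=WG-SITE-B endpoint-address=203.0.113.10 \
    endpoint-port=13231 interface=WG-SITE-A persistent-keepalive=25s \
    public-key="<SITE-B-PUBLIC-KEY>"
/ip address
add address=192.168.100.1/24 interface=WG-SITE-A

/ip route
# WAN1 stays the primary default for everything that is not policy-routed
add dst-address=0.0.0.0/0 gateway=<WAN1-GATEWAY> distance=1 check-gateway=ping comment="WAN1 default"
# payload: VoIP subnet goes to Site B over the tunnel; check-gateway is what takes
# this route down, because a WireGuard interface never loses link state
add dst-address=0.0.0.0/0 gateway=192.168.100.2 routing-table=TO_WG distance=1 \
    check-gateway=ping comment="VOIP-via-WG"
# fail closed: when the tunnel route is inactive the blackhole wins, so VoIP traffic
# is never handed to the CGNAT address that the VoIP server blocks
add blackhole dst-address=0.0.0.0/0 routing-table=TO_WG distance=10 comment="VOIP-blackhole"

# the LTE gateway is dynamic: the dhcp-client (re)creates both LTE routes on each bind.
# distance=1 in table WAN2 (preferred for WG transport), distance=2 in main
# (behind the WAN1 default), both removed when the lease is lost.
/ip dhcp-client
add add-default-route=no interface=ether2 use-peer-dns=no use-peer-ntp=no \
    script=":if (\$bound=1) do={ /ip route remove [find comment=\"WAN2-LTE\"]; \
    /ip route add dst-address=0.0.0.0/0 gateway=\$\"gateway-address\" routing-table=WAN2 distance=1 check-gateway=ping comment=\"WAN2-LTE\"; \
    /ip route add dst-address=0.0.0.0/0 gateway=\$\"gateway-address\" routing-table=main distance=2 check-gateway=ping comment=\"WAN2-LTE\" } \
    else={ /ip route remove [find comment=\"WAN2-LTE\"] }"

/routing rule
# WG transport to Site B: WAN2's table first, then main (WAN1) when the LTE route is
# gone. action=lookup (not lookup-only-in-table) is what provides the fallback.
add dst-address=203.0.113.10/32 action=lookup table=WAN2 comment="WG transport prefers WAN2"
# keep VoIP-to-local-LAN traffic in main, otherwise the next rule hijacks it
# (adjust the aggregate to your own LAN ranges)
add src-address=192.168.50.0/24 dst-address=192.168.0.0/16 action=lookup table=main comment="VoIP to local LANs"
# VoIP subnet never leaves TO_WG, which holds only the tunnel route and the blackhole
add src-address=192.168.50.0/24 action=lookup-only-in-table table=TO_WG comment="VoIP only via WG"

# Alternative to the first routing rule (the mangle variant): use one or the other.
# /ip firewall mangle add chain=output protocol=udp dst-address=203.0.113.10 dst-port=13231 \
#     action=mark-routing new-routing-mark=WAN2 passthrough=no comment="WG transport via WAN2"

/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade comment="WAN1"
add chain=srcnat out-interface=ether2 action=masquerade comment="WAN2 LTE"

############ Site B (server side) ############

/interface wireguard peers
# allowed-address must include the VoIP subnet or its packets are dropped on arrival
add allowed-address=192.168.100.1/32,192.168.50.0/24 comment=WG-SITE-A \
    interface=WG-SITE-B public-key="<SITE-A-PUBLIC-KEY>"
/ip route
# RouterOS installs no routes from allowed-address, so the return route is explicit
add dst-address=192.168.50.0/24 gateway=192.168.100.1 comment="Site A VoIP via WG"
/ip firewall nat
# the phones then register from Site B's static WAN IP, which the VoIP server accepts
add chain=srcnat src-address=192.168.50.0/24 out-interface=ether1 action=masquerade comment="Site A VoIP"
```

Two points worth checking after pasting this in: `/routing rule print` shows the rule order, which matters because the first matching rule decides the table; and `/ip route print where routing-table=TO_WG` should show the tunnel route active while Site B answers pings and the blackhole taking over when it does not, which is the fail-closed behaviour the VoIP subnet needs. The masquerade on ether2 is also required for the mangle alternative, since the router picks its source address before the output mark re-routes the packet.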

I am more interested in finding out if LTE2 is backup why does he
a. check through 8.8.8.8 recursively, ( if Primary is down, the only alternative is LTE2 )
b. why is the distance different in the two rules on the script.

a: originally when I was testing I used two LTE connections load balancing, and copied the script from another user
b: once again just copied from another user

I am no way an expert in Mikrotik, just an avid enthusiast and learner :smiley: