Wireguard VPN on dual WAN

haianh · December 21, 2024, 6:13am

Hello guys,

I want to setup wireguard VPN Site-to-Site on dual WAN on 2 Site, running OS v7.16.2
Site A: WAN1 primary PPPoE, WAN2 ILL backup, both are static IP
Site B: WAN1 primary PPPoE, WAN2 ILL backup, both are static IP
I want to make Wireguard traffic go throught WAN2, just give me sample configuration.
I have searched in forum but no scenario match with my case,
Thank you all,

sindy · December 21, 2024, 10:00am

If all you want is that the site-to-site Wireguard between A and B would use WAN 2 at both sites, and if you don’t plan on any other traffic among the public addresses of Site A and Site B, just add static routes:

Site A:
dst-address=ip.of.siteB.wan2/32 gateway=ip.or.siteA.wan2-gw

Site B:
dst-address=ip.of.siteA.wan2/32 gateway=ip.or.siteB.wan2-gw

For any more complicated scenario, you’ll need policy routing in its full complexity, including special provisions for the specific behavior of Wireguard.

panisk0 · December 21, 2024, 10:22am

this takes several steps, start with the correct configuration of the policy routing:

/routing table
add disabled=no fib name=to_WAN_main
add disabled=no fib name=to_WAN_bkp

/routing rule
add action=lookup disabled=no src-address=1.1.1.0/30 table=to_WAN_main
add action=lookup disabled=no routing-mark=to_WAN_main table=to_WAN_main
add action=lookup disabled=no src-address=2.2.2.0/30 table=to_WAN_bkp
add action=lookup disabled=no routing-mark=to_WAN_bkp table=to_WAN_bkp

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=1.1.1.1 pref-src=1.1.1.2 routing-table=main
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=2.2.2.1 pref-src=2.2.2.2 routing-table=main
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=1.1.1.1 pref-src=1.1.1.2 routing-table=to_WAN_main
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=2.2.2.1 pref-src=2.2.2.2 routing-table=to_WAN_bkp

check it by ping:
/ping address=8.8.8.8 src-address=1.1.1.2
/ping address=8.8.8.8 src-address=2.2.2.2

If it works, I will in step 2 write you the Wireguard configuration

haianh · December 21, 2024, 12:04pm

Thank you for the advice, the WAN2 is the backup when WAN1 down, so it also need to access the internet.

haianh · December 21, 2024, 12:36pm

this takes several steps, start with the correct configuration of the policy routing:

/routing table
add disabled=no fib name=to_WAN_main
add disabled=no fib name=to_WAN_bkp

/routing rule
add action=lookup disabled=no src-address=1.1.1.0/30 table=to_WAN_main
add action=lookup disabled=no routing-mark=to_WAN_main table=to_WAN_main
add action=lookup disabled=no src-address=2.2.2.0/30 table=to_WAN_bkp
add action=lookup disabled=no routing-mark=to_WAN_bkp table=to_WAN_bkp

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=1.1.1.1 pref-src=1.1.1.2 routing-table=main
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=2.2.2.1 pref-src=2.2.2.2 routing-table=main
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=1.1.1.1 pref-src=1.1.1.2 routing-table=to_WAN_main
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=2.2.2.1 pref-src=2.2.2.2 routing-table=to_WAN_bkp

check it by ping:
/ping address=8.8.8.8 src-address=1.1.1.2
/ping address=8.8.8.8 src-address=2.2.2.2

If it works, I will in step 2 write you the Wireguard configuration

thank you for the instruction, I’m sorry that forgot to inform WAN1 is PPPoE, not static, so the config is different ?

anav · December 21, 2024, 1:22pm

Before replying… Is there any port forwarding going on (aka external users) or just VPN coming in externally?

Both WAN1s are static PPPOE addresses, so confirm
a. they dont change
b. they are indeed public not private IP addresses.

Both WAN2s are ???
a. static or private IP addresses???
b. public or private IP addresses??

There is also a bug with Wireguard when coming in on WAN2 while its the secondary WAN.

anav · December 21, 2024, 2:06pm

MAIN ROUTER A ( server peer for wireguard handshake )
/routing table
add disabled=no fib name=use-WAN2

/ip route ( minimum )
add distance=2 check-gateway=ping dst-address=0.0.0.0/0 gateway=pppoe-out1
add distance=4 dst-address=0.0.0.0/0 gateway=WAN2-gateway-ip
add dst-address=0.0.0.0/0 gateway=WAN2-gateway-ip routing-table=use-WAN2

/ip route ( better - recursive - checks connection to internet is actually up, not just connection to ISP )
add distance=2 check-gateway=ping dst-address=0.0.0.0/0 gateway=1.0.0.1 scope=10 target-scope=12
add distance=2 dst-address=1.0.0.1/32 gateway=pppoe-out1 scope=10 target-scope=11
add distance=4 dst-address=0.0.0.0/0 gateway=WAN2-gateway-ip
add dst-address=0.0.0.0/0 gateway=WAN2-gateway-ip routing-table=use-WAN2

Now all traffic will go to WAN1, and if WAN1 is not available traffic will move to WAN2 and will go back to WAN1 when it is functional.
Ensure you use the standard masquerade sourcenat rule as well.

/ip firewall mangle ( to ensure traffic coming in on WAN2 goes back out WAN2 )
add chain=input action=mark-connection connection-mark=no-mark
in-interface=WAN2 new-connection-mark=incomingWAN2 passthrough=yes
add chain=output action=mark-routing connection-mark=incomingWAN2
new-routing-mark=use-WAN2 passthrough=no

Ensure on the forward chain fasttrack rule you add the following:
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack”
connection-state=established,related connection=mark=no-mark

Finally to deal with the bug, we need a trick destination nat rule to ensure wireguard traffic does NOT go back out WAN1
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dstnat chain=dst-nat in-interface=WAN2 dst-address-type=local dst-port=wireguardport protocol=udp to-address=staticWAN1-ip

The idea being, the router will assume all wireguard traffic that wants to exit WAN1, will be un-detinatted to wan2…

+++++++++++++++++++++

Basically the same for Router B.
Main differences - no need for input chain rule for handshake.
Allowed peers need endpoint address of WAN2 on router A, and wireguard port and persistent keep alive set.
Would add another mangle rule on router B as first rule to ensure MTU handling…
add action=change-mss chain=forward comment=“Clamp MSS to PMTU for Outgoing packets” new-mss=clamp-to-pmtu out-interface=wireguard1 passthrough=yes protocol=tcp tcp-flags=syn

++++++++++++
Best bet is to post complete config for review after an attempt to incorporate method of choice.
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc. )

haianh · December 21, 2024, 11:43pm

MAIN ROUTER A ( server peer for wireguard handshake )
/routing table
add disabled=no fib name=use-WAN2

/ip route ( minimum )
add distance=2 check-gateway=ping dst-address=0.0.0.0/0 gateway=pppoe-out1
add distance=4 dst-address=0.0.0.0/0 gateway=WAN2-gateway-ip
add dst-address=0.0.0.0/0 gateway=WAN2-gateway-ip routing-table=use-WAN2

/ip route ( better - recursive - checks connection to internet is actually up, not just connection to ISP )
add distance=2 check-gateway=ping dst-address=0.0.0.0/0 gateway=1.0.0.1 scope=10 target-scope=12
add distance=2 dst-address=1.0.0.1/32 gateway=pppoe-out1 scope=10 target-scope=11
add distance=4 dst-address=0.0.0.0/0 gateway=WAN2-gateway-ip
add dst-address=0.0.0.0/0 gateway=WAN2-gateway-ip routing-table=use-WAN2

Now all traffic will go to WAN1, and if WAN1 is not available traffic will move to WAN2 and will go back to WAN1 when it is functional.
Ensure you use the standard masquerade sourcenat rule as well.

/ip firewall mangle ( to ensure traffic coming in on WAN2 goes back out WAN2 )
add chain=input action=mark-connection connection-mark=no-mark
in-interface=WAN2 new-connection-mark=incomingWAN2 passthrough=yes
add chain=output action=mark-routing connection-mark=incomingWAN2
new-routing-mark=use-WAN2 passthrough=no

Ensure on the forward chain fasttrack rule you add the following:
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack”
connection-state=established,related connection=mark=no-mark

Finally to deal with the bug, we need a trick destination nat rule to ensure wireguard traffic does NOT go back out WAN1
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dstnat chain=dst-nat in-interface=WAN2 dst-address-type=local dst-port=wireguardport protocol=udp to-address=staticWAN1-ip

The idea being, the router will assume all wireguard traffic that wants to exit WAN1, will be un-detinatted to wan2…

+++++++++++++++++++++

Basically the same for Router B.
Main differences - no need for input chain rule for handshake.
Allowed peers need endpoint address of WAN2 on router A, and wireguard port and persistent keep alive set.
Would add another mangle rule on router B as first rule to ensure MTU handling…
add action=change-mss chain=forward comment=“Clamp MSS to PMTU for Outgoing packets” new-mss=clamp-to-pmtu out-interface=wireguard1 passthrough=yes protocol=tcp tcp-flags=syn

++++++++++++
Best bet is to post complete config for review after an attempt to incorporate method of choice.
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc. )

The command:
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack”
connection-state=established,related connection=mark=no-mark
need to correct with:
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack”
connection-state=established,related connection-mark=no-mark

After I followed your config, Wireguard traffic still go on WAN1, I will give you my current configuration.

haianh · December 21, 2024, 11:48pm

When it’s fixed, do I need the config you give me ?

haianh · December 22, 2024, 12:47am

MAIN ROUTER A ( server peer for wireguard handshake )
/routing table
add disabled=no fib name=use-WAN2

/ip route ( minimum )
add distance=2 check-gateway=ping dst-address=0.0.0.0/0 gateway=pppoe-out1
add distance=4 dst-address=0.0.0.0/0 gateway=WAN2-gateway-ip
add dst-address=0.0.0.0/0 gateway=WAN2-gateway-ip routing-table=use-WAN2

/ip route ( better - recursive - checks connection to internet is actually up, not just connection to ISP )
add distance=2 check-gateway=ping dst-address=0.0.0.0/0 gateway=1.0.0.1 scope=10 target-scope=12
add distance=2 dst-address=1.0.0.1/32 gateway=pppoe-out1 scope=10 target-scope=11
add distance=4 dst-address=0.0.0.0/0 gateway=WAN2-gateway-ip
add dst-address=0.0.0.0/0 gateway=WAN2-gateway-ip routing-table=use-WAN2

Now all traffic will go to WAN1, and if WAN1 is not available traffic will move to WAN2 and will go back to WAN1 when it is functional.
Ensure you use the standard masquerade sourcenat rule as well.

/ip firewall mangle ( to ensure traffic coming in on WAN2 goes back out WAN2 )
add chain=input action=mark-connection connection-mark=no-mark
in-interface=WAN2 new-connection-mark=incomingWAN2 passthrough=yes
add chain=output action=mark-routing connection-mark=incomingWAN2
new-routing-mark=use-WAN2 passthrough=no

Ensure on the forward chain fasttrack rule you add the following:
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related connection=mark=no-mark

Finally to deal with the bug, we need a trick destination nat rule to ensure wireguard traffic does NOT go back out WAN1
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dstnat chain=dst-nat in-interface=WAN2 dst-address-type=local dst-port=wireguardport protocol=udp to-address=staticWAN1-ip

The idea being, the router will assume all wireguard traffic that wants to exit WAN1, will be un-detinatted to wan2........

+++++++++++++++++++++

Basically the same for Router B.
Main differences - no need for input chain rule for handshake.
Allowed peers need endpoint address of WAN2 on router A, and wireguard port and persistent keep alive set.
Would add another mangle rule on router B as first rule to ensure MTU handling....
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=wireguard1 passthrough=yes protocol=tcp tcp-flags=syn

++++++++++++
Best bet is to post complete config for review after an attempt to incorporate method of choice.
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc. )

Site A:

2024-12-22 07:27:56 by RouterOS 7.16.2

software id = 9931-M8FK

model = CCR1016-12G

serial number =

/interface bridge
add name=guest-lan
add name=py1-lan
/interface ethernet
set [ find default-name=ether1 ] comment=WAN-FTTH
set [ find default-name=ether2 ] comment=WAN-ILL
/interface pppoe-client
add disabled=no interface=ether1 name=WAN-FTTH user=netnam_manipy
/interface wireguard
add listen-port=51248 mtu=1420 name=WG-VPN-To-PY2
add listen-port=12677 mtu=1420 name=WG-client-to-site-PY1
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.0.255.1-10.0.255.253
add name=dhcp_pool1 ranges=10.22.10.10-10.22.10.200
/ip dhcp-server
add address-pool=dhcp_pool0 interface=guest-lan lease-time=1d name=guest-dhcp
add address-pool=dhcp_pool1 interface=py1-lan lease-time=8h name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/routing table
add disabled=no fib name=FTTH-table
add disabled=no fib name=ILL-table
/interface bridge port
add bridge=py1-lan interface=ether11
add bridge=py1-lan interface=ether12
add bridge=guest-lan interface=ether8
add bridge=py1-lan interface=ether9
add bridge=py1-lan interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add interface=guest-lan list=LAN
add interface=py1-lan list=LAN
add interface=WAN-FTTH list=WAN
add interface=ether2 list=WAN
/interface wireguard peers
add allowed-address=172.25.0.0/16 endpoint-address=SiteB-WAN2-IP
endpoint-port=51248 interface=WG-VPN-To-PY2 name=vpn-to-PY2 public-key=
""
add allowed-address=10.22.19.2/32 interface=WG-client-to-site-PY1 name=
hangmmh public-key=""
add allowed-address=10.22.19.1/32 interface=WG-client-to-site-PY1 name=bh.anh
public-key=""
add allowed-address=10.22.19.3/32 interface=WG-client-to-site-PY1 name=
ngocmmh public-key=""
add allowed-address=10.22.19.4/32 interface=WG-client-to-site-PY1 name=
damhammh public-key=""
add allowed-address=10.22.19.5/32 interface=WG-client-to-site-PY1 name=
hung.bravo public-key=""
add allowed-address=10.22.19.6/32 interface=WG-client-to-site-PY1 name=
hoangbravo public-key=""
add allowed-address=10.22.19.7/32 interface=WG-client-to-site-PY1 name=
bh.anh2 public-key=""
add allowed-address=10.22.19.8/32 interface=WG-client-to-site-PY1 name=
bh.anh3 public-key=""
add allowed-address=10.22.19.9/32 interface=WG-client-to-site-PY1 name=
lanbravo public-key=""
add allowed-address=10.22.19.10/32 interface=WG-client-to-site-PY1 name=
nm.hung public-key=""
/ip address
add address=10.22.10.254/24 interface=py1-lan network=10.22.10.0
add address=10.0.255.254/24 interface=guest-lan network=10.0.255.0
add address=202.151.163.46/30 interface=ether2 network=202.151.163.44
add address=10.22.0.254/30 interface=WG-VPN-To-PY2 network=10.22.0.252
add address=10.22.19.254/24 interface=WG-client-to-site-PY1 network=
10.22.19.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=10.0.255.0/24 gateway=10.0.255.254
add address=10.22.10.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.22.10.254
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=172.20.0.0/16 list=LAN
add address=10.0.255.0/24 list=LAN
add address=10.22.10.0/24 list=LAN
add address=thuedientu.gdt.gov.vn list=traffic-via-ILL
add address=172.25.0.0/16 list=VPN
add address=tracuunnt.gdt.gov.vn list=traffic-via-ILL
add address=vieclamthainguyen.gov.vn list=traffic-via-ILL
add address=sn.mynetname.net list=WAN
add address=dichvucong.thainguyen.gov.vn list=traffic-via-ILL
add address=hoadondientu.gdt.gov.vn list=traffic-via-ILL
add address=www.gdt.gov.vn list=traffic-via-ILL
add address=thainguyen.gov.vn list=traffic-via-ILL
add address=canhan.gdt.gov.vn list=traffic-via-ILL
add address=kcn.thainguyen.gov.vn list=traffic-via-ILL
add address=speedtest.vn list=traffic-via-ILL
/ip firewall filter
add action=accept chain=input comment="allow WireGuard" dst-port=12677
protocol=udp
add action=accept chain=input src-address=10.22.19.0/24
add action=accept chain=input dst-port=51248 protocol=udp src-address=
SiteB-WAN1-IP
add action=accept chain=input dst-port=51248 protocol=udp src-address=
SiteB-WAN2-IP
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=WAN1-IP dst-port=443
protocol=tcp to-addresses=10.22.10.253 to-ports=443
add action=dst-nat chain=dstnat dst-address=WAN2-IP dst-port=443
protocol=tcp to-addresses=10.22.10.253 to-ports=443
add action=masquerade chain=srcnat out-interface=WAN-FTTH to-addresses=
WAN1-IP
add action=masquerade chain=srcnat out-interface=ether2 to-addresses=
WAN2-IP
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add disabled=no distance=1 dst-address=172.20.0.0/16 gateway=10.22.10.253
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=172.25.0.0/16 gateway=WG-VPN-To-PY2
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=10.22.20.0/24 gateway=10.22.0.253
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=4 dst-address=0.0.0.0/0 gateway=
WAN2-Gateway-IP routing-table=main scope=30 suppress-hw-offload=no
target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=
WAN2-Gateway-IP routing-table=ILL-table scope=30 suppress-hw-offload=no
target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=
WAN1-Gateway-IP routing-table=FTTH-table scope=30 suppress-hw-offload=no
target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=
8.8.8.8 routing-table=main scope=10 suppress-hw-offload=no target-scope=
12
add check-gateway=ping disabled=no distance=2 dst-address=8.8.8.8/32 gateway=
WAN1-Gateway-IP routing-table=main scope=10 suppress-hw-offload=no
target-scope=11
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/lcd
set time-interval=daily
/system clock
set time-zone-name=Asia/Ho_Chi_Minh
/system identity
set name=PY1-router-mikrotik
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=vn.pool.ntp.org
/tool e-mail
set from=1@gmail.com port=465 server=smtp.gmail.com tls=yes user=
1@gmail.com

Site B:

2024-12-22 07:29:16 by RouterOS 7.16.2

software id = 2M0R-ULGQ

model = CCR2004-16G-2S+

serial number =

/interface bridge
add name=guest-lan
add name=py2-lan
/interface ethernet
set [ find default-name=ether1 ] comment=WAN-FTTH
set [ find default-name=ether2 ] comment=WAN-ILL
/interface pppoe-client
add disabled=no interface=ether1 name=netnam-ftth user=netnam_manitn2
/interface wireguard
add listen-port=51248 mtu=1420 name=WG-VPN-To-PY1
add listen-port=35359 mtu=1420 name=wg-vpn-client-to-PY2
/interface list
add name=LAN
/ip pool
add name=dhcp_pool0 ranges=10.255.255.1-10.255.255.250
/ip dhcp-server
add address-pool=dhcp_pool0 interface=guest-lan lease-time=8h name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/routing table
add disabled=no fib name=FTTH-table
add disabled=no fib name=ILL-table
/interface bridge port
add bridge=py2-lan interface=ether16
add bridge=py2-lan interface=ether15
add bridge=py2-lan interface=ether14
add bridge=py2-lan interface=ether13
add bridge=guest-lan interface=ether12
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface=guest-lan list=LAN
add interface=py2-lan list=LAN
/interface wireguard peers
add allowed-address=172.20.0.0/16 endpoint-address=SiteB-WAN2-IP
endpoint-port=51248 interface=WG-VPN-To-PY1 name=vpn-to-PY1 public-key=
""
add allowed-address=10.22.29.1/24 interface=wg-vpn-client-to-PY2 name=bh.anh
public-key=""
/ip address
add address=10.22.20.254/24 interface=py2-lan network=10.22.20.0
add address=10.255.255.254/24 interface=guest-lan network=10.255.255.0
add address=101.96.76.126/30 interface=ether2 network=101.96.76.124
add address=10.22.0.253/30 interface=WG-VPN-To-PY1 network=10.22.0.252
add address=10.22.29.254/24 interface=wg-vpn-client-to-PY2 network=10.22.29.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=10.255.255.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.255.255.254
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=172.25.0.0/16 list=LAN
add address=10.255.255.0/24 list=LAN
add address=10.22.20.0/24 list=LAN
add address=10.22.29.0/24 list=VPN
add address=172.20.0.0/16 list=VPN
/ip firewall filter
add action=accept chain=input dst-port=35359 protocol=udp
add action=accept chain=input src-address=10.22.29.0/24
add action=accept chain=input dst-port=51248 protocol=udp src-address=
SiteA-WAN1-IP
add action=accept chain=input dst-port=51248 protocol=udp src-address=
SiteA-WAN2-IP
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=WAN2-IP dst-port=443
protocol=tcp to-addresses=10.22.20.253 to-ports=443
add action=dst-nat chain=dstnat dst-address=WAN1-IP dst-port=443
protocol=tcp to-addresses=10.22.20.253 to-ports=443
add action=masquerade chain=srcnat out-interface=netnam-ftth to-addresses=
WAN1-IP
add action=masquerade chain=srcnat out-interface=ether2 to-addresses=
WAN2-IP
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add check-gateway=ping disabled=no distance=4 dst-address=0.0.0.0/0 gateway=
WAN2-Gateway-IP routing-table=main scope=30 suppress-hw-offload=no
target-scope=10
add disabled=no distance=4 dst-address=10.22.10.0/24 gateway=10.22.0.254
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=
WAN1-Gateway-IP routing-table=FTTH-table scope=30 suppress-hw-offload=no
target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=
WAN2-Gateway-IP routing-table=ILL-table scope=30 suppress-hw-offload=no
target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=
8.8.8.8 routing-table=main scope=10 suppress-hw-offload=no target-scope=
12
add disabled=no distance=1 dst-address=172.20.0.0/16 gateway=WG-VPN-To-PY1
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no dst-address=172.25.0.0/16 gateway=10.22.20.253 routing-table=
main suppress-hw-offload=no
add check-gateway=ping disabled=no distance=2 dst-address=8.8.8.8/32 gateway=
WAN1-Gateway-IP routing-table=main scope=10 suppress-hw-offload=no
target-scope=11
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Asia/Ho_Chi_Minh
/system identity
set name=PY2-Mikrotik-Router
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=vn.pool.ntp.org
/system routerboard settings
set enter-setup-on=delete-key

anav · December 22, 2024, 12:53am

Before I get two into it…
You never mentioned two wireguard networks, what is the purpose please.
I dont see any value in dual connections between the same two routers, if one router has an isssue, 50 wireguard networks between the two will still not be fruitful.
Also is the intention for Router A or Router B to be the client server for handshake.
I thought it was Router A…

CGGXANNX · December 22, 2024, 4:02am

@sindy already gave you the best and simplest answer to your needs. Did you really try to apply it at all?

anav · December 22, 2024, 2:52pm

Okay, I see what Sindy means now… possible due to all static public IP addresses…
Further its simply router to router connectivity no need to go out internet of the other…

Thus Router B being peer client will send wireguard handshake and due to SIndys rule go out its WAN2 ( heading for WAN2 of Router A)
Router A will respond to the handshake and using its static route ensure the reply goes out its WAN2.
+++++++++++++++++++

Thus we avoid mangling rules or routing rules altogether and also getting rid of two Wireguard interfaces, when only one is required.
Simplify where possible is a decent MT motto.
Also in your config, besides some allowed IPs missing the wireguard address (site to site) you have some weird non-existant IPs in the mix 172.25.xx AND 172.20.xx
What I did do is create two subnets for the single wireguard interface separating remote warrior access to Router A and the site to site between Router A and Router B, for some clarity.
Simplified dstnat rules and masquerade rules.

Site A:
…

# 2024-12-22 07:27:56 by RouterOS 7.16.2
# software id = 9931-M8FK
#
# model = CCR1016-12G
# serial number =
/interface bridge
add name=guest-lan
add name=py1-lan
/interface ethernet
set [ find default-name=ether1 ] comment=WAN-FTTH
set [ find default-name=ether2 ] comment=WAN-ILL
/interface pppoe-client
add disabled=no interface=ether1 name=WAN-FTTH user=netnam_manipy
/interface wireguard
add listen-port=51248 mtu=1420 name=WG-RouterA
/interface list
add name=LAN
add name=WAN
add name=TRUSTED
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.0.255.1-10.0.255.253
add name=dhcp_pool1 ranges=10.22.10.10-10.22.10.200
/ip dhcp-server
add address-pool=dhcp_pool0 interface=guest-lan lease-time=1d name=guest-dhcp
add address-pool=dhcp_pool1 interface=py1-lan lease-time=8h name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=guest-lan interface=ether8
add bridge=py1-lan interface=ether9
add bridge=py1-lan interface=ether10
add bridge=py1-lan interface=ether11
add bridge=py1-lan interface=ether12
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add interface=WAN-FTTH list=WAN
add interface=ether2 list=WAN
add interface=guest-lan list=LAN
add interface=py1-lan list=LAN
add interface=WG-RouterA list=LAN
add interface=py1-lan list=TRUSTED
add interface=WG-RouterA list=TRUSTED
/interface wireguard peers
add allowed-address=10.22.0.2/32,10.22.20.0/24  interface=WG-RouterA  public-key="--"  comment="site to site"
add allowed-address=10.22.19.1/32 interface=WG-RouterA  name=bh.anh public-key=""
add allowed-address=10.22.19.2/32 interface=WG-RouterA  name=hangmmh public-key=""
add allowed-address=10.22.19.3/32 interface=WG-RouterA  name=ngocmmh public-key=""
add allowed-address=10.22.19.4/32 interface=WG-RouterA  name=damhammh public-key=""
add allowed-address=10.22.19.5/32 interface=WG-RouterA  name=hung.bravo public-key=""
add allowed-address=10.22.19.6/32 interface=WG-RouterA  name=hoangbravo public-key=""
add allowed-address=10.22.19.7/32 interface=WG-RouterA name=bh.anh2 public-key=""
add allowed-address=10.22.19.8/32 interface=WG-RouterA name=bh.anh3 public-key=""
add allowed-address=10.22.19.9/32 interface=WG-RouterA name=lanbravo public-key=""
add allowed-address=10.22.19.10/32 interface=WG-RouterA name=nm.hung public-key=""
/ip address
add address=202.151.163.46/30 interface=ether2 network=202.151.163.44
add address=10.22.10.254/24 interface=py1-lan network=10.22.10.0
add address=10.0.255.254/24 interface=guest-lan network=10.0.255.0
add address=10.22.0.1/30 interface=WG-RouterA network=10.22.0.0 comment="site to site"
add address=10.22.19.254/24 interface=WG-RouterA network=10.22.19.0 comment="remote users"
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=10.0.255.0/24 gateway=10.0.255.254
add address=10.22.10.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.22.10.254
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=10.22.10.XX  list=AUTHORIZED  comment="local admin pc"
add address=10.22.10.YY list=AUTHORIZED comment="local admin device2"
add address=10.22.19.AB list=AUTHORIZED comment="remote wg admin laptop"
add address=10.22.19.CD list=AUTHORIZED comment="remote wg admin smartphone/ipad"
add address=10.22.20.EF  list=AUTHORIZED comment="admin local IP at RouterB"
add address=10.22.20.GH  list=AUTHORIZED comment="admin local IP at RouterB device 2"
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input  connection-state=invalid
add action=accept chain=input  protocol=icmp
add action=accept chain=input dst-address=127.0.0.1
add action=accept chain=input comment="wireguard handshake" dst-port=51248
add action=accept chain=input comment="admin access" src-address=list=AUTHORIZED
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53,123 protocol=udp
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=tcp
add action=drop chain=input comment="Drop all else"  { make this rule last }
+++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet traffic"  in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward commeint="RB to RA" in-interface=WG-RouterA src-address=10.22.20.0/24 dst-address=10.22.10.0/24
add action=accept chain=forward comment="RA to RB" out-interface=WG-RouterA src-address=10.22.10.0/24 dst-address=10.22.20.0/24
add action=accept chain=forward comment="remote users to RA" in-interface=WG-RouterA src-address=10.22.19.0/24 dst-address=10.22.10.0/24
add action=accept chain=forward comment="relay remote to RB" in-interface=WG-RouterA src-address=10.22.19.0/24 out-interface=WG-RouterA
add action=accept chain=forward comment="admin access" src-address-list=Authorized out-interface-list=LAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN-FTTH 
add action=masquerade chain=srcnat out-interface=ether2 
add action=dst-nat chain=dstnat in-interface-list=WAN dst-port=443 protocol=tcp to-addresses=10.22.10.253
/ip route
{ Main routes for backup }
add  check-gateway=ping dst-address=0.0.0.0/0 gateway=1.0.0.1 routing-table=main scope=10 target-scope=12
add  dst-address=1.0.0.1/32 gateway=WAN1-Gateway-IP routing-table=main scope=10 target-scope=11
++++++++++++++++
add check-gateway=ping  distance=2 dst-address=0.0.0.0/0 gateway=WAN2-Gateway-IP routing-table=main
++++++++++++++++
{ to ensure traffic to Router B subnet }
add dst-address=10.22.20.0/24 gateway=WG-RouterA  routing-table=main
+++++++++++++++
{ special route for wireguard to wan2 }
add dst-address=ip.of.siteB.wan2/32 gateway=ip.or.siteA.wan2-gw
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/lcd
set time-interval=daily
/system clock
set time-zone-name=Asia/Ho_Chi_Minh
/system identity
set name=PY1-router-mikrotik
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=vn.pool.ntp.org
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
/tool e-mail
set from=1@gmail.com port=465 server=smtp.gmail.com tls=yes user=\
1@gmail.com

…

Missing pool for main lan???
Missing interface list entries???

Site B:
…

# 2024-12-22 07:29:16 by RouterOS 7.16.2
# software id = 2M0R-ULGQ
#
# model = CCR2004-16G-2S+
# serial number =
/interface bridge
add name=guest-lan
add name=py2-lan
/interface ethernet
set [ find default-name=ether1 ] comment=WAN-FTTH
set [ find default-name=ether2 ] comment=WAN-ILL
/interface pppoe-client
add disabled=no interface=ether1 name=netnam-ftth user=netnam_manitn2
/interface wireguard
add listen-port=35359 mtu=1420 name=WG-RouterB
/interface list
add name=LAN
add name=WAN
add name=TRUSTED
/ip pool
add name=dhcp_pool0 ranges=10.255.255.1-10.255.255.250
add name=dhcp_pool2 ranges=10.22.20.1-10.22.20.250
/ip dhcp-server
add address-pool=dhcp_pool0 interface=guest-lan lease-time=8h name=dhcp1
add address-pool=dhcp_pool2 interface=py2-lan lease-time=8h name=dhcp2
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=py2-lan interface=ether16
add bridge=py2-lan interface=ether15
add bridge=py2-lan interface=ether14
add bridge=py2-lan interface=ether13
add bridge=guest-lan interface=ether12
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/interface list member
add interface=netnam-ftth list=WAN
add interface=ether2 list=WAN
add interface=guest-lan list=LAN
add interface=py2-lan list=LAN
add interface=py2-lan list=TRUSTED
add interface=WG-RouterB list=TRUSTED
/interface wireguard peers
add allowed-address=10.22.0.1/32, 10.22.19.0/24,10.22.10.0/24 endpoint-address=SiteB-WAN2-IP \
endpoint-port=51248 interface=WG-RouterB  persistent-keep-alive=25s  public-key="----"
/ip address
add address=10.22.20.254/24 interface=py2-lan network=10.22.20.0
add address=10.255.255.254/24 interface=guest-lan network=10.255.255.0
add address=101.96.76.126/30 interface=ether2 network=101.96.76.124
add address=10.22.0.2/30 interface=WG-RouterB network=10.22.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=10.255.255.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.255.255.254
add address=10.22.20.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.22.20.254
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=10.22.10.XX  list=AUTHORIZED  comment="admin local IP at RouterA"
add address=10.22.10.YY list=AUTHORIZED comment="admin local IP at RouterA device2"
add address=10.22.19.AB list=AUTHORIZED comment="remote wg admin laptop"
add address=10.22.19.CD list=AUTHORIZED comment="remote wg admin smartphone/ipad"
add address=10.22.20.EF  list=AUTHORIZED comment="local admin IP"
add address=10.22.20.GH  list=AUTHORIZED comment="local admin IP device 2"
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input  connection-state=invalid
add action=accept chain=input  protocol=icmp
add action=accept chain=input dst-address=127.0.0.1
add action=accept chain=input comment="admin access" src-address=list=AUTHORIZED
add action=accept chain=input comment="users to services"  in-interface-list=LAN dst-port=53,123 protocol=udp
add action=accept chain=input comment="users to services"  in-interface-list=LAN dst-port=53 protocol=tcp
add action=drop chain=input comment="Drop all else"  make this rule last 
+++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet traffic"  in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward commeint="RA to RB"  in-interface=WG-RouterB  src-address=10.22.10.0/24  dst-address=10.22.20.0/24
add action=accept chain=forward comment="RB to RB"  out-interface=WG-RouterB  src-address=10.22.20.0/24  dst-address=10.22.10.0/24
add action=accept chain=forward comment="remote users to RB"  in-interface=WG-RouterB src-address=10.22.19.0/24 dst-address=10.22.20.0/24
add action=accept chain=forward comment="admin access"  src-address-list=AUTHORIZED out-interface-list=LAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat in-interface-list=WAN dst-port=443 protocol=tcp to-addresses=10.22.20.253
/ip firewall mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=WG-RouterB passthrough=yes protocol=tcp tcp-flags=syn
/ip route
{ Main routes for backup }
add  check-gateway=ping dst-address=0.0.0.0/0 gateway=1.1.1.1 routing-table=main scope=10 target-scope=12
add  dst-address=1.1.1.1/32 gateway=WAN1-Gateway-IP routing-table=main scope=10 target-scope=11
++++++++++++++++
add check-gateway=ping  distance=2 dst-address=0.0.0.0/0 gateway=WAN2-Gateway-IP routing-table=main
++++++++++++++++
{ to ensure traffic to Router A subnet }
add dst-address=10.22.10.0/24 gateway=WG-RouterA  routing-table=main
{ to ensure return traffic for remote wg users }
add dst-address=10.22.19.0/24  gateway=WG-RouterB  routing-table=main
+++++++++++++++
{ special route for wireguard to wan2 }
add dst-address=ip.of.siteA.wan2/32 gateway=ip.or.siteB.wan2-gw
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Asia/Ho_Chi_Minh
/system identity
set name=PY2-Mikrotik-Router
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=vn.pool.ntp.org
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
/system routerboard settings
set enter-setup-on=delete-key

haianh · December 23, 2024, 5:41am

Hello guys,

Thank you for you kindy support,
I just add iproute in 2 router to my current config, re-enable wireguard, and traffic goes on wan2 on 2 site,

Site A:
dst-address=ip.of.siteB.wan2/32 gateway=ip.or.siteA.wan2-gw

Site B:
dst-address=ip.of.siteA.wan2/32 gateway=ip.or.siteB.wan2-gw

According to sindy:
If all you want is that the site-to-site Wireguard between A and B would use WAN 2 at both sites, and if you don’t plan on any other traffic among the public addresses of Site A and Site B, just add static routes:

Site A:
dst-address=ip.of.siteB.wan2/32 gateway=ip.or.siteA.wan2-gw

Site B:
dst-address=ip.of.siteA.wan2/32 gateway=ip.or.siteB.wan2-gw

For any more complicated scenario, you’ll need policy routing in its full complexity, including special provisions for the specific behavior of Wireguard.

I wonder when wan1 is down, can I access the internet through wan2 ?

CGGXANNX · December 23, 2024, 6:09am

Yes. If WAN1 is down, the route with destination 0.0.0.0/0 distance=2 gateway=WAN2-Gateway-IP in the main table will take over.

haianh · December 23, 2024, 6:27am

Thank you for the information, that’s all I need now.

Thank you all, again.

haianh · December 23, 2024, 6:59am

Hello guys,

Me again, sorry to bother you,
I have some client connect to 2 site via wireguard but still using wan1, any suggestion to make all wireguard traffic on wan2?

sindy · December 23, 2024, 8:21am

And here we go

It was simple right until this point. As soon as you want the router to always use WAN2 not just for a single remote address known in advance, regardless what kind of packet it is and if it is a response, via which WAN has the matching request come, you need the complete setup with multiple routing tables, connection marking, and special treatment of Wireguard’s special behavior.

So by adding this requirement into the mix, you have embarked the same boat like many other forum members, and there are at least five similar topics here.

For roaming clients that connect from “random” (as in “unknown in advance”) addresses, you cannot use dedicated routes in routing table main to make the router send traffic to the addresses of these clients no matter what. You have to assign a connection-mark to each transport Wireguard connection when handling its very first packet, and let the router route the packets it sends itself within these connections via WAN2, by means of “translating” that connection-mark to a routing-mark that tells the routing to use another table, which contains a single default route via the gateway reachable via WAN2. Plus, since it is Wireguard with its special behavior, you must use a dst-nat rule to make the Wireguard process see even packets that have actually arrived to the IP address of WAN2 as if they arrived to the IP address of WAN1. The background is that Wireguard, unlike normal services, does not respond from the same IP address to which the request being responded has arrived, but sends the response as an independent packet, so it uses routing table main, which tells it to send it via the gateway reachable through WAN1 and thus use the IP address of WAN1 as the source one of the packet. In the next step, a mangle rule in chain output tells the router to actually use the alternative routing table, so the packet gets routed again but its source address remains unchanged. And in the next step, the connection tracking finds out that the packet belongs to a known connection and “un-dst-nats” it, i.e. it replaces its current source address (WAN1) by the one to which the matching request has initially arrived - WAN2. If it wasn’t for that, the response would still be routed via WAN 2, but it would bear a source address belonging to WAN 1, so if the WAN 2 ISP would not filter it out, the remote Wireguard peer would switch to talking to that IP and therefore via WAN 1 (in your case, even on both ends).

If you want a list of commands to apply to implement the above, post the current export of the configuration of the router that should be modified this way first.

haianh · December 23, 2024, 8:59am

Sound likes complicated, @anav said that is a bug with wireguard on secondary WAN, I wonder when does it fixed? The current config I will give you tomorrow.

sindy · December 23, 2024, 10:02am

I am afraid it is an intentional behavior, not a bug. Wireguard is written that way for a reason (to allow connections to adapt to address changes at both peers) and trying to “fix” it would break other things. Also, it would further increase the workload of Mikrotik developers if they had to maintain their own fork of the Wireguard code.

However, it does not really matter what I or @anav say, as neither of us is a Mikrotik developer or even Jason A. Donenfeld. So what we say regarding this are just assumptions.