melwinek
just joined
Topic Author
Posts: 3
Joined: Fri Mar 27, 2020 8:23 pm

Problem with Wireguard on 2xWAN

Thu Sep 23, 2021 4:13 pm

I have a problem with Wireguard on 2xWAN. It only works if I disable routing to one of the WANs. What could be wrong?
/interface bridge add name=bridgelan
/interface ethernet set [ find default-name=ether5 ] comment=LAN mtu=1504
/interface ethernet set [ find default-name=ether1 ] name=wan1
/interface ethernet set [ find default-name=ether2 ] name=wan2
/interface wireguard add listen-port=13241 mtu=1420 name=wireguard1
/ip pool add name=dhcp_pool0 ranges=192.168.2.226-192.168.2.233
/ip dhcp-server add add-arp=yes address-pool=dhcp_pool0 bootp-support=none interface=bridgelan lease-time=15m name=dhcp1
/routing table add disabled=no name=to_wan2
/routing table add disabled=no name=to_wan1
/interface bridge port add bridge=bridgelan ingress-filtering=no interface=ether5
/interface wireguard peers add allowed-address=10.0.0.2/32 interface=wireguard1 public-key="KLUCZPUBLICZNYKLIENTA"
/ip address add address=192.168.2.11/24 interface=bridgelan network=192.168.2.0
/ip address add address=XXX.XXX.XXX.138/29 interface=wan2 network=XXX.XXX.XXX.136
/ip address add address=192.168.0.33/24 interface=wan1 network=192.168.0.0
/ip address add address=10.0.0.1/24 interface=wireguard1 network=10.0.0.0
/ip dns set allow-remote-requests=yes cache-size=512KiB servers=8.8.8.8
/ip firewall filter add action=accept chain=forward connection-state=established,related
/ip firewall filter add action=accept chain=forward connection-state=established,related,new in-interface=bridgelan out-interface=wan1 src-address=192.168.2.0/24
/ip firewall filter add action=accept chain=forward connection-state=established,related,new in-interface=bridgelan out-interface=wan2 src-address=192.168.2.0/24
/ip firewall filter add action=accept chain=forward connection-nat-state=dstnat
/ip firewall filter add action=accept chain=forward in-interface=wireguard1 out-interface=bridgelan
/ip firewall filter add action=drop chain=forward log=yes
/ip firewall filter add action=accept chain=output
/ip firewall filter add action=accept chain=input connection-state=established,related
/ip firewall filter add action=accept chain=input icmp-options=8:0-255 protocol=icmp
/ip firewall filter add action=accept chain=input icmp-options=3:4 protocol=icmp
/ip firewall filter add action=accept chain=input connection-state=established,related,new dst-address=192.168.2.11 dst-port=53 in-interface=bridgelan protocol=udp src-address=192.168.2.0/24
/ip firewall filter add action=accept chain=input connection-state=established,related,new dst-address=192.168.2.11 dst-port=53 in-interface=bridgelan protocol=tcp src-address=192.168.2.0/24
/ip firewall filter add action=accept chain=input connection-state=new dst-address=192.168.2.11 dst-port=8291 in-interface=bridgelan protocol=tcp src-address=192.168.2.0/24
/ip firewall filter add action=accept chain=input dst-address=XXX.XXX.XXX.138 dst-port=13241 in-interface=wan2 protocol=udp
/ip firewall filter add action=drop chain=input
/ip firewall mangle add action=mark-connection chain=input in-interface=wan1 new-connection-mark=wan1_conn passthrough=yes
/ip firewall mangle add action=mark-connection chain=input in-interface=wan2 new-connection-mark=wan2_conn passthrough=yes
/ip firewall mangle add action=mark-routing chain=output connection-mark=wan1_conn passthrough=yes
/ip firewall mangle add action=mark-routing chain=output connection-mark=wan2_conn passthrough=yes
/ip firewall nat add action=masquerade chain=srcnat out-interface=wan1
/ip firewall nat add action=masquerade chain=srcnat out-interface=wireguard1
/ip firewall nat add action=masquerade chain=srcnat out-interface=wan2
/ip route add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.0.1 pref-src="" routing-table=to_wan1 scope=30 suppress-hw-offload=no target-scope=10
/ip route add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=XXX.XXX.XXX.137 pref-src="" routing-table=to_wan2 scope=30 suppress-hw-offload=no target-scope=10
/ip route add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=XXX.XXX.XXX.137 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
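As an added example (not part of the thread, and not the poster's or MikroTik's code), a small Python checker that parses the RouterOS export lines above and reports the two asymmetries that matter for a WireGuard server on two WANs: whether each WAN has an input-chain accept for the WireGuard listen port, and whether each mark-routing rule actually names a new-routing-mark. The sample input is copied from the export in this post (addresses kept as the XXX placeholders used there); the wan1/wan2 names are the ones the export uses.

```python
import shlex

# Constructed sample input: lines copied from the export posted above.
SAMPLE_EXPORT = """\
/interface wireguard add listen-port=13241 mtu=1420 name=wireguard1
/ip address add address=XXX.XXX.XXX.138/29 interface=wan2 network=XXX.XXX.XXX.136
/ip firewall filter add action=accept chain=input connection-state=established,related
/ip firewall filter add action=accept chain=input dst-address=XXX.XXX.XXX.138 dst-port=13241 in-interface=wan2 protocol=udp
/ip firewall filter add action=drop chain=input
/ip firewall mangle add action=mark-connection chain=input in-interface=wan1 new-connection-mark=wan1_conn passthrough=yes
/ip firewall mangle add action=mark-connection chain=input in-interface=wan2 new-connection-mark=wan2_conn passthrough=yes
/ip firewall mangle add action=mark-routing chain=output connection-mark=wan1_conn passthrough=yes
/ip firewall mangle add action=mark-routing chain=output connection-mark=wan2_conn passthrough=yes
"""

def parse_export(text):
    """Parse '<path> add k=v ...' export lines into (path, {k: v}); other lines are skipped."""
    rules = []
    for line in text.splitlines():
        path, sep, args = line.strip().partition(" add ")
        if not sep or not path.startswith("/"):
            continue
        kv = {}
        for tok in shlex.split(args):  # shlex keeps quoted values such as pref-src=""
            key, eq, val = tok.partition("=")
            if eq:
                kv[key] = val
        rules.append((path, kv))
    return rules

def check_wireguard_dual_wan(text, wans=("wan1", "wan2")):
    """Return findings explaining why a WireGuard server would answer on only one WAN."""
    rules = parse_export(text)
    findings = []
    ports = {r["listen-port"] for p, r in rules if p == "/interface wireguard" and "listen-port" in r}
    # Which WAN interfaces have an input-chain accept for the WireGuard UDP port?
    reachable = set()
    for p, r in rules:
        if (p == "/ip firewall filter" and r.get("chain") == "input" and r.get("action") == "accept"
                and r.get("protocol") == "udp" and r.get("dst-port") in ports):
            # A rule without in-interface matches every interface.
            reachable.update([r["in-interface"]] if "in-interface" in r else wans)
    for wan in wans:
        if wan not in reachable:
            findings.append(f"{wan}: no input accept for WireGuard udp/{','.join(sorted(ports))}")
    # mark-routing without new-routing-mark cannot steer the router's own replies
    # back out the WAN the handshake arrived on (the export may also be truncated).
    for p, r in rules:
        if p == "/ip firewall mangle" and r.get("action") == "mark-routing" and "new-routing-mark" not in r:
            findings.append(f"mark-routing for {r.get('connection-mark')}: no new-routing-mark")
    return findings

if __name__ == "__main__":
    for finding in check_wireguard_dual_wan(SAMPLE_EXPORT):
        print("FINDING:", finding)
```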
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Problem with Wireguard on 2xWAN

Thu Sep 23, 2021 5:07 pm

That depends................
What is your plan with wireguard?
Is the router acting as a client or a server?
Is the wireguard supposed to come in on or go out one particular WAN?
Posting the config is good, but we also need to hear your requirements/setup.

As for your config, it's a bloated mess.
I would go back to defaults and start fresh with a minimal and clean approach and build from there, starting with wireguard so you can see more plainly what is going on.

I do have one question, what is the purpose of the mangling in your setup??
You only have one LAN subnet??
...
 
melwinek
just joined
Topic Author
Posts: 3
Joined: Fri Mar 27, 2020 8:23 pm

Re: Problem with Wireguard on 2xWAN

Fri Sep 24, 2021 2:23 pm

> What is your plan with wireguard.
Access from outside to the local network. From a Windows client.

> Is the router acting as a client or a server?
Server

> Is the wireguard supposed to come in on or go out one particular WAN.
Access from both WANs

> I do have one question, what is the purpose of the mangling in your setup??
To mark packets that came in over WAN1 to come out over WAN1.
These are the lines:
/ip firewall mangle add action=mark-connection chain=input in-interface=wan1 new-connection-mark=wan1_conn passthrough=yes
/ip firewall mangle add action=mark-connection chain=input in-interface=wan2 new-connection-mark=wan2_conn passthrough=yes
/ip firewall mangle add action=mark-routing chain=output connection-mark=wan1_conn passthrough=yes
/ip firewall mangle add action=mark-routing chain=output connection-mark=wan2_conn passthrough=yes
/ip route add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.0.1 pref-src="" routing-table=to_wan1 scope=30 suppress-hw-offload=no target-scope=10
/ip route add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=XXX.XXX.XXX.137 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=XXX.XXX.XXX.137 pref-src="" routing-table=to_wan2 scope=30 suppress-hw-offload=no target-scope=10
> You only have one LAN subnet??
Yes

I put the config here because the forum truncates long lines:
https://pastebin.com/xk35eUD0
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Problem with Wireguard on 2xWAN

Fri Sep 24, 2021 5:06 pm

Hi there, not convinced you need any mangling at this point.

(1) I would have two wireguard server configs and two wireguard peer configs (one for each WAN). Name them WG-WAN1 and WG-WAN2.

(2) I would have two separate input chain rules for two different listening ports (udp) to accept incoming initial establishment of the connection.

(3) You need an IP route for both to ensure traffic from LAN gets routed back through tunnel, MAIN table entries not anything funky.

(4) I would add the following interface list member
/interface list members
add interface=wan1 list=WAN
add interface=wan2 list=WAN
add interface=bridge list=LAN
add interface=WG-WAN1 list=LAN
add interface=WG-WAN2 list=LAN

The rest depends upon what your firewall forward rules look like.
Default ones will allow lan subnet to lan subnet traffic.
A drop-all last rule requires rules to be added to allow traffic.
