External IP from VPS through Wireguard - answers on wrong interface

Kl0GG · Fri Oct 21, 2022 11:07 am

Hey guys. I have a problem with the routing of my wireguard. Let me show you the configs:

# oct/21/2022 09:26:16 by RouterOS 7.6
# software id = W809-WKMN
#
# model = RB2011UiAS
# serial number = 
/interface bridge
add admin-mac=64:D1:54:13:88:1C auto-mac=no comment=defconf fast-forward=no name=bridge
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] name=ether2-master speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether6-master
set [ find default-name=ether7 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether8 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether9 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether10 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface wireguard
add comment=Wireguard listen-port=13235 mtu=1420 name=wg99
/interface vlan
add comment=GUEST interface=bridge name=GUEST vlan-id=3
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] name=GUEST
/ip pool
add comment=LAN name=dhcp ranges=172.16.1.1-172.16.1.200
add comment=GUEST name=DHCP-GUEST ranges=192.168.0.100-192.168.0.150
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay interface=bridge name=DHCP-LAN
add address-pool=DHCP-GUEST interface=GUEST name=DHCP-GUEST
/port
set 0 name=serial0
/ppp profile
add change-tcp-mss=yes name=OVPN-client only-one=yes use-encryption=required use-mpls=no
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/snmp community
add addresses=0.0.0.0/0,::/0 authentication-protocol=SHA1 encryption-protocol=AES name=monitoring security=private write-access=yes
/user group
add name=homeassistant policy=read,write,policy,test,api,!local,!telnet,!ssh,!ftp,!reboot,!winbox,!password,!web,!sniff,!sensitive,!romon,!rest-api
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2-master
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6-master
add bridge=bridge comment=defconf hw=no ingress-filtering=no interface=sfp1
add bridge=bridge ingress-filtering=no interface=ether3
add bridge=bridge ingress-filtering=no interface=ether4
add bridge=bridge ingress-filtering=no interface=ether5
add bridge=bridge ingress-filtering=no interface=ether7
add bridge=bridge ingress-filtering=no interface=ether8
add bridge=bridge ingress-filtering=no interface=ether9
add bridge=bridge ingress-filtering=no interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add interface=sfp1 list=discover
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=ether6-master list=discover
add interface=ether7 list=discover
add interface=ether8 list=discover
add interface=ether9 list=discover
add interface=ether10 list=discover
add interface=bridge list=discover
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
add interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=FIRST.EXTERNAL.VPN.IP endpoint-port=51820 interface=wg99 persistent-keepalive=25s public-key="[REDACTED]"
/ip address
add address=172.16.0.1/22 comment=LAN interface=bridge network=172.16.0.0
add address=192.168.0.1/24 comment=GUEST interface=GUEST network=192.168.0.0
add address=172.16.1.1 comment=PIA-OpenVPN-Gateway disabled=yes interface=bridge network=172.16.1.1
add address=EXTERNAL.VPN.IP.HERE comment=Wireguard interface=wg99 network=EXTERNAL.VPN.IP.HERE
/ip dhcp-client
add interface=ether1
/ip dhcp-server lease
add address=172.16.1.200 client-id=1:34:2:86:b3:26:c1 mac-address=34:02:86:B3:26:C1 server=DHCP-LAN
add address=172.16.1.105 client-id=1:60:6d:c7:1e:7c:f7 comment="Sony Bravia TV" mac-address=60:6D:C7:1E:7C:F7 server=DHCP-LAN
add address=172.16.0.30 comment="HP T620" mac-address=7C:D3:0A:10:9B:8B server=DHCP-LAN
add address=172.16.3.10 client-id=1:ec:71:db:6b:d0:99 mac-address=EC:71:DB:6B:D0:99 server=DHCP-LAN
add address=172.16.3.50 comment="Tuya WiFi Kotlownia" disabled=yes mac-address=84:E3:42:4E:34:34 server=DHCP-LAN
add address=172.16.3.100 client-id=1:50:eb:f6:5:98:89 comment="Wideodomofon - Client AP" mac-address=50:EB:F6:05:98:89 server=DHCP-LAN
add address=172.16.3.101 client-id=1:72:91:41:23:3d:56 comment="Wideodomofon - Tuya" mac-address=72:91:41:23:3D:56 server=DHCP-LAN
/ip dhcp-server network
add address=172.16.0.0/22 comment=LAN dns-server=172.16.0.2,172.16.0.3 domain=my-domain.ovh gateway=172.16.0.1 netmask=22
add address=192.168.0.0/24 comment=GUEST dns-server=192.168.0.1 gateway=192.168.0.1 netmask=24
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d max-concurrent-queries=120 max-concurrent-tcp-sessions=30 servers=172.16.0.2
/ip dns static
add address=172.16.0.1 name=mikrotik.lan
add address=172.16.1.200 name=uBox.lan
add address=172.16.0.30 disabled=yes regexp="^(.*\\.my-domain\\.ovh)\$"
add address=172.16.0.30 name=hp.srv
add address=172.16.0.2 name=raspberry.lan
add address=172.16.0.10 name=switch.lan
add address=172.16.0.20 name=ubiquiti1.lan
add address=172.16.0.20 name=ubiquiti2.lan
add address=172.16.0.99 name=printer.lan
add address=192.168.8.1 name=lte.lan
add address=172.16.0.40 name=pve.my-domain.ovh
/ip firewall address-list
add address=172.16.0.0/12 list=LAN
add address=192.168.0.0/16 list=LAN
/ip firewall filter
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=SNMP dst-port=161 in-interface=bridge protocol=udp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=dst-nat chain=dstnat comment="DMZ to Photon" disabled=yes dst-address=EXTERNAL.VPN.IP.HERE dst-port=80,443 protocol=tcp to-addresses=172.16.0.42
add action=dst-nat chain=dstnat disabled=yes dst-address=EXTERNAL.VPN.IP.HERE protocol=icmp to-addresses=172.16.0.42
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.0.0/24
/ip service
set telnet address=172.16.0.0/22
set ftp address=172.16.0.0/22
set www address=172.16.0.0/22
set ssh address=172.16.0.0/22
set www-ssl address=172.16.0.0/22 disabled=no
set api address=172.16.0.0/22 disabled=yes
set winbox address=172.16.0.0/22
set api-ssl address=172.16.0.0/22 certificate="Self-signed API certificate"
/ipv6 nd
set [ find default=yes ] advertise-dns=no
/lcd
set time-interval=weekly
/routing rule
add action=lookup-only-in-table disabled=no dst-address=172.16.0.0/22 table=main
add action=lookup-only-in-table disabled=no dst-address=192.168.8.0/30 table=main
/snmp
set contact=Upgreydd enabled=yes location=Rack trap-version=3
/system clock
set time-zone-name=Europe/Warsaw
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
/tool sniffer
set filter-ip-address=EXTERNAL.VPN.IP.HERE/32

SERVER SIDE Wireguard Config:
[Interface]
Address = 10.200.200.1
ListenPort = 51820
PrivateKey = [REDACTED]
PostUp = iptables -t nat -A PREROUTING -p udp --dport 51820 -j ACCEPT; iptables -A FORWARD -i mikrotik -o enp4s0 -j ACCEPT; iptables -A FORWARD -i enp4s0 -o mikrotik -j ACCEPT
PostDown = iptables -t nat -D PREROUTING -p udp --dport 51820 -j ACCEPT; iptables -D FORWARD -i mikrotik -o enp4s0 -j ACCEPT; iptables -D FORWARD -i enp4s0 -o mikrotik -j ACCEPT

# Mikrotik router
[Peer]
PublicKey = [REDACTED]
AllowedIPs = EXTERNAL.VPN.IP.HERE/32
PersistentKeepalive = 25

I have a server with 2 external IPs, first IP is used for services, and the second one is detached from eth and I wanna use it as external IP for my Mikrotik (I can't have external IP from my ISP). So when I tcpdump 'mikrotik' (my name for wireguard interface in server) interface in server and ping it from another server I see incoming packets. I see ICMP packets in IP>Firewall>Connections, but when I did a package sniffing I saw it receives on wg99 and responds on ether1 (WAN). How can I fix that? Thank you in advance

Kl0GG · Fri Oct 21, 2022 8:43 pm

Thanks to `drmessano` from IRC I'll update unclear parts. The idea is to have access to a few servers in my LAN (DMZ) from outside, for example, 172.16.0.42 - WWW server - ports 80,443. The idea is to keep all networking via the default ISP network and handle only VPS external IP connections to specific IPs in LAN. Servers in LAN for usual networking, updates, etc. should operate on ISP internet.
Additionally I forgot to say on VPS server I've activated forwarding and proxy_arp in sysctl.
Connections made by command `ping 8.8.8.8 interface=wg99` from mikrotik routed are correctly routed in both sides (wg99 as in/out interface). Connections made from outside to external IP are received by wg99 and responded by ether1.

I've tried add mark-connection, mark-route and put it to routing table but it still doesn't work as expected

Kl0GG · Sun Oct 23, 2022 10:44 pm

None have any idea? Seriously can't jump over that

Sob · Sun Oct 23, 2022 11:59 pm

There's no trace of any marking in posted config. If you try to do something and it doesn't work correctly, show the thing you did. It's easier for someone else to just point out the mistake, than to explain everything from beginning, without knowing what exactly you had problem with. Even worse here, you have the right idea what to do, so explaining everything is for most part wasted effort, and can still miss some detail you need.

So for now, just quick hint, you can find the right marking rules here: https://wiki.mikrotik.com/wiki/Manual:PCC (the example as whole is primarily about something else) If it doesn't help, see the first paragraph.

Kl0GG · Mon Oct 24, 2022 10:22 am

@Sob thanks for the reply. The thing is I'm not sure that trace is correct way to resolve that issue. But let me update config in minutes

# oct/24/2022 09:24:56 by RouterOS 7.6
# software id = W809-WKMN
#
# model = RB2011UiAS
# serial number = 763107CFDDAF
/interface bridge
add admin-mac=64:D1:54:13:88:1C auto-mac=no comment=defconf fast-forward=no name=bridge
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] name=ether2-master speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether6-master
set [ find default-name=ether7 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether8 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether9 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether10 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface wireguard
add listen-port=13231 mtu=1420 name=wg99
/interface vlan
add comment=GUEST interface=bridge name=GUEST vlan-id=3
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] name=GUEST
/ip pool
add comment=LAN name=dhcp ranges=172.16.1.1-172.16.1.200
add comment=GUEST name=DHCP-GUEST ranges=192.168.0.100-192.168.0.150
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay interface=bridge name=DHCP-LAN
add address-pool=DHCP-GUEST interface=GUEST name=DHCP-GUEST
/port
set 0 name=serial0
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/routing table
add comment=Wireguard disabled=no fib name=wg-table
/snmp community
add addresses=0.0.0.0/0,::/0 authentication-protocol=SHA1 encryption-protocol=AES name=monitoring security=private write-access=yes
/user group
add name=homeassistant policy=read,write,policy,test,api,!local,!telnet,!ssh,!ftp,!reboot,!winbox,!password,!web,!sniff,!sensitive,!romon,!rest-api
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2-master
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6-master
add bridge=bridge comment=defconf hw=no ingress-filtering=no interface=sfp1
add bridge=bridge ingress-filtering=no interface=ether3
add bridge=bridge ingress-filtering=no interface=ether4
add bridge=bridge ingress-filtering=no interface=ether5
add bridge=bridge ingress-filtering=no interface=ether7
add bridge=bridge ingress-filtering=no interface=ether8
add bridge=bridge ingress-filtering=no interface=ether9
add bridge=bridge ingress-filtering=no interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add interface=sfp1 list=discover
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=ether6-master list=discover
add interface=ether7 list=discover
add interface=ether8 list=discover
add interface=ether9 list=discover
add interface=ether10 list=discover
add interface=bridge list=discover
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
add interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment=domain.com endpoint-address=EXTERNAL.IP.FOR.CONNECT endpoint-port=51820 interface=wg99 persistent-keepalive=25s public-key="[REDACTED]"
/ip address
add address=172.16.0.1/22 comment=LAN interface=bridge network=172.16.0.0
add address=192.168.0.1/24 comment=GUEST interface=GUEST network=192.168.0.0
add address=EXTERNAL.IP.FOR.TUNNEL comment="Wireguard routed IP" interface=wg99 network=EXTERNAL.IP.FOR.TUNNEL
add address=172.16.1.1 comment=PIA-OpenVPN-Gateway disabled=yes interface=bridge network=172.16.1.1
/ip dhcp-client
add interface=ether1
/ip dhcp-server lease
add address=172.16.1.200 client-id=1:34:2:86:b3:26:c1 mac-address=34:02:86:B3:26:C1 server=DHCP-LAN
add address=172.16.1.105 client-id=1:60:6d:c7:1e:7c:f7 comment="Sony Bravia TV" mac-address=60:6D:C7:1E:7C:F7 server=DHCP-LAN
add address=172.16.0.30 comment="HP T620" mac-address=7C:D3:0A:10:9B:8B server=DHCP-LAN
add address=172.16.3.10 client-id=1:ec:71:db:6b:d0:99 mac-address=EC:71:DB:6B:D0:99 server=DHCP-LAN
add address=172.16.3.50 comment="Tuya WiFi Kotlownia" disabled=yes mac-address=84:E3:42:4E:34:34 server=DHCP-LAN
add address=172.16.3.100 client-id=1:50:eb:f6:5:98:89 comment="Wideodomofon - Client AP" mac-address=50:EB:F6:05:98:89 server=DHCP-LAN
add address=172.16.3.101 client-id=1:72:91:41:23:3d:56 comment="Wideodomofon - Tuya" mac-address=72:91:41:23:3D:56 server=DHCP-LAN
add address=172.16.3.102 comment="Tasmota OpenThermGW" mac-address=C8:C9:A3:5D:EC:0C server=DHCP-LAN
add address=172.16.0.99 client-id=1:b0:52:16:60:4d:8c mac-address=B0:52:16:60:4D:8C server=DHCP-LAN
/ip dhcp-server network
add address=172.16.0.0/22 comment=LAN dns-server=172.16.0.2,172.16.0.3 domain=domain.com gateway=172.16.0.1 netmask=22
add address=192.168.0.0/24 comment=GUEST dns-server=192.168.0.1 gateway=192.168.0.1 netmask=24
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d max-concurrent-queries=120 max-concurrent-tcp-sessions=30 servers=172.16.0.2
/ip dns static
add address=172.16.0.1 name=mikrotik.lan
add address=172.16.1.200 name=uBox.lan
add address=172.16.0.30 disabled=yes regexp="^(.*\\.domain\\.com)\$"
add address=172.16.0.30 name=hp.srv
add address=172.16.0.2 name=raspberry.lan
add address=172.16.0.10 name=switch.lan
add address=172.16.0.20 name=ubiquiti1.lan
add address=172.16.0.20 name=ubiquiti2.lan
add address=172.16.0.99 name=printer.lan
add address=192.168.8.1 name=lte.lan
add address=172.16.0.40 name=pve.domain.com
/ip firewall address-list
add address=172.16.0.0/12 list=local_traffic
add address=192.168.0.0/16 list=local_traffic
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=SNMP dst-port=161 in-interface=bridge protocol=udp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1
add action=accept chain=forward disabled=yes in-interface=ether1 out-interface=wg99
add action=accept chain=forward disabled=yes in-interface=wg99 out-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=wg99 new-connection-mark=wg-conn passthrough=yes
add action=mark-routing chain=prerouting connection-mark=wg-conn new-routing-mark=wg-table passthrough=yes
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=dst-nat chain=dstnat comment="DMZ to Photon" dst-port=80,443 protocol=tcp routing-mark=wg-table to-addresses=172.16.0.42
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.0.0/24
add action=masquerade chain=srcnat out-interface=wg99 routing-mark=wg-table
/ip service
set telnet address=172.16.0.0/22
set ftp address=172.16.0.0/22
set www address=172.16.0.0/22
set ssh address=172.16.0.0/22
set www-ssl address=172.16.0.0/22 disabled=no
set api address=172.16.0.0/22 disabled=yes
set winbox address=172.16.0.0/22
set api-ssl address=172.16.0.0/22 certificate="Self-signed API certificate"
/ipv6 nd
set [ find default=yes ] advertise-dns=no
/lcd
set time-interval=weekly
/routing rule
add action=lookup-only-in-table disabled=no dst-address=172.16.0.0/22 table=main
add action=lookup-only-in-table disabled=no dst-address=192.168.8.0/30 table=main
/snmp
set contact=Upgreydd enabled=yes location=Rack trap-version=3
/system clock
set time-zone-name=Europe/Warsaw
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
/tool sniffer
set filter-ip-address=8.8.8.8/32

Sob · Mon Oct 24, 2022 2:30 pm

What you have would almost work with older RouterOS, but not with current one, because they made some changes in how routing marks and rules are handled. Routing rules can no longer override routing marks, so you need to mark routing only for outgoing packets:

/ip firewall mangle
add chain=prerouting in-interface=bridge connection-mark=wg-conn action=mark-routing new-routing-mark=wg-table

If you'd want to access router itself:

/ip firewall mangle
add chain=output connection-mark=wg-conn action=mark-routing new-routing-mark=wg-table

And you're also missing route:

/ip route
add dst-address=0.0.0.0/0 gateway=wg99 routing-table=wg-table

Routing table can't do much when it's empty. You also don't need any routing-mark=wg-table in NAT rules. Dstnat should have dst-address=EXTERNAL.IP.FOR.TUNNEL. And that should be all.

Kl0GG · Mon Oct 24, 2022 4:07 pm

Thank you @Sob for help. It all works as you said. Is there an option to simply debug routing? The weird thing I'm facing is connection speed. In real VPS have 1gbit/1gbit, my local is 120mbit/40mbit, and things load ~ 3000-5000ms from the web server. I think they should be faster.

Sob · Mon Oct 24, 2022 4:34 pm

It's FastTrack. Find the rule in firewall filter and add connection-mark=no-mark to it.

Kl0GG · Mon Oct 24, 2022 4:43 pm

It's FastTrack. Find the rule in firewall filter and add connection-mark=no-mark to it.

Thank you!

All works great now

You made my day

External IP from VPS through Wireguard - answers on wrong interface [SOLVED]

External IP from VPS through Wireguard - answers on wrong interface

Re: External IP from VPS through Wireguard - answers on wrong interface

Re: External IP from VPS through Wireguard - answers on wrong interface

Re: External IP from VPS through Wireguard - answers on wrong interface

Re: External IP from VPS through Wireguard - answers on wrong interface

Re: External IP from VPS through Wireguard - answers on wrong interface [SOLVED]

Re: External IP from VPS through Wireguard - answers on wrong interface

Re: External IP from VPS through Wireguard - answers on wrong interface

Re: External IP from VPS through Wireguard - answers on wrong interface

Who is online