mariusz102102

Travel router - Dual WIFI - WireGuard

Thu Mar 20, 2025 8:50 pm

Hi,
Could you help me set up my Wi-Fi router so that it uses a Wi-Fi network (for example a hotel's) as its WAN uplink and then distributes that connection to all LAN devices?
LAN devices can be connected through ether2, ether3, ether4 or Wi-Fi. The NATed devices should get their access through WireGuard to the network behind the other NAT.
I have a WireGuard connection between "home router" and "travel router".

Below my hardware configuration
MikroTik E50UG, hEX - home router
MikroTik hAP ax2 - travel router

So far I have a working setup with the Internet-connected WAN on ether1.

In this post, you can find my current configuration for the "travel router" with WAN connected to ether1 and "home router"
viewtopic.php?t=215574#p1134248

Below are exports from my "travel router" and "home router". I think that only the "travel router" config needs to be updated.

"travel router"
# 2025-03-19 21:20:18 by RouterOS 7.18.2
# software id = MH37-7DRH
#
# model = C52iG-5HaxD2HaxD
# serial number = xxxx
#
# Travel router export. ether2-4 and both radios are bridged as the LAN
# (192.168.38.0/24), ether1 is the DHCP WAN, and traffic sourced from the LAN
# subnet is policy-routed into wireguard1 through routing table useWG.
/interface bridge
add admin-mac=F4:1E:57:38:84:AB auto-mac=no comment=defconf name=bridge
/interface ethernet
# ether5 is renamed and kept off the bridge; it gets its own /30 further down.
set [ find default-name=ether5 ] name=OffBridge5
/interface wifi
# Both radios run as access points (configuration.mode=ap) with the same SSID
# and WPA2/WPA3-PSK. No passphrase is present in this export.
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=10min-cac .width=20/40/80mhz configuration.mode=ap .ssid=MikroTik-3884AF disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=10min-cac .width=20/40mhz configuration.mode=ap .ssid=MikroTik-3884AF disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
/interface wireguard
# No private key is present in this export.
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.38.10-192.168.38.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/routing table
# Separate table that holds only the default route into the tunnel (see /ip route).
add fib name=useWG
/disk settings
# NOTE(review): auto-media-sharing and auto-smb-sharing are on and bound to the
# bridge; presumably attached storage is then shared to the LAN automatically.
# Confirm this is wanted on a device carried between untrusted networks.
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface list member
# The firewall below trusts every LAN member on both the input and forward
# chains. ether1 is the only WAN member and wireguard1 is in neither list.
# NOTE(review): an untrusted uplink added later must go into WAN and must not
# stay on the bridge, or it inherits the LAN's access to the router.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=OffBridge5 list=LAN
/interface ovpn-server server
# NOTE(review): an OpenVPN server entry is defined; the export does not show
# whether it is enabled. Confirm it is disabled if unused.
add mac-address=FE:54:ED:3B:76:34 name=ovpn-server1
/interface wireguard peers
# allowed-address=0.0.0.0/0 lets any destination be sent to, and any source be
# accepted from, the home peer; the default route in table useWG relies on it.
add allowed-address=0.0.0.0/0 endpoint-address=xxxx.sn.mynetname.net endpoint-port=13231 interface=wireguard1 name=peer1 persistent-keepalive=25s public-key=\
    "xxxx"
/ip address
add address=192.168.38.1/24 comment=defconf interface=bridge network=192.168.38.0
add address=192.168.100.2/24 interface=wireguard1 network=192.168.100.0
# NOTE(review): 192.168.77.0/30 assigns the subnet's network address to
# OffBridge5; a host address such as 192.168.77.1/30 was presumably intended.
add address=192.168.77.0/30 interface=OffBridge5 network=192.168.77.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
# LAN clients are handed the router itself (192.168.38.1) as their resolver.
add address=192.168.38.0/24 comment=defconf dns-server=192.168.38.1 gateway=192.168.38.1
/ip dns
# NOTE(review): the routing rule for useWG matches only src-address
# 192.168.38.0/24, so the router's own upstream lookups presumably follow the
# main table and leave via the WAN, not the tunnel. Confirm whether LAN DNS is
# meant to be resolved by the local (hotel) network.
set allow-remote-requests=yes
/ip dns static
add address=192.168.38.1 comment=defconf name=router.lan type=A
/ip firewall filter
# Input chain: replies, ICMP and anything arriving on a LAN interface are
# accepted; everything else (WAN and wireguard1 included) is dropped.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else"
# Forward chain: new connections are allowed only from LAN to WAN and from LAN
# into wireguard1; nothing is allowed to start from WAN or from the tunnel.
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# NOTE(review): this rule still permits LAN traffic straight out of the WAN.
# If clients must only ever leave through the tunnel, this rule together with
# the action=lookup routing rule below is where untunnelled traffic could pass.
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="wg to home router" in-interface-list=LAN out-interface=wireguard1
add action=drop chain=forward comment="drop all else"
/ip firewall nat
# Only traffic leaving a WAN interface is masqueraded; packets entering
# wireguard1 keep their 192.168.38.0/24 source, which is what the home router's
# peer allowed-address and return route refer to.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
# Default route of table useWG points into the tunnel; the second route puts
# the home router's tunnel address in the main table with a ping check.
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=useWG
add check-gateway=ping dst-address=192.168.100.1 gateway=wireguard1 routing-table=main
/routing rule
# First rule: min-prefix=0 leaves the default route out of this lookup, so
# presumably only the more specific routes in main are used here (confirm).
# Second rule: LAN-sourced traffic is looked up in useWG. action=lookup falls
# back to the remaining tables when useWG has no matching route;
# lookup-only-in-table would not.
add action=lookup-only-in-table min-prefix=0 routing-mark=main
add action=lookup src-address=192.168.38.0/24 table=useWG
/system clock
set time-zone-name=Europe/Berlin
/system note
set show-at-login=no
/tool mac-server
# MAC-Telnet is off on all interfaces; MAC-WinBox stays reachable from LAN only.
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
"home router"
# 2025-03-19 21:30:47 by RouterOS 7.18.2
# software id = DW34-FEJY
#
# model = E50UG
# serial number = XXXX
#
# Home router export. ether2-5 are bridged as the LAN (192.168.88.0/24), ether1
# is the DHCP WAN, and wireguard1 terminates the tunnel from the travel router
# (192.168.100.2, with 192.168.38.0/24 routed behind it).
/interface bridge
add admin-mac=F4:1E:57:6A:59:D3 auto-mac=no comment=defconf name=bridge
/interface wireguard
# No private key is present in this export.
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/disk settings
# NOTE(review): auto-media-sharing and auto-smb-sharing are on and bound to the
# bridge; presumably attached storage is then shared to the LAN automatically.
# Confirm this is intended.
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface list member
# wireguard1 is a LAN member, so tunnel traffic matches every LAN-scoped rule
# below: DNS on the router and forwarding out of the WAN.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wireguard1 list=LAN
/interface ovpn-server server
# NOTE(review): an OpenVPN server entry is defined; the export does not show
# whether it is enabled. Confirm it is disabled if unused.
add mac-address=FE:44:B6:D4:3C:E4 name=ovpn-server1
/interface wireguard peers
# The peer may only source packets from its tunnel address and from the travel
# LAN; no endpoint is set, so this side waits for the travel router to connect.
add allowed-address=192.168.100.2/32,192.168.38.0/24 interface=wireguard1 name=peer1 public-key="XXXX"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0
/ip cloud
# Dynamic DNS for this router; the travel peer's endpoint-address is a
# *.sn.mynetname.net name.
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall address-list
# Sources allowed to reach every service on the router (see "admin access").
# NOTE(review): 192.168.178.0/24 is not configured on any interface in this
# export; if it is the upstream network on ether1, every host there is trusted
# for management. Confirm.
# NOTE(review): 192.168.38.0/24 is the whole travel LAN, so any client that
# joins the travel router's Wi-Fi or Ethernet ports is trusted as well.
# Narrowing to the admin host's address would reduce that exposure.
add address=192.168.178.0/24 list=Authorized
add address=192.168.100.2 comment="admin remote travel router" list=Authorized
add address=192.168.38.0/24 comment="admin remote travel subnet" list=Authorized
/ip firewall filter
# Input chain: replies and ICMP, then full access for Authorized sources, DNS
# for LAN members, and the WireGuard listen port; everything else is dropped.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# This rule matches on source address only: no in-interface, protocol or port.
add action=accept chain=input comment="admin access" src-address-list=Authorized
add action=accept chain=input comment="users to services" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="users to services" dst-port=53 in-interface-list=LAN protocol=tcp
# WireGuard handshake port, open to any source so the roaming peer can connect.
add action=accept chain=input dst-port=13231 protocol=udp
add action=drop chain=input comment="drop all else"
# Forward chain: LAN members (the tunnel included) may go out of the WAN, and
# anything arriving on wireguard1 may reach the whole 192.168.88.0/24 LAN.
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
# NOTE(review): no port or host restriction here; every travel-side client can
# open connections to every home LAN host. Tighten if only some are needed.
add action=accept chain=forward comment="wg to LAN" dst-address=192.168.88.0/24 in-interface=wireguard1
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
# Return route for the travel LAN through the tunnel.
add dst-address=192.168.38.0/24 gateway=wireguard1 routing-table=main
/system clock
set time-zone-name=Europe/Berlin
/system note
set show-at-login=no
/tool mac-server
# MAC-Telnet is off on all interfaces; MAC-WinBox is allowed on the LAN list,
# which on this router includes wireguard1.
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Diagram. What is missing is the public Wi-Fi connection.
diag1.jpg
 
mariusz102102

Re: Travel router - Dual WIFI - WireGuard

Sat Mar 22, 2025 12:42 am

Wifi1 - it is 5Ghz
Wifi2 - it is 2GHz

The question is how to setup wifi2 as a client.
1. I removed wifi2 from the bridge
2. add wifi2 to WAN
3. added dhcp-client to interface wifi2
4. configuration.mode=station
But I did not succeed in connecting to the Wi-Fi network. Can anyone help with the configuration needed to set up the Wi-Fi client properly?
-add bridge=bridge comment=defconf interface=wifi2
+add interface=wifi2 list=WAN

 /ip dhcp-client
 add comment=defconf interface=ether1
+# Interface not active
+add interface=wifi2
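Review bot: The `# Interface not active` marker on the new `add interface=wifi2` DHCP client says wifi2 itself never comes up, so the fault most likely lies in the station settings, which this diff does not show, rather than in the list or DHCP changes. In the earlier export wifi2 carries the router's own SSID with `security.authentication-types=wpa2-psk,wpa3-psk .ft=yes`; as a station its SSID, authentication types and passphrase have to be those of the upstream network, so that part of the config is what should be posted and checked. Taking wifi2 off the bridge and adding it to `list=WAN` is the right pairing and should stay in place while debugging: with wifi2 in WAN the hotel side is masqueraded and gets nothing from the `in-interface-list=LAN` input and forward rules. Once it associates, this client will by default also learn the hotel's DNS servers, which the router would presumably then use for the LAN's lookups outside the tunnel.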