joshhboss
Member Candidate
Topic Author
Posts: 270
Joined: Thu Aug 01, 2019 2:13 pm

Wireguard Mikrotik - Route all traffic

Mon Apr 04, 2022 10:48 pm

I just recently got a small little mAP lite that I would like to use whenever I'm traveling or working, with the intention to quickly either log into a network I set up tunnels with or to route all my traffic over it. I have been able to establish a tunnel, but now I'm having an issue routing all my traffic over it using my office pfSense router. I believe I have everything set up right on the pfSense side, since I've done this before. Would anyone be able to check out my config and maybe let me know what I'm doing wrong?
[admin@MikroTik] > export hide-sensitive 
# apr/04/2022 15:45:48 by RouterOS 7.1.5
# software id = FTHJ-YLS5
#
# model = RBmAP2nD
# serial number = DE500F5EF7D9
/interface bridge
add admin-mac=DC:2C:6E:39:54:CE auto-mac=no comment=defconf name=bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country="united states" \
    disabled=no distance=indoors frequency=2462 installation=indoor mode=\
    ap-bridge ssid=JoshMikro-Tik vlan-id=200 vlan-mode=use-tag
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=wlan1 name=VLAN200 vlan-id=200
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=10.200.1.2-10.200.1.50
add name=dhcp_pool2 ranges=10.200.1.2-10.200.1.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
add address-pool=dhcp_pool2 interface=bridge1 name=dhcp1
/routing table
add disabled=no fib name=Wireguard
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=pwr-line1
add bridge=bridge1 comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge1 interface=VLAN200
/ip neighbor discovery-settings
set discover-interface-list=all
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=10.55.124.0/24 endpoint-address=12.x.,X.CC:45785 \
    endpoint-port=45785 interface=wireguard1 persistent-keepalive=25s \
    public-key="4nEOvxvvsisboidoifniwerjfp23je9fj2oeipfj923jopfp2jk8="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.200.1.1/24 interface=VLAN200 network=10.200.1.0
add address=10.55.124.2/24 interface=wireguard1 network=10.55.124.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.200.1.0/24 dns-server=8.8.8.8,4.2.2.2 gateway=10.200.1.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=AllowFromWifi src-address=10.200.1.0/24
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=accept chain=srcnat out-interface=wireguard1 realm=1024 src-address=\
    10.200.1.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.55.124.1 pref-src=\
    0.0.0.0 routing-table=Wireguard scope=30 suppress-hw-offload=no \
    target-scope=10
/system clock
set time-zone-name=America/New_York
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
set enabled=yes
[admin@MikroTik] > 
Last edited by joshhboss on Mon Apr 04, 2022 11:36 pm, edited 2 times in total.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Wireguard Mikrotik - Route all traffic

Mon Apr 04, 2022 11:18 pm

If you want to route all traffic, you'll need to allow more than just 10.55.124.0/24, i.e. you want allowed-address=0.0.0.0/0.
 
joshhboss
Member Candidate
Topic Author
Posts: 270
Joined: Thu Aug 01, 2019 2:13 pm

Re: Wireguard Mikrotik - Route all traffic

Mon Apr 04, 2022 11:29 pm

> If you want to route all traffic, you'll need to allow more than just 10.55.124.0/24, i.e. you want allowed-address=0.0.0.0/0.

I just made that change and I am still not getting out. Besides that, is there anything that looks off with the routes or the NAT?

Thanks for helping, by the way.
 
joshhboss
Member Candidate
Topic Author
Posts: 270
Joined: Thu Aug 01, 2019 2:13 pm

Re: Wireguard Mikrotik - Route all traffic

Mon Apr 04, 2022 11:45 pm

Found this
/routing table add fib name=via-wg
/ip firewall mangle add action=mark-routing chain=prerouting src-address=192.168.88.200 new-routing-mark=via-wg
/ip firewall nat add action=masquerade chain=srcnat out-interface=10.13.13.3  # my local wireguard IP
/ip route add gateway=10.13.13.1@main routing-table=via-wg  # remote wireguard IP
on another post that you were on, and I actually followed it using what I'm doing and it worked out.

I'm going to read it over slowly and really try to understand how each command works.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Wireguard Mikrotik - Route all traffic

Tue Apr 05, 2022 12:17 am

You got me, I stopped at the first obvious mistake and didn't notice that you were missing additional stuff. You can also use a routing rule instead of a mangle rule:
/routing rule
add src-address=192.168.88.0/24 action=lookup-only-in-table table=via-wg
Or yet another way to route everything via WG, there are different ones.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Mikrotik - Route all traffic

Tue Apr 05, 2022 12:43 am

Sorry, but I am going to go in a completely different direction from Sob, his approach sucks! :-0 ;-) ;-PP
I need to understand the config and requirements better before attempting to fix the mess.

So let me get this straight, you use this device when you travel away from home. So it's mobile?
Presumably you connect via WiFi wherever you are staying to connect to the internet via

Why do you assign vlan200 to the WAN side.............. reason?
Why is there powerline for a mobile setup?

No clue as to why you do this.
add name=dhcp_pool1 ranges=10.200.1.2-10.200.1.50 {get rid of this one, it serves no purpose}
add name=dhcp_pool2 ranges=10.200.1.2-10.200.1.254

Not sure why you have two bridges either!

This is not correct, vlans are not bridge ports.
add bridge=bridge1 comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge1 interface=VLAN200

You seem to have two primary subnets.
192.168.88.0/24, for which I presume you want to use the regular internet whenever you are connected at a location.
10.200.1.0/24, for which I presume you want to use or send over wireguard to your office pfSense device (THE WG SERVER) for the initial connection.

What is the WireGuard interface address on the pfSense server?

Last questions
- what subnet will you be reaching at the office
- did you want to access the internet through the wireguard connection (aka use the internet at the office location).
 
joshhboss
Member Candidate
Topic Author
Posts: 270
Joined: Thu Aug 01, 2019 2:13 pm

Re: Wireguard Mikrotik - Route all traffic

Tue Apr 05, 2022 3:05 pm

> Sorry, but I am going to go in a completely different direction from Sob, his approach sucks! :-0 ;-) ;-PP
> I need to understand the config and requirements better before attempting to fix the mess.

> Why do you assign vlan200 to the WAN side.............. reason?
I did not realize I did this.
> Why is there powerline for a mobile setup?
I do not know what a powerline is :(

> No clue as to why you do this.
> add name=dhcp_pool1 ranges=10.200.1.2-10.200.1.50 {get rid of this one, it serves no purpose}
> add name=dhcp_pool2 ranges=10.200.1.2-10.200.1.254
I'm new to MikroTik and I was just trying to get DHCP to work, and I was having a hard time. It was probably overlooked.

> Not sure why you have two bridges either!
This is a mAP MikroTik WiFi device, and every video I watched about using VLANs with these types of devices made me feel as if I needed to do this. I just followed the videos. I've set up VLANs on the CRS3XX series and I enjoyed that much more, but I always hear that different models need to be configured differently, so I just blindly followed the videos.

> This is not correct, vlans are not bridge ports.
> add bridge=bridge1 comment=defconf ingress-filtering=no interface=wlan1
> add bridge=bridge1 interface=VLAN200
Couldn't get different networks to broadcast on different WiFis any other way.

> You seem to have two primary subnets.
> 192.168.88.0/24, for which I presume you want to use the regular internet whenever you are connected at a location.
Correct.
> 10.200.1.0/24, for which I presume you want to use or send over wireguard to your office pfSense device (THE WG SERVER) for the initial connection.
Correct.

> What is the WireGuard interface address on the pfSense server?
10.55.124.1/24

> Last questions
> - what subnet will you be reaching at the office
The subnet at the office is 192.168.2.0/24.
> - did you want to access the internet through the wireguard connection (aka use the internet at the office location).
Yes I did, one SSID for using the existing internet, and the other to use for all traffic over the wireguard connection.

Answered all the questions above, and I'll be adding the new config I did, since I completely reset the device and started over.
[admin@MikroTik] > export hide-sensitive 
# apr/05/2022 08:04:41 by RouterOS 7.1.5
# software id = FTHJ-YLS5
#
# model = RBmAP2nD
# serial number = DE500F5EF7D9
/interface bridge
add admin-mac=DC:2C:6E:39:54:CE auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=MikroTik-3954D0 wireless-protocol=802.11
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=ether1 name=200 vlan-id=200
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=josh \
    supplicant-identity=""
/interface wireless
add disabled=no keepalive-frames=disabled mac-address=DE:2C:6E:39:54:D0 \
    master-interface=wlan1 multicast-buffering=disabled name=wlan2 \
    security-profile=josh ssid=Josh-Mik-WG wds-cost-range=0 wds-default-cost=0 \
    wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=10.200.1.2-10.200.1.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=dhcp_pool1 interface=bridge1 name=dhcp1
/routing table
add disabled=no fib name=Wireguard
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=pwr-line1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface=ether1
add bridge=bridge1 interface=200
add bridge=bridge1 interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=wlan1,bridge vlan-ids=200
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=dfhgertge \
    endpoint-port=45785 interface=wireguard1 public-key=\
    "4nEOahDsdfgsdfgvsergsdfgbsertbsedrfbsertbss="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.200.1.1/24 interface=bridge1 network=10.200.1.0
add address=10.55.124.2/30 interface=wireguard1 network=10.55.124.0
/ip dhcp-client
# DHCP client can not run on slave interface!
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.200.1.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=10.200.1.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface=wireguard1 src-address=\
    10.200.1.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.55.124.1 pref-src=\
    0.0.0.0 routing-table=Wireguard scope=30 suppress-hw-offload=no \
    target-scope=10
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" \
    src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" \
    dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/routing rule
add action=lookup disabled=no dst-address=0.0.0.0/0 src-address=10.200.1.0/24 \
    table=Wireguard
/system clock
set time-zone-name=America/New_York
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@MikroTik] > 
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Mikrotik - Route all traffic

Tue Apr 05, 2022 3:41 pm

Yeah, blindly following things is not the way to go. In the long run it is far more important to learn what the config means and what the commands do.

As for power line, I saw that in your config on the bridge ports??
add bridge=bridge comment=defconf ingress-filtering=no interface=pwr-line1

As for vlan200 on the WAN side, how could you not know you did this?
I am starting to think you didn't originally configure this device, so good idea to start fresh!!

Okay, the difficulty with this requirement is that you have split your internet access requirements at the MikroTik.
However, this is a solvable thing!
The allowed IPs set on the MikroTik will have to be 0.0.0.0/0, which will include the subnet at the pfSense.

At the pfSense you will need firewall rules allowing the incoming MikroTik traffic to reach the server (with source address of the right subnet from the MT) and traffic to reach the internet (with source address of the right subnet on the MT). Cannot help you with pfSense settings though.

POST the new config when it's ready!
 
452
just joined
Posts: 5
Joined: Sun May 01, 2022 10:41 am
Location: Ukraine/Kovel/Kyiv

Re: Wireguard Mikrotik - Route all traffic

Sun May 01, 2022 10:50 am

This is a configuration example of how to route all traffic to a VPN service with internet access.
You can also read more at viewtopic.php?t=182340
/interface wireguard add listen-port=51820 name=wireguard-inet private-key="xxx" comment="Internet through WireGuard commercial VPN provider"
/interface wireguard peers add allowed-address=0.0.0.0/0 endpoint-address=xxx.xxx.xxx.xxx endpoint-port=51820 interface=wireguard-inet persistent-keepalive=25m \
    preshared-key="xxx" public-key="xxx" comment="Internet through WireGuard commercial VPN provider"
/interface list member add interface=wireguard-inet list=WAN comment="Internet through WireGuard commercial VPN provider"
###
/ip address add address=xxx.xxx.xxx.xxx/32 interface=wireguard-inet comment="Internet through WireGuard commercial VPN provider"
/routing table add name=wireguard-wan fib comment="Internet through WireGuard commercial VPN provider"
/ip route add dst-address=0.0.0.0/0 gateway=wireguard-inet routing-table=wireguard-wan comment="Internet through WireGuard commercial VPN provider"
# replace 192.168.xxx.0/24 with your local network
/routing rule add action=lookup src-address=192.168.xxx.0/24 table=wireguard-wan comment="Internet through WireGuard commercial VPN provider"
# Add a connection speed limit if CPU load reaches 100%; depends on the MikroTik hardware
# /queue simple add max-limit=0/4500k name=queue-vpn target=wireguard-inet
# Add the DNS server from the VPN service
/ip/dhcp-server/network/set dns-server=10.xxx.0.1 0
# Your devices (PC, phone) need to reconnect to receive the new DNS server from the router
Last edited by 452 on Mon May 02, 2022 4:26 pm, edited 4 times in total.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Wireguard Mikrotik - Route all traffic

Sun May 01, 2022 4:28 pm

0.0.0.0/1 ???
half internet.... from 1.0.0.0 to 126.255.255.255... (useless 0.x , 10.x, 127.x , and the others)
and the rest from 128.0.0.0 to 223.255.255.255?
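To make Sob's earlier point (allowed-address must cover everything you want tunnelled) and rextended's objection (0.0.0.0/1 is only half of IPv4) concrete, here is an added Python check that is not part of this thread: it computes which IPv4 prefixes a WireGuard peer's allowed-address list leaves uncovered. The allowed-address lists in the demo are the thread's own (10.55.124.0/24, 0.0.0.0/1, 0.0.0.0/0); it uses only the standard library.

```python
# Added example, not from the thread: what does a WireGuard peer's
# allowed-address list actually cover?  WireGuard's cryptokey routing only
# sends a packet to the peer (and only accepts a reply from it) when the
# address is inside some allowed-address entry, so a gap here means traffic
# is silently dropped, not routed.
import ipaddress

IPV4_ALL = ipaddress.ip_network("0.0.0.0/0")


def uncovered_prefixes(allowed):
    """Return the IPv4 prefixes NOT matched by any allowed-address entry,
    collapsed to the shortest equivalent list (empty list = full coverage)."""
    remaining = [IPV4_ALL]
    for entry in allowed:
        net = ipaddress.ip_network(entry, strict=False)  # tolerate host bits
        nxt = []
        for gap in remaining:
            if gap.subnet_of(net):        # entry swallows this gap entirely
                continue
            if net.subnet_of(gap):        # entry carves a hole out of this gap
                nxt.extend(gap.address_exclude(net))
            else:                         # disjoint: gap is untouched
                nxt.append(gap)
        remaining = nxt
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]


def is_routed(allowed, dst):
    """True if dst falls inside some allowed-address entry for this peer."""
    ip = ipaddress.ip_address(dst)
    return any(ip in ipaddress.ip_network(a, strict=False) for a in allowed)


if __name__ == "__main__":
    cases = (
        ["10.55.124.0/24"],              # the original post: tunnel subnet only
        ["0.0.0.0/1"],                   # the "half internet" mistake
        ["0.0.0.0/1", "128.0.0.0/1"],    # two halves, equivalent to 0.0.0.0/0
        ["0.0.0.0/0"],                   # Sob's answer
    )
    for allowed in cases:
        gaps = uncovered_prefixes(allowed)
        print(f"allowed-address={','.join(allowed)}")
        print(f"  8.8.8.8 routed: {is_routed(allowed, '8.8.8.8')}, "
              f"office 192.168.2.10 routed: {is_routed(allowed, '192.168.2.10')}, "
              f"uncovered prefixes: {len(gaps)}")
```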
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Mikrotik - Route all traffic

Sun May 01, 2022 4:49 pm

Set your IP address for the wireguard interface as so.......
/ip address
add address=10.101.121.122/24 interface=wireguard-inet network=10.101.121.0
(Assuming the allowed IP at the pfSense or server site for your mobile device is 10.101.121.122/32)

Not sure on your IP route.......... you do need internet first.
Not sure how you do this, but let's assume you have a default route from the provider in IP DHCP........
Thus you need an additional route to force users out WG.

/routing table add name=useWG fib

/ip route
add distance=1 dst-address=0.0.0.0/0 gateway=wireguard-inet routing-table=useWG

/routing rule add src-address=LANsubnet action=lookup table=useWG

(if you don't want to be able to access the normal internet through the provider your mobile device is using when WG is down, then use action=lookup-only-in-table)

Depending upon firewall rule structure you may need a forward chain rule
add chain=forward action=accept in-interface-list=LAN (or src-address=subnet) out-interface=wireguard-inet

PS showing a truncated config is not helpful...........
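The routing-rule approach used throughout this thread (Sob's lookup-only-in-table rule, anav's lookup rule above) is easy to get subtly wrong, so here is an added Python model of the decision, not code from the thread or from RouterOS: a first-matching routing rule picks a table, `lookup` falls back to `main` when that table has no usable route, and `lookup-only-in-table` does not. The 10.200.1.0/24 client subnet, the `Wireguard` table and the 10.55.124.1 pfSense tunnel address are the thread's; the provider gateway 192.0.2.1 is a constructed placeholder.

```python
# Added example, not from the thread: a minimal model of RouterOS v7 policy
# routing as configured in this thread.  "Tunnel down" is modelled as the
# route via WireGuard being inactive (for example the interface disabled);
# note that RouterOS keeps a WireGuard interface "running" even without a
# handshake, so in practice the fallback only triggers in that inactive case.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    dst: str              # destination prefix, e.g. "0.0.0.0/0"
    gateway: str          # next hop address or interface name
    active: bool = True   # False = not installed in the FIB


@dataclass(frozen=True)
class Rule:
    src: str              # /routing rule src-address
    table: str            # table to consult
    action: str           # "lookup" or "lookup-only-in-table"


def longest_match(routes, dst):
    """Gateway of the most specific active route covering dst, or None."""
    dst_ip = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for r in routes:
        net = ipaddress.ip_network(r.dst)
        if r.active and dst_ip in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best.gateway if best else None


def resolve(tables, rules, src, dst):
    """Egress gateway for a packet src -> dst under the given rules/tables.

    The first rule whose src-address matches selects the table.  With
    action=lookup an empty result falls back to 'main' (clients keep using
    the provider while WireGuard is down); with lookup-only-in-table there
    is no fallback and the packet is dropped (returned as None).
    """
    src_ip = ipaddress.ip_address(src)
    for rule in rules:
        if src_ip in ipaddress.ip_network(rule.src):
            gw = longest_match(tables.get(rule.table, []), dst)
            if gw is not None or rule.action == "lookup-only-in-table":
                return gw
            break  # action=lookup: fall through to main
    return longest_match(tables["main"], dst)


def build_tables(wg_up):
    """Thread layout: provider default route in 'main' (constructed gateway
    192.0.2.1), tunnel default route in table 'Wireguard' via 10.55.124.1."""
    return {
        "main": [Route("0.0.0.0/0", "192.0.2.1"),
                 Route("10.55.124.0/30", "wireguard1", active=wg_up)],
        "Wireguard": [Route("0.0.0.0/0", "10.55.124.1", active=wg_up)],
    }


RULES_LOOKUP = [Rule("10.200.1.0/24", "Wireguard", "lookup")]
RULES_STRICT = [Rule("10.200.1.0/24", "Wireguard", "lookup-only-in-table")]

if __name__ == "__main__":
    for up in (True, False):
        t = build_tables(up)
        print(f"tunnel up={up}")
        print("  WG-SSID client, lookup:             ",
              resolve(t, RULES_LOOKUP, "10.200.1.5", "8.8.8.8"))
        print("  WG-SSID client, lookup-only-in-table:",
              resolve(t, RULES_STRICT, "10.200.1.5", "8.8.8.8"))
        print("  normal-SSID client:                 ",
              resolve(t, RULES_LOOKUP, "192.168.88.20", "8.8.8.8"))
```

With the tunnel down, the `lookup` rule silently sends the "VPN" SSID's traffic out the provider uplink, which is exactly the leak `lookup-only-in-table` prevents at the cost of losing connectivity.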
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Wireguard Mikrotik - Route all traffic

Sun May 01, 2022 5:25 pm

> 0.0.0.0/1 ???

If you're not ready for the whole internet and want to start slow. :)
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Mikrotik - Route all traffic

Sun May 01, 2022 6:15 pm

Well, with hAP lite WiFi, one has to be careful of saturating the WiFi capacity. ;-)
 
452
just joined
Posts: 5
Joined: Sun May 01, 2022 10:41 am
Location: Ukraine/Kovel/Kyiv

Re: Wireguard Mikrotik - Route all traffic

Mon May 02, 2022 1:19 pm

> 0.0.0.0/1 ???
> half internet.... from 1.0.0.0 to 126.255.255.255... (useless 0.x , 10.x, 127.x , and the others)
> and the rest from 128.0.0.0 to 223.255.255.255?

Yes, you are absolutely right, it's my mistake because I'm a newbie)))

I have updated my post, please review it again.
 
452
just joined
Posts: 5
Joined: Sun May 01, 2022 10:41 am
Location: Ukraine/Kovel/Kyiv

Re: Wireguard Mikrotik - Route all traffic

Mon May 02, 2022 1:35 pm

> /ip address
> add address=10.101.121.122/24 interface=wireguard-inet network=10.101.121.0
> Thus you need an additional route to force users out WG.
> /ip route
> add distance=1 dst-address=0.0.0.0/0 gateway=wireguard-inet routing-table=useWG
> /routing rule add src-address=LANsubnet action=lookup table=useWG
> /routing table add name=useWG fib

Thank you, it helped me, it works.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Mikrotik - Route all traffic

Mon May 02, 2022 2:19 pm

Take the time to read the parts that interest you.
viewtopic.php?t=182340
 
452
just joined
Posts: 5
Joined: Sun May 01, 2022 10:41 am
Location: Ukraine/Kovel/Kyiv

Re: Wireguard Mikrotik - Route all traffic

Mon May 02, 2022 4:42 pm

> Take the time to read the parts that interest you.
> viewtopic.php?t=182340

Also, in my configuration I added
/queue simple add max-limit=0/4500k name=queue-vpn target=wireguard-inet
because I have a lot of SYN traffic and the CPU load is 100%, and I get lags and logouts from WinBox (the ethernet port connected to the PC goes link down -> link up, restart).

With the speed limitation, CPU load is around 97-99% without internet lags (the internet works mostly correctly).