NoLink
just joined
Topic Author
Posts: 6
Joined: Sat Aug 19, 2017 3:49 pm

How to Route Wireguard Peers IPs to certain Ethernet Port

Wed May 25, 2022 11:46 am

Hello,

I have trouble understanding how to route the following scenario:

The Device (CRS326-24G-2S+) with RouterOS 7.2.3 is behind a Firewall and used as a Wireguard VPN-Appliance only.

Because there is already a firewall between RouterOS and Internet, the Firewall on RouterOS is empty and not used.

The Wireguard Connection itself works well, this was tested with a test setup which used NAT.

But for the final setup, I want all WireGuard peers which are connected to RouterOS routed via ether4. The IP range which is used for the "client" peers: 100.64.44.0/24. Each peer gets an IP like 100.64.44.5/32. The Firewall has a Gateway on 100.64.44.1. (VLAN 44 on Firewall, untagged, defined per Port)

Ether 1-3 are used for management purposes (access to RouterOS etc.) and bridged (Name: Bridge_55). The IP of RouterOS itself is 192.168.55.2. The Firewall has a Gateway on 192.168.55.1, too. (VLAN 55 on Firewall, untagged, defined per Port)

No further Ports are used.

Address List:
Address 100.64.44.2/24 - Network 100.64.44.0 - Interface ether4
Address 192.168.55.2 - Network 192.168.55.0 - Interface ether2

Route List:
Dst. Address 0.0.0.0/0 - Gateway 192.168.55.1
Dst. Address 100.64.44.0/24 - Gateway ether4
Dst. Address 192.168.55.0/24 - Gateway Bridge_55

Accessing/Pinging RouterOS via VLAN 44 and 55 is working fine.

But I don't get how to route a peer correctly to ether4 without bridging (WG works on a different layer, I know).

Let's say a WireGuard "Client" Peer has got 100.64.44.5/32 assigned as an IP. Then routing the complete 100.64.44.0/24 range to ether4 is wrong, because 100.64.44.5/32 has Gateway VPN_ACC (the name of the WG interface). Because of that, I added a static route to the routes list: Dst. Address 100.64.44.5/32 - Gateway VPN_ACC

But I can't ping anything from the WG "client" peer when connected, for example the Gateway 100.64.44.1.

How do I have to set the routing table?
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to Route Wireguard Peers IPs to certain Ethernet Port

Wed May 25, 2022 3:10 pm

Very confusing explanation, can you provide a diagram. The MT is very much capable of doing what is required to get this working!
I imagine the firewall ahead of the MT is a router where you have at least access to forward ports. Assuming so, is it capable of static routes as well?
 
NoLink
just joined
Topic Author
Posts: 6
Joined: Sat Aug 19, 2017 3:49 pm

Re: How to Route Wireguard Peers IPs to certain Ethernet Port

Wed May 25, 2022 4:03 pm

explanation_MT.jpg
I simplified the network structure a little bit. I hope it is clearer now what I want to achieve. I'm not a native English speaker, so please ask if something is not clear.

Made a mistake in the lower left text, should be: "Because I can assign in Address List 100.64.44.2..." Sorry
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to Route Wireguard Peers IPs to certain Ethernet Port

Wed May 25, 2022 4:23 pm

Nice! If you can provide the current complete config, I can start dissecting it.
/export file=anynameyouwish
 
NoLink
just joined
Topic Author
Posts: 6
Joined: Sat Aug 19, 2017 3:49 pm

Re: How to Route Wireguard Peers IPs to certain Ethernet Port

Wed May 25, 2022 4:56 pm

Hello,

I will send you the config next Monday. Here in Germany we have a long holiday weekend now and I can't access the systems now. (yeah, that's it without VPN access :lol: )
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to Route Wireguard Peers IPs to certain Ethernet Port

Wed May 25, 2022 6:49 pm

Jajajaja well then having WG will allow you to work on holidays :-) :-)
 
NoLink
just joined
Topic Author
Posts: 6
Joined: Sat Aug 19, 2017 3:49 pm

Re: How to Route Wireguard Peers IPs to certain Ethernet Port

Fri May 27, 2022 3:06 pm

> Jajajaja well then having WG will allow you to work on holidays :-) :-)

No no, I won't work on holidays, but dumping some configs shouldn't take that long.

However, IT stuff and networking is a hobby as well. I tried a spontaneous flash of inspiration with my private MikroTik hardware. And well, it does now what I intended.

For the next one, who is desperate and wants to know how VLAN tagging of IPs and IP ranges can be done:

1. Don't try to VLAN tag some packets and some not. It makes things complicated. VLAN tag all packets with their correct VLAN ID.
2. Create a virtual VLAN network interface with the necessary VLAN ID and assign it to the matching ethernet port (where the other device you want to communicate with is connected).
3. Create a bridge and assign to the bridge the virtual VLAN network interface which you created in the previous step. I also assign to the bridge the matching VLAN ID which I want to use for tagging as well.
4. Assign to the bridge an IP address.
5. Add a mangle rule for marking all connections from your WireGuard interface.
6. Do a CGNAT where you route the marked connections from the previous step to the IP of the bridge that you created during this instruction.
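The steps above written out as RouterOS 7 commands, as an added example and not the poster's exported config. VPN_ACC, ether4, VLAN 44 and the 100.64.44.x addresses come from the thread; the names vlan44 and bridge44, the listen port and the connection mark are assumed, the peer public key is a placeholder, and the last step is written as a plain src-nat to the bridge address, which is how the post's "CGNAT" reads.

```routeros
# Added example (not the poster's config). Assumed names: vlan44, bridge44,
# wg_conn; VPN_ACC and the addresses are from the thread.

# Steps 1-2: tag everything; one VLAN interface for VLAN 44 on ether4
/interface vlan
add name=vlan44 vlan-id=44 interface=ether4

# Step 3: bridge that carries only the VLAN interface
/interface bridge
add name=bridge44
/interface bridge port
add bridge=bridge44 interface=vlan44

# Step 4: the RouterOS address on VLAN 44; the firewall is 100.64.44.1
/ip address
add address=100.64.44.2/24 interface=bridge44 network=100.64.44.0

# WireGuard interface, one "client" peer (allowed-address is its /32)
# and the per-peer host route the thread already uses
/interface wireguard
add name=VPN_ACC listen-port=13231
/interface wireguard peers
add interface=VPN_ACC allowed-address=100.64.44.5/32 \
    public-key="<PEER_PUBLIC_KEY_PLACEHOLDER>"
/ip route
add dst-address=100.64.44.5/32 gateway=VPN_ACC

# Step 5: mark every connection that enters from the WireGuard interface
/ip firewall mangle
add chain=prerouting in-interface=VPN_ACC action=mark-connection \
    new-connection-mark=wg_conn passthrough=yes

# Step 6: translate the marked connections to the bridge address, so the
# VLAN 44 side only ever sees 100.64.44.2 (assumed reading of "CGNAT")
/ip firewall nat
add chain=srcnat connection-mark=wg_conn out-interface=bridge44 \
    action=src-nat to-addresses=100.64.44.2

# Check: after a peer pings 100.64.44.1, its flows show up with the mark
/ip firewall connection print where connection-mark=wg_conn
```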
