Hello,
I have trouble understanding how to route the following scenario:
The device (CRS326-24G-2S+) with RouterOS 7.2.3 is behind a firewall and is used as a WireGuard VPN appliance only.
Because there is already a firewall between RouterOS and the Internet, the firewall on RouterOS is empty and not used.
The WireGuard connection itself works well; this was tested with a test setup which used NAT.
But for the final setup, I want all WireGuard peers which are connected to RouterOS to be routed via ether4. The IP range used for the "client" peers is 100.64.44.0/24. Each peer gets an IP like 100.64.44.5/32. The firewall has a gateway on 100.64.44.1 (VLAN 44 on the firewall, untagged, defined per port).
Ether 1-3 are used for management purposes (access to RouterOS etc.) and bridged (name: Bridge_55). The IP of RouterOS itself is 192.168.55.2. The firewall has a gateway on 192.168.55.1, too (VLAN 55 on the firewall, untagged, defined per port).
No further Ports are used.
Address List:
Address 100.64.44.2/24 - Network 100.64.44.0 - Interface ether4
Address 192.168.55.2 - Network 192.168.55.0 - Interface ether2
Route List:
Dst. Address 0.0.0.0/0 - Gateway 192.168.55.1
Dst. Address 100.64.44.0/24 - Gateway ether4
Dst. Address 192.168.55.0/24 - Gateway Bridge_55
Accessing/Pinging RouterOS via VLAN 44 and 55 is working fine.
But I don't get how to route a peer correctly to ether4 without bridging (WG works on a different layer, I know).
Let's say a WireGuard "client" peer has 100.64.44.5/32 assigned as an IP. Then routing the complete 100.64.44.0/24 range to ether4 is wrong, because 100.64.44.5/32 has gateway VPN_ACC (the name of the WG interface). Because of that, I added a static route to the route list: Dst. Address 100.64.44.5/32 - Gateway VPN_ACC
But I can't ping anything from the WG "client" peer when connected, for example the gateway 100.64.44.1.
How do I need to set up the routing table?