 
canth1
just joined
Topic Author
Posts: 1
Joined: Wed Jun 15, 2022 8:18 pm

Help With Wireless + Wireguard

Wed Jun 15, 2022 8:36 pm

Hello,

I've searched the forums for a possible solution to my problem, but I haven't been able to find exactly what I'm looking for.

What I'm looking to do is to use my hAP ac2, and create two wireless networks. One wireless network will route internet traffic to/over my regular ISP, but the second wireless network will have all traffic routed to/over the Wireguard interface.

I should mention that I'm very familiar with Wireguard, and I already have a Wireguard server on a virtual machine in a datacenter, so I only need some direction on the MikroTik config. Also, I have a similar setup already on a Raspberry Pi, where I configured it as a WiFi hotspot, and all traffic from the wireless interface is forwarded over the ethernet/Wireguard interface, and the Raspberry Pi ethernet interface is connected directly to my router. With this config, the Raspberry Pi is essentially a VPN WiFi hotspot.

So, I'm essentially looking to integrate this functionality on my MikroTik router, as its WiFi signal and speed are significantly better than the Raspberry Pi's.

Thanks!
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Help With Wireless + Wireguard

Wed Jun 15, 2022 9:18 pm

It's not clear to me with which part of the overall setup you need assistance.

The steps are the following:
  • create one "physical" wireless interface per band (2.4/5 GHz) with one SSID, and one "virtual" wireless interface per each of the physical ones, with another SSID.
  • create a bridge for each of the two networks, and make the corresponding wireless interfaces member ports of the respective bridges. Or you can use a single bridge with VLANs instead and add a corresponding /interface vlan row for one of the networks, no idea which of the two approaches uses less CPU.
  • create a vrf and make the wireguard interface and one of the wireless bridges (or VLANs) its member interfaces. Assign Mikrotik's own IP address to each bridge or VLAN, attach a DHCP server to each; don't forget that the VPN SSID must not use the Mikrotik as a router.
  • add a default route via the Wireguard interface to the routing table of the VRF.
Instead of VRF, you can use routing rules or mangle rules assigning routing marks, but that's more work and higher risk of traffic leakage if the VPN goes down.
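
The steps above written out as RouterOS v7 CLI commands, as an added example that is not part of the original post. It assumes the legacy wireless package with radios wlan1 and wlan2 already serving the regular SSID, an existing WireGuard interface wireguard1 whose peer has allowed-address 0.0.0.0/0, and a WireGuard server that accepts the client subnet; every name, SSID, passphrase and address is a constructed placeholder.

```routeros
# Added example: all names and values below are constructed placeholders.

# Step 1: one virtual AP per physical radio, carrying the second SSID
/interface wireless security-profiles
add name=vpn-profile mode=dynamic-keys authentication-types=wpa2-psk \
    wpa2-pre-shared-key="CHANGE-ME-PASSPHRASE"
/interface wireless
add name=wlan1-vpn master-interface=wlan1 mode=ap-bridge ssid=Home-VPN \
    security-profile=vpn-profile disabled=no
add name=wlan2-vpn master-interface=wlan2 mode=ap-bridge ssid=Home-VPN \
    security-profile=vpn-profile disabled=no

# Step 2: a dedicated bridge for the VPN SSID; the existing LAN bridge is untouched
/interface bridge
add name=bridge-vpn
/interface bridge port
add bridge=bridge-vpn interface=wlan1-vpn
add bridge=bridge-vpn interface=wlan2-vpn

# Step 3: VRF containing only the tunnel and the VPN bridge
/ip vrf
add name=vrf-vpn interfaces=wireguard1,bridge-vpn

# Router address and DHCP service on the VPN bridge (constructed subnet 10.99.0.0/24)
/ip address
add address=10.99.0.1/24 interface=bridge-vpn
/ip pool
add name=pool-vpn ranges=10.99.0.10-10.99.0.200
/ip dhcp-server
add name=dhcp-vpn interface=bridge-vpn address-pool=pool-vpn disabled=no
/ip dhcp-server network
# dns-server is a constructed address standing for a resolver reached through the tunnel
add address=10.99.0.0/24 gateway=10.99.0.1 dns-server=10.8.0.1

# Step 4: the VRF's only default route points into the tunnel.
# The vrf-vpn table holds no route via the ISP uplink, so clients of the
# VPN SSID have no ISP path to fall back to.
/ip route
add dst-address=0.0.0.0/0 gateway=wireguard1@vrf-vpn routing-table=vrf-vpn

# Check: the table should list only the connected subnets and the route above
/ip route print where routing-table=vrf-vpn
```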
 
kurio
newbie
Posts: 25
Joined: Sun Dec 22, 2013 6:15 pm

Re: Help With Wireless + Wireguard

Wed Jul 26, 2023 11:29 am

Hello,
I have a different type of VPN, but the question is the same. I have set up a different bridge for this VPN, it gives out different subnet IPs using its DHCP to the wireless clients. But the clients can only ping that second bridge IP. So, marks, rules and tables did not work for me.

Your answers are of very high level. I don't know how to implement them.
Right at the beginning when I look for default VRF (main), it contains ALL interfaces. There are about 20 different interfaces.
Should I leave it like this on the main VRF and create a second VRF with only 2 interfaces (bridge2 and vpn)?
Should I leave ip/firewall/nat rule (masquerade) for the subnet which has to go to the VPN?
"VPN SSID must not use the Mikrotik as a router" - where in winbox do I find and set it? In the wireless interfaces I don't see any "router" or "mikrotik" options.
Could you, please, elaborate on this?
Thanks
 
anav
Forum Guru
Posts: 19109
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help With Wireless + Wireguard

Wed Jul 26, 2023 2:40 pm

viewtopic.php?t=182340

Read, digest, learn, ask better questions and provide network diagram and configs.
