I've attached it as a file in an email to you. It contains so much rubbish not related to the issue in hand like ipsec settings (not now used), scripts, wireless settings etc etc that it would drive most readers here crazy
Not crazy LOL, just needed to understand the why.
Waiting on sindy to comment on wireguard IP address structure for two different wireguard interfaces and a third party vendor that insists on giving you the same IP at their end..................
In the meantime, can you post your complete config on the MT
/export (less the serial number and any actual public IP info (wanip gateway ip etc.))
Oh, so it is a "dialect" issue. In the command line dialect, there is an /ip address table and an /ip firewall address-list table; in the Winbox dialect, the former one is titled Address List (I'm not the one to ask why).
Both now have live connections, but without an address list: 10.14.0.2/16 network 10.14.0.0 interface [WireGuard interface] I can't get the VPN to work.
So when someone mentions an "address list", all command-line folks understand it as the latter, which is usually used to match traffic in firewall rules.
Since you actually have in mind the IP address as your post shows, go ahead and assign exactly the same IP address and mask to both the WG interfaces. Or, if doing so would cause headache to you, you may not assign that address to any of the WG interfaces, and just use an action=srcnat to-addresses=10.14.0.2 instead of action=masquerade in chain srcnat of /ip firewall nat for traffic outgoing via those WG interfaces.
Me, too, I think we are actually sane, and do not have the same mental block, but all those that accept and like to use the same IP address for different interfaces are insane, regardless if it's perfectly legitimate LOL.
Glad you got it working!!
Pretty please show us the two DAC routes created by such a monstrous approach.
presuming
<dac> 10.14.0.0/24 gwy=wireguard1 table=main
<dac> 10.14.0.0/24 gwy=wireguard2 table=main
That's really strange, looks like the IP address of the "Serbian" host is actually not 192.168.99.64 but something else in 192.168.99.0/24. If you add any address with a prefix length other than 32 to an address-list, it is automatically converted to a network address:
I originally had the address in the list (yes, the address list this time) set as 192.168.99.64 ... I had to change the single ip address to include the network mask as well, ie 192.168.99.64/24, then everything was fine.
Yes, you're right. I've been using WinBox so much and reading the title "Address List" when it's really a table of addresses, that I've confused most readers. I also had a mental block about assigning two interfaces to one address, but this is actually okay.
So assigning the two interfaces to one ip address, 10.14.0.2/16, has solved the problem. I now have a LAN here linked to a UK VPN and one device on the network linked to a non-UK, non-EU (Serbian) VPN. All seems to be working.
Many, many thanks @sindy and @anav for all your time and help. I've learnt a lot with this issue. Just an overblown amateur here really.
Hi anav, I always saw your replies on the forum, which always helped me. Can I ask for help with this one? Same scenario and same problem, but I can't assign the same IP address to both of my wireguard interfaces; the other always turns red and it says invalid. How can I replicate his success? Thanks
Yup the IP address for each wireguard interface should be fully setup, in order for the router to work its magic.
IP address=W.X.Y.Z/24 gwy=wireguardinterface_name
That's all you need to do, the router will fill in the rest.....
Hi sindy, I cannot replicate what solved the problem. I'm facing the same scenario and same problem, but every time I try to assign the same IP to my 2 wireguard interfaces, the other turns red and says invalid. Please help
Hi, I'm facing the same problem. Can you elaborate how you made it work? Because when I try to assign the same IP to 2 wireguard interfaces, the other turns red and invalid
Something else must be wrong or you are running a strange version of RouterOS:
[me@myTik] > ip address/print where interface~"w"
Columns: ADDRESS, NETWORK, INTERFACE
# ADDRESS NETWORK INTERFACE
...
2 192.168.144.1/24 192.168.144.0 wg-wst-srv
3 192.168.144.1/24 192.168.144.0 wg1
Hi, thanks for the response. I'm running v7.9.2
Nothing red, no complaints, not even in Winbox. RouterOS 7.12.
Show your export.
I did not ask for a screenshot, I do believe you when you say it is red, no need to prove it to me by a screenshot. I asked for an export to see what is wrong in the configuration.
here's a screenshot
Yeah thanks, I made it work. In another thread someone said the fix is with the listening port and it works for me. There is one question that is away from this topic. Now that I have 2 surfshark wireguard VPNs running, how can I theoretically make wireguard1 use only ISP1, and wireguard2 use only ISP2? Or is it possible?
So you had two interfaces listening on the same port? If so, one of them must have been showing an error too, so the inactive address associated to it was just a consequence.
in other thread someone said the fix is with listening port
I don't know how dynamic the addresses of the two Wireguard servers are - if you describe the peers as IP addresses, they may be static, if you describe them as FQDNs, they are likely dynamic.
now that i have 2 surfshark wireguard vpn running, how can i theoretically make wireguard1 use only ISP1, and wireguard2 use only ISP2? or is it possible?
here
to make recommendations for the two WG, need to see config
/export file=anynameyouwish ( minus router serial #, any publicWANIP information, keys, long dhcp lease lists etc..)
I need to route all the browsing ports because our ISP is throttling our speed except for gaming; gaming doesn't seem to be affected but our browsing is. About the VLAN, yeah, I meant to delete that, just forgot about it. It used to be used for sfp, but sfp broke so I relocated it to another ether
Quick Look Config
1. Listening port settings for the interface, on the client device, can be anything and do not have to match the ENDPOINT listening port and are basically random. In your case highly recommend to make them different.
/interface wireguard
add listen-port=51820 mtu=1420 name=wireguard1
add listen-port=51820 mtu=1420 name=wireguard2
TO
add listen-port=51821 mtu=1420 name=wireguard1
add listen-port=51822 mtu=1420 name=wireguard2
2. I must admit, over my head how they can assign you the same IP twice, which is bad enough, but doable, but then give you the same
endpoint port for both as well............ I am not sure how that works, but someone else probably does.....
I suppose on your end it's not so bad to keep separation by using the different wireguard interface name and on the third party end,
the separation is managed by private/public key matching.
3. Confused by your VLAN nomenclature.............
/interface vlan
add interface=ether7 name="vlan10 eth" vlan-id=10
add interface=sfp-sfpplus1 name="vlan10 sfp" vlan-id=10
I understand it's possible to put vlan10 to multiple interfaces...........
What I don't understand is the purpose of a different name. I don't think that's helpful as the traffic is the same vlan.
If you want a different vlan then use a different number along with diff name.
4. I will confess I do not have a hope in heck of understanding what you are doing at all both externally WANS, and internally PPP servers etc..
Hopefully others with more knowledge can help.
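The listen-port clash discussed above (two WireGuard interfaces on 51820, which left one interface in error and its address shown as invalid) can be checked for in a saved /export before applying it. This is an added example, not code from any poster in the thread; the function names and the sample text are constructed, and it assumes the export layout shown in the post above.

```python
import shlex
from collections import defaultdict

# Constructed sample: the "before" lines quoted in the post above.
SAMPLE_EXPORT = """\
/interface wireguard
add listen-port=51820 mtu=1420 name=wireguard1
add listen-port=51820 mtu=1420 name=wireguard2
/interface vlan
add interface=ether7 name="vlan10 eth" vlan-id=10
"""


def parse_section(export_text, section):
    """Return one dict of key=value pairs per 'add' line in the given section."""
    rows, current, pending = [], None, ""
    for raw in export_text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):      # exports wrap long lines with a backslash
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("/"):     # a new menu path starts a new section
            current = line
        elif current == section and line.startswith("add "):
            tokens = shlex.split(line[4:])   # keeps quoted values together
            rows.append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return rows


def duplicate_listen_ports(export_text):
    """Map each listen-port used by more than one WireGuard interface to their names."""
    by_port = defaultdict(list)
    for row in parse_section(export_text, "/interface wireguard"):
        if "listen-port" in row:
            by_port[row["listen-port"]].append(row.get("name", "?"))
    return {port: names for port, names in by_port.items() if len(names) > 1}


if __name__ == "__main__":
    for port, names in duplicate_listen_ports(SAMPLE_EXPORT).items():
        print(f"listen-port {port} is shared by: {', '.join(names)}")
```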