Techsystem
Member
Topic Author
Posts: 337
Joined: Tue Dec 21, 2021 5:12 am

setup Wireguard in Two ISP environment

Sat Jan 21, 2023 10:43 am

Hello all.
So I have an RB2011iL-RM and I have WireGuard on it. Previously, when I had one ISP (one WAN connection), the WireGuard connection was working fine, but when I added another ISP (so now two WANs are connected to my RB2011iL-RM), WireGuard is not working any more, so I had to disable ether2 in order to make my WireGuard connection work again. So is there any rule that I have to add in order to make WireGuard work in a two-ISP environment?
 
anav
Forum Guru
Posts: 19176
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: setup Wireguard in Two ISP environment

Sat Jan 21, 2023 1:51 pm

Send me a magic crystal ball and all will be resolved, you know the drill , wakeup........
 
Techsystem
Member
Topic Author
Posts: 337
Joined: Tue Dec 21, 2021 5:12 am

Re: setup Wireguard in Two ISP environment

Sat Jan 21, 2023 2:52 pm

Send me a magic crystal ball and all will be resolved, you know the drill , wakeup........
lol.. you're right.
So if that is the case, here is my config. You will notice that I have load balancing at the PCC level; however, I disabled all the LB mangle rules, but to no avail.
 
anav
Forum Guru
Posts: 19176
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: setup Wireguard in Two ISP environment

Sat Jan 21, 2023 10:09 pm

Before I look at the config, is it acting as a server for the initial handshake (road warriors connecting to the RB2011), and if so, for what purposes?
OR
Is the RB2011 a client, as in connecting to a third-party VPN, and if so, which subnets need to go out it, etc.?
That's the kind of additional info that puts some context on the scenario.
 
korzus
just joined
Posts: 3
Joined: Mon Oct 13, 2014 2:18 am

Re: setup Wireguard in Two ISP environment

Sun Jan 22, 2023 3:53 am

If your .rsc is the real configuration, you are using a public range on your WireGuard networks.
Use class A, B or C, but use the private range.
The only valid private range you created is wireguard2. The other WireGuard interfaces are public.
You don't need to create one WireGuard interface for every remote user. Just create one interface and add the peers you need to that WireGuard interface.

Your MikroTik is missing mangle rules. I didn't locate the mark-connection rules for the incoming packets from your WANs, for example.
I think your route section config is missing something too.

For optimization, add ether2 to the WAN interface list and change one of the masquerade NAT rules to that list, removing the interface. The other masquerade rule you can delete.

I will check my config tomorrow and reply here.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: setup Wireguard in Two ISP environment

Sun Jan 22, 2023 4:17 am

Use class A, B or C, but use the private range.
Class A, B or C???
Those were obsoleted in 1993...
 
anav
Forum Guru
Posts: 19176
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: setup Wireguard in Two ISP environment

Sun Jan 22, 2023 4:54 pm

Before I look at the config, is it acting as a server for the initial handshake (road warriors connecting to the RB2011), and if so, for what purposes?
OR
Is the RB2011 a client, as in connecting to a third-party VPN, and if so, which subnets need to go out it, etc.?
That's the kind of additional info that puts some context on the scenario.

Finally, not sure one can make WireGuard work with one interface, especially missing the info above: client or server??

Any reason why you have a gazillion wg interfaces????
What is mob?

++++++++++++++++++++++++

Why?
/ip address
add address=192.168.0.1/24 comment=LAN interface=ether3 network=192.168.0.0
add address=192.168.2.1/24 comment=WiFi interface=ether4 network=192.168.2.0
add address=192.168.2.1/24 comment=CCTV interface=ether5 network=192.168.2.0

/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.21,8.8.8.8 domain=\
192.168.0.21 gateway=192.168.0.1
add address=192.168.1.0/24 gateway=192.168.1.1
add address=192.168.2.0/24 gateway=192.168.2.1

++++++++++++++++++++++++

Okay, as server........
Firewall rules are weak, but nothing blocking that I see.

Okay, mangling aside, need clarity on expectations, requirements...........

If you have mangling doing PCC, you have to first figure out which ISP will be used for WireGuard, and that means:
a. the initial handshake (and the tunnel will then exist over that ISP)

One approach to simplify is to use the MT IP Cloud mynetname on a specific WAN, which will make it easy for remote users to set the endpoint in their client settings.
I believe that solves half the problem.

So is the public IP dynamic or static? The one you want to use for WireGuard traffic (where all users will be coming in on for the initial handshake).
 
Techsystem
Member
Topic Author
Posts: 337
Joined: Tue Dec 21, 2021 5:12 am

Re: setup Wireguard in Two ISP environment

Sun Jan 22, 2023 8:41 pm

Why do you quote whole preceding post? Does it help you to answer? Do you repeat what your interlocutor says when you discuss face to face? Just use "Post Reply" button.
Hello anav!
mob is related to mobile, so it's a mobile interface.
"If you have mangling doing PCC, you have to first figure out which ISP will be used for WireGuard, and that means:
a. the initial handshake (and the tunnel will then exist over that ISP)"

Yes, you are right, that is my main problem. For this case I changed the mangle load balancing rules to an LB rule based on bandwidth;
you can check the kirnak method here: "https://mum.mikrotik.com/presentations/US12/tomas.pdf"
So it seems that I didn't know how to make the WireGuard connection go through ether-1, even if I reboot my router...!?

One approach to simplify is to use the MT IP Cloud
I didn't understand what you mean by that..?
The public IP is static.
Last edited by BartoszP on Sun Jan 22, 2023 9:17 pm, edited 1 time in total.
Reason: removed excessive quoting of preceding post; be wise, quote smart, save network traffic
 
anav
Forum Guru
Posts: 19176
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: setup Wireguard in Two ISP environment

Mon Jan 23, 2023 3:57 am

We can move forward when you address context, especially WG; a network diagram would help.
Also, did you fix the IP address error, etc.?
 
Techsystem
Member
Topic Author
Posts: 337
Joined: Tue Dec 21, 2021 5:12 am

Re: setup Wireguard in Two ISP environment

Tue Jan 24, 2023 8:58 am

We can move forward when you address context, especially WG; a network diagram would help.
Also, did you fix the IP address error, etc.?
Hello Mr. Anav!
So I fixed the IP address error; also, I replaced the PCC-based load balancing rules with this rule (LB based on bandwidth):
0 chain=prerouting action=accept src-address-list=connected
dst-address-list=connected log=no log-prefix=""

1 ;;; Router Marking
chain=input action=mark-connection new-connection-mark=WAN1-to-ROS
passthrough=yes connection-mark=no-mark in-interface=ether1 log=no
log-prefix=""

2 chain=input action=mark-connection new-connection-mark=WAN2-to-ROS
passthrough=yes connection-mark=no-mark in-interface=ether2 log=no
log-prefix=""

3 chain=output action=mark-routing new-routing-mark=to-WAN-1 passthrough=yes
connection-mark=WAN1-to-ROS log=no log-prefix=""

4 chain=output action=mark-routing new-routing-mark=to-WAN-2 passthrough=yes
connection-mark=WAN2-to-ROS log=no log-prefix=""

5 chain=forward action=mark-connection new-connection-mark=WAN2-to-LAN
passthrough=yes connection-mark=no-mark in-interface=ether2 log=no
log-prefix=""

6 ;;; LAN Marking
chain=forward action=mark-connection new-connection-mark=WAN1-to-LAN
passthrough=yes connection-mark=no-mark in-interface=ether1 log=no
log-prefix=""

7 chain=prerouting action=mark-routing new-routing-mark=to-WAN-1
passthrough=yes src-address-list=LAN connection-mark=WAN1-to-LAN log=no
log-prefix=""

8 chain=prerouting action=mark-routing new-routing-mark=to-WAN-2
passthrough=yes dst-address-type=!local src-address-list=LAN
connection-mark=WAN2-to-LAN per-connection-classifier=src-address:2/1
log=no log-prefix=""

9 ;;; LAN->WAN
chain=prerouting action=mark-connection new-connection-mark=LAN-to-WAN
passthrough=yes dst-address-type=!local src-address-list=LAN
dst-address-list=!connected connection-mark=no-mark log=no log-prefix=""

10 ;;; Load-Balance Here
chain=prerouting action=mark-routing new-routing-mark=to-WAN-1
passthrough=yes src-address-list=LAN dst-address-list=!connected
connection-mark=LAN-to-WAN log=no log-prefix=""

11 ;;; Sticku Connection
chain=prerouting action=mark-connection new-connection-mark=Sticky-ISP1
passthrough=yes connection-mark=LAN-to-WAN routing-mark=to-WAN-1 log=no
log-prefix=""

12 chain=prerouting action=mark-connection new-connection-mark=Sticky-ISP2
passthrough=yes connection-mark=LAN-to-WAN routing-mark=to-WAN-2 log=no
log-prefix=""

13 chain=prerouting action=mark-routing new-routing-mark=to-WAN-1
passthrough=yes src-address-list=LAN connection-mark=Sticky-ISP1 log=no
log-prefix=""

14 chain=prerouting action=mark-routing new-routing-mark=to-WAN-2
passthrough=yes src-address-list=LAN connection-mark=Sticky-ISP2 log=no
log-prefix=""


But I encounter the same problem: when the traffic switches to ether-2, the WireGuard connection switches off. So from your experience, is there a way to
keep WireGuard traffic on only one interface?
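The fix that anav and korzus describe above (pick one ISP for the WireGuard handshake, mark those connections as they arrive on that WAN, and route the router's own replies back out the same WAN, ahead of any PCC/LB rules) can be written as the following RouterOS v7 fragment. This is an added example and not config from the thread or from MikroTik; it reuses the thread's interface names (ether1, ether2) and routing-mark names (to-WAN-1, to-WAN-2), assumes the WireGuard interface listens on RouterOS's default port 13231 on the static ISP1 address, and uses placeholder gateways, a placeholder peer key and an RFC 1918 tunnel subnet that you would replace with your own. It also applies korzus's two side points: one WireGuard interface with several peers, and one masquerade rule bound to the WAN interface list instead of one rule per interface.

```routeros
# --- Interface list: both ISPs in one WAN list (korzus's optimisation) ---
/interface list
add name=WAN
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=WAN

# --- One WireGuard interface, private tunnel range, peers added to it ---
# 10.10.0.0/24 is a constructed RFC 1918 example range, not a value from the thread.
/interface wireguard
add name=wireguard1 listen-port=13231
/ip address
add address=10.10.0.1/24 interface=wireguard1
/interface wireguard peers
add interface=wireguard1 allowed-address=10.10.0.2/32 \
    public-key="<PLACEHOLDER-PEER-PUBLIC-KEY>" comment="road warrior 1"

# --- Routing tables used by the routing marks (required in RouterOS v7) ---
/routing table
add name=to-WAN-1 fib
add name=to-WAN-2 fib
# Placeholder ISP gateways (documentation ranges, replace with the real ones).
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-table=to-WAN-1
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-table=to-WAN-2

# --- Pin WireGuard to ISP1 ---
# 1) A handshake arriving on ether1 for the WireGuard port gets a connection mark
#    before any LB/PCC rule can touch it (keep these rules at the top of mangle).
# 2) Anything the router itself sends for that connection (the handshake reply
#    and later tunnel packets) is forced through the to-WAN-1 table, so it leaves
#    via ether1 even when the main table or PCC rules would prefer ether2.
/ip firewall mangle
add chain=input in-interface=ether1 protocol=udp dst-port=13231 \
    connection-mark=no-mark action=mark-connection \
    new-connection-mark=WG-via-WAN1 passthrough=yes comment="WireGuard in on ISP1"
add chain=output connection-mark=WG-via-WAN1 action=mark-routing \
    new-routing-mark=to-WAN-1 passthrough=no comment="WireGuard replies out ISP1"

# --- Firewall: only the WireGuard port is opened, and only from the WAN list.
#     Place this above the generic drop-from-WAN input rule. ---
/ip firewall filter
add chain=input protocol=udp dst-port=13231 in-interface-list=WAN \
    action=accept comment="WireGuard handshakes"

# --- One masquerade rule for both ISPs (replaces two per-interface rules) ---
/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade
```

Remote peers then set their endpoint to the static ISP1 address (or, as anav suggests, the IP Cloud mynetname pointed at that WAN) with port 13231. Because the handshake only ever arrives on ether1 and the output mark sends every reply back through to-WAN-1, the LB rules deciding LAN traffic between ether1 and ether2 no longer affect the tunnel; a quick check after applying it is `/ip firewall connection print where dst-port=13231`, which should show the WG-via-WAN1 connection mark on the peer's UDP flow.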
