I am trying to route all traffic through the wireguard interface.
Device: mikrotik hex s
Configuration:
# dec/21/2021 21:26:00 by RouterOS 7.1
# software id = B44A-P90U
#
# model = RB760iGS
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] l2mtu=2026 mtu=2026
set [ find default-name=ether2 ] l2mtu=2026 mtu=2026
set [ find default-name=ether3 ] l2mtu=2026 mtu=2026
set [ find default-name=ether4 ] l2mtu=2026 mtu=2026
set [ find default-name=ether5 ] l2mtu=2026 mtu=2026
set [ find default-name=sfp1 ] disabled=yes l2mtu=2026 mtu=2026
/interface wireguard
add listen-port=13231 mtu=2026 name=wg0
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.1.2-192.168.1.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1 lease-time=1d name=dhcp1
/port
set 0 name=serial0
/routing table
add disabled=no fib name=via-wg
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=77.zz.xx.yy endpoint-port=\
63665 interface=wg0 persistent-keepalive=3s public-key=\
"some_public_key="
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
add address=10.0.1.3/24 interface=wg0 network=10.0.1.0
/ip dhcp-client
add default-route-distance=10 interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip route
add disabled=no distance=10 dst-address=0.0.0.0/0 gateway=192.168.9.1 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wg0 pref-src="" \
routing-table=via-wg scope=30 suppress-hw-offload=no target-scope=10
/system clock
set time-zone-name=Europe
10.0.1.3 is the IP of my router on the wg0 interface;
10.0.1.1 is the IP of my remote host on the wg0 interface;
192.168.9.1 is the IP of the default gateway from the ISP.
The wg interface is working as expected (I can ping the remote host from the router).
Routes:
[admin@MikroTik] > /ip route print
Flags: D - DYNAMIC; A - ACTIVE; c, s, y - COPY
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#       DST-ADDRESS      GATEWAY      DISTANCE
0  As   0.0.0.0/0        192.168.9.1        10
   DAc  10.0.1.0/24      wg0                 0
   DAc  192.168.1.0/24   bridge1             0
   DAc  192.168.9.0/24   ether1              0
1  As   0.0.0.0/0        wg0                 1
Symptoms:
1. If I add a route "0.0.0.0/0 wg0" to the default table main, then I can't ping the host 8.8.8.8.
2. If I add a route "0.0.0.0/0 wg0" to the table "via-wg", then I can't ping the host 8.8.8.8.
Question: Could someone explain what should be done in order to route all traffic via wg tunnel?
NB: I've already read several posts on this forum, and it looks like I should use a routing table. But I don't have a full understanding of how exactly it should be done - I'm not a network engineer.
Thanks for any help in advance.
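An added example, not part of the original post or of MikroTik's documentation, showing the policy-routing pieces RouterOS 7 needs before a route in a non-main table is ever consulted; the interface names, the 192.168.1.0/24 LAN, the 192.168.9.1 ISP gateway and the 77.zz.xx.yy endpoint placeholder are taken from the export above, and the explanation of the two symptoms in the comments is an assumption about this setup.

```routeros
# Added example (not the poster's config): policy routing on RouterOS 7.
# A route in table via-wg is never used unless a routing rule (or a routing
# mark) sends lookups to that table; otherwise the default route in main
# wins, which is what symptom 2 looks like.

/ip route
# Keep the WireGuard endpoint reachable via the ISP gateway in table main, so
# the tunnel's own UDP packets cannot be routed back into the tunnel (a loop
# that matches symptom 1 when 0.0.0.0/0 via wg0 is placed in main).
# 77.zz.xx.yy is the endpoint placeholder from the export; substitute yours.
add dst-address=77.zz.xx.yy/32 gateway=192.168.9.1 routing-table=main
# The 0.0.0.0/0 via wg0 route in table via-wg from the export stays as it is.

/routing rule
# Send lookups for LAN-sourced packets to via-wg only. With
# lookup-only-in-table, if the tunnel is down the packets are dropped instead
# of leaking out through ether1 (fail closed). Router-originated traffic,
# e.g. ping 8.8.8.8 from the router itself, is not matched by this rule and
# keeps using main, so test from a LAN host.
add src-address=192.168.1.0/24 action=lookup-only-in-table table=via-wg

/ip firewall nat
# The export only masquerades on ether1; replies from the remote side have
# no route for 192.168.1.0/24, so masquerade on the tunnel as well.
add chain=srcnat out-interface=wg0 action=masquerade
```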