I have properly working IPv4 and IPv6 networks. IPv4 is NATed, IPv6 /64 prefix comes from WAN (PPPoE) via DHCPv6 PD and it is then Router Advertised to my LAN.
I want to route some of the outgoing traffic via a WireGuard VPN using NAT. To do that I've:
- created a new routing table;
- added the 0.0.0.0/0 and ::/0 routes via the VPN interface to this new routing table;
- added the nat rules;
- added the mangle rules to do the mark-routing.
I can see the mangle firewall rule increasing the packets counter, but this is not working for IPv6. The marked IPv6 traffic is still going directly to the Internet, not via the VPN.
Interestingly, this same configuration is working fine for IPv4.
Am I doing anything wrong here? Or is it a bug with RouterOS v7?
Here are the relevant parts of my config:
/interface wireguard
add listen-port=51820 mtu=1432 name=vpn
/interface wireguard peers
add allowed-address=0.0.0.0/0,::/0 interface=vpn
/ip address
add address=172.16.0.2 interface=vpn network=172.16.0.2
/ipv6 address
add address=fd00:a:b:c:d:e:f:1234/128 advertise=no interface=vpn
/routing table
add fib name=vpn
/ip route
add dst-address=0.0.0.0/0 gateway=vpn routing-table=vpn
/ipv6 route
add dst-address=::/0 gateway=vpn routing-table=vpn
/ipv6 firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=vpn passthrough=no src-mac-address=AA:BB:CC:DD:EE:FF
/ipv6 firewall nat
add action=masquerade chain=srcnat comment=masquerade ipsec-policy=out,none out-interface=vpn
I also discovered by accident that if I mess with /routing/rule/ (like add and then remove some rules) the marked traffic will start going through the VPN, even after removing all rules in there. This makes me guess it is something related to the routing cache?
Thanks in advance.