vglebv
just joined
Topic Author
Posts: 5
Joined: Sat Mar 19, 2022 12:08 am

WireGuard + OVPN home router config

Mon Mar 21, 2022 9:01 pm

Hello everyone!

I'm quite new to MikroTik, so I'd be very pleased if somebody could help me configure my home router correctly. My model is RB4011iGS+5HacQ2HnD-IN running RouterOS 7.1.3.

I added my home networking diagram to the attached files, but simply put, I'd like to set up two VPN clients on my router: one for getting into my private work network (A.A.A.A/19*, 10.0.0.0/8, 192.168.0.0/16 via my company's OVPN) and one for all other Internet resources (0.0.0.0/0 via a third-party WireGuard). Basically I get the WAN connection from my ISP using a DHCP client on eth1, and a DHCP server (172.16.0.0/24) with NAT on the router serves all home devices, which connect via wlan1 and wlan2.

Actually I have already configured something and it seems to work almost fine, but the main problem is that some domains and applications load very slowly through WireGuard and often fail with timeout errors. As far as I found on this forum, a mangle firewall rule can fix that problem, so I tried the same trick and it really worked a couple of times, but generally I still face the same problem. Moreover, I noticed that sometimes the same resources cannot load on, for example, wlan1 but can on wlan2 at the same time. Maybe that's normal for my incorrect config, but I'm really stuck because of it as a rookie with MikroTik.

You can also find my RouterOS and WireGuard configs in the attached files. Looking forward to the experts' advice!

Thanks to everybody in advance!

*A.A.A.A/19 - subnet of my company's white IPs.
*B.B.B.B - public IP address of my company's OVPN server.
 
anav
Forum Guru
Posts: 19363
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard + OVPN home router config

Wed Mar 23, 2022 4:06 pm

Fairly simple, but there are no firewall rules. That should be addressed first.
Also you have no interface list for the LAN.
Also you have this NOT disabled?...... set www port=someport
Don't see the point of this.......
add interface=WG list=wan

Do you want ALL users at home to go through the 3rdparty VPN for internet or just your laptop??
 
vglebv
just joined
Topic Author
Posts: 5
Joined: Sat Mar 19, 2022 12:08 am

Re: WireGuard + OVPN home router config

Wed Mar 23, 2022 9:24 pm

Hello and thanks for reply!
Also you have no interface list for the LAN
...
Don't see the point of this.......
add interface=WG list=wan
Frankly, I had never used interface lists before and created the WAN interface list for the first time just to put my DHCP server for the LAN bridge (eth2-eth10, wlan1, wlan2) behind NAT for both VPN clients. Perhaps this is completely incorrect and I should do something else instead, so I'd be pleased to get advice on how to manage that.
Do you want ALL users at home to go through the 3rdparty VPN for internet or just your laptop??
Yes, I do. I have at least 10 devices on Wi-Fi and want all of them to go through the 3rd-party VPN for reaching public resources.
Also you have this NOT disabled?...... set www port=someport
Thanks for pointing that out - I have just disabled the web service altogether.
 
anav
Forum Guru
Posts: 19363
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard + OVPN home router config

Wed Mar 23, 2022 10:02 pm

(1) For at least a start to firewall rules:
ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
{ADD ANY NEEDED VPN RULES HERE TO ACCEPT INCOMING VPN connections}
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else" { Last rule to actually put in because it can lock you out of the router }
{forward chain}
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward

(2) Interface lists should normally be:
WAN (etherport is a member + any special wan name assignment such as to a vlan required or pppoe required)
LAN - all subnets (vlans), if not VLans then Bridge will suffice to cover off subnets, ports not required.
Trusted ( if you only have one subnet then not required )
 
anav
Forum Guru
Posts: 19363
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard + OVPN home router config

Wed Mar 23, 2022 10:07 pm

Where did this address come from??
10.128.38.182 ???

Assuming you just need a random IP address to give to the third-party VPN??
Did they let you know if their server has a Server Wireguard Interface address ??

why so many routes???? Needs to be rationalized (purpose explained and cleaned up , then we can adjust for wireguard)
ip route
add disabled=no distance=1 dst-address=185.107.94.25/32 (someadress.com) gateway=100.69.16.1 \ (what is this for ??)
add disabled=no distance=1 dst-address=185.107.94.25/32 (someadress.com) gateway=100.69.16.1 \ (what is this for ??)
pref-src="" routing-table=main scope=10 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=B.B.B.B/32 gateway=100.69.16.1 \
pref-src=0.0.0.0 routing-table=main scope=10 suppress-hw-offload=no \
target-scope=10
add disabled=no dst-address=0.0.0.0/0 gateway=WG routing-table=main \ { okay so this is intended for internet access for all users?? }
suppress-hw-offload=no

add disabled=no distance=1 dst-address=A.A.A.A/19 gateway=10.132.15.129 \
pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=10.0.0.0/8 gateway=10.132.15.129 \ { DUplicate to below ?? }
pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=192.168.0.0/16 gateway=10.132.15.129 \ { Duplicate to below?? }
pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no dst-address=10.128.0.1/32 gateway=WG routing-table=main \
suppress-hw-offload=no
pref-src="" routing-table=main scope=10 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=B.B.B.B/32 gateway=100.69.16.1 \
pref-src=0.0.0.0 routing-table=main scope=10 suppress-hw-offload=no \
target-scope=10
add disabled=no dst-address=0.0.0.0/0 gateway=WG routing-table=main \
suppress-hw-offload=no
add disabled=no distance=1 dst-address=A.A.A.A/19 gateway=10.132.15.129 \
pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=10.0.0.0/8 gateway=10.132.15.129 \ { for ovpn traffic to business machine?? }
pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=192.168.0.0/16 gateway=10.132.15.129 \ { for ovpn traffic to business machine?? }
pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no dst-address=10.128.0.1/32 gateway=WG routing-table=main \ (what is this for ??)
suppress-hw-offload=no
 
vglebv
just joined
Topic Author
Posts: 5
Joined: Sat Mar 19, 2022 12:08 am

Re: WireGuard + OVPN home router config

Wed Mar 23, 2022 10:50 pm

(2) Interface list should be normally
WAN (etherport is a member + any special wan name assignment such as to a vlan required or pppoe required)
LAN - all subnets (vlans), if not VLans then Bridge will suffice to cover off subnets, ports not required.
Trusted ( if you only have one subnet then not required )
So I put the following interfaces in the WAN list: eth1, which is connected to the ISP, and both VPN clients (WireGuard and OVPN), and put the bridge with eth2-eth10 and wlan1-wlan2 in the LAN list. Is that correct, or should I leave the VPN clients out in my case?
(1) For at least a start to firewall rules:
{ADD ANY NEEDED VPN RULES HERE TO ACCEPT INCOMING VPN connections}
As far as I understand, I should not add anything, because both my VPNs on the home router are outgoing (they connect to remote VPN servers)? All the other rules I have made.

According to other questions:
1. 10.128.38.182 - the address the VPN provider gave me in their config for the WG client; 10.128.0.1 - the address of the WG DNS, which the VPN provider gave me in their config (you can check it in the WG.txt file attached to the original post). 10.132.15.129 - the address assigned to me by my company's network administrator for my OVPN client.

2. I'd be glad to rationalize the routes if you explain why any of them are unnecessary. Basically the idea is:
- add disabled=no distance=1 dst-address=185.107.94.25/32 gateway=100.69.16.1 - reaching WG-server's endpoint for initial handshake
- add disabled=no distance=1 dst-address=B.B.B.B/32 gateway=100.69.16.1 - reaching OVPN-server for initial handshake
- add disabled=no dst-address=0.0.0.0/0 gateway=WG routing-table=main - reaching public Internet resources through WG-client for all home devices
- add disabled=no distance=1 dst-address=A.A.A.A/19 gateway=10.132.15.129 - reaching public business net through OVPN-client for all home devices
- add disabled=no distance=1 dst-address=10.0.0.0/8 gateway=10.132.15.129 - reaching private business net through OVPN-client for all home devices
- add disabled=no distance=1 dst-address=192.168.0.0/16 gateway=10.132.15.129 - reaching private business net through OVPN-client for all home devices
- add disabled=no dst-address=10.128.0.1/32 gateway=WG - reaching WG DNS through the WG client
 
anav
Forum Guru
Posts: 19363
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard + OVPN home router config

Wed Mar 23, 2022 11:36 pm

So I put the following interfaces in the WAN list: eth1, which is connected to the ISP, and both VPN clients (WireGuard and OVPN), and put the bridge with eth2-eth10 and wlan1-wlan2 in the LAN list. Is that correct, or should I leave the VPN clients out in my case?

OKAY, remove the VPN clients from WAN; you have one WAN here and that's through your ISP. There may be cases where considering them as a WAN connection might make sense, but let's stick to "NORMAL" before we need to explore more radical approaches, which invariably get more complex. :-) For VPNs, at least from the MT perspective, the VPN connection is a service on the router and does NOT need to be put on the WAN interface list.

(1) For at least a start to firewall rules:
{ADD ANY NEEDED VPN RULES HERE TO ACCEPT INCOMING VPN connections}

As far as I understand, I should not add anything, because both my VPNs on the home router are outgoing (they connect to remote VPN servers)? All the other rules I have made.
Good, makes sense!!! You are a master at this!!

According to other questions:
1. 10.128.38.182 - the address the VPN provider gave me in their config for the WG client; 10.128.0.1 - the address of the WG DNS, which the VPN provider gave me in their config (you can check it in the WG.txt file attached to the original post). 10.132.15.129 - the address assigned to me by my company's network administrator for my OVPN client.

OKAY CLEAR
+++++++++++++++++++++++++++++++++++++++++++
2. I'd be glad to rationalize the routes if you explain why any of them are unnecessary. Basically the idea is:
- add disabled=no distance=1 dst-address=185.107.94.25/32 gateway=100.69.16.1 - reaching WG-server's endpoint for initial handshake
NOT REQUIRED AND WRONG

- add disabled=no distance=1 dst-address=B.B.B.B/32 gateway=100.69.16.1 - reaching OVPN-server for initial handshake
Don't know if you need this; I suspect NOT if it is simply an outgoing connection???

- add disabled=no dst-address=0.0.0.0/0 gateway=WG routing-table=main - reaching public Internet resources through WG-client for all home devices
NOT required UNLESS you want users to fall back to using your normal internet if wireguard internet is not available!!!! Confirm you want failback.........

- add disabled=no distance=1 dst-address=A.A.A.A/19 gateway=10.132.15.129 - reaching public business net through OVPN-client for all home devices ****
- add disabled=no distance=1 dst-address=10.0.0.0/8 gateway=10.132.15.129 - reaching private business net through OVPN-client for all home devices ****
- add disabled=no distance=1 dst-address=192.168.0.0/16 gateway=10.132.15.129 - reaching private business net through OVPN-client for all home devices ****

- add disabled=no dst-address=10.128.0.1/32 gateway=WG - reaching WG DNS through the WG client
NOT SURE THIS IS REQUIRED???


**** Seems like duplicates to me.............

What I see is that you need a total of 3 routes, one for traffic to each subnet (so that the MT router knows to use the OVPN tunnel for those destinations).
The question is how many users on your home router need access (how many IP addresses???).

To be frank, I don't understand why the OVPN server has a public IP, as I am used to the router having the public IP, but if that's the case, then disregard any advice I have, as I don't understand the way to approach this correctly (WireGuard I can handle).
Last edited by anav on Wed Mar 23, 2022 11:40 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 19363
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard + OVPN home router config

Wed Mar 23, 2022 11:39 pm

WIREGUARD

(1) IP ROUTES

dst-address=0.0.0.0/0 gwy=100.69.16.1
dst-address=0.0.0.0/0 gwy=WG table=useWG

Routing Table
/routing table add name=useWG fib

Routing Rule
/routing rule add src-address=172.16.0.0/24 action=lookup-only-in-table table=useWG

Note: if action=lookup only, then if the tunnel is not available traffic would go through the regular ISP for internet.

(2) Setting your wireguard interface address. In this case you want to be in sync with the 3rd party VPN provider with respect to the associated subnet.
Thus
/ip address
add address=10.128.38.182/24 interface=wg (no need to add network=, MT will do it for you and put in the correct one).

WHILE YOU ARE AT IP ADDRESS, FIX THIS:
ip address
....
add address=172.16.0.1/24 interface=bridge network=172.16.0.0

AND FOR GOD'S SAKE DON'T NAME YOUR BRIDGE lan, that is a recipe for confusing disaster when configuring a MikroTik device. LOL
Name it ANYTHING but that. name=milkshake for all I care...........:-0


(3) Peer Settings (look good).

(4) Firewall settings: unknown, but the configuration I provided will need one additional rule, between these two rules:

add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward in-interface=bridge out-interface=WG comment="allow LAN traffic to reach WG interface"
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat

With the above changes, it should work fine for you!!
 
vglebv
just joined
Topic Author
Posts: 5
Joined: Sat Mar 19, 2022 12:08 am

Re: WireGuard + OVPN home router config

Thu Mar 24, 2022 10:38 pm

I had started applying the new rules instead of the previous ones, and after adding the rule below I lost the ability to connect to the MT via Winbox. The first time it happened in safe mode, but I tried it one more time without it and messed everything up 😅
/routing rule add src-address=172.16.0.0/24 action=lookup-only-in-table table=useWG
So actually I'm going to do a hard reset and start the whole configuration from a clean sheet. Do you mind if I ask you a favour and ask you to provide a best-practice configuration for my case? I mean, I guess we have already dealt with the firewall, routing and interface lists, but I'm still not confident about my NAT masquerading and the mangle rule for changing the MSS so that some resources do not fail with timeouts (the basic problem).

Anyway, thank you a lot for such detailed explanations!
 
anav
Forum Guru
Posts: 19363
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard + OVPN home router config

Thu Mar 24, 2022 11:49 pm

What I suggest is to use one port as off-bridge access at the start and do the configuration from there.............

Item A here - viewtopic.php?t=182373
 
vglebv
just joined
Topic Author
Posts: 5
Joined: Sat Mar 19, 2022 12:08 am

Re: WireGuard + OVPN home router config  [SOLVED]

Mon Apr 04, 2022 10:41 pm

So after googling the same topics on different forums I figured out that the reason was not wrong routing or weak firewall security rules. Everything was fixed by two firewall mangle rules (input and output) for changing the MSS with clamp-to-pmtu on the forward chain for the WG interface.

But anyway, thanks a lot for the basic advice: I used firewall mangle marking to create a special routing table for a couple of my home devices.
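The following is an added example, not anav's or vglebv's configuration: a consolidated RouterOS 7 config that puts anav's routing and firewall advice together with the MSS clamp vglebv reported as the actual fix. The names ether1, bridge and WG, the LAN 172.16.0.0/24, the ISP gateway 100.69.16.1, the WG address 10.128.38.182 and the OVPN gateway 10.132.15.129 are taken from the thread; the A.A.A.A/19 route and a srcnat rule for the OVPN client are left out because the OVPN interface name is not given in the thread.

```routeros
# Added example (not code from the thread). Interface names, subnets and
# gateways are the ones quoted in the thread; the OVPN client's own interface
# name is unknown, so its route for A.A.A.A/19 and its srcnat rule are omitted.

/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1 list=WAN
add interface=bridge list=LAN

/ip address
add address=172.16.0.1/24 interface=bridge
add address=10.128.38.182/24 interface=WG

# main table: ISP default plus the corporate nets via the OVPN client.
# useWG table: tunnel default, consulted only for LAN clients.
/routing table
add name=useWG fib
/ip route
add dst-address=0.0.0.0/0 gateway=100.69.16.1 routing-table=main
add dst-address=10.0.0.0/8 gateway=10.132.15.129 routing-table=main
add dst-address=192.168.0.0/16 gateway=10.132.15.129 routing-table=main
add dst-address=0.0.0.0/0 gateway=WG routing-table=useWG

# Rules are matched top-down. The three "lookup table=main" rules must come
# first: a bare lookup-only-in-table rule sends LAN-to-router and LAN-to-corporate
# traffic into useWG, which has no route for it, and Winbox access from the LAN
# is lost (the likely cause of the lockout in the thread). No ISP fallback if WG is down.
/routing rule
add src-address=172.16.0.0/24 dst-address=172.16.0.0/24 action=lookup table=main
add src-address=172.16.0.0/24 dst-address=10.0.0.0/8 action=lookup table=main
add src-address=172.16.0.0/24 dst-address=192.168.0.0/16 action=lookup table=main
add src-address=172.16.0.0/24 action=lookup-only-in-table table=useWG

# Source NAT per egress; the WG client is a router service, not a WAN member.
/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade
add chain=srcnat out-interface=WG action=masquerade

# The fix for slow and timing-out sites: clamp the TCP MSS of SYNs to the path
# MTU in both directions of the tunnel, since WireGuard overhead lowers the MTU.
/ip firewall mangle
add chain=forward out-interface=WG protocol=tcp tcp-flags=syn action=change-mss new-mss=clamp-to-pmtu passthrough=yes
add chain=forward in-interface=WG protocol=tcp tcp-flags=syn action=change-mss new-mss=clamp-to-pmtu passthrough=yes

# Forward chain: the extra WG rule sits between the LAN->WAN and dstnat rules.
/ip firewall filter
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="allow internet traffic"
add chain=forward action=accept in-interface=bridge out-interface=WG comment="allow LAN traffic to reach WG interface"
add chain=forward action=accept connection-nat-state=dstnat comment="allow port forwarding"
add chain=forward action=drop
```

Apply the routing rules in safe mode and add the lookup-only rule last, so a mistake in the preceding rules does not cut off management access.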
