konclave
just joined
Topic Author
Posts: 19
Joined: Fri May 06, 2022 8:23 pm

hex as Wireguard client

Sat May 07, 2022 11:08 am

I've got a Mikrotik hex and want to set it up as the Wireguard client and route all the traffic from the local network through the VPN tunnel.
    Mikrotik hex
      local:     192.168.88.1
      wireguard: 10.66.66.8
      wan:       192.168.2.10
           |
    router lan-internet ----- ISP
      192.168.2.1
           |
    wireguard server
      external: 63.15.16.17
      tunnel:   10.66.66.1
           |
        internet
      
I added all the Wireguard settings, set the wireguard interface address to 10.66.66.8 and added new routes:
    dst-address=10.66.66.1/32  gateway=wireguard
    dst-address=0.0.0.0/0      gateway=wireguard
Seems like Wireguard is working correctly because I can see the connection from 10.66.66.8 on the server and also I can ping 10.66.66.1 from the Mikrotik
But local traffic is not routed through the Wireguard tunnel for some reason.
How do I know what's going on and how do I fix that?

Here's all the routes I have:
[admin@MikroTik] > /ip/route/print
Flags: D - DYNAMIC; X, I, A - ACTIVE; c, s, y - COPY
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#     DST-ADDRESS      GATEWAY      DISTANCE
0  Xs 0.0.0.0/0        wireguard1          1
1  As 0.0.0.0/0        192.168.2.1         1
2  As 10.66.66.1/32    wireguard1          1
  DAc 10.66.66.8/32    wireguard1          0
  DAc 192.168.2.0/24   ether1              0
  DAc 192.168.88.0/24  bridge              0
  
 
holvoetn
Forum Guru
Posts: 5403
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: hex as Wireguard client

Sat May 07, 2022 3:30 pm

Since you want to route all traffic over the tunnel, provide a route with 0.0.0.0/0 towards gateway wireguard with a distance lower than your default route towards your ISP.

You may also have to increase distance on that default ISP route to make the other one fit in.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: hex as Wireguard client

Sat May 07, 2022 3:49 pm

I use my hex as a wireguard client behind a CCR1009. Works great.
This link should be read; all the answers are there (including 3rd-party VPN, para 7): viewtopic.php?p=906311#p906311
Post your config if you continue to have problems.
BIG THREE
- peer settings
- firewall rules (incl. source-nat)
- ip routes.
 
konclave
just joined
Topic Author
Posts: 19
Joined: Fri May 06, 2022 8:23 pm

Re: hex as Wireguard client

Wed May 11, 2022 11:27 pm

holvoetn wrote:
> Since you want to route all traffic over the tunnel, provide a route with 0.0.0.0/0 towards gateway wireguard with a distance lower than your default route towards your ISP.
> You may also have to increase distance on that default ISP route to make the other one fit in.
I can't increase the distance of the default route as it's dynamic and it has distance 1, so I can't create a rule that has a distance less than it :/
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: hex as Wireguard client

Thu May 12, 2022 1:56 am

Post your hex config
/export file=anynameyouwishexceptlarsa

and post your wireguard settings for the other end, which is ???? (another MT device or third-party provider).

(just use a fake number or use letters for actual endpoint IP and port but be consistent so they match up if on both.)
 
holvoetn
Forum Guru
Posts: 5403
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: hex as Wireguard client

Thu May 12, 2022 6:12 am


konclave wrote:
> I can't increase the distance of the default route as it's dynamic and it has distance 1, so I can't create a rule that has a distance less than it :/
DHCP client, second tab, increase distance
 
konclave
just joined
Topic Author
Posts: 19
Joined: Fri May 06, 2022 8:23 pm

Re: hex as Wireguard client

Fri May 13, 2022 3:39 pm

anav wrote:
> Post your hex config
> /export file=anynameyouwishexceptlarsa

# may/12/2022 20:26:34 by RouterOS 7.2.1
# software id = 6Q3C-KADY
#
# model = RB750Gr3
# serial number = CC210F29A42D
/interface bridge
add admin-mac=DC:2C:6E:AA:EF:43 auto-mac=no comment=defconf name=bridge
/interface wireguard
add listen-port=12321 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0,::/0 endpoint-address=62.63.62.63 \
    endpoint-port=12321 interface=wireguard1 persistent-keepalive=25s \
    public-key="?????="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.66.66.8 interface=wireguard1 network=10.66.66.0
/ip dhcp-client
add comment=defconf default-route-distance=2 interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wireguard1 pref-src=\
    "" routing-table=main suppress-hw-offload=no
add dst-address=0.0.0.0/0 gateway=192.168.2.1
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wireguard1 pref-src=\
    "" routing-table=main suppress-hw-offload=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

[Interface]
PrivateKey = @@@@@=
Address = 10.66.66.8/32
Address = fd42:42:42::8/128
DNS = 1.1.1.1
DNS = 8.8.8.8

[Peer]
PublicKey = ?????=
PresharedKey = #####=
Endpoint = 62.63.62.63:12321
PersistentKeepalive = 23
AllowedIPs = 0.0.0.0/0
AllowedIPs = ::/0


(attached screenshot: Screenshot 2022-05-13 at 14.36.47.png)

Actually, the tunnel goes through the DSL router and ISP, but I didn't show that on the diagram.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: hex as Wireguard client

Fri May 13, 2022 4:49 pm

Diagram is excellent it was assumed the separate path to the wireguard server was simply to illustrate its transparent nature through the ISP router etc, once the connection was established.

(1) Minor - IP address needs fixing. This may be purely cosmetic, but it's recommended on MT devices to provide the standard setup.
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=10.66.66.8/24 interface=wireguard1 network=10.66.66.0

(2) My biggest issue is the routing setup. It's very confusing, as you have a private IP from the provider. Why do you have multiple table main routes for the provider??

Are we to assume its a fixed IP or not? In any case..............
Route-1ISP = /ip dhcp-client add comment=defconf default-route-distance=2 interface=ether1
Route-2ISP = add dst-address=0.0.0.0/0 gateway=192.168.2.1

Different distances too... What are you trying to do, give your router an ulcer? ;-)

If it's a fixed IP, then remove the IP DHCP Client method, add the address of the router in IP address and keep the manual route you have.

/ip address
add address=192.168.2.23/24   interface=ether1 network=192.168.2.0
/ip route
dst-address=0.0.0.0/0  gateway=192.168.2.1  
dst-address=0.0.0.0/0  gateway=wireguard1  table=useWG
/routing table add name=useWG  fib
/routing rule add src-address=192.168.88.0/24    action=lookup-only-in-table table=useWG
Note: If you want users to be able to use local ISP if wireguard tunnel goes down then use action=LOOKUP.


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

So in general one has to take care of
IP routes - DONE
Firewall rules - DONE ( your firewall rules do not block LAN to WG traffic )
WG settings - DONE

BUT SOMETHING IS NOT RIGHT STILL - Let's think about it; if you had read the reference, you would have picked up on this.
Answer the question ---------------------->
What IPs is the WG server expecting (based on its allowed IPs).
Correct answer --------------------------->
Yes, it's expecting all traffic to be from 10.66.66.8/32

So for third party VPNs we also have to consider SOURCE NATTING the traffic entering the tunnel so that its accepted at the other end.
Thus add this sourcenat rule.10.66.66.8
add action=masquerade chain=srcnat out-interface=wireguard1

Note: You could also add the wireguard1 interface, to the INTERFACE LIST of WAN and this would have the same effect and would use the current default rule you have in place.
/interface list member
add interface=wireguard1 list=WAN
 
konclave
just joined
Topic Author
Posts: 19
Joined: Fri May 06, 2022 8:23 pm

Re: hex as Wireguard client

Sat May 14, 2022 1:55 am

Do I understand correctly that the purpose of adding another routing table is to use it (and not main) for all the traffic from the 192.168.88.0 network? If yes, then why not just use main and route all the traffic to wireguard? Because if wireguard is down, then the main table would be used?

I hadn't expected that NAT is needed for the wireguard interface, but now it seems obvious that it should be NATed. But I didn't get whether it is enough just to add the wireguard interface to the WAN list, or whether the firewall rule is still required?

And could you please clarify the rule: is it just:
/ip/firewall/nat add action=masquerade chain=srcnat out-interface=wireguard1
You've mentioned: "add this sourcenat rule.10.66.66.8" – should 10.66.66.8 somehow be a parameter of that rule, or is it just based on the out-interface param?

Thank you a lot!
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: hex as Wireguard client

Sat May 14, 2022 2:31 am

Well yes, how do you propose to send out your LAN network to the Wireguard interface unless you tell it to.
The router still needs access via table main for the initial connection etc., and if the wireguard tunnel goes down you may wish to give users the local ISP connection, but that is your choice.
If you use action=lookup, then if the wireguard interface is down the router will search the main table.

Think about it: the allowed IPs at the server is 10.66.66.8, and therefore anything hitting the server with 192.168.88.X will be rejected, so masquerade is required.
You have already identified the IP address of the wireguard interface as 10.66.66.8/24, and thus when you source-nat out the interface, all source IPs will be NATed to 10.66.66.8,
which will be accepted by the server. In other words, source-nat takes the IP address of the outgoing interface when you're masquerading.
Same as your WAN IP.

As stated if you simply add the wireguard interface to the WAN list, then it will do the same thing as creating the second rule.
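Added example (not code from the thread or from MikroTik): a small Python model of the three things anav's two posts above say must line up on a RouterOS WireGuard client, namely the policy route (/routing table useWG plus the /routing rule with lookup vs lookup-only-in-table), the masquerade on wireguard1, and the server-side allowed-address check (WireGuard's cryptokey routing). The addresses are the ones in the thread; the LAN host 192.168.88.50, the table contents and the routing/NAT behaviour are a simplified model written for this example and cover internet-bound traffic only.

```python
"""Model of policy routing + src-nat + WireGuard allowed-address on a RouterOS
WireGuard client.  Illustration only, not RouterOS code; addresses come from the
thread, behaviour is a constructed simplification."""

from ipaddress import ip_address, ip_network

LAN_NET = ip_network("192.168.88.0/24")

# Address that action=masquerade substitutes for each outgoing interface.
IFACE_ADDR = {
    "ether1": ip_address("192.168.2.10"),      # WAN side, from the diagram
    "wireguard1": ip_address("10.66.66.8"),    # /ip address on wireguard1
}

# /ip route entries as (dst-address, gateway interface), per routing table.
TABLES = {
    "main": [
        (ip_network("0.0.0.0/0"), "ether1"),      # default route from DHCP
        (ip_network("192.168.2.0/24"), "ether1"),
        (ip_network("10.66.66.0/24"), "wireguard1"),
    ],
    "useWG": [
        (ip_network("0.0.0.0/0"), "wireguard1"),  # anav's table=useWG route
    ],
}

# allowed-address for this peer on the WG server: a decrypted packet whose
# inner source address is outside it is silently dropped by the server.
SERVER_ALLOWED = [ip_network("10.66.66.8/32")]


def lookup(table, dst, wg_up):
    """Longest-prefix match; routes via a down interface are inactive."""
    best = None
    for prefix, iface in TABLES[table]:
        if iface == "wireguard1" and not wg_up:
            continue
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


def egress_iface(src, dst, rule_action, wg_up):
    """/routing rule src-address=192.168.88.0/24 table=useWG action=<rule_action>
    lookup-only-in-table: no fallback to main when useWG has no usable route,
      so a down tunnel cuts the LAN off (fail closed, a kill switch).
    lookup: fall back to main, so the LAN silently uses the ISP when the
      tunnel is down (fail open)."""
    if src in LAN_NET:
        iface = lookup("useWG", dst, wg_up)
        if iface is not None or rule_action == "lookup-only-in-table":
            return iface
    return lookup("main", dst, wg_up)


def srcnat(src, out_iface, masquerade_ifaces):
    """chain=srcnat action=masquerade out-interface=X rewrites the source to
    the address of the interface the packet leaves on."""
    return IFACE_ADDR[out_iface] if out_iface in masquerade_ifaces else src


def deliver(src, dst, *, rule_action="lookup-only-in-table", wg_up=True,
            masquerade_ifaces=("ether1",)):
    """Trace one packet through routing, NAT and the server's check.

    The default masquerade set reproduces konclave's first config (masquerade
    on the WAN list only); add "wireguard1" to reproduce the fix."""
    src, dst = ip_address(src), ip_address(dst)
    out = egress_iface(src, dst, rule_action, wg_up)
    if out is None:
        return "no route (tunnel down, LAN isolated)"
    natted = srcnat(src, out, masquerade_ifaces)
    if out == "wireguard1" and not any(natted in n for n in SERVER_ALLOWED):
        return f"dropped by server: {natted} not in allowed-address"
    return f"via {out} as {natted}"


if __name__ == "__main__":
    lan_host = "192.168.88.50"   # constructed LAN client address
    print(deliver(lan_host, "1.1.1.1"))                                   # original failure
    print(deliver(lan_host, "1.1.1.1", masquerade_ifaces=("ether1", "wireguard1")))
    print(deliver(lan_host, "1.1.1.1", wg_up=False))                      # kill switch
    print(deliver(lan_host, "1.1.1.1", rule_action="lookup", wg_up=False))
    print(deliver("192.168.2.10", "62.63.62.63"))  # router's own handshake stays in main
```

The first trace is the state konclave started from: the packet is routed into the tunnel but arrives at the server with a 192.168.88.x source, outside the peer's allowed-address, and is dropped there with nothing logged on the hex. One check the thread does not spell out: in the posted filter, the forward chain only drops new connections whose in-interface-list is WAN, and wireguard1 is not in that list, so new connections arriving from the tunnel toward 192.168.88.0/24 are accepted by the chain's implicit accept (the input chain still drops them, since wireguard1 is not in LAN). Adding wireguard1 to the WAN interface list, as anav suggests for the masquerade, also closes that gap.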
 
konclave
just joined
Topic Author
Posts: 19
Joined: Fri May 06, 2022 8:23 pm

Re: hex as Wireguard client

Sun May 15, 2022 12:58 am

It works now, thank you so much for help. It seems like the firewall NAT rule was the thing I've missed in all my previous trials.
 
PKSpeleo
newbie
Posts: 28
Joined: Fri May 13, 2022 6:02 pm
Location: Munchen

Re: hex as Wireguard client

Sun May 29, 2022 12:53 am

Good evening everyone!
Thanks a lot for this topic - it helps me a lot!

But i have a couple questions. Can you help me ?;)

I have a Mikrotik hAP ac.
The network configuration absolutely the same as described in this topic:
1. I have an ISP router what provide DHCP Server
2. My Mikrotik is connected to this router as DHCP Client through ether1 with IP 192.168.2.0/24
3. ether2,3,4,5 and wlan1 connected to the bridge and provide normal internet with DHCP Server and IP's 192.168.88.0/24
4. Configured wireguard_client with VPN's gateway 10.66.66.1 and client IP 10.66.66.23.
5. Configured separated bridge-wg with only wlan2 with DHCP server and ip's 192.168.90.0/24 (i want to pass all traffic from wlan2 through wireguard VPN)

My questions:
1. When I connect to the Mikrotik's wlan2 (5g) (where wireguard is configured), I can reach only 60 Mbps download speed. But when I use the same wifi with the wireguard client running on my machine (not on the Mikrotik), I have the full 100 Mbps (the limit of my provider).
What I found: when the wireguard client runs on the Mikrotik and the speed is limited to 60 Mbps, CPU usage on the Mikrotik is 100%.
What is it?
I can't believe that such an efficient Wireguard protocol has eaten up all the resources at only 60 Mbps!
Maybe I configured something wrong?
Can you check my config, maybe something can be optimised?;)
2. I created the 192.168.88.123/24 and 192.168.90.123/24 IPs to be able to ping from one network to the internet. Without creating these IPs I was not able to ping like this: ping 1.1.1.1 src-address=192.168.90.123
Is it really necessary to create IPs every time for a test?
3. I created the NAT masquerade for wireguard_client, but when I switch it off everything continues to work (internet via wifi-wlan2-wireguard). Maybe it is not needed?

Thanks a lot for help.
Below you can find my config.


# may/28/2022 23:11:52 by RouterOS 7.2.3
# model = RouterBOARD 962UiGS-5HacT2HnT
/interface bridge
add admin-mac=11:11:11:11:11:11 auto-mac=no comment=defconf name=bridge
add name=bridge-wg
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX country=germany disabled=\
    no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=PK-2 \
    wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=germany \
    disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=PK-5 \
    wireless-protocol=802.11
/interface wireguard
add listen-port=11111 mtu=1420 name=wireguard_client
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.90.2-192.168.90.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
add address-pool=dhcp_pool1 interface=bridge-wg name=dhcp1
/routing table
add disabled=no fib name=wg-table
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge-wg comment=defconf interface=wlan2
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=111.111.111.111 endpoint-port=11111 interface=\
    wireguard_client persistent-keepalive=23s public-key="some_secret"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=10.66.66.23/24 interface=wireguard_client network=10.66.66.0
add address=192.168.90.1/24 interface=bridge-wg network=192.168.90.0
add address=192.168.88.123/24 comment="Test from bridge" interface=bridge network=192.168.88.0
add address=192.168.90.123/24 comment="test form wg wifi" interface=bridge-wg network=192.168.90.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
add address=192.168.90.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.90.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
    out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=wireguard_client
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=10.66.66.1 routing-table=wg-table \
    suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=\
    udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=\
    546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=\
    in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=\
    bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=\
    bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 \
    protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" \
    ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" \
    in-interface-list=!LAN
/routing rule
add action=lookup-only-in-table disabled=no src-address=10.66.66.0/24 table=wg-table
add action=lookup-only-in-table disabled=no src-address=192.168.90.0/24 table=wg-table
/system clock
set time-zone-name=Europe/Berlin

 
holvoetn
Forum Guru
Posts: 5403
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: hex as Wireguard client

Sun May 29, 2022 10:48 am

1. Best to start your own new thread, referencing this one.
2. Wireguard is 100% CPU, no hw offloading.
3. The CPU on the hAP ac is less performant than the hEX, so what you see can be perfectly normal for that device.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: hex as Wireguard client

Sun May 29, 2022 1:35 pm

What is server and what is client in this wireguard setup.
a. Hex is MT client?
b. Server is?
 
PKSpeleo
newbie
Posts: 28
Joined: Fri May 13, 2022 6:02 pm
Location: Munchen

Re: hex as Wireguard client

Sun May 29, 2022 7:32 pm

anav wrote:
> What is server and what is client in this wireguard setup.
> a. Hex is MT client?
> b. Server is?
The WG Server is a VPS. The WG Client is the Mikrotik hAP ac.

If I connect to the VPS directly with a client on my machine (MacBook) (wifi from the Mikrotik hAP ac), the speed limit is 100 Mbps (the maximum from the ISP).
But if I move the WG client to the Mikrotik hAP ac with the configuration in my previous post, the speed limit is 60 Mbps and the CPU is loaded to 100%.
It really looks like CPU limits or some problem with my configuration of the Mikrotik (firewall, routing ...)

I tried to include the ether5 port in the bridge-wg to connect to the Mikrotik through a cable and reached the same 60 Mbps limit.
This is not a wireless problem...

Interesting: is it possible to predict the speed with the same configuration for hEX S and RB5009UG+S+IN or RB2011UiAS-2HnD-IN and RB4011iGS+5HacQ2HnD-IN and
 
holvoetn
Forum Guru
Posts: 5403
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: hex as Wireguard client

Sun May 29, 2022 10:15 pm

When going from VPS to Mac, the hAP ac only transfers data. It does this well.
When using the hAP ac as endpoint, see my previous remarks, points 2 and 3.

As for predicting: I seem to recall someone here already managed to push 1 Gbit/s using an RB4011.
 
konclave
just joined
Topic Author
Posts: 19
Joined: Fri May 06, 2022 8:23 pm

Re: hex as Wireguard client

Tue May 31, 2022 12:23 am

anav wrote:
> Well yes, how do you propose to send out your LAN network to the Wireguard interface unless you tell it to.
> The router still needs access via table main for the initial connection etc., and if the wireguard tunnel goes down you may wish to give users the local ISP connection, but that is your choice.
> If you use action=lookup, then if the wireguard interface is down the router will search the main table.
One last question I have. After applying all the rules, the Mikrotik web admin interface moved from 192.168.88.1 to 10.66.66.8, even though it still gives 192.168.88.x to DHCP clients.
Why did that happen? How do I set the address back to 192.168.88.1?
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: hex as Wireguard client

Tue May 31, 2022 12:43 am

Post latest config please.
 
konclave
just joined
Topic Author
Posts: 19
Joined: Fri May 06, 2022 8:23 pm

Re: hex as Wireguard client

Tue May 31, 2022 1:28 am

anav wrote:
> Post latest config please.
# may/30/2022 23:06:58 by RouterOS 7.2.1
# software id = 6Q3C-KADY
#
# model = RB750Gr3
# serial number = CC210F29A42D
/interface bridge
add admin-mac=DC:2C:6E:AA:EF:43 auto-mac=no comment=defconf name=bridge
/interface wireguard
add listen-port=12321 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/routing table
add disabled=no fib name=useWG
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0,::/0 endpoint-address=62.63.62.63 \
    endpoint-port=12321 interface=wireguard1 persistent-keepalive=23s \
    public-key="="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.66.66.8 interface=wireguard1 network=10.66.66.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=wireguard1
/ip route
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=useWG
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/routing rule
add
add action=lookup src-address=192.168.88.0/24 table=useWG
/system clock
set time-zone-name=Europe/Berlin
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: hex as Wireguard client

Tue May 31, 2022 4:07 am

(1) If you go back to post #8, I told you to fix the IP address of the wireguard....... This is assuming that the MT server thinks your assigned IP address is 10.66.66.8/32, correct!

Still not done
add address=10.66.66.8 interface=wireguard1 network=10.66.66.0
Should be
add address=10.66.66.8/24 interface=wireguard1 network=10.66.66.0

(2) Where is the IP Route for the router to get to the ISP router? I don't see add default route in IP DHCP client, so thus you should have made one manually.
dst-address=0.0.0.0/0 gwy=192.168.2.1 table=main

(3) Also you have an empty routing rule started......... just remove it.
/routing rule
add
add action=lookup src-address=192.168.88.0/24 table=useWG

---> Other than that looks fine on this end..........
 
konclave
just joined
Topic Author
Posts: 19
Joined: Fri May 06, 2022 8:23 pm

Re: hex as Wireguard client

Tue May 31, 2022 10:50 pm

Thanks! I've fixed the wireguard1 interface mask (1),
ip route to ISP is added dynamically. I can see it when printing /ip/route/print:
[admin@MikroTik] > /ip/route/print
Flags: D - DYNAMIC; A - ACTIVE; c, s, d, y - COPY
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#     DST-ADDRESS      GATEWAY      DISTANCE
  DAd 0.0.0.0/0        192.168.2.1         1
  DAc 10.66.66.0/24    wireguard1          0
  DAc 192.168.2.0/24   ether1              0
  DAc 192.168.88.0/24  bridge              0
0  As 0.0.0.0/0        wireguard1          1
And I removed the empty rule (3)
But it hasn't solved the issue with router web interface address change from 192.168.88.1 to 10.66.66.8 =(
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: hex as Wireguard client

Tue May 31, 2022 11:14 pm

Okay, please post the latest so I am working with a fresh copy.

But use the code quotes to shorten the post: the black square with white square brackets next to the quotation mark.
 
konclave
just joined
Topic Author
Posts: 19
Joined: Fri May 06, 2022 8:23 pm

Re: hex as Wireguard client

Tue May 31, 2022 11:17 pm

Okay, please post the latest so I am working with a fresh copy.

But use the code quotes to shorten the post: the black square with white square brackets next to the quotation mark.
# may/31/2022 21:46:03 by RouterOS 7.2.1
# software id = 6Q3C-KADY
#
# model = RB750Gr3
# serial number = CC210F29A42D
/interface bridge
add admin-mac=DC:2C:6E:AA:EF:43 auto-mac=no comment=defconf name=bridge
/interface wireguard
add listen-port=12321 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/routing table
add disabled=no fib name=useWG
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0,::/0 endpoint-address=62.63.62.63 \
    endpoint-port=12321 interface=wireguard1 persistent-keepalive=23s \
    public-key="="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.66.66.8/24 interface=wireguard1 network=10.66.66.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=wireguard1
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wireguard1 pref-src=\
    "" routing-table=useWG suppress-hw-offload=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/routing rule
add action=lookup disabled=no src-address=192.168.88.0/24 table=useWG
/system clock
set time-zone-name=Europe/Berlin
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: hex as Wireguard client

Tue May 31, 2022 11:24 pm

Okay, it's a misunderstanding of the requirement, not an error.
I assumed that the Wireguard provider gave you a fixed IP address, and thus would only accept traffic from that IP.
That is typical of most 3rd party vpn providers.

The way to ensure 192.168.88.x users would be accepted at the Wireguard server was to sourcenat them to the acceptable IP of the wireguard1 interface.
IF this is not the case, then DISABLE this rule to see if it works then. --> the users' 192.168.88.x IPs will be sent to the VPN provider or server ..............

add action=masquerade chain=srcnat out-interface=wireguard1

+++++++++++++++++++
I should add that there should be no issue doing it with sourcenat and the rule in place, as the MT router keeps track and unsource-nats each connection such that it will work just fine regardless.............
It appears, however, it's important that the source address remains intact. True???
 
konclave
just joined
Topic Author
Posts: 19
Joined: Fri May 06, 2022 8:23 pm

Re: hex as Wireguard client

Tue May 31, 2022 11:31 pm

Okay, it's a misunderstanding of the requirement, not an error.
I assumed that the Wireguard provider gave you a fixed IP address, and thus would only accept traffic from that IP.
That is typical of most 3rd party vpn providers.
No, it goes like this. The Wireguard provider gave the fixed IP, and the wireguard1 interface always has the 10.66.66.8 address. But the Mikrotik clients get their IP from the Mikrotik in the 192.168.88.x range, so I'm trying to connect from the laptop with the address 192.168.88.254 to the Mikrotik's web interface, assuming that this connection doesn't go into the tunnel (as it is between the laptop and the Mikrotik) and the Mikrotik should still be available at the 192.168.88.1 address for my laptop.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: hex as Wireguard client

Tue May 31, 2022 11:40 pm

To clarify: your laptop is connected physically to the MT router (by ethernet or wifi) and it has an IP of .254

A. you are trying to reach a server on the 192.168.88.0 network?
B. you are trying to config the router itself?
 
konclave
just joined
Topic Author
Posts: 19
Joined: Fri May 06, 2022 8:23 pm

Re: hex as Wireguard client

Tue May 31, 2022 11:59 pm

Yes, my laptop is connected to the Mikrotik over WiFi and it has the 192.168.88.254 IP address that it received from the Mikrotik. WiFi is served by an AP without any routing or NAT, and I'm trying to connect to the Mikrotik web admin (or an ssh connection, it doesn't matter). The Mikrotik responds on the 10.66.66.8 address, but doesn't respond on 192.168.88.1. But from my point of view, it should be the opposite =). I don't understand why it is available in the 192.168.88.x network with the 10.66.66.8 address.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: hex as Wireguard client

Wed Jun 01, 2022 12:06 am

Because we send all requests from 192.168.0.0 to the wireguard interface LOL.
Matter of capturing/understanding the requirements.
Initially it was "send all traffic out wireguard", now it's "but I want some traffic to go elsewhere"...............

All you need to do is create another IP ROUTE RULE and place this new rule BEFORE the current route rule.
/routing rule add dst-address=192.168.0.0/24 action=lookup-only-in-table table=main
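To make the mechanism anav describes concrete, here is an added Python model of routing-rule evaluation (example code written for this thread, not RouterOS code and not anyone's posted config). It rebuilds the tables from the /ip/route/print output above, uses the LAN prefix 192.168.88.0/24 for the fix rule, and models the fallback semantics as an assumption: a `lookup` miss falls back to main, a `lookup-only-in-table` miss does not.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

IPv4Net = ipaddress.IPv4Network


@dataclass
class Route:
    dst: IPv4Net
    gateway: str          # next hop or outgoing interface, as in /ip route print


@dataclass
class Rule:
    action: str           # "lookup" or "lookup-only-in-table" (assumed semantics below)
    table: str
    src: Optional[IPv4Net] = None
    dst: Optional[IPv4Net] = None


def net(s: str) -> IPv4Net:
    return ipaddress.ip_network(s)


# Routing tables rebuilt from the /ip/route/print output posted in the thread.
TABLES: Dict[str, List[Route]] = {
    "main": [
        Route(net("0.0.0.0/0"), "192.168.2.1"),      # DHCP default route to the ISP router
        Route(net("10.66.66.0/24"), "wireguard1"),   # connected route from the /24 on wireguard1
        Route(net("192.168.2.0/24"), "ether1"),
        Route(net("192.168.88.0/24"), "bridge"),
    ],
    "useWG": [
        Route(net("0.0.0.0/0"), "wireguard1"),       # the only route in the useWG table
    ],
}


def longest_match(routes: List[Route], dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match within a single table."""
    hits = [r for r in routes if dst in r.dst]
    return max(hits, key=lambda r: r.dst.prefixlen) if hits else None


def gateway_for(src: str, dst: str, rules: List[Rule]) -> Optional[str]:
    """Walk the rules in order, then route in the selected table.
    Assumption: 'lookup' falls back to main on a miss; 'lookup-only-in-table'
    never falls back, so a miss leaves the packet unroutable (None)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.src is not None and s not in rule.src:
            continue
        if rule.dst is not None and d not in rule.dst:
            continue
        hit = longest_match(TABLES[rule.table], d)
        if hit is not None:
            return hit.gateway
        if rule.action == "lookup-only-in-table":
            return None
        break  # 'lookup' miss: fall through to main
    hit = longest_match(TABLES["main"], d)
    return hit.gateway if hit else None


# Rule set as posted: every packet with a LAN source (router replies included) goes to useWG.
BROKEN_RULES = [Rule("lookup", "useWG", src=net("192.168.88.0/24"))]
# The fix from the thread: a dst-address rule placed BEFORE it, pinning LAN destinations to main.
FIXED_RULES = [Rule("lookup-only-in-table", "main", dst=net("192.168.88.0/24"))] + BROKEN_RULES
```

With BROKEN_RULES the router's reply from 192.168.88.1 to the laptop is routed to wireguard1, which is exactly the symptom; with FIXED_RULES it goes out the bridge while LAN-to-internet traffic still uses the tunnel and the router's own packets to the WireGuard endpoint still leave via the ISP.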
 
Buckeye
Forum Veteran
Posts: 886
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: hex as Wireguard client

Wed Jun 01, 2022 12:18 am

Matter of capturing/understanding the requirements.
Initially it was "send all traffic out wireguard", now it's "but I want some traffic to go elsewhere"...............
Requirements elicitation on a forum usually takes longer than solving the real problem.
 
konclave
just joined
Topic Author
Posts: 19
Joined: Fri May 06, 2022 8:23 pm

Re: hex as Wireguard client

Wed Jun 01, 2022 12:33 am

Because we send all requests from 192.168.0.0 to the wireguard interface LOL.
Matter of capturing/understanding the requirements.
Initially it was "send all traffic out wireguard", now it's "but I want some traffic to go elsewhere"...............

All you need to do is create another IP ROUTE RULE and place this new rule BEFORE the current route rule.
/routing rule add dst-address=192.168.0.0/24 action=lookup-only-in-table table=main
Thanks, I will try that. It was not a requirement, I was totally fine accessing it with 10.66.66.8 =). I just didn't understand why it works that way and wanted to figure that out. Thank you so much for the help.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: hex as Wireguard client

Wed Jun 01, 2022 12:39 am

Hopefully the logic makes sense to you!