# setup wireguard
/interface wireguard add name=Cloudflare listen-port=13231 mtu=1280 private-key="***"
/interface wireguard peers add allowed-address=0.0.0.0/0 endpoint-address="162.159.192.1" endpoint-port=2408 interface=Cloudflare public-key="***"
/ip address add address=172.16.0.2/24 interface=Cloudflare network=172.16.0.0
# mark packets
/routing table add disabled=no fib name=via-vpn
/ip firewall address-list add address=somesite.com comment=bypass list=bypass
/ip firewall mangle add action=mark-routing chain=prerouting comment=wg_bypass dst-address-list=bypass new-routing-mark=via-vpn passthrough=yes
# routing
/ip route add distance=1 dst-address=0.0.0.0/0 gateway=Cloudflare routing-table=via-vpn
# NAT
/ip firewall nat add action=masquerade chain=srcnat comment=wireguard out-interface=Cloudflare
My setup works perfectly fine with all clients directly connected to the MikroTik via LAN or WiFi (network 192.168.1.0/24); target traffic successfully goes via WireGuard.
But any client connected via L2TP + IPsec can't ping or access the target domain; the requests just time out. Even stranger, roughly 1 of every 50 ping packets is received successfully.
When I change the routing rule to another gateway (my OpenVPN client connection, for example), i.e. from
/ip route add distance=1 dst-address=0.0.0.0/0 gateway=Cloudflare routing-table=via-vpn
to
/ip route add distance=1 dst-address=0.0.0.0/0 gateway=OVPNClient routing-table=via-vpn
I wonder if anyone has any idea what I might be missing with the WireGuard connection?
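As an added example (not part of the original post, and not a diagnosis of the L2TP case), here is a small Python linter that parses RouterOS `add` commands like the ones above and checks that the pieces of a routing-mark setup actually reference each other: the mangle rule marks a routing table that exists and has the `fib` flag, the rule sits in `prerouting` (the only chain where forwarded client traffic gets a routing mark), the `dst-address-list` exists, the marked table has a default route, the WireGuard gateway interface has a masquerade rule and a peer whose `allowed-address` covers 0.0.0.0/0 (WireGuard's cryptokey routing drops packets to destinations outside it). The sample input is the configuration from the post with keys redacted; the function names `parse_routeros`, `check_policy_routing` and `lint` are my own.

```python
"""Static consistency check for a RouterOS WireGuard policy-routing setup.
Added example; parses '/path add k=v ...' lines and cross-checks them."""
import re
import shlex

# Constructed sample: the commands from the post above (keys redacted).
SAMPLE_CONFIG = """
/interface wireguard add name=Cloudflare listen-port=13231 mtu=1280 private-key="***"
/interface wireguard peers add allowed-address=0.0.0.0/0 endpoint-address="162.159.192.1" endpoint-port=2408 interface=Cloudflare public-key="***"
/ip address add address=172.16.0.2/24 interface=Cloudflare network=172.16.0.0
/routing table add disabled=no fib name=via-vpn
/ip firewall address-list add address=somesite.com comment=bypass list=bypass
/ip firewall mangle add action=mark-routing chain=prerouting comment=wg_bypass dst-address-list=bypass new-routing-mark=via-vpn passthrough=yes
/ip route add distance=1 dst-address=0.0.0.0/0 gateway=Cloudflare routing-table=via-vpn
/ip firewall nat add action=masquerade chain=srcnat comment=wireguard out-interface=Cloudflare
"""

_ADD_RE = re.compile(r"^(/[-\w/ ]+?)\s+add\s+(.*)$")


def parse_routeros(text):
    """Return a list of (menu path, {key: value}) tuples; bare flags such as 'fib' map to True."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _ADD_RE.match(line)
        if not m:
            continue  # not an 'add' command; ignore
        kv = {}
        for tok in shlex.split(m.group(2)):  # shlex strips the quotes around values
            if "=" in tok:
                k, v = tok.split("=", 1)
                kv[k] = v
            else:
                kv[tok] = True
        entries.append((m.group(1), kv))
    return entries


def check_policy_routing(entries):
    """Return a list of findings; an empty list means the cross-references line up."""
    findings = []
    tables = {e["name"]: e for p, e in entries if p == "/routing table"}
    wg_ifaces = {e["name"] for p, e in entries if p == "/interface wireguard"}
    addr_lists = {e["list"] for p, e in entries if p == "/ip firewall address-list"}
    routes = [e for p, e in entries if p == "/ip route"]
    peers = [e for p, e in entries if p == "/interface wireguard peers"]
    nat_out = {e.get("out-interface") for p, e in entries
               if p == "/ip firewall nat" and e.get("action") == "masquerade"}

    for p, e in entries:
        if p != "/ip firewall mangle" or e.get("action") != "mark-routing":
            continue
        mark = e.get("new-routing-mark")
        if mark not in tables:
            findings.append(f"mark-routing sets '{mark}' but no /routing table has that name")
        elif not tables[mark].get("fib"):
            findings.append(f"routing table '{mark}' lacks the fib flag, so it is not usable for forwarding")
        if e.get("chain") != "prerouting":
            findings.append(f"mark-routing rule is in chain '{e.get('chain')}'; "
                            "traffic forwarded from clients is only marked in prerouting")
        lst = e.get("dst-address-list")
        if lst and lst not in addr_lists:
            findings.append(f"dst-address-list '{lst}' does not exist")
        defaults = [r for r in routes
                    if r.get("routing-table") == mark and r.get("dst-address") == "0.0.0.0/0"]
        if not defaults:
            findings.append(f"routing table '{mark}' has no default route")
        for r in defaults:
            gw = r.get("gateway")
            if gw not in wg_ifaces:
                continue  # not a WireGuard interface gateway; nothing WireGuard-specific to check
            if gw not in nat_out:
                findings.append(f"no masquerade rule with out-interface={gw}; "
                                "client source addresses would enter the tunnel un-NATed")
            if not any(pe.get("interface") == gw and pe.get("allowed-address") == "0.0.0.0/0"
                       for pe in peers):
                findings.append(f"no peer on {gw} allows 0.0.0.0/0; WireGuard drops packets "
                                "to destinations outside allowed-address")
    return findings


def lint(text):
    """Parse and check in one call."""
    return check_policy_routing(parse_routeros(text))


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

The posted configuration passes every check, which matches the reporter's observation that LAN and WiFi clients are routed correctly; the linter only catches broken cross-references, so a per-client-source problem such as the L2TP case has to be chased with `/ip route check`, `/tool torch` and the mangle rule counters on the router itself.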