sidiai
just joined
Topic Author
Posts: 4
Joined: Fri Dec 02, 2022 10:07 am

How do I get the Bond interface to use default gateway for internet?

Fri Dec 02, 2022 10:18 am

So, I'm trying to set up 4x EOIP tunnels over WireGuard. This is the config of the RouterOS CHR running on my VPS:

/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no name=WAN

/interface eoip
add local-address=10.66.66.1 mac-address=02::BA name=EOIP1 \
    remote-address=10.66.66.2 tunnel-id=0
add local-address=10.66.67.1 mac-address=02::BA name=EOIP2 \
    remote-address=10.66.67.2 tunnel-id=1
add local-address=10.66.68.1 mac-address=02::BA name=EOIP3 \
    remote-address=10.66.68.2 tunnel-id=2
add local-address=10.66.69.1 mac-address=02::9C name=EOIP4 \
    remote-address=10.66.69.2 tunnel-id=3

/interface wireguard
add listen-port=51820 mtu=1420 name=WG1
add listen-port=51821 mtu=1420 name=WG2
add listen-port=51822 mtu=1420 name=WG3
add listen-port=51823 mtu=1420 name=WG4

/interface bonding
add name=BOND slaves=EOIP2,EOIP1,EOIP3,EOIP4

/interface wireguard peers
add allowed-address=10.66.66.2/32 interface=WG1 persistent-keepalive=5s \
    public-key="Cxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxc="
add allowed-address=10.66.67.2/32 interface=WG2 persistent-keepalive=5s \
    public-key="Cxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxc="
add allowed-address=10.66.68.2/32 interface=WG3 persistent-keepalive=5s \
    public-key="Cxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxc="
add allowed-address=10.66.69.2/32 interface=WG4 persistent-keepalive=5s \
    public-key="Cxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxc="

/ip address
add address=10.66.66.1/24 interface=WG1 network=10.66.66.0
add address=10.66.67.1/24 interface=WG2 network=10.66.67.0
add address=10.66.68.1/24 interface=WG3 network=10.66.68.0
add address=10.66.69.1/24 interface=WG4 network=10.66.69.0
add address=10.100.100.1/24 interface=BOND network=10.100.100.0

/ip dhcp-client
add interface=WAN

/ip firewall filter
add action=accept chain=input dst-port=51820 protocol=udp
add action=accept chain=input dst-port=51823 protocol=udp
add action=accept chain=input dst-port=51822 protocol=udp
add action=accept chain=input dst-port=51821 protocol=udp

/ip firewall nat
add action=masquerade chain=srcnat out-interface=WG1
add action=masquerade chain=srcnat out-interface=WG2
add action=masquerade chain=srcnat out-interface=WG3
add action=masquerade chain=srcnat out-interface=WG4
add action=masquerade chain=srcnat out-interface=BOND

I'm able to ping the other IP on the bond network, which is 10.100.100.2. I did the RouterOS speedtest and everything is working fine.

However, I can't ping the internet from BOND interface. Shouldn't it use the default gateway which is the WAN DHCP?

I want to be able to get internet (WAN interface) from BOND.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: How do I get the Bond interface to use default gateway for internet?

Fri Dec 02, 2022 12:19 pm

I'm not sure what you want to achieve. If you force the BOND interface as the source one for the ping, the system bypasses the routing process and chooses BOND as the out-interface for the ping packets. As BOND is an L2 interface, the router sends ARP requests "who has 1.1.1.1? Tell 10.100.100.1" down that interface, and as the remote device where the tunnels are terminated apparently doesn't support proxy-arp, it does not respond to these requests with its own MAC address, so the actual IP packets carrying the echo request cannot be sent.

If you want to test that what comes via the bonded EoIP tunnels from remote will be able to reach internet via the local router (but that's just my guess), set the src-address of the ping to 10.100.100.1 and do not specify any interface. This will make the router use the normal routing process but use the indicated source address rather than one chosen up to the out-interface found by the routing. The pings will fail too as there is currently no src-nat or masquerade for out-interface=WAN, but that can be fixed.
 
sidiai
just joined
Topic Author
Posts: 4
Joined: Fri Dec 02, 2022 10:07 am

Re: How do I get the Bond interface to use default gateway for internet?

Fri Dec 02, 2022 12:39 pm

I've another x86 router running RouterOS at my home and I'm trying to bond these 4 EOIP tunnels running over WireGuard for testing out faster internet.

There is a bond interface just like this on the other end on IP 10.100.100.2. I want to be able to access the internet through this. The link is working as I'm able to ping 10.100.100.1 but nothing else outside is. I want the VPS to act like a bonded VPN Server.

Here is the config of the "client" router:

/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no

/interface eoip
add local-address=10.66.66.2 mac-address=02::61 name=EOIP1 \
    remote-address=10.66.66.1 tunnel-id=0
add local-address=10.66.67.2 mac-address=02::61 name=EOIP2 \
    remote-address=10.66.67.1 tunnel-id=1
add local-address=10.66.68.2 mac-address=02::61 name=EOIP3 \
    remote-address=10.66.68.1 tunnel-id=2
add local-address=10.66.69.2 mac-address=02::61 name=EOIP4 \
    remote-address=10.66.69.1 tunnel-id=3

/interface wireguard
add listen-port=13231 mtu=1420 name=WG1_CLIENT
add listen-port=13232 mtu=1420 name=WG2_CLIENT
add listen-port=13233 mtu=1420 name=WG3_CLIENT
add listen-port=13234 mtu=1420 name=WG4_CLIENT

/interface bonding
add name=BOND slaves=EOIP1,EOIP2,EOIP3,EOIP4

/routing table
add disabled=no fib name=WG1
add disabled=no fib name=WG2
add disabled=no fib name=WG3
add disabled=no fib name=WG4
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=51.182 endpoint-port=\
    51820 interface=WG1_CLIENT persistent-keepalive=5s public-key=\
    "txxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx="
add allowed-address=0.0.0.0/0 endpoint-address=51.182 endpoint-port=\
    51821 interface=WG2_CLIENT persistent-keepalive=5s public-key=\
    "txxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx="
add allowed-address=0.0.0.0/0 endpoint-address=51.182 endpoint-port=\
    51822 interface=WG3_CLIENT persistent-keepalive=5s public-key=\
    "txxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx="
add allowed-address=0.0.0.0/0 endpoint-address=51.182 endpoint-port=\
    51823 interface=WG4_CLIENT persistent-keepalive=5s public-key=\
    "txxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx="

/ip address
add address=192.168.100.170/24 interface=ether1 network=192.168.100.0

add address=10.66.66.2 interface=WG1_CLIENT network=10.66.66.0
add address=10.66.67.2 interface=WG2_CLIENT network=10.66.67.2
add address=10.66.68.2 interface=WG3_CLIENT network=10.66.68.2
add address=10.66.69.2 interface=WG4_CLIENT network=10.66.69.2
add address=10.100.100.2/24 interface=BOND network=10.100.100.0

/ip dns
set servers=1.1.1.1

/ip firewall mangle
add action=mark-routing chain=output disabled=yes dst-port=51820 \
    new-routing-mark=WG1 passthrough=yes protocol=udp
add action=mark-routing chain=output disabled=yes dst-port=51821 \
    new-routing-mark=WG2 passthrough=yes protocol=udp
add action=mark-routing chain=output disabled=yes dst-port=51822 \
    new-routing-mark=WG3 passthrough=yes protocol=udp
add action=mark-routing chain=output disabled=yes dst-port=51823 \
    new-routing-mark=WG4 passthrough=yes protocol=udp

/ip firewall nat
add action=masquerade chain=srcnat out-interface=BOND
add action=masquerade chain=srcnat out-interface=ether1

/ip route
add disabled=no dst-address=10.66.66.0/24 gateway=WG1_CLIENT routing-table=\
    main suppress-hw-offload=no
add disabled=no distance=1 dst-address=10.66.67.0/24 gateway=WG2_CLIENT \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=10.66.68.0/24 gateway=WG3_CLIENT \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=10.66.69.0/24 gateway=WG4_CLIENT \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.100.50 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10

192.168.100.50 is the IP of my main router at home (just testing out bonding on a separate CHR VM). 51.182... is the Public IP of the router from the first post.


> As BOND is an L2 interface, the router sends ARP requests "who has 1.1.1.1? Tell 10.100.100.1" down that interface, and as the remote device where the tunnels are terminated apparently doesn't support proxy-arp, it does not respond to these requests with its own MAC address, so the actual IP packets carrying the echo request cannot be sent.

Oh, so when I assign 192.168.100.x IPs to BOND interfaces it just sends ARP packets over MAC? Do I need to configure another IP tunnel over this bond?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: How do I get the Bond interface to use default gateway for internet?  [SOLVED]

Fri Dec 02, 2022 1:11 pm

> I'm trying to bond these 4 EOIP tunnels running over WireGuard for testing out faster internet.

Not sure how encapsulating traffic into a tunnel and then sending it via the same uplink should make the connection faster - it will actually make it slower due to part of the bandwidth being wasted on the tunnel overhead. So the only explanation is that your ISP throttles bandwidth of individual connections separately, so you need to create 4 independent UDP streams carrying the Wireguard transport traffic to overcome this limitation for the traffic sent via Wireguard - is that the case?
> There is a bond interface just like this on the other end on IP 10.100.100.2. I want to be able to access the internet through this. The link is working as I'm able to ping 10.100.100.1 but nothing else outside is. I want the VPS to act like a bonded VPN Server.

So on the VPS CHR, the default route of the main routing table must go via the WAN interface; in addition, there must either be routes to all subnets at the home x86 side with gateway set to the IP address attached to the bond interface at the home x86 side, or some connection-mark & routing-mark setup along with a dedicated routing table to make sure that responses to requests coming via the bond will be responded via the bond no matter the address. I think the first approach is simpler unless you have tens of subnets at the home x86 side.

On the home x86, you need a dedicated routing table in addition to the main one, which contains a default route via the IP address attached to the bond interface at the VPS CHR side, and routing rule(s) or mangle rule(s) assigning the name of this dedicated table as a routing-mark to all traffic you wish to go through the tunnel (which way to use depends on the required level of detail for the classification rules - if source address is sufficient, use routing rules as they are faster, otherwise use mangle rules that can match also on protocols and ports).

It's exactly the same as if you had two routers connected by an Ethernet patchcord, except that the patchcord is substituted by the bonded set of tunnels.
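sindy's reply above describes the two-router layout in prose, and the first reply describes how to test it from the VPS. The following is an added example (mine, not sindy's, MikroTik's or the thread's own config) that writes both sides out in RouterOS v7 syntax, which the thread already uses (`/routing table ... fib`). Assumed, not on the page: that the home LAN to be routed is 192.168.100.0/24 (the thread shows it only as the client router's ether1 subnet), the routing-table name `via-bond`, the placeholder `VPS_PUBLIC_IP` standing in for the truncated 51.182... address, and the forward-chain filter policy in step 3. Interface names BOND, WAN and ether1 and the addresses 10.100.100.1/.2 are the thread's own.

```routeros
# Added example, not the thread's or MikroTik's configuration. RouterOS v7.
# Assumptions: home LAN 192.168.100.0/24, routing table "via-bond",
# VPS_PUBLIC_IP is a placeholder for the VPS public address.

########## VPS CHR (server side) ##########

# 1. Return path to the home LAN via the bond (sindy's "routes" variant).
#    Only needed if the home side does NOT masquerade onto BOND; the client
#    config in the thread does, so the VPS then already sees 10.100.100.2 as
#    the source and this route is redundant.
/ip route
add dst-address=192.168.100.0/24 gateway=10.100.100.2 \
    comment="home LAN is reachable through the bonded tunnels"

# 2. Source NAT for traffic leaving via WAN. The VPS config in the thread only
#    masquerades towards WG1-4 and BOND, so packets forwarded bond->internet
#    would leave with a private source address and never get a reply.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN \
    comment="NAT everything that exits to the internet"

# 3. Forward chain (assumption: nothing at home is meant to be reachable from
#    the VPS's public side): let the bond reach the internet, keep the
#    internet from opening connections towards the tunnel side.
/ip firewall filter
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward in-interface=BOND out-interface=WAN
add action=drop chain=forward in-interface=WAN connection-state=new

# 4. Check it the way sindy suggests in the first reply: pin the source
#    address but let routing pick the out-interface instead of forcing BOND.
/ping 1.1.1.1 src-address=10.100.100.1 count=3

########## Home x86 router (client side) ##########

# 5. Dedicated table whose only default route points at the VPS end of the bond;
#    the main table keeps its default via 192.168.100.50 as in the thread.
/routing table
add name=via-bond fib

/ip route
add dst-address=0.0.0.0/0 gateway=10.100.100.1 routing-table=via-bond \
    comment="internet through the bonded tunnels"

# 6. Routing rules (sindy's "source address is sufficient" case). Order matters:
#    the WireGuard transport packets to the VPS must stay in the main table, or
#    the tunnel would try to carry itself. Matching interface=ether1 keeps the
#    router's own locally generated packets out of the bond table as well.
#    lookup-only-in-table (rather than lookup) means that if the bond is down,
#    LAN traffic is dropped instead of silently leaking via the plain uplink.
/routing rule
add dst-address=VPS_PUBLIC_IP/32 action=lookup-only-in-table table=main \
    comment="WireGuard transport never enters the tunnel it carries"
add src-address=192.168.100.0/24 interface=ether1 \
    action=lookup-only-in-table table=via-bond \
    comment="LAN hosts using this router as gateway go via the bond"
```

LAN hosts then need 192.168.100.170 (the client router's ether1 address in the thread) as their gateway for their traffic to hit the ether1 rule; from the router itself, `/ping 1.1.1.1 src-address=10.100.100.2` exercises the bond path the same way step 4 does on the VPS.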
