Hello anav..! Hope you are doing well..!
Of course, the router is doing what you told it to do...........
Take traffic from ether3 and ether5 and force it out the WAN.
How do you expect any return traffic from wireguard will go back into the tunnel?
/routing rule ( besides the fact that you have duplicates and redundancy in routing rules...........)
add action=lookup-only-in-table disabled=no src-address=192.168.30.1/24 table=ISP-2
add action=lookup-only-in-table disabled=no src-address=192.168.42.1/24 table=VP
Try
/routing rule ( so wireguard return traffic gets into the tunnel prior to being forced out wan.)
add action=lookup-only-in-table dst-address=172.11.2.0/24 table=main
add action=lookup-only-in-table disabled=no src-address=192.168.30.1/24 table=ISP-2
add action=lookup-only-in-table disabled=no src-address=192.168.42.1/24 table=VP
Yes Mr anav, I understand what you meant.. but my question is that in the routing rules I didn't set any rule related to wireguard traffic.. so in this case why doesn't the wireguard traffic go through the main table?
If you send traffic from a wireguard remote user to one of the subnets, how do you expect the return traffic to be routed back into the tunnel?
As I showed, you have routing rules that force all traffic coming from the subnets out one of the two local WANS........... So no wireguard user return traffic will return to the wireguard user.
Well, still that didn't work with your rule Mr.anav..!
You are not listening, there is nothing wrong with your wireguard settings...........
The wireguard traffic reaches the subnets no problem.
What happens next with the return traffic from the subnets................................
You have to consider how that traffic is routed, traffic coming from subnets......... not the wireguard.......
Right now anything from the subnet is routed out either WAN1 or WAN2 and thus also including return wireguard traffic ................ so we ensure with a rule prior to those rules, that wireguard traffic is looked at first, before we force all the other traffic out WAN1, and WAN2. AKA the fix I noted.
You made the rules, you told the router what to do with subnet traffic, why cant you take responsibility for your decisions ;-PPPPP
Hello Mr.anav ..!
No I dont see or understand LOL.
Please draw a network diagram.
1- My requirement is that I want to access all my LAN devices in the 192.168.1.1/24 range, yet as I mentioned previously, due to the routing rule above in my config
I suspect your equipment drinks blood and goes out at night .................
A diagram will help,
then instead of rambling sentences that make no sense, write down your user requirements with respect to wireguard.
Router X ( wg server for initial handshake) Router Y (wg client router for initial handshake ) laptop wireguard client - admin
User A on subnet? on Router X, needs to reach server(s) at Router Y in subnet(s)?
Group of users/Subnet on router X, need to reach internet through Router Y
etc...
Admin while local at router X, needs to configure Router Y
Admin while local at router Y, needs to configure Router X
Admin needs to remotely configure Router X
Admin needs to remotely configure Router Y
Admin needs to reach all LANS on Router X remotely
Admin needs to reach all LANS on Router Y remotely
Here we are..
Great now provide the export
/export file=anynameyouwish ( minus router serial number and any public WANIP information )
You can consider WAN-1 as primary and WAN-2 as secondary -(WAN-2 is for only specific users)- all port forwarding rules are through WAN-1, not WAN-2
Well the config bears little resemblance to your first post, so not sure I can help as I dont know what is truth??
Also, on the config, it is unclear what you are doing with the two WANs?
Is WAN1 Primary and WAN2 secondary.
Is there failover between the WANS,
Are there some users that should not use the primary WAN1 but should use WAN2 and do they access WAN1 if WAN2 is not available.
Do you have users coming in on either WAN1 or WAN2 for servers ( you mention you want to keep them open to the public ) but on which WAN do they come in on.
Which WAN does wireguard come in on as remote users need to know the endpoint address etc......
Need to know that you actually have thought this through........before commenting on config.
Using a DMZ rule in the routers .. yes, that can be done..!
So you dont have public IPs, they are private IPs from some upstream router where port forwarding can be done??
Hello Mr anav, this response is dedicated to thanking you for your help..!
You have no firewall rules so traffic is not being blocked to your lan subnets for incoming wireguard.
Did you fix the other items........... (what do the client devices have for allowed addresses for their single peer entry for the main router?)
Further to our discussion I can say that I understand what happened and why it works; actually I remembered that I applied such a rule in my old routing labs, but in this situation I forgot that I had to do that..!
Techsystem, if you didnt understand what was done and why it works, then the config might work, but the effort from my perspective is a fail.
Hello Anav..!
So it is a home network.
I dont understand your network probably because I dont understand the use cases, you mix up users and config in such a way its not readable.
Thus forget the config for now and concentrate on use cases.
a. Identify all users/devices or group of users/device (including admiin)
b. Identify where they are local or exist
c. Identify the traffic they need to have (access to)
In terms of the diagram so your router gets
a. fixed static WAN IP from eth1
b. fixed static WAN IP from eth2
c. WANIP from eth3 but how, I do not understand From VPN......................
which type of VPN and to where a third party VPN provider ???
d. same for ether4
e. Ether5 is a normal LAN??
In terms of the config viewed.
i. Why two POOls, you only have one LAN ?
ii. Where is the other end of the Wireguard tunnel ( is your router the client at handshake )
iii. If your router is the server for handshake which WAN is the WG client coming in on............
iv. If your router is the client for handshake which WAN is the WG handshake going out on.........
v. Why does ether5 have two IP addresses, ?????
vi. Why does ether4 have dhcp client setting and not ether3 as well...........
vii. Why do you have two routing rules with same source subnet........ ( no go )
viii. Why do you have wg address in the routing rules............ ( no go )
So it is a Linksys WRT1900AC router; it contains one WAN port and four LAN ports. -(there is an ExpressVPN account on it with one year of validity, so you have to renew it every year)- From ether3 on the Mikrotik router there is a LAN interface going to the VPN router -(to the WAN interface on the VPN router)-
That is my point what VPN router? You only have two connections to the internet.
Where is this VPN router located and what make or model is it?
Then you have a link back to the mT on ether 4 from this unknown router. Not a clue what you are doing sorry.
What is the VPN router connected to on the internet, a third party provider ???
Forget the confg port this lan that, why do you have a vpn router in the first place. YOu can do wireguard on the MT for example dont need another router.
Can you guide me to one of these providers ..!? Really I don't know any of them..!?
Sure you do,,,,,,,, get a wireguard account with a third party vpn provider just like you have on the linksys.
ExpressVPN doesnt have wireguard yet? ..... many others do.
You are making your config needlessly complex.
Yes it is..!
To get it straight.
Ether5 is the main LAN subnet and is 192.168.42.0/24
Ether3 is a LAN subnet to the Linksys Router where the Linksys Router gets its WANIP from ( and how the linksys gets its VPN connection ).
Ether4 is WHAT , purpose etc...???
You have a wireguard server on the router for handshake.
You have a laptop or iphone or both when away from the router which you want to connect to the router and LAN5.
Does that sum it up??
First
Okay let me get this straight.
One you are connected to the www in three different ways and have no firewall rules ???
On the mikrotik router you have two fixed WANIPs to two different providers ether1 and ether2.
On the mikrotik you have two LANS, one for users 192.168.42.0/24 on ether5, and one to feed the linksys router (for double nat) on ether3 192.168.30.0/24
The Linksys gets a WANIP via ether3 and out this WAN, the linksys reaches a third party VPN provider and the internet.
One of the LANs on the linksys is 192.168.40.0/24 which is connected to ether4 on the mikrotik.
You use ether4 on the MT as another WAN port with IP DHCP client set.
Thus ether4, gets an IP automatically like 192.168.40.X .
Then you create a static route from ether5 users to ether4.
Exactly, that is my situation ..!
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Lets look at the routes.
First you should have default routes for the real ISPs.......
As we set up earlier so that ether1 is the primary and ether2 is the secondary and the only two routes available on the main table.
Then we want to ensure certain people get routed out certain paths.
/ip route
add distance=5 dst-address=0.0.0.0/0 gateway=192.168.10.1 routing-table=main check-gateway=ping
add distance=10 dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-table=main
+++++++++++++++++++++++++++++++++++++++
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.10.1 routing-table=ISP-1 suppress-hw-offload=no
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-table=ISP-2 suppress-hw-offload=no
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.40.1 routing-table=VPN suppress-hw-offload=no
Lets see if the routing rules make sense. You should use SUBNETS not IP addresses to describe the subnet!!!
(1) add action=lookup-only-in-table disabled=yes src-address=192.168.30.0/24 table=ISP-1
Not required as the distance application above will send out all traffic to ether1 and if not available to ether2.
Either way, the Linksys will be able to reach with VPN client the internet address from either public IP.
(2) add action=lookup-only-in-table disabled=no src-address=192.168.42.10/32 table=ISP-1
This makes sense as you want one particular user/device to go out ether1 for internet Prior to being forced out other rule.
(3) add action=lookup-only-in-table disabled=no src-address=192.168.30.0/24 table=ISP-2
More confusing than anything else, why do you have this subnet going out possibly two ISPs............. you need to clarify your intentions!!
(4) add action=lookup-only-in-table disabled=no src-address=192.168.42.170/32 table=ISP-1
This rule makes sense if you want this IP address not to follow some other Routing Rule because by default all users go out ISP1
I see with the rule below this rule is necessary!
(6) add action=lookup-only-in-table disabled=no src-address=192.168.42.0/24 table=VPN
Ahh the static route
(7) add action=lookup-only-in-table disabled=yes src-address=172.11.2.1/24 table=ISP-1
Not sure why this is required as the default order of rules will ensure that this subnet goes out ISP1 normally.
No other routing rules are forcing this traffic anywhere
However, you do have two exceptions which need to go out to the internet and thus we need to tweak these rules......
FROM
/routing rule
add action=lookup-only-in-table dst-address=172.11.2.0/24 table=main comment="ensures wireguard return traffic will get back into the tunnel"
add action=lookup-only-in-table src-address=192.168.42.10/32 table=ISP-1 comment="ensures single user/device uses ISP1 before any other rules"
add action=lookup-only-in-table src-address=192.168.42.170/32 table=ISP-1 comment="ensures single user/device uses ISP1 before any other rules"
add action=lookup-only-in-table src-address=192.168.42.0/24 table=VPN comment="FORCE originating traffic and any return traffic leaving subnet to go out VPN"
TO:
/routing rule
add action=lookup-only-in-table dst-address=172.11.2.0/24 table=main comment="ensures wireguard return traffic will get back into the tunnel"
add action=lookup src-address=192.168.42.10/32 table=ISP-1 comment="ensures single user/device uses ISP1 before any other rules"
add action=lookup src-address=192.168.42.170/32 table=ISP-1 comment="ensures single user/device uses ISP1 before any other rules"
add action=lookup-only-in-table src-address=192.168.42.0/24 table=VPN comment="FORCE originating traffic and any return traffic leaving subnet to go out VPN"
If your scheduling basically turns off an ISP so only the other is available one changes the action to: LOOKUP only.
Result, the router will see the route rule and force the exception IPs to ISP1, if the ISP is not available, then the router will look on the main table for an alternate and will find ISP2 and you are good to go.
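To make the rule-ordering argument in this thread concrete (why the dst-address=172.11.2.0/24 rule must come first, and what lookup versus lookup-only-in-table changes when ISP1 is down), here is a small Python model of RouterOS routing-rule evaluation. It is an added example, not code from the thread or from MikroTik, and it assumes first-match rule evaluation where action=lookup falls through to the next rule (and finally the main table) when its table has no usable route while lookup-only-in-table does not; the tables, the peer address 172.11.2.5 and the internet address 203.0.113.9 are constructed from the addresses quoted above.

```python
from ipaddress import ip_address, ip_network

# Constructed routing tables: name -> list of (prefix, gateway). Among equal prefix
# lengths the first entry wins, mirroring the distance=5 / distance=10 order above.
TABLES = {
    "main":  [("172.11.2.0/24", "wireguard1"),      # WG peer subnet via the tunnel
              ("0.0.0.0/0", "192.168.10.1"),        # ISP1, distance 5
              ("0.0.0.0/0", "192.168.2.1")],        # ISP2, distance 10
    "ISP-1": [("0.0.0.0/0", "192.168.10.1")],
    "ISP-2": [("0.0.0.0/0", "192.168.2.1")],
    "VPN":   [("0.0.0.0/0", "192.168.40.1")],       # Linksys/VPN router via ether4
}

def lookup(table, dst, down=frozenset()):
    """Longest-prefix match in one table, ignoring routes whose gateway is down."""
    best = None
    for prefix, gw in TABLES[table]:
        net = ip_network(prefix)
        if ip_address(dst) in net and gw not in down:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, gw)
    return best[1] if best else None

def route(rules, src, dst, down=frozenset()):
    """Evaluate routing rules top-down; return the egress gateway or None (unreachable)."""
    for r in rules:
        if "src" in r and ip_address(src) not in ip_network(r["src"]):
            continue
        if "dst" in r and ip_address(dst) not in ip_network(r["dst"]):
            continue
        gw = lookup(r["table"], dst, down)
        if gw is not None or r["action"] == "lookup-only-in-table":
            return gw   # lookup-only-in-table: no route in this table means unreachable
        # action=lookup with no usable route (assumed): fall through to the next rule
    return lookup("main", dst, down)   # no rule matched: ordinary main-table lookup

WG_FIX = {"action": "lookup-only-in-table", "dst": "172.11.2.0/24", "table": "main"}
EXCEPTION = {"action": "lookup-only-in-table", "src": "192.168.42.10/32", "table": "ISP-1"}
FORCE_VPN = {"action": "lookup-only-in-table", "src": "192.168.42.0/24", "table": "VPN"}

def wg_return_path(with_fix):
    """Where does LAN host 192.168.42.50's reply to WireGuard peer 172.11.2.5 go?"""
    rules = ([WG_FIX] if with_fix else []) + [EXCEPTION, FORCE_VPN]
    return route(rules, "192.168.42.50", "172.11.2.5")

def exception_host_isp1_down(action):
    """Exception host 192.168.42.10 reaching the internet while the ISP1 gateway is down."""
    return route([dict(EXCEPTION, action=action)], "192.168.42.10", "203.0.113.9",
                 down={"192.168.10.1"})

if __name__ == "__main__":
    print(wg_return_path(False), wg_return_path(True))
    print(exception_host_isp1_down("lookup-only-in-table"), exception_host_isp1_down("lookup"))
```

Without the dst-address rule the reply to the tunnel peer is forced out the VPN gateway; with lookup-only-in-table the exception host gets no route at all when ISP1 is down, whereas lookup lets it fall back to ISP2 from the main table.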