rufus1987
just joined
Topic Author
Posts: 4
Joined: Sun Mar 13, 2022 11:26 pm

Multiple WAN and Wireguard all traffic (without one bridge traffic)

Thu Mar 16, 2023 5:29 pm

I have a question about configuring traffic through Wireguard when using 2 WANs.

My configuration is:
1) Standard WAN over cable, used 99% of the time
2) Backup LTE WAN, used when #1 is not working

The whole thing automatically switches over using netwatch.

I have 2 bridges where one is all LAN + Wifi devices and the other where only one device with a separate LAN address is hooked up.

In addition, I have wireguard hooked up.

I would like all traffic regardless of which WAN is used to go through the VPN except for the device from the second bridge (there the traffic should always go without VPN).

Current config is as below:
# mar/16/2023 16:22:37 by RouterOS 7.8
# software id = GUIM-DBRY
#
# model = RBD52G-5HacD2HnD
# serial number = XXX
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
add name=bridge_elzab
/interface lte
set [ find default-name=lte1 ] name=lte_play
/interface ethernet
set [ find default-name=ether1 ] name=eth_1_wan
set [ find default-name=ether2 ] name=eth_2_wyse_printers
set [ find default-name=ether3 ] name=eth_3
set [ find default-name=ether4 ] name=eth_4
set [ find default-name=ether5 ] name=eth_5_wyse_fiscal
/interface wireguard
add listen-port=51820 mtu=1420 name=wg_biuro_lux
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VPN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=elzab_wifi radius-mac-authentication=yes supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=lp_biuro supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-onlyn channel-width=20/40mhz-Ce country=no_country_set default-authentication=no disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge security-profile=elzab_wifi ssid=elzab_wifi wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-onlyac channel-width=20/40/80mhz-XXXX country=no_country_set disabled=no distance=indoors frequency=5260 frequency-mode=superchannel \
    installation=indoor mode=ap-bridge security-profile=lp_biuro ssid=lp_biuro wireless-protocol=802.11 wps-mode=disabled
/ip dhcp-server option sets
add name=MT
/ip pool
add name=default-dhcp ranges=192.168.222.10-192.168.222.254
add name=dhcp_pool_elzab ranges=192.168.66.2-192.168.66.254
/ip dhcp-server
add address-pool=default-dhcp dhcp-option-set=MT interface=bridge name=dhcp_main
add address-pool=dhcp_pool_elzab dhcp-option-set=MT interface=bridge_elzab name=dhcp_elzab
/routing table
add disabled=no fib name=vpn
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=eth_2_wyse_printers
add bridge=bridge comment=defconf ingress-filtering=no interface=eth_3
add bridge=bridge comment=defconf ingress-filtering=no interface=eth_4
add bridge=bridge_elzab comment=defconf ingress-filtering=no interface=eth_5_wyse_fiscal
add bridge=bridge interface=wlan2
add bridge=bridge_elzab interface=wlan1
/interface bridge settings
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=lte_play list=WAN
add interface=wg_biuro_lux list=VPN
add interface=wlan1 list=LAN
add interface=eth_1_wan list=WAN
add interface=wlan2 list=LAN
add interface=bridge_elzab list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=xxxxxxxx.eu endpoint-port=51820 interface=wg_biuro_lux persistent-keepalive=10s public-key=\
    "xxxxxxxxxxxxxxxxxx"
/interface wireless access-list
add comment=elzab_zeta interface=wlan1 mac-address=XX:XX:XX:XX:XX:XX
/ip address
add address=192.168.222.1/24 comment=defconf interface=bridge network=192.168.222.0
add address=10.8.0.222/24 interface=wg_biuro_lux network=10.8.0.0
add address=192.168.66.1/24 interface=bridge_elzab network=192.168.66.0
/ip dhcp-client
add add-default-route=no comment=defconf interface=eth_1_wan use-peer-dns=no use-peer-ntp=no
# DHCP client can not run on slave or passthrough interface!
add add-default-route=no interface=wlan2 use-peer-dns=no
add add-default-route=no interface=lte_play use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.222.100 comment="macbook air" dhcp-option-set=MT mac-address=XX:XX:XX:XX:XX:XX server=dhcp_main
add address=192.168.222.223 comment="macbook pro" dhcp-option-set=MT mac-address=XX:XX:XX:XX:XX:XX server=dhcp_main
add address=192.168.222.101 comment=ipad dhcp-option-set=MT mac-address=XX:XX:XX:XX:XX:XX server=dhcp_main
add address=192.168.222.202 comment=wyse_printers dhcp-option-set=MT lease-time=1w mac-address=XX:XX:XX:XX:XX:XX server=dhcp_main
add address=192.168.66.33 comment=wyse_fiscal dhcp-option-set=MT lease-time=1w mac-address=XX:XX:XX:XX:XX:XX server=dhcp_elzab
/ip dhcp-server network
add address=192.168.66.0/24 gateway=192.168.66.1
add address=192.168.222.0/24 comment=defconf gateway=192.168.222.1
/ip dns
set allow-remote-requests=yes cache-size=8192KiB max-concurrent-queries=1000 max-concurrent-tcp-sessions=2000 servers=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 use-doh-server=\
    https://1.1.1.1/dns-query verify-doh-cert=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.66.0/24 list=elzab_zeta_full
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip route
add comment=spinet disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.111.1 pref-src="" routing-table=main suppress-hw-offload=yes
add comment=lteplay disabled=yes distance=2 dst-address=0.0.0.0/0 gateway=192.168.8.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=yes target-scope=10
add disabled=no distance=1 dst-address=192.168.10.0/24 gateway=wg_biuro_lux pref-src="" routing-table=main suppress-hw-offload=no
add check-gateway=ping disabled=no distance=1 dst-address=208.67.220.220/32 gateway=192.168.8.1 pref-src="" routing-table=main suppress-hw-offload=yes
add disabled=no distance=1 dst-address=208.67.222.222/32 gateway=192.168.111.1 pref-src="" routing-table=main suppress-hw-offload=yes
add blackhole disabled=no distance=2 dst-address=208.67.220.220/32 gateway="" pref-src="" routing-table=main suppress-hw-offload=no
add blackhole disabled=no distance=2 dst-address=208.67.222.222/32 gateway="" pref-src="" routing-table=main suppress-hw-offload=no
add comment=all_vpn disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=10.8.0.1 pref-src="" routing-table=vpn scope=30 suppress-hw-offload=yes target-scope=10
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=RouterOS
/system ntp client
set enabled=yes
/system ntp client servers
add address=time.cloudflare.com
/tool e-mail
set address=email-smtp.eu-west-1.amazonaws.com from=router@xxxxxxxxxx.xx port=587 tls=starttls user=xxxxxxxxxxxxxxxxx
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
add disabled=no down-script=":log error \"SPINET is DOWN\"\
    \n/tool e-mail send to=\"xxxxxxxxx@gmail.com\" subject=\"SPINET is DOWN\" body=\"\$currentTime \\r\\n SPI NET DOWN\"\
    \n/ip route disable [find comment=spinet]\
    \n/ip route enable [find comment=lteplay]" host=208.67.222.222 interval=5s test-script="" timeout=1s type=simple up-script=":log info \"SPINET is UP\"\
    \n:delay 300s\
    \n/tool e-mail send to=\"xxxxxxxxx@gmail.com\" subject=\"SPINET is UP\" body=\"\$currentTime \\r\\n SPI NET UP\"\
    \n/ip route enable [find comment=spinet]\
    \n/ip route disable [find comment=lteplay]"
 
anav
Forum Guru
Posts: 19117
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Multiple WAN and Wireguard all traffic (without one bridge traffic)

Fri Mar 17, 2023 12:08 am

(1) This can be shortened. If you are using bridges and not VLANs, the two bridges suffice as LAN interface list members!
Also, I see no purpose to the VPN list ??????

/interface list member
add comment=defconf interface=bridge list=LAN
add interface=lte_play list=WAN
add interface=wg_biuro_lux list=VPN ?????
add interface=eth_1_wan list=WAN
add interface=bridge_elzab list=LAN


(2) Remove the route for WLAN2; it is wrong, as indicated by the red text. All local interfaces get an automatic <dac> route!!!
/ip dhcp-client
add add-default-route=no comment=defconf interface=eth_1_wan use-peer-dns=no use-peer-ntp=no
# DHCP client can not run on slave or passthrough interface!
add add-default-route=no interface=wlan2 use-peer-dns=no
add add-default-route=no interface=lte_play use-peer-dns=no use-peer-ntp=no


(3) You can get rid of this legacy or default static route...........not required.
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan


(4) Why do you have a firewall address list for a subnet ???????????????
/ip firewall address-list
add address=192.168.66.0/24 list=elzab_zeta_full


can be described in rules by
(in/out) interface=bridge_elzab
(src/dst) address=192.168.66.0/24


(5) assuming you have no firewall rules on purpose??

(6) Suggest changing the name of the table, because you have too many things named vpn LOL or VPN.
useWG works.............
/routing table
add disabled=no fib name=useWG


(7) The requirement seems clearly stated, you have one user on a separate bridge that must use the regular WAN 99% of the time but be able to switch over to the LTE wan once in a blue moon.
The rest of the users on the standard bridge must use the WG connection for internet ALL the time and never use the local WAN.

So I see two standard routes. I prefer using distance 5 and 10 to separate them; I like to have space before and between. Let's prove simplicity works first.
We add in the wireguard table.

/ip route
add comment=spinet distance=5 dst-address=0.0.0.0/0 gateway=192.168.111.1 pref-src="" routing-table=main check-gateway=ping
add comment=lteplay distance=10 dst-address=0.0.0.0/0 gateway=192.168.8.1 pref-src="" routing-table=main
add comment=wg dst-address=0.0.0.0/0 gateway=wg_biuro_lux routing-table=useWG



Now all we need is a routing rule to ensure that the bridge in question goes out wireguard.............
/routing rule
add action=lookup-only-in-table src-address=192.168.222.0/24 table=useWG


Note: If you want local users on the bridge to reach the other subnet on the other bridge, it won't be possible, as we are forcing them out the VPN.
If you did want them to be able to, you need another routing rule, but in order prior to the WG one!

/routing rule
add action=lookup-only-in-table dst-address=otherSubnet table=main
add action=lookup-only-in-table src-address=192.168.222.0/24 table=useWG


(8) Final Observation: You need to source-NAT the traffic going out WG, because the third-party provider is only expecting the IP it gave you for incoming traffic.
/ip firewall nat
add chain=srcnat action=masquerade out-interface=wg_biuro_lux



PS. Not sure what you're doing with the blackhole stuff, but unless you have a specific reason I would remove it, especially for the sake of getting the needed traffic working!
 
rufus1987
just joined
Topic Author
Posts: 4
Joined: Sun Mar 13, 2022 11:26 pm

Re: Multiple WAN and Wireguard all traffic (without one bridge traffic)

Fri Mar 17, 2023 3:50 am

@anav

Thank you very much for such a detailed explanation and your time.
I will follow the comments; some things in my setup are due to not knowing.

There is only one problem with this part:
/ip route
add comment=spinet distance=5 dst-address=0.0.0.0/0 gateway=192.168.111.1 pref-src="" routing-table=main check-gateway=ping
add comment=lteplay distance=10 dst-address=0.0.0.0/0 gateway=192.168.8.1 pref-src="" routing-table=main
add comment=wg dst-address=0.0.0.0/0 gateway=wg_biuro_lux routing-table=useWG
IP address 192.168.111.1 is the address of a TP-Link router which is always available for ping and does not determine whether the WAN is working.

I have a main router to which the fiber is connected.
Then I have a TP-LINK (IP: 192.168.111.1) which connects over WiFi to the main router (due to the inability to run a cable) and a mikrotik is connected to the TP-LINK over cable.
So:
Fibre -> Main Router -> TP-LINK (over Wifi) -> Mikrotik (over cable)

I can't directly connect from the mikrotik to the main router because it can't maintain a stable connection over WiFi, the TP-LINK has no problem with this.

Therefore, check-ping is added on the OpenDNS IPs to which the routes are added.
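As an added worked example (not posted by anav or rufus1987, and not a MikroTik-provided configuration), the following RouterOS 7 script combines the pieces anav describes (a separate routing table, a per-bridge routing rule, and source NAT on the tunnel) with a recursive default route whose check-gateway ping lands beyond the TP-Link, which is the problem rufus1987 raises. All interface names, subnets, gateway addresses and the OpenDNS probe target are taken from the thread; the route comments and rule order are this example's own choices.

```routeros
# Added example, not the thread's own config.
# Assumed from the thread: bridge = 192.168.222.0/24 (always via wg_biuro_lux),
# bridge_elzab = 192.168.66.0/24 (cable WAN gw 192.168.111.1, LTE gw 192.168.8.1),
# 208.67.222.222 = OpenDNS host already used as a reachability probe.

/routing table
add name=useWG fib

/ip route
# Host route to the probe target via the cable WAN only. scope=10 lets the
# recursive default route below resolve its gateway through this entry.
add dst-address=208.67.222.222/32 gateway=192.168.111.1 scope=10 target-scope=10 comment=spinet_probe
# If eth_1_wan loses its address the host route above vanishes; this blackhole
# stops the probe from leaking out over LTE and reporting the cable path as up.
add blackhole dst-address=208.67.222.222/32 distance=2 comment=spinet_probe_bh
# Recursive default route: the gateway is the remote probe host, so
# check-gateway=ping tests the path past the TP-Link, not the TP-Link itself.
add dst-address=0.0.0.0/0 gateway=208.67.222.222 distance=5 scope=30 target-scope=11 check-gateway=ping routing-table=main comment=spinet
# LTE backup, used only while the route above is inactive.
add dst-address=0.0.0.0/0 gateway=192.168.8.1 distance=10 routing-table=main comment=lteplay
# Default route for the VPN table; exists only through the tunnel.
add dst-address=0.0.0.0/0 gateway=wg_biuro_lux routing-table=useWG comment=wg

/routing rule
# Order matters: inter-bridge traffic is matched first, then the VPN-only rule.
add src-address=192.168.222.0/24 dst-address=192.168.66.0/24 action=lookup-only-in-table table=main comment=bridge_to_elzab
add src-address=192.168.222.0/24 action=lookup-only-in-table table=useWG comment=bridge_via_wg

/ip firewall nat
# The existing WAN masquerade stays; this one makes the VPN provider see only
# the tunnel address it assigned (10.8.0.222 in the thread's config).
add chain=srcnat action=masquerade out-interface=wg_biuro_lux comment=masq_wg
```

Two design points worth noting. First, lookup-only-in-table for the main bridge is fail-closed: if the WireGuard route is inactive, that bridge's Internet traffic is dropped rather than falling back to the cable or LTE WAN, which is what the requirement ("never use the local WAN") asks for. Second, because the recursive route's check-gateway now drives the failover, the netwatch script no longer needs to enable and disable routes; it can be kept purely for the log and e-mail notifications.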
