Thanks. Let's consider this one:
You are on the right track for sure.
The key is not whether the public IP is static or dynamic but whether it is publicly accessible.
So you either need to have an ISP Modem device that gives your router a public IP (most common)
OR
An ISP modem Router that gets a public IP and which you can enter to at least forward ports to your router (common)
There is much reading to be had..........
viewtopic.php?t=182373
If I purchase a static IP from my ISP, how can I assign that to my router? (Not my Modem.)
So you either need to have an ISP Modem device that gives your router a public IP (most common)
Well, this is because it seems that my IP is not public. When I check my IP address at https://www.iplocation.net/ it shows an address that is totally different from the IP address that the ADSL modem shows in the PPPoE settings section.
Why would you want to purchase a static IP if they are providing you with a public dynamic IP??
Seems like an extra cost for very little gain. I only say this because you are pinching pennies with a hAP lite, aka didn't buy an RB5009 for example! Or an AX3!
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface wireguard
add listen-port=13231 mtu=1450 name=wireguard1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface l2tp-server server
set use-ipsec=yes
/interface wireguard peers
add endpoint-address=192.168.2.1 endpoint-port=13231 interface=wireguard1 \
public-key="1YjceDL371vHOid7**********"
/ip dhcp-client
add interface=ether1
Hi, please find the config attached below.
Of course not, as it's probably not set up properly. The config only follows the error-prone human.
Hiding parts of your config just wastes the time of us attempting to help so please provide the full export (minus router serial number and any public WANIP information).
I always have this problem and haven't found a solution for that. I mean I use
Not much of a config, but the extra source address is what is not needed.
If your traffic is.... remote users inbound, get rid of it.
/export file=somename
/export verbose
My WAN port is 5142.
Where is your WAN port???
Is this connected to another router??
Is it MT, if so need to see config..........
If not is WG port forwarded to the WANIP of this device??
Thanks, works like a charm!
Okay so you have a TPLink router forwarding the port to the MT router.........
Suggest the following config then.......
I get that the fixed static IP of the MT router on the TPLINK LAN is 192.168.2.100
Ether1 is the "wan" port.
Ether2 is unknown, but let's say it's connected to something........
Things I did
a. removed IP DHCP Client - not required.
b. removed unneeded srcnat and modified default for static IP.
c. add dns server to ip dhcp network settings
d. added dns settings
Give it a shot and see if things are better ( but change client MTU to 1420 or change MT to 1450, they both should be the same!! )............
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/ip pool
add name=dhcp_pool0 ranges=192.168.3.2-192.168.3.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=ether2 name=dhcp1
/interface wireguard peers
add allowed-address=192.168.100.2/32 interface=wireguard1 public-key=\
"ydz3qh9st1bAgWZeKl55xIv5XXXXXXXXXXXXXXXX"
/ip address
add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0
add address=192.168.3.1/24 interface=ether2 network=192.168.3.0
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip dhcp-server network
add address=192.168.3.0/24 gateway=192.168.3.1 dns-server=192.168.3.1
/ip firewall nat
add chain=srcnat action=src-nat out-interface=ether1 to-addresses=192.168.2.100
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.2.1 \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
Hi. Here is the config.
As always, only work from the latest updated config..........
Any user LAN details needed should be stated in clear requirements.
Who needs what, where: both internal and external flows by all; exceptions should be noted.
Finally, failover expectations and usage of WANs in general should be discussed.
Then the config can be modified with context.
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface wireguard
add listen-port=7236 mtu=1420 name=wg-iface-dsl
add listen-port=5036 mtu=1420 name=wg-iface-lte
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.3.2-192.168.3.254
add name=dhcp_pool1 ranges=192.168.3.2-192.168.3.254
add name=dhcp_pool2 ranges=192.168.3.2-192.168.3.254
/ip dhcp-server
add address-pool=dhcp_pool2 interface=ether3 name=dhcp1
/interface wireguard peers
add allowed-address=192.168.100.2/32 interface=wg-iface-dsl public-key=\
"Y8HzPJuhH5he7xqgvbqNLYX1eVfAm1oT/ClgVMzPBXo="
add allowed-address=192.168.200.2/32 interface=wg-iface-lte public-key=\
"1Lqomm4L/nluKczxheAQskfWAH95gtph5L9Ha+FZS0s="
/ip address
add address=192.168.3.1/24 interface=ether3 network=192.168.3.0
add address=192.168.100.1/24 interface=wg-iface-dsl network=192.168.100.0
add address=192.168.200.1/24 interface=wg-iface-lte network=192.168.200.0
/ip dhcp-client
add interface=ether1 use-peer-dns=no use-peer-ntp=no
add interface=ether2 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.3.0/24 dns-server=192.168.3.1 gateway=192.168.3.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether2 to-addresses=\
192.168.2.100
add action=src-nat chain=srcnat out-interface=ether1 to-addresses=\
192.168.1.100
[Interface]
PrivateKey = wKNmmsp1fAxv5ryQps1DceXoNq6XmiBwqOyvyXfnNng=
Address = 192.168.100.2/32
DNS = 1.1.1.1
MTU = 1420
[Peer]
PublicKey = ufG1OYlNvlZt//1FoawUj+oZFffzNmOn37ybSqxyjWk=
AllowedIPs = 0.0.0.0/0
Endpoint = 188.188.188.188:7236
PersistentKeepalive = 25
[Interface]
PrivateKey = 2IfSkvQRcgB/IxHc5KFU+4jSJ7csb/JRB1FS04BxgGI=
Address = 192.168.200.2/32
DNS = 1.1.1.1
MTU = 1420
[Peer]
PublicKey = tzSGclGX633qfvll+g4vf/N8SP2Ww5fJnJdWrUdIcHo=
AllowedIPs = 0.0.0.0/0
Endpoint = 155.155.155.155:5036
PersistentKeepalive = 25
MT needs to get an IP from each modem, can it be done without a DHCP client?
a. removed IP DHCP Client - not required.
Can you confirm you only have one LAN, and thats connected on ether3?
Can you explain why you have three pools for the same subnet?
Remove IP DHCP Client for both interfaces. There are no dynamic assignments and thus no real purpose to this method!
You get a private IP, not a public one, from the upstream device, and it's a static WANIP.
There are multiple ways to accomplish these things, in your case the simplest is
a. IP address of each WAN, as you have done
b. manual route (which you failed to show)
/ip route add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=main
/ip route add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-table=main
Assuming wireguard is strictly for your remote external clients (not for local LAN users).
++++++++++++++++++++++++++++++++++++++
Herein lies the problem, the initial handshake needs to be considered. There is not a problem reaching ether1 or ether2 by various means, dyndns type name.
So when the external user first hits either of the two WANs, via the necessary port, a handshake attempt is executed. However, how do we ensure the response back to the originator
goes out the same WAN and thus ISP, it came in on??
Also, what is the hierarchy of wan1, wan2, for your LAN users.
How are they supposed to utilize the two WANs, is one primary and the other failover, PCC (shared) etc......
Yes
Can you confirm you only have one LAN, and that's connected on ether3?
It was just a mistake.
Can you explain why you have three pools for the same subnet?
Yes, this is the main problem.
So when the external user first hits either of the two WANs, via the necessary port, a handshake attempt is executed. However, how do we ensure the response back to the originator
goes out the same WAN and thus ISP, it came in on??
There is no hierarchy at all. No load balancing and no failover.
Also, what is the hierarchy of wan1, wan2, for your LAN users.
By the endpoint which connects to it using wireguard.
I do not understand, how can a user decide which WAN they use............ its not obvious.......
Well I am talking about wireguard users who connect remotely.
I am talking about LAN users not wireguard users LOL
Let's consider the simplest scenario, without any LAN device at all. We can extend the solution for more complex scenarios afterward.
Everything works together so approaching the entire WAN usage coherently is what makes sense, so what is the plan ..........
In other words
Identify what traffic LAN users require, both internally and externally.
How will the WANs be used for this traffic.
Well I think there is a misunderstanding here. Let me explain. If there were any ambiguity, it would be my pleasure to answer.
Either you have LAN subnets and users on those subnets and potentially even servers, or you don't.
I'm assuming you do, and thus all is required to approach a config.
Furthermore, not knowing how the wans will be used for all traffic is simply a lack of good planning
Since you insist on thinking a config can be done in isolation and without planning, I will leave you to it.
L8r,
(PS you have a typo in your post the second WAN entry should be ....All of the peers .... "through" WAN2)
If the user chooses the first IP as endpoint then he/she should have access to the internet through WAN1.
If the user chooses the second IP as endpoint then he/she should have access to the internet through WAN2.
Hi,
hello tirdano,
do you mean:
If the user chooses the first IP as endpoint then he/she should have access to the internet through WAN1. If the user chooses the second IP as endpoint then he/she should have access to the internet through WAN2.
you want to route your remote wireguard users back to the internet - using the other wan link other than wan link the wireguard initiated?
ok. that would be a double:
No, the remote wireguard users should be routed back to the internet by exactly the WAN link the wireguard initiated.
Hello anav,
Wiseroute don't bother playing because a configuration strictly for wireguard users supposes that there are no local LAN users or devices/servers.
So as soon as the OP is screwed because the LAN users or servers don't work, he/she will come back to state but but but.
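The requirement just stated (handshake replies and each tunnel's client traffic leave by the WAN that tunnel was reached on) is the classic dual-WAN policy-routing case on RouterOS v7: mark the inbound connection by WAN, then mark routing for the router's own replies and for traffic entering from each WireGuard interface. This is an added example, not a configuration posted by anyone in the thread; it assumes ether1 = WAN1 (gateway 192.168.1.1, wg-iface-dsl on UDP 7236) and ether2 = WAN2 (gateway 192.168.2.1, wg-iface-lte on UDP 5036) as in the export above, and the table and mark names (to-wan1, from-wan1, ...) are my own.

```routeros
# Added example (assumed names: to-wan1/to-wan2 tables, from-wan1/from-wan2 marks).
# Per-WAN routing tables; main keeps WAN1 primary and WAN2 as a fallback (distance 2).
/routing table
add name=to-wan1 fib
add name=to-wan2 fib

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=main distance=1
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-table=main distance=2
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=to-wan1
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-table=to-wan2

/ip firewall mangle
# 1. Remember which WAN a new WireGuard handshake arrived on (input chain:
#    the tunnel terminates on the router itself).
add chain=input action=mark-connection new-connection-mark=from-wan1 \
    in-interface=ether1 connection-state=new protocol=udp dst-port=7236 passthrough=yes
add chain=input action=mark-connection new-connection-mark=from-wan2 \
    in-interface=ether2 connection-state=new protocol=udp dst-port=5036 passthrough=yes
# 2. The router's own replies on those connections go back out the same WAN,
#    so the handshake completes regardless of which WAN is preferred in main.
add chain=output action=mark-routing new-routing-mark=to-wan1 \
    connection-mark=from-wan1 passthrough=no
add chain=output action=mark-routing new-routing-mark=to-wan2 \
    connection-mark=from-wan2 passthrough=no
# 3. Client traffic inside each tunnel (AllowedIPs 0.0.0.0/0) leaves via the
#    WAN that tunnel belongs to; traffic to the router itself is left alone.
add chain=prerouting action=mark-routing new-routing-mark=to-wan1 \
    in-interface=wg-iface-dsl dst-address-type=!local passthrough=no
add chain=prerouting action=mark-routing new-routing-mark=to-wan2 \
    in-interface=wg-iface-lte dst-address-type=!local passthrough=no
```

The existing srcnat rules for ether1 and ether2 in the posted export still apply after the routing decision, so no NAT change is needed for this to work.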
Hence why I ask for full requirements so we dont waste our time.
Hello anav,
I need that all wireguard users go out the pppoe-vpn WAN connection for internet.
In this regard normal traffic will flow and the handshake should work. Note I added a distance of 2, to your vpn network.
This will ensure all users go out the pppoe-wa WAN connection for internet.