LeoNaXe
just joined
Topic Author
Posts: 22
Joined: Mon Mar 11, 2024 9:16 pm

2WAN as Failover and Setup Wireguard KEY as Client

Mon Mar 11, 2024 9:24 pm

Hello everyone,
I'm using other brand routers until now, TP-Link and mostly Ubiquiti, and I would like to start with the MikroTiks. So I got one hEX for testing. But as I have learned, MikroTiks need every step to be made by hand; I have researched for some days now and I cannot find any solution for my WireGuard key that I got from a provider.
As a start I have set up, with basic steps, the network with 2 WAN ports as failover; the 2nd WAN was done with the trick of DISTANCE in the route list.
I am sending my setup from the router plus a sample of the key I got from my provider.
I have tried some tutorials, but nearly all of the guides set up the MikroTik as a VPN server instead of a client.
The WireGuard key is generated from RouterOS also by my provider.

Is there any other post, or someone to explain what I am doing wrong on this one?
A tutorial that I have tried and that didn't work was this one: https://protonvpn.com/support/wireguard ... k-routers/
 
TheCat12
Member Candidate
Posts: 178
Joined: Fri Dec 31, 2021 9:13 pm

Re: 2WAN as Failover and Setup Wireguard KEY as Client

Tue Mar 12, 2024 10:52 am

/interface wireguard
add listen-port=13231 private-key="private_key_from_provider" name=wireguard1

/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=5.172.196.95 endpoint-port="wireguard_port" interface=wireguard1 public-key="public_key_of_provider"

/ip address
add address=192.168.32.2xx/30 network=192.168.32.0 interface=wireguard1

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.32.1
add dst-address=5.172.196.95 gateway=192.168.1.1 distance=1
add dst-address=5.172.196.95 gateway=192.168.2.1 distance=5
Last edited by TheCat12 on Tue Mar 12, 2024 3:47 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 19395
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 2WAN as Failover and Setup Wireguard KEY as Client  [SOLVED]

Tue Mar 12, 2024 3:38 pm

(1) Need persistent keepalive in your peer settings, so........
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=5.172.196.95 endpoint-port="proton-provided-port" interface=wireguard1 \
persistent-keepalive=30s public-key="public_key_of_provider"


/routing table
add fib name=via-WG1
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=5.172.196.95 \
endpoint-port="proton-provided-port" interface=wireguard1 persistent-keepalive=30s \
public-key="public_key_of_provider"
/ip dhcp-server network
add address=192.168.13.0/24 dns-server=192.168.32.1 gateway=192.168.13.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=wireguard1
/ip firewall mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" \
new-mss=clamp-to-pmtu out-interface=wireguard1 passthrough=yes protocol=tcp tcp-flags=syn
/ip route
add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=main
add distance=5 dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-table=main
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=via-WG1
/routing rule
add action=lookup src-address=192.168.13.0/24 table=via-WG0

Note1: If you NEVER want your bridge LAN users to access your local WAN when WireGuard is not available, then change the action on the routing rule to:
action=lookup-only-in-table

Note2: If you are using an IP DHCP client for your two WANs: do NOT select "add default route" or "use peer DNS" on the IP DHCP clients.
 
LeoNaXe
just joined
Topic Author
Posts: 22
Joined: Mon Mar 11, 2024 9:16 pm

Re: 2WAN as Failover and Setup Wireguard KEY as Client

Mon Mar 18, 2024 10:51 pm

/interface wireguard
add listen-port=13231 private-key="private_key_from_provider" name=wireguard1
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=5.172.196.95 endpoint-port="wireguard_port" interface=wireguard1 public-key="public_key_of_provider"
/ip address
add address=192.168.32.2xx/30 network=192.168.32.0 interface=wireguard1
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.32.1
add dst-address=5.172.196.95 gateway=192.168.1.1 distance=1
add dst-address=5.172.196.95 gateway=192.168.2.1 distance=5
I have tried this but nothing happened; WAN1 and WAN2 internet continued working without the WireGuard. Might there be any missing commands?
 
anav
Forum Guru
Posts: 19395
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 2WAN as Failover and Setup Wireguard KEY as Client

Mon Mar 18, 2024 10:56 pm

Your routing setup follows nothing of what I suggested, so I cannot help you there.
You seem to forget that the handshake starts on your router.........
Best of luck..............
Last edited by anav on Mon Mar 18, 2024 10:57 pm, edited 1 time in total.
 
LeoNaXe
just joined
Topic Author
Posts: 22
Joined: Mon Mar 11, 2024 9:16 pm

Re: 2WAN as Failover and Setup Wireguard KEY as Client

Mon Mar 18, 2024 10:56 pm


/routing table
add fib name=via-WG1
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=5.172.196.95 \
endpoint-port="proton-provided-port" interface=wireguard1 persistent-keepalive=30s \
public-key="public_key_of_provider"
/ip dhcp-server network
add address=192.168.13.0/24 dns-server=192.168.32.1 gateway=192.168.13.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=wireguard1
/ip firewall mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" \
new-mss=clamp-to-pmtu out-interface=wireguard1 passthrough=yes protocol=tcp tcp-flags=syn
/ip route
add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=main
add distance=5 dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-table=main
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=via-WG1
/routing rule
add action=lookup src-address=192.168.13.0/24 table=via-WG0

Note1: If you NEVER want your bridge LAN users to access your local WAN when WireGuard is not available, then change the action on the routing rule to:
action=lookup-only-in-table

Note2: If you are using an IP DHCP client for your two WANs: do NOT select "add default route" or "use peer DNS" on the IP DHCP clients.


Although I haven't understood the way WireGuard will work, this is what I did: I made all the lines, and at the last line (/routing rule add action=lookup src-address=192.168.13.0/24 table=via-WG0)
internet and access to the MikroTik could not be managed; I had to hard reset the router. I have some questions though:
1) at the start the table name was via-WG1 and at the last line it was WG0. I suppose it should be WG1, right?
2) at Firewall NAT you write in the first line (out-interface-list=WAN); I have only WAN1 and WAN2. Should I make 2 lines, one for each WAN?
 
LeoNaXe
just joined
Topic Author
Posts: 22
Joined: Mon Mar 11, 2024 9:16 pm

Re: 2WAN as Failover and Setup Wireguard KEY as Client

Mon Mar 18, 2024 10:58 pm

Your routing setup follows nothing of what I suggested, so I cannot help you there.
You seem to forget that the handshake starts on your router.........
Best of luck..............
The IP address from my VPN provider is Address = 192.168.32.20/32.

Generally, as I said, I'm new to MikroTiks, so I'm taking lessons these days from a platform. I'm just trying to understand how WireGuard could be set up and work, because in the lessons there is no WireGuard.
Last edited by LeoNaXe on Mon Mar 18, 2024 11:00 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 19395
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 2WAN as Failover and Setup Wireguard KEY as Client

Mon Mar 18, 2024 10:59 pm

1. Sorry, my bad on the TYPO; WG1 is the correct entry on the routing rule to match the routing table defined.

2. put IP address on your router for wireguard1 as

add address=192.168.32.20/24 interface=wireguard1 network=192.168.32.0


3. As long as both WAN interfaces are interface list members of the interface list=WAN, no need for anything extra.
 
LeoNaXe
just joined
Topic Author
Posts: 22
Joined: Mon Mar 11, 2024 9:16 pm

Re: 2WAN as Failover and Setup Wireguard KEY as Client

Mon Mar 18, 2024 11:05 pm

Sorry, my bad on the TYPO; WG1 is the correct entry on the routing rule to match the routing table defined.
Good then
put IP address on your router for wireguard1 as

add address=192.168.32.20/24 interface=wireguard1 network=192.168.32.0
So you suggest to go like this?

/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1 private-key="your private key"
/ip address
add address=192.168.32.20/24 interface=wireguard1 network=192.168.32.0
/routing table
add fib name=via-WG1
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=5.172.196.95 \
endpoint-port="endpointadress" interface=wireguard1 persistent-keepalive=30s \
public-key="public_key_of_provider"
/ip dhcp-server network
add address=192.168.13.0/24 dns-server=192.168.32.1 gateway=192.168.13.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=wireguard1
/ip firewall mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" \
new-mss=clamp-to-pmtu out-interface=wireguard1 passthrough=yes protocol=tcp tcp-flags=syn
/ip route
add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=main
add distance=5 dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-table=main
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=via-WG1
/routing rule
add action=lookup src-address=192.168.13.0/24 table=via-WG1

3. As long as both WAN interfaces are interface list members of the interface list=WAN, no need for anything extra.
Let me check on the MikroTik how it's done :D

I suppose the image I uploaded is OK.
 
LeoNaXe
just joined
Topic Author
Posts: 22
Joined: Mon Mar 11, 2024 9:16 pm

Re: 2WAN as Failover and Setup Wireguard KEY as Client

Tue Mar 19, 2024 12:03 am

@anav I made the lines and WireGuard seems to work normally. Thanks a lot for your help; now I'll try to learn the way it works, but I have a question.
1) Is this firewall rule necessary? Internet works without it also.
/ip firewall mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" \
new-mss=clamp-to-pmtu out-interface=wireguard1 passthrough=yes protocol=tcp tcp-flags=syn
2) At speed test platforms the upload works properly except Ookla's; only download is working, there is no upload on that test.
 
anav
Forum Guru
Posts: 19395
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 2WAN as Failover and Setup Wireguard KEY as Client

Tue Mar 19, 2024 12:10 am

The mangle was recommended, not a random suggestion LOL. It does NO HARM to your setup, and one never knows what particular website, through the third-party VPN, will give the router shits and giggles. So it's a good safety net to keep.

To improve your setup you can set up both failover on the main WANs AND also recursive routing, which is always more accurate than normal routing.
Normal routing says, hey, I can reach the ISP equipment; recursive routing says I can reach the internet.

/ip route
add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=9.9.9.9 routing-table=main scope=10 target-scope=12
add distance=1 dst-address=9.9.9.9/32 gateway=192.168.1.1 routing-table=main scope=10 target-scope=11
++++++++++++++++++++++++
add check-gateway=ping distance=5 dst-address=0.0.0.0/0 gateway=8.8.4.4 routing-table=main scope=10 target-scope=12
add distance=5 dst-address=8.8.4.4/32 gateway=192.168.2.1 routing-table=main scope=10 target-scope=11
+++++++++++++++++
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=via-WG1


Now technically you don't need check-gateway on the backup WAN, but it does no harm and leaves the door open to situations like:
a. you decide to have WAN2 use the VPN, or a server on the LAN be accessed via WAN2
b. you decide to use PCC so that equal use of both WANs is made all the time for your traffic.
Last edited by anav on Tue Mar 19, 2024 2:39 am, edited 1 time in total.
 
LeoNaXe
just joined
Topic Author
Posts: 22
Joined: Mon Mar 11, 2024 9:16 pm

Re: 2WAN as Failover and Setup Wireguard KEY as Client

Tue Mar 19, 2024 12:25 am

Thanks again for your reply; I will check everything better tomorrow morning. It's already late here and I need to rest.
On the internet I see some anomalies like packet losses, although the internet is working fine with another VPN key on my Ubiquiti for months now. Plus there is no upload on Ookla's speedtest; on other speed platforms it seems to work properly, and I get some Tx errors and drops on WireGuard.
 
LeoNaXe
just joined
Topic Author
Posts: 22
Joined: Mon Mar 11, 2024 9:16 pm

Re: 2WAN as Failover and Setup Wireguard KEY as Client

Fri Mar 22, 2024 12:30 am

I have made the setup as suggested and I can say that with the Windscribe WireGuard key everything seems to work properly. But when I'm installing my provider's VPN key I get strange things happening, like at Ookla's speedtest the upload does not work sometimes. WhatsApp Web does not work either (with the Windscribe VPN everything was perfect as I saw). On Ubiquiti I had to lower the MTU to 1412 in order to get it working properly, but here even that does not fix anything.
Another issue with both VPNs is that when I add the last line (/routing rule) I get disconnected from WinBox and I only have access via MAC after that.
# 2024-03-22 00:13:04 by RouterOS 7.14
# software id = M8KE-V5ID
#
# model = RB750Gr3
# serial number = HD2******2AS
/interface bridge
add name=Bridge-LAN
/interface ethernet
set [ find default-name=ether1 ] name=WAN1
set [ find default-name=ether2 ] name=WAN2
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp_pool0 ranges=192.168.13.100-192.168.13.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=Bridge-LAN lease-time=1d name=dhcp1
/routing table
add disabled=no fib name=via-WG1
/interface bridge port
add bridge=Bridge-LAN interface=ether3
add bridge=Bridge-LAN interface=ether4
/interface list member
add interface=WAN1 list=WAN
add interface=WAN2 list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=5.1**.1**.95 endpoint-port=\
13231 interface=wireguard1 persistent-keepalive=25s public-key=\
"ySD/xFuTQ**********yxQeVbfhIS**********4xyT6wE="
/ip address
add address=192.168.13.1/24 interface=Bridge-LAN network=192.168.13.0
add address=192.168.1.99/24 interface=WAN1 network=192.168.1.0
add address=192.168.2.98/24 interface=WAN2 network=192.168.2.0
add address=192.168.32.20/24 interface=wireguard1 network=192.168.32.0
/ip dhcp-client
add disabled=yes interface=WAN1
add disabled=yes interface=WAN2
/ip dhcp-server network
add address=192.168.13.0/24 dns-server=192.168.32.1 gateway=192.168.13.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip firewall mangle
add action=change-mss chain=forward comment=\
"Clamp MSS to PMTU for Outgoing Packets" new-mss=clamp-to-pmtu \
out-interface=wireguard1 passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=wireguard1
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
192.168.1.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=\
no target-scope=10
add disabled=no distance=5 dst-address=0.0.0.0/0 gateway=192.168.2.1 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=\
via-WG1 suppress-hw-offload=no
#error exporting "/ipv6/nd/prefix/default" (timeout)
/routing rule
add action=lookup disabled=no src-address=192.168.13.0/24 table=via-WG1
/system clock
set time-zone-name=Europe/Athens
/system note
set show-at-login=no
 
anav
Forum Guru
Posts: 19395
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 2WAN as Failover and Setup Wireguard KEY as Client

Fri Mar 22, 2024 2:45 am

1. You have three srcnat rules; get rid of the first one, it's incomplete and is just noise.

/ip firewall nat
add action=masquerade chain=srcnat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=wireguard1


2. Well, it kinda makes sense: since you force all traffic out the WireGuard tunnel, it's hard to reach something local on the router.
However I would have thought 192.168.13.1:winbox-port OR via MAC address would still work, but I guess not.

Try this and see if it works; order is important (the easy way to add a rule in front and not have to delete the existing rule is to make a copy of the existing rule, then keep the copy as the second one as is, and change the first one :-)

/routing rule
add action=lookup-only-in-table disabled=no dst-address=192.168.13.0/24 table=main
add action=lookup disabled=no src-address=192.168.13.0/24 table=via-WG1
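The routing pieces of this thread fit in one small model: distance-based failover with check-gateway, the recursive default routes suggested a few posts up (gateway 9.9.9.9 or 8.8.4.4 resolved through a /32), the `lookup` versus `lookup-only-in-table` rule actions from Note1 of the [SOLVED] post, and the dst-address rule just suggested for reaching the router from the LAN. This is an added example, not RouterOS code and not anything a participant posted: the Router/Route/Rule classes, the helper names and the ping and link states are assumptions chosen to imitate the behaviour described in the thread; the addresses are the thread's own; scope/target-scope are not modelled and recursion is simply allowed a few levels deep.

```python
"""Toy model of the RouterOS routing behaviour discussed in this thread (constructed)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IP, NET = ipaddress.ip_address, ipaddress.ip_network


@dataclass
class Route:
    dst: str                     # destination prefix, e.g. "0.0.0.0/0"
    gateway: str                 # next-hop IP, or an interface name such as "wireguard1"
    table: str = "main"
    distance: int = 1
    check_gateway: bool = False  # check-gateway=ping


@dataclass
class Rule:
    action: str                  # "lookup" or "lookup-only-in-table"
    table: str
    src: Optional[str] = None    # src-address matcher
    dst: Optional[str] = None    # dst-address matcher


class Router:
    def __init__(self, connected, routes, rules, ping_ok, links_up):
        self.connected = {NET(n): i for n, i in connected.items()}  # prefix -> interface
        self.routes, self.rules = routes, rules
        self.ping_ok = set(ping_ok)      # gateways that a check-gateway ping reaches
        self.links_up = set(links_up)    # interfaces currently running

    def _connected_iface(self, ip):
        return next((i for n, i in self.connected.items()
                     if ip in n and i in self.links_up), None)

    def resolve(self, route, depth=0):
        """Egress interface for a route, or None when the route is inactive."""
        if route.check_gateway and route.gateway not in self.ping_ok:
            return None
        if route.gateway in self.links_up:          # interface used as gateway
            return route.gateway
        try:
            gw = IP(route.gateway)
        except ValueError:
            return None                             # interface gateway that is down
        iface = self._connected_iface(gw)
        if iface or depth > 4:
            return iface
        # recursive next-hop: the gateway itself is found through the main table
        return self.best(self._candidates("main", gw), depth + 1)

    def _candidates(self, table, ip):
        return [r for r in self.routes if r.table == table and ip in NET(r.dst)]

    def best(self, candidates, depth=0):
        # longest prefix first, then lowest distance, skipping inactive routes
        for r in sorted(candidates, key=lambda r: (-NET(r.dst).prefixlen, r.distance)):
            iface = self.resolve(r, depth)
            if iface:
                return iface
        return None

    def lookup(self, table, ip):
        if table == "main":                         # connected routes live in main only
            iface = self._connected_iface(ip)
            if iface:
                return iface
        return self.best(self._candidates(table, ip))

    def egress(self, src, dst):
        """First matching rule picks the table; `lookup` falls back, the strict action does not."""
        src, dst = IP(src), IP(dst)
        for rule in self.rules:
            if (rule.src and src not in NET(rule.src)) or (rule.dst and dst not in NET(rule.dst)):
                continue
            hit = self.lookup(rule.table, dst)
            if hit or rule.action == "lookup-only-in-table":
                return hit                          # None means: no route, packet dropped
        return self.lookup("main", dst)


def build(recursive, tunnel_up, ping_ok, rules):
    """The dual-WAN hEX of the thread; WAN gateways 192.168.1.1 / 192.168.2.1."""
    connected = {"192.168.1.0/24": "WAN1", "192.168.2.0/24": "WAN2", "192.168.13.0/24": "Bridge-LAN"}
    if recursive:   # default routes point at a far host, resolved through a /32 per WAN
        main = [Route("0.0.0.0/0", "9.9.9.9", distance=1, check_gateway=True),
                Route("9.9.9.9/32", "192.168.1.1", distance=1),
                Route("0.0.0.0/0", "8.8.4.4", distance=5, check_gateway=True),
                Route("8.8.4.4/32", "192.168.2.1", distance=5)]
    else:           # plain failover: only the ISP gateway is pinged
        main = [Route("0.0.0.0/0", "192.168.1.1", distance=1, check_gateway=True),
                Route("0.0.0.0/0", "192.168.2.1", distance=5)]
    routes = main + [Route("0.0.0.0/0", "wireguard1", table="via-WG1")]
    links = {"WAN1", "WAN2", "Bridge-LAN"} | ({"wireguard1"} if tunnel_up else set())
    return Router(connected, routes, rules, ping_ok, links)


LAN_RULE = Rule("lookup", "via-WG1", src="192.168.13.0/24")
STRICT_RULE = Rule("lookup-only-in-table", "via-WG1", src="192.168.13.0/24")
LOCAL_FIRST = Rule("lookup-only-in-table", "main", dst="192.168.13.0/24")
ALL_OK = {"192.168.1.1", "192.168.2.1", "9.9.9.9", "8.8.4.4"}
WAN1_UPSTREAM_DEAD = {"192.168.1.1", "192.168.2.1", "8.8.4.4"}  # modem answers, internet behind it does not


def scenarios():
    lan, inet, router_lan = "192.168.13.50", "1.1.1.1", "192.168.13.1"
    return {
        "lan via tunnel": build(True, True, ALL_OK, [LAN_RULE]).egress(lan, inet),
        "tunnel down, lookup": build(True, False, ALL_OK, [LAN_RULE]).egress(lan, inet),
        "tunnel down, lookup-only-in-table": build(True, False, ALL_OK, [STRICT_RULE]).egress(lan, inet),
        "lan to router, src rule only": build(True, True, ALL_OK, [LAN_RULE]).egress(lan, router_lan),
        "lan to router, dst rule first": build(True, True, ALL_OK, [LOCAL_FIRST, LAN_RULE]).egress(lan, router_lan),
        "plain failover, WAN1 upstream dead": build(False, True, WAN1_UPSTREAM_DEAD, []).egress("192.168.1.99", inet),
        "recursive failover, WAN1 upstream dead": build(True, True, WAN1_UPSTREAM_DEAD, []).egress("192.168.1.99", inet),
    }


if __name__ == "__main__":
    for name, iface in scenarios().items():
        print(f"{name:40s} -> {iface or 'no route (dropped)'}")
```

The two "upstream dead" rows are the point of recursive routing: with the plain default route the ping to 192.168.1.1 still succeeds and traffic stays on a WAN that goes nowhere, while the recursive variant loses its ping to 9.9.9.9 and moves to WAN2. The "lan to router" rows show why the dst-address rule has to sit first: with only the src-address rule, the via-WG1 table's default route swallows traffic for the LAN prefix too.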
 
LeoNaXe
just joined
Topic Author
Posts: 22
Joined: Mon Mar 11, 2024 9:16 pm

Re: 2WAN as Failover and Setup Wireguard KEY as Client

Fri Mar 22, 2024 5:21 am

First NAT rule deleted as informed. About the connection via WinBox, I can reach it without any problem via MAC address; just the IP stopped working.
I added the rule also, but when it's like that WireGuard is no more in front and internet goes via the WAN1 network; with it disabled, internet is via WireGuard normally.

I don't know if it's my VPN provider's issue, but I get drops via the WireGuard as you can see. Is that a problem for my network? Is it fixable?
 
anav
Forum Guru
Posts: 19395
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 2WAN as Failover and Setup Wireguard KEY as Client

Fri Mar 22, 2024 12:48 pm

Okay, strange, but if you can reach it by MAC you have access.
As far as packets go, as long as your browsing experience is okay I wouldn't worry too much.
The extra rule is designed to ensure browsing performance is the best it can be.
 
anav
Forum Guru
Posts: 19395
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 2WAN as Failover and Setup Wireguard KEY as Client

Fri Mar 22, 2024 12:49 pm

nm, duplicate.
 
LeoNaXe
just joined
Topic Author
Posts: 22
Joined: Mon Mar 11, 2024 9:16 pm

Re: 2WAN as Failover and Setup Wireguard KEY as Client

Sat Mar 23, 2024 5:05 am

If you mean this extra rule, it disables the VPN in general.
/routing rule
add action=lookup-only-in-table disabled=no dst-address=192.168.13.0/24 table=main
add action=lookup disabled=no src-address=192.168.13.0/24 table=via-WG1
I can't say that the experience is the same as without the VPN. Some things are unreachable; for example on WhatsApp images sometimes cannot be sent, or on speedtest the upload is going strange, etc.
The provider has set up the VPN keys over RouterOS also; that's why it's the same port.
On Ubiquiti, about the MTU, I had to lower it to 1412 in order not to have issues and also have the TCP MSS clamping at 1372.

Update: I have put WireGuard at 1412 also in MikroTik, and at the firewall I added tcp-mss 1372; things seem the same. Any experience with that? Am I putting it in the correct place? At the NAT rule it's grayed out and I cannot put it there.
/ip firewall mangle
add action=change-mss chain=forward comment=\
"Clamp MSS to PMTU for Outgoing Packets" new-mss=clamp-to-pmtu \
out-interface=wireguard1 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1372
 
anav
Forum Guru
Posts: 19395
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 2WAN as Failover and Setup Wireguard KEY as Client

Sat Mar 23, 2024 3:32 pm

I have seen this rule also tried. Start with putting the WireGuard MTU setting back to 1420, with

/ip firewall mangle
add action=change-mss chain=forward new-mss=1380 out-interface=wireguard1 protocol=tcp tcp-flags=syn tcp-mss=1381-65535
 
LeoNaXe
just joined
Topic Author
Posts: 22
Joined: Mon Mar 11, 2024 9:16 pm

Re: 2WAN as Failover and Setup Wireguard KEY as Client

Sat Mar 23, 2024 4:55 pm

I have seen this rule also tried. Start with putting the WireGuard MTU setting back to 1420, with

/ip firewall mangle
add action=change-mss chain=forward new-mss=1380 out-interface=wireguard1 protocol=tcp tcp-flags=syn tcp-mss=1381-65535
I put WireGuard back to 1420 and replaced the mangle rule with the one you showed; internet seems to work well now, but I have one question... why tcp-mss=1381-65535?
 
anav
Forum Guru
Posts: 19395
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 2WAN as Failover and Setup Wireguard KEY as Client

Sat Mar 23, 2024 5:22 pm

Not a sweet F'ing clue. I just saw it written somewhere, but my guess is this allows the router to match what it's detecting on a given connection (very flexible) for optimal results.
 
mkx
Forum Guru
Posts: 11645
Joined: Thu Mar 03, 2016 10:23 pm

Re: 2WAN as Failover and Setup Wireguard KEY as Client

Sat Mar 23, 2024 5:41 pm

The goal is to reduce the MSS to a value which fits the MTU. Because many routers don't do fragmentation (it's CPU intensive and IPv6 doesn't allow it), the MSS has to be low enough to allow packets to pass end-to-end.
Since a working value for MTU is 1420, this translates to an MSS value of 1380 (1420 minus TCP and IP overhead). If the MSS is already smaller than this (because some other entity on the connection path already reduced it), then we don't want to mess with its value (hence 1381-65535, the latter being the maximum possible value for MSS). Ah, yes, the firewall rule property tcp-mss is a matcher, so the rule will match all packets with an MSS value within the range. The usual MTU on a LAN is 1500, and the matching MSS is 1460 ... so when a LAN host starts a connection which should pass the WireGuard tunnel, the router's firewall filter has to match it (and the matcher tcp-mss=1372 doesn't match it). Hence the range. OTOH the "clamp to PMTU" rule might just work if this matcher wasn't specified.

More about MSS.
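The arithmetic in the post above, written out as an added example (not part of the thread and not MikroTik code): the header sizes are the standard ones, the function names are mine, and the `pppoe` parameter is an assumption included only to show what the same subtraction gives on a link that carries 8 extra bytes, which is where the 1412 and 1372 figures mentioned earlier in the thread fall out. `clamp_syn` makes the same decision as the `new-mss=1380 tcp-mss=1381-65535` rule: rewrite only an MSS that is too large for the tunnel, leave a smaller one alone.

```python
"""MTU/MSS arithmetic behind the WireGuard MSS-clamping rule (constructed example)."""
IPV4_HDR, IPV6_HDR, UDP_HDR, TCP_HDR = 20, 40, 8, 20
WG_OVERHEAD = 32   # WireGuard data message: type+reserved 4, receiver index 4, counter 8, auth tag 16
PPPOE_HDR = 8      # PPPoE session header 6 + PPP protocol id 2 (assumed link type, see lead-in)
MAX_MSS = 65535    # largest value the 16-bit MSS option can carry


def wireguard_mtu(outer_mtu=1500, ipv6_outer=True, pppoe=False):
    """Largest inner packet that fits one outer datagram without fragmenting.
    WireGuard's default 1420 = 1500 - 40 (IPv6) - 8 (UDP) - 32, i.e. it assumes
    the worst-case IPv6 outer header; an IPv4-only path would allow 1440."""
    link = outer_mtu - (PPPOE_HDR if pppoe else 0)
    return link - (IPV6_HDR if ipv6_outer else IPV4_HDR) - UDP_HDR - WG_OVERHEAD


def mss_for_mtu(mtu, ipv6_inner=False):
    """MSS = MTU minus the inner IP and TCP headers (TCP options not counted)."""
    return mtu - (IPV6_HDR if ipv6_inner else IPV4_HDR) - TCP_HDR


def clamp_syn(advertised_mss, tunnel_mtu=1420):
    """Mirror of `action=change-mss new-mss=1380 tcp-flags=syn tcp-mss=1381-65535`.
    Returns (mss that goes on the wire, whether it was rewritten)."""
    target = mss_for_mtu(tunnel_mtu)
    if target + 1 <= advertised_mss <= MAX_MSS:   # the tcp-mss matcher range
        return target, True
    return advertised_mss, False                  # already small enough: untouched


def fits_tunnel(mss, tunnel_mtu=1420):
    """Would a full-size IPv4 segment with this MSS fit the tunnel unfragmented?"""
    return mss + IPV4_HDR + TCP_HDR <= tunnel_mtu


def walk_syns(syns, tunnel_mtu=1420):
    """Run constructed (label, advertised MSS) SYNs through the clamp decision."""
    rows = []
    for label, mss in syns:
        new_mss, changed = clamp_syn(mss, tunnel_mtu)
        rows.append((label, mss, new_mss, changed, fits_tunnel(new_mss, tunnel_mtu)))
    return rows


# constructed sample: a 1500-MTU LAN host, a host behind another clamp, and an exact match
SAMPLE_SYNS = [("lan-pc", 1460), ("already-clamped", 1300), ("exact-1380", 1380)]

if __name__ == "__main__":
    print("tunnel MTU on a 1500-byte link:", wireguard_mtu())
    print("tunnel MTU with 8 bytes of PPPoE:", wireguard_mtu(pppoe=True))
    for row in walk_syns(SAMPLE_SYNS):
        print(row)
```

Note what the last two functions show about the earlier `tcp-mss=1372` attempt: a LAN host's SYN arrives with MSS 1460, which a single-value matcher of 1372 never matches, so that rule silently did nothing while the range matcher catches it.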
 
anav
Forum Guru
Posts: 19395
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 2WAN as Failover and Setup Wireguard KEY as Client

Sat Mar 23, 2024 5:54 pm

That's what I thought, as the go-to rule that I provided earlier at post #3 does that, but the OP reported issues with it ????
/ip firewall mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=wireguard1 passthrough=yes protocol=tcp tcp-flags=syn


Oh I see now, on his own the OP decided to bastardize the clamping rule by adding some additional bits of magical wisdom..............
/ip firewall mangle
add action=change-mss chain=forward comment=\
"Clamp MSS to PMTU for Outgoing Packets" new-mss=clamp-to-pmtu \
out-interface=wireguard1 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1372

Note to OP: Don't change the rules provided; if the clamp rule AS IS doesn't work for you, then use the latter one provided at post #19.
 
LeoNaXe
just joined
Topic Author
Posts: 22
Joined: Mon Mar 11, 2024 9:16 pm

Re: 2WAN as Failover and Setup Wireguard KEY as Client

Sat Mar 23, 2024 9:42 pm

If I were home I would send you the setup from the Ubiquiti I have.
I have the WireGuard keys from a local data center and they have them set up on RouterOS. When I started the VPN via Windscribe I never had any issues or the need to play with the MTU, but for the VPN keys I got from the data center my clients had some issues like not having access to some websites, IPTV issues etc. Later in my research I found out that it's the MTU thing, so with a lot of help from a friend I stabilized the network at 1412 MTU, but still I had some issues, though not that much. With some other research I found out that MSS clamping had to be another 40 points lower than the MTU, so I put it at 1372 and the network has been working for months without any client having any connection issue.

So now on the MikroTik the Windscribe key with the setup provided at post 3 works perfectly, but with the local data center I had to find the same setup to put in as with the Ubiquiti router I had; that's why I wanted to try the 1372, but as I informed in the first post I'm new to MikroTik.
I have the WireGuard now at 1420 as default and the post 19 firewall mangle rule, and I'm testing.
 
anav
Forum Guru
Posts: 19395
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 2WAN as Failover and Setup Wireguard KEY as Client

Sun Mar 24, 2024 12:30 am

Sounds reasonable!
 
LeoNaXe
just joined
Topic Author
Posts: 22
Joined: Mon Mar 11, 2024 9:16 pm

Re: 2WAN as Failover and Setup Wireguard KEY as Client

Sun Mar 24, 2024 2:01 am

So before I connect the MikroTik to my clients I would like to ask: is there any website where I can fully check the stability of my internet with the WireGuard setup?
I have it with 1420 and MSS 1380 and it seems to be working, but I don't have IPTVs etc. Maybe Ubiquiti had something I didn't see and used the extra 8 packages, and MikroTik does not?
 
LeoNaXe
just joined
Topic Author
Posts: 22
Joined: Mon Mar 11, 2024 9:16 pm

Re: 2WAN as Failover and Setup Wireguard KEY as Client

Tue Mar 26, 2024 10:46 pm

I have made lots of tests, but unfortunately the internet is unstable; it's not like the Ubiquiti on which I have set up the WireGuard.
Today I contacted the VPN provider and sent them my config, and they informed me that they have the same setup as I have it on my MikroTik, and they also included the rule I had sent them: "/ip firewall mangle add action=change-mss chain=forward new-mss=1380 out-interface=wireguard1 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1381-65535"

But I'm asking why I needed to put the -8 package on the Ubiquiti? Did the PPPoE from the modem play a role here?
On Ubiquiti, even with 1420 MTU and even with 1412 MTU and -40 for each on the MSS, nothing was resolved.
Any other suggestions that I might try? I also tried the clamping thing in each scenario.
 
anav
Forum Guru
Posts: 19395
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 2WAN as Failover and Setup Wireguard KEY as Client

Wed Mar 27, 2024 12:00 am

There are two things:
Each end should have the same MTU setting; start with 1420.
Only the client for handshake should use the clamping rule, aka the MikroTik.

Also I'm starting to get confused as to what you are doing.
A. sending WireGuard through a third-party provider from MT to proton, or windscribe etc..
B. something else as well (Ubiquiti)???

In case A, is it a single user or whole subnet, what is the traffic requirement if the tunnel is up and what if it goes down??
 
LeoNaXe
just joined
Topic Author
Posts: 22
Joined: Mon Mar 11, 2024 9:16 pm

Re: 2WAN as Failover and Setup Wireguard KEY as Client

Wed Mar 27, 2024 12:12 am

The setup goes like this.
There is a data center that has installed RouterOS on their site in order to connect via WireGuard. I got one private key with 5 different peer keys.
I have the 1st key installed on the Ubiquiti. There were some issues at first, but then I figured out that 1420 was not working well, so I had to lower it to 1412 and set the TCP MSS clamping to 1372. After that everything works perfectly.
Now that I have installed the MikroTik I am trying to put in the 2nd WireGuard key; the data center informed me that the MTU is 1420 and I asked for the config file to check what else they did.
On the first installation on the MikroTik everything showed that there is internet, but unfortunately there are issues. I tried lowering the MTU, but nothing; it still has connection issues.
 
anav
Forum Guru
Posts: 19395
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 2WAN as Failover and Setup Wireguard KEY as Client

Wed Mar 27, 2024 12:14 am

So the device at the data center is a MikroTik CHR or something else?
The local MT router config should be as a client for handshake then.
Which local users or subnets are to use this WireGuard connection for internet?
What happens if the WireGuard tunnel goes down for these users?

I gather you have no control over the datacenter WireGuard, just get assigned a public key to use ...............
and the private key to use, vice randomly generating one with your MikroTik.
 
LeoNaXe
just joined
Topic Author
Posts: 22
Joined: Mon Mar 11, 2024 9:16 pm

Re: 2WAN as Failover and Setup Wireguard KEY as Client

Thu Mar 28, 2024 10:53 pm

The data center has a MikroTik device (I don't know the model as they don't inform me).
The connection goes like this: they have a MikroTik device that I rent with a bandwidth limit, and they have given me 5 WireGuard keys.
If the WireGuard tunnel goes down, internet goes down. They do not send me any information about the MikroTik setup on their side, but I got informed that the MTU on WireGuard is at 1420 and the mangle rule is the same as mine, with new-mss 1380, tcp-mss 1381, passthrough yes, and so on.
The private key and the public keys are given by them. I have had one key on the Ubiquiti for months now without any issue, with MTU 1412 and new MSS at 1381 (there are no other options as far as I know on Ubiquiti), but with those numbers on MikroTik it's still a problem; it's like at first the internet is super and then after some minutes the problem comes. And the WireGuard does not care about the MTU; it's all the same issue from 1500 down to 1350, no difference or improvement at all.

PS. Another weird thing is that I get this message on the forum (Your IP 5.172.196.95 has been blocked because it is blacklisted. For details please see http://www.spamhaus.org/query/bl?ip=5.172.196.95.) but it's not listed at (https://check.spamhaus.org/not_listed/? ... 172.196.95)
 
anav
Forum Guru
Posts: 19395
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 2WAN as Failover and Setup Wireguard KEY as Client

Thu Mar 28, 2024 11:23 pm

Whoever is providing the MikroTik CHR for WireGuard (server for handshake) is doing it wrong. It's the client (for handshake) router that needs to set up the mangle rule.
Good thing at least both sides are at the 1420 default. I haven't paid attention to your firewall rules.....or the rest of the config, but not sure you published it?????
 
LeoNaXe
just joined
Topic Author
Posts: 22
Joined: Mon Mar 11, 2024 9:16 pm

Re: 2WAN as Failover and Setup Wireguard KEY as Client

Fri Mar 29, 2024 12:55 am

I'm coming from another brand, so mangle is new to me. And the data center is supposed to have techs that know what to do with the WireGuard config.
Because I have clients on the Ubiquiti, if they disable the mangle will that affect it?
I can ask for that, but if it's going to be unstable for the Ubiquiti there will be some hours probably until they put it back as before, because the only option is communicating by mail.
# 2024-03-29 04:40:50 by RouterOS 7.14
# software id = M8KE-V5ID
#
# model = RB750Gr3
# serial number = HD2******AS
/interface bridge
add name=Bridge-LAN
/interface ethernet
set [ find default-name=ether1 ] name=WAN1
set [ find default-name=ether2 ] name=WAN2
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp_pool0 ranges=192.168.13.100-192.168.13.254
add name=dhcp_pool1 ranges=192.168.14.100-192.168.14.105
/ip dhcp-server
add address-pool=dhcp_pool0 interface=Bridge-LAN lease-time=1d name=dhcp1
add address-pool=dhcp_pool1 interface=ether5 lease-time=5d name=dhcp2
/routing table
add disabled=no fib name=via-WG1
/interface bridge port
add bridge=Bridge-LAN interface=ether3
add bridge=Bridge-LAN interface=ether4
/interface list member
add interface=WAN1 list=WAN
add interface=WAN2 list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=5.172.1**.95 endpoint-port=\
    13231 interface=wireguard1 persistent-keepalive=25s public-key=\
    "ySD/xFuT**********************xyT6wE="
/ip address
add address=192.168.13.1/24 interface=Bridge-LAN network=192.168.13.0
add address=192.168.1.99/24 interface=WAN1 network=192.168.1.0
add address=192.168.2.98/24 interface=WAN2 network=192.168.2.0
add address=192.168.32.20/24 interface=wireguard1 network=192.168.32.0
add address=192.168.14.1/24 interface=ether5 network=192.168.14.0
/ip dhcp-client
add disabled=yes interface=WAN1
add disabled=yes interface=WAN2
/ip dhcp-server network
add address=192.168.13.0/24 dns-server=192.168.32.1 gateway=192.168.13.1
add address=192.168.14.0/24 gateway=192.168.14.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip firewall mangle
add action=change-mss chain=forward new-mss=1380 out-interface=wireguard1 \
    passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1381-65535
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=wireguard1
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    192.168.1.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=\
    no target-scope=10
add disabled=no distance=5 dst-address=0.0.0.0/0 gateway=192.168.2.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=\
    via-WG1 suppress-hw-offload=no
/routing rule
add action=lookup-only-in-table disabled=yes src-address=192.168.13.0/24 \
    table=main
add action=lookup disabled=no src-address=192.168.13.0/24 table=via-WG1
/system clock
set time-zone-name=Europe/Athens
/system note
set show-at-login=no
The VPN provider informed me that the mangle on their side is disabled. Maybe a silly question, but I'd like to ask: it does not matter if I have the MikroTik WAN connection via the same modem that feeds the Ubiquiti, right?
 
LeoNaXe
just joined
Topic Author
Posts: 22
Joined: Mon Mar 11, 2024 9:16 pm

Re: 2WAN as Failover and Setup Wireguard KEY as Client

Fri Mar 29, 2024 11:22 pm

I think I might have found something, but I don't know if it's related.
This guy below, at the 2 min mark of the video, says something about the /32 and /24. In IP Addresses on the MikroTik, when I put /32 it does not accept it and just removes it by itself. For long I had it by mistake at /24. Might that be something of an issue? Why can't I apply it with /32?
 
LeoNaXe
just joined
Topic Author
Posts: 22
Joined: Mon Mar 11, 2024 9:16 pm

Re: 2WAN as Failover and Setup Wireguard KEY as Client

Sun Mar 31, 2024 1:22 am

2nd update that I have found.
About the /32: I have set it up on /32, but it does not show in the GUI; in the CMD it shows normally as /32.
Another thing I have found with the TCP analyzer, and the difference from the Ubiquiti routers, is the TCP Window thing. Here below are the results.

MIKROTIK RESULTS with 1412 MTU (1420 gives the same TCP Window)
« SpeedGuide.net TCP Analyzer Results »
Tested on: 2024.03.30 19:20
IP address: 5.172.xxx.xx
Client OS/browser: Windows 10 (Firefox 124.0)
TCP options string: 0204055c0103030801010402
MSS: 1372
MTU: 1412
TCP Window: 131328 (not multiple of MSS)
RWIN Scaling: 8 bits (2^8=256)
Unscaled RWIN : 513
Recommended RWINs: 63112, 126224, 252448, 504896, 1009792
BDP limit (200ms): 525 Mbps (53 Megabytes/s)
BDP limit (500ms): 210 Mbps (21 Megabytes/s)
MTU Discovery: ON
TTL: 119
Timestamps: OFF
SACKs: ON
IP ToS: 00000000 (0)

UBIQUITI RESULT with 1412 MTU (fully working)
« SpeedGuide.net TCP Analyzer Results »
Tested on: 2024.03.30 19:10
IP address: 5.172.xxx.xx
Client OS/browser: Windows 10 (Firefox 124.0)
TCP options string: 0204055c0103030801010402
MSS: 1372
MTU: 1412
TCP Window: 263424 (multiple of MSS)
RWIN Scaling: 8 bits (2^8=256)
Unscaled RWIN : 1029
Recommended RWINs: 63112, 126224, 252448, 504896, 1009792
BDP limit (200ms): 1054 Mbps (105 Megabytes/s)
BDP limit (500ms): 421 Mbps (42 Megabytes/s)
MTU Discovery: ON
TTL: 119
Timestamps: OFF
SACKs: ON
IP ToS: 00000000 (0)
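As an added example that is not part of any post in this thread: a small Python script that decodes the TCP options string from the SpeedGuide results above, recomputes the window from the unscaled RWIN and scale factor, checks the "multiple of MSS" remark, and carries through the MTU-to-MSS arithmetic the earlier posts rely on (1420 to 1380, 1412 to 1372). The two sample reports are constructed from the numbers quoted in the post, with the other lines left out.

```python
import re

TCP_IP_HEADERS = 40  # 20-byte IPv4 header + 20-byte TCP header, no options

def mss_for_tunnel_mtu(tunnel_mtu):
    """Largest TCP payload that fits one IPv4 packet of the given MTU.
    This is the new-mss a clamp rule on that interface should set."""
    return tunnel_mtu - TCP_IP_HEADERS

def parse_tcp_options(hexstr):
    """Decode a TCP options byte string into {kind: value}.
    Kind 2 = MSS, 3 = window scale, 4 = SACK permitted (no value)."""
    data = bytes.fromhex(hexstr)
    opts, i = {}, 0
    while i < len(data):
        kind = data[i]
        if kind == 0:        # end of option list
            break
        if kind == 1:        # NOP padding
            i += 1
            continue
        length = data[i + 1]
        body = data[i + 2:i + length]
        opts[kind] = int.from_bytes(body, "big") if body else True
        i += length
    return opts

def analyze(report):
    """Cross-check one analyzer report: decoded MSS against the printed MSS,
    window == unscaled RWIN << scale, and whether the window is a multiple of MSS."""
    def grab(label):
        return re.search(re.escape(label) + r"\s*:\s*(\S+)", report).group(1)
    opts = parse_tcp_options(grab("TCP options string"))
    mss, wscale = opts[2], opts.get(3, 0)
    window = int(grab("TCP Window"))
    return {
        "mss": mss,
        "mtu": mss + TCP_IP_HEADERS,            # what the analyzer prints as MTU
        "mss_matches_report": mss == int(grab("MSS")),
        "window_matches_scale": (int(grab("Unscaled RWIN")) << wscale) == window,
        "multiple_of_mss": window % mss == 0,
    }

# Constructed from the two result blocks quoted in the post above.
MIKROTIK = """TCP options string: 0204055c0103030801010402
MSS: 1372
TCP Window: 131328 (not multiple of MSS)
Unscaled RWIN : 513"""
UBIQUITI = """TCP options string: 0204055c0103030801010402
MSS: 1372
TCP Window: 263424 (multiple of MSS)
Unscaled RWIN : 1029"""

if __name__ == "__main__":
    print(analyze(MIKROTIK))
    print(analyze(UBIQUITI))
```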
 
LeoNaXe
just joined
Topic Author
Posts: 22
Joined: Mon Mar 11, 2024 9:16 pm

Re: 2WAN as Failover and Setup Wireguard KEY as Client

Wed Apr 03, 2024 4:25 pm

I am sharing my final setup before making it stable (I hope, at least). The main issue was from the Lancom; their DNS had issues. And in the setup, as a friend informed me, I removed the DNS from the DHCP server and left it only on the IP/DNS side. The config is as below, but with minor instability issues, like sometimes I cannot send a picture or even a message via WhatsApp, cannot upload images to my NAS server, etc. Some websites even could not load, so I lowered the MSS to 1372, but still nothing. I'm left without any clue on what I can do or what part I should adjust.
On Ubiquiti everything works perfectly with 1412 MTU and 1372 MSS with the same tunnel but a different VPN key. I also tried the key on Windows and everything works perfectly.
# 2024-04-02 23:02:52 by RouterOS 7.14.2
# software id = M8KE-V5ID
#
# model = RB750Gr3
# serial number = HD2*****AS
/interface bridge
add name=Bridge-LAN
/interface ethernet
set [ find default-name=ether1 ] name=WAN1
set [ find default-name=ether2 ] name=WAN2
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp_pool0 ranges=192.168.13.100-192.168.13.254
add name=dhcp_pool1 ranges=192.168.14.200-192.168.14.205
/ip dhcp-server
add address-pool=dhcp_pool0 interface=Bridge-LAN lease-time=1d name=dhcp1
add address-pool=dhcp_pool1 interface=ether5 lease-time=6d name=dhcp2
/routing table
add disabled=no fib name=via-WG1
/interface bridge port
add bridge=Bridge-LAN interface=ether3
add bridge=Bridge-LAN interface=ether4
/interface list member
add interface=WAN1 list=WAN
add interface=WAN2 list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=5.172.1*.95 endpoint-port=\
13231 interface=wireguard1 persistent-keepalive=25s public-key=\
"ySD/xFuTQ0+********************S4xyT6wE="
/ip address
add address=192.168.13.1/24 interface=Bridge-LAN network=192.168.13.0
add address=192.168.1.99/24 interface=WAN1 network=192.168.1.0
add address=192.168.2.98/24 interface=WAN2 network=192.168.2.0
add address=192.168.32.50(here i put /32 but it vanishes) interface=wireguard1 network=192.168.32.0
add address=192.168.14.1/24 interface=ether5 network=192.168.14.0
/ip dhcp-client
add disabled=yes interface=WAN1
add disabled=yes interface=WAN2
/ip dhcp-server network
add address=192.168.13.0/24 dns-server=192.168.13.1 gateway=192.168.13.1
add address=192.168.14.0/24 gateway=192.168.14.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,192.168.32.1

/ip firewall mangle
add action=change-mss chain=forward disabled=yes new-mss=clamp-to-pmtu \
out-interface=wireguard1 passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=wireguard1
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
192.168.1.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=\
no target-scope=10
add disabled=no distance=5 dst-address=0.0.0.0/0 gateway=192.168.2.1 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=\
via-WG1 suppress-hw-offload=no
/routing rule
add action=lookup-only-in-table disabled=yes src-address=192.168.13.0/24 \
table=main
add action=lookup disabled=no src-address=192.168.13.0/24 table=via-WG1
/system clock
set time-zone-name=Europe/Athens
/system note
set show-at-login=no
