I want to route only certain destination addresses through the WireGuard routing table, but I can't figure out the cause of the problems with macOS.
Please tell me what's wrong with the setup.
Current CHR:
# Current CHR export (public address redacted as XXX.XXX.XXX.XXX in the post).
/interface bridge
add name=bridge1
/interface list
add name=LAN
add name=WAN
/ip ipsec policy group
add name=group1
# IKE phase 1: ECP256 DH, AES-256, SHA-256; proposal-check=strict refuses
# peers that do not offer exactly this proposal.
/ip ipsec profile
add dh-group=ecp256 enc-algorithm=aes-256 hash-algorithm=sha256 name=profile1 prf-algorithm=sha256 proposal-check=strict
# Responder-only IKEv2 peer (passive=yes) bound to the public address.
/ip ipsec peer
add exchange-mode=ike2 local-address=XXX.XXX.XXX.XXX name=peer1 passive=yes profile=profile1
# Phase 2: AES-256-GCM is AEAD, hence the empty auth-algorithms; PFS with ecp256, 8h SA lifetime.
/ip ipsec proposal
add auth-algorithms="" enc-algorithms=aes-256-gcm lifetime=8h name=proposal1 pfs-group=ecp256
# One single-address pool per client; each identity below gets its own pool/mode-config.
/ip pool
add name=MT ranges=192.168.1.2
add name=macOS ranges=192.168.1.3
# split-include=0.0.0.0/0 pushes a full-tunnel policy to both clients; the only DNS
# handed out is the router itself (192.168.1.1), so client DNS stays inside the tunnel.
/ip ipsec mode-config
add address-pool=MT address-prefix-length=32 name=MT split-include=0.0.0.0/0 static-dns=192.168.1.1 system-dns=no
add address-pool=macOS address-prefix-length=32 name=macOS split-include=0.0.0.0/0 static-dns=192.168.1.1 system-dns=no
/interface list member
add interface=bridge1 list=LAN
add interface=ether1 list=WAN
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
# ether1 is addressed by DHCP but the ISP's DNS and NTP are deliberately not used.
/ip dhcp-client
add !dhcp-options interface=ether1 use-peer-dns=no use-peer-ntp=no
/ip firewall filter
# input: IKE/NAT-T (UDP 500,4500) and ESP are accepted only on the public address;
# decrypted client traffic (ipsec-policy=in,ipsec) from the client subnet is accepted;
# everything else not arriving from the LAN list is dropped.
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input dst-address=XXX.XXX.XXX.XXX dst-port=500,4500 protocol=udp
add action=accept chain=input dst-address=XXX.XXX.XXX.XXX protocol=ipsec-esp
add action=accept chain=input ipsec-policy=in,ipsec src-address=192.168.1.0/24
add action=drop chain=input in-interface-list=!LAN
# forward: the bad_ipv4 drop comes first, then decrypted client traffic is accepted
# before the "new from WAN, not dstnat" drop — rule order matters here. Return traffic
# to the clients relies on established,related.
add action=drop chain=forward dst-address-list=bad_ipv4
add action=accept chain=forward dst-address=0.0.0.0/0 ipsec-policy=in,ipsec src-address=192.168.1.0/24
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# MSS clamping in both directions for TCP carried inside the IPsec tunnel.
/ip firewall mangle
add action=change-mss chain=forward ipsec-policy=in,ipsec new-mss=1360 passthrough=yes protocol=tcp src-address=192.168.1.0/24 tcp-flags=syn tcp-mss=!0-1360
add action=change-mss chain=forward dst-address=192.168.1.0/24 ipsec-policy=out,ipsec new-mss=1360 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1360
# src-nat applies only to traffic leaving ether1 that is not itself IPsec-encapsulated
# (ipsec-policy=out,none), so replies to the clients are not re-written.
# NOTE(review): there is no equivalent rule for out-interface=wireguard1, so client traffic
# steered into the WireGuard tunnel would leave with its 192.168.1.x source unchanged — a
# likely cause of the routing-table problem; confirm with /ip firewall connection.
/ip firewall nat
add action=src-nat chain=srcnat ipsec-policy=out,none out-interface=ether1 src-address=192.168.1.0/24 to-addresses=XXX.XXX.XXX.XXX
# Certificate authentication for both clients; each is matched by its own certificate.
# generate-policy=port-strict creates the per-client policy from the template below on
# connect. The macOS identity ignores the IKE remote-id, which is acceptable only because
# match-by=certificate still pins the peer to macOS.crt.
/ip ipsec identity
add auth-method=digital-signature certificate=CHR.p12 generate-policy=port-strict match-by=certificate mode-config=MT peer=peer1 policy-template-group=group1 remote-certificate=MT.crt
add auth-method=digital-signature certificate=CHR.p12 generate-policy=port-strict match-by=certificate mode-config=macOS peer=peer1 policy-template-group=group1 remote-certificate=macOS.crt remote-id=ignore
# Policy template: router side (src-address) may be any address, client side (dst-address)
# must fall inside 192.168.1.0/24; generated policies that do not fit this are refused.
/ip ipsec policy
add dst-address=192.168.1.0/24 group=group1 proposal=proposal1 src-address=0.0.0.0/0 template=yes
My attempts to route only certain destination addresses (those that are not reachable through the primary ISP) to the WireGuard tunnel:
# WireGuard egress attempt (private/public keys redacted in the post).
/interface wireguard
add listen-port=13231 name=wireguard1 private-key=""
# Cloudflare WARP peer; allowed-address=0.0.0.0/0 lets any destination be sent into the
# tunnel. The tunnel is initiated outbound with keepalives, so no input accept for
# UDP/13231 is needed — and none exists, which is the right default.
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=engage.cloudflareclient.com endpoint-port=2408 interface=wireguard1 persistent-keepalive=20s public-key=""
/ip address
add address=172.16.0.2 interface=wireguard1 network=172.16.0.2
# wireguard1 is placed on the WAN list, so the forward drop for new, non-dstnat
# connections from WAN also covers traffic arriving from inside the tunnel.
/interface list member
add interface=wireguard1 list=WAN
# Destinations to steer. A DNS name here is resolved by the router's own resolver and
# refreshed dynamically; the resulting entries are only as trustworthy as that DNS path.
/ip firewall address-list
add address=ping.eu list=list30
/routing table
add fib name=cf
# Mark matching traffic in prerouting so the cf table is consulted instead of main.
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=list30 new-routing-mark=cf passthrough=yes
# Interface route via the tunnel in table cf.
# NOTE(review): check-gateway=none means nothing withdraws this route if the tunnel stops
# passing traffic, and a marked lookup that finds no route in cf presumably falls through
# to main — i.e. the listed destinations would then leave via the ISP instead of the tunnel.
# If that leak is unacceptable, a higher-distance blackhole in table cf closes the fallback;
# verify against the intended fail-open/fail-closed policy.
# NOTE(review): no srcnat rule matches out-interface=wireguard1 (only ether1 is covered),
# so 192.168.1.x sources would enter the tunnel unchanged — likely why it does not work.
/ip route
add check-gateway=none distance=10 dst-address=0.0.0.0/0 gateway=wireguard1 pref-src="" routing-table=cf scope=30 target-scope=10