Multiple Tunnels
I have 2 wireguard tunnels configured on my CHR. 1 wireguard tunnel is used for my primary outgoing traffic. The 2nd Wireguard tunnel has static public IP address. How can I configure my CHR so that when traffic coming in from the 2nd WG Tunnel, the return traffic will go out from the 2nd tunnel? Right now, it tries to go out from my primary tunnel and it won't work.
Re: Multiple Tunnels
Draw a diagram so tis clearer, where the CHR fits between the devices connected by tunnels.
ALso need CHR configuration
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc.)
ALso need CHR configuration
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc.)
Re: Multiple Tunnels
YOu have half a diagram.
CHR does not typically have any clients SO.
a. what is goig to or coming from WG1\
b. what is going to or coming in from WG2|
What are the relationships?
Are you saying WG1 and WG2 are both WG servers for initial handshake?
What is their relationship?
Still not clear at all......
You didnt provide CHR config ?????????
CHR does not typically have any clients SO.
a. what is goig to or coming from WG1\
b. what is going to or coming in from WG2|
What are the relationships?
Are you saying WG1 and WG2 are both WG servers for initial handshake?
What is their relationship?
Still not clear at all......
You didnt provide CHR config ?????????
Re: Multiple Tunnels
I am running CHR at an X86 machine as my home router. So, my CHR has LAN clients. WG1 and WG2 are tunnels going out from my WAN interface. I route all outgoing LAN traffic to WG1 by adding a static route 0.0.0.0/0 & ::/0 via WG1 in the routing table. WG2 I only have a route to that subnet where my Public IP stay at. My trouble is incoming traffic from WG2 seems to go out from WG1.
Re: Multiple Tunnels
YOu have half a diagram.
CHR does not typically have any clients SO.
a. what is goig to or coming from WG1\
b. what is going to or coming in from WG2|
What are the relationships?
Are you saying WG1 and WG2 are both WG servers for initial handshake?
What is their relationship?
Still not clear at all......
You didnt provide CHR config ?????????
Here is the CHR config
wireguard5 is the wg01 in the diagram
wireguard2fr is the wg02 in the diagram
Code: Select all
# 2023-11-07 19:54:23 by RouterOS 7.11.2
# software id =
#
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] comment=WAN disable-running-check=no
set [ find default-name=ether2 ] comment=LAN disable-running-check=no
/interface wireguard
add listen-port=13331 mtu=1420 name=wireguard2fr
add listen-port=13231 mtu=1420 name=wireguard5-lax
/interface list
add name=WAN
add name=LAN
add name=VPN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.0.2-192.168.0.253
/ip dhcp-server
add address-pool=dhcp interface=bridge1 name=dhcp1
/ipv6 settings
set accept-router-advertisements=yes
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
add interface=wireguard2fr list=VPN
add interface=wireguard5-lax list=VPN
/interface wireguard peers
add allowed-address=::/0,0.0.0.0/0 endpoint-address=103.144.*.* \
endpoint-port=51828 interface=wireguard2fr persistent-keepalive=25s \
public-key="***"
add allowed-address=::/0,0.0.0.0/0 endpoint-address=38.175.*.* \
endpoint-port=58 interface=wireguard5-lax persistent-keepalive=25s \
public-key="***"
/ip address
add address=192.168.0.1/24 interface=bridge1 network=192.168.0.0
add address=23.129.*.*/24 interface=wireguard2fr network=23.129.32.0
add address=192.168.90.2/24 interface=wireguard5-lax network=192.168.90.0
add address=172.17.0.1/24 interface=bridge1 network=172.17.0.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=0.0.0.0/24 dns-server=0.0.0.0 gateway=0.0.0.0 netmask=24
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1 \
netmask=24
/ip firewall mangle
add action=change-mss chain=postrouting disabled=yes new-mss=clamp-to-pmtu \
passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat out-interface-list=VPN
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wireguard5-lax \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=23.134.*.*/32 gateway=\
172.16.1.1%ether1 pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add disabled=no dst-address=38.175.*.*/32 gateway=172.16.1.1%ether1 \
routing-table=main suppress-hw-offload=no
/ipv6 route
add disabled=no distance=1 dst-address=::/0 gateway=wireguard5-lax \
routing-table=main scope=30 target-scope=10
/ipv6 address
add address=2602:***::1 advertise=no interface=bridge1
add address=2602:***::4a45 advertise=no interface=veth3
add address=2602:***:102::1 advertise=no interface=bridge1
add address=2a06:***::1 interface=bridge1
/ipv6 firewall address-list
add address=2602:***::/64 list=pool1
/ipv6 nd
set [ find default=yes ] dns=2602:***::1 interface=bridge1 \
other-configuration=yes
Re: Multiple Tunnels
You miss the point or maybe I do LOL
WHere does the CHR get its public IP???
Right now you only show two wireguard tunnels, but the CHR wether its in the cloud or whever still needs a public IP.
What am I missing here??
You need another diagram cause right now I have zero context.
Are there any routers in the mix, where is the x86 located, and what is it connected to etc etc.....
WHere does the CHR get its public IP???
Right now you only show two wireguard tunnels, but the CHR wether its in the cloud or whever still needs a public IP.
What am I missing here??
You need another diagram cause right now I have zero context.
Are there any routers in the mix, where is the x86 located, and what is it connected to etc etc.....
Re: Multiple Tunnels
This CHR does get a public IP via Wireguard Tunnel 2. It also has a local WAN port that goes to the internet. So the WAN port goes to the ISP provided router
Re: Multiple Tunnels
Finally, why this is missing from all previous explanation is beyond me LOL.
Now for the next questions,
a. assuming WG1 has its own public IP, separate from the CHRs public WANIP.
Hence the WG1 can act as a wg server for the initial handshake as is ideal for you as admin to remotely access the CHR for config purpose or to connect to subnets the CHR can reach locally.
But that begs the question, why bother. If you have no router and the CHR connects directly to the modem for internet and its a public IP, why do you need a second public IP for wireguard, JUST use the first one.
b. assuming the WG2 does not have its own public IP. In fact you state its Natted, so what is the public IP its natted behind and can this device port forward to the CHR???
I found case b. also confusing, perhaps what it really is, is a wireguard tunnel to a third party VPN provider and you want to use this for internet access ???
(instead of the public IP of the WAN on the CHR???)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
In other words, this is too difficult to ascertain truth when you withhold needed information. I hope someone else has more patience mine has run out today.
Now for the next questions,
a. assuming WG1 has its own public IP, separate from the CHRs public WANIP.
Hence the WG1 can act as a wg server for the initial handshake as is ideal for you as admin to remotely access the CHR for config purpose or to connect to subnets the CHR can reach locally.
But that begs the question, why bother. If you have no router and the CHR connects directly to the modem for internet and its a public IP, why do you need a second public IP for wireguard, JUST use the first one.
b. assuming the WG2 does not have its own public IP. In fact you state its Natted, so what is the public IP its natted behind and can this device port forward to the CHR???
I found case b. also confusing, perhaps what it really is, is a wireguard tunnel to a third party VPN provider and you want to use this for internet access ???
(instead of the public IP of the WAN on the CHR???)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
In other words, this is too difficult to ascertain truth when you withhold needed information. I hope someone else has more patience mine has run out today.
Re: Multiple Tunnels
Oh, these WG1 is not intended for public internet to access the router. But is acted as a WAN for LAN clients. WG2 that has public IP is the one I intended for Internet to access this CHR router.
Re: Multiple Tunnels
Gluck!
Re: Multiple Tunnels
Anyway to make incoming traffic from WG2 back out on WG2?
Re: Multiple Tunnels
Always the same considerations......
1. Firewall
- does firewall rule allow traffic to exit the tunnel.
- does firewall rule allow traffic to enter the tunnel
Shortcut
add chain=forward action=accept in-inteface=wg-interface out-interface=wg-interface
Then two things have to line up.
2. . ROUTE for that traffic
3. ALLOWED IPs for that traffic
1. Firewall
- does firewall rule allow traffic to exit the tunnel.
- does firewall rule allow traffic to enter the tunnel
Shortcut
add chain=forward action=accept in-inteface=wg-interface out-interface=wg-interface
Then two things have to line up.
2. . ROUTE for that traffic
3. ALLOWED IPs for that traffic
Re: Multiple Tunnels
I tried the forward chain configure you suggested. However, in wireshark I can still see pings coming in from WG2 still trying to go out via other WG tunnel because of that 0.0.0.0/0 via WG1 static route in routing table.
Re: Multiple Tunnels
Without better diagrams showing everything, I cannot begin to guess. You have flawed logic or missing rules, but too hard for me to tell based on the diagram I am looking at.
Add one that puts the COmputer on a network attached to a modem etc, MORE detail and showing the subnets invovled.
Add one that puts the COmputer on a network attached to a modem etc, MORE detail and showing the subnets invovled.