 
norepto
newbie
Topic Author
Posts: 36
Joined: Fri Sep 13, 2013 8:02 pm

Wireguard routing.

Mon Apr 08, 2024 11:33 am

Hi all, I have this setup:

Wireguard server (CHR) 7.14.2

Wireguard IP 10.254.101.1/24
Wireguard Peer A: Allowed address 10.254.101.26/32 10.26.0.0/16
Wireguard Peer B: Allowed address 10.254.101.126/32 10.26.0.0/16

Route Dst. Address: 10.26.0.0/16 GW 10.254.101.26 distance 1 Check Gateway ping (black)
Route Dst. Address: 10.26.0.0/16 GW 10.254.101.126 distance 2 Check Gateway ping (blue)

I can ping both Peer A and Peer B IPs, but when I try to reach 10.26.0.0/16, tracert shows me it is always going via the .126 gw, never the .26
gw. If Peer B is disconnected, it works using the .26.

Any idea? Ty.
 
anav
Forum Guru
Posts: 23384
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard routing.

Mon Apr 08, 2024 1:27 pm

Your config is wrong; more advice if you provide a network diagram and configs of both routers.
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys )
 
norepto
newbie
Topic Author
Posts: 36
Joined: Fri Sep 13, 2013 8:02 pm

Re: Wireguard routing.

Mon Apr 08, 2024 2:14 pm

Hi Anav:

https://1drv.ms/i/s!AiKNjZkPqVGVyfUrl7M ... g?e=MZBc2v

CHR

/interface wireguard peers
add allowed-address=10.254.101.26/32,10.26.0.0/16 client-address=10.254.101.26/32 comment="XXXXX_ Main" \
interface="Wireguard Tracks" preshared-key=\
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" public-key="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
add allowed-address=10.254.101.126/32,10.26.0.0/16 client-address=10.254.101.126/32 comment="XXXXX_Backup" interface=\
"Wireguard Tracks" preshared-key=\
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" public-key="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=10.26.0.0/16 gateway=\
10.254.101.26 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=10.26.0.0/16 gateway=\
10.254.101.126 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10

FYI, with L2TP+IPsec instead of WireGuard, it works.

The strange thing is that in the allowed-address of each site I put the other site's IPs, like other peers running in the same router. The difference here is that I have 2 peers with the same IP range in allowed IPs. When I removed the allowed IPs in the Backup peer it works as well. As if, when I put the allowed IPs on the peer, it affects the route...

Ty
 
norepto
newbie
Topic Author
Posts: 36
Joined: Fri Sep 13, 2013 8:02 pm

Re: Wireguard routing.

Mon Apr 08, 2024 2:54 pm

Hi Anav,

With L2TP+IPsec I have 1 connection established from each router (Peer A and B) to the CHR; if the A router fails, the route on the CHR goes to the backup route established.

L2TP

CHR 10.30.40.1
A 10.30.40.26 Route distance 1 Active (established) gw 10.30.40.1
B 10.30.40.126 Route distance 2 Backup (established) gw 10.30.40.1

Wireguard

CHR 10.254.101.1
A 10.254.101.26 Route distance 1 Active (established) gw 10.254.101.1 (copy on A and B)

Enabled and disabled (main backup) by script on B with VRRP

A 10.254.101.26 Route distance 1 Active (established) gw 10.254.101.1 (copy on A and B)

That's all, but I don't like it because in my case I have 3 ISPs on the CHR...

CHR 10.30.40.1
CHR 10.30.40.100

A 10.30.40.26 Route distance 1 Active (established) using in the l2tp connect to ISP 1 gw 10.30.40.1
A 10.30.40.226 Route distance 2 Active (established) using in the l2tp connect to ISP 2 gw 10.30.40.100

B 10.30.40.27 Route distance 1 Active (established) using in the l2tp connect to ISP 1 gw 10.30.40.1
B 10.30.40.227 Route distance 2 Active (established) using in the l2tp connect to ISP 2 gw 10.30.40.100

I don't know how to do it using WireGuard instead of L2TP.

ty
 
anav
Forum Guru
Posts: 23384
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard routing.

Mon Apr 08, 2024 3:37 pm

Suggest you provide a network diagram to help visualize the equipment/devices and ISPs involved etc...
EDIT: I see the link above now... thanks

You have three devices, but have only shown a partial config of one;
need to see all three.
/export file=anynameyouwish (minus router serial number, any public WANIP information, keys etc. )
 
norepto
newbie
Topic Author
Posts: 36
Joined: Fri Sep 13, 2013 8:02 pm

Re: Wireguard routing.

Mon Apr 08, 2024 4:42 pm

Hi Anav,

Now I have a copy of one WireGuard peer in router A and B with a VRRP script to enable it. The export of the CHR has around 30000 lines... The clients A and B maybe 300. The strange thing is that the first hop with WireGuard is always .126 instead of .26. I will try to replicate it in a small laboratory with 3 hAPs if I have time during this week. But from my point of view something changes in the routes when I put the allowed IPs in the peers on the CHR.

Best Regards,
 
mantouboji
Frequent Visitor
Posts: 59
Joined: Mon Aug 01, 2022 2:21 pm
Location: Shanghai

Re: Wireguard routing.

Mon Apr 08, 2024 7:34 pm

Why do you assign the same 10.26.0.0/16 to both peers?

That is the mistake.
 
norepto
newbie
Topic Author
Posts: 36
Joined: Fri Sep 13, 2013 8:02 pm

Re: Wireguard routing.

Wed Apr 10, 2024 10:43 am

Hello Mantouboji.

So I can't have two remote points with the same IP assignment and decide through routes which one I want to access? Maybe I'm totally confused about the "peer" configuration; I mean, in "allowed address," I understand that it's only to indicate which networks are allowed in the tunnel and do not imply routes.

I think that "allowed IPs" are only the networks that are accepted through the peer and the routing table determines the gw to reach it.
 
llamajaja
Member Candidate
Posts: 275
Joined: Sat Sep 30, 2023 3:11 pm

Re: Wireguard routing.

Wed Apr 10, 2024 8:02 pm

Correct. The subnets cannot be duplicated for two different peers.
If unable to change one of them then use a second wireguard interface.
 
norepto
newbie
Topic Author
Posts: 36
Joined: Fri Sep 13, 2013 8:02 pm

Re: Wireguard routing.

Thu Apr 11, 2024 1:35 pm

Hi Llamajaja,

So, in the CHR, can I set up two WireGuard servers using two different ports, create a peer for each of them with the same subnet, and there wouldn't be a problem?

CHR Server Wireguard MAIN: 10.254.102.1/24 port 13235
CHR Server Wireguard BACKUP: 10.254.103.1/24 port 13236

CCR A: 10.254.102.2/24 allowed ip 10.254.102.1 10.26.0.0/16 Endpoint: "CHR" port: 13235
CCR B: 10.254.103.2/24 allowed ip 10.254.103.1 10.26.0.0/16 Endpoint: "CHR" port: 13236

....
 
norepto
newbie
Topic Author
Posts: 36
Joined: Fri Sep 13, 2013 8:02 pm

Re: Wireguard routing.

Thu Apr 11, 2024 1:46 pm

In summary, there is no problem if the allowed IP addresses in the peers of two different WireGuard servers are the same, as long as they are associated with different servers. This is because WireGuard identifies peers by their public keys, not by their allowed IP addresses. Therefore, even if two peers have the same allowed IP addresses on different servers, WireGuard will distinguish them correctly using their unique public keys. Is it right?
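The behaviour the thread runs into follows from WireGuard's cryptokey routing rule: within one interface, each allowed-IP prefix can belong to only one peer, so the second peer configured with 10.26.0.0/16 takes the prefix away from the first, and the kernel route pointing at 10.254.101.26 no longer decides which peer the packet is encrypted to. The model below is an added example (not RouterOS code or anything posted in the thread); the peer labels and the 10.254.102.2/10.254.103.2 addresses for the two-interface layout are constructed.

```python
import ipaddress


class CryptokeyTable:
    """Model of one WireGuard interface's allowed-IPs lookup table.

    A prefix maps to exactly one peer per interface, so adding a prefix that
    already belongs to another peer moves it to the newly configured peer.
    """

    def __init__(self, name):
        self.name = name
        self.table = {}  # ip_network -> peer label (constructed stand-ins for public keys)

    def add_peer(self, peer, allowed):
        for prefix in allowed:
            # The last peer configured with a prefix owns it; the previous owner
            # silently loses it, which is what happened to Peer A's 10.26.0.0/16.
            self.table[ipaddress.ip_network(prefix)] = peer

    def prefixes_of(self, peer):
        return sorted(str(n) for n, p in self.table.items() if p == peer)

    def lookup(self, dst):
        """Longest-prefix match: the peer an outgoing packet will be encrypted to."""
        addr = ipaddress.ip_address(dst)
        matches = [n for n in self.table if addr in n]
        if not matches:
            return None  # WireGuard drops packets with no matching allowed IP
        return self.table[max(matches, key=lambda n: n.prefixlen)]


def single_interface():
    # The original setup: both peers on "Wireguard Tracks" claim 10.26.0.0/16.
    wg = CryptokeyTable("Wireguard Tracks")
    wg.add_peer("PEER_A", ["10.254.101.26/32", "10.26.0.0/16"])
    wg.add_peer("PEER_B", ["10.254.101.126/32", "10.26.0.0/16"])
    return wg


def two_interfaces():
    # The proposed fix: one interface (and table) per peer, so both can own the /16.
    main = CryptokeyTable("wg-main")
    main.add_peer("CCR_A", ["10.254.102.2/32", "10.26.0.0/16"])
    backup = CryptokeyTable("wg-backup")
    backup.add_peer("CCR_B", ["10.254.103.2/32", "10.26.0.0/16"])
    return main, backup
```

Running `single_interface().prefixes_of("PEER_A")` shows Peer A left with only its /32, so traffic for 10.26.0.0/16 always leaves via Peer B regardless of route distance; with two interfaces each table keeps its own owner and the routes decide.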