I want to do bonding with wireguard+eoip and several pppoe connections (each pppoe connection is on a unique ADSL line)
I am using routeros 7.1rc5
I use mangle rules to match the wireguard interface's endpoint port and mark routing so each wg interface should route via a unique pppoe connection
However I'm facing a problem, namely all the wireguard connections are trying to use the same src-address (from whichever pppoe interface is the default route on main table), so it seems impossible to route each wireguard tunnel over a unique pppoe connection
How can I change the source address for each wg connection (ideally based on the endpoint port)?
It seems the only solution is to have a second mikrotik router and then do mangling on the forwarded packets. Surely this shouldn't be necessary??
Any ideas welcomed
src-address for wireguard endpoint connection
Last edited by fragtion on Mon Nov 08, 2021 4:23 pm, edited 1 time in total.
Re: Wireguard src-address problems
So you have only one (main) routing table you say? How can that possibly work? And what does it have to do with wireguard?
Re: Wireguard src-address problems
Hi
No, there's a routing table created for each pppoe interface, each with a default route for that pppoe interface only. The problem is even if I mangle the wireguard ports and mark routing to the respective routing tables, the return packet replies never arrive from the remote host (the server) because all outgoing traffic (on the client) comes from the same src-address and routeros is using the src-address associated with the default route from the main rotating table
If the remote host had several public IP addresses then I could route each public IP address to a different PPPoE interface. It only has one though, so the best I can do is mangle the endpoint ports (src or destination) however this doesn't change the src-address problem and so replies never get routed back
No, there's a routing table created for each pppoe interface, each with a default route for that pppoe interface only. The problem is even if I mangle the wireguard ports and mark routing to the respective routing tables, the return packet replies never arrive from the remote host (the server) because all outgoing traffic (on the client) comes from the same src-address and routeros is using the src-address associated with the default route from the main rotating table
If the remote host had several public IP addresses then I could route each public IP address to a different PPPoE interface. It only has one though, so the best I can do is mangle the endpoint ports (src or destination) however this doesn't change the src-address problem and so replies never get routed back
Re: Wireguard src-address problems
Ok I think I fixed it !!
Solution as follows:
assume router's lan IP is 192.168.0.2
assume default route (on main) is another router 192.168.0.1
assume remote wireguard host = 196.1.0.1
assume pppoe1 IP = 172.16.0.1
assume pppoe2 IP = 172.17.0.1
As you can see the router tried to establish the connections with src-address=192.168.0.2
It seems the solution was simply to add src-nat with relevant ports and to-address to the IP address of the respective pppoe interface.
The src-nat rules on their own don't work unless output packets are marked and routed. So it's a combination of all 3 rules that gets things going
So far so good, I will complete the setup and test to see if everything works as expected
Solution as follows:
assume router's lan IP is 192.168.0.2
assume default route (on main) is another router 192.168.0.1
assume remote wireguard host = 196.1.0.1
assume pppoe1 IP = 172.16.0.1
assume pppoe2 IP = 172.17.0.1
Code: Select all
/ip firewall mangle add action=mark-connection chain=output connection-mark=no-mark connection-state=new dst-address=196.1.0.1 dst-port=13241 protocol=udp new-connection-mark=pppoe1_conn passthrough=yes
/ip firewall mangle add action=mark-routing chain=output connection-mark=pppoe1_conn new-routing-mark=to_pppoe1 passthrough=no
/ip firewall mangle add action=mark-connection chain=output connection-mark=no-mark connection-state=new dst-address=196.1.0.1 dst-port=13242 protocol=udp new-connection-mark=pppoe2_conn passthrough=yes
/ip firewall mangle add action=mark-routing chain=output connection-mark=pppoe2_conn new-routing-mark=to_pppoe2 passthrough=no
/ip firewall nat add action=src-nat chain=srcnat protocol=udp src-address=192.168.0.2 src-port=13241 to-addresses=172.16.0.1
/ip firewall nat add action=src-nat chain=srcnat protocol=udp src-address=192.168.0.2 src-port=13242 to-addresses=172.17.0.1
It seems the solution was simply to add src-nat with relevant ports and to-address to the IP address of the respective pppoe interface.
The src-nat rules on their own don't work unless output packets are marked and routed. So it's a combination of all 3 rules that gets things going
So far so good, I will complete the setup and test to see if everything works as expected
Re: Wireguard src-address problems
Isn't your scenario what is explained in this document (shared by @anav):
https://mum.mikrotik.com/presentations/US12/steve.pdf
https://mum.mikrotik.com/presentations/US12/steve.pdf
Re: Wireguard src-address problems
That's a great guide for load balancing in general, but actually no it doesn't go into the specific issue I had here, which is namely to do with ensuring that all the wireguard interfaces use separate source addresses when establishing their links even if they all have the same endpoint IP (but not port obviously). So even though yes I'm implementing a load balancing solution as described in that document, the root problem here actually had nothing to do with the load balancing side of things, lol xD anyways it's sorted now and I'm happy as hell. The power of MikroTik proves it's worth for me yet again "thumbs up*Isn't your scenario what is explained in this document (shared by @anav):
https://mum.mikrotik.com/presentations/US12/steve.pdf
Thank you, guys