MikroTik

Posted: **Sat Mar 11, 2023 10:15 am**

My peered is using an internal DNS server. However, the query logs all indicate the ip address of ROS, and I canceled the masquerade for the LAN interface in NAT.
After that I couldn't access the LAN through Wireguard.
I traced via tracert and it only traced to the Wireguard address and then the request timed out.
My configuration is as follows

Maybe you will find my grammar wrong, please don't laugh at me, it's from Google Translate. I'm new to networking and I enjoy the learning process even though it's hard. Thanks for any help.



# mar/11/2023 16:06:52 by RouterOS 7.8
# software id = TI09-7WK3
#
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] name=lan1-lan5
set [ find default-name=ether2 ] disable-running-check=no name=wan
/interface vrrp
add comment="gatway vrrp" interface=bridge1 name=vrrp1 version=2 vrid=51
add comment="dns vrrp" interface=bridge1 name=vrrp2 version=2 vrid=52
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add name=Lan
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
add code=3 name=Gateway-Ros value="'192.168.2.1'"
add code=3 name=Gateway-Openwrt value="'192.168.2.2'"
add code=6 name=DNSServer-3 value="'192.168.2.5'"
add code=6 name=DnsServer.1 value="'192.168.2.1'"
/ip ipsec policy group
add name=ikev2
/ip pool
add comment=192.168.2.10-192.168.2.200 name=dhcp_pool ranges=192.168.2.10-192.168.2.200
add name=ikev2pool ranges=10.0.3.225-10.0.3.238
/ip dhcp-server
add address-pool=dhcp_pool interface=bridge1 lease-time=20m name=server1
/ip ipsec mode-config
add address-pool=ikev2pool address-prefix-length=28 name=ikv2 static-dns=192.168.2.5 system-dns=no
/lora servers
add address=eu.mikrotik.thethings.industries down-port=1700 name=TTN-EU up-port=1700
add address=us.mikrotik.thethings.industries down-port=1700 name=TTN-US up-port=1700
add address=eu1.cloud.thethings.industries down-port=1700 name="TTS Cloud (eu1)" up-port=1700
add address=nam1.cloud.thethings.industries down-port=1700 name="TTS Cloud (nam1)" up-port=1700
add address=au1.cloud.thethings.industries down-port=1700 name="TTS Cloud (au1)" up-port=1700
add address=eu1.cloud.thethings.network down-port=1700 name="TTN V3 (eu1)" up-port=1700
add address=nam1.cloud.thethings.network down-port=1700 name="TTN V3 (nam1)" up-port=1700
add address=au1.cloud.thethings.network down-port=1700 name="TTN V3 (au1)" up-port=1700
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
add change-tcp-mss=yes name=autoUpdateUpnp on-up="delay 3s\r\
    \n\r\
    \n:execute \"updateUpnp\""
/interface pppoe-client
add add-default-route=yes disabled=no interface=wan name=pppoe-out1 profile=autoUpdateUpnp user=CD0283392346505
/routing table
add comment=wireguard disabled=no fib name=wireguard
/interface bridge port
add bridge=bridge1 interface=lan1-lan5
/ip neighbor discovery-settings
set discover-interface-list=Lan
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add interface=bridge1 list=Lan
add interface=vrrp1 list=Lan
add interface=vrrp2 list=Lan
add interface=wireguard1 list=Lan
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=10.0.2.2/32 comment="phone s10" interface=wireguard1 public-key="xxx"
add allowed-address=10.0.2.3/32 comment="work pc" interface=wireguard1 public-key="xxx"
add allowed-address=10.0.2.4/32 comment=xlwork_pc interface=wireguard1 public-key="xxx"
/ip address
add address=192.168.2.1/24 interface=bridge1 network=192.168.2.0
add address=192.168.1.2/24 interface=wan network=192.168.1.0
add address=192.168.2.4/24 comment=gatway interface=vrrp1 network=192.168.2.0
add address=192.168.2.5/24 comment=dns interface=vrrp2 network=192.168.2.0
add address=10.0.2.1/24 interface=wireguard1 network=10.0.2.0
/ip dhcp-server lease
add address=192.168.2.115 client-id=1:0:11:32:b5:61:bf dhcp-option=Gateway-Ros lease-time=1d mac-address=00:11:32:B5:61:BF server=server1
add address=192.168.2.237 client-id=1:68:77:24:96:92:42 comment=tp_video mac-address=68:77:24:96:92:42 server=server1
add address=192.168.2.2 dhcp-option=Gateway-Ros mac-address=00:0C:29:D3:52:8D server=server1
add address=192.168.2.3 client-id=ff:9f:6e:85:24:0:2:0:0:ab:11:71:44:f9:1c:d7:a9:37:67 mac-address=00:0C:29:EB:E8:6C server=server1
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=192.168.2.5,192.168.2.3 gateway=192.168.2.4 netmask=24
/ip dns
set allow-remote-requests=yes servers=114.114.114.114,2400:3200::1,2400:3200:baba::1
/ip firewall address-list
add address=192.168.2.115 comment=nas list=upnp
add address=192.168.2.69 comment=pc list=upnp
add address=192.168.2.3 comment=ubuntu_server list=upnp
/ip firewall filter
add action=accept chain=input comment="allow lan ping" in-interface=bridge1 protocol=icmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=input comment="allow upnp" dst-port=1900 in-interface=bridge1 protocol=udp src-address-list=!upnp
add action=drop chain=input comment="allow upnp" dst-port=2828 in-interface=bridge1 protocol=tcp src-address-list=!upnp
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=drop chain=input comment="Drop Ax3600 dns " dst-port=53 protocol=udp src-address=192.168.2.96 src-address-list=""
add action=accept chain=input comment="allow gatwayarrp input" in-interface=vrrp1
add action=accept chain=input comment="allow dnsarrp input" in-interface=vrrp2
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=drop chain=input comment="drop wan dns search" dst-port=53 in-interface=pppoe-out1 protocol=udp
add action=drop chain=forward comment="drop forward invalid conn" connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=pppoe-out1
add action=accept chain=input dst-port=13231 in-interface=pppoe-out1 protocol=udp
add action=accept chain=input in-interface=pppoe-out1 protocol=ipsec-ah
add action=accept chain=input in-interface=pppoe-out1 protocol=ipsec-esp
add action=accept chain=input dst-port=4500 in-interface=pppoe-out1 protocol=udp
add action=accept chain=input dst-port=500 in-interface=pppoe-out1 protocol=udp
add action=drop chain=input comment="drop all wan" in-interface=pppoe-out1
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address=192.168.2.2 new-routing-mark=*400 passthrough=yes src-address=10.0.0.10
add action=accept chain=prerouting dst-address=192.168.1.0/24 src-address=192.168.2.0/24
add action=mark-routing chain=prerouting dst-address=!192.168.2.0/24 new-routing-mark=wireguard passthrough=yes src-address=10.0.2.0/24
/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.1.0/24 src-address=192.168.2.0/24
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.2.0/24 out-interface=!bridge1
add action=masquerade chain=srcnat out-interface-list=!Lan
add action=dst-nat chain=dstnat comment="ubuntu" dst-port=2222 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.2.3 to-ports=22
add action=dst-nat chain=dstnat comment="ubuntu_10001" dst-port=10001 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.2.3 \
    to-ports=10001
add action=dst-nat chain=dstnat disabled=yes dst-port=4500 in-interface=pppoe-out1 protocol=udp to-addresses=192.168.2.3 to-ports=4500
add action=dst-nat chain=dstnat disabled=yes dst-port=500 in-interface=pppoe-out1 protocol=udp to-addresses=192.168.2.3 to-ports=500
add action=dst-nat chain=dstnat dst-port=5001 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.2.115 to-ports=5001
add action=dst-nat chain=dstnat disabled=yes dst-address=192.168.2.1 dst-port=6054 in-interface=bridge1 protocol=udp to-addresses=192.168.2.1 to-ports=53
add action=dst-nat chain=dstnat dst-port=3333 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.2.99 to-ports=22
add action=dst-nat chain=dstnat dst-port=9998 in-interface=pppoe-out1 protocol=tcp to-addresses=10.0.0.100 to-ports=5001
add action=dst-nat chain=dstnat dst-port=9997 in-interface=pppoe-out1 protocol=tcp to-addresses=10.0.0.100 to-ports=9997
add action=dst-nat chain=dstnat dst-port=9996 in-interface=pppoe-out1 protocol=tcp to-addresses=10.0.0.100 to-ports=9996
/ip firewall raw
add action=add-src-to-address-list address-list=PSD address-list-timeout=none-dynamic chain=prerouting comment="psd\B6\CB\BF\DA\C9\A8\C3\E8" in-interface=\
    pppoe-out1 protocol=tcp psd=21,3s,3,1
add action=drop chain=prerouting comment="psd" src-address-list=PSD
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.2.2 pref-src=0.0.0.0 routing-table=wireguard scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=10.0.2.0/24 gateway=wireguard1 pref-src=0.0.0.0 routing-table=wireguard scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=pppoe-out1 pref-src="" routing-table=wireguard scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.2.0/24
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.2.0/24
set api-ssl disabled=yes
/ip smb
set allow-guests=no
/ip upnp
set allow-disable-external-interface=yes enabled=yes
/ip upnp interfaces
add interface=bridge1 type=internal
add interface=pppoe-out1 type=external
/ipv6 address
# address pool error: pool not found: v6pool (4)
add eui-64=yes from-pool=v6pool interface=bridge1
/ipv6 dhcp-client
add add-default-route=yes interface=pppoe-out1 pool-name=v6pool pool-prefix-length=60 request=prefix use-peer-dns=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
/ipv6 nd
set [ find default=yes ] managed-address-configuration=yes other-configuration=yes
add disabled=yes interface=bridge1 mtu=1492 other-configuration=yes
/routing rule
add action=lookup disabled=no interface=wireguard1 src-address=10.0.2.0/24 table=*400
/system clock
set time-zone-name=Asia/Shanghai
/system hardware
set allow-x86-64=yes
/system identity
set name=Nextadmin.net
/system logging
add disabled=yes topics=upnp
add disabled=yes topics=dhcp
add disabled=yes topics=ipsec
/system ntp client
set enabled=yes
/system ntp server
set broadcast=yes broadcast-addresses=192.168.2.255 enabled=yes
/system ntp client servers
add address=ntp.aliyun.com
add address=ntp1.aliyun.com
add address=ntp2.aliyun.com
/system scheduler
add interval=2d name="\B6\A8\CA\B1\D6\D8\B2\A5" on-event="/interface disable pppoe-out1\r\
    \n/interface enable pppoe-out1" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=jun/29/2022 start-time=04:00:00
/system script
add dont-require-permissions=no name=updateUpnp owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":global addold\r\
    \n:global addnew\r\
    \n:set addnew [/interface get [/interface find name=\"pppoe-out1\"] running]\r\
    \n:if (\$addnew=true) do={\r\
    \n:set addold [/ip address get [/ip address find dynamic=yes interface=\"pppoe-out1\"] address]\r\
    \n:set addold [:pick \$addold 0 ([:len \$addold ] -3)]\r\
    \n/ip firewall nat set [find dynamic=yes comment ~\"^upnp*.\"] dst-address=\$addold\r\
    \n}"
/tool graphing interface
add interface=lan1-lan5
add interface=pppoe-out1
/tool mac-server
set allowed-interface-list=Lan
/tool mac-server mac-winbox
set allowed-interface-list=Lan
[admin@Nextadmin.net] >

Posted: **Sun Mar 12, 2023 2:02 pm**

Provide a network diagram to help describe.

Posted: **Mon Mar 13, 2023 5:23 am**

Provide a network diagram to help describe.

Thanks for your reply, I have provided the network diagram

未命名文件 (2) (中).png

Posted: **Mon Mar 13, 2023 7:31 am**

An internal DNS server is being used by my peer. The masquerade for the LAN interface in NAT was stopped because the query logs all contain the IP address of ROS.

Posted: **Mon Mar 13, 2023 10:56 am**

An internal DNS server is being used by my peer. The masquerade for the LAN interface in NAT was stopped because the query logs all contain the IP address of ROS.

Thank you for your reply, I also try to stop LAN To LAN masquerade in NAT, but after I stop masquerade, my peer will not be able to visit LAN. I'm looking for a solution for this.

Posted: **Mon Mar 13, 2023 1:23 pm**

Because I deal only in home networks, I need simple talk.

Is the problem that you cannot get your wireguard users 'pad/notebook' to use the local DNS server at device .2.3 ??

Aka what is the problem in clearer terms

Posted: **Mon Mar 13, 2023 3:22 pm**

Because I deal only in home networks, I need simple talk.

Is the problem that you cannot get your wireguard users 'pad/notebook' to use the local DNS server at device .2.3 ??

Aka what is the problem in clearer terms

It can use 2.3 as a dns server, but the query record shows that the ip is from 2.1 instead of 10.0.2.3 or 10.0.2.2

Posted: **Mon Mar 13, 2023 4:37 pm**

(1) Are you accessing internet of network from wireguard clients or just subnets and the router/devices for config purposes?

(2) Why are you marking wireguard traffic?

(3) Why are your source nat rules SO OBTUSE.
and I dont even see a default rule???

(4) Are you attempting to run your own DNS server from 192.168.2.3 ?????

IF SO why this rule. BESIDES the format being totally WRONG, the IP address is NOT THE SERVER
add action=dst-nat chain=dstnat disabled=yes dst-address=192.168.2.1 dst-port=6054 in-interface=bridge1 protocol=udp to-addresses=192.168.2.1 to-ports=53

+++++++++++++++++++++++

You need to simplify the config, be clear on requirements, and do your dns server thing properly.

Posted: **Mon Mar 13, 2023 5:16 pm**

(1) Are you accessing internet of network from wireguard clients or just subnets and the router/devices for config purposes?

(2) Why are you marking wireguard traffic?

(3) Why are your source nat rules SO OBTUSE.
and I dont even see a default rule???

(4) Are you attempting to run your own DNS server from 192.168.2.3 ?????

IF SO why this rule. BESIDES the format being totally WRONG, the IP address is NOT THE SERVER
add action=dst-nat chain=dstnat disabled=yes dst-address=192.168.2.1 dst-port=6054 in-interface=bridge1 protocol=udp to-addresses=192.168.2.1 to-ports=53

+++++++++++++++++++++++

You need to simplify the config, be clear on requirements, and do your dns server thing properly.

1.Access the Internet while using the internal DNS server.
2.I marked wireguard to use OpenWrt, which provides me with the ability to circumvent GFW.
3.add action=masquerade chain=srcnat out-interface-list=!Lan I modified the default rules, he is now like this. Does it have any problems? Thank you for any suggestions.
4.The DNS server is running normally in the LAN.

I'm sorry for bothering you with my redundant configuration, actually my router has been working fine for a while before I didn't use wireguard. So it has some configuration that is not currently working. I'm going to try to clean up my config files.

Posted: **Mon Mar 13, 2023 7:55 pm**

Why do you send wg to openwrt??? what is GFW???

Are the users coming into the router via WG and then NOT going out the local WAN but out a remote WAN via an openwrt tunnel ????

Posted: **Mon Mar 13, 2023 9:10 pm**

Why do you send wg to openwrt??? what is GFW???

Are the users coming into the router via WG and then NOT going out the local WAN but out a remote WAN via an openwrt tunnel ????

Sent to openwrt to let openwrt handle traffic, I use open clash in openwrt to provide me with VPN function, let me pass GFW
In fact, this is a commonly used solution in China, because most of the network cannot be accessed due to the existence of GFW

The traffic of 10.0.2.0/24 leaves through the wireguard interface. (I have this operation in the routing table.) The traffic with the destination address 192.168.2.0/24 leaves through the bridge1 interface. (I have this operation in the routing table.) Send the traffic of other destination addresses to openwrt. (I have this in the routing table.) After openwrt processes the traffic, it will be sent to ROS and finally leave through the WAN.

As I said, I enjoyed the learning process even though it was difficult.
Thank you again for your help.

Posted: **Mon Mar 13, 2023 11:34 pm**

What is so special about openwrt that the traffic needs to go from wireguard through MT router and then not directly to WAN? I dont get it?
What is is that the MT router cannot do??

Posted: **Tue Mar 14, 2023 3:40 am**

What is your purpose? I am somewhat dizzy after looking at your topology. If openwrt is for client bypass routing service, you can use ip dhcp-server option code 3 & 6 to distribute gateway and dns.
If you are accessing internal lan-side services externally, you already have esxi, so it is more convenient to open a cloudflared docker tunnel.

Posted: **Tue Mar 14, 2023 5:24 am**

What is so special about openwrt that the traffic needs to go from wireguard through MT router and then not directly to WAN? I dont get it?
What is is that the MT router cannot do??

I think the VPN protocol is different. Commonly used VPN protocols such as ipsec are easily detected by gfw and block traffic.

Posted: **Tue Mar 14, 2023 5:29 am**

What is your purpose? I am somewhat dizzy after looking at your topology. If openwrt is for client bypass routing service, you can use ip dhcp-server option code 3 & 6 to distribute gateway and dns.
If you are accessing internal lan-side services externally, you already have esxi, so it is more convenient to open a cloudflared docker tunnel.

In fact, I only have two purposes,
1 to mark the flow of wg. Traffic with different destination addresses leaves through different interfaces.
2 wg uses internal dns server and how to show query IP is from wg not MT.

Posted: **Tue Mar 14, 2023 9:47 am**

I think the VPN protocol is different. Commonly used VPN protocols such as ipsec are easily detected by gfw and block traffic.

I understand. I guess I live in the same country as you. If you want to avoid censorship, you can consider deploying your own vps node with a more advanced xray protocol. If you must use wg, you can deploy "wg-easy" conveniently in esxi. I hope can help you.

Posted: **Tue Mar 14, 2023 2:07 pm**

I think the VPN protocol is different. Commonly used VPN protocols such as ipsec are easily detected by gfw and block traffic.
I understand. I guess I live in the same country as you. If you want to avoid censorship, you can consider deploying your own vps node with a more advanced xray protocol. If you must use wg, you can deploy "wg-easy" conveniently in esxi. I hope can help you.

Thank you for your suggestion, why do I arrange wg on MT.
1. I can access the LAN through wg.
2. I mark wg and send traffic to Op (Op provides Xary) and I can pass the network review.

Posted: **Tue Mar 14, 2023 5:13 pm**

Wouldnt this work and avoids marking/mangling....

Firewall rule/ routing table/ ip route / routing rules

/ip firewall filter
add action=forward chain=accept in-interface=wirequard dst-address= 192.168.2.2

/routing table add fib name=useOP

/ip route
add dst=0.0.0.0./0 gwy=192.168.2.4 table=useOP

/routing rule add action=lookup-only-in-table src-address=10.0.2.2 table=useOP
/routing rule add action=lookup-only-in-table src-address=10.0.2.3 table=useOP

Posted: **Tue Mar 14, 2023 6:29 pm**

Wouldnt this work and avoids marking/mangling....

Firewall rule/ routing table/ ip route / routing rules

/ip firewall filter
add action=forward chain=accept in-interface=wirequard dst-address= 192.168.2.2

/routing table add fib name=useOP

/ip route
add dst=0.0.0.0./0 gwy=192.168.2.4 table=useOP

/routing rule add action=lookup-only-in-table src-address=10.0.2.2 table=useOP
/routing rule add action=lookup-only-in-table src-address=10.0.2.3 table=useOP

Thank you for your reply, I sorted out some questions and ask you for advice.
1. I send traffic to the OP in the following way, is there any difference between this and your way?

/routing table
add comment=wireguard disabled=no fib name=wireguard

/ip firewall mangle
add action=mark-routing chain=prerouting dst-address=!192.168.2.0/24 new-routing-mark=wireguard passthrough=yes src-address=10.0.2.0/24

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.2.2 pref-src=0.0.0.0 routing-table=wireguard scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=10.0.2.0/24 gateway=wireguard1 pref-src="" routing-table=wireguard scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=pppoe-out1 pref-src="" routing-table=wireguard scope=30 suppress-hw-offload=no target-scope=10

I know too little about routing. But I configure it like this, my traffic is indeed sent to the OP.
I have three routes configured and I would like to explain why I am doing this.
a. add disabled=no distance=1 dst-address=10.0.2.0/24 gateway=wireguard1
I configure it because so that I can visit each other's devices in wg.
b. add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.2.2
I configured because, I send other traffic to OP.
c.add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=pppoe-out1
I configured it because, when the OP cannot be accessed, the wg device can still access the network.

As you can see, when I marked routing, I excluded 192.168.2.0/24, I think it will hit the default routing rule ie: DAc 192.168.2.0/24 bridge1 0, of course this is my guess, I would like to get your suggestion.

2.In the internal dns server used by wg, the query request ip of wg is always 192.168.2.1, can I get the ip of wg, if so, how should I do it, I tried the following command

/interface list member
add disabled=yes interface=bridge1 list=Lan
add interface=vrrp1 list=Lan
add interface=vrrp2 list=Lan
add interface=wireguard1 list=Lan

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=!Lan

As you can see, I disabled the bridge1 interface, because when I enable it, my peer can't access the Lan, I don't know why, I just disabled it, and the peer can access the Lan normally. Do you have any suggestion? Thanks

Posted: **Tue Mar 14, 2023 7:22 pm**

(1) You do not need to create a route for wireguard on the router. ( Get rid of the one you made ) When you add the ip address
add address=10.0.2.1/24 interface=wireguard1 network=10.0.2.0 this automatically creates a route for you.

<dac> dst-address=10.0.2.0/24 gateway=wireguard1 routing-table=main

Thus the router knows that if there is any destination traffic heading towards any such address, the traffic will be pointed to the tunnel.

(2) It was not clear you wanted the road warrior clients to have the option to go out Local Router WAN ppoe if the OP service was not working ????
You made it clear it had to go out OP to defeat GFW, so you are giving conflicting messages!!!

(3) I would make the routes as such. I use different distance numbers so I always have room in front and in between for other routes!!

add distance=5 dst-address=0.0.0.0/0 gateway=192.168.2.2 table=main check-gateway=ping ( all users will be sent out OP as a primary WAN )
add distance=10 dst-address=0.0.0.0/0 gateway=pppoe-out1 table=main ( when OP is not available, all users pushed to local WAN )

(4) Typically one also ensures
/interface list members
add wireguard1 list=LAN
and therefore any forward chain rule LAN to WAN automatically allows wireguard clients to also access the local WAN (needs to be allowed when OP is not available).

(5) So you need two firewall rules

add action=accept chain=forward in-interface-list=LAN out-interface=WAN
add action=accept chain=forward in-interface=wireguard1 dst-address=192.168.2.0/24

(6) Currently, i see no reason to mark any wireguard traffic.

Posted: **Wed Mar 15, 2023 5:59 am**

(1) You do not need to create a route for wireguard on the router. ( Get rid of the one you made ) When you add the ip address
add address=10.0.2.1/24 interface=wireguard1 network=10.0.2.0 this automatically creates a route for you.

<dac> dst-address=10.0.2.0/24 gateway=wireguard1 routing-table=main

Thus the router knows that if there is any destination traffic heading towards any such address, the traffic will be pointed to the tunnel.

(2) It was not clear you wanted the road warrior clients to have the option to go out Local Router WAN ppoe if the OP service was not working ????
You made it clear it had to go out OP to defeat GFW, so you are giving conflicting messages!!!

(3) I would make the routes as such. I use different distance numbers so I always have room in front and in between for other routes!!

add distance=5 dst-address=0.0.0.0/0 gateway=192.168.2.2 table=main check-gateway=ping ( all users will be sent out OP as a primary WAN )
add distance=10 dst-address=0.0.0.0/0 gateway=pppoe-out1 table=main ( when OP is not available, all users pushed to local WAN )

(4) Typically one also ensures
/interface list members
add wireguard1 list=LAN
and therefore any forward chain rule LAN to WAN automatically allows wireguard clients to also access the local WAN (needs to be allowed when OP is not available).

(5) So you need two firewall rules

add action=accept chain=forward in-interface-list=LAN out-interface=WAN
add action=accept chain=forward in-interface=wireguard1 dst-address=192.168.2.0/24

(6) Currently, i see no reason to mark any wireguard traffic.

1. I marked that wg did not modify the default routing table, because in the LAN, I configure the gateway of the device through the DHCP option, and not all devices in the LAN need to avoid network censorship. (
Actually now I only mark src 10.0.2.0/24 going to non-10.0.2.0/24 and 192.168.2.0/24, before that I mark all src 10.0.2.4/24 going to 0.0.0.0/0 mark, and then select different network outlets in the routing table based on the destination address, obviously my routing table is not configured correctly, because I can't access MT, but I can access devices in other LANs, which is another problem)
2. I have executed the following command
add wireguard1 list=LAN

add action=accept chain=forward in-interface-list=LAN out-interface=WAN
add action=accept chain=forward in-interface=wireguard1 dst-address=192.168.2.0/24

But in my DNS server, the peer query record still does not correctly display its own ip, what should I do?

thanks for any advice

Posted: **Fri Mar 17, 2023 3:33 am**

First of all, I am not very familiar with mikrotik routing, but I basically understand your needs. Although wireguard is currently the best performing vpn, it still affects performance. The bypass mode is recommended for devices such as Android TV, no need to set. There are many xray clients for other devices, and the performance is much better if the client initiates an xray request directly. Try not to complicate the words, and the convenience of the user terminal is also very important. My humble opinion is for reference only.

MikroTik

Can not access to the remote LAN through wireguard

Can not access to the remote LAN through wireguard

Re: Can not access to the remote LAN through wireguard

Re: Can not access to the remote LAN through wireguard

Re: Can not access to the remote LAN through wireguard

Re: Can not access to the remote LAN through wireguard

Re: Can not access to the remote LAN through wireguard

Re: Can not access to the remote LAN through wireguard

Re: Can not access to the remote LAN through wireguard

Re: Can not access to the remote LAN through wireguard

Re: Can not access to the remote LAN through wireguard

Re: Can not access to the remote LAN through wireguard

Re: Can not access to the remote LAN through wireguard [SOLVED]

Re: Can not access to the remote LAN through wireguard

Re: Can not access to the remote LAN through wireguard

Re: Can not access to the remote LAN through wireguard

Re: Can not access to the remote LAN through wireguard

Re: Can not access to the remote LAN through wireguard

Re: Can not access to the remote LAN through wireguard

Re: Can not access to the remote LAN through wireguard

Re: Can not access to the remote LAN through wireguard

Re: Can not access to the remote LAN through wireguard

Re: Can not access to the remote LAN through wireguard