Here is the network diagram for my two factories:
Currently I have configured remote access on each router; there is no need for either site to access the other's network.
The WireGuard site-to-site tunnel between the two factories is now using WAN2.
The WireGuard client-to-site VPN is still using WAN1; how can I make these connections use WAN2?
Another issue: I cannot connect to WAN2 with WinBox on either router.
I made WAN2 primary but it still does not work, while WAN1 is still accessible; I think it may be caused by the ISP's security.
Current config after following anav's advice:
Router A:
# 2024-12-23 21:51:14 by RouterOS 7.16.2
# software id = 9931-M8FK
#
# model = CCR1016-12G
#
# NOTE(review): this is a forum paste of an /export, not an importable file.
# The public keys ("1") and the WAN addresses (WAN2-IP, WAN2-DG-IP, WAN1-DG-IP,
# RouterB-WAN2-IP, RouterA-WAN2-DG-IP) are placeholders substituted by the
# poster, and the "*...*" fragments on some route and address lines are the
# poster's annotations placed after a line-continuation backslash, which the
# CLI would reject. One address-list entry is also split across two lines
# without a continuation (see /ip firewall address-list).
/interface bridge
add name=guest-lan
add name=py1-lan
/interface ethernet
# ether1 carries the PPPoE FTTH uplink (WAN1); ether2 is the ILL uplink (WAN2).
set [ find default-name=ether1 ] comment=WAN-FTTH
set [ find default-name=ether2 ] comment=WAN-ILL
/interface pppoe-client
add disabled=no interface=ether1 name=WAN-FTTH user=netnam_manipy
/interface wireguard
# A single WireGuard interface serves both the site-to-site peer and the
# road-warrior clients listed under /interface wireguard peers. UDP 51248 is
# accepted from both WANs by the only rule in /ip firewall filter.
add listen-port=51248 mtu=1420 name=PY1-Wireguard
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.0.255.1-10.0.255.253
add name=dhcp_pool1 ranges=10.22.10.10-10.22.10.200
/ip dhcp-server
add address-pool=dhcp_pool0 interface=guest-lan lease-time=1d name=guest-dhcp
add address-pool=dhcp_pool1 interface=py1-lan lease-time=8h name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/routing table
# Per-uplink tables for policy routing. ILL-table is fed by the mangle rule
# below; FTTH-table has a default route but nothing in this export marks
# traffic into it.
add disabled=no fib name=FTTH-table
add disabled=no fib name=ILL-table
/interface bridge port
add bridge=py1-lan interface=ether11
add bridge=py1-lan interface=ether12
add bridge=guest-lan interface=ether8
add bridge=py1-lan interface=ether9
add bridge=py1-lan interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface l2tp-server server
# NOTE(review): only use-ipsec is exported here; whether the L2TP server is
# enabled at all is not visible in this paste, so check /interface l2tp-server
# server print before assuming it is off.
set use-ipsec=yes
/interface list member
add interface=guest-lan list=LAN
add interface=py1-lan list=LAN
add interface=WAN-FTTH list=WAN
add interface=ether2 list=WAN
/interface wireguard peers
# Site-to-site peer (Router B). allowed-address covers only Router B's factory
# LAN, 172.25.0.0/16. The static route further down that sends 10.22.20.0/24
# to next hop 10.22.0.253 over this interface has no peer whose
# allowed-address contains either 10.22.0.253 or 10.22.20.0/24; WireGuard
# drops outbound packets that match no peer's allowed-address, so that route
# presumably cannot carry traffic (the poster says cross-site LAN access is
# not required, so this may be intentional leftover). Add 10.22.0.253/32 and
# 10.22.20.0/24 here if that path is wanted.
add allowed-address=172.25.0.0/16 endpoint-address=RouterB-WAN2-IP \
endpoint-port=51248 interface=PY1-Wireguard name=vpn-to-PY2 public-key=\
"1"
# Road-warrior clients: one /32 each inside 10.22.0.0/24, the subnet of the
# PY1-Wireguard interface address below.
add allowed-address=10.22.0.2/32 interface=PY1-Wireguard name=hangmmh \
public-key="1"
add allowed-address=10.22.0.1/32 interface=PY1-Wireguard name=bh.anh \
public-key="1"
add allowed-address=10.22.0.3/32 interface=PY1-Wireguard name=ngocmmh \
public-key="1"
add allowed-address=10.22.0.4/32 interface=PY1-Wireguard name=damhammh \
public-key="1"
add allowed-address=10.22.0.5/32 interface=PY1-Wireguard name=hung.bravo \
public-key="1"
add allowed-address=10.22.0.6/32 interface=PY1-Wireguard name=hoangbravo \
public-key="1"
add allowed-address=10.22.0.7/32 interface=PY1-Wireguard name=bh.anh2 \
public-key="1"
add allowed-address=10.22.0.8/32 interface=PY1-Wireguard name=bh.anh3 \
public-key="1"
add allowed-address=10.22.0.9/32 interface=PY1-Wireguard name=lanbravo \
public-key="1"
add allowed-address=10.22.0.10/32 interface=PY1-Wireguard name=nm.hung \
public-key="1"
/ip address
add address=10.22.10.254/24 interface=py1-lan network=10.22.10.0
add address=10.0.255.254/24 interface=guest-lan network=10.0.255.0
# NOTE(review): network= on an /ip address entry is the subnet's network
# address, not the gateway; "network=WAN2-DG-IP" is presumably an artefact of
# the placeholder substitution rather than the real export value.
add address=WAN2-IP interface=ether2 network=WAN2-DG-IP
add address=10.22.0.254/24 interface=PY1-Wireguard network=10.22.0.0
/ip cloud
# Registers the router's public address with MikroTik cloud DDNS.
set ddns-enabled=yes
/ip dhcp-server network
add address=10.0.255.0/24 gateway=10.0.255.254
add address=10.22.10.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.22.10.254
/ip dns
# NOTE(review): allow-remote-requests is not shown in this paste. If it is
# enabled, the empty input chain below makes this router an open resolver on
# both WANs; confirm with /ip dns print.
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
# LAN = the directly attached networks plus the factory LAN 172.20.0.0/16
# that sits behind 10.22.10.253 (see /ip route).
add address=172.20.0.0/16 list=LAN
add address=10.0.255.0/24 list=LAN
add address=10.22.10.0/24 list=LAN
# traffic-via-ILL = destinations (DNS names, resolved by the router) that the
# mangle rule below forces out through WAN2.
add address=thuedientu.gdt.gov.vn list=traffic-via-ILL
add address=172.25.0.0/16 list=VPN
add address=tracuunnt.gdt.gov.vn list=traffic-via-ILL
add address=vieclamthainguyen.gov.vn list=traffic-via-ILL
add address=dichvucong.thainguyen.gov.vn list=traffic-via-ILL
add address=hoadondientu.gdt.gov.vn list=traffic-via-ILL
# NOTE(review): the next entry is broken across two lines in the paste with
# no trailing backslash; as written it would not import.
add address=
www.gdt.gov.vn list=traffic-via-ILL
add address=thainguyen.gov.vn list=traffic-via-ILL
add address=canhan.gdt.gov.vn list=traffic-via-ILL
add address=kcn.thainguyen.gov.vn list=traffic-via-ILL
add address=10.22.0.0/24 list=VPN
add address=speedtest.vn list=traffic-via-ILL
add address=smartone.vps.com.vn list=traffic-via-ILL
/ip firewall filter
# NOTE(review): this accept is the ONLY filter rule in the export. There is
# no drop for unsolicited input from WAN and no forward-chain rule at all, so
#  - every service still listening on the router (WinBox 8291 per /ip service
#    below, and anything not covered there) is reachable from both uplinks;
#  - guest-lan clients can route straight into py1-lan and on to the factory
#    LAN behind 10.22.10.253, since both bridges are routed on this box.
# A minimal defensive set to append after this rule (order matters; make sure
# the networks you manage from are accepted before the input drop, otherwise
# remote management is cut off):
#   add action=accept chain=input connection-state=established,related
#   add action=accept chain=input in-interface-list=LAN
#   add action=drop chain=input in-interface-list=WAN
#   add action=accept chain=forward connection-state=established,related
#   add action=drop chain=forward in-interface=guest-lan out-interface-list=!WAN
# The last rule leaves guest clients with Internet only. Since the site-to-site
# and road-warrior traffic does not arrive on a WAN-list interface, the input
# drop does not affect established WireGuard sessions; only UDP 51248 needs
# to stay open, which this rule already does.
add action=accept chain=input dst-port=51248 in-interface-list=WAN protocol=\
udp
/ip firewall mangle
# Policy routing: LAN-sourced traffic to the traffic-via-ILL destinations is
# marked into ILL-table (default route via WAN2). dst-address-type=!local
# keeps traffic addressed to the router itself out of the mark.
add action=mark-routing chain=prerouting dst-address-list=traffic-via-ILL \
dst-address-type=!local new-routing-mark=ILL-table passthrough=yes \
src-address-list=LAN
/ip firewall nat
# Publishes 10.22.10.253:443 on both uplinks to the whole Internet. If the
# set of clients is known, add src-address-list= here (and a matching forward
# accept once the forward chain is locked down) to narrow the exposure.
add action=dst-nat chain=dstnat dst-port=443 in-interface-list=WAN protocol=\
tcp to-addresses=10.22.10.253 to-ports=443
add action=masquerade chain=srcnat out-interface-list=WAN
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
# 172.20.0.0/16 is the factory LAN behind 10.22.10.253, a downstream device on
# py1-lan; 172.25.0.0/16 is Router B's factory LAN through the tunnel.
add disabled=no distance=1 dst-address=172.20.0.0/16 gateway=10.22.10.253 \ *To RouterA's Factory LAN*
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=172.25.0.0/16 gateway=PY1-Wireguard \ *To RouterB's Factory LAN*
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
# NOTE(review): next hop 10.22.0.253 is on PY1-Wireguard, but no peer lists it
# or 10.22.20.0/24 in allowed-address, so this route presumably cannot carry
# traffic (see the vpn-to-PY2 peer).
add disabled=no distance=1 dst-address=10.22.20.0/24 gateway=10.22.0.253 \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
# Default routes in main: WAN2 sits at distance 4, while the recursive route
# via 8.8.8.8 at distance 2 resolves through WAN1-DG-IP (two entries down).
# As long as 8.8.8.8 answers pings over WAN1, main therefore prefers WAN1 and
# WAN2 is only the fallback, which is the opposite of "WAN2 primary" in the
# post. Consequence for router-originated replies (WireGuard handshake replies
# to road-warrior clients, WinBox replies): a session that arrives on WAN2-IP
# is answered via WAN1 with WAN2-IP still as source address (reply packets are
# not re-NATed), and the FTTH ISP is likely to discard that as a spoofed
# source. That matches "WinBox works on WAN1 but not WAN2" and "clients end up
# on WAN1" at least as well as an ISP filter, though the ISP is not ruled out.
# Two ways to pin those sessions to WAN2: (a) make WAN2 the lowest-distance
# default (swap distance=4 here with distance=2 on the 8.8.8.8 route), or
# (b) keep the preference and answer on the ingress uplink with marks, e.g.
#   /ip firewall mangle
#   add chain=input in-interface=ether2 connection-state=new \
#       action=mark-connection new-connection-mark=from-WAN2
#   add chain=output connection-mark=from-WAN2 \
#       action=mark-routing new-routing-mark=ILL-table
add check-gateway=ping disabled=no distance=4 dst-address=0.0.0.0/0 gateway=\
WAN2-DG-IP routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
# NOTE(review): the ILL-table default uses gateway=WAN2-IP, i.e. the router's
# own WAN2 address per /ip address, whereas Router B uses WAN2-DG-IP for the
# same table. Presumably a transcription slip; the gateway should be the ISP
# side of the link.
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
WAN2-IP routing-table=ILL-table scope=30 suppress-hw-offload=no \
target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
WAN1-DG-IP routing-table=FTTH-table scope=30 suppress-hw-offload=no \
target-scope=10
# Recursive default: usable only while 8.8.8.8 is reachable through the host
# route below (scope 10 / target-scope 12 makes the lookup recursive).
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
8.8.8.8 routing-table=main scope=10 suppress-hw-offload=no target-scope=\
12
add check-gateway=ping disabled=no distance=2 dst-address=8.8.8.8/32 gateway=\
WAN1-DG-IP routing-table=main scope=10 suppress-hw-offload=no \
target-scope=11
# Host route that pins the site-to-site endpoint (Router B's WAN2 address) to
# WAN2, so the tunnel does not follow the main default above.
add comment=vpn-to-py2 disabled=no distance=1 dst-address=RouterB-WAN2-IP \
gateway=RouterA-WAN2-DG-IP routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
/ip service
# NOTE(review): winbox (8291) is the only management service left enabled and
# carries no address= restriction, so with the empty input chain it is open
# to the Internet on both uplinks. Restricting it is a one-liner, e.g.
#   set winbox address=10.22.10.0/24,10.22.0.0/24,172.20.0.0/16
# (adjust to the networks you actually manage from).
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/lcd
set time-interval=daily
/system clock
set time-zone-name=Asia/Ho_Chi_Minh
/system identity
set name=PY1-router-mikrotik
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=vn.pool.ntp.org
/tool e-mail
set from="" server=smtp.gmail.com tls=yes
Router B:
# 2024-12-23 21:53:09 by RouterOS 7.16.2
# software id = 2M0R-ULGQ
#
# model = CCR2004-16G-2S+
#
# NOTE(review): forum paste of an /export, not an importable file. Public keys
# ("1") and WAN addresses (WAN2-IP, WAN2-DG-IP, WAN1-DG-IP, RouterA-WAN2-IP)
# are placeholders substituted by the poster; the "*...*" fragments on the
# /ip address and /ip route lines are the poster's annotations, and where
# they follow a continuation backslash the CLI would reject the line.
/interface bridge
add name=guest-lan
add name=py2-lan
/interface ethernet
# ether1 carries the PPPoE FTTH uplink (WAN1); ether2 is the ILL uplink (WAN2).
set [ find default-name=ether1 ] comment=WAN-FTTH
set [ find default-name=ether2 ] comment=WAN-ILL
/interface pppoe-client
add disabled=no interface=ether1 name=netnam-ftth user=netnam_manitn2
/interface wireguard
# Same listen port as Router A; UDP 51248 is accepted from both WANs by the
# single rule in /ip firewall filter.
add listen-port=51248 mtu=1420 name=PY2-Wireguard
/interface list
add name=LAN
add name=WAN
/ip pool
add name=dhcp_pool0 ranges=10.255.255.1-10.255.255.250
/ip dhcp-server
# Only guest-lan has DHCP on this router; py2-lan has no server in the export.
add address-pool=dhcp_pool0 interface=guest-lan lease-time=8h name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/routing table
# NOTE(review): both tables get a default route below, but this export has no
# /ip firewall mangle section, so nothing on this router marks traffic into
# FTTH-table or ILL-table; they are currently unused.
add disabled=no fib name=FTTH-table
add disabled=no fib name=ILL-table
/interface bridge port
add bridge=py2-lan interface=ether16
add bridge=py2-lan interface=ether15
add bridge=py2-lan interface=ether14
add bridge=py2-lan interface=ether13
add bridge=guest-lan interface=ether12
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface=guest-lan list=LAN
add interface=py2-lan list=LAN
add interface=netnam-ftth list=WAN
add interface=ether2 list=WAN
/interface wireguard peers
# Site-to-site peer (Router A). allowed-address covers only Router A's factory
# LAN, 172.20.0.0/16; the route below that sends 10.22.10.0/24 to 10.22.0.254
# over this interface matches no peer's allowed-address and so presumably
# cannot carry traffic. Add 10.22.0.254/32 and 10.22.10.0/24 here if wanted.
add allowed-address=172.20.0.0/16 endpoint-address=RouterA-WAN2-IP \
endpoint-port=51248 interface=PY2-Wireguard name=vpn-to-PY1 \
persistent-keepalive=25s public-key=\
"1"
# NOTE(review): a /24 with host bits set. This hands one client the whole
# 10.22.29.0/24 rather than a single /32 (compare the per-client /32 entries
# on Router A), and that range is not the subnet of the PY2-Wireguard
# interface address (10.22.0.253/24) below. Confirm this is intended.
add allowed-address=10.22.29.1/24 interface=PY2-Wireguard name=bh.anh \
public-key="1"
/ip address
add address=10.22.20.254/24 interface=py2-lan network=10.22.20.0 *RouterB's LAN*
add address=10.255.255.254/24 interface=guest-lan network=10.255.255.0 *Guest LAN*
# NOTE(review): network= should be the subnet's network address, not the
# gateway; "network=WAN2-DG-IP" is presumably a placeholder artefact.
add address=WAN2-IP interface=ether2 network=WAN2-DG-IP *WAN2*
add address=10.22.0.253/24 interface=PY2-Wireguard network=10.22.0.0 *PY2-Wireguard*
/ip cloud
# Registers the router's public address with MikroTik cloud DDNS.
set ddns-enabled=yes
/ip dhcp-server network
add address=10.255.255.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.255.255.254
/ip dns
# NOTE(review): allow-remote-requests is not visible in the paste; if it is
# enabled, the empty input chain below exposes an open resolver on both WANs.
# Confirm with /ip dns print.
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
# LAN = directly attached networks plus the factory LAN 172.25.0.0/16 behind
# 10.22.20.253; VPN = the road-warrior range and Router A's factory LAN.
add address=172.25.0.0/16 list=LAN
add address=10.255.255.0/24 list=LAN
add address=10.22.20.0/24 list=LAN
add address=10.22.29.0/24 list=VPN
add address=172.20.0.0/16 list=VPN
/ip firewall filter
# NOTE(review): as on Router A, this accept is the only filter rule. Nothing
# drops unsolicited input from WAN (WinBox 8291 is therefore reachable from
# both uplinks) and there are no forward-chain rules, so guest-lan clients can
# route into py2-lan and the factory LAN behind 10.22.20.253. A minimal set to
# append after this rule (accept the networks you manage from before the
# input drop, or remote management is cut off):
#   add action=accept chain=input connection-state=established,related
#   add action=accept chain=input in-interface-list=LAN
#   add action=drop chain=input in-interface-list=WAN
#   add action=accept chain=forward connection-state=established,related
#   add action=drop chain=forward in-interface=guest-lan out-interface-list=!WAN
add action=accept chain=input dst-port=51248 in-interface-list=WAN protocol=\
udp
/ip firewall nat
# Publishes 10.22.20.253:443 on both uplinks to the whole Internet; narrow it
# with src-address-list= if the client set is known.
add action=dst-nat chain=dstnat dst-port=443 in-interface-list=WAN protocol=\
tcp to-addresses=10.22.20.253 to-ports=443
# NOTE(review): masquerade takes its source address from the outgoing
# interface and, as far as I recall, does not use to-addresses; if a fixed
# source address is intended, that is action=src-nat with an out-interface
# match. Separately, this is a literal public address in a post where every
# other WAN address was replaced by a placeholder — worth redacting the same
# way.
add action=masquerade chain=srcnat out-interface-list=WAN to-addresses=\
14.241.82.232
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
# Default routes in main: WAN2 at distance 4 versus the recursive 8.8.8.8
# route at distance 2 that resolves through WAN1-DG-IP (further down). While
# 8.8.8.8 answers over WAN1, main prefers WAN1 and WAN2 is only the fallback —
# the opposite of "WAN2 primary". Replies to sessions that arrive on WAN2-IP
# (WinBox, WireGuard client handshakes) are then sent out via WAN1 still
# carrying WAN2-IP as source, which the FTTH ISP is likely to discard as
# spoofed; that fits the reported WinBox symptom at least as well as an ISP
# filter. Fix either by making WAN2 the lowest-distance default (swap the
# distances) or by answering on the ingress uplink with marks, e.g.
#   /ip firewall mangle
#   add chain=input in-interface=ether2 connection-state=new \
#       action=mark-connection new-connection-mark=from-WAN2
#   add chain=output connection-mark=from-WAN2 \
#       action=mark-routing new-routing-mark=ILL-table
add check-gateway=ping disabled=no distance=4 dst-address=0.0.0.0/0 gateway=\
WAN2-DG-IP routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
# NOTE(review): next hop 10.22.0.254 is on PY2-Wireguard, but no peer lists it
# or 10.22.10.0/24 in allowed-address (see vpn-to-PY1), so this route
# presumably cannot carry traffic.
add disabled=no distance=4 dst-address=10.22.10.0/24 gateway=10.22.0.254 \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
WAN1-DG-IP routing-table=FTTH-table scope=30 suppress-hw-offload=no \
target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
WAN2-DG-IP routing-table=ILL-table scope=30 suppress-hw-offload=no \
target-scope=10
# Recursive default, usable only while 8.8.8.8 is reachable through the host
# route below.
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
8.8.8.8 routing-table=main scope=10 suppress-hw-offload=no target-scope=\
12
# 172.20.0.0/16 is Router A's factory LAN through the tunnel; 172.25.0.0/16 is
# this site's factory LAN behind 10.22.20.253 on py2-lan (no distance/scope
# given, so defaults apply).
add disabled=no distance=1 dst-address=172.20.0.0/16 gateway=PY2-Wireguard \ *To RouterA's Facotry LAN*
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no dst-address=172.25.0.0/16 gateway=10.22.20.253 routing-table=\ *To RouterB's Factory LAN*
main suppress-hw-offload=no
add check-gateway=ping disabled=no distance=2 dst-address=8.8.8.8/32 gateway=\
WAN1-DG-IP routing-table=main scope=10 suppress-hw-offload=no \
target-scope=11
# Host route pinning the site-to-site endpoint (Router A's WAN2 address) to
# WAN2 so the tunnel does not follow the main default above.
add comment=vpn-to-py1 disabled=no distance=1 dst-address=RouterA-WAN2-IP \
gateway=WAN2-DG-IP routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
/ip service
# NOTE(review): winbox is the only management service left enabled and has no
# address= restriction, so with the empty input chain it is open on both
# uplinks. Restrict it to the networks you manage from, e.g.
#   set winbox address=10.22.20.0/24,10.22.29.0/24,172.25.0.0/16
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Asia/Ho_Chi_Minh
/system identity
set name=PY2-Mikrotik-Router
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=vn.pool.ntp.org
/system routerboard settings
set enter-setup-on=delete-key