Chasteaux
just joined
Topic Author
Posts: 2
Joined: Sat Nov 26, 2022 7:29 am

Route specific source connections through WG

Sat Nov 26, 2022 7:43 am

I am sure I am missing something basic.
I am trying to route traffic from a specific list of hosts through a WireGuard VPN.
# nov/25/2022 21:36:20 by RouterOS 7.6
# software id = 18FZ-89CU
#
# model = RB3011UiAS
/ip firewall address-list
add address=192.168.88.253 list=wireguard
I set up WireGuard on my router:
# nov/25/2022 23:41:45 by RouterOS 7.6
# software id = 18FZ-89CU
#
# model = RB3011UiAS

/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface wireguard peers
add endpoint-address=us9690.nordvpn.com endpoint-port=51820 interface=wireguard1 persistent-keepalive=25s public-key=\
    "<pub>"
Now, how do I tell it to route everything from that list through the WireGuard VPN, but still allow LAN connections (192.168.88.0/24)?
 
anav
Forum Guru
Posts: 14522
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Route specific source connections through WG

Sun Nov 27, 2022 3:34 am

Need the full config please, if I am to be of assistance.
/export hide-sensitive file=anynameyouwish (minus the router serial number and any public WAN IP information)
 
wuhoatu
just joined
Posts: 8
Joined: Tue Nov 15, 2022 4:22 am

Re: Route specific source connections through WG  [SOLVED]

Sun Nov 27, 2022 8:17 am

Put this at the top of the mangle tab, so it will accept all your local connections without routing them to any other interface.
/ip firewall mangle
add action=accept chain=prerouting disabled=no src-address=192.168.88.0/24 dst-address=192.168.88.0/24 in-interface=BridgeLAN
Then you can route the connections of an IP list via the VPN routing table, with dst-address-type not local:
/ip firewall mangle
add action=mark-routing chain=prerouting src-address-list=ListA dst-address-list=ListB dst-address-type=!local new-routing-mark=VPN_routing_table passthrough=no
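The two mangle rules above only mark packets: nothing happens unless a routing table with that mark exists and holds a route through the tunnel, and replies only come back if the tunnel traffic is source-NATed. The following is an added example, not wuhoatu's or the OP's configuration, that fills in those pieces for this thread's setup. It reuses the OP's address list "wireguard", wuhoatu's bridge name "BridgeLAN" and the interface "wireguard1"; the table name usWG1, the tunnel address 10.5.0.2/32, the allowed-address on the peer and the interface list "WAN" are assumptions that have to match your own router.

```routeros
# Added example: mangle-based policy routing of the hosts in address list
# "wireguard" through wireguard1. Names not in the thread (usWG1, 10.5.0.2/32,
# interface list WAN) are assumptions; the provider assigns the real tunnel IP.

# 1. The tunnel interface needs an address, and the peer must be allowed to
#    carry any destination, otherwise WireGuard silently drops marked traffic.
/ip address
add address=10.5.0.2/32 interface=wireguard1 comment="assumed tunnel IP"
/interface wireguard peers
set [find interface=wireguard1] allowed-address=0.0.0.0/0

# 2. A separate routing table whose only route is the tunnel. Deliberately no
#    fallback route here: if wireguard1 is down, marked packets have nowhere to go.
/routing table
add name=usWG1 fib
/ip route
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=usWG1

# 3. Mangle: leave LAN-to-LAN alone, mark everything else from the listed hosts.
#    dst-address-type=!local keeps DNS/WinBox traffic to the router itself unmarked.
/ip firewall mangle
add chain=prerouting action=accept in-interface=BridgeLAN \
    src-address=192.168.88.0/24 dst-address=192.168.88.0/24 \
    comment="LAN stays local, never marked"
add chain=prerouting action=mark-routing new-routing-mark=usWG1 passthrough=no \
    src-address-list=wireguard dst-address-type=!local \
    comment="listed hosts -> table usWG1"

# 4. Source NAT on the tunnel so the provider can return the replies.
/ip firewall nat
add chain=srcnat out-interface=wireguard1 action=masquerade

# 5. Kill switch: if a listed host's packet still reaches the WAN (for example
#    because the mangle rule was disabled by mistake), drop it instead of
#    leaking it. Keep this above the fasttrack/established accept rules.
/ip firewall filter
add chain=forward action=drop src-address-list=wireguard out-interface-list=WAN \
    place-before=0 comment="kill switch for VPN-only hosts"
```

The filter rule in step 5 is the check worth keeping even if everything else is working: a routing mark is easy to lose by editing a rule, and without the drop the affected hosts fall back to the main table and the plain WAN without any visible error.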
 
Chasteaux
just joined
Topic Author
Posts: 2
Joined: Sat Nov 26, 2022 7:29 am

Re: Route specific source connections through WG

Mon Nov 28, 2022 11:42 pm

wuhoatu wrote:
    Put this at the top of the mangle tab, so it will accept all your local connections without routing them to any other interface.
    /ip firewall mangle
    add action=accept chain=prerouting disabled=no src-address=192.168.88.0/24 dst-address=192.168.88.0/24 in-interface=BridgeLAN
    Then you can route the connections of an IP list via the VPN routing table, with dst-address-type not local:
    /ip firewall mangle
    add action=mark-routing chain=prerouting src-address-list=ListA dst-address-list=ListB dst-address-type=!local new-routing-mark=VPN_routing_table passthrough=no
I got it to work by adding a new routing table with the WireGuard interface as the default gateway, and creating routing rules that use this table for the specific clients I want to go through the VPN.
Is that basically what this mangle rule is doing?
/routing table
add fib name=usWG1
/ip route
# main table: default route via the WAN gateway
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.2.1
# usWG1 table: default route via the tunnel
add disabled=no dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=usWG1 suppress-hw-offload=no
/routing rule
# action=lookup: these clients are looked up in usWG1 first; a destination not found there falls through to main
add action=lookup disabled=no src-address=192.168.88.254/32 table=usWG1
add action=lookup disabled=no src-address=192.168.88.250/32 table=usWG1
add action=lookup disabled=no src-address=192.168.88.251/32 table=usWG1
 
anav
Forum Guru
Posts: 14522
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Route specific source connections through WG

Tue Nov 29, 2022 1:31 am

That is the better way, yes; you can do an entire subnet or 3 individual users. All good.

By the way, if they also need to access a different subnet on the LAN, just put another routing rule BEFORE the WG ones, so that they can access local devices, like a printer.
/routing rule
add dst-address=IPofPrinter action=lookup-only-in-table table=main
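Putting the thread's final approach together, as an added example that is neither the OP's export nor anav's rule: routing rules for the three hosts, with the LAN exceptions anav describes placed first, and with lookup-only-in-table instead of the OP's lookup so that a host never falls through to the main table and the plain WAN when usWG1 has no active route. The table name usWG1, the host addresses and the interface wireguard1 come from the thread; the tunnel address 10.5.0.2/32, the peer allowed-address, the masquerade rule and the printer address 192.168.10.20 on a second LAN subnet are assumptions for the example.

```routeros
# Added example: routing-rule policy routing for three hosts with no WAN fallback.
# From the thread: table usWG1, hosts .254/.250/.251, interface wireguard1.
# Assumptions: tunnel IP 10.5.0.2/32, printer at 192.168.10.20 on another LAN subnet.

# Tunnel address and peer permission; without allowed-address=0.0.0.0/0 the
# peer will not carry traffic for arbitrary destinations.
/ip address
add address=10.5.0.2/32 interface=wireguard1 comment="assumed tunnel IP"
/interface wireguard peers
set [find interface=wireguard1] allowed-address=0.0.0.0/0

/routing table
add name=usWG1 fib
/ip route
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=usWG1

# Rules are evaluated top to bottom. Local destinations first, resolved only in
# main (where the connected routes live), then the VPN-only hosts.
/routing rule
add src-address=192.168.88.0/24 dst-address=192.168.88.0/24 \
    action=lookup-only-in-table table=main comment="own LAN"
add src-address=192.168.88.0/24 dst-address=192.168.10.20/32 \
    action=lookup-only-in-table table=main comment="printer on other subnet (assumed IP)"
# lookup-only-in-table: when usWG1 has no active route (wireguard1 disabled,
# route removed) the packet is dropped. action=lookup would instead fall
# through to main and send the host out the plain WAN.
add src-address=192.168.88.254/32 action=lookup-only-in-table table=usWG1
add src-address=192.168.88.250/32 action=lookup-only-in-table table=usWG1
add src-address=192.168.88.251/32 action=lookup-only-in-table table=usWG1

/ip firewall nat
add chain=srcnat out-interface=wireguard1 action=masquerade

# Verification: rule order, the tunnel route being active, and a recent handshake.
/routing rule print
/ip route print where routing-table=usWG1
/interface wireguard peers print detail
```

One caveat on what lookup-only-in-table does and does not cover: a WireGuard interface stays in the running state even when the peer has stopped answering, so the usWG1 route remains active and traffic from those hosts is black-holed into the dead tunnel rather than leaked. That is the intended failure mode for VPN-only hosts, but it means "tunnel down" shows up as the hosts losing connectivity, so check last-handshake in the peers print above before hunting for a routing problem.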
