TL;DR
I need to set up a Mikrotik Hex Refresh to route WhatsApp/FaceTime traffic from one WiFi network through VPN while keeping all other traffic on regular ISP. Looking for configuration guidance.
My Setup
I'm trying to configure a Mikrotik Hex Refresh as my main router with selective VPN routing for specific apps (WhatsApp/FaceTime) on one network segment while keeping normal ISP routing for everything else.
Hardware Configuration:
Code:
Internet Layer:
└─ ISP (1Gbps Fiber)
   └─ ONT (Optical Network Terminal)
      └─ Mikrotik Hex Refresh (Main Router)
         ├─ Port 1: WAN (from ONT)
         ├─ Port 2: Switch 1 (regular ISP access)
         ├─ Port 3: Switch 2 (regular ISP access)
         ├─ Port 4: Access Point (SSID: MYWIFI1 - regular ISP access)
         └─ Port 5: Access Point (SSID: MYWIFI2 - selective VPN routing)
Desired Routing Logic:
Code:
Traffic Routing:
├─ Ports 2,3,4 (including MYWIFI1):
│  → Regular ISP connection
└─ Port 5 (MYWIFI2):
   ├─ WhatsApp/FaceTime traffic → Windscribe WireGuard VPN
   └─ All other traffic → Regular ISP connection
VPN Details:
I'm using Windscribe with WireGuard. My configuration is:
Code:
[Interface]
PrivateKey = yb2xT3u98lPqkR4V6gNhUw7Zp5XJdCq0LmMv1AqEzXY=
Address = 100.101.181.14/32
DNS = 10.255.255.3

[Peer]
PublicKey = Dq8Mv0Y9LkJhX7T2bKn5Rq4Vp1Cq3NzAwLqZJg8YXYw=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = example-wg.example.com:65142
PresharedKey = pQ7xLmN9VqK4T2Cj5ZbX1R4JdCq0AwY8Mv3NzLqXYw=
WhatsApp/FaceTime IPs:
I have the following IP ranges for routing through VPN:
- WhatsApp ranges: 31.13.0.0/16, 66.220.144.0/20, 69.63.176.0/20, etc.
- Apple/FaceTime: 17.0.0.0/8
Code:
31.13.0.0/16
34.252.184.159/32
35.72.108.16/32
52.48.8.54/32
66.220.144.0/20
69.63.176.0/20
69.171.0.0/16
102.132.96.0/20
129.134.0.0/16
157.240.0.0/16
163.70.138.62/32
173.252.0.0/16
179.60.192.0/22
185.60.216.0/22
185.166.143.38/32
199.201.64.0/22
204.15.20.0/22
17.0.0.0/8
Questions and Concerns:
- VPN Kill Switch: I want to disable any kill switch functionality so if the VPN goes down, traffic will fall back to regular ISP.
- Implementation Approach: What's the best way to implement this policy-based routing on the Mikrotik?
- VLAN Configuration: Do I need to set up VLANs to properly isolate the networks?
- Firewall Rules: What firewall rules would I need to make this work properly?
Any guidance or example configurations would be extremely helpful. Thank you!
Statistics: Posted by 3zzy — Tue Mar 04, 2025 4:12 am
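As an added example (not from the original post, nor MikroTik's or Windscribe's own configuration), here is a RouterOS v7 configuration that answers the four questions: policy routing via a routing mark, fallback to the ISP instead of a kill switch via check-gateway, the NAT and forward rules needed, and no VLAN because MYWIFI2 already sits on its own port. The names wg-windscribe, vpn, vpn-dst and the MYWIFI2 subnet 192.168.52.0/24 are assumptions, and the keys are placeholders.

```routeros
# Added example (not from the original post). Assumptions: RouterOS v7, ether5 (MYWIFI2)
# is its own L3 segment 192.168.52.0/24 (constructed), the ISP default route is already
# in the main table, and 10.255.255.3 (the Windscribe DNS address from the post) answers
# ping inside the tunnel. All keys are placeholders.

# 1. WireGuard client interface matching the [Interface]/[Peer] sections of the post
/interface wireguard add name=wg-windscribe listen-port=13231 \
    private-key="PRIVATE_KEY_PLACEHOLDER"
/interface wireguard peers add interface=wg-windscribe \
    public-key="PEER_PUBLIC_KEY_PLACEHOLDER" preshared-key="PRESHARED_KEY_PLACEHOLDER" \
    endpoint-address=example-wg.example.com endpoint-port=65142 \
    allowed-address=0.0.0.0/0 persistent-keepalive=25s
/ip address add address=100.101.181.14/32 interface=wg-windscribe

# 2. Separate routing table for VPN-bound flows
/routing table add name=vpn fib

# 3. Host route to the in-tunnel check target (scope=10 so the default route below can
#    resolve through it), then a default route in table "vpn" that is only active while
#    that target answers ping. When the tunnel dies the route goes inactive, table "vpn"
#    has no match, and the lookup falls through to main (ISP): fallback, not kill switch.
/ip route add dst-address=10.255.255.3/32 gateway=wg-windscribe scope=10
/ip route add dst-address=0.0.0.0/0 gateway=10.255.255.3 routing-table=vpn \
    check-gateway=ping comment="via Windscribe; inactive (fallback to ISP) when down"

# 4. The destination ranges listed in the post, collected in one address list
:foreach p in={"31.13.0.0/16";"34.252.184.159/32";"35.72.108.16/32";"52.48.8.54/32";
    "66.220.144.0/20";"69.63.176.0/20";"69.171.0.0/16";"102.132.96.0/20";
    "129.134.0.0/16";"157.240.0.0/16";"163.70.138.62/32";"173.252.0.0/16";
    "179.60.192.0/22";"185.60.216.0/22";"185.166.143.38/32";"199.201.64.0/22";
    "204.15.20.0/22";"17.0.0.0/8"} do={
    /ip firewall address-list add list=vpn-dst address=$p comment="WhatsApp/FaceTime"
}

# 5. Policy routing: only MYWIFI2 sources going to listed destinations get the "vpn" mark;
#    every other flow, and all of ports 2-4, never sees this rule
/ip firewall mangle add chain=prerouting src-address=192.168.52.0/24 \
    dst-address-list=vpn-dst action=mark-routing new-routing-mark=vpn passthrough=no \
    comment="MYWIFI2 -> WhatsApp/FaceTime via Windscribe"

# 6. Masquerade behind the tunnel address; the existing ISP masquerade handles the rest
/ip firewall nat add chain=srcnat out-interface=wg-windscribe action=masquerade

# 7. Permit the marked flows out through the tunnel ahead of a restrictive forward chain
/ip firewall filter add chain=forward src-address=192.168.52.0/24 \
    out-interface=wg-windscribe action=accept place-before=0 comment="MYWIFI2 -> VPN"
```

Routing marks are applied per packet in mangle, and the default hEX firewall's fasttrack-connection rule lets packets of established connections bypass mangle, so exclude these flows from fasttrack (for example by adding dst-address-list=!vpn-dst to that rule) or only the first packets of each connection will take the tunnel.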