First, I want to thank you so much for your quick reply @anav. I apologize for duplicating the post; I have already report to delete it the other one in the beginner basics section.
Regarding your point, "This is not possible with a normal connection, let alone through a WireGuard tunnel," I understand that it is not possible. Therefore, I am asking if there is any other way to achieve this: "I want to upload files from that local device using the combined speed of the dual PPPoE connections." If you have any information about this, please let me know.
About the question, "What you have not made clear is which WAN will be hosting the WireGuard on the Server Peer (for handshake) wan1 or wan2?" I will choose WAN1, which is "PPPoE-Orange."
I have implemented the following changes based on your advice:Regarding the mangles:Here are the updated configurations:
Regarding your point, "This is not possible with a normal connection, let alone through a WireGuard tunnel," I understand that it is not possible. Therefore, I am asking if there is any other way to achieve this: "I want to upload files from that local device using the combined speed of the dual PPPoE connections." If you have any information about this, please let me know.
About the question, "What you have not made clear is which WAN will be hosting the WireGuard on the Server Peer (for handshake) wan1 or wan2?" I will choose WAN1, which is "PPPoE-Orange."
I have implemented the following changes based on your advice:
- Removed the persistent keepalive and private key from the configuration.
- Corrected the allowed IPs on the BRANCH Router to `10.0.0.0/24`.
- Ensured that the endpoint address reflects a dynamic IP setup using DDNS.
- Removed the input chain rule for WireGuard on the client peer for the handshake.
- Set TCP syn cookies to `no`.
- Set detect internet to `none`.
- Added the WireGuard interface to the LAN list.
Code:
/interface list membersadd interface=wireguard2 list=LAN- Clarified that the static IPs for WAN1 and WAN2 are incorrect, ensuring they are dynamic PPPoE connections.
- Added necessary firewall rules for better security.
- Structured the routes to avoid having two WANs at the same distance, ensuring proper failover.
Code:
/ip routeadd check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=PPPoE-Orange-Line routing-table=mainadd check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=PPPoE-Vodafone-Line routing-table=mainadd dst-address=0.0.0.0/0 gateway=PPPoE-Orange-Line routing-table=Orange-Lineadd dst-address=0.0.0.0/0 gateway=PPPoE-Vodafone-Line routing-table=Vodafone-Lineadd dst-address=192.168.88.0/24 gateway=wireguard2 routing-table=main- Ensured WireGuard traffic from the subnet is not caught in the PCC rules.
Code:
add chain=prerouting action=accept in-interface-list=LAN out-interface=wireguard2- Ensured handshakes hitting either WAN get returned via the same WAN.
Code:
add action=mark-connection chain=input connection-mark=no-mark in-interface=PPPoE-Orange-Line new-connection-mark=ISP1-conn passthrough=yesadd action=mark-connection chain=input connection-mark=no-mark in-interface=PPPoE-Vodafone-Line new-connection-mark=ISP2-conn passthrough=yesadd action=mark-routing chain=output connection-mark=ISP1-conn new-routing-mark=Orange-Line passthrough=noadd action=mark-routing chain=output connection-mark=ISP2-conn new-routing-mark=Vodafone-Line passthrough=no- Implemented the PCC mangles.
Code:
add action=mark-connection chain=forward connection-mark=no-mark dst-address-type=!local hotspot=auth in-interface-list=LAN passthrough=yes new-connection-mark=to-ISP1 per-connection-classifier=src-address-and-port:2/0add action=mark-connection chain=forward connection-mark=no-mark dst-address-type=!local hotspot=auth in-interface-list=LAN passthrough=yes new-connection-mark=to-ISP2 per-connection-classifier=src-address-and-port:2/1add action=mark-routing chain=prerouting connection-mark=to-ISP1 hotspot=auth new-routing-mark=Orange-Line passthrough=noadd action=mark-routing chain=prerouting connection-mark=to-ISP2 hotspot=auth new-routing-mark=Vodafone-Line passthrough=no- Main Branch Router:Code:
# 2024-06-12 20:12:27 by RouterOS 7.15# software id = XY70-9YIU## model = RBD53iG-5HacD2HnD/interface bridgeadd add-dhcp-option82=yes dhcp-snooping=yes fast-forward=no igmp-snooping=yes \ name=bridge1 port-cost-mode=short/interface wirelessset [ find default-name=wlan1 ] ssid=MikroTikset [ find default-name=wlan2 ] ssid=MikroTik/interface ethernetset [ find default-name=ether1 ] comment=Orange-Line-Interface name=\ ether1-Orangeset [ find default-name=ether4 ] comment=Vodafone-Line-Interface name=\ ether4-Vodafone/interface pppoe-clientadd disabled=no interface=ether1-Orange name=PPPoE-Orange-Line user=\ 0237876646add disabled=no interface=ether4-Vodafone name=PPPoE-Vodafone-Line user=\ 0237873072/interface wireguardadd listen-port=13231 mtu=1420 name=wireguard2/interface bondingadd mode=802.3ad name=bonding1 slaves=ether2,ether3/interface listadd name=WANadd name=LAN/interface wireless security-profilesset [ find default=yes ] supplicant-identity=MikroTik/ip pooladd name=POOL1 ranges=192.168.55.2-192.168.55.254/ip dhcp-serveradd address-pool=POOL1 interface=bridge1 lease-time=1h name=DHCP/routing tableadd disabled=no fib name=Vodafone-Lineadd disabled=no fib name=Orange-Line/interface bridge portadd bridge=bridge1 interface=ether5 internal-path-cost=10 path-cost=10add bridge=bridge1 interface=wlan1 internal-path-cost=10 path-cost=10add bridge=bridge1 interface=wlan2 internal-path-cost=10 path-cost=10add bridge=bridge1 interface=bonding1 internal-path-cost=10 path-cost=10/ip settingsset tcp-syncookies=no/interface detect-internetset detect-interface-list=none/interface list memberadd interface=bridge1 list=LANadd interface=PPPoE-Orange-Line list=WANadd interface=PPPoE-Vodafone-Line list=WANadd interface=wireguard2 list=LAN/interface wireguard peersadd allowed-address=10.0.0.0/24,192.168.88.0/24 interface=wireguard2 name=\ peer1 private-key="********************" \ public-key="******************************"/ip addressadd address=192.168.55.1/24 interface=bridge1 network=192.168.55.0add address=192.168.1.3/24 interface=ether1-Orange network=192.168.1.0add address=192.168.0.3/24 interface=ether4-Vodafone network=192.168.0.0add address=10.0.0.2/24 interface=wireguard2 network=10.0.0.0/ip cloudset ddns-enabled=yes/ip dnsset servers=192.168.55.1,8.8.8.8,8.8.4.4/ip firewall filteradd action=accept chain=input dst-port=13231 in-interface=PPPoE-Orange-Line \ protocol=udp/ip firewall mangleadd action=accept chain=prerouting in-interface=wireguard2 in-interface-list=\ LANadd action=accept chain=prerouting dst-address=192.168.1.0/24 in-interface=\ bridge1add action=accept chain=prerouting dst-address=192.168.0.0/24 in-interface=\ bridge1add action=accept chain=prerouting dst-address=192.168.55.0/24 in-interface=\ bridge1add action=mark-connection chain=prerouting connection-mark=no-mark \ connection-state=new in-interface=PPPoE-Orange-Line new-connection-mark=\ ISP1-conn passthrough=yesadd action=mark-connection chain=prerouting connection-mark=no-mark \ connection-state=new in-interface=PPPoE-Vodafone-Line \ new-connection-mark=ISP2-conn passthrough=yesadd action=mark-connection chain=input connection-mark=no-mark in-interface=\ PPPoE-Orange-Line new-connection-mark=ISP1-conn passthrough=yesadd action=mark-connection chain=input connection-mark=no-mark in-interface=\ PPPoE-Vodafone-Line new-connection-mark=ISP2-conn passthrough=yesadd action=mark-routing chain=output connection-mark=ISP1-conn \ new-routing-mark=Orange-Line passthrough=noadd action=mark-routing chain=output connection-mark=ISP2-conn \ new-routing-mark=Vodafone-Line passthrough=noadd action=mark-connection chain=forward connection-mark=no-mark \ dst-address-type=!local hotspot=auth in-interface-list=LAN \ new-connection-mark=ISP1-conn passthrough=yes per-connection-classifier=\ src-address-and-port:2/0add action=mark-connection chain=forward connection-mark=no-mark \ dst-address-type=!local hotspot=auth in-interface-list=LAN \ new-connection-mark=ISP2-conn passthrough=yes per-connection-classifier=\ src-address-and-port:2/1add action=mark-routing chain=prerouting connection-mark=ISP1-conn hotspot=\ auth new-routing-mark=Orange-Line passthrough=noadd action=mark-routing chain=prerouting connection-mark=ISP2-conn hotspot=\ auth new-routing-mark=Vodafone-Line passthrough=no/ip firewall natadd action=masquerade chain=srcnat comment=Orange-masquerade out-interface=\ PPPoE-Orange-Lineadd action=masquerade chain=srcnat comment=Vodafone-masquerade out-interface=\ PPPoE-Vodafone-Line/ip routeadd disabled=no distance=1 dst-address=0.0.0.0/0 gateway=PPPoE-Vodafone-Line \ routing-table=main scope=30 suppress-hw-offload=no target-scope=10add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=PPPoE-Orange-Line \ routing-table=main scope=30 suppress-hw-offload=no target-scope=10add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\ PPPoE-Orange-Line routing-table=Orange-Line scope=30 suppress-hw-offload=\ no target-scope=10add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\ PPPoE-Vodafone-Line routing-table=Vodafone-Line scope=30 \ suppress-hw-offload=no target-scope=10add disabled=no dst-address=192.168.88.0/24 gateway=wireguard2 routing-table=\ main suppress-hw-offload=noadd disabled=no distance=1 dst-address=0.0.0.0/0 gateway=PPPoE-Orange-Line \ routing-table=Orange-Line scope=30 suppress-hw-offload=no target-scope=10add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=PPPoE-Vodafone-Line \ routing-table=Vodafone-Line scope=30 suppress-hw-offload=no target-scope=\ 10
Second Branch Router:Code:# 2024-06-12 21:57:20 by RouterOS 7.15# software id = 3IWS-3MNN## model = RB951Ui-2HnD/interface bridgeadd add-dhcp-option82=yes dhcp-snooping=yes fast-forward=no igmp-snooping=yes \ name=Bridge1 port-cost-mode=short/interface wirelessset [ find default-name=wlan1 ] mode=ap-bridge name=Wlan1 ssid=MikroTik \ wireless-protocol=802.11/interface ethernetset [ find default-name=ether1 ] name=Ether1set [ find default-name=ether2 ] name=Ether2set [ find default-name=ether3 ] name=Ether3set [ find default-name=ether4 ] name=Ether4set [ find default-name=ether5 ] name=Ether5/interface pppoe-clientadd disabled=no interface=Ether1 name=PPPoE user=0236990051/interface wireguardadd listen-port=13231 mtu=1420 name=wireguard1/interface listadd name=WANadd name=LAN/interface wireless security-profilesset [ find default=yes ] supplicant-identity=MikroTik/ip ipsec proposalset [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc/ip pooladd name=POOL1 ranges=192.168.88.2-192.168.88.254/ip dhcp-serveradd address-pool=POOL1 interface=Bridge1 lease-time=1h name=DHCP1/interface bridge portadd bridge=Bridge1 interface=Ether5 internal-path-cost=10 path-cost=10add bridge=Bridge1 interface=Wlan1 internal-path-cost=10 path-cost=10/ip firewall connection trackingset udp-timeout=10s/ip neighbor discovery-settingsset discover-interface-list=none protocol=""/ip settingsset tcp-syncookies=no/interface detect-internetset detect-interface-list=none/interface list memberadd interface=Bridge1 list=LANadd interface=PPPoE list=WAN/interface wireguard peersadd allowed-address=10.0.0.0/24,192.168.55.0/24 endpoint-address=45.241.59.10 \ endpoint-port=13231 interface=wireguard1 name=peer2 persistent-keepalive=\ 25s private-key="*************************=" \ public-key="************************="/ip addressadd address=192.168.88.1/24 interface=Bridge1 network=192.168.88.0add address=192.168.1.3/24 interface=Ether1 network=192.168.1.0add address=10.0.0.1/24 interface=wireguard1 network=10.0.0.0/ip cloudset ddns-enabled=yes ddns-update-interval=1m/ip dnsset servers=8.8.8.8,8.8.4.4/ip firewall filteradd action=accept chain=forward dst-address=192.168.88.0/24 src-address=\ 192.168.55.0/24add action=accept chain=forward dst-address=192.168.55.0/24 src-address=\ 192.168.88.0/24/ip firewall natadd action=masquerade chain=srcnat comment="defconf: masquerade" \ out-interface-list=WAN/ip routeadd disabled=no dst-address=0.0.0.0/0 gateway=PPPoE routing-table=main \ suppress-hw-offload=noadd disabled=no distance=1 dst-address=192.168.55.0/24 gateway=wireguard1 \ routing-table=main scope=30 suppress-hw-offload=no target-scope=10
Statistics: Posted by memo009525 — Wed Jun 12, 2024 10:50 pm