Hey guys, just pinning some useful links that you can use to configure Dynamic Routing with Wireguard on MikroTik (Sorry for some pops in the audio, I only realized after recording that the filter was touching the mic and whenever I would hit the table it would make a very slight pop
MikroTik WG:
help.mikrotik.com/docs/display/ROS/WireGuard
MikroTik BGP:
help.mikrotik.com/docs/display/ROS/BGP
MikroTik OSPF:
help.mikrotik.com/docs/display/ROS/OSPF
Always pleasure to see new video 😊
🎉🎉🎉🎉 awaiting for it, GURU JI
This video was awesome and fun to follow. you should consider doing a similar one for pfsense although the concept is very similar. A+ to you.
I managed to do this; I can interconnect two cities using a common broadband link and even mirror a private IP block, making the network of both places appear as if it were the same network
Hello,
everything works, iBGP works - it will break
now i will configure ospf as additional routers
thanks for the material
Regards
Daniel
can i like this video twice? :) thx, nice tutorial
That was pretty sweet! Using WireGuard rather than IPsec seems a more modern method. Also I've noticed route flapping can occur if you share all routes over the tunnel. Would you be able to address how to mitigate this in a video please?
Hi friend, thanks for the video. Now a few questions: when you create the WireGuard tunnel there is communication B-C and A-C, right? There is no communication between A and B until you configure BGP?
I run that with OSPF since a while already. Same way - 0/0 on the WG Allowed nets. Plus a little Route-Filtering. Works neatly and so much more stable than it used to be when I had used SSTP.
Wow !!
Is there the possibility to use BGP for road warriors?
How much does it increase the speed?
Is there a script of your tutorial?
Too much question ..... hehehehe
Thanx for your great work :)
you are so elegant man..! i love your video ..⬆
Thank you so much 😀
Can you make a video explaining, with an example, each mangle chain rule and action rule? I want to understand how each one works.
Thanks for this beautiful work sir... God bless you so much. I'd like to ask how you made this topology with that well-designed internet?
I use an emulator called EVE-NG, the cloud is really just a cloud PNG that hides a couple of routers behind it to act as the internet. But it looks nice ;D!
Means you downloaded that cloud PNG and uploaded that in your EVE
Yes I Know it's EVE but never seen that cloud in Eve tho 🤣😂
Ahhh yeah, this is another "Pro" feature, it allows you to upload images directly into your topology. Not worth the $$$ if you just want to do this, but it does make labs look a lot nicer.
I watched your awesome video multiple times to ensure I did not miss a step. Wrote a procedures manual for my setup to have as a handy reference for the topology I have. I have all three routers talking to each other and each router can get to the others' LAN. iBGP is working and reflecting the routes. I threw in a road warrior which can connect and see all the networks distributed via iBGP. HOWEVER, my LAN clients (on the hub router), for example my desktop, cannot ping the other LAN addresses across the routers; it can ping the tunnel addresses on both sides of the tunnel, but again, not past the tunnel endpoints. This leads me to believe it has something to do with iBGP. I have gone through the settings over a dozen times and still cannot figure out why my local network clients cannot see the other LANs. Can you offer up any pointers? Thanks!
I have tried this but seem to be running into a bit of a snag. All is in order, however it seems like site C isn't routing site B traffic or pings to site A.
Can you create another video with WG but with OSPF? For multiple remote sites
Awesome stuff. What software do you use for lab simulation?
It's called EVE-NG a network emulator similar to GNS3
@TheNetworkBerg Thanks a lot.
Your video is awesome! I configured BGP in a MikroTik very fast. I only have a little problem. I would like to redirect "all traffic" from the other sites across my site. As you know, I need to mark traffic to send across WireGuard. I tried to enable the default originate flag in "always" and in the remote site selected my routing table, but it does not work. Could you please help me? Any idea?
Thanks!!!
Please make a video about WireGuard client-to-server setup on a hAP ac3 to make WiFi users connect exactly, without cuts or any problem.
I wonder what to do if public WiFi is blocking "WG", like blocking UDP or something like that. Even using open ports did not make my device handshake :/ Mostly airport WiFis. Btw, thanks for your tutorials!
Hi, I've got a question about WireGuard with the built-in DDNS option. When I've done a config with DDNS and an IPsec connection between a MikroTik with DDNS and a 3rd-party router with a static public IP, everything is OK. When I try to do the same thing with WireGuard it's not working and even hitting the firewall. The configuration is OK because when I use the public IP with the same configuration it is OK, so what's the difference between DDNS IPsec and DDNS WireGuard?
Hey. Could you please do a video where you show how to connect 3 locations with EoIP tunnels over IPsec (do not merge them in a hub) and run OSPF on loopback interfaces on each office router? Then configure iBGP from each loopback and make server's traffic exchange via iBGP with even prefix filtering from wherever point you want? I was told this is good approach to connect 3 offices. Or some other approach to rock solid connections between different locations. Many thanks in advance!
Dear, which is the cheapest WireGuard service provider monthly?
The BGP part was interesting. It seemed like quite a bit of extra work, and you never noted any potential need for firewall rules. Assuming traffic is coming on the connected routes one would still need some forward chain rules etc. In other words, achieving the same functionality, connecting routers, within WireGuard (allowed IPs, firewall rules, routes if necessary) on the surface seems actually easier to me. We can also force any subnet through WireGuard to use the WAN of another router. Being only a home user, I probably won't need BGP etc, but I think the value must come in economies of scale (the more complex the connections between routers) where BGP would really shine. Can you point out some other advantages to the BGP method vice just straight WireGuard? Thanks!
Wow❤❤❤❤
Is that method on Mullvad?
Things have changed a lot in WireGuard setups in ver 7.13.1, we need an updated video
Which VPN is cheaper than Mullvad as WireGuard that supports MikroTik?
Hello,
great material, I understand that it will also work with OSPF?
Regards
Daniel
Yes, it will also work with OSPF. Sorry if the translation is wrong, I am using Google Translate.
@TheNetworkBerg hello, the translation is OK; thank you for the reply; is this type of tunnel more efficient than IP-IP or others?
I kindly ask for a reply
Regards
Daniel
Please enable OS7 prefix count option as soon as possible
Hey NetworkBerg! One more great video! Thank you.
I have a question regarding the site-to-site connections setup.
So you used different ports and two separate IP addresses on the Wireguard interface on Site-C to connect from there as the initiator of the VPN tunnels to the other two sites.
What if you did this the other way around; that is: 1) you kept the port number common across all sites; 2) you had only one Wireguard interface with only one IP address on all sites; including Site-C and 3) connect from Site-A and Site-B as the initiators of the VPN communication to the same Wireguard interface (same public key; same port) on Site-C (using of course for all sites Wireguard IP addresses a /29 subnet or any other mask that would permit at least three IP addresses on the same network). Would that work?
Hello, Site-C is not the initiator; both Site-A and Site-B are initiators as only they have an endpoint and endpoint port set. You can set up dynamic routing using a single interface at Site-C (meaning a single port across the board) but this needs a lot of tuning, especially if you want to introduce OSPF.
You will also in this case have to manually tweak every peer every time you want to advertise a new network, as you will have to specify allowed-from addresses, since Site-C (the hub) cannot have 0.0.0.0/0 as an allowed-address to both Site-A and Site-B over its peers. You will experience routing loops if you do create the allowed-from addresses correctly and your routers will start to fall over.
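The reply above says the hub cannot hand 0.0.0.0/0 to both Site-A and Site-B as an allowed-address, and that getting the per-peer allowed-addresses wrong produces routing loops. The following Python model is added here to show why; it is not from the video, the channel, or MikroTik, and the LAN and tunnel addresses in it are constructed. It reproduces the behaviour from WireGuard's cryptokey routing rules: a prefix belongs to exactly one peer per interface (assigning it to a second peer moves it), outbound packets go to the peer owning the longest matching prefix, and inbound packets are dropped unless their source address lies inside the sending peer's allowed-addresses.

```python
"""Model of WireGuard allowed-address (cryptokey routing) behaviour at a hub.

Added example, not code from the video or from MikroTik. Addressing below is
constructed: Site-A LAN 192.168.1.0/24, Site-B LAN 192.168.2.0/24,
hub LAN 192.168.3.0/24, tunnel addresses 10.255.0.1 (hub), .2 (A), .3 (B).
"""
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


class WireGuardInterface:
    """One WG interface: a prefix -> peer table with longest-prefix-match lookup.

    Every prefix belongs to exactly one peer; adding a prefix another peer already
    holds silently moves it, which is the trap with 0.0.0.0/0 on two hub peers.
    """

    def __init__(self, name: str) -> None:
        self.name = name
        self.table: Dict[IPv4Network, str] = {}

    def add_peer(self, peer: str, allowed: List[str]) -> None:
        for prefix in allowed:
            self.table[ip_network(prefix, strict=False)] = peer

    def peer_for(self, dst: str) -> Optional[str]:
        """Outbound: the peer owning the longest allowed-address that covers dst."""
        addr = ip_address(dst)
        hits = [net for net in self.table if addr in net]
        if not hits:
            return None
        return self.table[max(hits, key=lambda net: net.prefixlen)]

    def accepts_from(self, peer: str, src: str) -> bool:
        """Inbound: a decrypted packet is accepted only if its source address
        is inside an allowed-address that belongs to the peer it arrived from."""
        return self.peer_for(src) == peer


# Constructed lab addressing (assumption, not taken from the video)
LANS: Dict[str, IPv4Network] = {
    "hub": ip_network("192.168.3.0/24"),
    "siteA": ip_network("192.168.1.0/24"),
    "siteB": ip_network("192.168.2.0/24"),
}
TUNNEL = {"hub": "10.255.0.1/32", "siteA": "10.255.0.2/32", "siteB": "10.255.0.3/32"}
Topology = Dict[str, Tuple[WireGuardInterface, IPv4Network]]


def build(hub_allowed_a: List[str], hub_allowed_b: List[str]) -> Topology:
    """Hub with two peers; each spoke has one peer (the hub) with 0.0.0.0/0."""
    hub, site_a, site_b = (WireGuardInterface(n) for n in ("hub", "siteA", "siteB"))
    hub.add_peer("siteA", hub_allowed_a)
    hub.add_peer("siteB", hub_allowed_b)
    site_a.add_peer("hub", ["0.0.0.0/0"])
    site_b.add_peer("hub", ["0.0.0.0/0"])
    return {"hub": (hub, LANS["hub"]), "siteA": (site_a, LANS["siteA"]),
            "siteB": (site_b, LANS["siteB"])}


def good_topology() -> Topology:
    # Hub lists, per peer, only that spoke's tunnel address and the LAN behind it.
    return build([TUNNEL["siteA"], "192.168.1.0/24"], [TUNNEL["siteB"], "192.168.2.0/24"])


def bad_topology() -> Topology:
    # Hub tries to give 0.0.0.0/0 to both spokes; the second assignment wins.
    return build(["0.0.0.0/0"], ["0.0.0.0/0"])


def deliver(topo: Topology, src: str, dst: str, start: str, ttl: int = 8) -> Tuple[str, str, int]:
    """Walk a packet node to node until delivered, dropped, or bouncing past ttl
    hops (a routing loop). Returns (outcome, node, hops)."""
    here = start
    for hop in range(ttl):
        wg, lan = topo[here]
        if ip_address(dst) in lan:
            return ("delivered", here, hop)
        nxt = wg.peer_for(dst)
        if nxt is None:
            return ("dropped", here, hop)        # no allowed-address covers dst
        if not topo[nxt][0].accepts_from(here, src):
            return ("dropped", nxt, hop + 1)     # fails the receiver's source check
        here = nxt
    return ("loop", here, ttl)


if __name__ == "__main__":
    for label, topo in (("per-peer allowed-address", good_topology()),
                        ("0.0.0.0/0 on both hub peers", bad_topology())):
        print(label)
        print("  A -> B:", deliver(topo, "192.168.1.10", "192.168.2.10", "siteA"))
        print("  B -> A:", deliver(topo, "192.168.2.10", "192.168.1.10", "siteB"))
```

With per-peer allowed-addresses both directions deliver in two hops. With 0.0.0.0/0 on both hub peers, Site-A's packets fail the hub's inbound source check (the hub now believes everything belongs to Site-B), and Site-B's packets are sent back to Site-B by the hub and bounce between the two until the TTL runs out. This is why the spokes can keep 0.0.0.0/0 towards the hub while the hub must list one prefix set per spoke, and why every newly advertised network has to be added to the matching peer on the hub.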
@The Network Berg - I don't understand why we need to tick BGP on output-redistribute since we've got the RR running. I don't think that is the same case on v6.
Hmmmmm I agree that this should just push through with using an RR, but for this WG setup I had to redist routes. Let me tweak around a bit and see if there is any answer. Will see if I can export the lab for more people to play around with the setup. I initially just used EBGP with default originates which worked awesomely but wanted to try and incorporate with IBGP as well
Bro, my WireGuard shows a TX error. I am using Mullvad, I need your help.
Behind fw and NAT it doesn't work as described, it's very tricky to make it work properly
Yeah, it does become more complex if both ends sit behind a NAT, which is why most use-cases recommend at least one side having a static/public address. If both ends are on dynamic connections you could request for some port forwarding to be done to get this working if you do not manage the router where the NAT is happening. Alternatively you could also connect using something like ZeroTier, or create a "VPN concentrator" on a cloud provider like AWS/Azure/Linode/Oracle VPS, where they will basically give you a public IP and you can form VPN connections from all your MikroTiks.
Where has the role ibgp rr client gone in ROS7? There is no ibgp rr client in Inbox on Mac
/routing/bgp/connection> set local.role=
ebgp ebgp-customer ebgp-peer ebgp-provider ebgp-rs ebgp-rs-client ibgp ibgp-rr
They have removed client; you can just use ibgp, it serves the same purpose.
@TheNetworkBerg thanks. I did try that but the session didn't come up. I'll try again though.
Can one also run OSPF via WireGuard?
Yes, if you use a single interface you will have to define static neighbors and using ptp type, else you can follow the exact same steps in this video, I could make another video featuring OSPF if that would make things easier?
@TheNetworkBerg thanks a lot 🙏🙏 for the response. Would give it a try.
Yes please run an OSPF over WireGuard vid. I can't get it to work. Added static neighbours with the WG interface and a PTP template but stuck in INIT on one end and nothing at the other end. Probably missing something. Great videos. @TheNetworkBerg
doh! Matter fixed it. Was firewall issue. Allowed ospf (89) input and bingo all good.
I want to redirect all the remote sites traffic to a firewall below the main router. What should I configure in the main router?