Hey there,
we're using an ER3-Lite to load balance between our two 100k/40k PPPoE connections. That works very well and we don't have any issues with the internet connection.
Let's assume the topology looks like this:
pppoe0: 192.0.2.1
pppoe1: 192.0.2.2
show ip route (the default routes) looks like this:
K *> 0.0.0.0/0 [0/0] via pppoe1
S 0.0.0.0/0 [1/0] is directly connected, pppoe1 inactive
S 0.0.0.0/0 [100/0] is directly connected, pppoe0
However, we would now like to use WireGuard for remote access to this network. The installation process is quite easy, but we can only get a handshake with one of our two IPs. We dug a little deeper with tcpdump and found out that if we connect to WireGuard using the IP 192.0.2.1 (pppoe0), the UDP reply packet leaves on the interface pppoe1 (192.0.2.2). But the firewall of my home network's router (German AVM FritzBox) blocks the reply coming from this different IP to this port and sends an ICMP "filtered" response. In addition, the most recently connected link becomes the default interface. So when one link goes down and comes back up, it is the new default gateway, and we have to change our WireGuard client config to connect to the other IP. Very annoying.
With TCP services like SSH there's no problem, since the reply is tracked and leaves on the interface the connection arrived on.
The main question is now: How do we get the EdgeRouter or WireGuard to reply on the interface the traffic came in on? Do we have to use firewall rules that track the packets and put them into the right routing table, or is there a more elegant way to do it?
Here's our config. As you can see, we've already played around with the static routes and metrics.
Thank you very much in advance
firewall { all-ping enable broadcast-ping disable group { network-group PRIVATE_NETS { network 192.168.0.0/16 network 172.16.0.0/12 network 10.0.0.0/8 } } ipv6-receive-redirects disable ipv6-src-route disable ip-src-route disable log-martians enable modify balance { rule 10 { action modify destination { group { network-group PRIVATE_NETS } } modify { : firewall { all-ping enable broadcast-ping disable group { network-group PRIVATE_NETS { network 192.168.0.0/16 network 172.16.0.0/12 network 10.0.0.0/8 } } ipv6-receive-redirects disable ipv6-src-route disable ip-src-route disable log-martians enable modify balance { rule 10 { action modify destination { group { network-group PRIVATE_NETS } } modify { table main } } rule 20 { action modify destination { group { address-group ADDRv4_pppoe0 } } modify { table main } } rule 30 { action modify destination { group { address-group ADDRv4_pppoe1 } } modify { table main } } rule 110 { action modify modify { lb-group G } } } name WAN_IN { default-action drop rule 10 { action drop log disable protocol all state { established disable invalid enable new disable related disable } } rule 20 { action accept log disable protocol all state { established enable invalid disable new disable related enable } } } name WAN_LOCAL { default-action drop rule 10 { action drop log disable protocol all state { established disable invalid enable new disable related disable } } rule 20 { action accept log disable protocol all state { established enable invalid disable new disable related enable } } rule 30 { action accept protocol icmp } rule 40 { action accept destination { port 3333 } protocol tcp } rule 50 { action accept description WireGuard destination { port 51820 } protocol udp } } options { mss-clamp { interface-type pppoe mss 1452 } } receive-redirects disable send-redirects enable source-validation disable syn-cookies enable } interfaces { ethernet eth0 { duplex auto speed auto vif 7 { firewall { in { name WAN_IN } local { name WAN_LOCAL 
} } mtu 1500 pppoe 0 { default-route force description "DSL1" firewall { in { name WAN_IN } local { name WAN_LOCAL } } mtu 1492 name-server auto password ******* user-id secret } } } ethernet eth1 { duplex auto speed auto vif 7 { firewall { in { name WAN_IN } local { name WAN_LOCAL } } mtu 1500 pppoe 1 { default-route force description "DSL2" firewall { in { name WAN_IN } local { name WAN_LOCAL } } mtu 1492 name-server auto password **************** user-id secret } } } ethernet eth2 { address 10.10.0.1/24 duplex auto firewall { in { modify balance } } speed auto } loopback lo { } wireguard wg0 { address 172.16.1.1/24 listen-port 51820 mtu 1400 peer 0OcxuvnY8tvciYVos1Y9jbZf0nasGGd6IHsSfhVM/MGU= { allowed-ips 172.16.1.10 description Client1 } private-key **************** route-allowed-ips true } } load-balance { group G { interface pppoe0 { route-test { count { failure 3 success 1 } initial-delay 10 interval 10 } } interface pppoe1 { route-test { count { failure 3 success 1 } initial-delay 10 interval 10 } } lb-local enable lb-local-metric-change disable sticky { source-addr enable } } } port-forward { auto-firewall enable lan-interface eth2 rule 1 { description Server1 forward-to { address 192.168.1.100 port 22 } original-port 3322 protocol tcp_udp } wan-interface pppoe0 } protocols { static { interface-route 0.0.0.0/0 { next-hop-interface pppeo1 { distance 101 } next-hop-interface pppoe0 { distance 100 } next-hop-interface pppoe1 { } } route 10.20.0.0/16 { next-hop 10.10.0.2 { description Network20 distance 1 } } route 192.168.0.0/16 { next-hop 10.10.0.2 { description Network192 distance 1 } } } } service { dhcp-server { disabled false hostfile-update disable shared-network-name Network20 { authoritative disable subnet 10.20.0.0/16 { default-router 10.20.0.1 dns-server 10.20.0.1 lease 86400 start 10.20.10.1 { stop 10.20.20.254 } } } shared-network-name Router-Bridge { authoritative disable subnet 10.10.0.0/24 { default-router 10.10.0.1 dns-server 10.10.0.1 lease 
86400 start 10.10.0.100 { stop 10.10.0.150 } } } shared-network-name Network192 { authoritative disable subnet 192.168.0.0/16 { default-router 192.168.5.254 dns-server 192.168.0.250 lease 86400 start 192.168.6.1 { stop 192.168.10.254 } } } static-arp disable use-dnsmasq disable } dns { forwarding { cache-size 150 listen-on eth2 name-server 8.8.8.8 options log-queries } } gui { http-port 80 https-port 443 older-ciphers enable } nat { rule 1000 { description "Force our DNS Server" destination { port 53 } inbound-interface eth2 inside-address { address 10.10.0.1 } log disable protocol tcp_udp source { address !10.50.0.0/16 } type destination } rule 5000 { description "SNAT for outgoing Traffic" outbound-interface pppoe0 protocol all type masquerade } rule 5100 { description "SNAT for outgoing Traffic" outbound-interface pppoe1 protocol all type masquerade } rule 5200 { description "SNAT for internal Traffic (Hairpin NAT)" outbound-interface eth2 protocol all source { group { network-group PRIVATE_NETS } } type masquerade } } ssh { port 3333 protocol-version v2 } ubnt-discover { disable } } system { conntrack { expect-table-size 4096 hash-size 4096 table-size 32768 tcp { half-open-connections 512 loose enable max-retrans 3 } } domain-name secret host-name SECRET-ROUTER login { user admin { authentication { encrypted-password **************** plaintext-password **************** } full-name Admin level admin } } name-server 8.8.8.8 ntp { server 0.ubnt.pool.ntp.org { } server 1.ubnt.pool.ntp.org { } server 2.ubnt.pool.ntp.org { } server 3.ubnt.pool.ntp.org { } } offload { ipv4 { forwarding enable pppoe disable } } options { reboot-on-panic true } syslog { global { facility all { level notice } facility protocols { level debug } } } time-zone Europe/Berlin traffic-analysis { dpi disable export enable } }