How to have Wireguard enabled on a single WAN interface in multi-WAN mode?

How to have Wireguard enabled on a single WAN interface in multi-WAN mode?

How to have Wireguard enabled on a single WAN interface in multi-WAN mode?
How to have Wireguard enabled on a single WAN interface in multi-WAN mode?
a week ago - last edited a week ago
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version: 2.2.6

Hi,

I am using an ER605 as the main router on my home network in a multi-wan setup.

-wan 1 is connected to a fiber internet modem

-wan 2 is connected to a 5G modem

wan failover in is place: only wan 1 is used if available. wan 2 is used if wan 1 is down.

On my cellular connection, I am behing a CGNAT, which is problematic to access my homer servers. 

So I enabled a wireguard tunnel from my router to a remote VPS with a public IP, used as a gateway to the internet for my LAN servers.

This incoming access through the CGNAT now works well.

 

However, this setup is not yet satisfactory.

 

The issue I have is that I am unable to configure my router so that outgoing traffic goes through the wireguard tunnel only when wan 1 is down (ie when Wan 2 is actually used)

So far, outgoign traffic is going through wireguard in any case, which

-is limiting my bandwidth because my VPS server is limited in bandwidth.

-make me have to find a way to route incoming request to my LAN servers, through the VPS public IP (the one attached to my domain names based on DDNS) to either the WAN 1 router interface or WAN 2 router interface upon WAN 1 availability (which I did not manage to do so far)

 

What seems to be the ideal solution to me, would be to have wireguard enabled on WAN 2 only. Unfortunately, I have not found how to do so.

 

I need to add that my ER605 is managed through the OMADA controller.

 

Has anyone faced the same situation and foud the correct configuration?

 

Thanks for your help,

grang

  0      
  0      
#1
Options
3 Reply
Re:How to have Wireguard enabled on a single WAN interface in multi-WAN mode?
a week ago

Hi @grang 

Thanks for posting in our business forum.

grang wrote

 

The issue I have is that I am unable to configure my router so that outgoing traffic goes through the wireguard tunnel only when wan 1 is down (ie when Wan 2 is actually used)

So far, outgoign traffic is going through wireguard in any case, which

-is limiting my bandwidth because my VPS server is limited in bandwidth.

-make me have to find a way to route incoming request to my LAN servers, through the VPS public IP (the one attached to my domain names based on DDNS) to either the WAN 1 router interface or WAN 2 router interface upon WAN 1 availability (which I did not manage to do so far)

 

WG does not support load balance. But it could be used if the other peer did not specify the remote Endpoint. That is to say the router sets the peer settings with a specific Endpoint to start the connection. Other peer does not have a specific Endponit.

 

Natively does not support load balance means it cannot fall back to WAN 2 when WAN 1 is down.

 

A diagram may be needed if we need to further discuss this. But my initial reaction to this is not possible.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
  1  
  1  
#2
Options
Re:How to have Wireguard enabled on a single WAN interface in multi-WAN mode?
a week ago

  @Clive_A 

Thanks for your feedback, even if I am kind of stuck now...

The key point in my case is indeed to have WG used only when I use WAN 2, which is in my router setup, when WAN 1 is down.

 

I was not expecting it to be impossible but rather that I did not find how to do it! (assuming that having 5G backup connection to temporarily take over a disrupted fiber connection was a pretty common use case and that CGNAT were most often blocking entrant connections to cellular endpoints)

 

Is there a way to suggest this feature for future evolutions? 

I guess such result could be achieved through different ways:

-options to "attach" wireguard to WAN interfaces directly in the wireguard menu

-possibility to define routing policies that refer to VPN (wireguard) interfaces

-perhaps others ways?

 

 

  0  
  0  
#3
Options
Re:How to have Wireguard enabled on a single WAN interface in multi-WAN mode?
a week ago

Hi @grang 

Thanks for posting in our business forum.

grang wrote

  @Clive_A 

Thanks for your feedback, even if I am kind of stuck now...

The key point in my case is indeed to have WG used only when I use WAN 2, which is in my router setup, when WAN 1 is down.

 

So you should configure Link Backup to disable WAN 1 if WAN 2 is up. So that the WG would not pass the WAN that is down.

 

grang wrote

  @Clive_A 

Thanks for your feedback, even if I am kind of stuck now...

The key point in my case is indeed to have WG used only when I use WAN 2, which is in my router setup, when WAN 1 is down.

 

I was not expecting it to be impossible but rather that I did not find how to do it! (assuming that having 5G backup connection to temporarily take over a disrupted fiber connection was a pretty common use case and that CGNAT were most often blocking entrant connections to cellular endpoints)

 

Is there a way to suggest this feature for future evolutions? 

I guess such result could be achieved through different ways:

-options to "attach" wireguard to WAN interfaces directly in the wireguard menu

-possibility to define routing policies that refer to VPN (wireguard) interfaces

-perhaps others ways?

 

 

As for the remote WG peer, extra settings may be needed to maintain the connection if one of the WANs is down.

 

There does not seem to be a good way to fix what you need unless the PBR or the Load Balance is available for the VPN.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
  0  
  0  
#4
Options