Failover and Wireguard VPN mutually exclusive on RUTX50

I am on RUTX_R_00.07.19.2 with a RUTX50. Failover works when I disable my Wireguard VPN connection, VPN connection works when I disable all failover entries.

When both are enabled, the routing or firewall rules prevent any clients connected to the RUTX from reaching the internet (the RUTX itself can).

There are many similar threads and claims have been made that it was solved in earlier firmware versions. I believe it still stands and is easily reproducible.

Greetings,

To help us proceed with troubleshooting, we’ll need some additional details.
Please provide the following:

  • The Routing table
  • WireGuard configuration
  • Failover configuration

If possible, screenshots of these sections would be very helpful.
Ensure that no sensitive information is included in the screenshots.

Best Regards,
Justinas

Thanks Justinas for looking into this.
A bit of background:
I have 2 potential paths from the RUTX to the outside:

  • mob1sa1 - cellular path
  • wifi0 - configured as multiAP, connected to a passwordless wifi hotspot

If mob1sa1 is in flight mode, the path is forced via wifi0. Neither the firewall rules nor the routing table change if I switch mob1sa1 in flight mode or make it active.

The routing table is below (Fritz is the WireGuard connection)

route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.16.0.1      0.0.0.0         UG    2      0        0 wlan0-3
172.16.0.0      0.0.0.0         255.255.240.0   U     2      0        0 wlan0-3
172.16.127.0    0.0.0.0         255.255.255.0   U     0      0        0 br-lan
172.16.127.0    0.0.0.0         255.255.255.0   U     0      0        0 Fritz
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 Fritz

The (redacted) WireGuard configuration is below:

config interface 'Fritz'
	option listen_port '51820'
	option proto 'wireguard'
	option mtu '1420'
	option private_key '....yymY='
	list dns '192.168.1.33'
	list addresses '172.16.127.2/24'
	option disabled '0'

config wireguard_Fritz 'FritzCon'
	option endpoint_port '57871'
	list allowed_ips '192.168.1.0/24'
	option preshared_key '...hU='
	option public_key '....zzjc='
	option force_tunlink '0'
	option endpoint_host 'blurps5x.myfritz.net'
	option persistent_keepalive '25'
	option route_allowed_ips '1'
	option tunlink 'any'

Now the funny thing is that any client connected (wifi or cable) to the RUTX can reach the internet (through MOB1SA1 or wifi0) UNLESS Wireguard is enabled AND Failover has enabled interfaces (in either failover or load balancing mode).

So if I disable the WireGuard tunnel, I can configure failover/load balancing and it works as expected. If I enable the tunnel and I have failover/load balancing enabled, the RUTX can still reach the internet but no connected client can (yet they can reach both the RUTX as well as hosts in the wg tunnel).

Let me know if you need more info, hope we can get this fixed :wink:

Anything happening? Do you need more info?

@Justinas @Teltonika: anything happening or are you just waiting for the topic to auto-close?

Greetings,

Sorry for the delayed response.

Your LAN (br-lan) is operating on the 172.16.127.0/24 subnet.
Your WireGuard interface (Fritz) is assigned the IP 172.16.127.2/24.

You have assigned the same subnet to both your local LAN and your VPN tunnel. Could you please try changing the VPN tunnel’s subnet and see if the issues persist when you turn on failover?

Please let me know of the results.

Best Regards,
Justinas
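The routing table posted above already shows the problem Justinas points out: 172.16.127.0/24 appears twice, once on br-lan and once on Fritz, with equal metric, so the kernel has no deterministic way to choose between the LAN and the tunnel for that prefix. The script below is an added example, not part of this thread or of Teltonika's firmware: it parses `route -n` output, flags any prefix that is reachable over more than one interface, and checks a proposed WireGuard interface address against the LAN routes before it is applied. The sample table is constructed to mirror the one in the thread; the function names and the `br-lan` default are this example's own assumptions.

```python
"""Detect duplicate prefixes in a `route -n` dump and pre-check a tunnel address.

Added example (not from the thread or the router firmware). The sample
routing table below is constructed to mirror the one posted above.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: the `route -n` output from the thread, with the
# LAN and the WireGuard interface both carrying 172.16.127.0/24.
ROUTE_N_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.16.0.1      0.0.0.0         UG    2      0        0 wlan0-3
172.16.0.0      0.0.0.0         255.255.240.0   U     2      0        0 wlan0-3
172.16.127.0    0.0.0.0         255.255.255.0   U     0      0        0 br-lan
172.16.127.0    0.0.0.0         255.255.255.0   U     0      0        0 Fritz
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 Fritz
"""


def parse_route_n(text):
    """Return (network, gateway, metric, iface) tuples from `route -n` output.

    The two header lines are skipped; a route line has eight columns and
    starts with a dotted-quad destination.
    """
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or not parts[0][0].isdigit():
            continue
        dest, gw, mask, _flags, metric, _ref, _use, iface = parts[:8]
        # Destination plus Genmask is exactly what IPv4Network accepts as a pair.
        net = ipaddress.IPv4Network((dest, mask), strict=False)
        routes.append((net, gw, int(metric), iface))
    return routes


def find_duplicate_prefixes(routes):
    """Map every prefix present on more than one interface to those interfaces.

    Longest-prefix match resolves nested prefixes on different interfaces,
    but an identical prefix on two interfaces with equal metric is ambiguous,
    which is the condition behind the thread's symptom.
    """
    by_prefix = defaultdict(set)
    for net, _gw, _metric, iface in routes:
        by_prefix[net].add(iface)
    return {str(net): sorted(ifaces)
            for net, ifaces in by_prefix.items() if len(ifaces) > 1}


def tunnel_overlaps_lan(routes, tunnel_cidr, lan_iface="br-lan"):
    """True if the tunnel's address block overlaps any route on the LAN interface.

    `lan_iface` defaults to br-lan, the LAN bridge name used in the thread
    (an assumption of this example; adjust for other setups).
    """
    tunnel_net = ipaddress.IPv4Interface(tunnel_cidr).network
    return any(iface == lan_iface and net.overlaps(tunnel_net)
               for net, _gw, _metric, iface in routes)


if __name__ == "__main__":
    table = parse_route_n(ROUTE_N_OUTPUT)
    for prefix, ifaces in find_duplicate_prefixes(table).items():
        print(f"ambiguous: {prefix} is present on {', '.join(ifaces)}")
    for candidate in ("172.16.127.2/24", "192.168.205.1/24"):
        verdict = "overlaps LAN" if tunnel_overlaps_lan(table, candidate) else "ok"
        print(f"tunnel address {candidate}: {verdict}")
```

Running it against the constructed table reports 172.16.127.0/24 as present on both Fritz and br-lan, rejects the original tunnel address 172.16.127.2/24 and accepts 192.168.205.1/24, the value the thread eventually settled on. The same check can be run on a live router by piping `route -n` into `parse_route_n` before enabling a new tunnel.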

Thanks & Happy 2026! I was not aware that this needed to be outside the LAN subnet and just assumed it ought to be an available IP in the LAN. I’ve now set it to 192.168.205.1/24 and that makes a lot of difference: I can enable the failover networks and the clients can still access the internet via Wifi0. Tomorrow I’ll test with MOB1S1A1 and true failover and will report back.

I tested it today with failing over between MOB1S1A1 and WiFi0 and it worked as designed.
Thanks for solving the issue!
