Failover RUTXR1

Hi,
I am experiencing some troubles regarding the failover function. I am using a RUTXR1 currently with firmware RUTX_R_00_07.12.3.

I am using a WireGuard tunnel which has been really stable with nothing to complain about, and which has been using SIM1 as its primary connection. I have now started to set up a redundant connection where the idea is to use WAN fed from a fiber connection as the primary connection, which will fail over to MOB1S1A1. I have been using the default settings for the failover and added Flush connections on both interfaces for all available cases (Connected, Disconnected, Interface Up and Interface Down). I have tested this by removing the Ethernet cable from the WAN port and see a correct failover to MOB1S1A1 within seconds, and as soon as I plug in the cable again it switches back to WAN. In both cases the WireGuard tunnel works perfectly. However, if I disconnect the fiber from the media converter, which means that the WAN interface will still be up but the ping criteria for switching interfaces are not fulfilled, I am getting really strange behavior:

The failover status changes and it switches to the MOB1S1A1 interface correctly, but the WireGuard tunnel stops working. I have tried to keep this case and reboot the RUTXR1, but without any success in getting the tunnel working. As soon as I plug in the fiber or disconnect the Ethernet cable from the WAN interface, the tunnel starts working immediately. If I connect something to the LAN ports I get internet access from MOB1S1A1 even while the tunnel is down.

Has anyone else experienced this and found a solution?

Hello,

Would you mind sharing your WireGuard configuration? In particular, what subnets are added in the peer configuration, and whether “Route allowed IPs” is enabled. If you also have static routes configured, please share them.

From the description, it sounds like the WireGuard conntrack is not getting flushed, which could cause the issue.
If you have configured a default route over WireGuard, then it’s also possible that a static route to your WireGuard peer is either not being added, or is added on the incorrect interface. When the issue is present, could you also share your route table? It can be accessed via WebUI by navigating to Status → Routes → Static, or via SSH by using the ip r command. Please remove all sensitive information like public IPs.

Best regards,

Hi,
Yes of course, here is the peer-configuration:

Here are the routes when it is working and using WAN:

Here are the routes when it is working and using MOB1S1A1:

Here are the routes when it is not working and using MOB1S1A1:

Best regards,

Hello,

Thank you for the screenshots!
Could you try disabling the Route Allowed IPs option in your WireGuard peer (leave the networks in the Allowed IPs section) and add these routes in the Network → Routing → Static routes section as follows:


Make sure to specify the WireGuard interface name in the Interface section (wg in my case).

This way, a static route will not be added to the WireGuard peer endpoint and only the active WAN interface should be used.
Let me know how it goes!

Best regards,

Hi,
Thanks a lot for the assistance. This solution solved the problem!

Best regards,

@Daumantas I agree your workaround “works” but not for the good reasons; it would be much cleaner to set the option nohostroute to 1 in the wg section of the interface. This flag is handled by the wireguard.sh script.
Besides, if the wg tunnel hasn’t yet been built, static routes cannot be added to the tables.
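
A check for the condition discussed in this thread, as an added example that is not part of any post above and is not vendor code: it reads ip r output and reports whether a host route to the WireGuard peer endpoint is pinned to a device other than the uplink that failover reports as active. The endpoint address, the device names eth1 and qmimux0, and the sample route table are constructed assumptions; wg is the tunnel interface name used in the thread.

```shell
#!/bin/sh
# Added example: detect a WireGuard endpoint host route that is pinned to an
# uplink other than the one failover currently reports as active.
# Both functions read `ip r` output on stdin (live output or a saved copy).

# Print the device that carries the host route to endpoint $1 (empty if none).
endpoint_route_dev() {
    awk -v ep="$1" '
        ($1 == ep || $1 == ep "/32") {
            for (i = 2; i < NF; i++) if ($i == "dev") { print $(i + 1); exit }
        }'
}

# $1 = peer endpoint IP, $2 = device of the uplink that failover shows as active.
# Prints: "none" (no host route), "ok" (on the active uplink), or "pinned:<dev>".
check_endpoint_route() {
    dev=$(endpoint_route_dev "$1")
    if [ -z "$dev" ]; then
        echo "none"
    elif [ "$dev" = "$2" ]; then
        echo "ok"
    else
        echo "pinned:$dev"
    fi
}

# Constructed sample: WAN (eth1, assumed name) has link but no upstream, mobile
# (qmimux0, assumed name) is the active uplink. 203.0.113.10 stands in for the
# peer's public endpoint; all addresses are documentation or private ranges.
SAMPLE_BROKEN='default via 192.0.2.1 dev eth1 proto static metric 1
default via 10.64.64.1 dev qmimux0 proto static metric 2
10.64.64.0/30 dev qmimux0 proto kernel scope link src 10.64.64.2
192.0.2.0/24 dev eth1 proto kernel scope link src 192.0.2.50
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
203.0.113.10 via 192.0.2.1 dev eth1 proto static metric 1
172.16.0.0/24 dev wg proto static scope link'

# Same table with no endpoint host route, as after either change proposed above.
SAMPLE_FIXED=$(printf '%s\n' "$SAMPLE_BROKEN" | grep -v '^203\.0\.113\.10 ')

printf 'endpoint host route present: %s\n' \
    "$(printf '%s\n' "$SAMPLE_BROKEN" | check_endpoint_route 203.0.113.10 qmimux0)"
printf 'endpoint host route absent:  %s\n' \
    "$(printf '%s\n' "$SAMPLE_FIXED" | check_endpoint_route 203.0.113.10 qmimux0)"
```

On the router itself the same functions can be fed live data, for example by piping ip r into check_endpoint_route with the real endpoint address and the active uplink's device name.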