We are having an issue with the following. We are using a RUT241 gateway that has a Wireguard connection to our own server. It is supposed to primarily connect over the wired WAN interface, but if that is not possible, revert to the mobile interface. Failover is configured as such. As long as the WAN is configured to use DHCP, everything is OK.
But as soon as the WAN is assigned a static IP address, the failover mechanism does not work as intended anymore. If the WAN cable is disconnected, the interface still registers as up. Failover routes all traffic over mobile, except traffic to our wireguard server, probably because it has its own route:
root@RUT241:~# ip route
default via 192.168.180.1 dev eth0.2 proto static metric 1 # <-- static WAN, but disconnected
default dev qmimux0 proto static scope link src 10.160.92.113 metric 3 1 # <-- Mobile, that works
10.160.92.113 dev qmimux0 proto static scope link metric 3
[wg server ip] via 192.168.180.1 dev eth0.2 metric 1 1 # <-- Special route for wg server, why?
[wg server ip] dev qmimux0 scope link metric 3 # <-- Special route for wg server, why?
[wg subnet] dev wg proto static scope link
[LAN subnet] dev br-lan proto kernel scope link src 192.168.1.1
[WAN subnet] dev eth0.2 proto static scope link metric 1
Is there a solution to have a robust Wireguard connection and a static WAN ip at the same time?
Tangentially, RUT240 does not have this problem (as long as “force link” is off). It’s routing with the same config is:
root@RUT240:~# ip route
default dev qmimux0 proto static scope link src 10.5.214.80 metric 4
10.5.214.80 dev qmimux0 proto static scope link metric 4
[wg server ip] dev qmimux0 scope link metric 4
[wg subnet] dev wg proto static scope link
[lan subnet] dev br-lan proto static scope link metric 1
i.e. it removes all WAN-related routing when WAN is physically disconnected.
There is a related topic on the old forum about this: Wireguard module adds static route for wg server IP? - Crowd Support Forum | Teltonika Networks
EDIT: on further experimentation, it seems that this issue only happens on boot and on first config. If the WAN has been online once, subsequent failover works. Examples:
- Set up static IP on WAN without cable connected → Wireguard connection breaks
- Reboot when WAN cable not connected → Wireguard connection never comes back up again
- WAN connected and working, disconnect cable → Wireguard is correctly “failed over” through Mobile.