Prerequisites
- RouterOS 7.x
- WireGuard interface already configured and connected
- The WireGuard peer on the server side has your assigned tunnel IPs in AllowedIPs
Step 1: Create the Routing Table
This must exist before any mangle rules can reference it.
/routing table add name=rtab-example fib
Step 2: Assign Tunnel IPs to the WireGuard Interface
Use whatever IPs your WireGuard server assigned to your peer.
# IPv4
/ip address add address=10.125.192.4/32 interface=NathanaelCH network=10.125.192.4

# IPv6
/ipv6 address add address=fd0e:ce2e:cafe:2c4::4/128 interface=NathanaelCH advertise=no
Step 3: Add Routes with pref-src
The pref-src is the key — it tells the router to use your tunnel IP as the source address so the WireGuard server accepts the traffic (matches AllowedIPs).
# IPv4 default route in the custom table
/ip route add dst-address=0.0.0.0/0 gateway=NathanaelCH pref-src=10.125.192.4 routing-table=rtab-example

# IPv6 default route in the custom table
/ipv6 route add dst-address=::/0 gateway=NathanaelCH pref-src=fd0e:ce2e:cafe:2c4::4 routing-table=rtab-example
Step 4: Add Domains to Address Lists
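MikroTik resolves these periodically and keeps the IPs updated. The list only holds the addresses the router itself resolved, so a client that gets a different address for the same name (for example from another DNS resolver) will not match, and its traffic leaves by the normal route instead of the tunnel.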
# IPv4
/ip firewall address-list
add address=dpaste.org list=route-example
add address=someotherdomain.com list=route-example

# IPv6
/ipv6 firewall address-list
add address=dpaste.org list=route-example-v6
add address=someotherdomain.com list=route-example-v6
Step 5: Mangle — Mark Matching Traffic
# IPv4
/ip firewall mangle
add chain=prerouting dst-address-list=route-example action=mark-routing new-routing-mark=rtab-example passthrough=no

# IPv6
/ipv6 firewall mangle
add chain=prerouting dst-address-list=route-example-v6 action=mark-routing new-routing-mark=rtab-example passthrough=no
Step 6: Source NAT
This NATs all outbound traffic through the tunnel to your assigned tunnel IP, so replies come back correctly.
# IPv4
/ip firewall nat
add chain=srcnat out-interface=NathanaelCH action=src-nat to-addresses=10.125.192.4

# IPv6
/ipv6 firewall nat
add chain=srcnat out-interface=NathanaelCH action=src-nat to-address=fd0e:ce2e:cafe:2c4::4
How It Works
- A LAN client resolves dpaste.org; MikroTik populates the address list with the resolved IPs
- Client sends a packet to one of those IPs
- Mangle rule matches the destination against the address list and stamps it with rtab-example
- Router looks up the route in rtab-example and finds the default route via WireGuard with pref-src
- Source NAT rewrites the source IP to the tunnel address
- WireGuard server accepts it (matches AllowedIPs), forwards it, and routes the reply back
Adding More Tunnels
Just repeat with different names. For example a US tunnel:
/routing table add name=rtab-us fib
/ip address add address=10.x.x.x/32 interface=WG-US network=10.x.x.x
/ip route add dst-address=0.0.0.0/0 gateway=WG-US pref-src=10.x.x.x routing-table=rtab-us
/ip firewall address-list add address=us-only-site.com list=route-us
/ip firewall mangle add chain=prerouting dst-address-list=route-us action=mark-routing new-routing-mark=rtab-us passthrough=no
/ip firewall nat add chain=srcnat out-interface=WG-US action=src-nat to-addresses=10.x.x.x
Same pattern, different names and IPs. Rinse and repeat for v6.
Troubleshooting
| Symptom | Check |
|---|---|
| Packets marked but no route | Is the route disabled=no? Does /routing table have the fib flag? |
| “No route to host” on ping | Is the tunnel IP assigned to the WG interface? Is pref-src set? |
| Traffic goes out but no reply | Is src-nat in place? Does the server’s AllowedIPs include your tunnel IP? |
| Domain IPs not updating | MikroTik resolves on its own schedule — check /ip firewall address-list print where list=route-example to see resolved entries |
| Works for v4 but not v6 | Probably missing the v6 address on the interface, v6 route, or v6 src-nat — they’re completely separate stacks |
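
An offline check for the chain that the steps and the Troubleshooting table describe, added here as an example and not part of the original guide: it reads RouterOS `/export` text and reports, for each routing mark used in mangle, a missing `fib` table, route, `pref-src` address or src-nat rule. The names `parse`, `audit` and `SAMPLE` and the sample export are constructed for illustration; the code assumes the sectioned (non-terse) export layout and covers IPv4 only.

```python
import re
import shlex

# Constructed sample in /export style. The src-nat rule from Step 6 is left out
# on purpose to reproduce the "traffic goes out but no reply" symptom.
SAMPLE = """\
/routing table
add fib name=rtab-example
/ip address
add address=10.125.192.4/32 interface=NathanaelCH network=10.125.192.4
/ip route
add dst-address=0.0.0.0/0 gateway=NathanaelCH pref-src=10.125.192.4 routing-table=rtab-example
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=route-example new-routing-mark=rtab-example passthrough=no
"""

def parse(text):
    """Return {menu: [{key: value}]}; bare flags such as `fib` map to 'yes'."""
    menus, menu = {}, None
    for line in map(str.strip, re.sub(r"\\\n\s*", "", text).splitlines()):
        if line.startswith("/"):
            menu = line
        elif menu and line.startswith("add "):
            pairs = (tok.partition("=") for tok in shlex.split(line[4:]))
            menus.setdefault(menu, []).append({k: v or "yes" for k, _, v in pairs})
    return menus

def audit(text):
    """List gaps in the IPv4 chain: mangle mark -> table -> route -> address -> NAT."""
    cfg, problems = parse(text), []
    rows = lambda menu: cfg.get(menu, [])
    addrs = {(a.get("interface"), a.get("address", "").split("/")[0]) for a in rows("/ip address")}
    nat_ifs = {n.get("out-interface") for n in rows("/ip firewall nat") if n.get("action") == "src-nat"}
    for mark in sorted({r.get("new-routing-mark") for r in rows("/ip firewall mangle")} - {None}):
        if not any(t.get("name") == mark and "fib" in t for t in rows("/routing table")):
            problems.append(f"{mark}: no routing table with the fib flag")
        routes = [r for r in rows("/ip route") if r.get("routing-table") == mark]
        if not routes:
            problems.append(f"{mark}: no route in this table")
        for r in routes:
            gw, src = r.get("gateway"), r.get("pref-src")
            if (gw, src) not in addrs:
                problems.append(f"{mark}: pref-src {src} is not an address on {gw}")
            if gw not in nat_ifs:
                problems.append(f"{mark}: no src-nat rule on {gw}")
    return problems

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no gaps found")
```

Feed it the text of an export saved from the router in place of `SAMPLE`; an empty result means every marked flow has a table, a route, a matching tunnel address and a NAT rule.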