RouterOS 7双WAN环境下WireGuard仅可通过WAN3连接、WAN2无法连接的故障排查求助

阿华AIGC实验室

2026-4-21

各位大佬好，我现在遇到一个RouterOS 7的双WAN配置问题，折腾了好久没搞定，来求助大家！

我的设备有两个WAN口：WAN2对应ether3（IP是8.1.1.169/26），WAN3对应ether4（IP是9.1.1.149/25），Winbox用两个WAN IP都能正常访问，说明端口和基础网络通路没问题。我在上面搭了WireGuard服务，监听端口是13231，目前只能通过WAN3的IP成功连接，用WAN2的IP根本连不上。

下面是我的完整配置片段：

接口配置

/interface ethernet
set [ find default-name=ether3 ] comment="wan2" disable-running-check=no
set [ find default-name=ether4 ] comment="wan3" disable-running-check=no

/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1

/interface wireguard peers
add allowed-address=0.0.0.0/0 interface=wireguard1 public-key="7dUlL*****axiT0="

IP地址配置

/ip address
add address=8.1.1.169/26 comment="wan2" interface=ether3 network=8.1.1.128
add address=9.1.1.149/25 comment="wan3" interface=ether4 network=9.1.1.128
add address=10.15.8.1/24 interface=wireguard1 network=10.15.8.0

NAT配置

/ip firewall nat
add action=masquerade chain=srcnat comment="wan2" out-interface=ether3
add action=masquerade chain=srcnat comment="wan3" out-interface=ether4

Mangle标记与路由配置

/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address=8.1.1.128/26 in-interface=ether3 new-connection-mark=wan2conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address=9.1.1.128/25 in-interface=ether4 new-connection-mark=wan3conn passthrough=yes
add action=mark-routing chain=output connection-mark=wan2conn new-routing-mark=vrf2 passthrough=no
add action=mark-routing chain=output connection-mark=wan3conn new-routing-mark=main passthrough=no

/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=8.1.1.129 pref-src="" routing-table=vrf2 scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=9.1.1.145 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10

我做了抓包分析，结果如下：