CWX uses eBGP over WireGuard transport tunnels to interconnect all sites (LOK0–LOK9).
Each site has a private ASN and establishes eBGP sessions using the remote WireGuard /31 endpoint as the BGP neighbor address.
Because the backbone is full mesh, each prefix appears from many sites.
To avoid ECMP and enforce deterministic routing, CWX ranks routes based on AS-path length:
This applies consistently to both MikroTik and VyOS routers.
Shorter AS-paths represent:
By ranking based on path length:
if (bgp-path-len == 1) { set bgp-local-pref 200; accept; }
if (bgp-path-len > 2) { set bgp-local-pref 80; set distance 220; accept; }
if (bgp-path-len > 1) { set bgp-local-pref 100; set distance 200; accept; }
Filter rules are evaluated top to bottom and accept terminates the chain, so the "> 2" test must come before the "> 1" test; in the opposite order every path longer than one ASN already matches the "> 1" rule and the 80/220 rule is never reached.
Explanation:
if (protocol bgp) { accept; }
accept
Advertised prefixes are controlled via:
IP → Firewall → Address Lists
This prevents leaking unnecessary prefixes.
This section now includes real commands based on your provided configuration.
set interfaces wireguard wg0 address '10.100.10.14/31'
set interfaces wireguard wg0 description 'wg-rbx'
set interfaces wireguard wg0 port '51834'
set interfaces wireguard wg0 peer to-rbx public-key '***************'
set interfaces wireguard wg0 peer to-rbx endpoint '10.100.10.15:51835'
set interfaces wireguard wg0 peer to-rbx allowed-ips '0.0.0.0/0'
set interfaces wireguard wg3 address '10.100.10.12/31'
set interfaces wireguard wg3 description 'wg-vukomerec'
set interfaces wireguard wg3 port '51832'
set interfaces wireguard wg3 peer to-vukomerec public-key '***************'
set interfaces wireguard wg3 peer to-vukomerec endpoint '10.100.10.13:51833'
set interfaces wireguard wg3 peer to-vukomerec allowed-ips '0.0.0.0/0'
The pattern is always:
wgX local-ip /31
wgX → peer remote-ip:port
set firewall ipv4 name WAN-IN default-action 'drop'
set firewall ipv4 name WAN-IN rule 10 action 'accept'
set firewall ipv4 name WAN-IN rule 10 state established 'enable'
set firewall ipv4 name WAN-IN rule 10 state related 'enable'
set firewall ipv4 name WAN-IN rule 20 action 'accept'
set firewall ipv4 name WAN-IN rule 20 protocol 'udp'
set firewall ipv4 name WAN-IN rule 20 destination port '51820-51840'
set policy as-path-list DIRECT_AS_PATH rule 10 action 'permit'
set policy as-path-list DIRECT_AS_PATH rule 10 regex '^[0-9]+$'
This regex matches an AS-path consisting of exactly one ASN, i.e. a prefix learned directly from the site that originates it (a direct neighbor).
set policy route-map PREFER_DIRECT_IN rule 10 action 'permit'
set policy route-map PREFER_DIRECT_IN rule 10 match as-path DIRECT_AS_PATH
set policy route-map PREFER_DIRECT_IN rule 10 set local-preference '200'
Fallback rule:
set policy route-map PREFER_DIRECT_IN rule 20 action 'permit'
set policy route-map PREFER_DIRECT_IN rule 20 set local-preference '150'
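The following is an added model of the policy described in this section (the MikroTik filter chain above and the VyOS as-path-list plus route-map here); it is illustrative code, not CWX's configuration or any vendor's implementation. It assumes a constructed RIB-in with one prefix (10.198.0.0/22, a placeholder) originated by AS 65003, seen directly over 10.100.10.13 and via two transit paths; neighbor 10.100.10.17 and ASN 65001 are placeholders not taken from the page. It shows the local-preference each policy assigns, why the rule order in the MikroTik chain matters, and that best-path selection on local-pref then AS-path length picks the direct tunnel and falls back deterministically when it is gone.

```python
import ipaddress
import re
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Route:
    prefix: str
    neighbor: str        # remote WireGuard /31 endpoint used as the BGP neighbor
    as_path: tuple       # AS_PATH as received, nearest AS first
    local_pref: int = 100
    distance: int = 20   # RouterOS default administrative distance for eBGP


# --- MikroTik-style routing filter chain: first match wins, accept ends it ---
# Each rule is (predicate on the route, attributes to set before accepting),
# mirroring e.g. "if (bgp-path-len == 1) { set bgp-local-pref 200; accept; }".
MIKROTIK_CHAIN = [
    (lambda r: len(r.as_path) == 1, {"local_pref": 200}),
    (lambda r: len(r.as_path) > 2, {"local_pref": 80, "distance": 220}),
    (lambda r: len(r.as_path) > 1, {"local_pref": 100, "distance": 200}),
]

# Same rules with the "> 1" test ahead of "> 2": the last rule is unreachable,
# because every path longer than one ASN is already accepted by "> 1".
SHADOWED_CHAIN = [MIKROTIK_CHAIN[0], MIKROTIK_CHAIN[2], MIKROTIK_CHAIN[1]]


def run_filter_chain(chain, route):
    """Evaluate rules top to bottom; the first matching rule sets its
    attributes and accepts. Returns None when nothing matched (implicit reject)."""
    for predicate, attrs in chain:
        if predicate(route):
            return replace(route, **attrs)
    return None


# --- VyOS-style policy: as-path-list DIRECT_AS_PATH + route-map PREFER_DIRECT_IN ---
DIRECT_AS_PATH = re.compile(r"^[0-9]+$")  # exactly one ASN in the path


def vyos_prefer_direct_in(route):
    """rule 10: AS-path matches DIRECT_AS_PATH -> local-preference 200
    rule 20: everything else                   -> local-preference 150"""
    path_text = " ".join(str(asn) for asn in route.as_path)
    if DIRECT_AS_PATH.match(path_text):
        return replace(route, local_pref=200)
    return replace(route, local_pref=150)


# --- Best-path selection: highest local-pref, then shortest AS-path ---
def select_best(routes):
    """One winner per prefix; the lowest neighbor address breaks remaining
    ties so the choice is deterministic instead of ECMP."""
    best = {}
    for r in routes:
        key = (-r.local_pref, len(r.as_path), ipaddress.ip_address(r.neighbor))
        cur = best.get(r.prefix)
        if cur is None or key < (-cur.local_pref, len(cur.as_path),
                                 ipaddress.ip_address(cur.neighbor)):
            best[r.prefix] = r
    return best


def best_neighbors(routes, policy):
    """Apply an import policy to every received route, drop rejects, and
    return {prefix: neighbor address of the selected best path}."""
    accepted = [policy(r) for r in routes]
    accepted = [r for r in accepted if r is not None]
    return {p: r.neighbor for p, r in select_best(accepted).items()}


# Constructed RIB-in (placeholder prefix and transit ASN 65001; neighbor
# 10.100.10.17 is not documented on the page). AS 65003 originates the prefix.
RIB_IN = [
    Route("10.198.0.0/22", "10.100.10.13", (65003,)),
    Route("10.198.0.0/22", "10.100.10.15", (65000, 65003)),
    Route("10.198.0.0/22", "10.100.10.17", (65001, 65000, 65003)),
]

if __name__ == "__main__":
    mikrotik = lambda r: run_filter_chain(MIKROTIK_CHAIN, r)
    print("VyOS best:", best_neighbors(RIB_IN, vyos_prefer_direct_in))
    print("MikroTik best:", best_neighbors(RIB_IN, mikrotik))
    # Direct tunnel withdrawn (e.g. BFD declared it down): fallback to 2-AS path.
    print("fallback:", best_neighbors(RIB_IN[1:], vyos_prefer_direct_in))
    for r in RIB_IN:
        print(r.as_path, "ordered:", run_filter_chain(MIKROTIK_CHAIN, r).local_pref,
              "shadowed:", run_filter_chain(SHADOWED_CHAIN, r).local_pref)
```

The two vendors assign different absolute local-preference values (200/80/100 on MikroTik versus 200/150 on VyOS), but because local-preference is only compared within one router's RIB the selection outcome is the same: the direct neighbor wins, and when it disappears the shortest remaining AS-path is chosen.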
set protocols bfd peer 10.100.10.13
set protocols bfd peer 10.100.10.15
set protocols bfd peer 10.100.10.17
set protocols bfd peer 10.100.10.19
set protocols bfd peer 10.100.10.28
set protocols bgp system-as '65005'
set protocols bgp address-family ipv4-unicast network '10.100.254.15/32'
set protocols bgp address-family ipv4-unicast network '10.198.32.0/22'
set protocols bgp neighbor 10.100.10.13 remote-as '65003'
set protocols bgp neighbor 10.100.10.13 description 'to-vukomerec'
set protocols bgp neighbor 10.100.10.13 address-family ipv4-unicast route-map import 'PREFER_DIRECT_IN'
set protocols bgp neighbor 10.100.10.13 bfd
Another example:
set protocols bgp neighbor 10.100.10.15 remote-as '65000'
set protocols bgp neighbor 10.100.10.15 description 'to-rbx'
set protocols bgp neighbor 10.100.10.15 address-family ipv4-unicast route-map import 'PREFER_DIRECT_IN'
set protocols bgp neighbor 10.100.10.15 bfd
This shows exactly how CWX routers implement eBGP over WireGuard.
The CWX BGP backbone is built around:
This ensures a stable and predictable routing environment while maintaining full redundancy across all CWX transport tunnels.