 
darkside9009
just joined
Topic Author
Posts: 4
Joined: Fri Apr 26, 2024 10:57 am

VPN - device routing

Fri Apr 26, 2024 11:06 am

Hello All,

I'm new here and also a MikroTik newbie. I need your help with the following problem:
I have set up WireGuard between a hEX S and a Fritz!Box (site to site). This is working very well. Now I would like to pass my Apple TV (192.168.2.115) through the VPN (my Fritz!Box has 192.168.178.1; this is also the DNS to the internet). I would like to use the location of the Fritz!Box. How can I set up the route or gateway? I have tried several things but it was not working. Is there also a possibility to change the route/gateway by SSH (I would like to switch it from my smart home system)?
Thanks for your help.
 
TheCat12
Member Candidate
Posts: 193
Joined: Fri Dec 31, 2021 9:13 pm

Re: VPN - device routing

Sun Apr 28, 2024 12:24 pm

If I understand correctly and the Wireguard addresses are from the 192.168.178.0/x subnet, then the following should be done:

1. Add a new routing table
2. Create a default route to WG gateway in that table
3. Add a routing rule to lookup traffic from 192.168.2.115 only in that table
/routing table add fib name=thr_WG

/ip route add dst-address=0.0.0.0/0 gateway=192.168.178.1 routing-table=thr_WG

/routing rule add action=lookup-only-in-table src-address=192.168.2.115 table=thr_WG
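The three steps above, written out as one commented RouterOS 7 snippet together with the SSH toggle the original post asked about. This is an added example, not code from the thread or from MikroTik; it assumes the interface name WG-PL-FritzBox and the addresses used in this thread, and the comment strings and the masquerade rule for the return path are my own additions.

```routeros
# Added example (not from the thread): send one LAN host through the WireGuard
# tunnel with policy routing. Assumed names/addresses:
#   WG-PL-FritzBox  WireGuard interface towards the remote Fritz!Box
#   192.168.178.1   Fritz!Box LAN address (remote gateway and DNS)
#   192.168.2.115   Apple TV on the local LAN
#   thr_WG          the extra routing table

# 1. Separate routing table with its own FIB.
/routing table add name=thr_WG fib

# 2. Default route that exists only in that table. The gateway must already be
#    reachable through WG-PL-FritzBox (a connected 192.168.178.0/24 or a route
#    for it), otherwise the route stays unresolved and inactive.
/ip route add dst-address=0.0.0.0/0 gateway=192.168.178.1 routing-table=thr_WG \
    comment="appletv-via-wg"

# 3. Only the Apple TV is looked up in thr_WG. lookup-only-in-table means no
#    fallback to main: if the tunnel is down the Apple TV loses Internet instead
#    of silently leaking out through the local uplink.
/routing rule add src-address=192.168.2.115 action=lookup-only-in-table \
    table=thr_WG comment="appletv-via-wg"

# 4. Return path (assumption, not in the thread): unless the Fritz!Box has a
#    route back to 192.168.2.0/24 through the tunnel and the peer's allowed IPs
#    include it, hide the Apple TV behind the hEX's tunnel address.
/ip firewall nat add chain=srcnat src-address=192.168.2.115 \
    out-interface=WG-PL-FritzBox action=masquerade comment="appletv-via-wg"

# On the Apple TV itself nothing changes for the gateway (it keeps the hEX as
# default gateway, so the hEX makes the routing decision). If DNS should also
# use the remote location, point the Apple TV's DNS at 192.168.178.1; that
# traffic then follows the same rule.

# Verification: the route must be active in thr_WG and the rule must be listed.
/ip route print detail where routing-table=thr_WG
/routing rule print where comment="appletv-via-wg"

# Switching from another system over SSH (the smart-home use case): disabling
# the rule returns the Apple TV to the main table, enabling it sends it back
# through the tunnel. With key-based SSH this is a single remote command:
#   ssh admin@192.168.2.5 '/routing rule set [find comment="appletv-via-wg"] disabled=yes'
/routing rule set [find comment="appletv-via-wg"] disabled=yes
/routing rule set [find comment="appletv-via-wg"] disabled=no
```

Matching on the comment rather than on the source address keeps the SSH toggle stable if the Apple TV's address is ever changed, and using a dedicated, least-privilege RouterOS user for that SSH command is preferable to the full admin account.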
 
darkside9009
just joined
Topic Author
Posts: 4
Joined: Fri Apr 26, 2024 10:57 am

Re: VPN - device routing

Mon Apr 29, 2024 2:01 pm

Hello,

Thank you for your reply. I have tried it, but it didn't work.
But there is also a question how to setup the gateway and DNS in Apple TV?
My IPs are:
My Internet modem 162.168.2.1 (here in Germany)
Apple TV has the IP: 192.168.2.115
My fritzbox in other country has: 192.168.178.1
My MikroTik hEX S, where WireGuard is running, has: 192.168.2.5

Which IP should I change in Apple TV for the gateway and DNS?
And do I need to setup something special in the wireguard config/peer?
 
TheCat12
Member Candidate
Posts: 193
Joined: Fri Dec 31, 2021 9:13 pm

Re: VPN - device routing

Mon Apr 29, 2024 2:05 pm

Maybe it would be best if you exported your config and posted it here to see what is going on:

/export file=anynameyouwish (minus sensitive information)
 
darkside9009
just joined
Topic Author
Posts: 4
Joined: Fri Apr 26, 2024 10:57 am

Re: VPN - device routing

Mon Apr 29, 2024 7:42 pm

Hello,

here is my config:
# 2024-04-29 18:34:20 by RouterOS 7.12.1
# software id = 5A7M-MRJ4
#
# model = RB760iGS
# serial number = xxxxxx
/interface bridge
add name=bridge1
/interface wireguard
add listen-port=13231 mtu=1420 name=WG-COMP
add listen-port=56460 mtu=1420 name=WG-PL-FritzBox
add listen-port=13232 mtu=1420 name=WG-PRV-SERVER
add listen-port=21520 mtu=1420 name=wg1
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/port
set 0 name=serial0
/routing table
add disabled=no fib name=thr_WG
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=sfp1 list=LAN
/interface wireguard peers
add allowed-address=192.168.5.2/32 comment="MacMini" interface=\
    WG-PRV-SERVER public-key="xxxxxxxxx"
add allowed-address=192.168.5.3/32 comment="DS Phone" interface=\
    WG-PRV-SERVER public-key="xxxxxxxx"
add allowed-address=192.168.5.4/32 comment=MacBook interface=WG-PRV-SERVER \
    public-key="xxxxxxxx"
add allowed-address=192.168.111.0/24 comment=WG-COMP endpoint-address=\
    11.11.11.11 endpoint-port=13231 interface=WG-COMP persistent-keepalive=25s \
    public-key="xxxxxxxxxxx"
add allowed-address=192.168.178.0/24 client-dns=192.168.178.1 comment=\
    "WG PL Fritz!Box" endpoint-address=homffff.ddns.net endpoint-port=55014 \
    interface=WG-PL-FritzBox persistent-keepalive=25s preshared-key=\
    "xxxxxxxx" private-key=\
    "xxxxxxxxx=" public-key=\
    "r/eX/xxxxxxxxxxxxx"
/ip address
add address=192.168.2.5/24 interface=ether2 network=192.168.2.0
add address=192.168.5.1/24 interface=WG-PRV-SERVER network=192.168.5.0
add address=192.168.113.60 interface=WG-COMP network=192.168.113.0
add address=192.168.178.0/24 interface=WG-PL-FritzBox network=192.168.178.0
/ip dns
set servers=192.168.2.1
/ip firewall filter
add action=accept chain=forward disabled=yes dst-address=192.168.111.0/24 \
    src-address=192.168.2.0/24
add action=accept chain=forward disabled=yes dst-address=192.168.2.0/24 \
    src-address=192.168.111.0/24
add action=accept chain=output disabled=yes dst-port=13231 protocol=udp
add action=accept chain=input disabled=yes dst-port=13231 protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.5.0/24
add action=masquerade chain=srcnat dst-address=192.168.111.0/24
add action=masquerade chain=srcnat dst-address=192.168.178.0/24 src-address=\
    192.168.178.0/24
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.2.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=192.168.111.0/24 gateway=WG-COMP \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=192.168.178.0/24 gateway=\
    WG-PL-FritzBox pref-src="" routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.178.1 \
    pref-src="" routing-table=thr_WG suppress-hw-offload=no
/routing rule
add action=lookup-only-in-table disabled=no src-address=192.168.2.115 table=\
    thr_WG
/system clock
set time-zone-name=Europe/Berlin
/system note
set show-at-login=no

 
anav
Forum Guru
Posts: 19572
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VPN - device routing

Mon Apr 29, 2024 8:05 pm

Without looking at your config, the problem I see is that your modem is giving you a private IP as a WAN address to the HEX, but then why do your LAN subnet devices have the same LAN structure???

modem=192.168.2.1
Hex WAN IP provided by modem is 192.168.2.5 makes sense!
AppleTV=192.168.2.115 wrong!

So before anything you need to have an actual LAN subnet and not use the WAN subnet.
The other mystery is that you have multiple wireguard interfaces not mentioned, I hate hidden facts.
Do you also host wireguard on your device ??
If so does that mean your upstream modem/router ( NOT actually a modem, another hidden fact ) can port forward Ports to your hex ??? Assuming it gets a public IP ???
 
darkside9009
just joined
Topic Author
Posts: 4
Joined: Fri Apr 26, 2024 10:57 am

Re: VPN - device routing

Tue May 07, 2024 11:21 am

Sorry, I don't want to hide any facts. The problem is how to tell all the details, and which information is really needed.
So I can create another subnet for my devices, but how should I route them? The question is also: who is then my gateway/DNS? And how do I set up the rules and routes?
