Broadcast traffic via wireguard

surfparadise · July 26, 2022, 11:33am

Hi,

I need to enable broadcast traffic via wireguard vpn.
I enabled proxy-arp on bridge and on port eth2 (included in the bridge and where my lan switch is connected with mikrotik router).
If I try to ping 255.255.255.255 or ex:172.16.200.255 from my wireguard client but the ping fail.

Could you help me on this subject please?

Thanks

mkx · July 26, 2022, 12:03pm

Wireguard is L3 point-to-point tunnel, so no broadcasts.

anav · July 26, 2022, 1:53pm

What type of traffic are you trying to achieve. Wireguard is not a PUSH function its a connection path between two points.
One end has to PULL, ask for information, the other side responds.

surfparadise · July 26, 2022, 3:03pm

Thanks for the answers.

I try to play games with my remote friends. I need brodcast traffic for present the ‘room’ inside the game.

Which method is better to use in this case?

anav · July 26, 2022, 3:04pm

Maybe zerotier ???

anserk · July 26, 2022, 4:57pm

If both routers are Mikrotik, you can use EoIP on top of WireGuard, it’s very easy to set up. I successfully used it in the past as a proof of concept.

Interfaces - Add - EoIP, use MTU 1500. Remote address is WireGuard IP from the remote side. Tunnel ID can be anything but needs to match the other side. Repeat the same steps on the other side.
Bridge - Ports - Add your EoIP interface. Repeat on the other side. This will extend your L2 LAN across the VPN. If needed, you could instead create a new bridge and put specific interfaces there that you want to bridge together. But then they would not be part of the main LAN bridge.

The MTU on EoIP should be manually set to 1500, otherwise it will automatically lower it, which will lower MTU on the bridge and cause issues and slowness.

As with any L2 stretching you need to be aware of potential issues. Make sure you block DHCP (destination UDP 67), otherwise hosts can get a wrong IP from the other side. There are several ways to block it. I blocked it before it leaves EoIP, so that it doesn’t even get sent over VPN.
Bridge - filters - forward chain - out interface: eoip - MAC protocol IP - IP protocol udp, dst port 67. Action - drop.
Repeat on the other side.

The packets will be fragmented, there is no way around it since you have MTU 1500 on the LAN bridge, but WireGuard tunnel can’t fit 1500. For lighter traffic it shouldn’t be an issue. In my tests even heavier traffic was working fine, just higher CPU usage on the routers.

You could enable EoIP tunnel just for gaming and then disable it when done.

surfparadise · July 26, 2022, 5:12pm

Seems it doesn’t be available for 951G-2HnD (yet?).
There is any way to use zerotier without the native package?

…we have only just 1 router…

Zacharias · July 26, 2022, 5:13pm

Zerotier is available only in ARM devices with ROS v7.

You could use EoIP as suggested earlier or BCP https://wiki.mikrotik.com/wiki/Manual:BCP_bridging_(PPP_tunnel_bridging)

surfparadise · July 26, 2022, 5:42pm

Anyway seems that I can achieve the result without the router. Just configure 2 clients devices and point to zerotier service…