My remote Mikrotik is 1500 miles away and I want to try wireguard. My problem is both LANs are 192.168.100.0/24 so I need to change the remote site from my understanding. I’m going to try changing the devices to 192.168.200.xxx to keep it simple.
My DHCP server assigns IPs based on MAC so I think I can edit those with the new addresses, add 192.168.200.1 to ether 2 (LAN to the switch), then use ipconfig /release and /renew on each PC to get the .200.xxx address.
I have not used safe mode and want to confirm: if I set it before these changes, and the changes cause me to lose connection from a PC there running winbox, that the router will reject the changes and go back to the .100.xxx scheme after 9 minutes.
thanks
Changing remote LAN should be safe, because if you’re going to be connected to router remotely, that will be from WAN. So no matter how much you mess up remote LAN, it shouldn’t affect your ability to connect to router and correct it.
One tip for renumbering, export the whole configuration, open it in text editor and find all places with “192.168.100.”, to be sure that you don’t miss any.
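The export-and-search tip above, as an added example that is not part of the original thread: a Python check that parses each IPv4 token in a RouterOS export instead of searching for the literal string, so it also flags pool ranges and wider prefixes (such as a /16 firewall rule) that cover the old subnet. The sample export is constructed for illustration, and `find_references` and `touches_old_net` are hypothetical helper names.

```python
import ipaddress
import re

OLD_NET = ipaddress.ip_network("192.168.100.0/24")  # subnet being retired

# IPv4 address with an optional /prefix or "-end" (pool-style range).
TOKEN = re.compile(
    r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:/(\d{1,2})|-(\d{1,3}(?:\.\d{1,3}){3}))?(?![\d.])"
)

def touches_old_net(addr, prefix, range_end, old_net=OLD_NET):
    """True if the address, prefix or range lies in or overlaps old_net."""
    try:
        if range_end:
            nets = ipaddress.summarize_address_range(
                ipaddress.ip_address(addr), ipaddress.ip_address(range_end))
            return any(n.overlaps(old_net) for n in nets)
        if prefix:
            net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
            # 0.0.0.0/0 overlaps everything; the default route is not a hit.
            return net.prefixlen > 0 and net.overlaps(old_net)
        return ipaddress.ip_address(addr) in old_net
    except ValueError:  # e.g. 999.1.1.1 or a reversed range
        return False

def find_references(export_text, old_net=OLD_NET):
    """Return (line_number, token) for every reference to old_net."""
    hits = []
    for lineno, line in enumerate(export_text.splitlines(), start=1):
        for m in TOKEN.finditer(line):
            if touches_old_net(m.group(1), m.group(2), m.group(3), old_net):
                hits.append((lineno, m.group(0)))
    return hits

# Constructed sample, shaped like the output of "/export" (not a real config).
SAMPLE_EXPORT = """\
/ip pool
add name=dhcp ranges=192.168.100.10-192.168.100.254
/ip address
add address=192.168.100.1/24 interface=bridge network=192.168.100.0
add address=10.0.0.1/30 interface=wireguard1 network=10.0.0.0
/ip dhcp-server lease
add address=192.168.100.220 mac-address=AA:BB:CC:00:00:01 server=dhcp1
/ip firewall filter
add action=accept chain=forward src-address=192.168.0.0/16
/ip route
add dst-address=192.168.200.0/24 gateway=10.0.0.2
"""

if __name__ == "__main__":
    for lineno, token in find_references(SAMPLE_EXPORT):
        print(f"line {lineno}: {token}")
```

A hit on a wider prefix such as 192.168.0.0/16 does not have to change, but it marks a rule that will keep matching the site under its new addresses and is worth reading again.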
[quote]So no matter how much you mess up remote LAN, it shouldn’t affect your ability to connect to router and correct it.[/quote]
Maybe for a normal person but I always find a way to shoot myself in the foot. I had a rule blocking me from WAN access, once I figured that out I was able to get in that way. Being a dyslexic typist does not help either.
Thanks for the tip on export, I’ve got something goofed up in my guest wifi network at the remote site so I’m going through my main site which works to do a comparison.
The hAPs can ping each other and PCs on opposite sites but the PCs can’t see each other, is this normal under wireguard?
I had this working under L2TP way back v6.2 but it quit after an update.
Wireguard just gives you simple interfaces, it doesn’t do anything special. It’s like another ethernet port (not exactly, because WG is point to point and doesn’t use ARP, but that’s not much difference). So what matters are routes, firewall, …
Another backup method I have used is the freebie offering of Remote Winbox, third party but also a very easy SSTP backup in case you are afraid of screwing up wireguard LOL.
Another option (just in case) is to have access to a PC at the remote location that has remote access software such as TeamViewer, AnyDesk, etc. As long as you have not totally messed up internet access for that LAN, you can access that remote PC via remote access software (no special router config required). That gives you access to a computer on the LAN that can have WinBox (or a terminal program for you CLI fans). If you screw up your remote access to the router, a local PC accessed via TeamViewer may give you a back door.
A second VPN possibility sounds easier and more environment friendly
Besides, if that second vpn will not work anymore, chances are 100 to 1 that PC will not respond anymore either.
I used team viewer and then went with anydesk, but around Christmas they bombarded me with update offers so I took it off. I use splashtop for my paid version and have been testing remote utilities, seems to work well. A license is only $99 so I may add that as my backup. I use tight VNC on the LAN but I have problems with copy and paste.
Did you make an APCO post about uniforms recently? Your call sign looks familiar. I’m a 2 way tech on the APCO ANSI standards revision committee.
[quote=Sob]So you had a nice trip?[/quote]
Yes except for the 40 degree drop in daily high temps.
What’s weird is I can put //192.168.100.225 in IE and see my video camera system at the main site from here at the remote site which is now 192.168.200.0/24.
\\192.168.100.220 does not see my main NAS, but IP scan in winbox sees all .100.xxx IPs.
If there’s at least something passing through tunnel, then tunnel itself should be ok. Check firewalls on both routers and also on involved devices, they can have own firewalls and block traffic from other subnet.
thanks SOB, I’ll look at the rules and post them if nothing stands out, which it probably won’t.
Really appreciate you and sindy taking time to help out in this forum.
I had to do a hard reset on site 1 this week after I lost internet access, turned out to be a cable modem / ISP issue where I was getting a 192.168.100.1 address for my WAN which kept me from getting into the hAP.
site 1 WAN 72.xxx.xxx.xxx

/ip/address> pr
      ADDRESS            NETWORK        INTERFACE
 1    192.168.100.1/24   192.168.100.0  bridge
 2    10.10.10.1/24      10.10.10.0     GUEST BRIDGE
 3 D  72.xxx.xxx.xxx     72.xxx.xxx.0   ether1 WAN
 4    10.0.0.1/30        10.0.0.0       wireguard1

/ip/route> pr
        DST-ADDRESS        GATEWAY        DISTANCE
   DAd  0.0.0.0/0          72.xxx.xxx.1   1
   DAc  10.0.0.0/30        wireguard1     0
   DAc  10.10.10.0/24      GUEST BRIDGE   0
   DAc  72.xxx.xxx.xxx     ether1 WAN     0
   DAc  192.168.100.0/24   bridge         0
 0 As   192.168.200.0/24   10.0.0.2       1
Even though winbox shows my wireguard interface as running and a link up time with no down time, I can't ping 10.10.10.x from either side.
The 10.10.10.0 range is for the guest network on the AP.
Not what is needed.
Please add export of both configs.
Confirm both MT devices at both ends have public IPs as well or is one of them behind an ISP router??