Hi,
I'm experimenting with WireGuard at work and decided to use a second MikroTik router just for WireGuard tunnels.
So I have:
LAN : 192.168.0.0/24
MT1 : 192.168.0.12 - main router in network, DHCP server, default gateway for LAN ( static WAN IP)
MT2 : 192.168.0.33 - second router for wireguard tunnels only, manual ip, no DHCP server (different static WAN IP)
MT2: wg tunnel ip 10.0.2.1
Connect to MT2 from home LAN: 192.168.188.0/24
wg tunnel ip 10.0.2.2
To get a ping echo from the work LAN I can:
Variant 1: manually add a route on the selected computers I'm interested in on the work LAN
route add 192.168.188.0 MASK 255.255.255.0 192.168.0.33 metric 2
As I don't want to change route tables manually on all computers in the work LAN, I try variant 2:
Variant 2: add two routes in MT1 (default gateway in work LAN)
ip->routes
dst-address 192.168.188.0/24 gateway 192.168.0.33
dst-address 10.0.2.0/24 gateway 192.168.0.33
So, the second way seemed to be working for some time, so I added two more peers and tunnels for coworkers, and it seems that this somehow breaks variant 2, as suddenly some peers get responses from the work LAN and some don't.
And if my home computer doesn't get a ping back from the office LAN, I can disable and enable the static route in the route list on MT1 (office) to 192.168.188.0/24 (my home LAN) and ping starts working again.
So how do I properly add a second router to the LAN? Please help or point me to a topic, as it is very hard to find on the forum how to solve this.
I think it is a "second gateway on another router in the same LAN" problem,
but maybe it has some WireGuard specifics, I'm not sure.
It could be firewall on main router. If you don't have routes on individual devices in work LAN, they will try to communicate with WG subnet via their default gateway (main router). Main router knows that the subnet is available via the second router, so it will send icmp redirects to LAN devices, to tell them that they can send those packets to second router directly. If they accept, it will work. If not, you'll get asymmetric routing, where second router will be sending packets to LAN devices directly, but they will send theirs to main router. Stateful firewall on main router will see only half of connection, will mark those packets as invalid, and if you have default firewall, it will drop them. You can either add some exception to that rule, or you can mark such packets (from LAN subnet to WG subnet) as untracked in raw.
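The configuration that follows is an added illustration of the two fixes described in the reply above, not config posted by either participant. It uses the addresses from the thread (work LAN 192.168.0.0/24, MT2 at 192.168.0.33, home LAN 192.168.188.0/24, tunnel subnet 10.0.2.0/24) and assumes MT1's LAN interface is the default `bridge`; the comments are assumptions too. It is meant to be pasted on MT1 only, since MT2 sees both halves of every flow and needs nothing extra.

```routeros
# MT1 (main router, 192.168.0.12). Static routes from the original post:
# anything for the home LAN or the tunnel subnet is handed to MT2.
/ip route
add dst-address=192.168.188.0/24 gateway=192.168.0.33 comment="home LAN via MT2 (WG router)"
add dst-address=10.0.2.0/24 gateway=192.168.0.33 comment="WG tunnel subnet via MT2"

# Why MT1 drops replies: a host's reply to a tunnel peer enters MT1 on 'bridge'
# and leaves MT1 on 'bridge' again towards MT2, while the matching request went
# MT2 -> host directly. Conntrack on MT1 has never seen the request, so the reply
# is connection-state=invalid and the default 'drop invalid' forward rule eats it.

# Option A (the 'untracked in raw' fix): exclude the one-sided direction from
# conntrack altogether. Untracked packets are never 'invalid', and the default
# forward chain accepts established,related,untracked.
/ip firewall raw
add chain=prerouting in-interface=bridge src-address=192.168.0.0/24 \
    dst-address=192.168.188.0/24 action=notrack \
    comment="asymmetric path: work LAN -> home LAN is only half-visible here"
add chain=prerouting in-interface=bridge src-address=192.168.0.0/24 \
    dst-address=10.0.2.0/24 action=notrack \
    comment="asymmetric path: work LAN -> WG subnet is only half-visible here"

# Option B (the 'exception to that rule' fix, use instead of A): keep tracking
# but accept this hairpin path before the drop-invalid rule. After adding it,
# move it above 'drop invalid' in /ip firewall filter print, or it never matches.
/ip firewall filter
add chain=forward in-interface=bridge out-interface=bridge \
    src-address=192.168.0.0/24 dst-address=192.168.188.0/24 action=accept \
    comment="exempt work LAN -> home LAN hairpin from drop-invalid"
add chain=forward in-interface=bridge out-interface=bridge \
    src-address=192.168.0.0/24 dst-address=10.0.2.0/24 action=accept \
    comment="exempt work LAN -> WG subnet hairpin from drop-invalid"
```

To confirm this is really the cause before changing anything, run `/ip firewall filter print stats` on MT1 while a peer's ping is failing and watch the counters on the `drop invalid` rule climb; enabling `log=yes` on that rule for a minute shows the exact reply packets being dropped. The on/off behaviour in the original post also fits this explanation: toggling the route flushes the stale conntrack state, and hosts that honour the ICMP redirect from MT1 bypass it for a while until their redirect cache expires. Option A is the narrower change, since it only stops MT1 from judging flows it can never see in full; it does not loosen the firewall for anything coming from the WAN side.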
Thanks, Sob, learned about asymmetric routing, clearly the possible cause.
And I have found your answer for practically the same question as mine here: http://forum.mikrotik.com/t/routing-traffic-for-specified-domains-to-a-different-gateway/146125/1
Only difference is raspberry pi was used as second router and openvpn instead of wireguard.
Looks like it's not such a rare question,
will try to tackle it.
Srcnat in other thread can be used for outgoing connections, it won’t work like this for incoming ones. Well, it would work on WG router, but you’d lose ability to see original source addresses. It doesn’t matter in other thread, because there it was traffic to internet, so there was NAT anyway.