Fios Router -> PC / Devices (192.168.1.X)
Fios Router -> 4011 Router 7.1beta3 (192.168.1.X - WAN Port 1) -> Laptop (192.168.88.X - LAN Port 2) / 4011 (192.168.88.1 - LAN)
*Fios Router is connected to Port 1 (WAN) on the 4011, while the laptop is connected to Port 2 (LAN) on the 4011. Fios router provides DHCP on 192.168.1.X subnet, while 4011 provides DHCP on 192.168.88.X subnet.
Wireguard: VPN provider is Mullvad. Used the following config that they provide, which I edited (thanks to redskilldough for the original post on how to set it up):
[Interface]
PrivateKey = aaaabbbb
Address = 10.1.1.1/32,aaaa:bbbb:cccc::1:23ab/128
DNS = 1.1.1.1
[Peer]
PublicKey = zzzzyyyy
AllowedIPs = 0.0.0.0/0,::0/0
Endpoint = 2.2.2.2:3333
I did the following steps to set up Wireguard on 4011:
- Wireguard -> New Interface. Left defaults and added private key (aaaabbbb) from config file -> Apply -> OK
- Wireguard -> Peers -> Added public key (zzzzyyyy), endpoint: 2222, endpoint port: 3333, allowed address (allowedips): 0.0.0.0/0 -> Apply -> OK
*The configuration file lists 0.0.0.0/0 for Allowed Address, I believe this means that all clients can use the VPN?
- IP -> Address -> New Address -> Address=10.1.1.1/32 (from interface config), Interface=wireguard -> Apply -> OK
*I currently have my wireguard (10.1.1.1), ether1 (address=192.168.1.85/24 / network=192.168.1.0), and bridge (address=192.168.88.1/24 / network=192.168.88.0) addresses in the list
- IP -> Firewall -> NAT tab -> Add -> Chain=srcnat, Out. Interface=wireguard, action=masquerade -> Apply -> OK
*My understanding is that masquerade allows all the clients' traffic to route through the VPN
- Terminal:
/routing table add name=mullvad
*I'm not exactly sure how this works, I think this is new for ROS 7?
- IP -> Firewall -> Mangle -> Chain=prerouting, Source Address=192.168.88.X (laptop), Action=mark routing, New Routing Mark=mullvad
*Does this just mark all the traffic coming from the laptop as 'mullvad' traffic, and then the next step routes this traffic to the VPN?
- Terminal:
/ip route add dst-address=0.0.0.0/0 gateway=wireguard1@main routing-table=mullvad
*My understanding of this route is that it will route all traffic through wireguard.
I also disabled fasttrack as this just slows everything down to a crawl.
Issue: All the traffic is being routed through wireguard for the defined IP (laptop), but the laptop can't access any of the PCs in the WAN. Without wireguard set up everything works perfectly fine, which makes sense based on the routing. I tried adding a route a few different ways without success; any help would be appreciated!
EDIT: It looks like if I set up a new mangle rule I can access the other LAN: IP -> Firewall -> Mangle -> chain=prerouting, src address: 192.168.88.X (laptop), dst address: 192.168.1.0/24, action=mark routing, new routing mark=main - is this the correct solution?
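The same setup written as RouterOS v7 CLI commands, as an added example that is not the poster's configuration: it reproduces the WireGuard interface, peer, srcnat, routing table, default route through the tunnel and the prerouting mark, and keeps the 192.168.1.0/24 side out of the mark so the laptop can still reach it (the same effect as the second mangle rule in the EDIT, expressed as an exclusion in the first rule instead). The laptop address 192.168.88.50, the address-list name local-lans and the leak-guard filter rule are assumptions; keys and endpoint are the placeholders from the post.

```routeros
# Added example, not the poster's config. Assumes RouterOS v7 with the
# /routing/table "fib" flag; keys and endpoint are placeholders from the post.

# 1. WireGuard interface and the Mullvad peer
/interface/wireguard add name=wireguard1 private-key="aaaabbbb"
/interface/wireguard/peers add interface=wireguard1 public-key="zzzzyyyy" \
    endpoint-address=2.2.2.2 endpoint-port=3333 allowed-address=0.0.0.0/0 \
    persistent-keepalive=25s
# allowed-address is WireGuard's cryptokey routing: which destinations may be
# sent to (and accepted from) this peer. 0.0.0.0/0 = everything. It does not
# decide which LAN clients use the tunnel; the mangle rule below does that.

# 2. Tunnel address from the Mullvad [Interface] section
/ip/address add address=10.1.1.1/32 interface=wireguard1

# 3. Masquerade clients behind the tunnel address when they leave via the tunnel
/ip/firewall/nat add chain=srcnat out-interface=wireguard1 action=masquerade

# 4. Second routing table with its own default route through the tunnel.
#    "fib" makes the table usable for forwarding on current v7 releases
#    (it is not in the poster's 7.1beta3 command).
/routing/table add name=mullvad fib
/ip/route add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=mullvad

# 5. Destinations that must keep using the main table: the Fios side
#    (the "WAN" PCs in the post) and the 4011's own LAN
/ip/firewall/address-list add list=local-lans address=192.168.1.0/24
/ip/firewall/address-list add list=local-lans address=192.168.88.0/24

# 6. Mark only the laptop's traffic, and only when it is not bound for a
#    local LAN. Unmarked packets are looked up in main, so 192.168.1.x stays
#    reachable. passthrough=no stops further mangle processing once matched.
/ip/firewall/mangle add chain=prerouting src-address=192.168.88.50 \
    dst-address-list=!local-lans action=mark-routing new-routing-mark=mullvad \
    passthrough=no

# 7. Assumed leak guard: if the tunnel is down, laptop traffic must not leave
#    through the Fios uplink instead. Needs fasttrack off (as in the post).
/ip/firewall/filter add chain=forward src-address=192.168.88.50 \
    dst-address-list=!local-lans out-interface=!wireguard1 action=drop \
    comment="laptop: no VPN, no internet"

# Checks: the tunnel route should be active in the mullvad table, and the
# mangle counters should grow only for the laptop's non-local traffic
/ip/route print where routing-table=mullvad
/ip/firewall/mangle print stats
```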