chbla
newbie
Topic Author
Posts: 35
Joined: Mon Dec 31, 2018 2:52 pm

Connection issues with hAP AC2, any problems with my config?

Tue May 21, 2024 11:31 pm

Hi there,

I've upgraded my hAP AC2 recently to the latest stable version and set up WireGuard on it.

Since then, I have severe connection issues. I cannot really isolate it.
Ping goes up to 1 sec, timeouts, then gets stable again, and it repeats...
Connections get interrupted, etc.
I get the same result via eth, 5ghz, 2.4ghz.

The router is connected to a cable modem in bridge mode.
If I connect to the modem directly with my laptop, there are no issues.

I thought it's related to memory problems (viewtopic.php?p=1076550#p1076550) but it's working fine for others.

I'm not sure my config (attached) causes any problems.
Could anyone maybe have a look? I don't have the experience yet...

Appreciate your help, thanks a lot!
 
anav
Forum Guru
Posts: 20009
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Connection issues with hAP AC2, any problems with my config?

Wed May 22, 2024 12:20 am

Yeah lots wrong LOL

First mistake two bridges.
Why three wireguard interfaces, only need one. Your whole wireguard setup is messed up as well including routes.
REMOVE Vlans and vlan mode from wifi setting!!
Wireguard does not use vpn pool!
Normally a VLAN is not a bridge port, ( removed )!
You created interface vlan20, but in dhcp-server AND IP address, you incorrectly named the interface bridge-vlan20
Missing /interface bridge vlan settings.
Some bizarre .87 subnet showed up in server-networks and removed. Also don't put netmask in.
MISSING firewall rules.
Dstnat and srcnat rules wrong.


Changes Mostly.

# model = RBD52G-5HacD2HnD
# serial number = "hidden"
/interface bridge
add comment=defconf name=bridge vlan-filtering=yes

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/interface vlan
add interface=bridge name=vlan20 vlan-id=20 comment="guest wifi"
add interface=bridge name=vlan10 vlan-id=10 comment="home LAN"
/ip pool
add name=dhcp ranges=192.168.1.5-192.168.1.254
add name=dhcp_pool3 ranges=192.168.25.2-192.168.25.254
/ip dhcp-server
add address-pool=dhcp interface=vlan10 lease-time=10m name=defconf
add address-pool=dhcp_pool3 interface=vlan20 lease-time=5m name=dhcp1

/interface bridge port
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether2 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether3 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether4 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether5 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wlan1 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wlan2 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=Guest-Wlan pvid=20

/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether2,ether3,ether4,ether5,wlan1,wlan2 vlan-ids=10
add bridge=bridge tagged=bridge untagged=Guest-Wlan vlan-ids=20


/interface list member
add comment=defconf interface=ether1 list=WAN
add comment=defconf interface=vlan10 list=LAN
add interface=vlan20 list=LAN

/ip address
add address=192.168.1.1/24 interface=vlan10 network=192.168.1.0
add address=192.168.25.1/24 interface=vlan20 network=192.168.25.0

/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
add address=192.168.25.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.25.1

/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input interface=vlan10
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=tcp
add action=drop chain=input comment="drop all else" { put this rule in very very last }
++++++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding:" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="Hairpin NAT" \
dst-address=192.168.1.0/24 src-address=192.168.1.0/24 { remove if not required }

NOTE: Hairpin nat only required if vlan10 users (same subnet as server) have to access server by URL/domain name (aka via the public IP of the router )

add action=dst-nat chain=dstnat dst-port=11194 protocol=tcp to-addresses=\
192.168.1.1 to-ports=1194 in-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=13231 protocol=udp to-addresses=\
192.168.1.1 to-ports=13231 in-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=13233 protocol=udp to-addresses=\
192.168.1.1 to-ports=13233 in-interface-list=WAN

NOTE: If your WANIP is not static but dynamic then you have to change in-interface-list=WAN to dst-address-list=MyWANIP

Where
/ip firewall address-list
add address=<domain name or URL of your public IP - could be the IP Cloud name for example> list=MyWANIP
 
chbla
newbie
Topic Author
Posts: 35
Joined: Mon Dec 31, 2018 2:52 pm

Re: Connection issues with hAP AC2, any problems with my config?

Wed May 22, 2024 8:54 am

Yeah lots wrong LOL
Thanks for the honest correction! :)
I need to check your response in detail, but I have already started changing it.
I will report back
 
chbla
newbie
Topic Author
Posts: 35
Joined: Mon Dec 31, 2018 2:52 pm

Re: Connection issues with hAP AC2, any problems with my config?

Wed May 22, 2024 7:04 pm

Changes Mostly.
I'm almost there (I think) - internet is working normally again. Thank you!
I tried to use only one bridge and wireguard interface.

However, I'm not sure about Wireguard and Firewall rules, I might need a bit of help.
I'm unsure which of the existing rules I should have kept.

I can connect to Wireguard with the phone (Peer 192.168.32.3), but cannot access the router (192.168.1.1) or Internet.
I assume some rules are missing.

Note: Peers "laptop" and "phone" are "roadwarriors" and "camper" and "tessin" are networks that I want to connect to.
(They basically connect into my home network).

Could you maybe have another look? I've attached the current config.
 
anav
Forum Guru
Posts: 20009
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Connection issues with hAP AC2, any problems with my config?

Wed May 22, 2024 7:57 pm

Sure but you need more info about tessin and camper. Do you simply mean they represent subnets on your Router??

1. Any reason ether4 on bridge ports is not setup as the others?

2. Need to add wireguard to Interface list members
add interface=wireguard list=LAN

3. TESSIN and CAMPER interfaces make no sense to me as they are not local subnets, NOR are they on the wireguard interface subnet.
The config is hosed in respect to these phantom networks.
REMOVE until you can explain better and then can match up config to reality.

4. Remove this default old static DNS setting..
/ip dns static
add address=192.168.1.1 name=router.lan


5. ORDER in firewall rules could be better .................... default rules THEN admin rules!!!
Will fix your input chain, didn't realize the RW was you needing access to Config, so will do this properly!!

/ip firewall address-list
add address=192.168.1.X/32 list=Authorized comment="local admin PC wired"
add address=192.168.1.Y/32 list=Authorized comment="local admin laptop wifi"
add address=192.168.1.Z/32 list=Authorized comment="local admin smartphone wifi"
add address=192.168.32.2/32 list=Authorized comment="remote admin laptop"
add address=192.168.32.3/32 list=Authorized comment="remote admin smartphone"


/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="allow WireGuard" \
dst-port=13231 protocol=udp

add action=accept chain=input in-interface-list=LAN src-address-list=Authorized
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"


6. Missing Rules and you have a duplicate NAT rule, only need one. :-)

add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=\
LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding:" \
connection-nat-state=dstnat
add action=accept chain=forward comment="admin LAN access" in-interface-list=LAN out-interface-list=LAN src-address-list=Authorized
add action=drop chain=forward comment="drop all else"
 
chbla
newbie
Topic Author
Posts: 35
Joined: Mon Dec 31, 2018 2:52 pm

Re: Connection issues with hAP AC2, any problems with my config?

Wed May 22, 2024 10:01 pm

Nice, now Wireguard is working too, thank you!
I think I understood most of the changes, but I'll read it up in detail once complete.
I've added ssh and webfig access from inside the LAN.
Sure but you need more info about tessin and camper. Do you simply mean they represent subnets on your Router??
Regarding those two peers, I'll explain what I want to do:

Tessin is a house (remote) with its own LAN (192.168.88.x).
Camper is a Camper Van (remote) with its own LAN (192.168.44.x).

Both have a couple of devices that need to send data to my Home Network (the one we are configuring here, 192.168.1.x).
I am using Wireguard to let them connect to my Home network if they are online (as it works in both directions, this is fine).

I want to:
- Connect to machines in my home network (192.168.1.1) from machines in the Camper/Tessin networks.
- Connect to machines in the Camper/Tessin networks from my Home network.

So, in contrast to these road warrior setups, it's a site-to-site setup, and I followed this tutorial:
https://www.youtube.com/watch?v=CH10spRyGpU which was previously working.

As far as I understood, I can now just leave the peers like this:

add allowed-address=192.168.33.2/32,192.168.88.0/24 comment=tessin interface=\
wireguard persistent-keepalive=25s public-key=\
"xxx="
add allowed-address=192.168.34.2/32,192.168.44.0/24 comment=camper interface=\
wireguard persistent-keepalive=25s public-key=\
"xxx="

However, in order to access the remote machines from home, don't I need the interfaces, so I use routes like this:

add disabled=no distance=1 dst-address=192.168.88.0/24 gateway=tessin \
pref-src="" routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address=192.168.44.0/24 gateway=camper \
pref-src="" routing-table=main suppress-hw-offload=no

I've attached the current config again.
 
anav
Forum Guru
Posts: 20009
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Connection issues with hAP AC2, any problems with my config?

Wed May 22, 2024 10:49 pm

Sorry, it does not compute.

Where are these machines located?
What router are they connected to?
What kind of ISP connection do they have.
Are they ON all the time?

Where did you come up with IP addresses for their wireguard?
How did you configure them for wireguard etc.

Too many missing pieces for me to begin to look at the config yet.
 
chbla
newbie
Topic Author
Posts: 35
Joined: Mon Dec 31, 2018 2:52 pm

Re: Connection issues with hAP AC2, any problems with my config?

Wed May 22, 2024 11:06 pm

Sorry for the confusion, I wanted to link to this video: https://www.youtube.com/watch?v=P6f8Qc4EItc

It's just normal Home Networks, connected to the internet.
The IPs I'm referring to are just the internal IPs, they all have one external public IP.

The one we are talking about is what I refer to with 192.168.1.1
Tessin is also a Mikrotik Router with a bridged modem containing a sim card.
Camper is a Teltonika RUT950 with a sim card.

I just configured them as Wireguard Peers. They connected to my Home network automatically.
 
anav
Forum Guru
Posts: 20009
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Connection issues with hAP AC2, any problems with my config?

Thu May 23, 2024 12:15 am

I have no idea what you mean by home network.................
However if I was to set this up for you this is how I would do,

1. Keep the single wireguard interface, but we will give it additional IP addresses "=)

/interface wireguard peers { no change required to peers !!! }
add allowed-address=192.168.32.3/32 comment=phone interface=wireguard \
public-key="UZXquc84Thv6JoowYRIRdaqlJLdm7OlCWOJxgJNxpTw="
add allowed-address=192.168.32.2/32 comment=laptop interface=wireguard \
public-key="SggrfWgs2oTchMartmfYXJYrtinlAt18iDQap5zl4FA="
add allowed-address=192.168.33.2/32,192.168.88.0/24 comment=tessin interface=\
wireguard persistent-keepalive=25s public-key=\
"3uhxfGpqbFB69rEzm0btJjRJeHhuOehV7wD4dITCv2Y="
add allowed-address=192.168.34.2/32,192.168.44.0/24 comment=camper interface=\
wireguard persistent-keepalive=25s public-key=\
"OzGXhRTwcwWov75oyPnvzIhrf7KvaSaLiuZKm3tGwA4="


2. Add the necessary interface addresses..........

/ip address
add address=192.168.1.1/24 comment=defconf interface=vlan10 network=\
192.168.1.0
add address=192.168.25.1/24 interface=vlan20 network=192.168.25.0
add address=192.168.32.1/24 interface=wireguard network=192.168.32.0
add address=192.168.33.1/24 interface=wireguard network=192.168.33.0
add address=192.168.34.1/24 interface=wireguard network=192.168.34.0


3. Yes we need to add routes I probably removed earlier but you have them in your new config but note the router sees errors and has no clue about them hence *D and *C in gateway!!
/ip route
add disabled=no distance=1 dst-address=192.168.88.0/24 gateway=wireguard pref-src="" \
routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address=192.168.44.0/24 gateway=wireguard pref-src="" \
routing-table=main suppress-hw-offload=no


4. Now to adjust firewall rules.
YOU didn't pay attention, I set up the firewall address list so you could configure the router locally. You took that out and can only configure it remotely ????
Also need to add another list!

/ip firewall address-list
add address=192.168.1.X/32 list=Authorized comment="local admin PC wired"
add address=192.168.1.Y/32 list=Authorized comment="local admin laptop wifi"
add address=192.168.1.Z/32 list=Authorized comment="local admin smartphone wifi"

add address=192.168.32.2/32 list=Authorized comment="remote admin laptop"
add address=192.168.32.3/32 list=Authorized comment="remote admin smartphone"

add address=192.168.33.2/32 list=REMOTE-WG
add address=192.168.34.2/32 list=REMOTE-WG


Check the input chain rule, and this will make sense to you!!

5. You forgot the forward chain rule I had added ????
add action=accept chain=forward comment="admin LAN access" in-interface-list=LAN out-interface-list=LAN src-address=Authorized

In any case here is a revamped forward chain ruleset.

add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=\
LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding:" \
connection-nat-state=dstnat

add action=accept chain=forward comment="Remote WG users to LAN" in-interface=wireguard src-address-list=REMOTE-WG dst-address=192.168.1.0/24
add action=accept chain=forward comment="LAN users to Remote WG" in-interface-list=LAN src-address=192.168.1.0/24 out-interface=wireguard dst-address-list=REMOTE-WG
add action=accept chain=forward comment="admin to all" in-interface-list=LAN src-address-list=Authorized out-interface-list=LAN

add action=drop chain=forward comment="drop all else"
 
chbla
newbie
Topic Author
Posts: 35
Joined: Mon Dec 31, 2018 2:52 pm

Re: Connection issues with hAP AC2, any problems with my config?

Thu May 30, 2024 12:09 am

I had a business trip, sorry for the late answer.
I have no idea what you mean by home network.................
Not sure what the right word is, just a normal home router (cablemodem) with internal network.

Anyway, I think I got most of it working now!
But I'm not sure if I confused some of the lines or the order, from this thread.

The camper peer/network now connects via Wireguard, and its machines can access machines in my home network.
However, from inside the Home Network (machine with IP in 192.168.1.x) I cannot ping or access the machines in the camper network (192.168.44.x).
Have I missed something in the rules?
 
anav
Forum Guru
Posts: 20009
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Connection issues with hAP AC2, any problems with my config?

Thu May 30, 2024 3:45 am

Everything looked good until I reached FW rules, mostly out of order...........
(i) moved fasttrack rule down to be with other forward chain rules.
(ii) moved wireguard handshake rule to first of admin rules.
(iii) removed wg remote from access to Router for config purposes, I am assuming that those are networks that have
no business configuring your router, so only kept the src list of authorized!
(iv) also one should not allow all users of vlan10 to access config ONLY the admin.... thus added some to the src address list!
(v) I think I see where the missing connectivity stems from!!
I gave the access to the wrong syllable. It's not that the machine needs connectivity to the wireguard address, it needs access to the LAN subnet where the other machines are located.
Kinda matching the IP routes and allowed IPs..... ( we could have just given access to wireguard-simpler, as I normally do on the outbound side, so will give you two options..........)

/ip firewall address-list
add address=192.168.32.2 comment="remote admin laptop" list=Authorized
add address=192.168.32.3 comment="remote admin smartphone" list=Authorized
add address=192.168.1.X comment="local admin PC" list=Authorized
add address=192.168.1.Y comment="local admin laptop wifi" list=Authorized

add address=192.168.88.0/24 list=REMOTE-Machines
add address=192.168.44.0/24 list=REMOTE-Machines


/ip firewall filter
{ default rules to keep }
add action=accept chain=input comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp

{ admin rules }
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
protocol=udp
add action=accept chain=input in-interface-list=LAN src-address-list=\
Authorized
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"

+++++++++++++++++++++++++++++++++++++++++++++++++++++++
{ default rules to keep }
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid

{ admin rules }
add action=accept chain=forward comment="internet traffic" in-interface-list=\
LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding:" \
connection-nat-state=dstnat
add action=accept chain=forward comment="Remote WG users to LAN" dst-address=\
192.168.1.0/24 in-interface=wireguard src-address-list=REMOTE-Machines

{option 1} add action=accept chain=forward comment="LAN users to Remote Machines" \
dst-address-list=REMOTE-Machines in-interface-list=LAN out-interface=wireguard \
src-address=192.168.1.0/24

{option 2} add action=accept chain=forward comment="LAN users to Remote Machines" \
src-address=192.168.1.0/24 out-interface=wireguard

add action=accept chain=forward comment="admin to all" in-interface-list=LAN \
out-interface-list=LAN src-address-list=Authorized

add action=drop chain=forward comment="drop all else"
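To see how the first-match ordering anav insists on actually decides traffic, here is an added Python model (not the page's or MikroTik's code) that evaluates this thread's forward chain and address lists against constructed packets; 192.168.1.10 stands in for the 192.168.1.X admin placeholder, and the REMOTE-WG versus REMOTE-Machines list choice from point (v) is the parameter.

```python
"""First-match model of the RouterOS forward chain discussed in this thread.

Constructed example: address lists, interface lists and rules follow the posts
above; 192.168.1.10 stands in for the 192.168.1.X admin placeholder.
"""
from ipaddress import ip_address, ip_network

ADDRESS_LISTS = {
    "Authorized": ["192.168.1.10/32", "192.168.32.2/32", "192.168.32.3/32"],
    # tunnel addresses of the two site routers (the list used in the earlier post)
    "REMOTE-WG": ["192.168.33.2/32", "192.168.34.2/32"],
    # LAN subnets behind those routers (the list from point (v) above)
    "REMOTE-Machines": ["192.168.88.0/24", "192.168.44.0/24"],
}
INTERFACE_LISTS = {"LAN": {"vlan10", "vlan20", "wireguard"}, "WAN": {"ether1"}}


def in_list(addr, list_name):
    return any(ip_address(addr) in ip_network(n) for n in ADDRESS_LISTS[list_name])


def matches(rule, pkt):
    """All matchers present in a rule must hold (AND); non-matcher keys are ignored."""
    checks = {
        "connection-state": lambda v: pkt["state"] in v.split(","),
        "in-interface": lambda v: pkt["in"] == v,
        "out-interface": lambda v: pkt["out"] == v,
        "in-interface-list": lambda v: pkt["in"] in INTERFACE_LISTS[v],
        "out-interface-list": lambda v: pkt["out"] in INTERFACE_LISTS[v],
        "src-address": lambda v: ip_address(pkt["src"]) in ip_network(v),
        "dst-address": lambda v: ip_address(pkt["dst"]) in ip_network(v),
        "src-address-list": lambda v: in_list(pkt["src"], v),
        "dst-address-list": lambda v: in_list(pkt["dst"], v),
    }
    return all(checks[k](v) for k, v in rule.items() if k in checks)


def evaluate(chain, pkt):
    """(action, comment) of the first matching rule; RouterOS accepts if nothing matches."""
    for rule in chain:
        if matches(rule, pkt):
            return rule["action"], rule.get("comment", "")
    return "accept", "implicit (no rule matched)"


def packet(src, dst, in_if, out_if, state="new"):
    return {"src": src, "dst": dst, "in": in_if, "out": out_if, "state": state}


def forward_chain(remote_list):
    """The forward chain from the post above; remote_list is REMOTE-WG or REMOTE-Machines."""
    return [
        {"action": "accept", "comment": "defconf: accept established,related",
         "connection-state": "established,related,untracked"},
        {"action": "drop", "comment": "defconf: drop invalid", "connection-state": "invalid"},
        {"action": "accept", "comment": "internet traffic",
         "in-interface-list": "LAN", "out-interface-list": "WAN"},
        {"action": "accept", "comment": "Remote WG users to LAN", "in-interface": "wireguard",
         "src-address-list": remote_list, "dst-address": "192.168.1.0/24"},
        {"action": "accept", "comment": "LAN users to Remote Machines", "in-interface-list": "LAN",
         "src-address": "192.168.1.0/24", "out-interface": "wireguard",
         "dst-address-list": "REMOTE-Machines"},
        {"action": "accept", "comment": "admin to all", "in-interface-list": "LAN",
         "src-address-list": "Authorized", "out-interface-list": "LAN"},
        {"action": "drop", "comment": "drop all else"},  # must stay last
    ]


def drop_placed_too_early(chain):
    """The ordering mistake the thread warns about: 'drop all else' right after the defconf rules."""
    rules = list(chain)
    drop = rules.pop()
    return rules[:2] + [drop] + rules[2:]


if __name__ == "__main__":
    camper_host = packet("192.168.44.158", "192.168.1.21", "wireguard", "vlan10")
    camper_natted = packet("192.168.34.2", "192.168.1.21", "wireguard", "vlan10")  # after src-nat on the RUT950
    guest_to_lan = packet("192.168.25.50", "192.168.1.21", "vlan20", "vlan10")
    lan_to_internet = packet("192.168.1.28", "1.1.1.1", "vlan10", "ether1")  # 1.1.1.1: constructed internet host
    for name in ("REMOTE-WG", "REMOTE-Machines"):
        print(name, "camper host ->", evaluate(forward_chain(name), camper_host))
        print(name, "camper natted ->", evaluate(forward_chain(name), camper_natted))
    print("guest vlan20 to home LAN ->", evaluate(forward_chain("REMOTE-Machines"), guest_to_lan))
    print("drop too early, LAN to internet ->",
          evaluate(drop_placed_too_early(forward_chain("REMOTE-Machines")), lan_to_internet))
```

The two "camper" packets are the thread's own symptom: with the LAN subnets in the list the real camper host passes and the src-natted one does not, and with the tunnel addresses in the list it is the other way round.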
 
chbla
newbie
Topic Author
Posts: 35
Joined: Mon Dec 31, 2018 2:52 pm

Re: Connection issues with hAP AC2, any problems with my config?

Thu May 30, 2024 12:12 pm

Everything looked good until I reached FW rules, mostly out of order...........
(i) moved fasttrack rule down to be with other forward chain rules.
(ii) moved wireguard handshake rule to first of admin rules.
(iii) removed wg remote from access to Router for config purposes, I am assuming that those are networks that have
no business configuring your router, so only kept the src list of authorized!
(iv) also one should not allow all users of vlan10 to access config ONLY the admin.... thus added some to the src address list!
(v) I think I see where the missing connectivity stems from!!
I gave the access to the wrong syllable. It's not that the machine needs connectivity to the wireguard address, it needs access to the LAN subnet where the other machines are located.
Kinda matching the IP routes and allowed IPs..... ( we could have just given access to wireguard-simpler, as I normally do on the outbound side, so will give you two options..........)
I wasn't sure about the order of rules, thanks for the correction!
I also specified in Authorized who should be allowed to access the admin interface.
I also noticed that I probably need to isolate vlan20, the guest network.

I think I integrated all the corrections now, however, I still cannot access 192.168.44.1 (RUT950 in the camper network) from 192.168.1.28 (laptop in the home network).
Do I need anything like a NAT setting or other rules on the camper/rut950 side?

Also, the other way around doesn't seem to work. I cannot access e.g. 192.168.1.21 from 192.168.44.158.
I figured I need routes on the RUT950 too:
2024-05-30_11-00.png
But without success... do you have any idea what could be missing?
 
anav
Forum Guru
Posts: 20009
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Connection issues with hAP AC2, any problems with my config?

Thu May 30, 2024 12:58 pm

Before looking at any more configs, there is no problem from the other wireguard, you can reach 192.168.88 no problem from your machine and vice versa?
If so then there is nothing wrong with the setup on the MT, it's whatever router thingy or windows server at the end of the 192.168.44 subnet.

Is that what you mean by RUT950??

That is where your problem lies. The route does not look correct, wouldn't it be 192.168.1.0/24

Also, you are using the wrong addressing, I thought that router was given wireguard 192.168.34
 
anav
Forum Guru
Posts: 20009
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Connection issues with hAP AC2, any problems with my config?

Thu May 30, 2024 1:06 pm

Also you didnt make any of the changes I made on my last post # 11,
 
chbla
newbie
Topic Author
Posts: 35
Joined: Mon Dec 31, 2018 2:52 pm

Re: Connection issues with hAP AC2, any problems with my config?

Thu May 30, 2024 1:16 pm

Sorry, I've uploaded the old config by mistake.

At the moment I cannot test 192.168.88.x as I have to reconfigure it first (it has the wrong keys now). But it's 2 hours away.

I'm unsure which IP I have to use for the routing config on the RUT950 (correct, that's the other router).
I guess then I have to use the IP of the tunnel, which would be 192.168.34.2.

Regarding the netmask, I can only specify IP and netmask separately, that's why it looks like it's the IP:
2024-05-30_12-18.png
 
anav
Forum Guru
Posts: 20009
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Connection issues with hAP AC2, any problems with my config?

Thu May 30, 2024 3:53 pm

yeah that route looks better........ and if not try 192.168.34.1 as an alternative.

(1) Remove sourcenat rule not required.

from
/ip firewall nat
add action=masquerade chain=srcnat comment="defcon: masquerade" ipsec-policy=\
out,none out-interface-list=WAN
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat dst-port=13231 in-interface-list=WAN \
protocol=udp to-addresses=192.168.1.1 to-ports=13231


TO:
/ip firewall nat
add action=masquerade chain=srcnat comment="defcon: masquerade" ipsec-policy=\
out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=13231 in-interface-list=WAN \
protocol=udp to-addresses=192.168.1.1 to-ports=13231


(2) You have old routes you need to get rid of...
from
/ip route
add disabled=no distance=1 dst-address=192.168.88.0/24 gateway=*D pref-src="" \
routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address=192.168.44.0/24 gateway=*B pref-src="" \
routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address=192.168.88.0/24 gateway=wireguard \
pref-src="" routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address=192.168.44.0/24 gateway=wireguard \
pref-src="" routing-table=main suppress-hw-offload=no


TO:

/ip route
add disabled=no distance=1 dst-address=192.168.88.0/24 gateway=wireguard \
pref-src="" routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address=192.168.44.0/24 gateway=wireguard \
pref-src="" routing-table=main suppress-hw-offload=no


(3) Either leave winbox address blank, as you provide reasonable limited access already to winbox by
a. mac-winbox limited to LAN
b. src-address-list firewall input rules

OR simply add the applicable wireguard subnet too.

/ip service
......
set winbox address=192.168.1.0/24,192.168.32.0/24

....
 
chbla
newbie
Topic Author
Posts: 35
Joined: Mon Dec 31, 2018 2:52 pm

Re: Connection issues with hAP AC2, any problems with my config?

Fri May 31, 2024 12:04 pm

Thank you!
I've also added these changes.

From the home network (192.168.1.x) I can now access hosts in the camper network (192.168.44.x).
However, I cannot access any machines in my home network, from camper (e.g. if I try to connect from 192.168.44.158 to 192.168.1.21).

The config on the Teltonica RUT950 (camper) is - if that helps:
root@RUT950:~# wg

interface: home
  public key: xxx=
  private key: (hidden)
  listening port: 51820 

peer: xxx=
  endpoint: 80.xxx.74.xxx:13231
  allowed ips: 192.168.1.0/24, 192.168.34.1/32
  latest handshake: 1 minute, 58 seconds ago
  transfer: 484.03 KiB received, 1.56 MiB sent


root@RUT950:~# route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.63.251  0.0.0.0         UG    6      0        0 wlan0-1
80.xxx.74.xxx   192.168.63.251  255.255.255.255 UGH   6      0        0 wlan0-1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 home
192.168.34.0    0.0.0.0         255.255.255.0   U     0      0        0 home
192.168.34.1    0.0.0.0         255.255.255.255 UH    0      0        0 home
192.168.44.0    0.0.0.0         255.255.255.0   U     0      0        0 br-lan
192.168.63.0    0.0.0.0         255.255.255.0   U     6      0        0 wlan0-1
Do you have maybe any clue what could be wrong here?
 
chbla
newbie
Topic Author
Posts: 35
Joined: Mon Dec 31, 2018 2:52 pm

Re: Connection issues with hAP AC2, any problems with my config?

Fri May 31, 2024 12:18 pm

yeah that route looks better........ and if not try 192.168.34.1 as an alternative.
I think I found the problem, I need to add the IP of the peer to REMOTE_MACHINES:
2024-05-31_09-03.png
I'm not sure how this works, but the other entries might then be obsolete if it just uses the Peer IP.
 
anav
Forum Guru
Posts: 20009
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Connection issues with hAP AC2, any problems with my config?

Fri May 31, 2024 1:52 pm

If that works, that means maybe at the other router you are source natting the outputs so they don't actually come from .44 they are coming from 34.2 ???
In that case adding it to remote-machines should allow that traffic to reach LAN devices on the MT LAN.

Allowed IPs on that router should be
allowed ips: 192.168.1.0/24, 192.168.34.0/24

Where is persistent keep alive on that router as well ???
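An added Python model (not the page's or MikroTik's code) of the route lookup and WireGuard cryptokey routing on both ends of the camper tunnel, built from the peers, routes and allowed-ips posted in this thread; it also goes a step beyond the thread by showing that the camper's allowed-ips decide which home-side sources it will accept at all (192.168.34.5 is a constructed address).

```python
"""Route lookup plus WireGuard cryptokey routing on both ends of the camper tunnel.

Constructed example built from the peers, routes and allowed-ips posted in this
thread; 192.168.34.5 is a constructed second home-side tunnel address.
"""
from ipaddress import ip_address, ip_network


class WireGuardNode:
    """A router with a routing table and one WireGuard interface carrying several peers."""

    def __init__(self, name, tunnel_iface, routes, peers):
        self.name = name
        self.tunnel_iface = tunnel_iface
        self.routes = {ip_network(p): iface for p, iface in routes.items()}
        self.peers = {peer: [ip_network(a) for a in nets] for peer, nets in peers.items()}

    def route(self, dst):
        """Longest-prefix match in the plain routing table (what /ip route or route -n does)."""
        dst = ip_address(dst)
        best = max((n for n in self.routes if dst in n), key=lambda n: n.prefixlen, default=None)
        return self.routes[best] if best is not None else None

    def outbound_peer(self, dst):
        """Send side of cryptokey routing: the peer whose allowed IPs cover dst, longest prefix wins."""
        dst = ip_address(dst)
        hits = [(n.prefixlen, peer) for peer, nets in self.peers.items() for n in nets if dst in n]
        return max(hits)[1] if hits else None

    def accept_inbound(self, from_peer, src):
        """Receive side: a decrypted packet is kept only if its source is in that peer's allowed IPs."""
        return any(ip_address(src) in n for n in self.peers[from_peer])

    def send(self, dst):
        """Where a forwarded packet to dst goes: (interface, peer); peer is None off the tunnel."""
        iface = self.route(dst)
        if iface != self.tunnel_iface:
            return iface, None
        return iface, self.outbound_peer(dst)


def deliver(sender, receiver, receiver_peer_name, src, dst):
    """One tunnel hop: sender routes and encrypts, receiver applies cryptokey routing on decrypt."""
    iface, peer = sender.send(dst)
    if iface != sender.tunnel_iface:
        return f"not tunnelled (went to {iface})"
    if peer is None:
        return f"no peer on {sender.name} has {dst} in allowed IPs"
    if not receiver.accept_inbound(receiver_peer_name, src):
        return f"dropped by {receiver.name}: source {src} not in allowed IPs of peer {receiver_peer_name}"
    return f"delivered via peer {peer}"


# Home hAP AC2: connected networks, the two site routes anav added, default route to the modem.
MT_ROUTES = {
    "192.168.1.0/24": "vlan10", "192.168.25.0/24": "vlan20",
    "192.168.32.0/24": "wireguard", "192.168.33.0/24": "wireguard", "192.168.34.0/24": "wireguard",
    "192.168.88.0/24": "wireguard", "192.168.44.0/24": "wireguard",
    "0.0.0.0/0": "ether1",
}
MT_PEERS = {
    "phone": ["192.168.32.3/32"], "laptop": ["192.168.32.2/32"],
    "tessin": ["192.168.33.2/32", "192.168.88.0/24"],
    "camper": ["192.168.34.2/32", "192.168.44.0/24"],
}
mt = WireGuardNode("hAP-AC2", "wireguard", MT_ROUTES, MT_PEERS)
# Same router before the site route existed (point 3 of anav's earlier post).
mt_without_site_route = WireGuardNode(
    "hAP-AC2", "wireguard", {p: i for p, i in MT_ROUTES.items() if p != "192.168.44.0/24"}, MT_PEERS)

# Camper RUT950: its WireGuard interface is called "home" in the route -n output above.
RUT_ROUTES = {"192.168.44.0/24": "br-lan", "192.168.1.0/24": "home",
              "192.168.34.0/24": "home", "0.0.0.0/0": "wlan0-1"}
rut950_as_posted = WireGuardNode("RUT950", "home", RUT_ROUTES,
                                 {"home": ["192.168.1.0/24", "192.168.34.1/32"]})
rut950_fixed = WireGuardNode("RUT950", "home", RUT_ROUTES,
                             {"home": ["192.168.1.0/24", "192.168.34.0/24"]})  # anav's suggestion

if __name__ == "__main__":
    print(deliver(rut950_as_posted, mt, "camper", "192.168.44.158", "192.168.1.21"))
    print(deliver(rut950_as_posted, mt, "camper", "192.168.34.2", "192.168.1.21"))  # src-natted: WG itself accepts it
    print(deliver(mt, rut950_as_posted, "home", "192.168.1.21", "192.168.44.158"))
    print(deliver(mt_without_site_route, rut950_as_posted, "home", "192.168.1.21", "192.168.44.158"))
    print(deliver(mt, rut950_as_posted, "home", "192.168.34.5", "192.168.44.158"))
    print(deliver(mt, rut950_fixed, "home", "192.168.34.5", "192.168.44.158"))
```

Note that the src-natted packet passes cryptokey routing on the hAP (192.168.34.2/32 is in the camper peer's allowed-address), so the drop chbla saw came from the forward-chain address list, not from WireGuard.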
 
chbla
newbie
Topic Author
Posts: 35
Joined: Mon Dec 31, 2018 2:52 pm

Re: Connection issues with hAP AC2, any problems with my config?

Fri May 31, 2024 2:08 pm

Thank you for the hints!

You were right, I've removed source NAT, and it works with the initial rules!
I've also added persistent keepalive and corrected the allowed IPs.

It looks like now everything is working fine ;).

I will check it again in detail to really understand it.
Thank you very much for the support!
 
chbla
newbie
Topic Author
Posts: 35
Joined: Mon Dec 31, 2018 2:52 pm

Re: Connection issues with hAP AC2, any problems with my config?

Fri May 31, 2024 6:20 pm

@anav,

OK, one more question: as you noticed, I have two networks, 192.168.1.1/24 (my house) and 192.168.44.1/24 (a camper van), which I connect.
The reason is that the camper van is sending environmental data, battery percentage, etc. from 192.168.44.158 to 192.168.1.25 (a database).
So the camper is connecting via the internet/WireGuard (it has a SIM card) from outside to my house.

However, if I'm at home, it falls back to my home Wi-Fi (which is 'wlanbt') so that I don't use up the data volume of my camper SIM card.
In this case, however, it's inside 192.168.1.1/24 and cannot reach 192.168.1.25 again because of the route on the RUT950, which points to the WireGuard interface, which is not connected.

I wondered how I could achieve this in the simplest way possible.

1. Let them connect to this WireGuard peer from the inside of 192.168.1.1/24 as well?
2. Create a different Wi-Fi/VLAN for it? Probably doesn't make any sense.
3. Dynamically change the config on the RUT950 via script if it's connected to wlanbt (disable WireGuard, disable route) - prone to mistakes.

What would you suggest as the cleanest way?
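The allowed-IPs advice anav gives above ("Allowed IPs on that router should be 192.168.1.0/24, 192.168.34.0/24", and adding the peer's tunnel IP to REMOTE_MACHINES when traffic is source-NATted) and the home Wi-Fi fallback question in this post both come down to WireGuard's cryptokey routing. The Python model below is an added example, not code from the thread, MikroTik or Teltonika. The peer tables are constructed from the addresses mentioned in the thread; listing 192.168.34.2/32 on the home side as the SNAT case is my assumption about what "adding the peer IP" amounts to, and the peer names are placeholders.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed peer tables modelling the two routers in the thread (assumption:
# addresses as stated there; the /32 tunnel address on the home side is my guess
# at what "add the peer IP to REMOTE_MACHINES" means).
HOME_PEERS: Dict[str, List[str]] = {
    # hAP ac2 side: peer "camper" may source traffic from its tunnel IP or its LAN
    "camper": ["192.168.34.2/32", "192.168.44.0/24"],
}
CAMPER_PEERS: Dict[str, List[str]] = {
    # RUT950 side: peer "home" covers the home LAN and the tunnel subnet
    "home": ["192.168.1.0/24", "192.168.34.0/24"],
}


def _nets(cidrs: List[str]) -> List[ipaddress.IPv4Network]:
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def select_peer(peers: Dict[str, List[str]], dst: str) -> Optional[str]:
    """Outbound half of cryptokey routing: the destination is matched against every
    peer's allowed IPs and the longest prefix wins. None means the packet is not
    for the tunnel at all."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for name, cidrs in peers.items():
        for net in _nets(cidrs):
            if addr in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best


def accept_inbound(peers: Dict[str, List[str]], peer: str, src: str) -> bool:
    """Inbound half: a decrypted packet from `peer` is kept only if its inner source
    address lies inside that peer's allowed IPs; otherwise WireGuard drops it silently,
    which is what a source-NATted packet from 192.168.34.2 runs into when only
    192.168.44.0/24 is listed."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in _nets(peers.get(peer, [])))


def simulate(home_peers: Dict[str, List[str]], camper_peers: Dict[str, List[str]],
             src: str, dst: str, snat_to: Optional[str] = None) -> dict:
    """Trace one packet from a camper device (src) to a home device (dst) plus the
    reply path. snat_to models the camper router source-NATting tunnel traffic to
    its own tunnel address, the situation anav suspected."""
    # Camper side: does the destination get handed to the tunnel?
    if select_peer(camper_peers, dst) is None:
        return {"stage": "camper-route", "ok": False}
    wire_src = snat_to or src
    # Home side: cryptokey check on the decrypted packet's inner source
    if not accept_inbound(home_peers, "camper", wire_src):
        return {"stage": "home-inbound", "ok": False, "src_seen": wire_src}
    # Home side: does the reply route back into the same peer?
    if select_peer(home_peers, wire_src) != "camper":
        return {"stage": "home-reply", "ok": False, "src_seen": wire_src}
    return {"stage": "done", "ok": True, "src_seen": wire_src}


if __name__ == "__main__":
    print(simulate(HOME_PEERS, CAMPER_PEERS, "192.168.44.158", "192.168.1.25"))
    print(simulate(HOME_PEERS, CAMPER_PEERS, "192.168.44.158", "192.168.1.25",
                   snat_to="192.168.34.2"))
    # Only the camper LAN listed on the home side: the SNATted packet is dropped
    print(simulate({"camper": ["192.168.44.0/24"]}, CAMPER_PEERS,
                   "192.168.44.158", "192.168.1.25", snat_to="192.168.34.2"))
    # The home Wi-Fi dilemma: 192.168.1.25 always selects the tunnel on the camper
    print(select_peer(CAMPER_PEERS, "192.168.1.25"))
```

The last call is the fallback problem in a nutshell: as long as 192.168.1.0/24 sits in the camper router's allowed IPs, a packet for 192.168.1.25 is routed into the tunnel even when the camper is already on the home LAN, so it goes nowhere while the tunnel is down. Either the allowed IPs (and the matching route) change when the Wi-Fi WAN is active, or the tunnel has to come up over the LAN, which is what the later screenshots suggest happened.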
 
chbla
newbie
Topic Author
Posts: 35
Joined: Mon Dec 31, 2018 2:52 pm

Re: Connection issues with hAP AC2, any problems with my config?

Fri May 31, 2024 6:31 pm

Oh, looks like it's already connecting.
Shouldn't it then be able to access the other machines as well, since traffic will go through the tunnel in the same way?
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 20009
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Connection issues with hAP AC2, any problems with my config?

Fri May 31, 2024 11:24 pm

Yes, I can see the dilemma!!

What router brand and model do you have in the camper?
Is it dual wan capable, can you link to a user guide?

I'm starting to think that source NATting the camper van WireGuard outbound traffic may be a key to an approach.
So when WireGuard is up... the MT router gets traffic solely from the WireGuard address, and then returns it to the peer, and the camper van un-source-NATs that to the camper van device.

Then we do, if possible on your camper van router, a second WAN as a failover backup to the primary; thus the MT ROUTER WIFI LAN becomes a second WAN input on the camper device.
Pull the SIM card and the router looks to Wi-Fi for input and gets an IP on the MT LAN as its WAN IP.

Then we change the route on the MT router for the camper van device to its .44 address.
Something like that anyway.

Problem is the ROUTER DEVICE needs to be able to initiate traffic to the same device over two possible routes... CONFIRM PLEASE!!
Starting to sound scripty to me.
If the Wi-Fi user is active, use route A (to the WIFI LAN IP), otherwise use the WireGuard route.
 
chbla
newbie
Topic Author
Posts: 35
Joined: Mon Dec 31, 2018 2:52 pm

Re: Connection issues with hAP AC2, any problems with my config?

Sat Jun 01, 2024 10:29 am

This morning, I noticed that the Camper was actually able to send messages to my database.
So it somehow connected. And right now I can also reach its machines.

In the Mikrotik Peers Status it says the IP 192.168.1.15 is connected:
2024-06-01_09-13.png

In the Teltonika RUT950 status (camper router) it says it's connected to the external IP of my home network:
2024-06-01_09-24.png
So I'm not sure what is happening now.
Here are the routes on the camper (Teltonika interface) - maybe it changes the order dynamically:
2024-05-31_09-03.png
The router is a Teltonika RUT950: https://wiki.teltonika-networks.com/view/RUT950_Manual

Right now I'm thinking about getting another sim card for it though, so it wouldn't make a difference at all.
Maybe that's the easier way, I also wouldn't have to change it when driving somewhere...
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 20009
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Connection issues with hAP AC2, any problems with my config?

Sat Jun 01, 2024 2:37 pm

That router does ZeroTier natively, which may be another avenue of possibility.
It joins networks at level 2, so no firewall rules apply.
The question though remains what happens when you are local with Wi-Fi... it may integrate really well and be the right path, I just don't have any experience with ZeroTier.

In other words, it may be possible to put the subnet in a ZeroTier network without any impact on local operations... but I don't know.
 
chbla
newbie
Topic Author
Posts: 35
Joined: Mon Dec 31, 2018 2:52 pm

Re: Connection issues with hAP AC2, any problems with my config?

Sat Jun 01, 2024 6:38 pm

As it seems to work out of the box, I think I will just leave it as is... and hope it stays like that ;)
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 20009
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Connection issues with hAP AC2, any problems with my config?

Sat Jun 01, 2024 8:15 pm

 
User avatar
Larsa
Forum Guru
Forum Guru
Posts: 1222
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Connection issues with hAP AC2, any problems with my config?

Sat Jun 01, 2024 8:29 pm

ZeroTier defaults to Layer 3 (IP). Layer 2 needs to be configured explicitly.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 20009
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Connection issues with hAP AC2, any problems with my config?

Sat Jun 01, 2024 8:32 pm

You know more than I, but AMMO was fairly explicit on setting up the subnets to be part of ZeroTier.
 
User avatar
Larsa
Forum Guru
Forum Guru
Posts: 1222
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Connection issues with hAP AC2, any problems with my config?

Sat Jun 01, 2024 10:28 pm

Subnets = IP = L3, or did I miss something?
 
chbla
newbie
Topic Author
Posts: 35
Joined: Mon Dec 31, 2018 2:52 pm

Re: Connection issues with hAP AC2, any problems with my config?

Sat Jun 01, 2024 10:57 pm

I'm not familiar with ZeroTier, but it sounds interesting.
Not sure if there are any benefits though; I have to read into it.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 20009
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Connection issues with hAP AC2, any problems with my config?

Sun Jun 02, 2024 2:32 am

Subnets = IP = L3, or did I miss something?
Yes, Rip Van Larsa, you missed the last 60 years, where ZeroTier was released putting all assigned subnets into the same L2 space.
 
User avatar
Larsa
Forum Guru
Forum Guru
Posts: 1222
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Connection issues with hAP AC2, any problems with my config?

Sun Jun 02, 2024 12:48 pm

Okay, don Anav! :-D Anyhow, that's just the internal carrier (aka the ZeroTier virtual Ethernet switch), but I do understand it's somewhat confusing when reading the docs.
