BrianRS

Route ALL traffic for 1 LAN IP from site A (via Wireguard tunnel) to site B

Thu Jan 26, 2023 4:09 pm

Hello everyone,

I tried to follow viewtopic.php?p=980241 to get this working, but didn't succeed; @anav advised me to open a new thread.
Worth mentioning is the fact that the Wireguard tunnel is established between 2 MikroTik routers.
So attached you can find my config, but I'll also reiterate my /ip/route/print detail output:
Please bear in mind, some entries are disabled in my config (I used to use mangle rules to load-balance 2 WAN connections).
****@MikroTik] > /ip/route/print detail
Flags: D - dynamic; X - disabled, I - inactive, A - active; c - connect, s - static, r - rip, b - bgp, o - ospf, d - dhcp, v - vpn, m - modem, y - copy; H - hw-offloaded; 
+ - ecmp 
 0   s   ;;; Default ISP2
         dst-address=0.0.0.0/0 routing-table=main pref-src="" gateway=8.8.8.8 immediate-gw=10.144.18.137%eth2 - WAN2 - LTE check-gateway=ping distance=2 scope=30 
         target-scope=11 suppress-hw-offload=no 

 1  As   ;;; Default ISP1
         dst-address=0.0.0.0/0 routing-table=main pref-src="" gateway=1.1.1.1 immediate-gw=51.148.77.137%PPPoE - ZEN check-gateway=ping distance=1 scope=30 target-scope=11 
         suppress-hw-offload=no 

 2  As   ;;; Monitor ISP1
         dst-address=1.1.1.1/32 routing-table=main pref-src="" gateway=51.148.77.137 immediate-gw=51.148.77.137%PPPoE - ZEN distance=1 scope=10 target-scope=10 
         suppress-hw-offload=no 

 3  As   ;;; Monitor ISP2
         dst-address=8.8.8.8/32 routing-table=main pref-src="" gateway=10.144.18.137 immediate-gw=10.144.18.137%eth2 - WAN2 - LTE distance=1 scope=10 target-scope=10 
         suppress-hw-offload=no 

   DAc   dst-address=10.144.18.128/28 routing-table=main gateway=eth2 - WAN2 - LTE immediate-gw=eth2 - WAN2 - LTE distance=0 scope=10 suppress-hw-offload=no 
         local-address=10.144.18.136%eth2 - WAN2 - LTE 

   DAc   dst-address=51.148.77.137/32 routing-table=main gateway=PPPoE - ZEN immediate-gw=PPPoE - ZEN distance=0 scope=10 suppress-hw-offload=no 
         local-address=x.x.x.x%PPPoE - ZEN 

   DAc   dst-address=172.16.10.0/23 routing-table=main gateway=BRIDGE immediate-gw=BRIDGE distance=0 scope=10 suppress-hw-offload=no local-address=172.16.11.1%BRIDGE 

 4  As   dst-address=192.168.11.0/24 routing-table=main pref-src="" gateway=WG-MikroTik-GB immediate-gw=WG-MikroTik-GB distance=1 scope=30 target-scope=10 
         suppress-hw-offload=no 

   DAc   dst-address=192.168.88.0/24 routing-table=main gateway=WG-MikroTik-GB immediate-gw=WG-MikroTik-GB distance=0 scope=10 suppress-hw-offload=no 
         local-address=192.168.88.2%WG-MikroTik-GB 

   DAc   dst-address=192.168.188.0/30 routing-table=main gateway=MGMT-VLAN immediate-gw=MGMT-VLAN distance=0 scope=10 suppress-hw-offload=no 
         local-address=192.168.188.2%MGMT-VLAN 

 5   s   ;;; Failover ISP2
         dst-address=0.0.0.0/0 routing-table=to_ISP1 pref-src="" gateway=8.8.8.8 immediate-gw=10.144.18.137%eth2 - WAN2 - LTE check-gateway=ping distance=2 scope=30 
         target-scope=11 suppress-hw-offload=no 

 6  As   ;;; Routing ISP1
         dst-address=0.0.0.0/0 routing-table=to_ISP1 pref-src="" gateway=1.1.1.1 immediate-gw=51.148.77.137%PPPoE - ZEN check-gateway=ping distance=1 scope=30 
         target-scope=11 suppress-hw-offload=no 

 7   s   ;;; Failover ISP1
         dst-address=0.0.0.0/0 routing-table=to_ISP2 pref-src="" gateway=1.1.1.1 immediate-gw=51.148.77.137%PPPoE - ZEN check-gateway=ping distance=2 scope=30 
         target-scope=11 suppress-hw-offload=no
 
anav

Re: Route ALL traffic for 1 LAN IP from site A (via Wireguard tunnel) to site B

Thu Jan 26, 2023 5:42 pm

Hi Brian,
Couple of things.

1. Context, a network diagram is helpful but more so a bit on requirements....

You have two MT routers involved.
Do they both have reachable public IPs?
Is one specifically used as a server for initial connection and the other a slave?
Should they both be capable of initiating a connection?
Does one have a bunch of road warriors attached besides the R1 to R1 connection, and if so to which router.
Finally......
Identify users/devices or groups of users/devices needing the WG tunnel.
From where to where?
Include the admin as you may want to traverse the tunnel from R1 to R2, to be able to config R2 or if local at R2 to configure R1, or remotely from a laptop, or an iphone when away from R1 or R1 and configure both......... In other words, you should describe the user requirements..........

You should get a spidey sense tinkling that you forgot something...................
Yup, you need to post both configs LOL.
++++++++++++++++++++++++++++++++++++++

With the additional information one can understand context and one can fix all the errors I see so far. :-)
 
anav

Re: Route ALL traffic for 1 LAN IP from site A (via Wireguard tunnel) to site B

Thu Jan 26, 2023 5:51 pm

In addition, the firewall rules on this router shown are woefully lacking and need help!!
Is it internet facing (public IP from the provider's modem) or private facing and thus connected to the LAN of the ISP modem router??
 
BrianRS

Re: Route ALL traffic for 1 LAN IP from site A (via Wireguard tunnel) to site B

Sat Jan 28, 2023 10:18 am

Hey anav,

Thanks for your prompt response.
See attached a basic diagram to which I will add some context below:

- assume that the config I provided belongs to MikroTik R1
- both MT routers have reachable public IPs
- also my desire is to have R1 as "server" and R2 as "slave"
- for now it will suffice to have only R1 initiate connections
- I'm not fully onboard with the "road warrior" concept but you might have noticed the oVPN setup on the config, which serves me the purpose of accessing my LAN over the internet (at some point I might migrate this to WG for performance reasons)
- at the moment, the (Wireguard) requirement is that PC3 has to have the ability to switch between ISP A and ISP B on demand, let's say by manually enabling/disabling a routing rule on R1
- I'm not sure what you are trying to achieve with "admin" traversing the tunnel from R1 to R2 and vice-versa, because as it stands I am able to access both routers via the WG tunnel (or the oVPN tunnel) using the one and only user defined on the router, which is not "admin"
- no, I'm not getting any "tinkling" that I forgot anything, as I don't see the point (at least at this stage) for providing the config for R2, device works as it should and allows traffic via the WG tunnel.
- I'm all for additional information to aid with the fix, but I'm also a huge supporter of useful information that brings value over data dumps.

In addition, the firewall rules on this router shown are woefully lacking and need help!!
Is it internet facing (public IP from the provider's modem) or private facing and thus connected to the LAN of the ISP modem router??

Yes, I admit the FW needs hardening, it's something I kept postponing.
Indeed both routers are internet facing, no ISP router involved (not a fan of double NAT)

I hope this paints a clearer picture now, and brings more valuable information to the table.
Thank you in advance for considering to help with this.

Many thanks,
B
 
anav

Re: Route ALL traffic for 1 LAN IP from site A (via Wireguard tunnel) to site B

Sat Jan 28, 2023 4:06 pm

Okay but as stated I need to see the config of both routers not just one.
Also the user requirements are poorly defined partially due to mixing up config and requirements.
A user's needs should be expressed without noting any part of a config:
a. by changing or removing a route on R1 - has no merit in user requirements
b. option to select ISP A or ISP B, is too vague.......
better and clearer for example is
- user PC3 requires access to remote LAN on R2.
- user PC3 requires access to remote R2 WAN (when, or under what circumstances)
- user PC3 requires access to local R1 WAN (when, or under what circumstances).

In other words, I could not discern from "needs to switch from ISP A to ISP B" a clear direction of what the requirement may be........
Is it internet? Is it LAN access? Also not clear on when/why the switch is needed........

For example, it is easy to send a user or subnet to internet at a remote router but not so easy to make it optional.
Suggesting that using wifi connection (different subnet on R1) is a quick/neat way of letting users decide how to reach R2.
Wired is local, wifi is via wireguard.
OR, you can use a different wired subnet exclusively for wireguard and thus a person simply changes their ethernet cable to a different port on a managed switch (same concept as wifi but wired change).
Both are better options in general than having to change the config of the router to achieve traffic based on the users whimsy at any given moment, just not practical.
 
BrianRS

Re: Route ALL traffic for 1 LAN IP from site A (via Wireguard tunnel) to site B

Tue Jan 31, 2023 12:38 am

Hey anav, thanks again for being willing to help with this, and sorry for the late replies.

Attached is the so desired config from R2 (I'm yet to understand how this helps you have a better understanding about my challenge)
And yes, that FW also needs TLC.

I'm getting confused when you keep referencing "users" in your replies. You seem to call the LAN clients bound to the router (or maybe even peers in WG or oVPN) users. There is no other actual user accessing or managing R1 & R2 but me. There are of course more LAN clients/devices that are bound to each router, but for diagram simplicity and focus on my challenge with Wireguard, they have been disregarded. I must say I'm a little bit surprised that my choice of words, ISP A or B instead of the industry standard WAN terminology, has given a person of your calibre a challenge in understanding my point. In other words, you tell me off for using ISP A or B instead of R1 or R2 WAN, but then you call LAN clients/devices users, baffling!

My suspicion is that you want to understand my real life requirements as to why (user) PC3 has to have the ability to go out into the internet on demand, either via R1 WAN or R2 WAN (aka ISP A or ISP B). One simple answer to that, will be the ability to access (on demand) geo-restricted content assuming that R2 is located in a different country.

I believe you when you say it's easy to route one IP or even a subnet via a different WAN through a LAN2LAN tunnel, but when you say "not easy to make it optional" I'm wondering, surely the rule/setting that enables this action can be manually enabled or disabled on the R1 router, right?

I can't really get my head around your WiFi vs Wired analogy for this scenario.
Let me enforce some conditions for the R1 LAN client that needs to traverse the WG tunnel and go out via R2 WAN on demand
- this client (or user if you like) is part of the R1 LAN subnet and cannot change (it could be either wired or wireless, but never conditioned)
- this client will go out to internet via R1 WAN by default and will only be (forced) routed through the tunnel to R2 WAN on my request
- I do not mind having to manually change config on the R1 router for this re-route to happen

Many thanks,
Brian
 
anav

Re: Route ALL traffic for 1 LAN IP from site A (via Wireguard tunnel) to site B

Tue Jan 31, 2023 12:45 am

There is no such router functionality UPON MY REQUEST, does not compute unless you are going to be creating scripts for certain conditions???
There should be no need to enter the config to make changes on the fly........... seems like a bizarre approach but.........
Hope to have another look.

The admin is just but one user LOL. People can be users, devices can be users...........
The requirements for any config stem from user requirements
 
BrianRS

Re: Route ALL traffic for 1 LAN IP from site A (via Wireguard tunnel) to site B

Tue Jan 31, 2023 1:19 am

@anav once again, thank you for following up, and let me give you a little example off-topic about on demand:

- if I want one user/device to not be able to access the internet, or even a certain port over the internet (for example port 80 or 443) as of this moment, I will just winbox into the router and enable a pre-configured FW rule, and the user/client will cease to enjoy browsing the internet, right?

I need the similar approach to address my challenge. The router doesn't have to have this "on demand" functionality, this was a figure of speech to overemphasise the need for this to be enabled/disabled by manual intervention, the router doesn't need to compute anything of this kind, the trigger will be the human interaction.

Many thanks,
Brian
 
anav

Re: Route ALL traffic for 1 LAN IP from site A (via Wireguard tunnel) to site B

Tue Jan 31, 2023 3:56 pm

Got it, seems like you're putting yourself in a position to play whack-a-mole LOL.
It seems you have 'bad' users.
 
anav

Re: Route ALL traffic for 1 LAN IP from site A (via Wireguard tunnel) to site B

Wed Feb 01, 2023 12:58 am

Just to be clear,
You want to route all traffic for one USER/DEVICE on R1, to go to R2 via wireguard ( aka to its LAN and to its WAN )
Since you use site A and B, but then R1 and R2.......... I can easily get confused LOL ( A=R1, and B=R2 )

What is the single IP??

Confirm. NO traffic originating from R2 going to R1??
Confirm. Only one IP going from R1 to R2
Confirm. You do not wish to be able to config R2 from R1 or vice versa if the admin is located at either site.

Confirm you want to be able to as easily as possible to modify the config so that
current IP from R1 to R2 is changed so that its now a normal subnet IP not going through WG?
New IP from R1 to R2 is allowed through WG?

or something else??
 
BrianRS

Re: Route ALL traffic for 1 LAN IP from site A (via Wireguard tunnel) to site B

Sun Feb 05, 2023 1:16 am

Hey anav,

I can't stress enough, thanks for helping out.

You want to route all traffic for one USER/DEVICE on R1, to go to R2 via wireguard ( aka to its LAN and to its WAN )
yes, as if that user/device would be part of R2 LAN and its default gateway is R2 WAN interface

Since you use site A and B, but then R1 and R2.......... I can easily get confused LOL ( A=R1, and B=R2 )
I was under the impression that the diagram I provided in the beginnings elucidated this mystery

What is the single IP??
does it matter? I thought that I'm getting advice on what I'm missing/doing wrong, at best some hints on how to fix it, not the actual config on a plate, but let's use 172.16.11.110 for example.

Confirm. NO traffic originating from R2 going to R1??
well, it is flowing nicely at the moment, as I said currently it's "a 2 way street" between R2 and R1 via the WG tunnel, and I would like to keep it like that for the moment.

Confirm. Only one IP going from R1 to R2
yes, meaning one IP using R2 WAN interface as a gateway for internet, as and when I enable/disable this from the config on R1, but this doesn't mean "else drop all"

Confirm. You do not wish to be able to config R2 from R1 or vice versa if the admin is located at either site.
again, as I stated above, traffic is currently flowing both ways between R1 and R2 as long as there is an active WG handshake, so I can access R1 from R2 and vice-versa over the VPN tunnel.

Confirm you want to be able to as easily as possible to modify the config so that
confirm (I don't understand why this is such a big fuss / no-no matter)

current IP from R1 to R2 is changed so that its now a normal subnet IP not going through WG?
what do you mean? I'm not sure I'm getting your point here...

New IP from R1 to R2 is allowed through WG?
I assume we're talking again about the same IP required to travel the tunnel to R2, or...?

or something else??
So to sum it up again, one IP/user/device from R1 LAN (172.16.11.110) needs to have the ability ("on demand") to go through the Wireguard tunnel and use R2 WAN interface as a default GW to internet, but all other IPs/users/devices connected to these 2 routers are using their local router WAN interface as a default gateway to internet.


Many thanks,
B
 
BrianRS

Re: Route ALL traffic for 1 LAN IP from site A (via Wireguard tunnel) to site B

Tue Feb 07, 2023 8:57 pm

#bump

Anyone else, any piece of advice??

Many thanks,
B
 
anav

Re: Route ALL traffic for 1 LAN IP from site A (via Wireguard tunnel) to site B

Tue Feb 07, 2023 9:09 pm

You can set it up that a specific user only uses the WAN at the other router via WG.

The issue is on demand. It's a yes or no proposition.
One option is to allow the user to fall back to normal local WAN if wireguard tunnel is down.

As I stated there is no option for a user to decide which WAN they want to go through on their PC.
That is why I suggested setup wireguard on an exclusive wifi connection that only that user has the SSID password for.
If they want wireguard internet go through WIFI.

Alternatively the user can be provided with a managed switch at their desk; they can change physical ports to determine which WAN they are using, local or wireguard.

+++++++++++++++++++++++++++

Finally, if you want to do so from your desk as admin. So many ways.
Set up the tunnel to his IP, and disable it and the router will route that person to the local WAN. Enable for traffic times and disable it other times.

Disable the IP route required for the access and the user will not have a route to the tunnel.......

So you have to be clear as well, if the user is not to have wireguard internet access, should the user then get NO internet or local internet access.
 
BrianRS

Re: Route ALL traffic for 1 LAN IP from site A (via Wireguard tunnel) to site B

Wed Feb 22, 2023 6:45 pm

Hello again and sorry for the delay in response, I've been away....

You can set it up that a specific user only uses the WAN at the other router via WG.
Can I please have an example of how would I achieve this?

The issue is on demand. It's a yes or no proposition.
One option is to allow the user to fall back to normal local WAN if wireguard tunnel is down.
aka - tunnel up >> user using remote router WAN, - tunnel down - user uses local router WAN; then Yes, let's do that,

As I stated there is no option for a user to decide which WAN they want to go through on their PC.
I never requested this. The need was that this would be controlled via Winbox management interface.

That is why I suggested setup wireguard on an exclusive wifi connection that only that user has the SSID password for.
If they want wireguard internet go through WIFI.
The client in question connects via wired interface, so this is out of perspective.

Alternatively the user can be provided with a managed switch at their desk; they can change physical ports to determine which WAN they are using, local or wireguard.
Again, there should be no change/interaction from the user's end, all needs to be triggered/enabled from Winbox by authorised "user"

+++++++++++++++++++++++++++
Finally, if you want to do so from your desk as admin. So many ways.
Set up the tunnel to his IP, and disable it and the router will route that person to the local WAN. Enable for traffic times and disable it other times.
Yes please, this is what I need, can you please give me an example of the config required to achieve this?

Disable the IP route required for the access and the user will not have a route to the tunnel.......
That could work too, I can try this or the above, and chose whichever is convenient...

So you have to be clear as well, if the user is not to have wireguard internet access, should the user then get NO internet or local internet access.
User should definitely have Internet access via both router WANs (or via tunnel or with tunnel down)


Many thanks,
Brian
 
anav

Re: Route ALL traffic for 1 LAN IP from site A (via Wireguard tunnel) to site B

Wed Feb 22, 2023 7:05 pm

Good methinks we are narrowing down the use case LOL.................

You can set it up that a specific user only uses the WAN at the other router via WG.
Can I please have an example of how would I achieve this?


(1) Instead of forcing a subnet out WG, we can do the same for an individual IP address, eazy peazy.

+++++++++++++++++++++++++++

The issue is on demand. It's a yes or no proposition.
One option is to allow the user to fall back to normal local WAN if wireguard tunnel is down.
aka - tunnel up >> user using remote router WAN, - tunnel down - user uses local router WAN; then Yes, let's do that,


(2) This is the natural way a routing rule can work for you. You force the user in (1) out the wireguard tunnel with the following rule.
/routing rule add src-address=IPofUSER action=lookup table=useWG

action=lookup means that if the table useWG becomes unavailable, the router will then look at the main table for another route! DONE!!!!
action=lookup-only-in-table means that if WG is down, the router will NOT look elsewhere for an alternate route.

Therefore, the use of a table, an additional IP route, and a routing rule, I think it achieves your aim.

++++++++++++++++++++++++++++++++++++++++++

Finally, if you want to do so from your desk as admin. So many ways.
Set up the tunnel to his IP, and disable it and the router will route that person to the local WAN. Enable for traffic times and disable it other times.
Yes please, this is what I need, can you please give me an example of the config required to achieve this?

Disable the IP route required for the access and the user will not have a route to the tunnel.......
That could work too, I can try this or the above, and chose whichever is convenient...



(3) Now the use case has an additional element. It appeared we had solved your requirements by providing a way the user was always connected via the WG tunnel and if it was not available was shunted back to the local WAN for internet. All done automagically, hands off by both user and admin!!

However, it appears you want to also be able to turn off the user access to the WG tunnel whenever you want to............ OVERLORD type control.
This requires you to access the config of the router and the easiest thing to do is disable the additional route.

/routing rule
add action=lookup disabled=yes src-address=IPofUSER table=useWG


In this way the tunnel remains available, just not for the individual, as he doesn't get forced out the WG tunnel for internet queries.
 
BrianRS

Re: Route ALL traffic for 1 LAN IP from site A (via Wireguard tunnel) to site B

Thu Mar 16, 2023 7:28 pm

hey @anav

sorry for the very late reply, I've been away and not had time to tinker with this...
plus... now I have a second ISP/WAN for R1 (so recursive routing and load balancing with mangle rules) which might be the cause why "/routing rule src-address=172.16.11.32 action=lookup-only-in-table=WG" does not work

I suppose you might want to see the whole config, right?
 
anav

Re: Route ALL traffic for 1 LAN IP from site A (via Wireguard tunnel) to site B

Thu Mar 16, 2023 11:07 pm

Normally it's a good idea to solve issues before piling on new stuff LOL.
 
BrianRS

Re: Route ALL traffic for 1 LAN IP from site A (via Wireguard tunnel) to site B

Tue Mar 21, 2023 2:31 pm

Yes @anav,

In principle that's how I like to approach problems too, however my ISP's upload bandwidth is so minimal that I took the opportunity as it arose to make use of this LHGG LTE6 kit to have some room to wiggle.

So now, would you like me to update the R1 uploaded config and the diagram, maybe we can move fwd with this?

Many thanks,
B
 
anav

Re: Route ALL traffic for 1 LAN IP from site A (via Wireguard tunnel) to site B

Tue Mar 21, 2023 2:42 pm

That would be a start!
 
BrianRS

Re: Route ALL traffic for 1 LAN IP from site A (via Wireguard tunnel) to site B

Fri Mar 24, 2023 1:13 pm

Hey @anav,

I have actually found out I can achieve this using one simple mangle rule:

add action=mark-routing chain=prerouting dst-address-list=!LAN new-routing-mark=WG passthrough=no src-address-list=FireTV

I'm not sure though if I'm exploiting full performance, as hi-res streams seem to buffer regularly; is it a technical limitation due to tunnelling, or is there a better way to achieve this?
To put it in perspective, bandwidth limitation is out of the question at R2 end (WAN), and also there is no buffering if the same source is accessed from outside the tunnel, directly through R1's WAN interface, despite R1 having a 25/5 Mbps bandwidth cap on DSL WAN which is what WG seems to use consistently (not sure if it's coincidence or actual configuration).

So it works but at the moment I'm not sure if it's limitation or misconfiguration regarding performance! You might now understand the reason I wanted this, given the source-list name :-D

However, I must admit that I'm well impressed how nice the recursive routing works in conjunction with load-balancing via PCC, more so with the help from @Amm0 I got the scripts working for dynamically updating the routing table with the gateways in use for both WANs, as and when they change.

I've already updated (post edit) the R1 config file and I'll update the diagram to reflect the status quo!

P.S. FW has also had some TLC. 8)

Thanks again for all the help!
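The thread only attaches the real configs, so here is an added, self-contained RouterOS v7 example (written for this page, not BrianRS's or anav's own config) that puts the two approaches discussed above side by side: anav's routing table plus routing rule with fallback, and the mangle routing mark from the post above, together with the R2-side peer, NAT and filter entries the traffic also needs. Names taken from the thread: WG-MikroTik-GB, 172.16.10.0/23, 172.16.11.110, 192.168.11.0/24, 192.168.88.2 and the LAN/FireTV address lists; assumed (not on the page): R2's tunnel address 192.168.88.1, R2's WireGuard interface name wg-R1 and R2's WAN interface name ether1-WAN.

```routeros
# ---------------- R1 ----------------
# 1. Separate routing table with its own FIB, holding only a default route via the tunnel.
#    gateway= is R2's tunnel IP (assumed 192.168.88.1) rather than the interface, so that
#    check-gateway=ping can mark the route inactive when the tunnel is down; a route whose
#    gateway is just the WireGuard interface stays active even with no handshake.
/routing table add name=useWG fib
/ip route add dst-address=0.0.0.0/0 gateway=192.168.88.1 check-gateway=ping \
    routing-table=useWG comment="PC3 internet via R2 WAN"

# 2a. anav's approach: routing rule for the single host. action=lookup falls back to the
#     main table (local WAN) when useWG has no active route; action=lookup-only-in-table
#     would leave the host with no internet while the tunnel is down.
#     Disabling this one rule is the "on demand" switch back to the local WAN.
/routing rule add src-address=172.16.11.110/32 action=lookup table=useWG comment="PC3 via WG"

# 2b. BrianRS's alternative: mangle routing mark (use 2a OR 2b, not both).
#     dst-address-list=!LAN keeps site-to-site and tunnel-subnet traffic in the main table;
#     only the host's internet-bound packets get the mark (mark name = table name).
/ip firewall address-list add list=LAN address=172.16.10.0/23 comment="R1 LAN"
/ip firewall address-list add list=LAN address=192.168.11.0/24 comment="R2 LAN"
/ip firewall address-list add list=LAN address=192.168.88.0/24 comment="WG tunnel subnet"
/ip firewall address-list add list=FireTV address=172.16.11.110
/ip firewall mangle add chain=prerouting src-address-list=FireTV dst-address-list=!LAN \
    action=mark-routing new-routing-mark=useWG passthrough=no

# 3. R1's peer entry for R2 must accept ANY destination coming back through the tunnel;
#    allowed-address is WireGuard's per-key ACL, so replies from internet hosts are dropped
#    otherwise. RouterOS does not add routes from allowed-address, so this is safe here.
#    Assumes R2 is the only peer on WG-MikroTik-GB.
/interface wireguard peers set [find interface=WG-MikroTik-GB] allowed-address=0.0.0.0/0

# Keep R1's srcnat/masquerade on the WAN interfaces only (do not masquerade onto
# WG-MikroTik-GB), so R2 sees 172.16.11.110 as the source and can NAT it itself.

# ---------------- R2 ----------------
# R2 must accept R1's LAN as a valid source inside the tunnel, route replies back through
# it, NAT the host out its own WAN, and permit the forward path in the filter.
/interface wireguard peers set [find interface=wg-R1] \
    allowed-address=192.168.88.2/32,172.16.10.0/23
/ip route add dst-address=172.16.10.0/23 gateway=192.168.88.2 comment="R1 LAN via WG"
/ip firewall nat add chain=srcnat src-address=172.16.11.110 out-interface=ether1-WAN \
    action=masquerade comment="PC3 from R1 out R2 WAN"
# Place this above any forward drop rule on R2.
/ip firewall filter add chain=forward in-interface=wg-R1 out-interface=ether1-WAN \
    src-address=172.16.11.110 action=accept comment="PC3 from R1 to internet"
```

Check from the host itself: with the rule or mark enabled, a "what is my IP" lookup should return R2's WAN address, and should fall back to R1's WAN address within a few check-gateway intervals after the tunnel is disabled.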
 
anav

Re: Route ALL traffic for 1 LAN IP from site A (via Wireguard tunnel) to site B

Fri Mar 24, 2023 2:34 pm

Awesome, it would be nice to have a summary post where you state here is what I wanted to accomplish and here is the final config.......
 
keskol

Re: Route ALL traffic for 1 LAN IP from site A (via Wireguard tunnel) to site B

Sat Oct 14, 2023 1:05 pm

Hi @BrianRS, do you mind sharing your working config, as I am trying to achieve something similar?
Thanks!
