Fraxx
just joined
Topic Author
Posts: 7
Joined: Fri Mar 17, 2023 8:49 am

Wireguard on mikrotik AND on PC attached to it

Fri Mar 17, 2023 9:17 am

We would like to set up the following:

Image: https://ibb.co/1Qzm9YX



So our aim is to have the Mikrotik join our existing wireguard network, and also to have the PC attached to the Mikrotik join the same wireguard, without the need to install a wireguard client on the PC. The reason is that the "PC" will actually be a stupid device where we cannot install wireguard (imagine the "PC" is a webcam connected to the Mikrotik by DHCP, or with a fixed IP). Note that we are aware we can have the "PC" attached to the mikrotik able to access the wireguard by using a dedicated subnet (mikrotik on 192.168.88.1, and the PC on 192.168.88.2, with the PC routing all traffic on the wireguard), but since we do need to access *all* ports and protocols of the "PC" we would prefer to have it assigned the wireguard IP 10.77.1.152 (so as to avoid having to set up a kind of "DMZ" to route all incoming traffic to the "PC" on 192.168.88.2).

The question is: is this possible?

We are able, of course, to have the mikrotik join the wireguard: e.g. from the "Laptop" (and all other peers connected to the Wireguard) we are able to successfully reach the Mikrotik at http://10.77.1.151

The peer configuration in the Wireguard server 10.77.1.1 is set to allow the Mikrotik peers to have both 10.77.1.151 and 10.77.1.152, so we are able, for example, to assign the IP 10.77.1.152 to a wireguard ethernet, so as to be able to also reach the IP 10.77.1.152 from the "Laptop" (and all other peers connected to the Wireguard).

Thanks in advance for your help!



Here is another copy of the above image in case the above gets removed:
https://ibb.co/1Qzm9YX
Last edited by Fraxx on Fri Mar 17, 2023 6:39 pm, edited 2 times in total.
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard on mikrotik AND on PC attached to it

Fri Mar 17, 2023 4:13 pm

sorry no images are being shown, and do you have a config on the MT to show?
 
Fraxx
just joined
Topic Author
Posts: 7
Joined: Fri Mar 17, 2023 8:49 am

Re: Wireguard on mikrotik AND on PC attached to it

Fri Mar 17, 2023 6:39 pm

> sorry no images are being shown, and do you have a config on the MT to show?

yes, sorry,
I've fixed it now
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard on mikrotik AND on PC attached to it

Fri Mar 17, 2023 11:10 pm

Why do you have the private LANs identical behind both routers? That can get confusing fast and is not a good idea generally.
 
Fraxx
just joined
Topic Author
Posts: 7
Joined: Fri Mar 17, 2023 8:49 am

Re: Wireguard on mikrotik AND on PC attached to it

Mon Mar 20, 2023 10:26 am

> Why do you have the private LANs identical behind both routers that can get confusing fast and not a good idea generally.

that's the whole point:

Now we do have a LAN: the PC has an IP 192.88.1.254 and the Mikrotik 192.88.1.1; the PC is using the Wireguard peer on the Mikrotik (10.77.1.151), in a NAT-like way, to reach the Laptop (10.77.1.10) and all other peers in the wireguard on 10.77.1.0/24, and we've set the Mikrotik to forward all incoming traffic to the PC (in the so-called 'dmz'), and it works of course, but we would like the cited different setup.

Why? Because what is called "PC" here will be a "special" hardware that we prefer to have the same IP as a wireguard peer, or... to make this option more reasonable/attractive, imagine we have more than one "PC": so, on the right side of the image schema, we would like to have, for example:

* PC1 with IP 10.77.1.152
* PC2 with IP 10.77.1.153
* PC2 with IP 10.77.1.154


With the actual setup, the "dmz", we forward all incoming traffic to only one PC, while we want to reach (from the Desktop) all of PC1, PC2, PC3.
 
Fraxx
just joined
Topic Author
Posts: 7
Joined: Fri Mar 17, 2023 8:49 am

Re: Wireguard on mikrotik AND on PC attached to it

Mon Mar 20, 2023 10:30 am

btw, I see we are able to assign the IP 10.77.1.152 to a specific ethernet in the Mikrotik (since the wireguard 'server' is setup to allow not just 10.77.1.151 to the wireguard client/peer, but also 10.77.1.152, 10.77.1.153, 10.77.1.154) if that can help somehow
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard on mikrotik AND on PC attached to it

Mon Mar 20, 2023 2:09 pm

Sorry no capiche.
Do not use wireguard as a LAN subnet on routers.
Clearly for single devices, the wireguard address is its address.

For users on routers, they don't have a wireguard address and the subnet of wireguard on the router is to be able to ping devices, and create routes etc...
So again it's not clear what you are attempting to do.
 
Fraxx
just joined
Topic Author
Posts: 7
Joined: Fri Mar 17, 2023 8:49 am

Re: Wireguard on mikrotik AND on PC attached to it

Wed Mar 22, 2023 10:46 am

Hi, thanks for your feedback

> For users on routers, they don't have a wireguard address and the subnet of wireguard on the router is to be able to ping devices, and create routes etc...

I am not able to understand this line, sorry :(
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard on mikrotik AND on PC attached to it

Wed Mar 22, 2023 1:07 pm

If you want to span the same subnet over wireguard be clear about it. One does not span data transfer using wireguard addresses.
Your best bet is using zerotier first.
 
Fraxx
just joined
Topic Author
Posts: 7
Joined: Fri Mar 17, 2023 8:49 am

Re: Wireguard on mikrotik AND on PC attached to it

Thu Mar 23, 2023 12:12 pm

> If you want to span the same subnet over wireguard be clear about it. One does not span data transfer using wireguard addresses.
> Your best bet is using zerotier first.

sorry, bro, but I see from all your answers you either don't get the whole point or have not much to add
Last edited by Fraxx on Thu Mar 23, 2023 7:03 pm, edited 1 time in total.
 
Fraxx
just joined
Topic Author
Posts: 7
Joined: Fri Mar 17, 2023 8:49 am

Re: Wireguard on mikrotik AND on PC attached to it

Thu Mar 23, 2023 12:15 pm

here you see what we have in mind is not so absurd https://www.softether.org/4-docs/2-howt ... Bridge_VPN

 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard on mikrotik AND on PC attached to it

Thu Mar 23, 2023 12:34 pm

Like I said, WG is a peer to peer construct, so no issue connecting the three cities to NY router to router.
Like I said, no issues connecting disparate subnets such as 10.0.1 and 10.0.2 from satellite office to 10.0.1 at MAIN branch.

But you cannot connect subnets 10.0.0 from satellite to 10.0.0 MAIN for multiple reasons.
a. If a user puts in a destination of 10.0.0.X intending to go to MAIN the router will not L3 route it because it's local traffic at L2
b. Allowed IPs will not work because the IP address is local.
c. All sorts of problems at the receive end: what to do with what look like local packets coming out of the tunnel and how to route what look like local packets back into the tunnel
JUST a HOT mess.

The other two satellite offices are fine, for Tokyo you are in effect trying to join the same subnet (span) vice different subnets visiting each other.
Suggest changing the VLAN subnet at Satellite Tokyo to 10.0.3.0/24 and it will be good to go.

In any case as you suggested, I don't seem to have much to add here, so hopefully someone else will chime in. Nice diagram by the way!
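
The routing decisions behind points a and c in the post above, as an added example that is not part of the original thread: a simplified Python model of the end host's on-link test and a site router's route lookup, run once with 10.0.0.0/24 on both sides and once with the satellite renumbered to 10.0.3.0/24. The interface names `bridge` and `wireguard1`, the host addresses and the distance values are assumptions chosen for illustration.

```python
import ipaddress

def host_next_hop(iface_cidr, dst, gateway):
    """End-host decision: same-subnet destinations are resolved with ARP (L2),
    everything else is handed to the gateway (L3)."""
    iface = ipaddress.ip_interface(iface_cidr)
    if ipaddress.ip_address(dst) in iface.network:
        return "on-link"
    return "via " + gateway

def route_lookup(routes, dst):
    """Longest-prefix match; ties are broken by the lowest distance."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(prefix), dist, out)
            for prefix, out, dist in routes
            if addr in ipaddress.ip_network(prefix)]
    if not hits:
        return None
    return min(hits, key=lambda h: (-h[0].prefixlen, h[1]))[2]

def router_egress(local_lan, remote_lan, dst):
    """Egress interface a site router picks for dst (simplified model)."""
    routes = [(local_lan, "bridge", 0),        # connected LAN (assumed name)
              (remote_lan, "wireguard1", 1)]   # static route into the tunnel
    return route_lookup(routes, dst)

def satellite_path(host_cidr, sat_lan, main_lan, dst):
    """(host decision, satellite router egress) for a packet aimed at MAIN."""
    gateway = str(next(iter(ipaddress.ip_network(sat_lan).hosts())))
    return (host_next_hop(host_cidr, dst, gateway),
            router_egress(sat_lan, main_lan, dst))

# Constructed addresses: MAIN server 10.0.0.20, satellite host .50
OVERLAP = satellite_path("10.0.0.50/24", "10.0.0.0/24", "10.0.0.0/24", "10.0.0.20")
RENUMBERED = satellite_path("10.0.3.50/24", "10.0.3.0/24", "10.0.0.0/24", "10.0.0.20")
# Reply leg on the MAIN router, back toward the satellite host
REPLY_OVERLAP = router_egress("10.0.0.0/24", "10.0.0.0/24", "10.0.0.50")
REPLY_RENUMBERED = router_egress("10.0.0.0/24", "10.0.3.0/24", "10.0.3.50")

if __name__ == "__main__":
    print("overlap:   ", OVERLAP, "reply via", REPLY_OVERLAP)
    print("renumbered:", RENUMBERED, "reply via", REPLY_RENUMBERED)
```

With identical subnets the packet stays on the local segment in both directions and never enters the tunnel; with distinct subnets both legs resolve to the WireGuard interface.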
