Tue Apr 18, 2023 4:09 pm
Simple method to get you up and running.
Select the Site that you control directly or best internet connection!!
Yup if only one site had an accessible WANIP, it would still work.
All three units would WireGuard into the one router and all would be able to reach the others. One WireGuard interface.
Main Router
/ip address
add address=192.168.50.1/24 interface=wireguard-main network=192.168.50.0
/interface wireguard peers
add interface=wireguard-main allowed-address=192.168.50.2,subnetA,subnetB ( assuming subnets A,B are on peer router 2 )
add interface=wireguard-main allowed-address=192.168.50.3,subnetC,subnetD ( assuming subnets C,D are on peer router 3 )
add interface=wireguard-main allowed-address=192.168.50.4,subnetE,subnetF ( assuming subnets E,F are on peer router 4 )
add interface=wireguard-main allowed-address=192.168.50.5 ( remote admin peer laptop )
add interface=wireguard-main allowed-address=192.168.50.6 ( remote admin peer iphone/ipad )
/ip route
add dst-address=subnetA gateway=wireguard-main routing-table=main
add dst-address=subnetB gateway=wireguard-main routing-table=main
add dst-address=subnetC gateway=wireguard-main routing-table=main
add dst-address=subnetD gateway=wireguard-main routing-table=main
add dst-address=subnetE gateway=wireguard-main routing-table=main
add dst-address=subnetF gateway=wireguard-main routing-table=main
/ip firewall filter (input chain)
add action=accept chain=input dst-port=<wireguard listening port> protocol=udp
add action=accept chain=input in-interface=wireguard-main src-address-list=admins
/ip firewall address-list
add address=192.168.50.5 list=admins
add address=192.168.50.6 list=admins
add address=<LAN IP of admin on router2> list=admins
add address=<LAN IP of admin on router3> list=admins
add address=<LAN IP of admin on router4> list=admins
/ip firewall filter (forward chain)
add chain=forward action=accept in-interface=wireguard-main out-interface=wireguard-main comment=relay
add chain=forward action=accept in-interface-list=LAN out-interface=wireguard-main { allow internal subnets to access other subnets }
add chain=forward action=accept in-interface=wireguard-main out-interface-list=LAN { limit by src remote address or by out interfaces allowed access, may have several rules here }
Router2
/ip address
add address=192.168.50.2/24 interface=wireguard-two network=192.168.50.0
/interface wireguard peers
add interface=wireguard-two allowed-address=192.168.50.0/24,subnetC,subnetD,subnetE,subnetF,subnetX,subnetY endpoint-address=<main router WANIP> endpoint-port=<main listening port> persistent-keepalive=35s ( assuming subnets X,Y are on Main router )
/ip route
add dst-address=subnetX gateway=wireguard-two routing-table=main
add dst-address=subnetY gateway=wireguard-two routing-table=main
add dst-address=subnetC gateway=wireguard-two routing-table=main
add dst-address=subnetD gateway=wireguard-two routing-table=main
add dst-address=subnetE gateway=wireguard-two routing-table=main
add dst-address=subnetF gateway=wireguard-two routing-table=main
/ip firewall filter (input chain)
add action=accept chain=input in-interface=wireguard-two src-address-list=admins
/ip firewall address-list
add address=192.168.50.5 list=admins
add address=192.168.50.6 list=admins
add address=<LAN IP of admin on router3> list=admins
add address=<LAN IP of admin on router4> list=admins
/ip firewall filter (forward chain)
add chain=forward action=accept in-interface-list=LAN out-interface=wireguard-two { allow internal subnets to access other subnets }
add chain=forward action=accept in-interface=wireguard-two out-interface-list=LAN { limit by src remote address or by out interfaces allowed to access, may have several rules here }
Router3
/ip address
add address=192.168.50.3/24 interface=wireguard-three network=192.168.50.0
/interface wireguard peers
add interface=wireguard-three allowed-address=192.168.50.0/24,subnetA,subnetB,subnetE,subnetF,subnetX,subnetY endpoint-address=<main router WANIP> endpoint-port=<main listening port> persistent-keepalive=40s
/ip route
add dst-address=subnetX gateway=wireguard-three routing-table=main
add dst-address=subnetY gateway=wireguard-three routing-table=main
add dst-address=subnetA gateway=wireguard-three routing-table=main
add dst-address=subnetB gateway=wireguard-three routing-table=main
add dst-address=subnetE gateway=wireguard-three routing-table=main
add dst-address=subnetF gateway=wireguard-three routing-table=main
Router4
/ip address
add address=192.168.50.4/24 interface=wireguard-four network=192.168.50.0
/interface wireguard peers
add interface=wireguard-four allowed-address=192.168.50.0/24,subnetA,subnetB,subnetC,subnetD,subnetX,subnetY endpoint-address=<main router WANIP> endpoint-port=<main listening port> persistent-keepalive=45s
/ip route
add dst-address=subnetX gateway=wireguard-four routing-table=main
add dst-address=subnetY gateway=wireguard-four routing-table=main
add dst-address=subnetA gateway=wireguard-four routing-table=main
add dst-address=subnetB gateway=wireguard-four routing-table=main
add dst-address=subnetC gateway=wireguard-four routing-table=main
add dst-address=subnetD gateway=wireguard-four routing-table=main
/ip firewall filter (input chain)
add action=accept chain=input in-interface=wireguard-four src-address-list=admins
/ip firewall address-list
add address=192.168.50.5 list=admins
add address=192.168.50.6 list=admins
add address=<LAN IP of admin on router2> list=admins
add address=<LAN IP of admin on router3> list=admins
/ip firewall filter (forward chain)
add chain=forward action=accept in-interface-list=LAN out-interface=wireguard-four { allow internal subnets to access other subnets }
add chain=forward action=accept in-interface=wireguard-four out-interface-list=LAN { limit by src remote address or by out interfaces allowed to access, may have several rules here }
+++++++++++++++++++++++++++++
Example user on Router4 subnetF, wants to access server on Router 2 Subnet A.
1. Router 4
a. Route exists for such traffic and tells router the route is through wireguard-four interface.
b. Firewall rule allows subnet G to enter Tunnel
c. Router matches dst-address to existing allowed address and peer ( main router )
d. Traffic is sent to Router MAIN.
2. MAIN
a. traffic from subnetF is filtered from corresponding peer and incoming subnet F source address is matched and allowed to exit the tunnel
b. subnet F traffic is now, relatively speaking, on the LAN side of MAIN,
c. Router has an IP route for the destination traffic to subnet A through wireguard interface-main
d. Router has a firewall rule to allow traffic from wireguard interface to re-enter wireguard interface (relay)
e. Router searches for destination address on peer list and matches to PEER (Router 2) and sends traffic to correct peer
3. Router2
a. traffic coming in on the tunnel from Router MAIN has source address subnet of subnet F, which is on the allowed list and thus traffic exits the tunnel
b. subnet F traffic is now relatively speaking, on the LAN side of Router2
c. firewall rules determine if the traffic is allowed to any LAN subnets (forward chain) or Router (input chain)
d. Return traffic is automagic as IP routes ensure the return traffic for destination subnet F has a route back into the tunnel!
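As an added illustration (not part of the post above), this Python sketch simulates WireGuard's cryptokey routing across the hub-and-spoke layout described: on send, the peer whose allowed-addresses cover the destination is chosen; on receive, a packet is dropped unless its source falls inside that peer's allowed-addresses. The subnet prefixes, router names and the `trace`/`without_subnet` helpers are constructed assumptions; it walks the subnetF-to-subnetA example and shows what happens when one allowed-addresses entry is missing.

```python
from copy import deepcopy
from ipaddress import ip_address, ip_network

# Constructed placeholder prefixes for the subnet letters used in the post.
SUBNETS = {"A": "10.2.1.0/24", "B": "10.2.2.0/24", "C": "10.3.1.0/24",
           "D": "10.3.2.0/24", "E": "10.4.1.0/24", "F": "10.4.2.0/24",
           "X": "10.1.1.0/24", "Y": "10.1.2.0/24"}

def nets(*letters):
    return [ip_network(SUBNETS[x]) for x in letters]

# router -> {peer -> allowed-addresses}, mirroring the post (hub "main", spokes r2-r4).
ROUTERS = {
    "main": {"r2": [ip_network("192.168.50.2/32")] + nets("A", "B"),
             "r3": [ip_network("192.168.50.3/32")] + nets("C", "D"),
             "r4": [ip_network("192.168.50.4/32")] + nets("E", "F")},
    "r2": {"main": [ip_network("192.168.50.0/24")] + nets("C", "D", "E", "F", "X", "Y")},
    "r3": {"main": [ip_network("192.168.50.0/24")] + nets("A", "B", "E", "F", "X", "Y")},
    "r4": {"main": [ip_network("192.168.50.0/24")] + nets("A", "B", "C", "D", "X", "Y")},
}

def egress_peer(routers, router, dst):
    """Send side: the peer whose allowed-addresses cover dst, or None if dst is local."""
    for peer, allowed in routers[router].items():
        if any(dst in n for n in allowed):
            return peer
    return None

def ingress_ok(routers, router, from_peer, src):
    """Receive side: WireGuard drops the packet unless src is in that peer's allowed-addresses."""
    return any(src in n for n in routers[router][from_peer])

def trace(src_router, src_ip, dst_ip, routers=ROUTERS):
    """Walk a packet hop by hop; return the routers it crosses, or None if a hop drops it."""
    src, dst, path = ip_address(src_ip), ip_address(dst_ip), [src_router]
    for _ in range(8):                   # hop limit: a misconfiguration could otherwise loop
        nxt = egress_peer(routers, path[-1], dst)
        if nxt is None:                  # no peer covers dst, so this router delivers locally
            return path
        if not ingress_ok(routers, nxt, path[-1], src):
            return None
        path.append(nxt)
    return None

def without_subnet(router, peer, letter, routers=ROUTERS):
    """Copy of the table with one subnet removed from a peer's allowed-addresses."""
    r = deepcopy(routers)
    r[router][peer] = [n for n in r[router][peer] if n != ip_network(SUBNETS[letter])]
    return r
```

`trace("r4", "10.4.2.10", "10.2.1.5")` follows the three-step walkthrough (r4, main, r2); dropping subnetF from Router2's list for the hub makes the forward packet fail at Router2's ingress check, and the reply never enters the tunnel at all because no peer covers subnetF.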