User avatar
anav
Forum Guru
Topic Author
Posts: 15888
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Discovery & Cast With Wireguard

Sun Mar 19, 2023 9:16 pm

{ linked from New User Pathway To Success Config Success - viewtopic.php?t=182373 }

Please find the following potential solutions attempting to get two locations to communicate for discovery/cast situations and other useful scenarios.
The first four examples discuss how to connect a UNIFI controller to UNIFI Access Points using wireguard with EOIP and VXLAN, then by DHCP options, and finally by the preferred DNS/DHCP combination. The fifth example is a way to connect a device at one location to a device at another location for mDNS services using EOIP and Wireguard. The sixth example covers a work-around for when one cannot change LAN IP subnets on both sides of a WG tunnel.

1. UNIFI Controller to UNIFI APs - via Wireguard and EOIP - viewtopic.php?p=990837#p990836
2. UNIFI Controller to UNIFI APs - via Wireguard and VXLAN - viewtopic.php?p=990834#p990837
3. UNIFI Controller to UNIFI APs - via Wireguard and DHCP Option - viewtopic.php?p=990834#p990838
4. UNIFI Controller to UNIFI APs - via Wireguard and DNS+DHCP - viewtopic.php?p=990834#p990839
5. mDNS Discovery Between Home and Office Devices - viewtopic.php?p=990834#p990840
6. Identical Subnets Using WG Between Two Locations - viewtopic.php?p=990834#p990947
Last edited by anav on Fri Mar 24, 2023 2:45 pm, edited 19 times in total.
anav

Re: DISCOVERY/CAST WIREGUARD EOIP VXLAN UNIFI ETC

Sun Mar 19, 2023 9:20 pm

1. Unifi Controller to Unifi APs via Wireguard & EOIP

SOLUTION METHOD ONE: EOIP OVER WIREGUARD
a. create wireguard connectivity as per normal and then
b. create the EOIP tunnel within the WG tunnel ( EOIP never concerns itself with local WAN IPs at either end )
c. modify configs to avoid L2 conflicts with identical subnets.

a. Setup the WG

MT Device One
/interface wireguard
add listen-port=15551 mtu=1420 name=wireguard-home
/interface wireguard peers
add allowed-address=192.168.50.2 interface=wireguard-home public-key="---" comment=Router2
add allowed-address=192.168.50.3 interface=wireguard-home public-key="---" comment=remoteAdmin
/ip address
add address=192.168.50.1/24 interface=wireguard-home

MT Device Two
/interface wireguard
add listen-port=10771 mtu=1420 name=wireguard-client
/interface wireguard peers
add allowed-address=192.168.50.0/24 endpoint-address=mynetnameMTDEVICEONE endpoint-port=15551 \
interface=wireguard-client public-key="..." persistent-keepalive=35s
/ip address
add address=192.168.50.2/24 interface=wireguard-client

b. Setup EOIP tunnel over wireguard.

R1 - VLANs 10,20,30 are on the bridge; VLAN 20 is the subnet the unifi controller is on.
R2 - VLANs 5,20,40 are on the bridge; VLAN 20 is the same subnet and is where the APs exist.
Both routers provide DHCP on the subnets.
R1 - ether4-HomeR1, R2 - ether3-VHomeR2

Router ONE
/interface eoip
add name=eoip-to-TWO remote-address=192.168.50.2 local-address=192.168.50.1 tunnel-id=321

Router TWO
/interface eoip
add name=eoip-to-ONE remote-address=192.168.50.1 local-address=192.168.50.2 tunnel-id=321

Router One

/interface bridge port
add bridge=bridge interface=ether4-HomeR1 pvid=20
add bridge=bridge interface=eoip-to-TWO pvid=20
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=eoip-to-TWO,ether4-HomeR1 vlan-ids=20


Note: Tagged or untagged works, but if one can save the overhead of 4 bytes, one pays less carbon tax. :-)

Router Two
/interface bridge port
add bridge=bridge interface=ether3-VHomeR2 pvid=20
add bridge=bridge interface=eoip-to-ONE pvid=20
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=eoip-to-ONE,ether3-VHomeR2 vlan-ids=20

c. PROBLEM: HOW TO DECONFLICT THE SAME L2 SUBNET IN TWO ROUTERS.

Solution Part 1: VLAN20
R1 ip pool = 192.168.2.2-192.168.2.100
R1 ip address = 192.168.2.1/24 interface=vlan20 network=192.168.2.0
R2 ip pool = 192.168.2.120-192.168.2.220
R2 ip address = 192.168.2.254/24 interface=vlan20 network=192.168.2.0

Solution Part 2: Bridge
R1 /interface bridge --> name=bridge vlan-filtering=yes dhcp-snooping=yes
R1 /interface bridge port ---> add bridge=bridge interface=local port/wlan trusted=yes (aka ether4-HomeR1)
R1 /interface bridge port ---> add bridge=bridge interface=eoip-to-TWO trusted=no
R2 /interface bridge --> name=bridge vlan-filtering=yes dhcp-snooping=yes
R2 /interface bridge port ---> add bridge=bridge interface=local port/wlan trusted=yes (aka ether3-VHomeR2)
R2 /interface bridge port ---> add bridge=bridge interface=eoip-to-ONE trusted=no


In effect, we ensure different address and gateway for the same subnet/vlan so that there is no issue with which Router is used for internet traffic.
We ensure that we keep the internet traffic of the local subnet via the local WAN.
The bridge settings ensure that there is no possibility of conflict with DHCP assignments between the two subnets connected over the EOIP tunnel.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Last edited by anav on Sun Mar 19, 2023 10:28 pm, edited 5 times in total.
anav

Re: DISCOVERY/CAST WIREGUARD EOIP VXLAN UNIFI ETC

Sun Mar 19, 2023 9:21 pm

2. Unifi Controller to Unifi APs via Wireguard & VXLAN

SOLUTION METHOD TWO: VXLAN OVER WIREGUARD
a. create wireguard connectivity as per normal and then
b. create the VXLAN tunnel within the WG tunnel ( VXLAN never concerns itself with local WAN IPs at either end )
c. modify configs to avoid L2 conflicts with identical subnets.

For those not familiar with VXLAN, it's a tunneling protocol which wraps a layer 2 frame into a UDP packet at layer 3.


[Diagram: vxlan.JPG, courtesy of Charles D.]
SCENARIO: span a subnet, like EOIP, over two separate locations.

Facts:
VLAN B - LAN B on R1 where the unifi B controller resides, and LAN B on R2 where two unifi APs reside, AP1-B and AP2-B
It is thought (but not verified) that the underlying network (in this case Wireguard) should have a higher MTU (min 1522, we will use 1550)

SO in our example we are going to create one vxlan tunnel between VLAN B on R1 to VLAN B on R2.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


a. setup the wg tunnel

MT Device One
/interface wireguard
add listen-port=15551 mtu=1550 name=wireguard-home
/interface wireguard peers
add allowed-address=192.168.50.2 interface=wireguard-home public-key="---" comment=Router2
add allowed-address=192.168.50.3 interface=wireguard-home public-key="---" comment=remoteAdmin
/ip address
add address=192.168.50.1/24 interface=wireguard-home

MT Device Two
/interface wireguard
add listen-port=10771 mtu=1550 name=wireguard-client
/interface wireguard peers
add allowed-address=192.168.50.0/24 endpoint-address=mynetnameMTDEVICEONE endpoint-port=15551 \
interface=wireguard-client public-key="..." persistent-keepalive=35s
/ip address
add address=192.168.50.2/24 interface=wireguard-client

b. Now let's provide context to the configuration and identify key components.

R1 VLAN B - 192.168.2.0/24, unifi controller = 192.168.2.15
R2 VLAN B - 192.168.2.0/24, unifi APs AP1-B = 192.168.2.25, AP2-B = 192.168.2.35
R1 unifi controller on ether4-C, R2 unifi APs on ether5-AP and ether6-AP

VXLAN Settings

Step 1: Assign vxlan interface name.
R1: Interface name=ControllerB
R2: Interface name=AP-B

Step 2: Allocate VTEP to the underlying structure
R1: VTEP --> interface=ControllerB remote-ip=192.168.50.2 { since the remote wireguard IP address of R2 is 50.2 }
R2: VTEP --> interface=AP-B remote-ip=192.168.50.1 { since the remote wireguard IP address of R1 is 50.1 }

Step 3: Assign vxlan parameters as required. The first iteration of this solution will be to span the same subnet.
R1 (interface ControllerB) --> vni=1001 port=9472
R2 (interface AP-B) --> vni=1001 port=9472

Add both vxlan interfaces to the single bridge on each router and connect/associate to the applicable VLAN interface.
R1
/interface bridge port
add bridge=bridge interface=ether4-C pvid=20
add bridge=bridge interface=ControllerB pvid=20
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ControllerB,ether4-C vlan-ids=20


Note: Tagged or untagged works, but if one can save the overhead of 4 bytes, one pays less carbon tax. :-)

R2
/interface bridge port
add bridge=bridge interface=ether5-AP1 pvid=20
add bridge=bridge interface=ether6-AP2 pvid=20
add bridge=bridge interface=AP-B pvid=20
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=AP-B,ether5-AP1,ether6-AP2 vlan-ids=20


c. PROBLEM: HOW TO DECONFLICT THE SAME L2 SUBNET IN TWO ROUTERS.

Solution Part 1: VLAN20
R1 ip pool = 192.168.2.2-192.168.2.100
R1 ip address = 192.168.2.1/24 interface=vlan20 network=192.168.2.0
R2 ip pool = 192.168.2.120-192.168.2.220
R2 ip address = 192.168.2.254/24 interface=vlan20 network=192.168.2.0

Solution Part 2: Bridge
R1 /interface bridge --> name=bridge vlan-filtering=yes dhcp-snooping=yes
R1 /interface bridge port ---> add bridge=bridge interface=local port/wlan trusted=yes
R1 /interface bridge port ---> add bridge=bridge interface=ControllerB trusted=no
R2 /interface bridge --> name=bridge vlan-filtering=yes dhcp-snooping=yes
R2 /interface bridge port ---> add bridge=bridge interface=local port/wlan trusted=yes
R2 /interface bridge port ---> add bridge=bridge interface=AP-B trusted=no


In effect, we ensure different address and gateway for the same subnet/vlan so that there is no issue with which Router is used for internet traffic.
We ensure that we keep the internet traffic of the local subnet via the local WAN.
The bridge settings ensure that there is no possibility of conflict with DHCP assignments between the two subnets connected over the vxlan tunnel.
Last edited by anav on Tue Mar 21, 2023 7:27 pm, edited 6 times in total.
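As an added example that is not part of the post above, the following Python builds and parses the 8-byte VXLAN header (RFC 7348) for the VNI used here (1001) and computes the overhead a full-size inner frame picks up, which is why the carrier interface, the Wireguard tunnel in this method, needs a larger MTU than the LAN. The sample frame is constructed and the function names are my own.

```python
import struct

VXLAN_FLAG_VNI_VALID = 0x08   # RFC 7348: the "I" flag must be set in every VXLAN header
VXLAN_HEADER_LEN = 8
ETH_HEADER_LEN = 14
DOT1Q_TAG_LEN = 4
UDP_HEADER_LEN = 8
IPV4_HEADER_LEN = 20


def vxlan_header(vni):
    """8-byte VXLAN header: flags(1) reserved(3) VNI(3) reserved(1)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    # The VNI occupies the upper 24 bits of the last 32-bit word, hence the << 8.
    return struct.pack("!B3xI", VXLAN_FLAG_VNI_VALID, vni << 8)


def encapsulate(frame, vni):
    """UDP payload the VTEP sends: VXLAN header followed by the whole L2 frame."""
    return vxlan_header(vni) + frame


def decapsulate(payload):
    """Return (vni, inner_frame); rejects short payloads or a clear I flag."""
    if len(payload) < VXLAN_HEADER_LEN:
        raise ValueError("payload shorter than a VXLAN header")
    flags, vni_field = struct.unpack("!B3xI", payload[:VXLAN_HEADER_LEN])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VNI-valid flag not set")
    return vni_field >> 8, payload[VXLAN_HEADER_LEN:]


def underlay_mtu_needed(inner_mtu=1500, tagged=False):
    """Smallest MTU the carrier interface needs so a full-size inner IP packet
    survives encapsulation without fragmentation: inner Ethernet header,
    optional 802.1Q tag, VXLAN header, outer UDP and outer IPv4 headers."""
    overhead = ETH_HEADER_LEN + VXLAN_HEADER_LEN + UDP_HEADER_LEN + IPV4_HEADER_LEN
    if tagged:
        overhead += DOT1Q_TAG_LEN
    return inner_mtu + overhead


# Constructed sample: broadcast dst MAC, a locally administered src MAC, EtherType IPv4,
# followed by a dummy 28-byte payload. Not captured from any real network.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "0242ac110002" "0800") + b"\x45" + bytes(27)


def roundtrip(vni=1001):
    """True if a frame survives encapsulate/decapsulate unchanged with its VNI."""
    vni_out, frame_out = decapsulate(encapsulate(SAMPLE_FRAME, vni))
    return vni_out == vni and frame_out == SAMPLE_FRAME


if __name__ == "__main__":
    print("VXLAN header for VNI 1001:", vxlan_header(1001).hex())
    print("untagged inner frames need carrier MTU", underlay_mtu_needed())
    print("tagged inner frames need carrier MTU", underlay_mtu_needed(tagged=True))
```

The untagged figure matches the 1550 the post settles on; the tagged figure is what the extra 4 bytes mentioned in the note cost.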
anav

Re: DISCOVERY/CAST WIREGUARD EOIP VXLAN UNIFI ETC

Sun Mar 19, 2023 9:21 pm

3. Unifi Controller to Unifi APs via Wireguard & DHCP Option

SOLUTION METHOD THREE: USE DHCP OPTION 43
a. create wireguard connectivity as per normal and then
b. create the DHCP Option settings on R2 for the unifi Access Points.
c. modify configs to allow Access Points via Wireguard (L3 traffic) to route to the Unifi controller IP.

a. Setup WG as per usual.

MT Device One
/interface wireguard
add listen-port=15551 mtu=1420 name=wireguard-home
/interface wireguard peers
add allowed-address=192.168.50.2,192.168.168.0/24 interface=wireguard-home public-key="---" comment=Router2
add allowed-address=192.168.50.3 interface=wireguard-home public-key="---" comment=remoteAdmin
/ip address
add address=192.168.50.1/24 interface=wireguard-home

MT Device Two
/interface wireguard
add listen-port=10771 mtu=1420 name=wireguard-client
/interface wireguard peers
add allowed-address=192.168.50.0/24,10.10.10.0/24 endpoint-address=mynetnameMTDEVICEONE endpoint-port=15551 \
interface=wireguard-client public-key="..." persistent-keepalive=35s
/ip address
add address=192.168.50.2/24 interface=wireguard-client

b. Now that wireguard is setup, let's SETUP DHCP options for R2

Router 1, LAN A - 10.10.10.0/24, unifi controller is 10.10.10.15
Router 2, LAN B - 192.168.168.1/24, AP1 192.168.168.5, AP2 192.168.168.20

DHCP server settings for Router 2 LAN B
Create an OPTION, call it Option UNIFI
select code 43
select unifi IP address 10.10.10.15; we need to add 0104 in front of it according to searches.
so enter this for the value entry ----> 0x0104 '10.10.10.15'
Hit Apply and OK. The MT router will convert this to HEX and a raw value!

Then go to DHCP NETWORKS.
select LAN B
select tab DHCP Options
select UNIFI.

Now the DHCP server at R2 will provide the AP with a local IP (offer) as well as inform the APs of the unifi controller IP address.
The APs will now send traffic to that IP and we must provide a path there.

c. Now let's ensure that path exists.

Hence in R2 allowed IPs, for the peer of R1, we added 10.10.10.0/24

Hence in R2 we add a route
/ip route
add dst-address=10.10.10.0/24 gateway=WG-Client routing-table=main

Hence in R2 we add a firewall rule.
/ip firewall filter
add chain=forward action=accept in-interface=LANB out-interface=WG-Client src-address-list=UBI-APs

Now when the APs attempt to reach the destination of the unifi controller, the route there will be found by the router to be the wg tunnel, firewall rules will allow it, and the wireguard rules will match the traffic to the peer of R1 and send it on its way.

At R1 we need to ensure allowed IPs for peer router2 include 192.168.168.0/24
and thus the traffic will be filtered/accepted and allowed to exit the tunnel upon arrival at R1

At R1 we need the corresponding firewall rule
/ip firewall filter
add action=accept chain=forward in-interface=WG-Server dst-address-list=LANA src-address-list=External_APs
and thus the traffic will be allowed to go to the unifi controller

At R1 we need to ensure a route back into the tunnel for traffic from the unifi controller to the unifi APs.
/ip route
add dst-address=192.168.168.0/24 gateway=WG-Server routing-table=main

Finally at R1 we need to allow the traffic.
/ip firewall filter
add action=accept chain=forward out-interface=WG-Server src-address=10.10.10.0/24 dst-address=192.168.168.0/24
Last edited by anav on Sun Mar 19, 2023 10:27 pm, edited 5 times in total.
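As an added example that is not part of the post above, the following Python produces the raw option 43 payload the APs parse (the Ubiquiti inform sub-option: code 1, length 4, then the controller's four IPv4 bytes, which is where the 0104 prefix comes from) in the 0x hex form accepted for a RouterOS DHCP option value, and decodes a payload taken from a packet capture so the offer can be checked. Function names are my own.

```python
from ipaddress import IPv4Address

UNIFI_INFORM_SUBOPTION = 0x01   # Ubiquiti sub-option carrying the controller address
END_MARKER = 0xFF               # standard option-43 TLV terminator
PAD = 0x00


def unifi_option43(controller_ip):
    """Raw option 43 payload: sub-option 1, length 4, then the controller's IPv4 bytes."""
    return bytes([UNIFI_INFORM_SUBOPTION, 4]) + IPv4Address(controller_ip).packed


def routeros_value(controller_ip):
    """Hex string (0x...) to paste into the value field of /ip dhcp-server option."""
    return "0x" + unifi_option43(controller_ip).hex()


def parse_option43(payload):
    """Walk the type-length-value sub-options and return {code: value}.
    Raises ValueError on truncated data instead of returning a partial value."""
    subs = {}
    i = 0
    while i < len(payload):
        code = payload[i]
        if code == END_MARKER:
            break
        if code == PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("sub-option %d has no length byte" % code)
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("sub-option %d truncated" % code)
        subs[code] = value
        i += 2 + length
    return subs


def controller_from_option43(payload):
    """Controller IP an AP would extract, or None when the inform sub-option is
    absent or is not exactly four bytes (i.e. not a packed IPv4 address)."""
    value = parse_option43(payload).get(UNIFI_INFORM_SUBOPTION)
    if value is None or len(value) != 4:
        return None
    return str(IPv4Address(value))


if __name__ == "__main__":
    print("option 43 value for 10.10.10.15:", routeros_value("10.10.10.15"))
    # Constructed payload as a sniffer might show it: pad, inform sub-option, terminator.
    print(controller_from_option43(bytes.fromhex("0001040a0a0a0fff")))
```

Compare the decoded address against the DHCP offer seen on the AP side (for example with /tool sniffer on the LAN B interface) before concluding the APs cannot see the controller.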
anav

Re: DISCOVERY/CAST WIREGUARD EOIP VXLAN UNIFI ETC

Sun Mar 19, 2023 9:22 pm

4. Unifi Controller to Unifi APs via Wireguard & DNS+DHCP

SOLUTION METHOD FOUR (preferred option): Use DNS and DHCP
a. create wireguard connectivity as per normal and then
b. create the IP DNS SETTINGS and DHCP SERVER SETTINGS on Router 2.
c. modify configs to allow Access Points via Wireguard (L3 traffic) to route to the Unifi controller IP.

a. Setup WG as per usual.

MT Device One
/interface wireguard
add listen-port=15551 mtu=1420 name=wireguard-home
/interface wireguard peers
add allowed-address=192.168.50.2,192.168.168.0/24 interface=wireguard-home public-key="---" comment=Router2
add allowed-address=192.168.50.3 interface=wireguard-home public-key="---" comment=remoteAdmin
/ip address
add address=192.168.50.1/24 interface=wireguard-home

MT Device Two
/interface wireguard
add listen-port=10771 mtu=1420 name=wireguard-client
/interface wireguard peers
add allowed-address=192.168.50.0/24,10.10.10.0/24 endpoint-address=mynetnameMTDEVICEONE endpoint-port=15551 \
interface=wireguard-client public-key="..." persistent-keepalive=35s
/ip address
add address=192.168.50.2/24 interface=wireguard-client

b. Now that wireguard is configured, let's SETUP the DHCP and DNS for R2

Router 1, LAN A - 10.10.10.0/24, unifi controller is 10.10.10.15
Router 2, LAN B - 192.168.168.1/24, AP1 192.168.168.5, AP2 192.168.168.20

/ip dhcp-server network
add address=192.168.168.0/24 dns-server=192.168.168.1 domain=ammo.home gateway=192.168.168.1

/ip dns static
add address=10.10.10.15 name=unifi.ammo.home type=A


THE KEY: The assumption is that the unifi APs are looking for two ways to connect to the unifi controller!

(i) via DHCP option 43 contents. In this case there is no option 43 indicated ( this solution was provided by Method 3 in a previous post )

(ii) via injecting a domain name. Each device on the subnet will ask for DHCP configuration and will get the IP address and mask, the gateway, the DNS server and the name of the "local" domain. The AP is then expecting to see a local domain. Then the AP asks DNS to return an address specifically for unifi.domain.name and in this case will then receive 10.10.10.15. Thus the AP now has the IP information for the unifi controller.

c. Now let's ensure that the path via WG from router to router exists, as the APs will be searching for the UNIFI destination IP.

Hence in R2 allowed IPs, for the peer of R1, we added 10.10.10.0/24

Hence in R2 we add a route
/ip route
add dst-address=10.10.10.0/24 gateway=WG-Client routing-table=main

Hence in R2 we add a firewall rule.
/ip firewall filter
add chain=forward action=accept in-interface=LANB out-interface=WG-Client src-address-list=UBI-APs

Now when the APs attempt to reach the destination of the unifi controller, the route there will be found by the router to be the wg tunnel, firewall rules will allow it, and the wireguard rules will match the traffic to the peer of R1 and send it on its way.

At R1 we need to ensure allowed IPs for peer router2 includes 192.168.168.0/24
and thus the traffic will be filtered/accepted and allowed to exit the tunnel upon arrival at R1

At R1 we need the corresponding firewall rule to allow incoming wireguard traffic.
/ip firewall filter
add action=accept chain=forward in-interface=WG-Server dst-address-list=LANA src-address-list=External_APs
and thus the traffic will be allowed to go to the unifi controller

At R1 we need to ensure a route back into the tunnel for the return traffic back to the APs.
/ip route
add dst-address=192.168.168.0/24 gateway=WG-Server routing-table=main

Finally at R1 we need to allow the return traffic from controller to APs to enter WG.
/ip firewall filter
add action=accept chain=forward out-interface=WG-Server src-address=10.10.10.0/24 dst-address=192.168.168.0/24
Last edited by anav on Sun Mar 19, 2023 10:40 pm, edited 11 times in total.
anav

Re: DISCOVERY/CAST WIREGUARD EOIP VXLAN UNIFI ETC

Sun Mar 19, 2023 9:22 pm

5. mDNS Discovery Between Home and Office Devices. ( help from others )

SOLUTION METHOD: ADD A CONNECTING SUBNET/INTERMEDIARY - EOIP OVER WIREGUARD
a. create wireguard connectivity as per normal and then
b. create the EOIP tunnel within the WG tunnel ( EOIP never concerns itself with local WAN IPs at either end )
c. modify configs to use a third subnet to "stitch" two separate subnets.
d. Apply Bridge Filter Rules to limit/allow mDNS traffic.


a. Setup the WG

MT Device One
/interface wireguard
add listen-port=15551 mtu=1420 name=wireguard-home
/interface wireguard peers
add allowed-address=192.168.50.2 interface=wireguard-home public-key="---" comment=Router2
add allowed-address=192.168.50.3 interface=wireguard-home public-key="---" comment=remoteAdmin
/ip address
add address=192.168.50.1/24 interface=wireguard-home

MT Device Two
/interface wireguard
add listen-port=10771 mtu=1420 name=wireguard-client
/interface wireguard peers
add allowed-address=192.168.50.0/24 endpoint-address=mynetnameMTDEVICEONE endpoint-port=15551 \
interface=wireguard-client public-key="..." persistent-keepalive=35s
/ip address
add address=192.168.50.2/24 interface=wireguard-client

b. Setup EOIP tunnel over wireguard.

R1 - VLANs 5,15,25 are on the bridge; vlan15 is the subnet where the PC resides (on ETHER4-PC) that wants to discover OFFICE devices (windows) at R2
R2 - VLANs 10,20,30 are on the bridge; VLAN 20 is the subnet where Office devices are located, at ETHER3-OFFICE on R2
R1+R2 - common VLAN to create: vlan55

Router ONE
/interface eoip
add name=eoip-to-TWO remote-address=192.168.50.2 local-address=192.168.50.1 tunnel-id=321

Router TWO
/interface eoip
add name=eoip-to-ONE remote-address=192.168.50.1 local-address=192.168.50.2 tunnel-id=321

Router One
/interface bridge port
add bridge=bridge interface=ether4-PC pvid=15
add bridge=bridge interface=eoip-to-TWO pvid=15
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=eoip-to-TWO,ether4-PC vlan-ids=15

Router Two
/interface bridge port
add bridge=bridge interface=ether3-OFFICE pvid=20
add bridge=bridge interface=eoip-to-ONE pvid=20
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=eoip-to-ONE,ether3-OFFICE vlan-ids=20

c. Creating Intermediary Subnet and add to Bridge VLAN55
Add: VLAN55 ( as tagged vlan, and the EOIP interface becomes a hybrid (port) interface )

/interface vlan
add interface=bridge name=VLAN55 vlan-id=55 (R1)
add interface=bridge name=vlan55 vlan-id=55 (R2)
/ip address
add address=10.10.55.1/30 interface=VLAN55 network=10.10.55.0 (R1)
add address=10.10.55.2/30 interface=vlan55 network=10.10.55.0 (R2)

Router One
/interface bridge port
add bridge=bridge interface=ether4-PC pvid=15
add bridge=bridge interface=eoip-to-TWO pvid=15
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=eoip-to-TWO,ether4-PC vlan-ids=15
add bridge=bridge tagged=bridge,eoip-to-TWO vlan-ids=55

Router Two
/interface bridge port
add bridge=bridge interface=ether3-OFFICE pvid=20
add bridge=bridge interface=eoip-to-ONE pvid=20
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=eoip-to-ONE,ether3-OFFICE vlan-ids=20
add bridge=bridge tagged=bridge,eoip-to-ONE vlan-ids=55

Creating the necessary routing. This is the secret sauce where multicast traffic from the PC (vlan20) gets routed to the R2 vlan55 IP and thus untagged vlan15 traffic is now on the same bridge as VLAN20.
R1 /ip route add dst-address=192.168.20.0/24 gateway=10.10.55.2 routing-table=main
R2 /ip route add dst-address=192.168.15.0/24 gateway=10.10.55.1 routing-table=main

d. Apply Bridge filters to allow/restrict to mDNS traffic.

R1 - Ensure that return traffic ( originated as multicast out, unicast return ) is permitted back into R1. Needed, otherwise return traffic would not be recognized and thus dropped.
This means that the unicast return traffic will be handled in normal IP filters. For the multicast traffic to be permitted, and to ensure we limit traffic over the EOIP interface, we need to use Bridge Filters. The drop rule is to stop any other traffic, cast or otherwise, such as DHCP discovery (any leakage) from R1 to R2.

/ip firewall filter
add action=accept chain=forward in-interface=VLAN55 src-address=192.168.15.0/24 dst-address=192.168.20.0/24 src-port=5353 protocol=udp
/interface bridge filter
add chain=forward action=accept out-interface=eoip-to-TWO mac-protocol=ip dst-address=224.0.0.251/32 ip-protocol=udp dst-port=5353
add chain=forward action=drop out-interface=eoip-to-TWO mac-protocol=ip

R2 - Ensure that return traffic from R2 (unicast return) is permitted out of R2. Since the destination is outside the local subnet, IP firewall filtering will be required. The drop rule is to stop any other traffic, cast or otherwise, such as DHCP discovery (any leakage) from R2 to R1

/ip firewall filter
add chain=forward action=accept out-interface=vlan55 src-address=192.168.20.0/24 dst-address=192.168.15.0/24 src-port=5353 protocol=udp
/interface bridge filter
add chain=forward action=drop out-interface=eoip-to-ONE mac-protocol=ip

++++++++++++++++++++++++++++++++++++++++++++++++++++++++

For another excellent article on mDNS and wireguard ---> viewtopic.php?t=194842
Last edited by anav on Sun Mar 26, 2023 4:02 am, edited 4 times in total.
anav

Re: DISCOVERY/CAST WIREGUARD

Mon Mar 20, 2023 12:51 pm

6. Identical Subnets Using WG Between Two Locations (not my solution - don't have the smarts)

SOLUTION METHOD: ADDING VIRTUAL SUBNETS VIA NETMAP

The basic scenario is one where two locations joined via wireguard (172.22.0.0/24) have the same LANIP structure and both cannot be changed.
A user on one needs access to a device on the other and so on.

The concept will be to create two virtual subnets, one at either end, and the function netmap to link opposite ends. We do this by using netmap and creating virtual subnets as placeholders.
So on R1, with local subnet A1, we virtually create subnet B.
So on R2, with local subnet A2, we virtually create subnet C.

On R1 we netmap the local subnet in sourcenat to translate local A1 to remote C.
Then on R2 we reverse the netmap to translate C to A2.


On R2 we netmap the local subnet in sourcenat to translate local A2 to remote B.
Then on R1 we reverse the netmap to translate B to A1.


For R1 routing we route C out wireguard and assign peers accordingly (the virtual subnet C at the other end - covers dst and incoming address).
For R2 routing we route B out wireguard and assign peers accordingly (the virtual subnet B at the other end - covers dst and incoming address).

There is one important "CATCH", as this is a workaround solution. The catch is that the users will have to put the identical IP address ending for the device they want to reach, but with the virtual subnet structure.


EXAMPLE
R1 LAN A1: 192.168.5.0/24
R1 Virtual LAN B: 192.168.1.0/24

R2 LAN A2: 192.168.5.0/24
R2 Virtual LAN C: 192.168.2.0/24

Therefore, if a user on R1 wants to reach a device on R2 at 192.168.5.56
they should think 2, as in 192.168.2.56

Conversely, if a user on R2 wants to reach a device on R1 at 192.168.5.78
they should think 1, as in 192.168.1.78

Logical Explanation:
Everyone on R1 must see A2 as C, no matter whether for outgoing or incoming connection, and everyone on R2 must see A1 as B, again no matter whether for outgoing or incoming.
Over the Wireguard tunnel, the config ensures B is talking to C

R1 CONFIG
/ip firewall nat
add action=netmap chain=srcnat src-address=192.168.5.0/24 to-addresses=192.168.2.0/24
add action=netmap chain=dstnat src-address=192.168.1.0/24 to-addresses=192.168.5.0/24
/ip route
add dst-address=192.168.2.0/24 gateway=wireguard-interface routing-table=main

/interface wireguard peers
add allowed-address=172.22.0.2/32,192.168.2.0/24 interface="WireGuard " public-key="..."

R2 CONFIG
/ip firewall nat
add action=netmap chain=srcnat src-address=192.168.5.0/24 to-addresses=192.168.1.0/24
add action=netmap chain=dstnat src-address=192.168.2.0/24 to-addresses=192.168.5.0/24
/ip route
add dst-address=192.168.1.0/24 gateway=wireguard-interface routing-table=main

/interface wireguard peers
add allowed-address=172.22.0.0/24,192.168.1.0/24 interface="WireGuard " public-key="..." persistent-keepalive=30s
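As an added example that is not part of the post above, the following Python models the address translation the Logical Explanation describes (R2's side sees A1 as B, R1's side sees A2 as C) together with WireGuard's allowed-address check on both ends, and traces a packet and its reply through both routers. The netmap rules are written as (chain, match, to) tuples of my own rather than RouterOS syntax, and the allowed-address sets are reduced to the virtual subnets.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network

A = IPv4Network("192.168.5.0/24")   # the real LAN, identical at both sites (A1 on R1, A2 on R2)
B = IPv4Network("192.168.1.0/24")   # virtual subnet: how R2's side sees R1's LAN
C = IPv4Network("192.168.2.0/24")   # virtual subnet: how R1's side sees R2's LAN


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


def netmap(addr, from_net, to_net):
    """RouterOS-style 1:1 netmap: swap the /24 prefix, keep the host part."""
    host = int(addr) & int(from_net.hostmask)
    return IPv4Address(int(to_net.network_address) | host)


# (chain, network to match, network to rewrite into), in the order RouterOS applies them:
# dstnat before the routing decision, srcnat after it. These follow the Logical Explanation.
R1_RULES = [("dstnat", B, A), ("srcnat", A, B)]
R2_RULES = [("dstnat", C, A), ("srcnat", A, C)]
# allowed-address of the remote peer on each router, reduced to the virtual subnet (assumption)
R1_ALLOWED = C   # R1 routes C into WireGuard and accepts tunnel packets sourced from C
R2_ALLOWED = B   # R2 routes B into WireGuard and accepts tunnel packets sourced from B


def apply_nat(pkt, rules):
    for chain, match_net, to_net in rules:
        if chain == "dstnat" and pkt.dst in match_net:
            pkt = replace(pkt, dst=netmap(pkt.dst, match_net, to_net))
        elif chain == "srcnat" and pkt.src in match_net:
            pkt = replace(pkt, src=netmap(pkt.src, match_net, to_net))
    return pkt


def cross_tunnel(pkt, sender_allowed, receiver_allowed):
    """WireGuard cryptokey routing: the sender only encrypts to a peer whose allowed-address
    covers the destination; the receiver drops decrypted packets whose source is not covered."""
    if pkt.dst not in sender_allowed:
        raise ValueError("no WireGuard route for destination %s" % pkt.dst)
    if pkt.src not in receiver_allowed:
        raise ValueError("source %s outside allowed-address, dropped on receipt" % pkt.src)
    return pkt


def _traverse(src, dst, first_rules, first_allowed, second_rules, second_allowed):
    pkt = apply_nat(Packet(IPv4Address(src), IPv4Address(dst)), first_rules)
    pkt = cross_tunnel(pkt, first_allowed, second_allowed)
    pkt = apply_nat(pkt, second_rules)
    return str(pkt.src), str(pkt.dst)


def r1_to_r2(src, dst):
    """(src, dst) a host on R2's LAN sees for a packet sent from R1's LAN."""
    return _traverse(src, dst, R1_RULES, R1_ALLOWED, R2_RULES, R2_ALLOWED)


def r2_to_r1(src, dst):
    """(src, dst) a host on R1's LAN sees for a packet sent from R2's LAN, e.g. the reply."""
    return _traverse(src, dst, R2_RULES, R2_ALLOWED, R1_RULES, R1_ALLOWED)


def address_to_dial(real_remote_ip, from_r1=True):
    """The 'catch': keep the host number, dial the virtual prefix of the far side."""
    return str(netmap(IPv4Address(real_remote_ip), A, C if from_r1 else B))


if __name__ == "__main__":
    print("R1 user dials", address_to_dial("192.168.5.56"), "to reach 192.168.5.56 at R2")
    print("arrives at R2 LAN as", r1_to_r2("192.168.5.10", "192.168.2.56"))
    print("reply arrives at R1 LAN as", r2_to_r1("192.168.5.56", "192.168.1.10"))
```

Sending to the real 192.168.5.56 from R1 raises in cross_tunnel, because no tunnel route covers A: the packet would stay on R1's own LAN, which is exactly why the virtual prefix must be dialled.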