Hi,
The following is only if you are running the Mikrotik as a bridge device
inside your ISP router's LAN, acting as a WireGuard server for remote
clients (and possibly not doing much else).
Note: Many of Anav's comments still apply.
(If you are doing something else, please ignore all this.)
1. Give the Mikrotik a fixed IP address within your ISP router's LAN address range.
The following from your config is an invalid address.
** This from your provided config is invalid**
/ip address
add address=10.0.1.0/24 comment=defconf interface=bridge network=10.0.1.0
****
Assuming the IP range is 10.0.1.0/24, perhaps give it 10.0.1.3/24 (allowing your ISP router to be on 10.0.1.1).
In the ISP router, port forward 13231 to the IP address of the Mikrotik.
Test the following, and make it work:
Connect to the Mikrotik via WireGuard, and ping 192.168.100.1 from your phone.
(If not answering, check the WireGuard tx, rx and last handshake values.)
Next:
You have at least a couple of options here.
1. You NAT the unencrypted traffic coming from the WireGuard client into
the local LAN (and to the internet beyond as required), because
nothing else in your network will know what to do with a
192.168.100.2 IP address.
Good if you only want your WireGuard clients to have visibility into
the LAN, but the LAN not to have visibility into your WireGuard
clients.
2. You rejig the LAN and WireGuard address assignments so they are
compatible with each other. (The LAN usually stays the same.)
I tend to use this option.
Devices on the LAN and WireGuard can connect to each other (firewall
rules on devices permitting).
If you don't have lots of devices on the LAN and only a few
WireGuard clients, I would carve out a /27 range (30 odd devices).
e.g. Using the LAN range 10.0.1.0/24:
Assign 10.0.1.192/27 for WireGuard (10.0.1.192 to 10.0.1.223).
Assign 10.0.1.193/27 to the Mikrotik WireGuard interface.
Give 10.0.1.194/24 to your first WireGuard client (and set allowed-address on the Mikrotik).
Code:
/ip address add address=10.0.1.193/27 comment=wireguard interface=wireguard1 network=10.0.1.192
* Also need to rejig wireguard peer, not shown *
Reconfigure your ISP router DHCP server to not hand out IP addresses
in this range.
Move any statically assigned devices in this range.
Then (this bit makes it work) enable Proxy ARP on the bridge
interface of the Mikrotik.
Code:
/interface bridge set bridge arp=proxy-arp
You should now be able to ping your ISP router from your phone connected via WireGuard.
(Make sure you are not using wifi on your phone, but rather 4G etc.)
When any device (including the ISP router) on the LAN wants to connect to
a WireGuard device, say 10.0.1.194, it will ARP for the MAC address of
this device. The Mikrotik will respond to the ARP and give its IP
address.
The device sends the packet to the Mikrotik's MAC address, and the Mikrotik routes it to
10.0.1.194. And similarly for traffic in the other direction.
3. Another option might be to use some form of 1:1 Nat, eg NetMap.
Statistics: Posted by rplant — Fri Mar 22, 2024 11:25 am
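Option 2 from the post above (carve 10.0.1.192/27 out of the LAN and proxy-ARP it), written out as one complete RouterOS 7 script. This is an added example, not rplant's configuration and not code from the thread. It assumes the bridge is named `bridge`, the WireGuard interface is `wireguard1`, the ISP router is 10.0.1.1 on 10.0.1.0/24 with UDP 13231 forwarded to 10.0.1.3, and `<PHONE-PUBLIC-KEY>` stands for the phone's WireGuard public key. The default route and the input firewall rule are not in the post; they are added here because the handshake reply to a remote client has to leave via the ISP router, and a default RouterOS firewall would otherwise drop the inbound handshake.

```routeros
# Added example (not from the post): RouterOS 7, option 2 (shared LAN range + proxy ARP).
# Assumed names: bridge "bridge", WireGuard interface "wireguard1",
# <PHONE-PUBLIC-KEY> = the phone's public key, ISP router 10.0.1.1.

# 1. Fixed LAN address inside the ISP router's range (replaces the invalid
#    10.0.1.0/24 entry), plus a default route via the ISP router so that
#    replies to remote clients arriving through the port forward can leave.
/ip address add address=10.0.1.3/24 interface=bridge network=10.0.1.0 comment="LAN side, static"
/ip route add dst-address=0.0.0.0/0 gateway=10.0.1.1 comment="default via ISP router (assumed)"

# 2. WireGuard server interface on the port the ISP router forwards.
/interface wireguard add name=wireguard1 listen-port=13231 comment="remote clients"

# 3. The /27 carved out of the LAN: 10.0.1.192 to 10.0.1.223. The Mikrotik
#    owns .193 on the tunnel; clients get .194 upwards. The ISP router's DHCP
#    pool must stop below .192 (e.g. 10.0.1.10-10.0.1.191).
/ip address add address=10.0.1.193/27 interface=wireguard1 network=10.0.1.192 comment=wireguard

# 4. One peer per client (the part the post says is "not shown").
#    allowed-address is the client's tunnel address as a /32: WireGuard
#    discards decrypted packets whose source is outside this list, so a
#    client cannot send as another client or as a LAN host.
/interface wireguard peers add interface=wireguard1 public-key="<PHONE-PUBLIC-KEY>" allowed-address=10.0.1.194/32 comment="phone"

# 5. Proxy ARP on the bridge. RouterOS answers an ARP request on the bridge
#    when it holds a route to the target via a different interface; here
#    that is 10.0.1.192/27 via wireguard1, so LAN hosts and the ISP router
#    learn the Mikrotik's MAC for 10.0.1.194 and the Mikrotik routes the
#    frame into the tunnel. Internet destinations are routed via the bridge
#    itself, so they are not proxied.
/interface bridge set bridge arp=proxy-arp

# 6. Only needed if the input chain drops non-LAN traffic: admit the
#    handshake. Move this rule above any generic drop in the input chain.
/ip firewall filter add chain=input protocol=udp dst-port=13231 action=accept comment="wireguard handshake"

# Checks the post asks for: last-handshake / rx / tx per peer, then reachability.
/interface wireguard peers print
/ip arp print where address=10.0.1.194
/ping 10.0.1.194 count=3

# Phone side, wg-quick style, for reference (the post's /24 on the client is kept):
#   [Interface]  Address = 10.0.1.194/24   PrivateKey = <phone private key>
#   [Peer]       PublicKey = <wireguard1 public key from /interface wireguard print>
#                AllowedIPs = 10.0.1.0/24   Endpoint = <ISP router public IP>:13231
#                PersistentKeepalive = 25
```

With this layout the remote client is, for every LAN host, just another 10.0.1.x address, so anything it may reach is decided by the Mikrotik's forward chain and the LAN hosts' own firewalls; if clients should not administer the ISP router, a forward rule on `wireguard1` towards 10.0.1.1 is the place to say so.

Option 1 from the post (keep the original 192.168.100.0/24 tunnel subnet and hide clients behind the Mikrotik's LAN address with source NAT), as a second added example with the same assumed names: bridge `bridge`, interface `wireguard1`, ISP router 10.0.1.1, `<PHONE-PUBLIC-KEY>` for the phone's key. Not code from the post.

```routeros
# Added example (not from the post): RouterOS 7, option 1 (NAT the tunnel into the LAN).
# Assumed names: bridge "bridge", WireGuard interface "wireguard1",
# <PHONE-PUBLIC-KEY> = the phone's public key, ISP router 10.0.1.1.
/ip address add address=10.0.1.3/24 interface=bridge network=10.0.1.0 comment="LAN side, static"
/ip route add dst-address=0.0.0.0/0 gateway=10.0.1.1 comment="default via ISP router (assumed)"
/interface wireguard add name=wireguard1 listen-port=13231 comment="remote clients"

# Tunnel keeps its own private subnet; the LAN never needs a route to it.
/ip address add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0 comment=wireguard
/interface wireguard peers add interface=wireguard1 public-key="<PHONE-PUBLIC-KEY>" allowed-address=192.168.100.2/32 comment="phone"

# Everything leaving the tunnel towards the LAN (and the internet beyond the
# ISP router) is rewritten to the bridge address 10.0.1.3, so no LAN host
# ever sees a 192.168.100.x source. LAN hosts cannot initiate connections
# to clients unless the ISP router is given a static route for
# 192.168.100.0/24 via 10.0.1.3, which is exactly the one-way visibility
# the post describes.
/ip firewall nat add chain=srcnat src-address=192.168.100.0/24 out-interface=bridge action=masquerade comment="hide WG clients behind 10.0.1.3"

# Same check as before: handshake first, then a ping through the NAT.
/interface wireguard peers print
/ping 192.168.100.2 count=3
```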