How to Forward traffic from bridge to Wireguard VPN network

I am currently working on mikrotik rb750gr3

in this scenario i want to access internet from Router1 directly without DMZ.

And also want to access Router2's network from bridge via wireguard route

But i installed scenario shown below i couldn't access router2's network
When i listen bridge and the interface which i plugged into my pc
Tcpdump shows me There is no traffic passing through them
But i can access internet there is no dump occurs on tcpdump

tcpdump -i br-wan
tcpdump -i lan2

Does this switch board forward traffic only hardware based?
How can i access Router2 Network ?
Any help would be appreciated..

wan,lan1 and lan2 ports bridged together.

Here is my exact scenario:

are those switches built into the routers or are they separate devices? Which devices run openwrt?

Router1 and Router2 are ISP's routers

mt7621 switches >> RB750gr3

sorry for confusion

So what runs openwrt? The switches? This is not a good choice for running vpns - switches don’t have sufficient cpu power for this task.

Or are you saying that the switches are internal to the rb750gr3 devices? Are those running openwrt?

1 Like

Mikrotik rb750gr3 runs OpenWrt
it uses MT7621 IC so i called this switch

Yes swithches are internal to the rb750gr3

Ok. So those devices are not running in router mode? I’m basing this on the fact that the isp router lan and the PCs connected to the ‘tik have the subnet.

Router1 and Router2 running in router mode.

on RB750gr3 devices i bridged wan lan1 and lan2 ports together
I don't have much experience with routing and bridging. This bridge configuration seems not in routing

If the ports are bridged, the router is not routing. A bridge is basically a software switch.

Beyond that, a router must have different subnets across the routing engine (usually wan/lan). Here you have the same subnets, so routing is impossible.

You want to be using routing and not bridging. Best bet is to reset your ‘tiks to default and then configure based on routing (not bridging). Then you can enable a vpn to route between the two networks.


but my aim is to achieve this scenario without setting DMZ IP as mikrotik devices on ISP's router or PAT
and also don't want to PAT on rb750gr3 devices.

Is there any other solution without seperating wan and lan subnets ?

And I wonder why tcpdump can't listen to this interfaces in the above scenario?

You can add static routes on the lan hosts or the ISP routers. E.g on right side via
If you do it on the routers, there will be asymmetric routing, but central management.
If you do it on lan hosts, you'll have to replicate it on all of them and some might not support adding static routes.

Thanks but Static route adding disabled by ISP

and i cannot able to add static routes to hosts
this prohibited by system administration

It would work if you can convince the PC endpoints that the OpenWrt / WireGuard box is their default route. That will require either setting them to static IP or disabling/replacing the DHCP server in the existing main routers with a DHCP service in OpenWrt that advertises the different route.

1 Like

Since your ISP routers do not support static routes, you have 2 options:

  1. run the OpenWrt devices in NAT masquerading mode as I suggested earlier
  2. Use static routes on the hosts of all the relevant machines on each network as suggested by @mk24 .

The first option is simple -- everything lives behind the OpenWrt router and things 'just work'

The second option may be more complex -- you have to set routes on every device that needs to be able to connect to, or return traffic to a host on the other side of the VPN. This means that you need to do this on every relevant machine on both sides of the VPN. In some cases, you can simply set an additional route in a given system. In other cases, you may need to use a manual/static IP assignment (rather than DHCP) to handle it. And if you need to have certain traffic traverse the tunnel while other traffic bypasses it, things get a bit more complicated still.

You don't necessarily need to set DMZ... all you need to do is set a single port forward.

Why not?

1 Like