In this scenario I want to access the internet from Router1 directly, without a DMZ,
and also want to access Router2's network from the bridge via the WireGuard route.
But with the scenario installed as shown below, I couldn't access Router2's network.
When I listen on the bridge and on the interface I plugged my PC into,
tcpdump shows me there is no traffic passing through them.
But I can access the internet; no dump occurs in tcpdump.
tcpdump -i br-wan
tcpdump -i lan2
Does this switch board forward traffic only hardware-based?
How can I access Router2's network?
Any help would be appreciated.
OK. So those devices are not running in router mode? I'm basing this on the fact that the ISP router LAN and the PCs connected to the 'tik have the same subnet.
On the RB750Gr3 devices I bridged the WAN, LAN1 and LAN2 ports together.
I don't have much experience with routing and bridging. This bridge configuration seems not to be in routing mode.
If the ports are bridged, the router is not routing. A bridge is basically a software switch.
Beyond that, a router must have different subnets across the routing engine (usually wan/lan). Here you have the same subnets, so routing is impossible.
You want to be using routing and not bridging. Best bet is to reset your 'tiks to default and then configure based on routing (not bridging). Then you can enable a VPN to route between the two networks.
Thanks,
but my aim is to achieve this scenario without setting a DMZ IP for the MikroTik devices on the ISP's router, or PAT,
and I also don't want to PAT on the RB750Gr3 devices.
Is there any other solution without separating the WAN and LAN subnets?
And I wonder why tcpdump can't listen on these interfaces in the above scenario?
You can add static routes on the LAN hosts or the ISP routers, e.g. on the right side, 10.10.20.0/24 via 10.10.30.2.
If you do it on the routers, there will be asymmetric routing, but central management.
If you do it on the LAN hosts, you'll have to replicate it on all of them, and some might not support adding static routes.
It would work if you can convince the PC endpoints that the OpenWrt / WireGuard box is their default route. That will require either setting them to static IP or disabling/replacing the DHCP server in the existing main routers with a DHCP service in OpenWrt that advertises the different route.
Since your ISP routers do not support static routes, you have 2 options:
1. Run the OpenWrt devices in NAT masquerading mode, as I suggested earlier.
2. Use static routes on the hosts of all the relevant machines on each network, as suggested by @mk24.
The first option is simple -- everything lives behind the OpenWrt router and things 'just work'.
The second option may be more complex -- you have to set routes on every device that needs to be able to connect to, or return traffic to a host on the other side of the VPN. This means that you need to do this on every relevant machine on both sides of the VPN. In some cases, you can simply set an additional route in a given system. In other cases, you may need to use a manual/static IP assignment (rather than DHCP) to handle it. And if you need to have certain traffic traverse the tunnel while other traffic bypasses it, things get a bit more complicated still.
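To make the difference between "static routes on the hosts" and "static routes on the ISP routers" concrete, here is an added example (not code from this thread or from OpenWrt) that models the two flat LANs as longest-prefix-match routing tables and traces a packet each way. The 10.10.20.0/24 network and the 10.10.30.2 WireGuard box come from the thread; every other address (10.10.30.1 as the ISP gateway, 10.10.20.2 as the far-side WireGuard box, the .50 hosts) is an assumption constructed for the example, and the tunnel is simply modelled as a gateway entry pointing at the peer box.

```python
import ipaddress

# Constructed topology mirroring the thread: one flat LAN per site, the ISP
# router as default gateway, and an OpenWrt/WireGuard box on the same subnet.
# Only 10.10.20.0/24 and 10.10.30.2 appear in the thread; the rest is assumed.
LEFT_LAN = ipaddress.ip_network("10.10.20.0/24")
RIGHT_LAN = ipaddress.ip_network("10.10.30.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
RIGHT_ISP, RIGHT_WG, RIGHT_PC = "10.10.30.1", "10.10.30.2", "10.10.30.50"
LEFT_ISP, LEFT_WG, LEFT_PC = "10.10.20.1", "10.10.20.2", "10.10.20.50"
ONLINK = None  # gateway None means the destination is directly reachable


def next_hop(table, dst):
    """Longest-prefix-match lookup over a list of (network, gateway) entries."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, gw) for net, gw in table if dst in net]
    if not matches:
        return None
    net, gw = max(matches, key=lambda e: e[0].prefixlen)
    return "on-link" if gw is ONLINK else gw


def trace(tables, src, dst, max_hops=8):
    """Follow next hops from src toward dst; ends in dst, 'NO ROUTE' or 'LOOP'."""
    path, node = [src], src
    for _ in range(max_hops):
        hop = next_hop(tables.get(node, []), dst)
        if hop is None:
            return path + ["NO ROUTE"]
        if hop == "on-link":
            return path + [dst]
        path.append(hop)
        node = hop
    return path + ["LOOP"]


# Both WireGuard boxes know both LANs; the tunnel is modelled as a gateway
# entry pointing at the peer box's LAN address.
WG_TABLES = {
    RIGHT_WG: [(RIGHT_LAN, ONLINK), (LEFT_LAN, LEFT_WG), (ANY, RIGHT_ISP)],
    LEFT_WG: [(LEFT_LAN, ONLINK), (RIGHT_LAN, RIGHT_WG), (ANY, LEFT_ISP)],
}
# ISP routers: the flat LAN plus a default route to an uplink that has no
# route back to private address space (modelled as an unknown node).
ISP_TABLES = {
    RIGHT_ISP: [(RIGHT_LAN, ONLINK), (ANY, "isp-uplink")],
    LEFT_ISP: [(LEFT_LAN, ONLINK), (ANY, "isp-uplink")],
}
# PCs as DHCP hands them out: local subnet on-link, ISP router as default.
PC_DEFAULT = {
    RIGHT_PC: [(RIGHT_LAN, ONLINK), (ANY, RIGHT_ISP)],
    LEFT_PC: [(LEFT_LAN, ONLINK), (ANY, LEFT_ISP)],
}


def scenario(static_on):
    """Build all tables for one of: 'nothing', 'hosts', 'isp_routers'."""
    tables = {**WG_TABLES,
              **{k: list(v) for k, v in ISP_TABLES.items()},
              **{k: list(v) for k, v in PC_DEFAULT.items()}}
    if static_on == "hosts":
        tables[RIGHT_PC].append((LEFT_LAN, RIGHT_WG))
        tables[LEFT_PC].append((RIGHT_LAN, LEFT_WG))
    elif static_on == "isp_routers":
        tables[RIGHT_ISP].append((LEFT_LAN, RIGHT_WG))
        tables[LEFT_ISP].append((RIGHT_LAN, LEFT_WG))
    return tables


def round_trip(static_on):
    """Forward path right PC -> left PC and the return path back."""
    t = scenario(static_on)
    return trace(t, RIGHT_PC, LEFT_PC), trace(t, LEFT_PC, RIGHT_PC)


def is_symmetric(static_on):
    """True when both directions succeed and the return path mirrors the forward one."""
    fwd, back = round_trip(static_on)
    if "NO ROUTE" in fwd or "NO ROUTE" in back:
        return False
    return fwd == list(reversed(back))


if __name__ == "__main__":
    for s in ("nothing", "hosts", "isp_routers"):
        fwd, back = round_trip(s)
        print(f"{s:12} forward: {' -> '.join(fwd)}")
        print(f"{'':12} return : {' -> '.join(back)}  symmetric={is_symmetric(s)}")
```

With no extra routes the PC hands the 10.10.20.x packet to the ISP router, which sends it up its uplink and it is lost. With the route on the hosts, both directions go PC, WireGuard box, WireGuard box, PC. With the route on the ISP routers the outbound packet takes the extra hop through 10.10.30.1 while the reply comes straight from 10.10.30.2 to the PC, which is the asymmetry mentioned above; in practice a router forwarding a packet back out the interface it arrived on will often also send an ICMP redirect, so the exact behaviour depends on the ISP router.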
You don't necessarily need to set DMZ... all you need to do is set a single port forward.