Overcoming overlapping "ancillary" subnets in site to site routing setup

I have two sites, site1 and site2, linked with a WireGuard site-to-site link. Each site provides its own internet connection (VDSL on one, cellular 4G on the other), and also has unrestricted visibility of all of the other site (via the WireGuard link) too. site1 is on 192.168.252.0/22 and site2 is on 192.168.43.0/24. This works well.

Unfortunately the modems for each site claim addresses within 192.168.1.0/24 and cannot be moved/reconfigured. Normally this would still be OK, as the modems would usually be private (not routed) to their respective routers. But in this instance I somehow need to be able to access the webpages of the cellular modem from either site to be able to manage the 4G account (they implemented mandatory 2FA via SMS :frowning_face: ).

I'm not really a networking expert, but I don't believe I can achieve this with simple routing (because the two modem subnets overlap), and as the cellular modem at site2 claims the entire /24 and issues the router an IP address via DHCP, I don't think I can do anything with subnetting either, even though the modems are at opposite ends of their subnets.

At this point a picture is probably worth a thousand words. Site1 modem is the ISP-supplied VDSL router in passthrough mode, and site2 modem is the USB 4G cellular dongle:


The most obvious solution I can think of would be to put the modem webpages behind reverse HTTP proxies running on the routers. Then I can access the modem webpages from either of the LANs (i.e. site1.lan or site2.lan) via the HTTP proxies, and continue to keep the modem subnets private to just the modems/routers.

I wondered about switching the routers from uhttpd to (maybe) nginx to run their LUCI web interfaces, which could open up using nginx's reverse proxy facilities. Or maybe just install something like haproxy on each router. I don't know what would be the advantages / disadvantages of each approach though.

So, would those solutions work? Did I miss anything simpler? What do the experts recommend?


What makes you unable to use plain routing?
A route to 192.168.1.252/30 is preferable over 192.168.1.0/24.
So, both routes can coexist and split traffic properly.
You only need to specify the allowed IPs in the WG peer section accordingly.

If there's still some sort of conflict, configure WAN on the 2nd router statically as 192.168.1.2/30.
Then 192.168.1.252/30 and 192.168.1.0/30 would be entirely different routes.

Be sure to enable masquerading on the upstream interface for traffic routed from the VPN.

As a last resort, you can just create a simple redirect aka port forwarding.
In any case, no reverse proxy should be necessary.

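A small model of the routing logic in the reply above, added here as an illustration (not code from the thread or from OpenWrt): it shows longest-prefix match choosing the 192.168.1.252/30 route over the DHCP-learned 192.168.1.0/24, and why the destination must also appear in the WireGuard peer's AllowedIPs. The modem addresses 192.168.1.1 and 192.168.1.254 and the interface names are assumptions.

```python
import ipaddress

# Site2 router's routing table, modelled on the thread's layout.
# Modem addresses (192.168.1.1 and 192.168.1.254) are assumed from the /30s
# suggested in the reply; the original post does not state them.
ROUTES = [
    ("0.0.0.0/0",        "wwan0",  "192.168.1.1"),  # default via the 4G modem
    ("192.168.1.0/24",   "wwan0",  None),           # DHCP-learned modem subnet
    ("192.168.43.0/24",  "br-lan", None),           # site2 LAN
    ("192.168.252.0/22", "wg0",    None),           # site1 LAN over WireGuard
    ("192.168.1.252/30", "wg0",    None),           # site1 modem /30 over WireGuard
]

# Cryptokey routing: wg0 only carries destinations listed in the peer's
# AllowedIPs. The first list is what the OP started with, the second is
# the corrected one that also admits the site1 modem /30.
ALLOWED_IPS_BEFORE = ["192.168.252.0/22"]
ALLOWED_IPS_AFTER = ["192.168.252.0/22", "192.168.1.252/30"]


def lookup(dst, routes=ROUTES):
    """Longest-prefix match: the most specific prefix containing dst wins.
    Returns (interface, gateway) or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, gw)
    return (best[1], best[2]) if best else None


def forward(dst, allowed_ips, routes=ROUTES):
    """Combine the kernel route with WireGuard's AllowedIPs filter: a packet
    routed to wg0 is silently dropped if no peer's AllowedIPs covers it."""
    iface, _gw = lookup(dst, routes)
    if iface != "wg0":
        return iface
    addr = ipaddress.ip_address(dst)
    if any(addr in ipaddress.ip_network(p) for p in allowed_ips):
        return "wg0"
    return "dropped: not in AllowedIPs"
```

Running `forward("192.168.1.254", ALLOWED_IPS_BEFORE)` reproduces the OP's initial failure, while `forward("192.168.1.1", ALLOWED_IPS_AFTER)` still reaches the local modem via wwan0 because the /24 route is untouched.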

This is why I'm not a networking expert! But I did experiment with routing before posting, and I couldn't get it to work. I'll work through it again with your comments to help me, and see if I can get it working. I'll report back either way. Thanks for the help.


Hi @vgaetera, you were completely right about the routing solution being the correct one.

I'd missed the need to allow the IPs across the WG link, but also it turns out that the cellular modem was rewriting its URL as "ik40.home", rather than continuing to use the IP address I originally accessed it on.

So I also needed to add "ik40.home" to the site2 hostnames (so it could provide lookups for browsers in site1) and then whitelist "home" as an acceptable domain to return RFC1918 addresses in site1, etc etc.

So in summary, a couple of interesting extra quirks, but your routing solution was the answer I needed. Many thanks!
