> One only needs the APP to create the first user (the smartphone itself). It automatically turns on BTH VPN, and creates the first two entries!
> I had thought one needed to manually turn on BTH VPN in ip cloud first.

It's likely best to do it via the phone BTH app - so you can test it first. But doing it via CLI, "/ip/cloud/set back-to-home-vpn=enabled" is identical, except your phone would not then have the first user.

> 1. When creating the tunnel from the phone it would appear that two peers are created, the actual smartphone itself 192.168.216.3 and..........
> a. the first peer, 192.168.216.2 appears to be the MT cloud relay peer reference and it has two entries I don't understand:
> peer user, (one's smartphone), the dynamic client peer setting has two entries I don't understand.

Router running BTH gets the .1 address (i.e. the back-to-home WG interface), with the first peer getting .2 (with peer information in top-level /ip/cloud), then any "shared users" / n-th peers are numbered .3, .4, .5, ... (with the peer stored in /ip/cloud/back-to-home-users, or the same named button in winbox).

> i. persistent keep alive of 5 seconds??
> I can understand on the client device of having a persistent keep alive, what is the purpose of this one???
> I suppose the router needs to keep pinging the mt cloud server for some reason??

Dunno exactly... But the lower it is the sooner BTH can re-calculate status. And, since OTHER devices' NAT might be involved, it ensures any OTHER NAT connection mappings do not get flushed and remain tracked.

> ii. allowed address of: fc00:0:0:216::2/128
> what does this actually mean, or translate to.
> Is this so that the router accepts any traffic from the MT cloud BTH server and why doesn't the actual IP suffice??

It's the IPv6 version of the BTH fixed private IP range, so same as 192.168.216.2. And fc00::/8 is like the 10.x.x.x, ... private ranges for IPv6, so Mikrotik reuses some of the private/non-routable IPv6 for BTH use. But it ensures each peer always gets a fixed BTH IP address for IPv6 too, which you might want for any IPv6 routing over WG. The ::2, ::3 should follow the same numbering as IPv4.

> c. responder box is checked?
> Why, on normal wireguard this is not utilized from what I recall??
> What is the purpose of this being checked? (on both the .2 (MT cloud peer) and .3, the iphone 1st master peer)

To be able to accept traffic from Mikrotik BTH proxy servers when proxied. And also the more "traditional" use when your router has a public IP. So needed for BOTH proxied and direct modes.

> d. dynamic nature of peer?
> Why cannot we make any of the peers static with one button selection...............

Because they don't want to have two places to manage BTH, and most dynamic entries (outside DHCP) work like this - i.e. you disable dynamic config via the other/actual config option that caused it to be enabled. Since the WG peers got created via /ip/cloud and /ip/cloud/back-to-home-users, that's how they get removed/changed too. Now nothing stops you from "copying" a BTH peer shown under /interface/wireguard/peer, and adding it as a new one to make it static - although I haven't tested that.

> 2. In terms of firewall rules, I see that the router automatically gets an input rule for wireguard, and assuming this covers the case if router does have a public IP and thus devices can talk directly to the router.

Correct. And it's also dynamic, so the firewall rule is removed if BTH is disabled/"revoked" in /ip/cloud.

> 3. Although LAN was checked for bth client access, I do not see any forward firewall rule allowing this????

It's allowed since there is [yet another] dynamic config item to add the back-to-home WG interface as a LAN interface-list (/interface/lists) - so the default firewall rule that allows LAN, allows BTH by default.

Blocking LAN access happens indirectly via /ip/firewall/address-list (back-to-home-lan-restricted-peers) and dynamic config in /ip/firewall/filter that drops based on the address-list. So checking the "Allow LAN" button for a user controls whether the BTH peer's IP address gets added to that ip address-list in firewall.
Statistics: Posted by Amm0 — Sun Jan 12, 2025 6:40 pm
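The LAN-access mechanism and the .N / ::N numbering described in the reply above, as an added Python check that is not part of the post or of RouterOS: it parses a constructed, print-detail-style listing of the dynamic entries (the key=value layout, peer names and the deliberate IPv6 mismatch on .4 are assumptions) and reports per peer whether the LAN is reachable and whether its IPv6 host number matches its IPv4 one.

```python
import ipaddress
import re
# Constructed sample in a RouterOS "print detail"-like key=value form (flag D = dynamic);
# not captured from a real router: peer names and the .4 IPv6 mismatch are made up.
SAMPLE = """\
/interface/wireguard/peers
 0 D name=first-user interface=back-to-home-vpn allowed-address=192.168.216.2/32,fc00:0:0:216::2/128 responder=yes
 1 D name=shared-user-1 interface=back-to-home-vpn allowed-address=192.168.216.3/32,fc00:0:0:216::3/128 responder=yes
 2 D name=shared-user-2 interface=back-to-home-vpn allowed-address=192.168.216.4/32,fc00:0:0:216::3/128 responder=yes
/interface/list/member
 0 D list=LAN interface=back-to-home-vpn
/ip/firewall/address-list
 0 D list=back-to-home-lan-restricted-peers address=192.168.216.4
"""
ENTRY_RE = re.compile(r"^\s*\d+((?:\s+[A-Z])*)\s+(.*)$")  # index, flags, key=value rest
KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')

def parse_print(text):
    """Group key=value entries under the menu path line that precedes them."""
    cfg, section = {}, None
    for line in text.splitlines():
        if line.startswith("/"):
            section = line.strip()
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            entry = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
            entry["dynamic"] = "D" in m.group(1)  # D flag: created by /ip/cloud, not static
            cfg.setdefault(section, []).append(entry)
    return cfg

def peer_addresses(peer):
    """Return the (IPv4, IPv6) host addresses from a peer's allowed-address list."""
    nets = [ipaddress.ip_network(a) for a in peer["allowed-address"].split(",")]
    return (next(n.network_address for n in nets if n.version == 4),
            next(n.network_address for n in nets if n.version == 6))

def numbering_consistent(peer):
    """True when the IPv6 host number (::N) equals the IPv4 last octet (.N)."""
    v4, v6 = peer_addresses(peer)
    return int(v6.exploded.split(":")[-1], 16) == int(v4) & 0xFF

def lan_access(cfg):
    """Per peer IPv4: LAN reachable iff its WG interface is in the LAN list and it is not restricted."""
    lan_ifaces = {m["interface"] for m in cfg.get("/interface/list/member", []) if m.get("list") == "LAN"}
    restricted = [ipaddress.ip_network(e["address"], strict=False) for e in cfg.get("/ip/firewall/address-list", [])
                  if e.get("list") == "back-to-home-lan-restricted-peers"]
    access = {}
    for peer in cfg.get("/interface/wireguard/peers", []):
        v4, _ = peer_addresses(peer)
        access[str(v4)] = peer["interface"] in lan_ifaces and not any(v4 in net for net in restricted)
    return access
```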