
Beginner Basics • Re: Selective VPN and bridge mode

Draw a diagram.
I envisage
a. getting a private WANIP from the ISP router on its subnet (assuming it's a single subnet capable device, not vlans).
This is also the LANIP of the HEX on the ISP LAN.
Now you can allow local subnet users to wireguard, but you have no way to route ISP users through this wireguard connection, they only have access out the ISP LAN gateway.
The hex users can either go out the ISP wan, or the wireguard tunnel if that is the purpose.
For users coming in firewall rules play into whether or not

I don't want other users on the ISP subnet to access the VPN, except for those directly connected to MT ports. But I'd like them to access VPN while staying in the ISP subnet

a. the user can config the hex router, connect to the local subnet, connect to the ISP subnet via the normal gateway.. (in which case the ISP router will need static routes for any subnets that connect to ISP users, that the ISP doesn't know about)

If I figured correctly, the devices connected to MT on a port towards which I passed the vlan transparently are NOT allowed to reach the VPN tunnel, because they are ignored by the MT router, which acts as a switch for them.
BUT what if I create a subnet on Mikrotik on the same segment of the ISP router, with absolutely NO ROUTING AND FIREWALL RULES? Just a mere redirect of every packet from and to the two subnets... The DHCP server will be the ISP device, so any conflict will be avoided. But, this way, I can intercept packets (obv only from devices connected to MT) and redirect them as I wish. Could it be possible?

Statistics: Posted by BannHead — Tue Feb 25, 2025 4:01 pm


