Community discussions

MikroTik App
 
fofo302
just joined
Topic Author
Posts: 1
Joined: Sun Nov 13, 2022 8:46 pm

Bridge wifi though Wireguard LTE

Sat Nov 19, 2022 10:23 pm

Hi guys,
I work on a trucking company where we installed camera systems on the trucks, these recordings are normally downloaded via WiFi when the truck comes back to the yard.

In the event of an accident the truck does not come to the yard, so we have to send a technician over to download the videos, this is costly... so we want to build a data extraction solution usign mikrotik, this will be battery powered inside a pelican enclosure.
This enclosure would be shipped to the accident site and powered on close to the truck. The goal is to extract the videos from the truck and make them available to a remote computer.

Once powered on, mikrotik will need to connect as a client to the cameras AP, would this be possible with dinamic SSIDs? (each camera system generates an SSID starting with some fixed letters followed by random numbers, for example: DW-12513. In the accident site only one device will be in range, or choose the one with stronger signal)

Once Mikrotik is connected to the camera system, we need to access this remotely... Since data extraction will take place on the field LTE connectivity is to be used, we think using a wireguard road warrior setup is the best way to have remote connection, would it be possible to use wireguard through LTE to bridge the wifi connection to a remote server?

Thanks
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 14490
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Bridge wifi though Wireguard LTE

Tue Nov 22, 2022 12:27 am

As long as your MT device at the site has access to the internet and the wireguard server at your end has a reachable WANIP, yes should be possible.

Rough idea provided below. Not sure how the bridge thingy will work but assuming it will be configed to one WLAN which we will put on a vlan for simplicity and easy configuration/identification.
Also not sure how camera post data dump works, does the camera auto look for an IP, or does an admin at home base reach out to the camera etc..........
Use of vlans is internal to the remote site MT and will not be seen by camera or by home base MT.......(transparent).

 nov/20/2022 21:30:58 by RouterOS 7.6
# serial number = *******
/interface bridge
add comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ]
set [ find default-name=ether2 ] 
set [ find default-name=ether3 ] 
/interface vlan
add name=vlan10-local interface=bridge vlan-id=10
add name=vlan50-camera interface=bridge vlan-id=50
/interface wireless
WIRELESS AS REQUIRED TO CONNECT TO CAMERA LETS USE WLAN1
/interface wireguard
add listen-port=51820 mtu=1420 name=portable-wg
/interface wireless
AS REQUIRED
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface list members
add interface=ether1  list=WAN
add interface=cellular list=WAN {whatever the name of the cellular interface is}
add interface=portable-wg list=WAN  { automatically adds wireguard to sourcenat such that any wireguard traffic will get the IP  of the wireguard interface (much easier to deal with when having multiple sites etc.)
add interface=vlan10-local list=LAN
add interface=vlan50-camera list=LAN
/ip pool
add name=dhcp ranges=10.0.20.2-10.0.20.10
add name=dhcp-wlan ranges=10.0.50.2-10.0.50.10
/ip dhcp-server
add address-pool=dhcp interface=vlan10-local name=local
add address-pool=dhcp-wlan  interface=vlan50-cameara name=wlan-server
/interface bridge port
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether2 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether3 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=WLAN1 pvid=50
/interface bridge vlan
add bridge=bridge tagged=bridge  untagged=ether2,ether3 vlan-ids=10
add bridge=bridge tagged=bridge  untagged=WLAN1 vlan-ids=50
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface wireguard peers
add allowed-address=11.11.11.0/24,SUBNET AT HOME MIKROTIK, endpoint-address=IPCLOUD_name_Mikrotik**.**.**.** endpoint-port=\
    51820 interface=portable-wg  persistent-keepalive=30s public-key=\
    "*************************"
/ip address
add address=10.0.20.1/24  interface=vlan10-local network=10.0.20.0
add address=10.0.50.1/24  interface=vlan50-camera  network=110.0.50.0
add address=11.11.11.2/24 interface=portable-wg network=11.11.11.0  { assumes home base mikrotrik wg address is 11.11.11.1/24)
/ip cloud
set ddns-enabled=yes
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
ip firewall filter
{Input Chain}
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface-list=LAN
add action=accept chain=input in-interface=portable-wg ( so an admin at home mikrotik can access router config during hookup if necessary )
add action=drop chain=input comment="drop all else" 
{forward chain}
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface=vlan10-local out-interface=cellular WAN  (in case remote site user needs real internet access )
add action=accept chain=forward in-interface=portable-wg out-interface=vlan50-camera  { allow Admin at home mikrotik subnet to reach camera }
add action=accept chain=forward in-interface=vlan50-camera  out-interface=portable-wg   { in case its the camera that reaches out to specific IP at home base ?? }
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=cellular gateway  (may already be created dynamically)
add dst-address=subnet at home mikrotik/24  gwy=portable-wg table=main 
{ need to add route for any subnet at home base that the camera will reach out to OR a site user will reach out to,  and any subnet at homebase that will require access to cameras - should match up with allowed IPs as well }
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Who is online

Users browsing this forum: aleab, Bing [Bot], erlinden, voytecky and 76 guests