On Tue, 2023-11-07 at 15:25 +0000, Andrew Oakeley wrote:
> You need to ensure packets coming in one interface go back out the same interface. That's all it is.
Thanks heaps for that very detailed response. Step D was the main missing piece; it all made a lot more sense with that in there.
> A-D above is normally combined with 2 rules on the input/output chain also so packets on the input chain (i.e. destined for the router at the starlink end, not being forwarded through the router) also go back up the wireguard tunnel.
The normal case for these two routers is that anything for the other router goes over the wireguard link via a very ordinary route entry. Everything else finds its own way home by being directly connected or default routed out the uplinks. So I *think* these two are not needed in my specific case.

I like how little needs to be done on the non-Starlink end.

Regards, K.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer@nullarbor.com.au)
work +61 2 64957435
http://www.nullarbor.com.au
mobile +61 428 957160