HydraIssues

Cloud-seven MikroTik: route 10.10.0.0/16 via WireGuard for LAN clients
open task Project: hydraneck Reporter: anonymous 21 May 2026 11:00

Description

## Summary

The MikroTik router at cloud-seven (mikrotik-cloud7) has an active WireGuard tunnel (peer address 10.10.2.1) but does not currently route the 10.10.0.0/16 subnet to LAN clients. This means devices on the cloud-seven WiFi (192.168.3.x / 192.168.2.x) cannot reach Hydra body machines at their WireGuard IPs (10.10.100.x range).

## What we need

Configure the cloud-seven MikroTik to route 10.10.0.0/16 (excluding 10.10.8.0/23) through its WireGuard interface for all LAN clients — the same configuration already in place at mobile-kit.

In practice this means: LAN traffic destined for 10.10.0.0/16 should be forwarded via the WireGuard peer and masqueraded behind the router's WireGuard IP (10.10.2.1).

## Reference: mobile-kit (working)

mobile-kit routes 10.10.0.0/16 (excl. 10.10.8.0/23) via WireGuard and NATs all outbound 10.110.0.0/20 LAN traffic behind the router's WireGuard IP. Every device on the mobile-kit LAN can reach remote bodies without any per-device VPN config.

## Why

Without this routing, iPads and other kiosk heads on the cloud-seven network cannot stream from remote bodies (e.g. cosmic-pretzel-98 at 10.10.100.12). Confirmed: iPad at 192.168.3.8 on cloud-seven gets 'Cannot reach 10.10.100.12 — no WireGuard route' during diagnostics.

## Router details

- Router: mikrotik-cloud7 (MikroTik, RouterOS 7.21.3)
- WireGuard tunnel: online, peer address 10.10.2.1
- LAN subnets: 192.168.2.0/24, 192.168.3.0/24
- Target route: 10.10.0.0/16 excl. 10.10.8.0/23 → via WireGuard interface
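
Added example (not part of the original issue and not taken from the mobile-kit configuration): a route entry cannot express "10.10.0.0/16 except 10.10.8.0/23" directly, so this script expands the target into the exact CIDR prefixes that cover it and prints RouterOS commands that route them via WireGuard and masquerade only the two LAN subnets toward those destinations. The interface name `wg-hydra` and address-list name `hydra-wg` are hypothetical placeholders.

```python
import ipaddress

TARGET = ipaddress.ip_network("10.10.0.0/16")     # from the issue
EXCLUDED = ipaddress.ip_network("10.10.8.0/23")   # from the issue
LAN_SUBNETS = ["192.168.2.0/24", "192.168.3.0/24"]  # from the issue
WG_IFACE = "wg-hydra"   # assumption: hypothetical WireGuard interface name
ADDR_LIST = "hydra-wg"  # assumption: hypothetical address-list name


def routed_prefixes(target=TARGET, excluded=EXCLUDED):
    """Return the minimal CIDR set covering target minus excluded."""
    if not excluded.subnet_of(target):
        raise ValueError(f"{excluded} is not inside {target}")
    return sorted(target.address_exclude(excluded))


def is_routed(addr, prefixes):
    """True if addr would match one of the WireGuard routes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in p for p in prefixes)


def routeros_commands(prefixes, iface=WG_IFACE, lans=LAN_SUBNETS,
                      addr_list=ADDR_LIST):
    """Build route, address-list and scoped masquerade commands."""
    cmds = []
    for p in prefixes:
        cmds.append(f"/ip route add dst-address={p} gateway={iface}")
        cmds.append(
            f"/ip firewall address-list add list={addr_list} address={p}")
    # Masquerade only LAN sources going to the listed destinations,
    # instead of everything that happens to leave the tunnel interface.
    for lan in lans:
        cmds.append(
            "/ip firewall nat add chain=srcnat action=masquerade "
            f"src-address={lan} dst-address-list={addr_list} "
            f"out-interface={iface}")
    return cmds


if __name__ == "__main__":
    prefixes = routed_prefixes()
    for line in routeros_commands(prefixes):
        print(line)
    # Sanity checks: a body address is covered, the excluded /23 is not.
    print("10.10.100.12 routed:", is_routed("10.10.100.12", prefixes))
    print("10.10.8.5 routed:", is_routed("10.10.8.5", prefixes))
```

Compare the generated prefixes and NAT scope with the rules actually present on mobile-kit before applying anything to mikrotik-cloud7.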