Secure Twin port for active traffic control

Dec 20th 2025

Access Gate offers extensive access control capabilities for infrastructure assets. It does so without requiring expensive rewiring or re-addressing, instead creating an overlay network.

This how-to guide is intended for network administrators who are connecting Access Gate to their network.

Step 1: Selecting the overlay range

The overlay range is a range of addresses reserved for assets protected by Access Gate. Each asset's underlay address (its real address on the network) corresponds to exactly one matching overlay address.

The default set-up in Access Gate uses the 100.64.0.0/16 overlay range (it belongs to the CGNAT reserved range and should not typically conflict with existing IP ranges).

An overlay range is a bidirectional one-to-one mapping ("binat") onto the matching underlay range. When required, more than one overlay range can therefore be specified to match multiple underlay ranges.

Overlay ranges are defined in the Access Gate user interface:

Virtual Network Ranges

In this example, we define two overlay networks over two different ranges:

  • from 100.64.0.0/22 to 172.31.112.0/22 (a VLAN on the current site)
  • from 100.64.0.0/22 to 100.127.252.0/22 (a secure WiFi network)

Note that for the binats to be functional, the network mask sizes must match, and the overlay and underlay ranges must not overlap.
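To make the binat rule concrete, here is an added example (not Access Gate's own code) that implements a 1:1 overlay-to-underlay mapping with the two checks stated above: equal mask size and no overlap between the two sides. It additionally rejects overlay ranges that overlap each other, since an overlay address must resolve to exactly one asset. The first pair is the VLAN example from this guide; the second pair is constructed (the WiFi underlay from this guide given its own overlay block so that the two overlays do not collide).

```python
# Added example, not Access Gate's code: a bidirectional 1:1 mapping ("binat")
# between an overlay range and its underlay range, plus the validity checks
# from the text (equal prefix length, no overlap).
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Binat:
    overlay: ipaddress.IPv4Network
    underlay: ipaddress.IPv4Network

    def __post_init__(self) -> None:
        # Same mask size: every host offset in the underlay has exactly one
        # counterpart in the overlay, and vice versa.
        if self.overlay.prefixlen != self.underlay.prefixlen:
            raise ValueError(
                f"mask size mismatch: {self.overlay} vs {self.underlay}")
        # The two sides must not overlap, or an address could match both.
        if self.overlay.overlaps(self.underlay):
            raise ValueError(
                f"overlay {self.overlay} overlaps underlay {self.underlay}")

    def to_overlay(self, underlay_ip: str) -> ipaddress.IPv4Address:
        ip = ipaddress.IPv4Address(underlay_ip)
        if ip not in self.underlay:
            raise ValueError(f"{ip} is not in underlay {self.underlay}")
        offset = int(ip) - int(self.underlay.network_address)
        return self.overlay.network_address + offset

    def to_underlay(self, overlay_ip: str) -> ipaddress.IPv4Address:
        ip = ipaddress.IPv4Address(overlay_ip)
        if ip not in self.overlay:
            raise ValueError(f"{ip} is not in overlay {self.overlay}")
        offset = int(ip) - int(self.overlay.network_address)
        return self.underlay.network_address + offset


def build_binats(pairs):
    """Build one Binat per (overlay_cidr, underlay_cidr) pair and reject
    overlay ranges that overlap each other."""
    binats = []
    for overlay_cidr, underlay_cidr in pairs:
        b = Binat(ipaddress.ip_network(overlay_cidr, strict=True),
                  ipaddress.ip_network(underlay_cidr, strict=True))
        for other in binats:
            if b.overlay.overlaps(other.overlay):
                raise ValueError(
                    f"overlay {b.overlay} overlaps overlay {other.overlay}")
        binats.append(b)
    return binats


def lookup(binats, underlay_ip):
    """Translate an underlay address using whichever binat contains it."""
    ip = ipaddress.IPv4Address(underlay_ip)
    for b in binats:
        if ip in b.underlay:
            return b.to_overlay(underlay_ip)
    raise LookupError(f"{ip} is not covered by any underlay range")


if __name__ == "__main__":
    # First pair: the guide's VLAN example. Second pair: constructed, so the
    # WiFi underlay gets a distinct overlay block.
    binats = build_binats([("100.64.0.0/22", "172.31.112.0/22"),
                           ("100.64.4.0/22", "100.127.252.0/22")])
    print(lookup(binats, "172.31.112.10"))          # 100.64.0.10
    print(binats[0].to_underlay("100.64.3.255"))    # 172.31.115.255
```

Because the mapping is a fixed offset within equal-sized blocks, a mismatched mask or an overlapping pair is caught when the binat is built rather than showing up later as traffic silently going to the wrong asset.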

Step 2: Create the interconnect network

The interconnect network is a small network (we recommend a /29 prefix) which should contain only your edge routers and Access Gates.

By default, we recommend the 100.65.0.0/29 network (also part of the CGNAT range), since it does not conflict with the default overlay range.

This network needs to be configured on your edge routers, for example on a MikroTik router (replace <parent-interface> with the physical interface that carries the VLAN):

/interface/vlan/add name=vlan-aginterco vlan-id=100 interface=<parent-interface>
/ip/address/add address=100.65.0.1/29 interface=vlan-aginterco

Back on the settings page in Access Gate, the gateway address is configured as a "secure twin interface":

Once the port type is selected, you can enter the values:

An ICMP ping request to the gateway address can then be used to confirm the gateway is up and running.

Step 3: Route the overlay range via Access Gate

The entire overlay range is now protected by Access Gate, and the router can forward all traffic for it through the interconnect. Once the interconnect is configured as described in the previous step, a single route is inserted in the router. For example, continuing the configuration of the same router:

/ip/route
 add comment="overlay (2 nets)" dst-address=100.64.0.0/12 gateway=100.65.0.6

It is often easier to record a single route for the entire CGNAT range and let Access Gate manage the different sub-ranges and routes for all the vnets it owns. Should you already use the CGNAT range for internal purposes, routes for the smaller overlay ranges can be inserted into the router instead.
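The choice between one summary route and several smaller ones is easy to get wrong once the CGNAT range is partly in use. The following added example (not Access Gate's or MikroTik's code) sanity-checks the interconnect described in Step 2 and derives the destination prefixes for this step: a single summary route when it covers every overlay range and nothing else in the network uses an address inside it, otherwise the overlay ranges themselves, collapsed where adjacent. It then renders the corresponding /ip/route lines. The summary prefix, gateway and interconnect values are the ones from this guide; the reserved range in the stand-alone run is constructed.

```python
# Added example, not Access Gate's or MikroTik's code: plan the edge router's
# routes for the overlay and check the interconnect network.
import ipaddress


def check_interconnect(interconnect_cidr, router_ip, gateway_ip, overlay_cidrs):
    """The interconnect is a /29 (as recommended), both the router and the
    Access Gate port are usable host addresses in it, and it does not
    overlap any overlay range."""
    net = ipaddress.ip_network(interconnect_cidr)
    if net.prefixlen != 29:
        raise ValueError(f"interconnect {net} should be a /29")
    for ip in (router_ip, gateway_ip):
        addr = ipaddress.IPv4Address(ip)
        if addr not in net or addr in (net.network_address, net.broadcast_address):
            raise ValueError(f"{addr} is not a host address in {net}")
    for cidr in overlay_cidrs:
        if net.overlaps(ipaddress.ip_network(cidr)):
            raise ValueError(f"interconnect {net} overlaps overlay {cidr}")
    return net


def plan_routes(overlay_cidrs, summary_cidr="100.64.0.0/12", reserved_cidrs=()):
    """Return the destination prefixes to route to Access Gate.

    reserved_cidrs lists address space already used internally. A single
    summary route is returned when it covers every overlay range and no
    reserved range falls inside it; otherwise the overlay ranges are routed
    individually (collapsed where adjacent)."""
    overlays = [ipaddress.ip_network(c) for c in overlay_cidrs]
    reserved = [ipaddress.ip_network(c) for c in reserved_cidrs]
    summary = ipaddress.ip_network(summary_cidr)
    # An overlay range colliding with internal address space can never work.
    for o in overlays:
        for r in reserved:
            if o.overlaps(r):
                raise ValueError(f"overlay {o} collides with reserved range {r}")
    if (all(o.subnet_of(summary) for o in overlays)
            and not any(summary.overlaps(r) for r in reserved)):
        return [summary]
    return list(ipaddress.collapse_addresses(overlays))


def routeros_commands(routes, gateway_ip):
    """Render MikroTik /ip/route lines for the chosen destinations."""
    lines = ["/ip/route"]
    for dst in routes:
        lines.append(
            f' add comment="overlay via Access Gate" dst-address={dst} gateway={gateway_ip}')
    return "\n".join(lines)


if __name__ == "__main__":
    overlays = ["100.64.0.0/22"]
    check_interconnect("100.65.0.0/29", "100.65.0.1", "100.65.0.6", overlays)
    # Nothing else uses the /12: one summary route.
    print(routeros_commands(plan_routes(overlays), "100.65.0.6"))
    # Constructed case: 100.70.0.0/16 already used internally, so route
    # only the overlay itself.
    print(routeros_commands(
        plan_routes(overlays, reserved_cidrs=["100.70.0.0/16"]), "100.65.0.6"))
```

Keeping the reserved ranges explicit in the plan is what prevents a blanket CGNAT route from silently pulling existing internal traffic towards Access Gate.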

Step 4: Set up split DNS

Access Gate provides a dynamic name resolution service for all assets registered in the inventory – no further configuration is required.

Two options are possible for local networks:

  1. Configuring the existing DNS server for split DNS
  2. Configuring Access Gate as a split DNS provider

As the first option depends mostly on your existing provider, we focus here on the second one.

In the settings page, configure the DNS resolver to point to your existing DNS resolver (or keep the default public and privacy-preserving Quad9 one).

A DNS server runs by default on the gateway port (100.65.0.6 in this how-to). This can be confirmed by querying the name of an existing asset (10.0.0.10 in this example):

dig @100.65.0.6 10.0.0.10.blacklab.tr-sec.net

A response in the 100.64.0.0/12 range (for example 100.64.0.10) confirms the DNS is operating correctly. The DHCP server configuration (typically on the router) is then updated to hand out the gateway as the DNS server:

/ip/dhcp-server/network
 add address=10.0.0.0/16 dns-server=100.65.0.6 gateway=10.0.0.1