adispy
newbie
Topic Author
Posts: 27
Joined: Wed Dec 18, 2019 4:31 pm

Traffic not working from internal to VPN users

Thu Feb 01, 2024 2:01 pm

Hello to all,
I am having some issues with packets leaving my internal network to VPN users. Let me summarize it.

In my internal network (192.168.10.0/24) I have an OPNSense virtual appliance (192.168.10.61) where computers on the internet connect using OpenVPN (10.10.9.0/24). This is installed as a service, and the VPN connects as soon as the network is available on the "road warrior" users (Always On VPN).

From the outside to the inside everything is working nicely; the problem is from the inside to the VPN users. If I do a PING or open a UNC path to any of the VPN users, sometimes it works, sometimes it fails. When I do a PING I notice that I get a few request timeouts and then I get the replies. Working with the Mikrotik packet sniffer, during the PING request timeouts there is nothing in the Packets window. It is like the packets get lost somewhere.

On the Mikrotik ports I have some Hyper-V hosts, and I also noticed that VMs running on these Hyper-V hosts are having time issues, in that they time out. I get alerts from my monitoring system every few minutes. Ports are in Bridge mode.

Mikrotik has two public IPs, cables were checked, and a route has been configured so everything going to the VPN users (10.10.9.0) has to pass through the OPNSense appliance (192.168.10.61). I just don't know what to do anymore. Nothing has changed as far as configuration and network go, except replacing the old router with the Mikrotik.

Here are my configs just in case someone can help out. Fasttrack is disabled.
# 2024-02-01 13:47:40 by RouterOS 7.13.2
# software id = 7WQ9-KEY5
#
# model = RB5009UG+S+
# serial number = HEP0926CA13
/ip firewall address-list
add address=<IP LIST 1> list="IPsec Allow IPs"
add address=<IP LIST 2> list="IPsec Allow IPs"
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" log=yes protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input src-address=192.168.9.0/24
add action=accept chain=input src-address-list="IPsec Allow IPs"
add action=accept chain=input comment="Allow OPNSense VPN subnets" dst-address=10.10.9.0/24 src-address=192.168.10.0/24
add action=accept chain=forward dst-address=10.10.9.0/24 src-address=192.168.10.0/24
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="IPsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-routing chain=prerouting comment="Policy based routing for VPS Blog on RDS_PPPOE_02" in-interface=bridge_LAN new-routing-mark=PPPOE_02 passthrough=no \
    src-address=192.168.10.7
add action=mark-connection chain=input comment="Policy based routing for ICMP on RDS_PPPOE_02" connection-state=new in-interface=RDS_PPOE_02 new-connection-mark=\
    PPPOE_02_WAN-Connection passthrough=no protocol=icmp
add action=mark-connection chain=forward disabled=yes in-interface=RDS_PPOE_02 new-connection-mark=PPPOE_02_WAN-Connection passthrough=yes protocol=icmp
add action=mark-connection chain=postrouting disabled=yes new-connection-mark=PPPOE_02_WAN-Connection out-interface=RDS_PPOE_02 passthrough=yes protocol=icmp
add action=mark-routing chain=output connection-mark=PPPOE_02_WAN-Connection new-routing-mark=PPPOE_02 passthrough=no protocol=icmp
add action=mark-routing chain=prerouting comment="Policy based routing for SMTP Server on RDS_PPPOE_02" in-interface=bridge_LAN new-routing-mark=PPPOE_02 passthrough=no \
    src-address=192.168.10.55
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=RDS_PPOE_01
add action=dst-nat chain=dstnat comment="Sophos UTM9 Proxy" connection-mark="" dst-address=<PUBLIC_IP_01> dst-port=443,80,8080,8443 in-interface=RDS_PPOE_01 protocol=tcp \
    to-addresses=192.168.10.10
add action=dst-nat chain=dstnat comment=OPNSense connection-mark="" dst-address=<PUBLIC_IP_01> dst-port=8400,8600,8511 in-interface=RDS_PPOE_01 protocol=tcp to-addresses=\
    192.168.10.61
add action=dst-nat chain=dstnat comment="SMTP on ROCLJVKRSMTP" dst-address=<PUBLIC_IP_02> dst-port=25,465,587 in-interface=RDS_PPOE_02 protocol=tcp to-addresses=\
    192.168.10.55
add action=src-nat chain=srcnat out-interface=RDS_PPOE_02 routing-mark=PPPOE_02 src-address=192.168.10.55 to-addresses=<PUBLIC_IP_02>
add action=dst-nat chain=dstnat comment="VPS Blog" connection-mark="" dst-address=<PUBLIC_IP_02> dst-port=80,443 in-interface=RDS_PPOE_02 protocol=tcp to-addresses=\
    192.168.10.7
add action=src-nat chain=srcnat out-interface=RDS_PPOE_02 routing-mark=PPPOE_02 src-address=192.168.10.7 to-addresses=<PUBLIC_IP_02>

And the routes.

/ip route
add comment="SophosUTM VPN" disabled=no distance=1 dst-address=10.10.10.0/24 gateway=192.168.10.10 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="OpenSense_VPN 1" disabled=no distance=1 dst-address=10.10.9.0/24 gateway=192.168.10.61 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="OpenSense_VPN 2" disabled=no distance=1 dst-address=10.10.11.0/24 gateway=192.168.10.61 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=no dst-address=0.0.0.0/0 gateway=RDS_PPOE_02 routing-table=PPPOE_02 suppress-hw-offload=no
 
rplant
Member
Posts: 314
Joined: Fri Sep 29, 2017 11:42 am

Re: Traffic not working from internal to VPN users

Fri Feb 02, 2024 4:17 am

My guess is it is triangle routing.

Packets leaving the OPNSense device likely head straight to the .10.x destination.
Packets leaving the .10.x towards the vpn go via the Mikrotik then the OPNSense.

The Mikrotik will generally drop these packets. (By default they have a drop invalid rule)
You could customize this rule to not drop packets between the vpn and internal networks.

Alternatively you could reconfigure the network to make the packets go back the way they came.
Perhaps by putting OPNSense device on its own subnet as the only client.

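Two ways to apply rplant's suggestion to the posted configuration, as an added example that is not from the original thread. The subnets come from the original post; the rule comments and the option labels are assumed. Note that the posted config already accepts 192.168.10.0/24 to 10.10.9.0/24 in the forward chain ahead of "drop invalid", so Option A only adds the reverse direction.

```routeros
# Added example (not from the thread): let the MikroTik tolerate the
# asymmetric (triangle) path between the LAN and the OpenVPN subnet.
# Subnets are taken from the original post; comments are assumed.

# Option A: accept the VPN -> LAN direction in the forward chain BEFORE
# "defconf: drop invalid", so the connection-state check never applies.
# The posted config already has the matching LAN -> VPN accept rule.
/ip firewall filter
add chain=forward action=accept comment="OpenVPN -> LAN (asymmetric path)" \
    src-address=10.10.9.0/24 dst-address=192.168.10.0/24 \
    place-before=[find chain=forward comment="defconf: drop invalid"]

# Option B: exclude the two subnets from connection tracking altogether.
# Untracked packets are then matched by the existing
# "defconf: accept established,related,untracked" forward rule, which
# sits above "drop invalid" in the posted config.
/ip firewall raw
add chain=prerouting action=notrack comment="no conntrack LAN -> OpenVPN" \
    src-address=192.168.10.0/24 dst-address=10.10.9.0/24
add chain=prerouting action=notrack comment="no conntrack OpenVPN -> LAN" \
    src-address=10.10.9.0/24 dst-address=192.168.10.0/24

# Verify: the invalid-drop counter should stop growing while pinging a
# VPN client from the LAN.
/ip firewall filter print stats where chain=forward comment="defconf: drop invalid"
```

Option B also removes these flows from NAT and from any connection-mark or state-based rule, so use it only for traffic that, like this LAN-to-VPN path, needs neither. Either option narrows the state check only for the two named subnets; the "drop invalid" rule keeps protecting everything else.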