Hi,
I configured OpenVPN on router and now I’m trying to get access to services that run on LAN/VPN endpoint side (SSH, HTTP, HTTPS…).
VPN users can browse through tunnel and go out through WAN interface of the router. They can also ping LAN addresses but cant access services running in LAN range. Same is for LAN users. They can ping VPN users but cant access services on other side of tunnel. I would say that routing is ok.
There are two ip pools created, 10.0.x.x/24 for VPN and 192.168.x.x/24. for LAN. Both subnets are added to same bridge interface.
I followed few suggestions provided here on forum and other sites unfortunately none of those worked.
Tried with port forwarding rules and filter rules but none of those helped. Im not sure what Im doing wrong. Can you help me out with configuring this?
Tnx.
Find fw part of configuration below
/ip firewall address-list
add address=192.168.x.x/24 list=Output_LANs
add address=10.0.x.x/24 list=Output_LANs
/ip firewall filter
add action=accept chain=input comment=“VPN allow” dst-port=xxxx protocol=xxx
add action=drop chain=forward comment=“Drop all invalid packets” connection-state=invalid
add action=accept chain=input comment=“Accept acces to the router from LAN list” src-address-list=Output_LANs
add action=accept chain=forward comment=“Accept new connections from LAN” connection-state=new in-interface=bridge
add action=accept chain=forward comment=“Accept new connections from dynamic ports (ie. VPN)” connection-state=new in-interface-list=dynamic
add action=accept chain=forward comment=“Friends list” dst-address-list=Output_LANs in-interface=bridge src-address-list=Output_LANs
add action=accept chain=forward comment=“Accept related and established connections” connection-state=established,related
add action=accept chain=input comment=“Accept related and established connections to the router” connection-state=established,related
add action=drop chain=input comment=“Drop all other traffic to the router”
add action=drop chain=forward comment=“Drop all other connections”
/ip firewall nat
add action=masquerade chain=srcnat comment=“defconf: masquerade” out-interface=ether1