Access from OpenVPN to VLAN

Hi,
I would like to configure access for an OpenVPN client (IP 10.235.51.10) to a device in VLAN_02 id=51 with IP 10.235.51.100. I configured forward rules but there is still no communication from the client device added to VLAN_02 id=51. The IP pool is the same for the OpenVPN client and the VLAN.

# 2024-11-24 15:44:37 by RouterOS 7.16.1
# model = C52iG-5HaxD2HaxD
/interface vlan add interface=bridge name=VLAN_01 vlan-id=1
/interface vlan add interface=bridge name=VLAN_02 vlan-id=51
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/ip pool add name=DHCP_POOL_VLAN_01 ranges=192.168.0.30-192.168.0.145
/ip pool add name=DHCP_POOL_VLAN_02 ranges=10.235.51.100
/ip dhcp-server add address-pool=DHCP_POOL_VLAN_01 interface=VLAN_01 lease-time=10m name=DHCP_VLAN_01 server-address=192.168.0.1
/ip dhcp-server add address-pool=DHCP_POOL_VLAN_02 interface=VLAN_02 lease-time=10m name=DHCP_VLAN_02 server-address=10.235.51.1
/interface bridge port add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether3 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether4 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether5 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether2 internal-path-cost=10 path-cost=10 pvid=51
/interface bridge vlan add bridge=bridge tagged=bridge untagged=ether3,ether4,ether5,wifi1,wifi2 vlan-ids=1
/interface bridge vlan add bridge=bridge tagged=bridge untagged=ether2 vlan-ids=51
/interface list member add comment=defconf interface=VLAN_01 list=LAN
/interface list member add comment=defconf interface=ether1-WAN1 list=WAN
/ip address add address=192.168.0.1/24 comment=defconf interface=VLAN_01 network=192.168.0.0
/ip address add address=10.235.51.1/24 comment=defconf interface=VLAN_02 network=10.235.51.0
/ppp secret add local-address=10.235.51.1 name=xxxxxx profile=openvpn remote-address=10.235.51.10 service=ovpn

When using remote addresses for a VPN connection from a subnet which is attached to an ethernet-like interface (ethernet port, vlan, etc.), you have to enable proxy ARP, otherwise local devices on that subnet cannot reach the VPN client.

Firewall rules may then prevent traffic, as although the addresses are within the same subnet range, packets are being forwarded between the VPN and local ethernet interfaces; it’s impossible to say, as the full configuration has not been provided.

Your export doesn’t show any “forward rules”; as you said you have “added” some, does it mean that initially there were none? If so, your firewall is non-existent, as the default treatment of a packet that doesn’t match any rule is “accept”.

Always post the complete configuration, not just the part you assume is relevant. The issue is in most cases where you wouldn’t expect it. Of course, an anonymisation is necessary first.

Other than that, if you give the OpenVPN clients addresses that fit into the LAN subnet, you must set the arp parameter of interface VLAN_02 to proxy-arp, otherwise the device in the LAN cannot ever send a packet to the OVPN client - the destination address is within its own subnet so it sends out an ARP request, and the router must respond with its own MAC address in order to get the packet and be able to forward it to the OVPN client.

I added arp-proxy to VLAN_02 and this fixed the issue.
Many thanks for the help.
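
A check based on the replies above, as an added example that is not part of the original thread: it scans a RouterOS export in the single-line form posted in the question and reports PPP secrets whose remote-address lies inside a subnet assigned to an interface that is not set to arp=proxy-arp. The function names and the embedded sample (the relevant lines copied from the question's export) belong to this example only, and it assumes an interface exported without an arp= property is at the default, enabled.

```python
import ipaddress
import shlex

# Constructed sample: the relevant lines copied from the export in the question.
SAMPLE_EXPORT = """\
/interface vlan add interface=bridge name=VLAN_01 vlan-id=1
/interface vlan add interface=bridge name=VLAN_02 vlan-id=51
/ip address add address=192.168.0.1/24 comment=defconf interface=VLAN_01 network=192.168.0.0
/ip address add address=10.235.51.1/24 comment=defconf interface=VLAN_02 network=10.235.51.0
/ppp secret add local-address=10.235.51.1 name=xxxxxx profile=openvpn remote-address=10.235.51.10 service=ovpn
"""

def parse_export(text):
    """Yield (menu, properties) for every single-line 'add' statement."""
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("/") or " add " not in line:
            continue
        menu, _, rest = line.partition(" add ")
        props = dict(tok.split("=", 1) for tok in shlex.split(rest) if "=" in tok)
        yield menu, props

def missing_proxy_arp(text):
    """Return (secret, remote address, interface) where proxy ARP is needed but not set."""
    arp_mode, subnets, secrets = {}, [], []
    for menu, p in parse_export(text):
        if menu.startswith("/interface ") and "name" in p:
            # Assumption: an omitted arp= means the default value, "enabled".
            arp_mode[p["name"]] = p.get("arp", "enabled")
        elif menu == "/ip address":
            subnets.append((ipaddress.ip_interface(p["address"]).network, p["interface"]))
        elif menu == "/ppp secret" and "remote-address" in p:
            try:
                secrets.append((p.get("name", "?"), ipaddress.ip_address(p["remote-address"])))
            except ValueError:
                pass  # value is not a literal IP address, nothing to compare
    findings = []
    for name, remote in secrets:
        for net, iface in subnets:
            # The VPN client sits inside a LAN subnet: LAN hosts will ARP for it.
            if remote in net and arp_mode.get(iface, "enabled") != "proxy-arp":
                findings.append((name, str(remote), iface))
    return findings

if __name__ == "__main__":
    for name, remote, iface in missing_proxy_arp(SAMPLE_EXPORT):
        print(f"secret {name}: {remote} is inside the subnet on {iface}; set arp=proxy-arp there")
```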