I have a site-to-site VPN from a Mikrotik router acting as VPN client to a Mikrotik router acting as VPN server.
Both routers are on RouterOS v6.49.18.
The client router's LAN address pool is 192.168.12.0/24, and the router itself has the address 192.168.12.1.
The server router's LAN address pool is 192.168.51.0/24, and the router itself has the address 192.168.51.1.
The VPN address pool on the server router is 192.168.77.0/24, and the server router itself has the address 192.168.77.1.
When the client router connects to the VPN it gets the IP address 192.168.77.250.
Hosts of the 192.168.12.0/24 network can access hosts of the networks 192.168.51.0/24 and 192.168.77.0/24 just fine.
If I create on the client router a manual route to 192.168.51.0/24 over the VPN client interface, then hosts on the 192.168.51.0/24 network can also access hosts on the 192.168.12.0/24 network.
The only thing I cannot achieve is to access the client router over the IP address 192.168.77.250 from the server router's side, neither from the hosts on the server side nor from the server router itself.
My concern is to always have access to the client router over its VPN IP address, no matter which address ranges the LANs have and which routes are set on the client router.
When I create two diagnostic rules at the top of the firewall on the client router:
- input chain, accept packets for dst address 192.168.77.0/24
- forward chain, accept packets for dst address 192.168.77.0/24
and try to access 192.168.77.250, then only the rule for the forward chain counts up.
I was expecting that the packets would be accepted by the input chain.
The replies go back probably through the default masquerade NAT rule and do not reach the requesting host.
If I create on the client router a manual route to 192.168.77.0/24 over the VPN client interface, then traceroute shows a cyclic route when accessing 192.168.77.250, so I removed this route.
What am I doing wrong?
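An added example, not part of the original post: a small model of how a router decides between the input chain (destination is one of its own addresses) and the forward chain (destination is looked up in the routing table), using the addressing from the post. The interface names, the masquerade rule applying only to WAN egress, and the assumption that the packet arrives on the VPN interface are constructed for the model; whether 192.168.77.250 counts as a local address on the client router is exactly what the two first scenarios compare.

```python
from ipaddress import ip_address, ip_network

# Constructed client-router state, taken from the post's addressing.
ROUTES_BASE = [                          # (prefix, egress interface); longest prefix wins
    ("0.0.0.0/0", "wan"),                # default route, masqueraded on the way out
    ("192.168.12.0/24", "bridge-lan"),
    ("192.168.51.0/24", "vpn-client"),   # the manual route the post mentions
]
ROUTES_WITH_VPN_NET = ROUTES_BASE + [("192.168.77.0/24", "vpn-client")]

def lookup_route(dst, routes):
    """Longest-prefix-match lookup; returns the egress interface or None."""
    dst_ip = ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def classify(dst, in_iface, local_addrs, routes, masq_iface="wan"):
    """Which chain a packet traverses, its egress, and whether masquerade rewrites it."""
    if dst in local_addrs:
        return {"chain": "input", "egress": None, "masqueraded": False}
    out = lookup_route(dst, routes)
    if out is None:
        return {"chain": "unroutable", "egress": None, "masqueraded": False}
    # Routing a packet back out of the interface it arrived on is the loop traceroute shows.
    chain = "forward-loop" if out == in_iface else "forward"
    return {"chain": chain, "egress": out, "masqueraded": out == masq_iface}

def run_post_scenarios(dst="192.168.77.250", in_iface="vpn-client"):
    """The situations described in the post, as a dict of classify() results."""
    lan_only = {"192.168.12.1"}          # VPN address NOT treated as local
    with_vpn = lan_only | {dst}          # VPN address treated as local
    return {
        "vpn_addr_local": classify(dst, in_iface, with_vpn, ROUTES_BASE),
        "vpn_addr_not_local": classify(dst, in_iface, lan_only, ROUTES_BASE),
        "manual_vpn_route": classify(dst, in_iface, lan_only, ROUTES_WITH_VPN_NET),
    }

if __name__ == "__main__":
    for name, result in run_post_scenarios().items():
        print(f"{name:>20}: {result}")
```

The second scenario reproduces the symptom in the post (forward chain, default route, masqueraded reply); the third reproduces the loop seen after adding the 192.168.77.0/24 route.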