Hi,
I have set up OpenVPN on a MikroTik router. I am able to connect, but I cannot reach LAN devices or the internet through the tunnel. A copy of the OpenVPN client configuration is below:
vpn pool - 192.168.34.0/24
Router local IP: 192.168.100.1
2 VLANs - 10.0.10.0/24 and 10.0.20.0/24
# OpenVPN client profile for the MikroTik-hosted server, as posted.
# Context given with it: VPN pool 192.168.34.0/24, router LAN address
# 192.168.100.1, VLANs 10.0.10.0/24 and 10.0.20.0/24.
client
# 'client' already implies 'tls-client' and 'pull', so those two explicit
# lines further down are redundant (harmless).
dev tun
# Server endpoint over TCP. The router's input chain accepts tcp/1194
# twice (filter rules 3 and 5 are duplicates), which is consistent with
# the handshake succeeding.
remote 75.4.211.120 1194 tcp
# Tunnel interface MTU (1500 is also the default).
tun-mtu 1500
tls-client
# Do not bind a fixed local source port.
nobind
# Drop privileges after initialisation (Linux-style account names;
# TODO confirm the client platform honours these).
user nobody
group nogroup
# Keepalive: send a ping every 15 s; restart the tunnel after 45 s of silence.
ping 15
ping-restart 45
# Needed together with user/group above: after the privilege drop the tun
# device and key material cannot be reopened, so keep them across restarts.
persist-tun
persist-key
# Suppresses replay-attack warnings in the log. Replay protection itself
# stays active; this only hides a detection signal.
mute-replay-warnings
# Log verbosity. The PUSH_REPLY line in the log should show which routes
# and options the server actually pushes.
verb 3
# AEAD data-channel cipher; the server's allowed cipher list must include it.
cipher AES-256-GCM
# With an AEAD cipher this digest is not used to authenticate data-channel
# packets. No tls-auth/tls-crypt line is present in this profile, so it has
# little effect here — TODO confirm against the server configuration.
auth SHA1
pull
# Username/password are read from user.cfg in plaintext; restrict that
# file's permissions to the account running OpenVPN.
auth-user-pass user.cfg
# Disabled: with this commented out, internet-bound traffic never enters the
# tunnel and stays on the client's local default route.
;redirect-gateway def1
# Wait 1 s between reconnection attempts.
connect-retry 1
# Renegotiate the TLS session (fresh data-channel keys) every hour.
reneg-sec 3600
# Require the server certificate to carry the server EKU, so another
# client's certificate cannot be presented as the server.
remote-cert-tls server
# All three LAN routes are disabled. Because 'pull' is in effect, reaching
# 192.168.100.0/24 and the two VLANs depends entirely on the server pushing
# these routes; if it does not, the client has no route to them, which would
# explain the "cannot access LAN devices" symptom.
;route 192.168.100.0 255.255.255.0 192.168.34.1
;route 10.0.10.0 255.255.255.0 192.168.34.1
;route 10.0.20.0 255.255.255.0 192.168.34.1
# Do not keep the user.cfg credentials cached in memory after use.
auth-nocache
On the MikroTik router I have the following filter rules:
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 chain=forward action=accept in-interface=zerotier1
2 chain=input action=accept in-interface=zerotier1
3 ;;; VPN
chain=input action=accept protocol=tcp dst-port=1194
4 ;;; jump to kid-control rules
chain=forward action=jump jump-target=kid-control
5 ;;; OVPN pass
chain=input action=accept protocol=tcp dst-port=1194
6 ;;; SSH Port for Debian Server
chain=input action=accept protocol=tcp dst-port=4222 log=no log-prefix=""
7 chain=forward action=accept in-interface=all-ppp
8 ;;; Accept Traffic For VPN Users
chain=input action=accept src-address=192.168.34.0/24 log=yes log-prefix="VPN - "
9 ;;; Block Disney Plus
chain=forward action=reject reject-with=icmp-host-unreachable protocol=tcp src-address=10.0.20.0/24
content=disneyplus log=no log-prefix=""
10 ;;; Drop Disney Traffic
chain=forward action=drop layer7-protocol=RebeccaBlockDisney protocol=tcp src-address=10.0.20.10 dst-port=443
log=no log-prefix="" tls-host=disney
11 ;;; Block Disney Plus
chain=forward action=reject reject-with=icmp-host-unreachable protocol=tcp src-address=10.0.20.0/24 content=disney
log=no log-prefix=""
12 ;;; Block Shein
chain=forward action=reject reject-with=icmp-network-unreachable protocol=tcp src-address=10.0.10.0/24
content=shein log=no log-prefix=""
13 ;;; BlockDisney
chain=forward action=drop layer7-protocol=RebeccaBlockDisney protocol=tcp src-address=10.0.10.6 dst-port=443 log=no
log-prefix=""
14 ;;; defconf: accept to local loopback (for CAPsMAN)
chain=input action=accept dst-address=127.0.0.1
15 ;;; Block Disney
chain=forward action=reject reject-with=icmp-host-unreachable protocol=tcp src-address=10.0.10.0/24 content=disney
16 ;;; Block Disney Plus
chain=forward action=reject reject-with=icmp-host-unreachable protocol=tcp src-address=10.0.10.0/24
content=disneyplus log=no log-prefix=""
17 ;;; BlockYouTubeRebeccaLaptop
chain=forward action=drop protocol=tcp src-address=10.0.20.202 dst-address-list=YouTubeAddressList dst-port=443
log=no log-prefix=""
18 ;;; BlockYouTube When Rebecca Is On John3v16
chain=forward action=drop layer7-protocol=Block YouTube src-mac-address=98:43:FA:7F:58:14 log=no log-prefix=""
19 ;;; BlockYouTube Becky When on SeekAndHeShallFine
chain=forward action=drop layer7-protocol=Block YouTube src-mac-address=98:43:FA:7F:58:14 log=no log-prefix=""
20 ;;; BlockDisneyRebeccaLaptop
chain=forward action=drop layer7-protocol=RebeccaBlockDisney protocol=tcp src-address=10.0.10.8 dst-port=443 log=no
log-prefix=""
21 ;;; BlockRebeccaLaptopWhenSheIsJohn3v16_Ext
chain=forward action=drop protocol=tcp src-address=10.0.20.10 dst-address-list=YouTubeAddressList dst-port=443
log=no log-prefix=""
22 chain=input action=drop protocol=icmp in-interface=ether1
23 ;;; Drop Packets From Becky’s Laptop
chain=forward action=drop layer7-protocol=Block YouTube protocol=tcp src-address=10.0.10.6
dst-address-list=YouTubeAddressList dst-port=443 src-mac-address=1E:78:6A:7F:58:14 log=no log-prefix=""
24 ;;; Drop Packets From Rebecca’s Laptop
chain=forward action=drop layer7-protocol=Block YouTube src-address=10.0.10.6 dst-address-list=YouTubeAddressList
log=no log-prefix=""
25 ;;; YouTubeAddressList
chain=forward action=add-dst-to-address-list protocol=tcp src-address=10.0.20.10 address-list=YouTubeAddressList
address-list-timeout=4w2d dst-port=443 log=yes log-prefix="" tls-host=youtube
26 ;;; Block Rebecca Access To YouTube
chain=forward action=add-dst-to-address-list protocol=tcp src-address=10.0.10.6 address-list=YouTubeAddressList
address-list-timeout=4w2d dst-port=443 log=no log-prefix="" tls-host=youtube
27 ;;; Get IP Addresses for Disney
chain=forward action=add-dst-to-address-list protocol=tcp address-list=DisneyIPs address-list-timeout=4w2d
out-interface=BR1 dst-port=443 log=no log-prefix="" tls-host=disney
28 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related
29 chain=input protocol=tcp in-interface=BR1 dst-port=22,80,443
30 ;;; Allow Estab & Related
chain=forward action=accept connection-state=established,related
31 ;;; Allow VLAN
chain=input action=accept in-interface-list=VLAN
32 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked
33 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked
34 ;;; VLAN Internet Access only
chain=forward action=accept connection-state=new in-interface-list=VLAN out-interface-list=WAN
35 ;;; accept established,related
chain=forward action=accept connection-state=established,related
36 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec
37 ;;; Allow MGMT_Vlan Full Access
chain=input action=accept in-interface=MGMT_VLAN
38 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec
39 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp
40 ;;; drop blacklisted addresses
chain=input action=drop src-address-list=ip-blacklist
41 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
42 ;;; BlockDisneyRebecca
chain=forward action=drop layer7-protocol=RebeccaBlockDisney protocol=tcp src-address=10.0.20.10 dst-port=443
log=no log-prefix="" tls-host=disney
43 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN
44 ;;; Drop
chain=input action=drop
45 ;;; allow IPsec NAT
chain=input action=accept protocol=udp dst-port=4500
46 ;;; allow IKE
chain=input action=accept protocol=udp dst-port=500
47 ;;; allow l2tp
chain=input action=accept protocol=udp dst-port=1701
48 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid
49 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid
50 ;;; Drop
chain=forward action=drop
51 chain=input action=drop in-interface=BR1
52 ;;; Drop invalid
chain=forward action=drop connection-state=invalid
53 ;;; Drop incoming packets that are not NATted
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1
54 ;;; Drop incoming from internet which is not public IP
chain=forward action=drop src-address-list=not_in_internet in-interface=ether1
55 ;;; Drop packets from Inside that do not have Inside IP
chain=forward action=drop src-address-list=!Inside in-interface=BR1 log=no log-prefix=""
56 ;;; Drop packets from Inside that do not have Inside IP
chain=forward action=drop src-address-list=!Inside in-interface=BR1 log=no log-prefix=""
57 ;;; Drop packets from Inside that do not have Inside IP
chain=forward action=drop src-address-list=!Inside in-interface=BR1 log=no log-prefix=""
58 ;;; Drop packets from Inside that do not have Inside IP
chain=forward action=drop src-address-list=!Inside in-interface=BR1 log=no log-prefix=""
59 ;;; fast-track for established,related
chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related
60 chain=forward action=drop connection-state=invalid
61 X ;;; drop access to clients behind NAT from WAN
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1
62 D ;;; RebeccaLaptop, kid-control
chain=kid-control action=reject src-address=10.0.20.10
63 D ;;; RebeccaLaptop, kid-control
chain=kid-control action=reject dst-address=10.0.20.10
64 D ;;; RebeccaLaptop, kid-control
chain=kid-control action=reject src-address=10.0.10.8
65 D ;;; RebeccaLaptop, kid-control
chain=kid-control action=reject dst-address=10.0.10.8
66 D ;;; RebeccaLaptop02, kid-control
chain=kid-control action=reject src-address=10.0.10.6
67 D ;;; RebeccaLaptop02, kid-control
chain=kid-control action=reject dst-address=10.0.10.6
Assistance with fine-tuning these rules, and with getting access to the local LAN and the internet when connected over OpenVPN, would be appreciated.
Merry Christmas to all.