Hey all,
I am by no means a firewall pro, so I am asking here. I have a minor issue with my setup. I have one RB2011 running RouterOS 6.1, no problem there.
I have the following port setup:
eth1 = WAN - static WAN IP
eth2-5 = bridge - 192.168.100.0/24
I have an OpenVPN server running on 192.168.100.205; it has all the necessary port forwards etc. and has multiple instances. I have a very similar setup already running with a dd-wrt router, and that works just fine, where several RB2011s connect to that OVPN server.
Let's assume we use ports 12001 - 12005 for 5 different OVPN instances on server .205. The server has the same firewall config as the other server, where clients can talk to each other. The ports map to the following IPs for their instances (internal to OVPN):
12001 = 10.9.1.0
→
12005 = 10.9.5.0
The problem?:
On the original setup I can connect to 12001 and then connect to routerboards throughout all the networks, e.g. if my IP is 10.9.1.20 and a router has 10.9.3.45 I can winbox into it.
When I use a routerboard here as the router with firewall forwards, this same thing does not work anymore. I can connect to any router inside 10.9.1.0/24 but not on 10.9.2.0/24 etc. As said before, I have this very same server setup with the very same firewall rules on a Linux server running behind a dd-wrt, and that works with no problem. All I have on the dd-wrt is the ports for each OVPN instance forwarded to the server on .205, e.g. 120001 - 12005.
The rules to forward the OVPN ports on NAT are as follows:
chain=dstnat action=dst-nat to-addresses=192.168.100.205 to-ports=12001
protocol=tcp dst-address=WANIP dst-port=12001
11 chain=dstnat action=dst-nat to-addresses=192.168.100.205 to-ports=12002
protocol=tcp dst-address=WANIP dst-port=12002
12 chain=dstnat action=dst-nat to-addresses=192.168.100.205 to-ports=12003
protocol=tcp dst-address=WANIP dst-port=12003
13 chain=dstnat action=dst-nat to-addresses=192.168.200.205 to-ports=12004
protocol=tcp dst-address=WANIP dst-port=12004
14 chain=dstnat action=dst-nat to-addresses=192.168.100.205 to-ports=12005
protocol=tcp dst-address=WANIP dst-port=12005
I am sure I am probably just missing some rule here to allow the traffic between the different OpenVPN networks, right? I have done masq for others like port 80 but that doesn't seem to work.
If anyone can help that would be nice. The push rules in the OVPN server conf are correct and proven working with a dd-wrt router in front.
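When a set of dst-nat forwards all point at one internal host, it is worth checking them mechanically before chasing routing or firewall theory. The following is an added example, not the poster's configuration or anything from RouterOS: it parses the wrapped `/ip firewall nat print` style output quoted above (the rule lines and their continuation lines, with `WANIP` standing in for the real address) and reports any forward whose target host or port disagrees with the rest. The sample text is constructed from the rules in the post; the regexes and the continuation-line heuristic are assumptions about that print format.

```python
import re
from collections import Counter

# Constructed sample: the five forwards from the post, wrapped across two
# lines the way RouterOS prints them. The first rule had no number in the post.
SAMPLE_RULES = """\
chain=dstnat action=dst-nat to-addresses=192.168.100.205 to-ports=12001
protocol=tcp dst-address=WANIP dst-port=12001
11 chain=dstnat action=dst-nat to-addresses=192.168.100.205 to-ports=12002
protocol=tcp dst-address=WANIP dst-port=12002
12 chain=dstnat action=dst-nat to-addresses=192.168.100.205 to-ports=12003
protocol=tcp dst-address=WANIP dst-port=12003
13 chain=dstnat action=dst-nat to-addresses=192.168.200.205 to-ports=12004
protocol=tcp dst-address=WANIP dst-port=12004
14 chain=dstnat action=dst-nat to-addresses=192.168.100.205 to-ports=12005
protocol=tcp dst-address=WANIP dst-port=12005
"""

# key=value tokens; keys such as to-addresses contain hyphens, values no spaces
KV_RE = re.compile(r"(\S+?)=(\S+)")
ID_RE = re.compile(r"^(\d+)\s+")


def parse_nat_rules(text):
    """Turn wrapped rule output into a list of dicts (assumed format).

    A new record starts at any line containing 'chain='; any other
    non-empty line is treated as a continuation of the previous record.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "chain=" in line:
            m = ID_RE.match(line)
            rules.append({"id": m.group(1) if m else None})
        elif not rules:
            continue  # stray continuation before any rule; ignore it
        rules[-1].update(KV_RE.findall(line))
    return rules


def check_forwards(rules):
    """Return human-readable findings for inconsistent dst-nat forwards.

    Checks: every forward targets the same internal host as the majority,
    to-ports matches dst-port, and no public port is forwarded twice.
    """
    fwd = [r for r in rules
           if r.get("chain") == "dstnat" and r.get("action") == "dst-nat"]
    targets = Counter(r.get("to-addresses") for r in fwd)
    common = targets.most_common(1)[0][0] if targets else None
    port_use = Counter(r.get("dst-port") for r in fwd)

    findings = []
    for r in fwd:
        label = f"rule {r.get('id') or '?'} (dst-port {r.get('dst-port')})"
        if r.get("to-addresses") != common:
            findings.append(f"{label}: to-addresses {r.get('to-addresses')} "
                            f"differs from the other forwards ({common})")
        if r.get("to-ports") != r.get("dst-port"):
            findings.append(f"{label}: to-ports {r.get('to-ports')} "
                            f"does not match dst-port {r.get('dst-port')}")
        if port_use[r.get("dst-port")] > 1:
            findings.append(f"{label}: public port is forwarded more than once")
    return findings


if __name__ == "__main__":
    parsed = parse_nat_rules(SAMPLE_RULES)
    print(f"parsed {len(parsed)} rules")
    for finding in check_forwards(parsed) or ["no inconsistencies found"]:
        print(finding)
```

Run as-is it reports exactly one finding on the constructed sample, the forward for port 12004, because its `to-addresses` is the only one not on 192.168.100.0/24; whether that is a paste error or the live rule is something only the person at the router can confirm, and a forward to a host that is not on the bridge would simply never reach the OVPN instance.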