Mikrotik as a OVPN Client - Mikrotik Site2Site

Hello all,

I have an issue connecting two sites with MikroTik OVPN. This kind of site-to-site setup may not be ‘optimal’ (GRE over IPsec would probably be better), but I have tried to get connectivity working between the two sites.
We have an HQ site and a remote site. The HQ router is connected via PPPoE, and the remote MikroTik sits behind the ISP's Huawei router. My goal is VPN connectivity from the remote site to the HQ office subnet on VLAN 100, 192.168.92.0/24. From the remote MikroTik itself I can reach 192.168.92.0/24, but the PCs on the remote LAN (10.0.0.0/24) get no connectivity to it. What did I do wrong? :slight_smile: Thanks for any help!

This is the HQ site:

# HQ edge router (RB5009): one VLAN-filtering bridge with PVID 999 (management),
# PPPoE uplink on ether1, a tagged trunk on ether8, and four VLAN interfaces
# hung off the bridge itself.
/interface bridge add name=bridge-LAN vlan-filtering=yes pvid=999
/interface ethernet set [ find default-name=ether1 ] name=ether1-WAN
/interface ethernet set [ find default-name=ether8 ] name=ether8-Trunk
# The PPPoE session, not ether1, is the real Internet interface: it carries the
# default route. The PPPoE password is not part of an export.
/interface pppoe-client add name=pppoe-ether1 interface=ether1-WAN user=Userdata allow=pap,chap add-default-route=yes disabled=no
# VLAN interfaces are created on the bridge (the bridge is a tagged member of
# every VLAN in the bridge VLAN table below).
/interface vlan add name=vlan100-Office vlan-id=100 interface=bridge-LAN
/interface vlan add name=vlan200-Guests vlan-id=200 interface=bridge-LAN
/interface vlan add name=vlan300-Cameras vlan-id=300 interface=bridge-LAN
/interface vlan add name=vlan999-Management vlan-id=999 interface=bridge-LAN
# Interface lists referenced by the list-based firewall rules; membership is
# defined further down.
/interface list add name=WAN
/interface list add name=LAN
# Address pools: one per VLAN plus the pool the OVPN server assigns to clients.
/ip pool add name=pool-Office ranges=192.168.92.100-192.168.92.200
/ip pool add name=pool-Guests ranges=10.10.20.10-10.10.20.200
/ip pool add name=pool-Cameras ranges=10.30.30.10-10.30.30.200
/ip pool add name=pool-Management ranges=10.99.99.10-10.99.99.200
/ip pool add name=ovpn-pool ranges=192.168.200.10-192.168.200.200 comment="OpenVPN Client Pool"
# One DHCP server per VLAN interface. add-arp=yes lets the server add ARP
# entries for its leases; it is set on three of the four servers (not on the
# management one) — presumably an oversight rather than intent, verify.
/ip dhcp-server add name=dhcp-Office interface=vlan100-Office address-pool=pool-Office lease-time=4h add-arp=yes
/ip dhcp-server add name=dhcp-Guests interface=vlan200-Guests address-pool=pool-Guests add-arp=yes
/ip dhcp-server add name=dhcp-Cameras interface=vlan300-Cameras address-pool=pool-Cameras lease-time=1h add-arp=yes
/ip dhcp-server add name=dhcp-Management interface=vlan999-Management address-pool=pool-Management lease-time=1h
# The built-in SMB user stays disabled.
/ip smb users set [ find default=yes ] disabled=yes
# PPP profile handed to OVPN clients: router side 192.168.200.1, client side
# from ovpn-pool, encryption mandatory, compression/MPLS/UPnP off.
/ppp profile add name=ovpn-profile comment="OpenVPN Profile" local-address=192.168.200.1 remote-address=ovpn-pool use-encryption=yes use-compression=no use-mpls=no use-upnp=no
# Bridge ports. ether3/4/5 are access ports (PVID 100/200/300), ether8 is the
# trunk, ether2 has PVID 999 and is additionally tagged for VLAN 999 below.
/interface bridge port add bridge=bridge-LAN interface=ether2 pvid=999
/interface bridge port add bridge=bridge-LAN interface=ether3 pvid=100
/interface bridge port add bridge=bridge-LAN interface=ether8-Trunk pvid=999
/interface bridge port add bridge=bridge-LAN interface=ether4 pvid=200
/interface bridge port add bridge=bridge-LAN interface=ether5 pvid=300
# 10s is the usual RouterOS default for udp-timeout; it is merely explicit here.
/ip firewall connection tracking set udp-timeout=10s
# IPv6 is switched off on the whole HQ router.
/ipv6 settings set disable-ipv6=yes
# Static VLAN table. ether5 (PVID 300) is not listed as an untagged member of
# VLAN 300; RouterOS adds PVID ports as dynamic untagged members, so if the
# camera VLAN misbehaves check "/interface bridge vlan print" for a D entry.
/interface bridge vlan add bridge=bridge-LAN vlan-ids=100 tagged=bridge-LAN,ether8-Trunk untagged=ether3
/interface bridge vlan add bridge=bridge-LAN vlan-ids=300 tagged=bridge-LAN,ether8-Trunk
/interface bridge vlan add bridge=bridge-LAN vlan-ids=999 tagged=bridge-LAN,ether8-Trunk,ether2
/interface bridge vlan add bridge=bridge-LAN vlan-ids=200 tagged=bridge-LAN,ether8-Trunk untagged=ether4
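# Interface list membership. The list-based firewall rules (in-interface-list,
# out-interface-list) only work if the lists actually contain the interfaces
# traffic uses.
# FIX: Internet traffic enters and leaves on the PPPoE session, not on the bare
# ether1, so pppoe-ether1 must be a WAN member; with only ether1-WAN listed, a
# rule such as out-interface-list=WAN would never match uplink traffic once it
# is enabled. (The masquerade rule uses out-interface=pppoe-ether1 directly and
# is unaffected by this change.)
/interface list member add interface=ether1-WAN list=WAN
/interface list member add interface=pppoe-ether1 list=WAN
/interface list member add interface=ether2 list=LAN
/interface list member add interface=ether3 list=LAN
/interface list member add interface=ether4 list=LAN
/interface list member add interface=ether5 list=LAN
/interface list member add interface=vlan100-Office list=LAN
/interface list member add interface=vlan200-Guests list=LAN
/interface list member add interface=vlan300-Cameras list=LAN
/interface list member add interface=vlan999-Management list=LAN
# NOTE(review): the OVPN server's per-client interfaces (<ovpn-user1>, ...) are
# dynamic and belong to neither list. If the "drop input !LAN" rule is ever
# enabled, new connections from the remote router to this router's own
# addresses over the tunnel are dropped. Create a static binding first
# (/interface ovpn-server add name=ovpn-remote user=user1) and add that
# interface to LAN or to a dedicated VPN list the firewall references.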
# OpenVPN server. No protocol= or port= appears in the export, so it runs on
# the defaults (TCP/1194), which is what the input-chain accept rules and the
# remote client match. AES-256-CBC with SHA-256 HMAC; clients get ovpn-profile;
# no redirect-gateway is pushed (the remote side sets its own default route).
# NOTE(review): require-client-certificate is not set, i.e. at its default (no),
# so a client is admitted on username/password alone even though the remote
# router presents a certificate. Once that certificate is issued by a CA this
# router trusts, require-client-certificate=yes adds a second factor.
/interface ovpn-server server add name=ovpn-server1 disabled=no certificate=server-cert auth=sha256 cipher=aes256-cbc default-profile=ovpn-profile mac-address=FE:CC:96:C1:1B:43 redirect-gateway=""
# Router addresses: the .254 of each VLAN subnet.
/ip address add interface=vlan100-Office address=192.168.92.254/24 network=192.168.92.0
/ip address add interface=vlan200-Guests address=10.10.20.254/24 network=10.10.20.0
/ip address add interface=vlan300-Cameras address=10.30.30.254/24 network=10.30.30.0
/ip address add interface=vlan999-Management address=10.99.99.254/24 network=10.99.99.0
# IP Cloud DDNS, refreshed every minute — presumably what hq.site.com (the
# remote client's connect-to) resolves to; confirm.
/ip cloud set ddns-enabled=yes ddns-update-interval=1m
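# DHCP option sets (gateway / DNS) per subnet.
# FIX: the original export carried two stale entries, 192.168.30.0/24 and
# 192.168.99.0/24, that match none of this router's addresses, while the
# Cameras (10.30.30.0/24) and Management (10.99.99.0/24) subnets had no entry
# at all — clients on VLAN 300/999 most likely received leases without a
# gateway or DNS option. The entries now mirror the /ip address table.
/ip dhcp-server network add address=10.10.20.0/24 gateway=10.10.20.254 dns-server=1.1.1.1
/ip dhcp-server network add address=10.30.30.0/24 gateway=10.30.30.254 dns-server=1.1.1.1
/ip dhcp-server network add address=192.168.92.0/24 gateway=192.168.92.254 dns-server=192.168.92.12
/ip dhcp-server network add address=10.99.99.0/24 gateway=10.99.99.254 dns-server=1.1.1.1
# TODO confirm: Cameras/Management now get the same public resolver the Guests
# network already uses. The stale entries pointed at 192.168.30.1 and
# 192.168.99.254, which do not exist anywhere in this configuration; the
# office VLAN keeps its internal resolver 192.168.92.12.
# Upstream resolver for the router itself. allow-remote-requests is at its
# default (no), so LAN clients cannot use this router as a DNS server.
/ip dns set servers=1.1.1.1 cache-size=4096KiB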
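# HQ firewall. In the original export only three rules were active (input
# established/related, the OVPN accepts, ICMP, and one forward accept); every
# hardening rule was disabled=yes, so BOTH chains end in the implicit accept.
# FIX (safe, cannot lock anyone out): enable "drop invalid" in both chains,
# "accept established,related" in forward, and the mgmt-only Winbox accept.
# Left disabled, with the reason noted: the two "!LAN" drops and the
# inter-VLAN drops — they need list membership fixed first.
/ip firewall filter add chain=input action=accept connection-state=established,related
# OVPN server handshake. The server runs on its default TCP; the UDP/1194 rule
# only matters if protocol=udp is ever set on /interface ovpn-server server.
/ip firewall filter add chain=input action=accept protocol=tcp dst-port=1194 comment=OVPN
/ip firewall filter add chain=input action=accept protocol=udp dst-port=1194 comment=OVPN
/ip firewall filter add chain=input action=drop connection-state=invalid comment="input invalid"
/ip firewall filter add chain=input action=accept protocol=icmp
# Only meaningful once the final input drop is on; harmless until then. Note
# that /ip service also allows Winbox from 192.168.92.0/24.
/ip firewall filter add chain=input action=accept protocol=tcp dst-port=8291 src-address=10.99.99.0/24 comment="connectivity only from VLAN999 mgmt net"
# NOTE(review): while this stays disabled, everything the router listens on
# (SNMP, Winbox, ...) is reachable from the PPPoE uplink; the winbox address=
# list in /ip service is the only thing limiting Winbox. Before enabling it,
# add pppoe-ether1 to WAN and give the OVPN tunnel a static binding that is a
# LAN member, otherwise managing this router from the remote site over the
# tunnel (in-interface=<ovpn-user1>, which is in no list) stops working.
/ip firewall filter add chain=input action=drop in-interface-list=!LAN disabled=yes
# Site-to-site: remote router's tunnel address -> office VLAN. Packets from the
# remote LAN (10.0.0.0/24) do not match this rule, but with the final forward
# drop disabled they are accepted by default anyway; they fail because this
# router has no route back to 10.0.0.0/24 (see the note in /ip firewall nat).
/ip firewall filter add chain=forward action=accept src-address=192.168.200.0/24 dst-address=192.168.92.0/24
/ip firewall filter add chain=forward action=fasttrack-connection hw-offload=yes disabled=yes
/ip firewall filter add chain=forward action=accept connection-state=established,related
/ip firewall filter add chain=forward action=drop connection-state=invalid
# Only matches uplink traffic once pppoe-ether1 is a WAN list member.
/ip firewall filter add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN disabled=yes
# Guest isolation. While disabled, Guests can reach every other VLAN through
# the router (forward chain has no final drop).
/ip firewall filter add chain=forward action=drop in-interface=vlan200-Guests out-interface-list=LAN disabled=yes
/ip firewall filter add chain=forward action=drop in-interface=vlan100-Office out-interface=vlan200-Guests disabled=yes
# NOTE(review): while this is disabled, OVPN clients can also reach Guests,
# Cameras and Management, and the accept rule above is not a restriction.
/ip firewall filter add chain=forward action=drop in-interface-list=!LAN disabled=yes comment="DROP EVERYTHING ELSE"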
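# Source NAT.
# Rule 1: everything leaving the PPPoE session is masqueraded. This already
# covers OVPN clients (192.168.200.0/24) going to the Internet.
/ip firewall nat add chain=srcnat action=masquerade out-interface=pppoe-ether1
# FIX: the original second rule had no out-interface and masqueraded
# 192.168.200.0/24 towards *every* destination, including the office VLAN, so
# office hosts saw the remote router as 192.168.92.254 and the remote site's
# real address never appeared in their logs. Restricted to the uplink it is
# only a redundant safety net. Office hosts can still reply to the tunnel
# directly: their gateway is 192.168.92.254 and this router has a connected
# route to each client's tunnel address. (Hosts with a local firewall that
# only trusts their own subnet may need an allow for 192.168.200.0/24.)
/ip firewall nat add chain=srcnat action=masquerade out-interface=pppoe-ether1 src-address=192.168.200.0/24
# NOTE(review): NAT is not why the remote LAN (10.0.0.0/24) fails. Its packets
# arrive un-NATed through the tunnel, office hosts reply via 192.168.92.254,
# and this router has no route for 10.0.0.0/24, so the reply follows the
# default route out pppoe-ether1 (and is masqueraded by rule 1) instead of
# going back into the tunnel. A static route is needed, e.g. give user1 a fixed
# remote-address in /ppp secret (say 192.168.200.2) and add
#   /ip route add dst-address=10.0.0.0/24 gateway=192.168.200.2
# or bind the tunnel to a static /interface ovpn-server entry and route via it.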
# IPsec DPD tuning on the default profile; no IPsec peer exists in this export,
# so it is currently inert.
/ip ipsec profile set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
# Management plane: everything except Winbox is off, and Winbox is limited to
# the office and management subnets. www-ssl is not listed, i.e. at its default.
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www disabled=yes
/ip service set ssh disabled=yes
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes
/ip service set winbox address=192.168.92.0/24,10.99.99.0/24
# Default SMB share points at /pub (SMB users are disabled above).
/ip smb shares set [ find default=yes ] directory=/pub
# OVPN accounts; passwords are not part of an export.
/ppp secret add name=user1 service=ovpn profile=ovpn-profile
/ppp secret add name=user2 service=ovpn profile=ovpn-profile
# NOTE(review): SNMP is enabled but the community and version are not in this
# export. With the input chain's final drop disabled (see the firewall) the
# agent answers on the PPPoE uplink too, so confirm the default "public"
# community is removed or restricted by address — or disable SNMP if nothing
# polls this router.
/snmp set enabled=yes
/system clock set time-zone-name=Europe/Berlin
/system identity set name=RB5009-GW
/system note set show-at-login=no

and this is the remote site:

# Remote router: the default bridge plus the OVPN client towards HQ.
/interface bridge add name=bridge comment=defconf admin-mac=F4:1E:57:D5:50:F5 auto-mac=no
# OVPN client to the HQ server: TCP/1194 by default (matching the server),
# AES-256-CBC / SHA-256, username user1. verify-server-certificate=yes is the
# right setting — it is what stops an attacker who controls DNS for
# hq.site.com from impersonating HQ. The client password is not exported.
# NOTE(review): add-default-route=yes sends *all* remote traffic, Internet
# included, through HQ, alongside the default route the DHCP client on ether1
# installs (its add-default-route defaults to yes). If only 192.168.92.0/24 is
# wanted over the tunnel, use add-default-route=no and add
#   /ip route add dst-address=192.168.92.0/24 gateway=ovpn-out1
# — plus a route on HQ back to 10.0.0.0/24; neither export contains either.
/interface ovpn-client add name=ovpn-out1 connect-to=hq.site.com user=user1 certificate=vpncertificate verify-server-certificate=yes auth=sha256 cipher=aes256-cbc add-default-route=yes mac-address=02:76:33:E4:E0:E9
# Wi-Fi (wifi package): 5 GHz and 2.4 GHz APs, WPA2/WPA3-PSK mixed mode with
# 802.11r fast transition. Passphrases are not part of an export.
/interface wifi set [ find default-name=wifi1 ] disabled=no configuration.mode=ap configuration.ssid=net security.authentication-types=wpa2-psk,wpa3-psk security.ft=yes security.ft-over-ds=yes channel.band=5ghz-ax channel.width=20/40mhz channel.skip-dfs-channels=10min-cac
/interface wifi set [ find default-name=wifi2 ] disabled=no configuration.mode=ap configuration.ssid=net+ security.authentication-types=wpa2-psk,wpa3-psk security.ft=yes security.ft-over-ds=yes channel.band=2ghz-ax channel.width=20/40mhz channel.skip-dfs-channels=10min-cac
/interface list add name=WAN comment=defconf
/interface list add name=LAN comment=defconf
# LAN pool and DHCP server on the bridge.
/ip pool add name=default-dhcp ranges=10.0.0.100-10.0.0.150
/ip dhcp-server add name="Bridge" interface=bridge address-pool=default-dhcp lease-time=4h30m
# NOTE(review): media/SMB auto-sharing on the bridge presumably exposes any
# attached disk to the whole LAN without further configuration; turn it off
# unless a share is actually wanted here.
/disk settings set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
# All LAN ports and both radios are bridge members.
/interface bridge port add bridge=bridge interface=ether2 comment=defconf
/interface bridge port add bridge=bridge interface=ether3 comment=defconf
/interface bridge port add bridge=bridge interface=ether4 comment=defconf
/interface bridge port add bridge=bridge interface=ether5 comment=defconf
/interface bridge port add bridge=bridge interface=wifi1 comment=defconf
/interface bridge port add bridge=bridge interface=wifi2 comment=defconf
/ip neighbor discovery-settings set discover-interface-list=LAN
# NOTE(review): ovpn-out1 is in neither list. Consequences in the firewall:
# "drop input !LAN" blocks HQ-side access to this router's own addresses over
# the tunnel, while the forward chain's WAN-only drop does not cover the tunnel
# at all, so anything HQ routes into it reaches the LAN. Decide which of the
# two you want and add ovpn-out1 to the matching list.
/interface list member add list=LAN interface=bridge comment=defconf
/interface list member add list=WAN interface=ether1 comment=defconf
/ip address add interface=bridge address=10.0.0.254/24 network=10.0.0.0 comment=defconf
/ip cloud set ddns-enabled=yes
# WAN address from the ISP's Huawei router via DHCP; installs a default route
# (add-default-route defaults to yes).
/ip dhcp-client add interface=ether1 comment=defconf
/ip dhcp-server network add address=10.0.0.0/24 gateway=10.0.0.254 dns-server=10.0.0.254
# This router is the LAN resolver. The input chain's final "!LAN" drop is what
# keeps that resolver from being an open one on the Internet side.
/ip dns set allow-remote-requests=yes
/ip dns static add name=router.lan type=A address=10.0.0.254 comment=defconf
# Remote IPv4 firewall: the RouterOS default ("defconf") rule set, unchanged.
# Input chain: established/related/untracked, ICMP and loopback are accepted;
# everything not arriving on a LAN-list interface is dropped.
/ip firewall filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
/ip firewall filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
/ip firewall filter add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
/ip firewall filter add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
# ovpn-out1 is not in LAN, so this also drops new connections from HQ to this
# router's own addresses over the tunnel (ICMP excepted by the rule above).
# Connections this router opens towards HQ are unaffected, which is why the
# router itself can reach 192.168.92.0/24 while nothing else works yet.
/ip firewall filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
# Forward chain: IPsec policy accepts, fasttrack, state rules, then a drop for
# new connections from WAN that were not DST-NATed.
/ip firewall filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
/ip firewall filter add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
/ip firewall filter add chain=forward action=fasttrack-connection connection-state=established,related hw-offload=yes comment="defconf: fasttrack"
/ip firewall filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
/ip firewall filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
# The tunnel is not in WAN either, so new connections arriving from HQ through
# ovpn-out1 fall through to the implicit accept and reach 10.0.0.0/24. Fine
# for a trusted site-to-site link, but it is an implicit decision, not a rule.
/ip firewall filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
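# Source NAT towards the ISP.
# FIX: the original had two masquerade rules. The first matched only
# src-address=192.168.200.0/24 (the tunnel address this router itself receives
# from HQ's pool) with the same out-interface-list, ipsec-policy and action as
# the second, so it was a strict subset of the catch-all and never changed a
# single packet's fate. Removed; behaviour is identical.
/ip firewall nat add chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none comment="defconf: masquerade"
# NOTE(review): nothing is NATed into the tunnel, so LAN packets reach HQ with
# source 10.0.0.x and HQ needs a route back for 10.0.0.0/24. The NAT
# alternative — a masquerade rule with out-interface=ovpn-out1 — avoids the HQ
# route but makes the whole remote LAN appear as the tunnel address, hides
# remote hosts from HQ logs and rules out HQ-initiated connections to them.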
# Remote IPv6 firewall: the RouterOS default ("defconf") rule set, unchanged.
# IPv6 is not disabled on this router (unlike HQ), so these rules are live.
# Input chain.
/ipv6 firewall filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
/ipv6 firewall filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
/ipv6 firewall filter add chain=input action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
/ipv6 firewall filter add chain=input action=accept protocol=udp dst-port=33434-33534 comment="defconf: accept UDP traceroute"
/ipv6 firewall filter add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 comment="defconf: accept DHCPv6-Client prefix delegation."
/ipv6 firewall filter add chain=input action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
/ipv6 firewall filter add chain=input action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
/ipv6 firewall filter add chain=input action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
/ipv6 firewall filter add chain=input action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
/ipv6 firewall filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
# Forward chain. The bad_ipv6 address list is referenced but not part of this
# export; defconf normally creates it under /ipv6 firewall address-list — if it
# is missing, the two bogon drops below match nothing.
/ipv6 firewall filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
/ipv6 firewall filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
/ipv6 firewall filter add chain=forward action=drop src-address-list=bad_ipv6 comment="defconf: drop packets with bad src ipv6"
/ipv6 firewall filter add chain=forward action=drop dst-address-list=bad_ipv6 comment="defconf: drop packets with bad dst ipv6"
/ipv6 firewall filter add chain=forward action=drop protocol=icmpv6 hop-limit=equal:1 comment="defconf: rfc4890 drop hop-limit=1"
/ipv6 firewall filter add chain=forward action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
/ipv6 firewall filter add chain=forward action=accept protocol=139 comment="defconf: accept HIP"
/ipv6 firewall filter add chain=forward action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
/ipv6 firewall filter add chain=forward action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
/ipv6 firewall filter add chain=forward action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
/ipv6 firewall filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
/ipv6 firewall filter add chain=forward action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
# Housekeeping: clock, identity, login note.
/system clock set time-zone-name=Europe/Berlin
/system identity set name=Remote
/system note set show-at-login=no
# MAC-telnet and MAC-Winbox only answer on LAN-list interfaces (defconf); the
# tunnel is not in that list, so neither is reachable over it.
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN


Why did my post get the ‘SOLVED’ tag? Nobody has answered it yet.

Maybe you pressed one of the following buttons. See the pictures below; they show where you click on a post to mark the thread as solved by that post.

At board style: Canvas

At board style: prosilver

I made it “Unsolved”.

I have resolved it — two routes were missing. (Neither export above contains an /ip route entry for the other site's LAN via the tunnel.) If someone needs them, please PM me.