Hello everyone, I have just replaced my old Linksys router with a HAP AC2 router and have some problems:
Network looks like this:
The problem:
Computers on the 192.168.2.0/24 network can access only 192.168.4.1 (MikroTik) and 192.168.4.19 (OVPN server).
Computers on the 192.168.4.0/24 network can access all machines on the 192.168.2.0/24 network.
For example:
192.168.4.18 can ping 192.168.2.2
but
192.168.2.2 cannot ping 192.168.4.18
tracepath from 192.168.4.18:
[x@x ~]# tracepath 192.168.2.2
1?: [LOCALHOST] pmtu 1500
1: router.lan 0.379ms
1: router.lan 0.312ms
2: 192.168.4.19 0.587ms asymm 1
3: 10.8.0.78 6.177ms asymm 2
4: 192.168.2.2 4.418ms reached
Resume: pmtu 1500 hops 4 back 3
tracepath from 192.168.2.2:
[xx@xx ~]# tracepath 192.168.4.18
1?: [LOCALHOST] pmtu 1500
1: vyatta.x 0.499ms
1: vyatta.x 0.520ms
2: 10.8.0.1 5.041ms
3: no reply
4: no reply
5: no reply
The MikroTik has a static route:
/ip route
add distance=1 gateway=x.x.x.x
add check-gateway=ping distance=1 dst-address=192.168.2.0/24 gateway=192.168.4.19
OVPN config on 192.168.4.19:
local 192.168.4.19
port 1194
proto udp4
dev tun0
ca ca.crt
cert server.crt
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.4.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"
client-config-dir ccd (the "iroute 192.168.2.0 255.255.255.0" line is placed in the right file in ccd)
ccd-exclusive
client-to-client
route 192.168.2.0 255.255.255.0
push "dhcp-option DNS 192.168.4.2"
client-to-client
keepalive 5 200
comp-lzo
persist-key
persist-tun
Important parts of the MikroTik config (I can post the whole thing if needed):
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.4.1/24 comment=defconf interface=ether2 network=192.168.4.0
add address=x.x.x.x interface=ether1 network=x.x.x.x
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input dst-port=500,1701,4500 in-interface-list=WAN protocol=udp
add action=accept chain=input in-interface-list=WAN protocol=ipsec-esp
add action=accept chain=input in-interface-list=WAN protocol=ipsec-ah
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" dst-address=0.0.0.0/0 ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=8082 in-interface=ether1 protocol=tcp to-addresses=192.168.4.18 to-ports=8082
add action=dst-nat chain=dstnat dst-port=80 in-interface=ether1 protocol=tcp to-addresses=192.168.4.18 to-ports=80
add action=dst-nat chain=dstnat dst-port=443 in-interface=ether1 protocol=tcp to-addresses=192.168.4.18 to-ports=443
add action=dst-nat chain=dstnat dst-port=1194 in-interface=ether1 protocol=udp to-addresses=192.168.4.19 to-ports=1194
add action=dst-nat chain=dstnat dst-port=5000-5055 in-interface=ether1 protocol=tcp to-addresses=192.168.4.18 to-ports=5000-5055
/ip route
add distance=1 gateway=x.x.x.x
add check-gateway=ping distance=1 dst-address=192.168.2.0/24 gateway=192.168.4.19
Best regards
This is my first post, so I am not sure if this is the right subforum.
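An added model, not part of the original post, of the two paths shown in the tracepath output above, offered as a hypothesis to check: it assumes that hosts on 192.168.4.0/24 use 192.168.4.1 as their default gateway and that the OpenVPN server at 192.168.4.19 delivers packets for 192.168.4.0/24 to LAN hosts directly. Under those assumptions it reproduces the one-way reachability: the reply from 192.168.4.18 passes through the MikroTik's forward chain as part of a flow the MikroTik never saw start.

```python
import ipaddress

NET2 = ipaddress.ip_network("192.168.2.0/24")
NET4 = ipaddress.ip_network("192.168.4.0/24")
MIKROTIK, OVPN, VYATTA = "192.168.4.1", "192.168.4.19", "vyatta"  # vyatta = 10.8.0.78 side

def next_hop(node, dst):
    """Next node a packet for dst is handed to, following the routes in the post."""
    d = ipaddress.ip_address(dst)
    if node == MIKROTIK:        # static route: 192.168.2.0/24 via 192.168.4.19, LAN on-link
        return OVPN if d in NET2 else dst
    if node == OVPN:            # iroute: 192.168.2.0/24 over the tunnel, LAN on-link
        return VYATTA if d in NET2 else dst
    if node == VYATTA:          # pushed route: 192.168.4.0/24 over the tunnel
        return OVPN if d in NET4 else dst
    if ipaddress.ip_address(node) in NET4:   # assumed: LAN host, default gateway 192.168.4.1
        return dst if d in NET4 else MIKROTIK
    return VYATTA               # assumed: 192.168.2.0/24 hosts route everything via vyatta

def path(src, dst):
    """Hops a packet traverses from src until it is delivered to dst."""
    hops, node = [], src
    while node != dst:
        node = next_hop(node, dst)
        hops.append(node)
    return hops

def mikrotik_forward(conns, src, dst, reply):
    """Forward chain from the post: a new flow from LAN is accepted and tracked; a
    reply with no tracked flow is connection-state=invalid and hits 'drop invalid'."""
    if not reply:
        conns.add((src, dst))
        return True
    return (dst, src) in conns

def ping(src, dst):
    """Simulate one ICMP echo request/reply; return (reached, explanation)."""
    conns = set()
    for node in path(src, dst):
        if node == MIKROTIK and not mikrotik_forward(conns, src, dst, reply=False):
            return False, "request dropped at the MikroTik"
    for node in path(dst, src):
        if node == MIKROTIK and not mikrotik_forward(conns, dst, src, reply=True):
            return False, "reply dropped at the MikroTik: untracked flow, state invalid"
    return True, f"request {' > '.join(path(src, dst))}; reply {' > '.join(path(dst, src))}"

if __name__ == "__main__":
    for s, d in (("192.168.4.18", "192.168.2.2"), ("192.168.2.2", "192.168.4.18")):
        print(s, "->", d, ping(s, d))
```

If the model matches reality, the packet counter of the forward-chain "drop invalid" rule on the MikroTik should increase while 192.168.2.2 pings 192.168.4.18 (visible with /ip firewall filter print stats).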