Need to set up access to NAS openvpn

Hello!

We have qnap nas D4 connected via Mikrotik Rb951ui-2hnd to the internet. I have installed myQNAPcloud Connect app at home to get access to it via VPN, activated open vpn on server. When I try to establish openvpn or pptp connection I am getting endless spinning wheel in myQNAPcloud Connect app. So I assumed I need to do something in mikrotik?

I’ve added rule /ip firewall nat add action=dst-nat chain=dstnat dst-address-type=local dst-port=1194 protocol=udp to-addresses=192.168.0.8 and it didn’t help

I’m sure that your whole firewall has more rules than just this one. They can influence each other. And so far only you know about everything you have, anyone here can only guess.

I hope I exported it correctly

# jul/19/2019 21:58:31 by RouterOS 6.43.8
# software id = WAIS-1BW7
#
# model = RouterBOARD 750G r3
# serial number = 8AFF08EE8010
/interface bridge
add admin-mac=CC:2D:E0:F1:9D:35 auto-mac=no comment=\
    "created from master port" name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] name=ether2-master speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.0.110-192.168.0.140
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 name=defconf
/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether2-master
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add comment=defconf interface=bridge1 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=bridge1 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=bridge1 list=mactel
add interface=bridge1 list=mac-winbox
/interface pptp-server server
set mrru=1500
/ip address
add address=192.168.0.1/24 comment=defconf interface=ether3 network=\
    192.168.0.0
add address=159.224.216.242/18 interface=ether1 network=159.224.192.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=109.86.2.2
/ip dns static
add address=192.168.0.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=8080 protocol=tcp to-addresses=\
    192.168.0.108 to-ports=8080
add action=dst-nat chain=dstnat dst-address-type=local dst-port=21 protocol=\
    tcp to-addresses=192.168.0.108 to-ports=21
add action=masquerade chain=srcnat dst-address=192.168.0.108 dst-port=21 \
    protocol=tcp src-address=192.168.0.0/24
add action=dst-nat chain=dstnat disabled=yes dst-address-type=local \
    dst-port=1194 protocol=udp to-addresses=192.168.0.8
add action=dst-nat chain=dstnat comment=OpenVPNServer dst-port=1194 \
    protocol=udp to-addresses=192.168.0.8 to-ports=0
/ip route
add distance=1 gateway=159.224.216.254
/ip service
set ftp address=0.0.0.0/0
/system clock
set time-zone-name=Europe/Kiev
/system resource irq rps
set ether1 disabled=no
set ether3 disabled=no
set ether4 disabled=no
set ether5 disabled=no
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
/tool traffic-monitor
add disabled=yes interface=ether1 name=tmon1 threshold=0

The last dstnat rule (with to-ports=0) is wrong, because of to-ports and also because it does not in any way specify the original target address, so it will catch also outgoing OpenVPN connections. But the one before it is correct, except that it’s disabled. So enable it and watch what happens. If it doesn’t work, check whether its counter increases; if it does, it means that packets from outside are reaching your router. If it does increase, use Tools->Torch on bridge1 and look for packets to 192.168.0.8:1194, you should see them. Also pay attention to rx and tx columns. Packets in tx column are going to NAS, packets in rx column are responses from NAS. If there’s tx but zero rx, check the config of NAS.

Btw, you have quite unusual netmask on WAN.
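As an added illustration of the point above (example code, not from the thread or from MikroTik): a minimal model of dstnat rule *matching* only, showing that a rule without dst-address-type=local also catches a LAN host's outgoing OpenVPN packets, while the disabled-but-correct rule catches only packets addressed to the router's own IP. The client and remote addresses are constructed; the to-addresses/to-ports rewrite itself is not modelled.

```python
from dataclasses import dataclass
from typing import Optional

# Addresses the router holds itself, taken from the posted export.
ROUTER_LOCAL_ADDRESSES = {"159.224.216.242", "192.168.0.1"}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

@dataclass(frozen=True)
class DstNatRule:
    comment: str
    proto: str
    dport: int
    dst_address_type: Optional[str] = None  # None = not specified; "local" = router's own IPs
    disabled: bool = False

def rule_matches(rule: DstNatRule, pkt: Packet) -> bool:
    """Does this dstnat rule's matcher part apply to the packet?"""
    if rule.disabled:
        return False
    if pkt.proto != rule.proto or pkt.dport != rule.dport:
        return False
    # dst-address-type=local restricts the rule to the router's own addresses.
    if rule.dst_address_type == "local" and pkt.dst not in ROUTER_LOCAL_ADDRESSES:
        return False
    return True

def first_match(rules, pkt: Packet) -> Optional[str]:
    """Return the comment of the first matching rule, as the chain would be evaluated."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.comment
    return None

# The two port-1194 rules in the order the export shows them.
RULES_AS_POSTED = [
    DstNatRule("correct rule (disabled)", "udp", 1194, "local", disabled=True),
    DstNatRule("OpenVPNServer (no dst-address-type)", "udp", 1194),
]
# After enabling the correct rule and removing the bad one.
RULES_FIXED = [DstNatRule("correct rule (enabled)", "udp", 1194, "local")]

# Constructed packets: a remote VPN client reaching the WAN IP, and a LAN host
# connecting out to some external OpenVPN server on the same port.
INBOUND = Packet("203.0.113.7", "159.224.216.242", "udp", 1194)
OUTBOUND = Packet("192.168.0.50", "198.51.100.9", "udp", 1194)
```

With the posted rules the outbound packet is also redirected to the NAS; with the fixed rule set only the inbound one is.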

Thank you! As for the mask, I guess we use just what ISP said? By the way, I have mikrotik hap ac at home from where I am trying to connect to server. Should I do something at home router too?

If “at home” is different network and you only use OpenVPN client from there, you don’t need to do anything special. Of course outgoing connections to your VPN server must be allowed, but that’s default behaviour, so unless you changed it, it’s ok.

True about the mask, but it really is unusual, /18 is a huge network with 16 thousand addresses and the mask suggests that they should all be directly reachable on WAN interface without going through another router, at least that’s how things normally work. Which I’m almost sure is not true, but there are ways how it can still work correctly with such mask, so it’s not necessarily wrong. I only mentioned it, so that you can check if it’s really what ISP gave you. Because in case it was a mistake, the behaviour would be that almost everything (whole internet) would work correctly, but you would not be able to communicate with most other addresses in this /18 and if VPN client also happened to be in 159.224.192-255.x range, it could explain your problem.

If I’m wrong about the mask, then forget it and try the troubleshooting I described before.

It’s hard to tell why the ISP gave us such settings but our building is really hard to reach and we were just lucky they established connection with another organization in another building next to us. So they connected us over the roofs. Maybe it required some specific settings, I don’t know.
But the funny thing is my ip is 178.150.253.3 so within the range you specified as potentially problematic…

Here is what I see in torch when trying to connect with OpenVPN
VPN monitor.jpg
This is what I see when the 2 bottom lines are showing together (the first line doesn’t matter).
At first I see udp connection with 0 bytes and icmp after that.

It doesn’t reach 192.168.0.8:1194.

OpenVPN says

Sat Jul 20 17:24:08 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]159.224.216.242:1194
Sat Jul 20 17:24:08 2019 UDP link local: (not bound)
Sat Jul 20 17:24:08 2019 UDP link remote: [AF_INET]159.224.216.242:1194
Sat Jul 20 17:25:08 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Jul 20 17:25:08 2019 TLS Error: TLS handshake failed

By the way, I have the same ISP at home. And here is my settings with similar mask
homesettings.JPG
I think it’s the way they work…

One of the larger ISPs in my country (which in turn is fairly small) operating FTTH and VDSL used /16 netmask until a year ago. They went to /17 after that. Still some way to reach /18 :wink:

Their network is running fairly good, seems like they have decent gear in their core network …

It will be better if you try this:

/ip firewall mangle
add chain=postrouting dst-address=192.168.0.8 protocol=udp dst-port=1194 action=log log-prefix=request
add chain=prerouting src-address=192.168.0.8 protocol=udp src-port=1194 action=log log-prefix=response

And no, 178.x.x.x and 159.x.x.x are not in same /18, so no need to worry about that.

Good to know :slight_smile:

Now it looks like this. Is this right? Still no go

# jul/20/2019 18:09:42 by RouterOS 6.43.8
# software id = WAIS-1BW7
#
# model = RouterBOARD 750G r3
# serial number = 8AFF08EE8010
/interface bridge
add admin-mac=CC:2D:E0:F1:9D:35 auto-mac=no comment="created from master port" \
    name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] name=ether2-master speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.0.110-192.168.0.140
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 name=defconf
/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether2-master
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add comment=defconf interface=bridge1 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=bridge1 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=bridge1 list=mactel
add interface=bridge1 list=mac-winbox
/interface pptp-server server
set mrru=1500
/ip address
add address=192.168.0.1/24 comment=defconf interface=ether3 network=192.168.0.0
add address=159.224.216.242/18 interface=ether1 network=159.224.192.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=109.86.2.2
/ip dns static
add address=192.168.0.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input dst-port=8291 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=log chain=postrouting dst-address=192.168.0.8 dst-port=1194 \
    log-prefix=request protocol=udp
add action=log chain=prerouting log-prefix=response protocol=udp src-address=\
    192.168.0.8 src-port=1194
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=8080 protocol=tcp to-addresses=\
    192.168.0.108 to-ports=8080
add action=dst-nat chain=dstnat dst-address-type=local dst-port=21 protocol=tcp \
    to-addresses=192.168.0.108 to-ports=21
add action=masquerade chain=srcnat dst-address=192.168.0.108 dst-port=21 \
    protocol=tcp src-address=192.168.0.0/24
add action=dst-nat chain=dstnat dst-address-type=local dst-port=1194 protocol=\
    udp to-addresses=192.168.0.8
/ip route
add distance=1 gateway=159.224.216.254
/ip service
set ftp address=0.0.0.0/0
/system clock
set time-zone-name=Europe/Kiev
/system resource irq rps
set ether1 disabled=no
set ether3 disabled=no
set ether4 disabled=no
set ether5 disabled=no
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
/tool traffic-monitor
add disabled=yes interface=ether1 name=tmon1 threshold=0

Those two rules were supposed to log some packets when you try to connect. So there’s nothing? What about counter for dstnat rule (for port 1194)? Is there anything?

I think I get it. Here is what counters show
counter 2.JPG
counter.JPG
The number increases

So you have incoming packets, they passed through router and were sent to 192.168.0.8, but as you see, nothing is coming back. In other words, it’s the service on NAS that’s not responding. You need to check what happens there.
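The triage logic used in this reply and with the two mangle log rules earlier (requests logged with prefix "request", NAS replies with prefix "response"), written out as an added example that is not part of the thread. The log lines are constructed in the general shape of RouterOS firewall log output with documentation-range client addresses; only the direction prefix and the address pair are relied on.

```python
import re
from collections import Counter

# Constructed sample: two requests forwarded to the NAS, no responses.
LOG_NO_RESPONSE = """\
jul/20 18:10:01 firewall,info request postrouting: in:ether1 out:bridge1, proto UDP, 203.0.113.7:51234->192.168.0.8:1194, len 42
jul/20 18:10:03 firewall,info request postrouting: in:ether1 out:bridge1, proto UDP, 203.0.113.7:51234->192.168.0.8:1194, len 42
"""
# Constructed sample: the same, plus one reply from the NAS.
LOG_WITH_RESPONSE = LOG_NO_RESPONSE + (
    "jul/20 18:10:03 firewall,info response prerouting: in:bridge1 out:(unknown 0), "
    "proto UDP, 192.168.0.8:1194->203.0.113.7:51234, len 54\n"
)

# Pull the log prefix and the src:port->dst:port pair out of each line.
LINE_RE = re.compile(
    r"\b(request|response)\b.*?(\d+\.\d+\.\d+\.\d+):(\d+)->(\d+\.\d+\.\d+\.\d+):(\d+)"
)

def count_directions(log_text: str) -> Counter:
    """Count logged packets per direction, ignoring lines the two rules did not produce."""
    counts = Counter()
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if match:
            counts[match.group(1)] += 1
    return counts

def diagnose(log_text: str) -> str:
    """Map request/response counts to the three outcomes the thread distinguishes."""
    counts = count_directions(log_text)
    if counts["request"] == 0:
        return "no requests: packets never reach the router or the dstnat rule (check WAN side and rule counter)"
    if counts["response"] == 0:
        return "requests but no responses: router forwards to the NAS, the NAS service is not answering"
    return "both directions seen: forwarding works, look at the OpenVPN configuration and TLS layer"
```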

I’d still run /tool sniffer quick interface=the-expected-out-interface ip-address=ip.of.the.nas to make sure that the packets do leave towards the proper MAC address via the proper interface before finally concluding that the NAS ignores them.

Like this?

/tool sniffer quick interface=ether1 ip-address=192.168.0.8

No, 192.168.0.8 is associated to ether3, so /tool sniffer quick interface=ether3 ip-address=192.168.0.8. When the packet passes through ether1, it still has the public IP as destination, not the private one. And don’t forget to make the command line window as wide as your screen allows before issuing the command.

But before you do that, fix a mistake in your configuration. The IP address 192.168.0.1/24 is attached to ether3 but it should be attached to bridge1 instead. The way you have it now it partially works but surprises of all kinds happen.

Which brings me to a question whether the NAS is actually connected to (via) ether3; if not, sniff at the proper one out of ether4, ether5.

Thanks!

But I forgot to say it’s connected via cisco switch. But there are no special settings in it.
67728773_388030751842198_3466175217896783872_n (2).jpg
The black cable is connected to the switch. I am not sure if it’s ethernet 1 or 2… I think it’s ethernet 1? So ethernet 3 is not involved at all but there are settings for it (see below)

The IP address 192.168.0.1/24 is attached to ether3 but it should be attached to bridge1 instead.

The interface and address lists show:
interface list.JPG
Is it safe to change those settings? I suspect it has something to do with ISP settings for us