One Direction ping on Site-to-Site ovpn

Good day, everyone!
I can’t figure out the reason for the strange behavior of my MikroTik.
I’m setting up an RB4011iGS device.
RouterOS 7.16.1
Network diagram:

One of the steps is setting up an S2S OpenVPN connection between the office and the data center (DC), where pfSense is used as the OpenVPN server.
As a result of the configuration, everything connects, the tunnel is established successfully, but the pings only work one way—from the MikroTik to pfSense. When pinging from the pfSense side:
*) I can successfully ping my VPN tunnel address (10.12.0.1) and the MikroTik VPN tunnel address (10.12.0.2) if I add the corresponding rule allowing the ping on that interface.
*) The route to the office’s local network (192.168.11.0/24) behind the MikroTik is defined in the pfSense routes, and when I run tcpdump from the pfSense interface, I can see that the packets are indeed sent, at least to the VPN tunnel interface (likely to be forwarded further to the local network interface behind the MikroTik).
*) Tcpdump on the ovpn interface on the pfSense side shows the request packets but no response packets. The MikroTik packet sniffer doesn’t see any incoming packets on its VPN connection interface (while it does see them during successful pings in the opposite direction). The pfSense configuration doesn’t raise any suspicion since a similar tunnel is configured in the same way and works correctly. To reiterate, the tunnel is established, and packets travel just fine in the direction of the data center.

I ask knowledgeable colleagues to point me in the right direction to troubleshoot this issue.
Thank`s!
MikroTik config:

# 2024-10-21 03:23:55 by RouterOS 7.16.1
# software id = UBCS-3KGA
#
# model = RB4011iGS+5HacQ2HnD
# serial number = HG309G5KTWB
/interface bridge
add name=bridge-LAN
add name=bridge-Wifi_GUEST
/interface ethernet
set [ find default-name=ether5 ] name="LAN-Bridge-port (ether5)"
set [ find default-name=ether1 ] name="provider (ether1)"
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether10 ] poe-out=off
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface ovpn-server
add name=ovpn-vpnuser user=vpnuser
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=WiFi_Work_Profile \
    supplicant-identity=""
add authentication-types=wpa2-psk mode=dynamic-keys name=WiFi_Guest_profile \
    supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode \
    country=russia distance=indoors mode=ap-bridge noise-floor-threshold=-110 \
    security-profile=WiFi_Work_Profile ssid=wifi24
set [ find default-name=wlan2 ] adaptive-noise-immunity=ap-and-client-mode \
    band=5ghz-a/n/ac country=russia distance=indoors guard-interval=long \
    mode=ap-bridge security-profile=WiFi_Work_Profile ssid=wifi5 wps-mode=\
    disabled
add keepalive-frames=disabled mac-address=7A:9A:18:B7:FE:27 master-interface=\
    wlan1 multicast-buffering=disabled name="wifi24g (wlan3)" \
    security-profile=WiFi_Guest_profile ssid=wifi24g wds-cost-range=1 \
    wds-default-cost=1 wmm-support=enabled wps-mode=disabled
/ip ipsec peer
add address=45.9.89.147/32 disabled=yes exchange-mode=ike2 name=\
    Office-COD
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=\
    chacha20poly1305,aes-256-cbc,aes-256-gcm
/ip pool
add name="LAN pool" ranges=192.168.11.100-192.168.11.200
add name="Wifi Guest Pool" ranges=10.101.0.2-10.101.0.50
add name="ovpn pool" ranges=10.100.0.10-10.100.0.100
/ip dhcp-server
add address-pool="LAN pool" disabled=yes interface=bridge-LAN lease-time=3d \
    name="DHCP LAN"
add address-pool="Wifi Guest Pool" authoritative=after-2sec-delay disabled=\
    yes interface=bridge-Wifi_GUEST lease-time=2h name="DHCP Wifi Guest"
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
add local-address=10.100.0.1 name=ovpn remote-address="ovpn pool"
add change-tcp-mss=yes local-address=10.12.0.2 name="S2S COD" \
    remote-address=10.12.0.1 use-ipv6=no
/interface ovpn-client
add auth=sha256 certificate=vpnMikrotik cipher=aes256-cbc connect-to=\
    45.9.89.147 mac-address=FE:C8:88:84:00:13 max-mtu=1400 name=\
    "ovpn S2S COD" port=1196 profile="S2S COD" user=vpnMikrotik
/interface bridge port
add bridge=bridge-LAN interface="LAN-Bridge-port (ether5)"
add bridge=bridge-LAN interface=ether6
add bridge=bridge-LAN interface=ether7
add bridge=bridge-LAN interface=ether8
add bridge=bridge-LAN interface=ether9
add bridge=bridge-LAN interface=ether10
add bridge=bridge-LAN interface=wlan2
add bridge=bridge-LAN interface=wlan1
add bridge=bridge-Wifi_GUEST ingress-filtering=no interface=\
    "wifi24g (wlan3)" internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface ovpn-server server
set auth=sha256,sha512 certificate=ovpn-server cipher=aes256-cbc \
    default-profile=ovpn enabled=yes port=1200 push-routes=\
    "192.168.11.0 255.255.255.0 10.100.0.1" require-client-certificate=yes
/ip address
add address=192.168.11.254/24 interface=bridge-LAN network=192.168.11.0
add address=62.148.19.44/29 interface="provider (ether1)" network=\
    62.148.19.40
add address=10.101.0.1/24 interface=bridge-Wifi_GUEST network=10.101.0.0
add address=10.101.0.0/24 dns-server=10.101.0.1 gateway=10.101.0.1 netmask=24
add address=192.168.11.0/24 comment="Local Network" dns-server=192.168.11.254 \
    gateway=192.168.11.254 netmask=24
/ip dns
set allow-remote-requests=yes servers=77.88.8.8,1.1.1.1,8.8.8.8
/ip firewall filter
add action=add-src-to-address-list address-list=knock-knock \
    address-list-timeout=30s chain=input packet-size=100 protocol=icmp
add action=add-src-to-address-list address-list=knock-accept \
    address-list-timeout=1m chain=input packet-size=102 protocol=icmp \
    src-address-list=knock-knock
add action=accept chain=input in-interface="ovpn S2S COD" protocol=icmp
add action=accept chain=input comment=established,related connection-state=\
    established,related
add action=drop chain=input comment=ivalid connection-state=invalid
add action=accept chain=input comment="Open VPN Server" dst-port=1200 \
    in-interface="provider (ether1)" protocol=tcp
add action=accept chain=input dst-port=22 in-interface=bridge-LAN protocol=\
    tcp
add action=accept chain=input comment="winbox for openvpn" dst-port=8291 \
    in-interface=ovpn-vpnuser protocol=tcp
add action=accept chain=input comment="winbox for LAN" dst-port=8291 \
    in-interface=bridge-LAN protocol=tcp
add action=accept chain=input comment="winbox for knocking" dst-port=8291 \
    protocol=tcp src-address-list=knock-accept
add action=accept chain=input dst-port=53 in-interface=bridge-LAN protocol=\
    udp
add action=accept chain=input in-interface=bridge-LAN protocol=icmp
add action=drop chain=input comment="drop all"
add action=accept chain=forward dst-address=192.168.11.0/24 in-interface=\
    "ovpn S2S COD"
add action=accept chain=forward comment=established,related connection-state=\
    established,related
add action=drop chain=forward comment=invalid connection-state=invalid
add action=accept chain=forward protocol=icmp
add action=drop chain=forward dst-address=10.101.0.0/24 src-address=\
    172.16.172.0/24
add action=drop chain=forward dst-address=172.16.172.0/24 src-address=\
    10.101.0.0/24
add action=drop chain=forward comment="drop new non dstnat" \
    connection-nat-state=!dstnat connection-state=new in-interface=\
    "provider (ether1)"
/ip firewall nat
add action=src-nat chain=srcnat out-interface="provider (ether1)" \
    to-addresses=62.148.19.44
add action=src-nat chain=srcnat out-interface="ovpn S2S COD" \
    to-addresses=10.12.0.2
add action=masquerade chain=srcnat disabled=yes
/ip ipsec identity
add auth-method=digital-signature certificate=vpnMikrotik disabled=yes peer=\
    Office-COD remote-certificate=euro-server
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=62.148.19.41 routing-table=main \
    suppress-hw-offload=no
add disabled=no dst-address=10.100.0.0/24 gateway=192.168.11.3 routing-table=\
    main suppress-hw-offload=no
add disabled=yes distance=1 dst-address=10.19.0.0/24 gateway=10.19.0.1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add name=vpnuser profile=ovpn service=ovpn
/system clock
set time-zone-name=Europe/Moscow
/system leds
add interface=wlan1 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-le\
    d,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan1 leds=wlan2_tx-led type=interface-transmit
add interface=wlan1 leds=wlan2_rx-led type=interface-receive
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.ru.pool.ntp.org
add address=1.ru.pool.ntp.org
add address=2.ru.pool.ntp.org
/system routerboard settings
set enter-setup-on=delete-key
/tool sniffer
set filter-interface="ovpn S2S COD" filter-ip-protocol=icmp

Same problem here with both routers being mikrotik’s. Only one direction(ovpn Client LAN → ovpn Server LAN) pings work.

Pings sent through the mikrotik’s terminals work though.

Gentlemen,
Check if you have routing set on both devices on each side

The only reference to 172.16.172.0/24 in your entire config is an entry on the firewall.
The mikrotik has no idea where to send 172.16.172.0/24 traffic it’s not in the routing table

Try starting by telling the mikrotik where to send the traffic

/ip route
add disabled=no dst-address=172.16.172.0/24 gateway=10.12.0.2 routing-table=main \
    suppress-hw-offload=no

Thank you for the response.
No, no. Traffic from the 192.168.11.0/24 network to the 172.16.172.0/24 network is working perfectly.
It’s not shown in the config, unfortunately, but when connecting to the OpenVPN server, the MikroTik receives the routes.
In my first message, I mentioned that the traffic FROM the MikroTik TO pfSense is working perfectly.

You should try to remove this src-nat rule:

/ip firewall nat
add action=src-nat chain=srcnat out-interface="ovpn S2S COD" \
    to-addresses=10.12.0.2

It changes the source address of all packets going from the clients in 192.168.11.0/24 to 172.16.172.0/24 to the address of the MikroTik router (10.12.0.2). It works if the connections are initiated from the 192.168.11.0/24 side (it’s like NAT-ing when you go out to the internet). But that rule also affects RESPONSE packets of connections initiated from the 172.16.172.0/24 side.

When 172.16.172.0/24 send packets to 192.168.11.0/24, the packet has src-address=172.16.172.A, dst-address=192.168.11.B, packets go through the VPN, to the MikroTik router. The router routes it to the corresponding client 192.168.11.B. Client B responds with a packet with src-address 192.168.11.B, dst-address=172.16.172.A. When the packet reaches the MikroTik router, because of the src-nat rule, src-address is changed to 10.12.0.2. The response packet goes through the VPN to the other side, but will be rejected because the other side did not expect a response with src-address from 10.12.0.2.

What about me, that I have set the routes correctly(at least I think so) and only terminals can ping each other with firewall disabled?

Good day again!

Sorry for the delayed response; I have to find time for testing.

I disabled the rule you specified, but unfortunately, it didn’t resolve the issue. With or without it, packets are still not reaching the local network 192.168.11.A.