OpenVPN headaches

Hi Everyone,


New to Mikrotik and RouterOS, but I have usable network experience with other platforms. I’m trying to set up remote access to a client’s site for several Windows users. Their network needs have outgrown their ISP-provided router, so I am using a HEX S with a dedicated VDSL modem in bridge mode for their internet connectivity. Their LAN has had all sorts of hodgepodge messy upgrades over the years and needs cleaning up. Right now a Windows server acts as their Active Directory domain controller, DHCP server and Windows file share server using AD-defined network mounts. They also have security cameras on the same LAN and several wifi SSIDs, which all seem to be on the same LAN. Far from ideal. Long term, I want to segregate services like guest wifi, security cameras and the staff/server network into separate VLANs; however, that is beyond the scope of my query here today. But it is worth mentioning, given it may impact any recommended solution.
They require secure remote access to their Windows server (network shares) for their mobile users when they are off-site. My thinking was to enable the OpenVPN server as per the useful guides from BGOCloud on YouTube https://www.youtube.com/watch?v=DesGuLTjGIc and tweak as needed.


To begin with, I have upgraded the factory firmware to 6.49.11.

Currently the network is as follows:
VDSL modem - static public IPv4 address
HEXs ether1 - connected to VDSL modem (which is in bridge mode)
HEXs WAN has ether1 as its interface member
HEXs LAN has bridge as its interface member
HEXs ether2, 3, 4 and 5 are in a bridge called bridge-LAN (it was created by default); I just renamed it from ‘bridge’ to ‘bridge-LAN’ to avoid confusion
The HEXs is NOT running a DHCP server on the LAN side, as the Windows Server is still running it with a 192.168.0.0/24 network
All server and client resources are on 192.168.0.0/24
The windows server is 192.168.0.251
The HEXs IP on the Bridge LAN interface is 192.168.0.254 (matching the previous setup for ease of initial implementation)
Its IP → Addresses, Address List has a default config of the address 192.168.0.254 and the network 192.168.0.0/24, assigned to interface bridge-LAN
The DHCP pool which the Windows server hands out is 192.168.0.60-192.168.0.120


As per the guide from BGOCloud above, I:
created a new bridge interface called OPENVPN-Bridge;
created the address 192.168.77.1/24, set interface OPENVPN-Bridge;
created an IP Pool for OpenVPN of 192.168.77.100-192.168.77.200;
created a firewall rule with Chain set to input, Protocol set to tcp, dest port 1194, then on the Action tab set the action to accept;
dragged the accept rule ABOVE the drop rules in the FW table, so it is not below the deny rules;
swapped to the NAT tab in the firewall, clicked add, set chain to srcnat and out-interface to ether1, then on the Action tab set the action to masquerade.

Next I generated certificates as per the BGOCloud video above. One later troubleshooting step I had to take to get it working was that in PPP → Profiles, for my new default-encryption profile, I had to change the Interface List from ‘all’ to ‘LAN’.
At some stage I also added IP → Routes, add DST address 192.168.0.0/24 with Gateway OPENVPN-Bridge, as unicast.

At this stage I can get a Mac OpenVPN client to connect correctly to the Mikrotik network, and I used the
‘pull
route 192.168.0.0 255.255.255.0’
command in the client’s .ovpn config file. The Mac can ping all clients on the 192.168.0.0/24 network and has an address on the 192.168.77.0/24 network.
HOWEVER, I run into a problem with the Windows clients, as their OpenVPN client does NOT support the pull command.
Somehow I need to tell them how to get from the OPENVPN-Bridge interface over to the bridge-LAN interface for their resources.

I cannot tell if this should be done with routes on the .ovpn client config file, or there is a better way to configure the Mikrotik side of things, given what I have done above.

I read elsewhere that proxy ARP is something which might help, but I cannot for the life of me figure out how it would apply to this network scenario and which interfaces it would need to be applied to. It mostly seems to refer to cases where the remote host is also on the same subnet as the LAN, which is not the case here.

It makes sense to me to try and keep the OPENVPN-Bridge interface and a separate pool for it, given that down the road I would like to set new subnets and VLANs for staff/server network, security cameras, guest wifi. If that makes sense. I just haven’t gone down that path yet, as it seems complex enough as is, to get it going.

Any help and pointers appreciated.
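The router-side setup described in this post, written out as RouterOS 6 CLI commands: an added example, not the poster's own export or BGOCloud's. It assumes the names used above (OPENVPN-Bridge, bridge-LAN, the default-encryption profile, the WAN/LAN interface lists and the default-config rule comment of a stock hEX), a server certificate already imported under the assumed name server-cert, and that the LAN hosts use 192.168.0.254 as their gateway.

```routeros
# Transport network for VPN clients; the bridge only hosts the server address
/interface bridge add name=OPENVPN-Bridge
/ip address add address=192.168.77.1/24 interface=OPENVPN-Bridge
/ip pool add name=ovpn-pool ranges=192.168.77.100-192.168.77.200

# Dynamic <ovpn-user> interfaces join the LAN list, so the default
# "drop all not coming from LAN" input rule treats them as inside
/ppp profile set default-encryption local-address=192.168.77.1 \
    remote-address=ovpn-pool interface-list=LAN use-encryption=required

# Certificate-based server: client certificates required, not passwords alone
/interface ovpn-server server set enabled=yes port=1194 mode=ip netmask=24 \
    certificate=server-cert require-client-certificate=yes \
    auth=sha1 cipher=aes256 default-profile=default-encryption

# Accept the OpenVPN port only on the WAN side, inserted above the
# stock hEX drop rule (matched by its default-config comment)
/ip firewall filter add chain=input action=accept protocol=tcp dst-port=1194 \
    in-interface-list=WAN comment="OpenVPN in" \
    place-before=[find comment="defconf: drop all not coming from LAN"]

# No static route to 192.168.0.0/24 is added here: it is already a connected
# route on bridge-LAN, and LAN hosts reply to 192.168.77.x via this router,
# so no extra NAT is needed for VPN-to-LAN traffic either.

# Client side (.ovpn), the same for macOS and Windows: 'route', not 'pull',
# installs the LAN prefix, because the RouterOS 6 server pushes no routes
#   route 192.168.0.0 255.255.255.0
```

If ping works but the SMB shares do not, check the server's Windows Firewall scope for File and Printer Sharing, which can be limited to the local subnet and would then ignore 192.168.77.0/24.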

I did myself a favor and stopped trying to use OpenVPN. By the looks of it the client developers are REMOVING options/functions that used to work ‘because you should be doing it better’, e.g. the PULL function. Went to WireGuard and stuff just worked. BG OpenVPN, BG.