OpenVPN Ping Issues

I feel like I have been through every tutorial and forum post out there on fixing this issue. Just like countless other posts, I am not able to ping a computer on our office LAN subnet from a computer on our remote subnet over an OpenVPN connection. I can ping the gateways from either side, but the packets will just not go through. Hopefully one of you kind souls can spot an issue in our configuration.

Server Side

# aug/27/2018 16:26:29 by RouterOS 6.42.7
# software id = 6A1G-CH30
#
# model = RouterBOARD wAP R-2nD
# serial number = 870E0760D839

/interface lte
set [ find ] mac-address=B6:9E:9D:2E:30:96 name=lte1
/interface bridge
add admin-mac=64:D1:54:7D:CE:72 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce country="united states" disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=DCMRouter wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] apn=wap.tracfone
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.1.120-192.168.1.130
add name=pool-ovpn ranges=10.255.255.2-10.255.255.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
add local-address=10.255.255.1 name=profile1 remote-address=pool-ovpn
/routing ospf area
add area-id=0.0.0.255 name=area255
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/interface ovpn-server server
set certificate=SERVER default-profile=profile1 enabled=yes netmask=32
/ip address
add address=192.168.1.111/24 comment=defconf interface=ether1 network=192.168.1.0
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.111 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.111 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input dst-port=1194 protocol=tcp
add action=accept chain=input protocol=ospf
add action=accept chain=forward src-address=10.255.255.254
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ppp secret
add name=DCRRouter1 profile=profile1
/routing ospf network
add area=area255 network=10.255.255.0/24
add area=area255 network=192.168.1.0/24
/system clock
set time-zone-autodetect=no time-zone-name=America/Kentucky/Louisville
/system logging
add topics=debug
/system ntp client
set enabled=yes server-dns-names=0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Server Routes
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY         DISTANCE
 0 ADS  0.0.0.0/0                          lte1                   2
 1 ADC  10.255.255.254/32  10.255.255.1                           0
 2 ADC  100.84.9.172/32    100.84.9.172    lte1                   0
 3 ADC  192.168.1.0/24     192.168.1.111   bridge                 0
 4 ADo  192.168.88.0/24                    10.255.255.254       110

Client Config

# aug/27/2018 16:36:28 by RouterOS 6.42.7
# software id = GXG5-3WJ6
#
# model = RouterBOARD wAP R-2nD
# serial number = 7B7307D42EF2

/interface lte
set [ find ] mac-address=46:7F:C0:A2:6C:B6 name=lte1
/interface ovpn-client
add connect-to=notreallyourname.ddns.net mac-address=02:3D:FD:9E:80:DD name=ovpn-DCMain user=DCRRouter1
/interface bridge
add admin-mac=64:D1:54:7D:C7:66 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce country="united states" disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=DCRRouter1 wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] apn=wap.tracfone
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/routing ospf area
add area-id=0.0.0.255 name=area255
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether1 network=192.168.88.0
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input protocol=ospf
add action=accept chain=forward src-address=10.255.255.0/24
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip route
add distance=1 gateway=lte1
/routing ospf network
add area=area255 network=10.255.255.0/24
add area=area255 network=192.168.88.0/24
/system clock
set time-zone-autodetect=no time-zone-name=America/Kentucky/Louisville
/system logging
add topics=debug,!ospf
/system ntp client
set enabled=yes server-dns-names=0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN


Client Routes
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY         DISTANCE
 0 A S  0.0.0.0/0                          lte1                   1
 1 ADC  10.255.255.1/32    10.255.255.254  ovpn-DCMain            0
 2 ADC  33.208.199.255/32  33.208.199.255  lte1                   0
 3 ADo  192.168.1.0/24                     10.255.255.1         110
 4 ADC  192.168.88.0/24    192.168.88.1    bridge                 0

Any ideas?

I cannot see anything wrong in the configuration. Therefore, my first step would be to add the routes to the remote sites’ LAN subnets manually on both devices to test whether there is an issue in the interworking between OSPF and OpenVPN. If it does not help (and it actually should not, it is just a much faster and simpler test than the subsequent one), I would start pinging from a device in one LAN to a device in the remote LAN and run /tool torch or /tool sniffer on the interfaces, starting from the one closest to the source and moving one by one towards the destination. So: local bridge, local ovpn interface, remote ovpn interface, remote bridge. As the src-address and dst-address parameters of /tool torch behave non-intuitively, the torch parameters should be src-address=0.0.0.0/0 dst-address=0.0.0.0/0 ip-protocol=icmp.

If you can see the ping at the MikroTik interface which is most distant from the ping source (i.e. on the remote bridge), the issue is a firewall on the ping destination device in the remote LAN (and this is what I suspect most). If it disappears sooner, watch the path between the last interface where you can see it and the next one closely. As stated above, I could not find any firewall rule in either configuration which could prevent the packets from being forwarded, but maybe there is something well hidden. If it disappears between the OpenVPN interfaces, you’ll have to sniff simultaneously on the ovpn interface and the WAN interface of the same device into a file, open the file in Wireshark and check whether an ICMP packet (on the ovpn interface) is immediately followed by a slightly larger TCP packet with one of the ports being 1194 (on the WAN interface) on the sending side, and vice versa on the receiving side.

Thanks so much for the response, Sindy. I was convinced I was just glossing over something and was really hoping that someone was going to respond with “you messed up line 3, dummy.” But I am glad to have a direction to head in. I’m setting up to test right now. I forgot to mention that I used the LTE quickset for the initial settings of the device. Not sure if that would make any kind of difference. I’ll post some results from the torch tool shortly.

Networks
Local Subnet: 192.168.1.0/24
Remote Subnet: 192.168.88.0/24
Local VPN GW: 10.255.255.1
Remote VPN GW: 10.255.255.253

Continuous ping from 192.168.1.129 to 192.168.88.217

Torch Results
Local Bridge - Can see ping (Src - 192.168.1.129, Dst - 192.168.88.217)
Local OVPN - I see a ping, but it seems to be the wrong way (Src - 192.168.88.217, Dst - 192.168.1.129). Is this the return of the ping? If so, where is the ping going out?
Remote OVPN - Can see ping (Src - 192.168.1.129, Dst - 192.168.88.217)
Remote Bridge - Can see ping, but it is reversed again (Src - 192.168.88.217, Dst - 192.168.1.129)

Forget about the dst-address and src-address indicated; they are assigned in a hard-to-understand way. Look at the Rx and Tx columns at the right side of the line. If both count, both the request and the response are there; if only one of them counts, only the requests pass through that interface.
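The two checks Sindy describes (walking the ping hop by hop with torch and reading the Rx/Tx counters, then pairing inner ICMP with the outer TCP/1194 carrier on the same router) can be written down as code. The following is an added example, not something posted in the thread or shipped with RouterOS: it takes torch counters keyed by the four hop names from the reply and a list of packet records such as you would export from a /tool sniffer capture, and reports where the echo request or its reply disappears. The sample capture and counters are constructed; the public addresses in it are placeholders, and the Packet record layout is an assumption of this example rather than a RouterOS format.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hop order from the reply: walk from the ping source toward the destination.
PATH = ["local bridge", "local ovpn", "remote ovpn", "remote bridge"]


def diagnose_path(counts: Dict[str, Tuple[int, int]]) -> str:
    """Interpret per-hop /tool torch counters taken with ip-protocol=icmp.

    counts maps a hop name from PATH to its (Rx, Tx) packet counters. Both
    counting means requests and replies pass that hop; exactly one counting
    means only requests pass; neither counting means the request never got there.
    """
    # Forward pass: how far does the echo request get?
    for i, hop in enumerate(PATH):
        rx, tx = counts.get(hop, (0, 0))
        if rx == 0 and tx == 0:
            if i == 0:
                return "request never reaches the local bridge: look at the ping source host"
            return f"request lost between '{PATH[i - 1]}' and '{hop}'"
    # Backward pass: requests reach the far end, so how far does the reply get?
    for j in range(len(PATH) - 1, -1, -1):
        rx, tx = counts.get(PATH[j], (0, 0))
        if rx == 0 or tx == 0:
            if j == len(PATH) - 1:
                return "request reaches the remote bridge but no reply comes back: check the firewall on the destination host"
            return f"reply lost between '{PATH[j + 1]}' and '{PATH[j]}'"
    return "request and reply pass every hop: the routers are not dropping the ping"


@dataclass
class Packet:
    iface: str
    ts: float          # capture timestamp, seconds
    proto: str         # "icmp" or "tcp"
    src: str
    dst: str
    length: int        # bytes on the wire
    sport: int = 0
    dport: int = 0


def match_encapsulation(packets: List[Packet], ovpn_iface: str, wan_iface: str,
                        vpn_port: int = 1194, max_delay: float = 0.005
                        ) -> List[Tuple[Packet, Optional[Packet]]]:
    """Pair each ICMP packet on the OpenVPN interface with the TCP packet on the
    WAN interface that carries it: one port equal to vpn_port, slightly larger
    than the ICMP packet, and captured within max_delay seconds of it (after it
    when this router is sending, before it when it is receiving). An ICMP packet
    with no carrier is one the tunnel never transported.
    """
    carriers = sorted((p for p in packets
                       if p.iface == wan_iface and p.proto == "tcp"
                       and vpn_port in (p.sport, p.dport)),
                      key=lambda p: p.ts)
    inner = sorted((p for p in packets if p.iface == ovpn_iface and p.proto == "icmp"),
                   key=lambda p: p.ts)
    used = set()          # carrier indexes already paired, so one TCP segment explains one ICMP packet
    results = []
    for icmp in inner:
        carrier = None
        for idx, tcp in enumerate(carriers):
            if idx in used:
                continue
            if abs(tcp.ts - icmp.ts) <= max_delay and tcp.length > icmp.length:
                carrier = tcp
                used.add(idx)
                break
        results.append((icmp, carrier))
    return results


def unmatched_icmp(results: List[Tuple[Packet, Optional[Packet]]]) -> List[Packet]:
    """ICMP packets that reached the ovpn interface but never appeared on the WAN side."""
    return [icmp for icmp, carrier in results if carrier is None]


# Constructed sample: the remote router's ovpn-DCMain and lte1 interfaces sniffed
# together while 192.168.88.217 answers pings from 192.168.1.129. The public
# destination addresses are constructed placeholders, not the thread's endpoints.
SAMPLE_CAPTURE = [
    Packet("ovpn-DCMain", 0.000, "icmp", "192.168.88.217", "192.168.1.129", 74),
    Packet("lte1", 0.001, "tcp", "33.208.199.255", "203.0.113.10", 135, sport=51234, dport=1194),
    Packet("ovpn-DCMain", 1.000, "icmp", "192.168.88.217", "192.168.1.129", 74),
    Packet("lte1", 1.001, "tcp", "33.208.199.255", "203.0.113.10", 135, sport=51234, dport=1194),
    Packet("ovpn-DCMain", 2.000, "icmp", "192.168.88.217", "192.168.1.129", 74),
    Packet("lte1", 2.002, "tcp", "33.208.199.255", "198.51.100.7", 60, sport=40000, dport=443),
]

# Constructed torch counters matching the thread's outcome: requests pass every
# hop, but the destination host never answers.
SAMPLE_COUNTS = {"local bridge": (12, 0), "local ovpn": (0, 12),
                 "remote ovpn": (12, 0), "remote bridge": (0, 12)}

if __name__ == "__main__":
    print(diagnose_path(SAMPLE_COUNTS))
    for icmp, carrier in match_encapsulation(SAMPLE_CAPTURE, "ovpn-DCMain", "lte1"):
        status = (f"carried by TCP {carrier.sport}->{carrier.dport} ({carrier.length} B)"
                  if carrier else "NOT carried")
        print(f"{icmp.ts:6.3f} icmp {icmp.src} -> {icmp.dst}: {status}")
```

The third ICMP packet in the sample has no TCP/1194 segment within 5 ms, so it is reported as not carried; on a real capture that is exactly the packet whose fate you would then chase (ovpn interface MTU, the tunnel dropping, or a forward-chain rule), while a list with no unmatched packets tells you to move on to the far side.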

Sindy, I appreciate your time in helping me troubleshoot my issues. I’m embarrassed to say it was the Windows firewall. I should have checked it a long time ago. These two machines could ping each other no problem when they were attached to our regular office network, since it is a “Private” network. Once I had them connected to the MikroTik, which was tagged as a public network, the ping was failing. After following your troubleshooting directions I attempted to disable the firewall altogether and everything started flowing. The weird thing is that the firewall rule to allow ping echoes is enabled for domain, private and public networks. But that’s a completely separate issue. Thanks for your time.