OpenVPN Routing Problem

Hello,

I have a RouterBoard 411U running as an OpenVPN client to our network.
The OpenVPN server is configured with a TUN device as Host-to-Net.
I can ping from the RouterBoard to our network and vice versa, but from a host connected to the RouterBoard I cannot ping our network. The ping package seems not to leave the router.

Do you have any ideas?

Here is the address-list:

 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   192.168.88.1/24    192.168.88.0    192.168.88.255  LAN
 1 D 77.25.230.206/32   10.112.112.126  0.0.0.0         Vodafone
 2 D 10.10.10.14/32     10.10.10.1      0.0.0.0         ovpn

Here is the routing-list:

 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          10.112.112.126     1
 1 ADC  10.10.10.1/32      10.10.10.14     ovpn               0
 2 ADC  10.112.112.126/32  77.25.230.206   Vodafone           0
 3 ADS  192.168.55.0/24                    10.10.10.1         1
 4 ADC  192.168.88.0/24    192.168.88.1    LAN                0

You have to add a route so that the router knows about your private network located on the other end of the ovpn tunnel.

Well, we still have the same problem. Let me be more detailed:
We have Firewall FW999 with the Routerboard RB411U. OpenVPN runs on both. FW999 is the server.

Behind FW999 is a local net 192.168.55.0; behind RB411U is a local net 192.168.88.0.

  1. ping from RB411 to FW999 works and is logged on both devices in the firewall log
  2. ping from FW999 to RB411 works too and is logged on both devices in the firewall log.
  3. ping from 192.168.88.40 through RB411 over VPN to FW999 fails.
    RB411 firewall log confirms pass of ping request from LAN to ovpn device.
    But on FW999 nothing seems to arrive.

What is wrong?
I assume the ping does not even leave RB411.

=====================================

RouterBoard RB411U:
LAN interface: 192.168.88.1
UMTS interface: 77.24.215.174
openvpn interface: 10.10.10.10

 0   192.168.88.1/24    192.168.88.0    192.168.88.255  LAN
 1 D 77.24.215.174/32   10.112.112.129  0.0.0.0         Vodafone
 2 D 10.10.10.10/32     10.10.10.1      0.0.0.0         ovpn

 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          10.112.112.129     1
 1 A S  10.10.10.0/24                      ovpn               1
 2 ADC  10.10.10.1/32      10.10.10.10     ovpn              0
 3 ADC  10.112.112.129/32  77.24.215.174   Vodafone           0
 4 ADS  192.168.55.0/24                    10.10.10.1         1
 5 ADC  192.168.88.0/24    192.168.88.1    LAN                0

Other VPN End Point, FW999
LAN interface 192.168.55.254
WAN interface 212.213.33.86
VPN interface 10.10.10.1

eth0 inet addr:192.168.55.254  Bcast:192.168.55.255  Mask:255.255.255.0
eth3 inet addr:212.213.33.86   Bcast:212.213.33.87   Mask:255.255.255.248
tun0 inet addr:10.10.10.1        P-t-P:10.10.10.2    Mask:255.255.255.255



Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.10.10.2       0.0.0.0        255.255.255.255  UH    0      0        0 tun0
212.213.33.80    0.0.0.0        255.255.255.248  U      0      0        0 eth3
192.168.55.0     0.0.0.0        255.255.255.0    U      0      0        0 eth0
10.10.10.0       10.10.10.2     255.255.255.0    UG     0      0        0 tun0
192.168.88.0     10.10.10.2     255.255.255.0    UG     0      0        0 tun0
0.0.0.0          212.213.33.81  0.0.0.0          UG     0      0        0 eth3
  1. ping from RB411 to FW999 works and is logged on both devices in the firewall log
RB411U> /ping 10.10.10.1
10.10.10.1 64 byte ping: ttl=64 time=506 ms
10.10.10.1 64 byte ping: ttl=64 time=251 ms
10.10.10.1 64 byte ping: ttl=64 time=231 ms
10.10.10.1 64 byte ping: ttl=64 time=211 ms
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 211/299.7/506 ms
  2. ping from FW999 to RB411 works too and is logged on both devices in the firewall log.
FW999> ping 10.10.10.10
PING 10.10.10.10 (10.10.10.10): 56 data bytes
64 bytes from 10.10.10.10: icmp_seq=0 ttl=64 time=484.314 ms
64 bytes from 10.10.10.10: icmp_seq=1 ttl=64 time=325.186 ms
64 bytes from 10.10.10.10: icmp_seq=2 ttl=64 time=304.610 ms
64 bytes from 10.10.10.10: icmp_seq=3 ttl=64 time=304.906 ms
64 bytes from 10.10.10.10: icmp_seq=4 ttl=64 time=359.455 ms
--- 10.10.10.10 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 304.610/355.694/484.314/67.345 ms
  3. ping to or from 192.168.88.40 fails
FW999> ping 192.168.88.40
PING 192.168.88.40 (192.168.88.40): 56 data bytes
--- 192.168.88.40 ping statistics ---
6 packets transmitted, 0 packets received, 100% packet loss
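
Added example, not part of the original post: a longest-prefix-match lookup over the two routing tables posted above, checking whether each end sends the working ping (router to FW999) and the failing ping (LAN host to FW999's LAN address) into the tunnel in both directions. The function names `egress` and `tunnel_both_ways` are hypothetical; the table entries are transcribed from the post.

```python
import ipaddress

# Added illustration: tables transcribed from the post above as
# (destination, gateway IP or None, interface or None). Names are hypothetical.
RB411U = [
    ("0.0.0.0/0", "10.112.112.129", None),
    ("10.10.10.0/24", None, "ovpn"),
    ("10.10.10.1/32", None, "ovpn"),
    ("10.112.112.129/32", None, "Vodafone"),
    ("192.168.55.0/24", "10.10.10.1", None),
    ("192.168.88.0/24", None, "LAN"),
]
FW999 = [
    ("10.10.10.2/32", None, "tun0"),
    ("212.213.33.80/29", None, "eth3"),
    ("192.168.55.0/24", None, "eth0"),
    ("10.10.10.0/24", "10.10.10.2", "tun0"),
    ("192.168.88.0/24", "10.10.10.2", "tun0"),
    ("0.0.0.0/0", "212.213.33.81", "eth3"),
]


def egress(table, dst, depth=0):
    """Longest-prefix match; a gateway-only route is resolved through the table again."""
    if depth > 4:
        raise ValueError("gateway resolution loop")
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in table:
        n = ipaddress.ip_network(net)
        if addr in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, gw, iface)
    if best is None:
        return None  # no route at all
    _, gw, iface = best
    return iface if iface else egress(table, gw, depth + 1)


def tunnel_both_ways(src, dst):
    """RB411U sends dst into the tunnel and FW999 routes replies to src back into it."""
    return egress(RB411U, dst) == "ovpn" and egress(FW999, src) == "tun0"


if __name__ == "__main__":
    for src, dst in [("10.10.10.10", "10.10.10.1"),        # router itself: works per the post
                     ("192.168.88.40", "192.168.55.254")]:  # LAN host: fails per the post
        print(src, "->", dst, "tunnel both ways:", tunnel_both_ways(src, dst))
```

Both flows resolve to the tunnel interface in each direction, so the tables as posted treat the working and the failing ping the same; the two differ only in the source address carried inside the tunnel. An OpenVPN server additionally keeps its own per-client routes (`iroute`, set through `client-config-dir`) apart from the kernel table, a check on FW999 that the thread does not report.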

Well - I know this topic is about 3 years old. But I’m having the same problem (running RouterOS 6.0RC6).

The MikroTik router (as OVPN client) establishes the OVPN connection and can also access resources in the connected network. But clients connected to the MikroTik router can’t. The traceroute on the clients shows that packets got lost in the MikroTik router.

Has anyone solved this problem?

Deleted because not related.

Hello,
I am also experiencing the same problem. I even made a new thread about it (I know I should’ve used the search), but I cannot find a solution to this problem, so a bit of help would be much appreciated.

The private LAN cannot ping the other private LAN via the OpenVPN connection. I’ve used the sniffer and the ping just does not get past the MikroTik. It works with setting a masquerade rule in the filter nat, but why masquerade?

thanks and kind regards.

mrz, I suppose you know your products need a good knowledge base. This is the second place where a customer comes for answers because your main wiki isn’t updated. SO: Could you give a good, educated and respectful answer, please?

You are answering in a rude way just because you don’t care, but your username is backed up by the MikroTik brand, and just because of that, and if you want to continue selling hardware that runs RouterOS, you should make a bigger effort, and you could go and UPDATE the wiki if you really KNOW the answer. If you don’t know the exact answer, don’t even bother writing.