OpenVPN tunnel between two Mikrotiks

Hi,
I would like to create an OpenVPN tunnel between two Mikrotik routers (RB750), so that the networks behind each of the routers are reachable from the other side. VPN works fine, the problem is that I cannot access the devices in the other network. Each router is running the default configuration regarding the ports and DHCP - ether1 is WAN, ether2-5 are LAN, DHCP is enabled.

Router A - server
addresses

[admin@MikroTik] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS             NETWORK         INTERFACE
 0   10.0.2.254/24       10.0.2.0        ether2-master-local
 1 D 192.168.3.193/24    192.168.3.0     ether1-gateway
 2 D 10.0.30.254/32      10.0.30.253     openvpn-inbound

routes

[admin@MikroTik] > /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS         PREF-SRC        GATEWAY             DISTANCE
 0 ADS  0.0.0.0/0                           192.168.3.254              2
 1 A S  10.0.0.0/24                         10.0.30.253                1
 2 A S  10.0.1.0/24                         10.0.30.253                1
 3 ADC  10.0.2.0/24         10.0.2.254      ether2-master-l…           0
 4 ADC  10.0.30.253/32      10.0.30.254     openvpn-inbound            0
 5 ADC  192.168.3.0/24      192.168.3.193   ether1-gateway             0

nat rules

[admin@MikroTik] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
chain=srcnat action=masquerade out-interface=ether1-gateway log=no log-prefix=""

1 chain=srcnat action=src-nat to-addresses=10.0.2.254 src-address=10.0.30.0/24 dst-address=10.0.2.0/24 log=no log-prefix=""

Router B - client. OpenVPN server is running here too, but it is used for other purposes. Client is important here - ovpn-out-b3.
addresses

[admin@MikroTik] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS             NETWORK         INTERFACE
 0   10.0.0.254/24       10.0.0.0        ether2-master-local
 1 D 192.168.3.198/24    192.168.3.0     ether1-gateway
 2 D 10.0.30.253/24      10.0.30.0       ovpn-out-b3
 3 D 10.0.1.254/32       10.0.1.240      openvpn-inbound

routes

[admin@MikroTik] > /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS         PREF-SRC        GATEWAY             DISTANCE
 0 ADS  0.0.0.0/0                           192.168.3.254              2
 1 ADC  10.0.0.0/24         10.0.0.254      ether2-master-l…           0
 2 ADC  10.0.1.240/32       10.0.1.254      openvpn-inbound            0
 3 A S  10.0.2.0/24                         10.0.30.254                1
 4 ADC  10.0.30.0/24        10.0.30.253     ovpn-out-b3                0
 5 ADC  192.168.3.0/24      192.168.3.198   ether1-gateway             0

nat rules

[admin@MikroTik] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
chain=srcnat action=masquerade out-interface=ether1-gateway log=no log-prefix=""

1 chain=srcnat action=src-nat to-addresses=10.0.0.254 src-address=10.0.1.0/24 dst-address=10.0.0.0/24 log=no log-prefix=""

When I ping from the Router A (server) or from a device in the Router A network any device in the Router B (client) network, it times out. I can see the ping traffic (packets) going through the tunnel and even exiting the Router B via the correct port, but nothing is sent back. The same is valid the other way - ping from Router B to the Router A network. All the devices respond to ping when it comes from the “home” router.

There must be something small and important that I am missing, but I am quite new to networking, so I am not able to figure out what it is. I will be very grateful for any comments.

Regards
Petr

Maybe those devices you’re trying to ping don’t like to answer when requests come from a different subnet? For example Windows computers with the default firewall do exactly that.

You are absolutely correct. I was so focused on pinging the devices first that I missed that other traffic may pass fine. Thank you.

Just curious, is there any easy way to make the ping work as well?

Petr

For Windows:

  • open Windows Firewall with Advanced Security
  • find File and Printer Sharing (Echo Request - ICMPv4-In) in Inbound Rules for your active profile
  • open its properties and select Scope tab
  • Remote IP address will contain Local subnet
  • add the other network to that
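The same scope change done from an elevated PowerShell prompt, as an added example that is not part of the thread. It assumes the NetSecurity module (Windows 8 / Server 2012 or later; a netsh equivalent for older systems is in the trailing comment), and it uses the thread's own subnets: run on a host behind Router A, the network to add is 10.0.0.0/24 behind Router B (swap the values on a host behind Router B). The function name Add-RemoteSubnetToEchoRule is mine. It appends the tunnel network to the existing Remote IP address scope rather than replacing it with "Any", so the host still only answers echo requests from its own LAN and from the far side of the VPN.

```powershell
# Added example, not from the thread: extend the scope of the built-in ICMPv4 echo
# rule so a Windows host answers pings arriving over the OpenVPN tunnel.
# Needs the NetSecurity module (Windows 8 / Server 2012+) and an elevated prompt.

# Values taken from the thread: on a host behind Router A the far LAN is Router B's.
$remoteLan = '10.0.0.0/24'
$ruleName  = 'File and Printer Sharing (Echo Request - ICMPv4-In)'

function Add-RemoteSubnetToEchoRule {
    param([string]$DisplayName, [string]$Subnet)

    # Windows ships one copy of this rule per profile (Domain, Private, Public).
    # Extend the scope on every copy; the Enabled state is left as it is, since
    # pings from the local subnet already working means the active profile's
    # copy is enabled.
    foreach ($rule in Get-NetFirewallRule -DisplayName $DisplayName) {
        $scope   = $rule | Get-NetFirewallAddressFilter
        $current = @($scope.RemoteAddress)          # default is just 'LocalSubnet'

        if ($current -contains $Subnet) {
            Write-Host "$($rule.Profile): $Subnet is already in scope"
            continue
        }

        # Append instead of replace, so 'LocalSubnet' keeps matching the home LAN
        # and the rule never widens to 'Any'.
        $newScope = $current + $Subnet
        $rule | Set-NetFirewallRule -RemoteAddress $newScope
        Write-Host "$($rule.Profile) (enabled=$($rule.Enabled)): remote addresses now $($newScope -join ', ')"
    }
}

Add-RemoteSubnetToEchoRule -DisplayName $ruleName -Subnet $remoteLan

# Show the result the same way the GUI's Scope tab does.
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress

# Windows 7 has no NetSecurity cmdlets; the netsh equivalent (updates every copy
# of the rule with that name) is:
#   netsh advfirewall firewall set rule name="File and Printer Sharing (Echo Request - ICMPv4-In)" new remoteip=localsubnet,10.0.0.0/24
```

Only the echo-request rule is touched; the other File and Printer Sharing rules keep their LocalSubnet scope, so opening ping across the tunnel does not expose SMB to the remote network as a side effect.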