Hello,
I’m trying to implement a site to site VPN with two mikrotiks, as in the image:
The server has a LAN on 192.168.20.0/24, and the IP of the VPN is 192.168.200.1.
The client has a LAN on 10.10.2.0/24, and the IP of the VPN is 192.168.200.2.
I added the routes manually:
In server: 10.10.2.0/24 → 192.168.200.2
In client: 192.168.20.0/24 → 192.168.200.1
From the server LAN I can ping the router 10.10.2.1 and a client 10.10.2.10.
From the client LAN I can ping the router 192.168.20.1 BUT I CAN'T PING 192.168.20.20…
Server RB5009UG+S+ RouterOS 7.12.1
Client RB941-2nD RouterOS 6.49.10
Any advice?
Thanks
Hi.
Routes are correct.
I don't have experience with OVPN, I am using WireGuard for Site2Site, so I can't say anything about this kind of configuration. But it looks like an issue with firewall rules to me. Maybe you didn't enable something there?
I don’t have firewall rules. In none of the sites…
And as I wrote, from the server to client it works.
Doesn’t work from client to server…
And I also try with SSTP VPN. And the behavior is the same…
Are you masquerading on both sites or accepting traffic in the NAT tab?
I'm only masquerading the outgoing traffic to the internet via ether1.
What should I do?
As I said, I have only WireGuard experience in Site2Site so I'm thinking about that configuration, but maybe you can try to add another masquerade rule on both sites with out-interface=<name_of_ovpn_tunnel> and the IP address of the tunnel itself (depending on the site).
Before doing it be sure to enable any other VPN connection for yourself - if something goes wrong you can connect to the router and rollback/disable changes.
If masquerade works out, be aware that all traffic on the other side of the tunnel will "come in" with IP 192.168.200.1 or 192.168.200.2. I'm writing this down because you probably HAVE firewall rules but just disabled them for testing purposes, and maybe you will have to add some of them accordingly to these changes.
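The configuration the reply above suggests, written out as an added example (not from anyone in the thread), plus the checks a practitioner would run on the server while the failing ping is in progress. Assumed names: the OVPN binding on the server is `ovpn-in1`, the client's tunnel interface is `ovpn-out1`, and the server LAN sits on a bridge called `bridge`.

```routeros
# Added example; interface names ovpn-in1, ovpn-out1 and bridge are assumptions.
#
# --- Server (LAN 192.168.20.0/24, tunnel IP 192.168.200.1) ---
/ip route add dst-address=10.10.2.0/24 gateway=192.168.200.2 comment="client LAN via OVPN"
# Masquerade only on the tunnel, not the whole router: packets arriving at the
# far side now carry 192.168.200.1 as source, so far-side rules that match on
# LAN source addresses will no longer see the real host.
/ip firewall nat add chain=srcnat out-interface=ovpn-in1 action=masquerade \
    comment="OVPN site-to-site"
# Restrict what the tunnel may reach (the thread has no filter rules yet):
/ip firewall filter add chain=forward in-interface=ovpn-in1 \
    dst-address=192.168.20.0/24 action=accept comment="client LAN -> server LAN"
/ip firewall filter add chain=forward in-interface=ovpn-in1 action=drop \
    comment="nothing else from the tunnel"

# --- Client (LAN 10.10.2.0/24, tunnel IP 192.168.200.2) ---
/ip route add dst-address=192.168.20.0/24 gateway=192.168.200.1 comment="server LAN via OVPN"
/ip firewall nat add chain=srcnat out-interface=ovpn-out1 action=masquerade \
    comment="OVPN site-to-site"

# --- Checks on the server while 10.10.2.10 pings 192.168.20.20 ---
/ip route print where dst-address=10.10.2.0/24
/ip firewall nat print stats
/ip firewall connection print where dst-address~"192.168.20.20"
# If echo requests leave the bridge but no replies come back, the router is
# forwarding correctly and the host itself (its firewall, or a default gateway
# other than 192.168.20.1) is the next place to look.
/tool sniffer quick interface=bridge ip-protocol=icmp
```

The masquerade rules and the forward filters are independent; the filters work with or without NAT, but with NAT they must match on the tunnel IP rather than on 10.10.2.0/24 as source.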