Packet lost in NAT

Can’t understand, please help…
I connected the VPN and sent some packets (ping) from a PC connected to the Mikrotik, but there is 100% packet loss.
I saw in Wireshark that the Mikrotik received the ping reply from the VPN.
OK, I created a passthrough rule with logging on ICMP. And…

I see the ping reply in Raw and in Mangle from the vpn interface… But there are no ICMP packets in NAT and Filter on any interface… Why could this happen? There is no drop rule in NAT or Mangle…

Can any IP Settings option block the ping reply?

Any ideas? Please…
Maybe about how to diagnose it?

Hi Olegon,
I cannot understand you very well.
You connect a PC to a Mikrotik through VPN through Internet?
Which kind of VPN do you have?
Which IP are you using to ping?
Maybe you could do an “Export” to show us your settings, hiding sensitive information.

Regards,
Damián

I create VPN and interface vpn created with address 10.121.241.126
I connect PC directly to Mikrotik
PC - 192.168.88.70

/ip firewall mangle
add action=passthrough chain=prerouting disabled=yes in-interface=vpn log=yes protocol=icmp
add action=mark-routing chain=prerouting dst-address-list=blocked new-routing-mark=vpn passthrough=yes



/ip route
add distance=1 gateway=vpn routing-mark=vpn
add distance=1 dst-address=192.168.10.0/24 gateway=192.168.88.254 pref-src=192.168.88.1



/ip firewall nat
add action=src-nat chain=srcnat out-interface=wan src-address=192.168.0.0/16 to-addresses=xx.xx.184.187
add action=masquerade chain=srcnat out-interface=vpn



/ip firewall raw
add action=passthrough chain=prerouting disabled=yes in-interface=vpn log=yes protocol=icmp



 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S    0.0.0.0/0                          vpn                       1
 1 ADS  0.0.0.0/0                          77.37.184.1              10
 2 ADC  10.121.192.1/32    10.121.241.126  vpn                       0
 3 ADC  xx.xx.184.0/23     xx.xx.184.187   wan                       0
 4 A S  192.168.10.0/24    192.168.88.1    192.168.88.254            1
 5 ADC  192.168.88.0/24    192.168.88.1    bridge                    0

vpn route with connection mark

Now, I pinged 195.201.201.32 and can see output packets in Filter and incoming in Raw
Sep 10 07:39:33 wall firewall,info prerouting: in:vpn out:(unknown 0), proto ICMP (type 0, code 0), 195.201.201.32->10.121.241.126, len 84
But not a single incoming packet in Filter :( And none at client .70

Hello olegon,

I still don't understand you very well.

> I create VPN and interface vpn created with address 10.121.241.126

Is this the public IP which VPN clients use to connect to?

> I connect PC directly to Mikrotik
> PC - 192.168.88.70

Directly how? Ethernet cable?

Which kind of VPN are you using?

> Now, I pinged 195.201.201.32 and can see output packets in Filter and incoming in Raw

What is this public IP? How can you see the output packets?

Sorry, maybe it is my bad English.
Regards,
Damián

No, I can reveal public IP of my VPN service, 10.121.241.126 - IP at my side of VPN, internal VPN address

Yes, one end of the cable goes to the PC, the other one to the RB3011.

> Which kind of VPN are you using?

L2TP

> What is this public IP? How can you see the output packets?

It’s a random IP I chose… I pinged it without the VPN and it replied. I created a passthrough rule with logging in every table. So, I can view packets in the journal.

Nowadays, I see the reply packet from 195.201.201.32 to my PC in Mangle… And no ICMP in Filter at all…
I completely deleted all rules and the VPN config, and recreated them again without any success… I asked many specialists and nobody could help me :*(