Question about VPN, pools and subnets

I have an OpenVPN Server with the following settings:

/interface ovpn-server server
set auth=sha1 certificate=OpenVPN-Server cipher=aes256 default-profile=OpenVPN enabled=yes mode=ethernet require-client-certificate=yes

/ppp profile
add bridge=bridge local-address=192.168.87.1 name=OpenVPN remote-address=OpenVPN-Pool use-encryption=required

/ip pool
add name=OpenVPN-Pool ranges=192.168.87.2-192.168.87.254

How do I make the devices connected to the VPN able to communicate with my default local network, which uses the following pool?

add name=Default-Pool ranges=192.168.88.2-192.168.88.254

I used two pools with two DHCP servers before and they could communicate by default, so I had to drop connections with a firewall rule, but here I can't get the devices from the 192.168.87.0/24 subnet to communicate with the devices from the 192.168.88.0/24 subnet.

Check your firewall settings. Probably the packets are getting dropped somewhere.

Do you see anything out of the ordinary, because I don’t?

/ip firewall filter
add action=accept chain=input comment=OpenVPN dst-port=1194 protocol=tcp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=WAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

It depends on what is in the LAN and WAN interface lists…
You also made some changes (like changing !LAN into WAN) that could have an effect.
You also need to check whether the routing table is OK on your client devices (is there a route that sends 192.168.88.0/24 traffic to the VPN?).

I have reset my router to factory defaults. Same issues. Devices can't talk to each other.

Isn't the traffic coming from the VPN clients picked up by these rules? Technically, the connections are coming from WAN interfaces.

/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=WAN
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

Not sure about OpenVPN, but for IPsec one must exclude such traffic from fasttrack in order to avoid issues. The same applies to the main NAT rule.

The first thing to try would be to add a simple filter that allows traffic from one network to the other, and vice versa, above all other rules.

EDIT: Mmm yes, “drop all not coming from LAN”.

Yes, in the default setup you would usually want to add the VPN interface to the LAN interface list.
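The two suggestions above (an explicit allow between the two subnets placed above the default rules, and putting the VPN interface into the LAN list) as RouterOS commands. This is an added example, not config from the thread; it assumes the OpenVPN user is called "user1" and binds its interface to the static name "ovpn-user1" (both assumptions), and it keeps the default firewall rules shown earlier in the thread.

```routeros
# Added example, not part of the thread. Assumed names: user "user1",
# static interface "ovpn-user1"; the subnets are the ones from the thread.

# 1. Bind the user's dynamic OpenVPN interface to a static name, so it can
#    be referenced in interface lists and firewall rules after reconnects.
/interface ovpn-server
add name=ovpn-user1 user=user1

# 2. Put that interface into the LAN list. The default rules
#    "drop all not coming from LAN" (input) and "drop all from WAN not
#    DSTNATed" (forward) then stop treating VPN clients as WAN traffic.
/interface list member
add interface=ovpn-user1 list=LAN

# 3. Explicit forward rules between the two subnets, inserted above the
#    default fasttrack rule so they are evaluated before it.
/ip firewall filter
add chain=forward action=accept src-address=192.168.87.0/24 dst-address=192.168.88.0/24 comment="VPN -> LAN" place-before=[find comment="defconf: fasttrack"]
add chain=forward action=accept src-address=192.168.88.0/24 dst-address=192.168.87.0/24 comment="LAN -> VPN" place-before=[find comment="defconf: fasttrack"]

# 4. Verify the result: the VPN interface should be listed under LAN and
#    the two accept rules should sit above "defconf: fasttrack".
/interface list member print where list=LAN
/ip firewall filter print where chain=forward
```

Watch the counters in the last print while a VPN client tries to reach a LAN host: if the packets still hit one of the "drop" rules, the problem is not the filter but the routing or the bridged/routed choice discussed below.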

With the limited info available, it seems you are confusing "Routed" and "Bridged" VPN server setups.

As a start, for routed, remove the following and test:
/ppp profile
add bridge=bridge local-address=192.168.87.1 name=OpenVPN remote-address=OpenVPN-Pool use-encryption=required

I have disabled all of the rules and the devices still can't communicate. Anyway, like I said, if I use the default pool in the VPN profile, everything works fine, so it can't be a WAN > LAN issue.

If I remove bridge=bridge from the profile, I lose communication between devices even while using the same pool (local devices and devices connected through the VPN).

Let us see the whole config; provide the results of /export file=filenameofyourchoice hide-sensitive

There you go mate.
Export.rsc (5.48 KB)

Also see

http://forum.mikrotik.com/t/vpn-with-tun-interface/145422/10