Hello Everyone,
I have a MikroTik router with the LAN pool 192.168.5.1 - 255.
I'm serving OpenVPN from a QNAP NAS, with the VPN IP pool 10.8.0.2-255.
When I connect through the VPN I can reach my LAN with no problem (both hosts and the router).
When I try to connect to a VPN client from the LAN (for example 192.168.5.22 -> 10.8.0.6) nothing happens: pings are rejected, and so on.
Is this even possible? I want to connect both of my company's offices for CCTV monitoring in both directions.
I took this job just a few days ago from another admin. I'm not a total beginner, but I have never worked on MikroTiks. I'm sure there's a lot of garbage in our settings, but I'm not yet ready to reconfigure the whole network. Also, I'm not a professional, so sorry for any naive questions.
feb/24/2021 09:33:26 by RouterOS 6.48.1
software id = YXUP-DC93
model = RouterBOARD 941-2nD
serial number = 661705A57AD3
# RouterOS export (reviewed). Layout: bridge/interfaces, addresses, DHCP,
# firewall filter (input/forward/output plus three custom chains), mangle,
# NAT, routes. Firewall rules are evaluated top to bottom per chain; the first
# matching rule wins.
# NOTE(review): this paste contains two public addresses (input rules below),
# client MAC addresses and the board serial from the export header; redact
# those before sharing the export further.
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
# "*1" is an unresolved interface reference (the original interface presumably
# no longer exists); harmless, but worth removing.
add bridge=bridge comment=defconf interface=*1
add bridge=bridge interface=ether4
add bridge=bridge interface=wlan1
/interface bridge settings
# Bridged (LAN-to-LAN) frames also traverse /ip firewall. Required if the
# filter/mangle rules below are meant to see LAN-side traffic towards the VPN
# pool; it costs CPU on this board.
set use-ip-firewall=yes
/ip neighbor discovery-settings
# Neighbor discovery disabled on all interfaces (good); the "discover"
# interface list below is therefore unused.
set discover-interface-list=none protocol=""
/interface l2tp-server server
# L2TP is only accepted inside IPsec; whether the L2TP server is enabled at all
# is not visible in this export.
set use-ipsec=required
/interface list member
add interface=ether1 list=discover
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=bridge list=discover
add interface=pppoe-out1 list=discover
add interface=pppoe-out2 list=discover
# MAC-telnet and MAC-winbox only on the LAN bridge, not on the uplink ports.
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
add interface=wlan1 list=discover
/interface ovpn-server server
# The router's own OpenVPN server. The tunnel this question is about is the
# one on the NAS (192.168.5.3), reached through the udp/1194 dst-nat rule
# below; whether this server is enabled is not visible here. auth=sha1 is the
# HMAC, not the cipher.
set auth=sha1 certificate=Server cipher=aes256 require-client-certificate=yes
/interface pptp-server server
# PPTP (MS-CHAPv2/MPPE) is considered broken; its enabled state is not shown
# in this export -- confirm it is off if not needed.
set default-profile=default mrru=1600
/interface sstp-server server
set authentication=mschap2 certificate=Server force-aes=yes pfs=yes
/interface wireless access-list
# Single permitted wireless client; only enforced if wlan1 has
# default-authentication=no (not part of this export).
add allow-signal-out-of-range=10m mac-address=A4:50:46:3E:91:E7 vlan-mode=no-tag
/ip address
add address=192.168.5.1/24 comment=defconf interface=bridge network=192.168.5.0
# NOTE(review): the network address 192.168.5.0/24 is assigned to wlan1, which
# is already a bridge port covered by the bridge address above -- looks like a
# leftover; remove.
add address=192.168.5.0/24 interface=wlan1 network=192.168.5.0
/ip arp
# Static ARP pins for the alarm, admin, NAS and monitoring hosts. They only
# prevent ARP spoofing of these hosts if the bridge has arp=reply-only (not
# shown here); otherwise they are just static entries.
add address=192.168.5.5 comment=Jablotron interface=bridge mac-address=00:13:B0:05:16:95
add address=192.168.5.22 comment=pd-adm interface=bridge mac-address=D8:CB:8A:5D:88:BC
add address=192.168.5.3 comment=Nas-1 interface=bridge mac-address=24:5E:BE:03:42:49
add address=192.168.5.2 comment=Monitoring interface=bridge mac-address=9C:14:63:68:FD:8E
add address=192.168.5.150 interface=bridge mac-address=4C:52:62:25:15:00
/ip cloud
# IP cloud settings; whether DDNS is enabled is not shown in this export.
set update-time=no
/ip cloud advanced
set use-local-address=yes
/ip dhcp-client
# DHCP clients on both Ethernet uplinks, ISP DNS ignored.
add comment=defconf disabled=no interface=ether1 use-peer-dns=no
add disabled=no interface=ether2-master use-peer-dns=no
/ip dhcp-server lease
add address=192.168.5.22 mac-address=D8:CB:8A:5D:88:BC server=defconf
/ip dhcp-server network
# LAN clients are handed 192.168.5.53 as resolver; the DNS redirect NAT rules
# below additionally force whitelisted hosts to it.
add address=192.168.5.0/24 comment=defconf dns-server=192.168.5.53 gateway=192.168.5.1 netmask=24
/ip firewall filter
# fasttrack first: once a forward connection is established, its packets skip
# the rest of filter/mangle/NAT, so the netmap and mangle rules further down
# only ever see the first packets of a connection.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
# NOTE(review): the LAN <-> VPN-pool accepts match on addresses only, with no
# in-interface. A packet arriving on a WAN interface with a forged 10.8.0.x
# source is therefore accepted into the LAN here, before the "drop all from WAN
# not DSTNATed" rules further down. Since the NAS terminates the tunnel, both
# directions enter the router from the LAN side, so both rules can safely carry
# in-interface=bridge.
add action=accept chain=forward dst-address=10.8.0.0/24 src-address=192.168.5.0/24
add action=accept chain=forward dst-address=192.168.5.0/24 src-address=10.8.0.0/24
# Port-scan detection: add-src-to-address-list does not drop by itself; the
# "dropping port scanners" rule below does. Only LAN sources are exempt, so
# every other interface (including the VPN pool via the NAS) can land on the
# list.
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=none-static chain=input comment=
"8291 port scanners to list " dst-port=8291 log-prefix="8291 scanner" protocol=tcp src-address=!192.168.5.0/24 tcp-flags=
""
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=none-static chain=input comment=
"Port scanners to list " log-prefix=PortScanner protocol=tcp psd=21,3s,3,1 src-address=!192.168.5.0/24 tcp-flags=""
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment=
"NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/FIN scan"
protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/RST scan"
protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="FIN/PSH/URG scan"
protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="ALL/ALL scan"
protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP NULL scan"
protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=none-static chain=input comment=
"port 111 UDP" dst-port=111 log-prefix="port 111" protocol=udp
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=none-static chain=input comment=
"port 19 UDP" dst-port=19 log-prefix="port 19" protocol=udp
# Drops a handful of router services from non-LAN sources; all other router
# services rely on the scanner list and on the WAN drop-all rules below.
add action=drop chain=input comment=nmap dst-port=80,8080,5060,443 log-prefix="drop nmap" protocol=tcp src-address=
!192.168.5.0/24
add action=drop chain=input comment="dropping port scanners" log-prefix="dropping port scanners" src-address=!192.168.5.0/24
src-address-list="port scanners"
# NOTE(review): the catch-all WAN drops name only ether1 and ether2-master.
# If pppoe-out1/pppoe-out2 are active uplinks (the masquerade rule below uses
# out-interface=all-ppp), nothing terminates the input chain for them, so every
# router service not explicitly dropped above stays reachable from the
# Internet. Add the same rule for the PPPoE interfaces, or better, match on a
# WAN interface list.
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether2-master
# "podlaczone nie nasze" (Polish: "connected, not ours"): presumably the
# router's own public addresses, open only to 'whitelist' sources. These match
# only while those addresses are still assigned; confirm they are current.
add action=drop chain=input comment="podlaczone nie nasze" dst-address=95.215.67.133 log-prefix=drop src-address=
!192.168.5.0/24 src-address-list=!whitelist
add action=drop chain=input comment="Drop all connections from blacklist" log-prefix=BLOCKED src-address-list=blacklist
add action=drop chain=input comment="podlaczone nie nasze" dst-address=79.186.40.239 log-prefix=drop src-address=
!192.168.5.0/24 src-address-list=!whitelist
# Only pppoe-out1 is covered by these three rules; pppoe-out2 is not.
add action=drop chain=input dst-port=53 in-interface=pppoe-out1 log-prefix=53UDP protocol=udp
add action=drop chain=input dst-port=53 in-interface=pppoe-out1 log=yes log-prefix=53TCP protocol=tcp
add action=drop chain=input dst-port=445 in-interface=pppoe-out1 protocol=tcp
# Unreachable: everything arriving on ether1/ether2-master was already dropped
# by the "drop all from WAN" rules above.
add action=drop chain=input connection-state=new dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=input connection-state=new dst-port=53 in-interface=ether2-master protocol=udp
add action=drop chain=input connection-state=new dst-port=53 in-interface=ether1 protocol=tcp
add action=drop chain=input connection-state=new dst-port=53 in-interface=ether2-master protocol=tcp
# The following apply to every interface, LAN included (no in-interface or
# src-address match), except the SSDP rule which exempts LAN sources.
add action=drop chain=input comment="port 111 UDP - SunRPC" dst-port=111 log=yes log-prefix="port 111" protocol=udp
add action=drop chain=input comment="port 19 UDP" dst-port=19 log=yes log-prefix="port 19" protocol=udp
add action=drop chain=input comment="port 1900 - SSDP, UpnP" dst-port=1900 log=yes log-prefix="port 1900" protocol=udp
src-address=!192.168.5.0/24
add action=drop chain=input comment="Port 1080 - SOCKS" dst-port=1080 log=yes log-prefix="port 1080" protocol=tcp
add action=drop chain=input comment="Port 6969 - Assasin" dst-port=6969 log=yes log-prefix="port 6969" protocol=tcp
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# Multicast/bogon drops in forward. They sit after the accept rules above, so
# traffic already accepted there is unaffected.
add action=drop chain=forward dst-address=224.0.0.0/3
add action=drop chain=forward comment="dropping port scanners" src-address=!192.168.5.0/24 src-address-list="port scanners"
add action=drop chain=forward log-prefix=fwall src-address-list=blacklist
add action=drop chain=forward src-address=0.0.0.0/8
# NOTE(review): as in the input chain, only ether1/ether2-master are covered;
# the PPPoE uplinks have no equivalent forward drop.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat
connection-state=new in-interface=ether1
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat
connection-state=new in-interface=ether2-master
add action=drop chain=output comment="Drop all connections from blacklist" log=yes log-prefix=BLOCKED src-address-list=
blacklist
add action=drop chain=forward dst-address=0.0.0.0/8
add action=drop chain=forward src-address=127.0.0.0/8
add action=drop chain=forward dst-address=127.0.0.0/8
add action=drop chain=forward src-address=224.0.0.0/3
# NOTE(review): the custom chains icmp, tcp and udp are only entered through a
# jump rule, and no jump appears in this export -- these rules are presumably
# never evaluated. The "deny TFTP" comment on tcp/5060 is mislabeled (5060 is
# SIP; TFTP is udp/69 further down).
add action=drop chain=icmp comment="deny all other types" log=yes log-prefix="deny all other types"
add action=drop chain=tcp comment="Drop all connections from blacklist" log=yes log-prefix=BLOCKED src-address-list=blacklist
add action=drop chain=udp comment="Drop all connections from blacklist" log=yes log-prefix=BLOCKED src-address-list=blacklist
add action=drop chain=tcp comment="deny TFTP" dst-port=5060 log=yes log-prefix="deny 5060" protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" dst-port=111 log=yes log-prefix="deny RPC portmapper" protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" dst-port=135 log=yes log-prefix="deny RPC portmapper" protocol=tcp
add action=drop chain=tcp comment="deny NBT" dst-port=137-139 log=yes log-prefix="deny NBT" protocol=tcp
add action=drop chain=tcp comment="deny cifs" dst-port=445 log=yes log-prefix="deny cifs" protocol=tcp
add action=drop chain=tcp comment="deny NFS" dst-port=2049 log=yes log-prefix="deny NFS" protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=12345-12346 log=yes log-prefix="deny NetBus" protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=20034 log=yes log-prefix="deny NetBus" protocol=tcp
add action=drop chain=tcp comment="deny BackOriffice" dst-port=3133 log=yes log-prefix="deny BackOriffice" protocol=tcp
add action=drop chain=udp comment="deny TFTP" dst-port=69 log=yes log-prefix="deny TFTP" protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" dst-port=111 log=yes log-prefix="deny PRC portmapper" protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" dst-port=135 log=yes log-prefix="deny PRC portmapper" protocol=udp
add action=drop chain=udp comment="deny NBT" dst-port=137-139 log=yes log-prefix="deny NBT" protocol=udp
add action=drop chain=udp comment="deny NFS" dst-port=2049 log=yes log-prefix="deny NFS" protocol=udp
add action=drop chain=udp comment="deny BackOriffice" dst-port=3133 log=yes log-prefix="deny BackOriffice" protocol=udp
/ip firewall mangle
# Disabled policy-routing mark for the (also disabled) 'pd' route below.
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=pd passthrough=no src-address=192.168.5.0/24
# Debug rule: logs every packet from the bridge towards the VPN pool, and
# 'accept' ends mangle processing for them. Useful while chasing this problem,
# noisy otherwise -- disable when done.
add action=accept chain=prerouting dst-address=10.8.0.0/24 in-interface=bridge log=yes log-prefix=prerouting
/ip firewall nat
# Masquerade only on PPP uplinks; traffic leaving via ether2-master (the
# default route below) is not masqueraded here -- presumably the upstream
# device at 192.168.100.1 NATs; confirm.
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=all-ppp
# NOTE(review): disabled, but a public tcp/63333 -> 192.168.5.22:4444 forward
# to the admin workstation looks like a test leftover; delete it rather than
# keep it disabled.
add action=dst-nat chain=dstnat comment=netcat disabled=yes dst-port=63333 log=yes log-prefix=63333 protocol=tcp to-addresses=
192.168.5.22 to-ports=4444
# NOTE(review): OpenVPN terminates on the NAS. This rule has no dst-address or
# in-interface match, so any udp/1194 crossing the router -- including a LAN
# host connecting to an outside OpenVPN server -- is redirected to the NAS.
# Scope it with in-interface (the WAN interface) or dst-address (the WAN
# address).
add action=dst-nat chain=dstnat comment=OpenVPN dst-port=1194 log=yes log-prefix=openvpn protocol=udp to-addresses=192.168.5.3
add action=dst-nat chain=dstnat comment=QbeltVPN disabled=yes dst-port=9891 log=yes log-prefix=openvpn protocol=udp
to-addresses=192.168.5.3 to-ports=9891
# DNS redirect to the internal resolver. Both source and destination must be in
# 'whitelist', which looks unintended (normally only the source is
# constrained); check the list contents.
add action=dst-nat chain=dstnat dst-address=!192.168.5.53 dst-address-list=whitelist dst-port=53 protocol=udp src-address=
!192.168.5.53 src-address-list=whitelist to-addresses=192.168.5.53 to-ports=53
add action=dst-nat chain=dstnat dst-address=!192.168.5.53 dst-address-list=whitelist dst-port=53 protocol=tcp src-address=
!192.168.5.53 src-address-list=whitelist to-addresses=192.168.5.53
# Hairpin masquerade so redirected LAN -> LAN DNS replies return via the router.
add action=masquerade chain=srcnat dst-address=192.168.5.53 dst-port=53 protocol=udp src-address=192.168.5.0/24
add action=masquerade chain=srcnat dst-address=192.168.5.53 dst-port=53 protocol=tcp src-address=192.168.5.0/24
# NOTE(review): netmap2 is active -- it rewrites the source of every packet to
# the VPN pool 1:1 into 192.168.5.0/24 (identity for LAN sources) and logs each
# one; netmap1 is disabled. Both look like experiments for the LAN -> VPN
# problem and are presumably unnecessary once the route below is fixed.
add action=netmap chain=dstnat disabled=yes dst-address=192.168.5.0/24 log=yes log-prefix=netmap1 to-addresses=10.8.0.0/24
add action=netmap chain=srcnat dst-address=10.8.0.0/24 log=yes log-prefix=netmap2 to-addresses=192.168.5.0/24
/ip firewall service-port
# Connection-tracking helpers (ALGs) disabled -- good hygiene.
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
# Disabled policy routes for the 'pd' and 'tmobile' routing marks.
add disabled=yes distance=1 gateway=pppoe-out2 routing-mark=pd
add disabled=yes distance=1 gateway=ether2-master routing-mark=tmobile
# Two default routes at distance 1: one interface-only via ether2-master, one
# via 192.168.100.1 with a ping gateway check. Confirm which one is active.
add distance=1 gateway=ether2-master
add check-gateway=ping distance=1 gateway=192.168.100.1
# NOTE(review): likely cause of the LAN -> VPN-client problem. gateway=bridge
# makes the router ARP for 10.8.0.x directly on the LAN, where no host answers.
# The pool lives behind the NAS, so the next hop should be the NAS address:
# gateway=192.168.5.3. The NAS must in turn route (or NAT) for its VPN clients;
# that part is outside this export.
add distance=1 dst-address=10.8.0.0/24 gateway=bridge pref-src=192.168.5.1
Thank you very much in advance for your help.
Greetings. paweld