Yet Another OVPN Numpty Issue

Hi Everyone

I have been banging my head against the desk for a while trying to solve a problem.
I have a Mikrotik CRS125.
I have configured certificates and OVPN. I am able to log in without an issue.
I have 2 subnets:
192.168.99.0/24 - internal network
192.168.81.0/24 - vpn network
I am able to log into the OVPN and obtain a 192.168.81.0 IP address.
I have a firewall rule that states:
action=accept chain=input dst-address=192.168.99.0/24 src-address=192.168.81.0/24
I am able to access the internet from a client connected to the VPN without issue via the VPN; this is verified by tracert. DNS lookups to internet addresses work fine.

So, onto what isn't working: I am unable to access devices on the 192.168.99.0/24 network. I am assuming it is something to do with routing within the router.
Tracert on the openvpn client device gives the following:
C:>tracert 192.168.99.5
Tracing route to 192.168.99.5 over a maximum of 30 hops
1 127 ms 56 ms 54 ms 192.168.81.1
2 * * * Request timed out.
3 * * * Request timed out.

Within IP > Route I have the following:
11 ADC 192.168.81.100/32 192.168.81.1 0
12 ADC 192.168.99.0/24 192.168.99.1 ether1-OfficeLAN 0
This does not seem correct as the address space for 192.168.81.0 is actually 192.168.81.0/24

Does anyone have any suggestions what the issue is?

Many Thanks
Freddy

I have done quite a lot of reading and it would appear I have an issue with my firewall rules or routes and I don't really know how to resolve this.
I have read that some people add a bridge, some people add a mangle rule, some people just do basic config and it works fine.

A few notes: Proxy is currently disabled, hotspot is currently disabled, network comprises OfficeLAN, GuestLAN, OVPN, WAN1 and WAN2, failover between the 2 WANs works fine.

The firewall config is as follows:

/ip firewall filter
action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
action=jump chain=input comment="Ensure proxy is accessible only to internal clients" dst-port=8080 in-interface=ether23-WAN1 jump-target=drop protocol=tcp
action=accept chain=input comment=OpenVPN dst-port=1194 protocol=tcp
action=drop chain=input comment="Block External DNS lookups" dst-port=53 in-interface=ether23-WAN1 protocol=udp
action=drop chain=input comment="Block External DNS lookups" dst-port=53 in-interface=ether24-WAN2 protocol=udp
action=drop chain=input comment="Block External DNS lookups" dst-port=53 in-interface=ether23-WAN1 protocol=tcp
action=drop chain=input comment="Block External DNS lookups" dst-port=53 in-interface=ether24-WAN2 protocol=tcp
action=drop chain=input comment="Rule to stop GuestLAN accessing OfficeLAN" dst-address=192.168.99.0/24 src-address=192.168.150.0/24
action=accept chain=input comment="Rule to allow GuestLAN traffic to Printer1" dst-address=192.168.99.10 src-address=192.168.150.0/24
action=accept chain=input comment="Rule to allow GuestLAN traffic to Printer2" dst-address=192.168.99.11 src-address=192.168.150.0/24
action=accept chain=input comment="Allow OVPN clients access to Office Network" dst-address=192.168.99.0/24 src-address=192.168.81.0/24

/ip firewall mangle
action=mark-routing chain=prerouting comment="All LAN Traffic" new-routing-mark=GUIFI passthrough=no src-address=192.168.99.0/24
action=mark-routing chain=prerouting comment="All GuestLAN Traffic" new-routing-mark=SS passthrough=no src-address=192.168.150.0/24

/ip firewall nat
action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
action=masquerade chain=srcnat dst-address=0.0.0.0/0 src-address=192.168.99.0/24
action=masquerade chain=srcnat dst-address=0.0.0.0/0 src-address=192.168.150.0/24
action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=192.168.150.0/24
action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
action=masquerade chain=srcnat dst-address=0.0.0.0/0 src-address=192.168.99.0/24
action=masquerade chain=srcnat dst-address=0.0.0.0/0 src-address=192.168.150.0/24
action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=192.168.150.0/24
action=masquerade chain=srcnat out-interface=ether23-WAN1
action=masquerade chain=srcnat out-interface=ether24-WAN2

My routing looks like this:

/ip route export
add check-gateway=ping distance=1 gateway=8.8.8.8 routing-mark=GUIFI
add check-gateway=ping distance=2 gateway=8.8.4.4 routing-mark=GUIFI
add check-gateway=ping distance=1 gateway=8.8.4.4 routing-mark=SS
add check-gateway=ping distance=2 gateway=8.8.8.8 routing-mark=SS
add distance=2 gateway=192.168.1.254
add distance=1 dst-address=8.8.4.4/32 gateway=192.168.0.1 scope=10
add distance=1 dst-address=8.8.8.8/32 gateway=192.168.1.254 scope=10

/ip route> print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          8.8.8.8                   1
 1   S  0.0.0.0/0                          8.8.4.4                   2
 2 A S  0.0.0.0/0                          8.8.4.4                   1
 3   S  0.0.0.0/0                          8.8.8.8                   2
 4 A S  0.0.0.0/0                          192.168.1.254             2
 5 X S  0.0.0.0/0                          192.168.0.1               1
 6 X S  0.0.0.0/0                          192.168.0.1               1
 7 A S  8.8.4.4/32                         192.168.0.1               1
 8 A S  8.8.8.8/32                         192.168.1.254             1
 9 ADC  192.168.0.0/24     192.168.0.2     ether23-WAN1              0
10 ADC  192.168.1.0/24     192.168.1.2     ether24-WAN2              0
11 ADC  192.168.81.100/32  192.168.81.1    <ovpn>                0
12 ADC  192.168.99.0/24    192.168.99.1    ether1-OfficeLAN          0
13 ADC  192.168.150.0/24   192.168.150.1   ether10-GuestLAN          0

Any help would be very much appreciated.
Many thanks
Freddy

I am sure the issue is related to the WAN failover.
A further test has proven that the firewall rules to allow access to the printers from the guest network are not functioning either.

Therefore all the traffic for each subnet is routing outwards. I am not sure whether there is a mangle rule or a routing rule required.
Does anyone have any suggestions on what rule should be applied?

Many Thanks
Freddy

How are you connecting WAN1 and WAN2?

Via a single interface or multiple?

WAN1 and WAN2 are on separate ethernet connections, ether23 and ether24.

Why is your gateway set for Google?

Your firewall rules are all kinds of messed up.

action=drop chain=input comment="Rule to stop GuestLAN accessing OfficeLAN" dst-address=192.168.99.0/24 src-address=192.168.150.0/24 
action=accept chain=input comment="Rule to allow GuestLAN traffic to Printer1" dst-address=192.168.99.10 src-address=192.168.150.0/24
action=accept chain=input comment="Rule to allow GuestLAN traffic to Printer2" dst-address=192.168.99.11 src-address=192.168.150.0/24

(These should be the forward chain)

You have several masquerade rules, all of which don’t really do anything useful. They should be simplified to…

action=masquerade chain=srcnat out-interface=ether23-WAN1
action=masquerade chain=srcnat out-interface=ether24-WAN2

What's your end goal?

Hi,

Thanks for helping…

The end goal is to have the following:
2 Separate Physical WAN connections with the ability to fail over if internet connectivity is not available. Simple next-hop failover is not sufficient.
1 Office Network (192.168.99.0/24)
1 Guest Network (192.168.150.0/24)
OpenVPN Remote Access
Guest Network shall only be able to access the printers on Office Network
Future: Hotspot on Guest Network
Future: Internet Proxy

For the internet failover I followed this guide:
http://oriolrius.cat/blog/2016/08/29/internet-fail-over-connection-with-mikrotik

Following your suggestion it would appear I can simplify the firewall rules to the following, however I am not sure whether it will resolve my issue:

/ip firewall filter
action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
action=jump chain=input comment="Ensure proxy is accessible only to internal clients" dst-port=8080 in-interface=ether23-WAN1 jump-target=drop protocol=tcp
action=accept chain=input comment=OpenVPN dst-port=1194 protocol=tcp
action=drop chain=input comment="Block External DNS lookups" dst-port=53 in-interface=ether23-WAN1 protocol=udp
action=drop chain=input comment="Block External DNS lookups" dst-port=53 in-interface=ether24-WAN2 protocol=udp
action=drop chain=input comment="Block External DNS lookups" dst-port=53 in-interface=ether23-WAN1 protocol=tcp
action=drop chain=input comment="Block External DNS lookups" dst-port=53 in-interface=ether24-WAN2 protocol=tcp
action=drop chain=input comment="Rule to stop GuestLAN accessing OfficeLAN" dst-address=192.168.99.0/24 src-address=192.168.150.0/24 
action=accept chain=input comment="Rule to allow GuestLAN traffic to Printer1" dst-address=192.168.99.10 src-address=192.168.150.0/24
action=accept chain=input comment="Rule to allow GuestLAN traffic to Printer2" dst-address=192.168.99.11 src-address=192.168.150.0/24
action=accept chain=input comment="Allow OVPN clients access to Office Network" dst-address=192.168.99.0/24 src-address=192.168.81.0/24

/ip firewall mangle
action=mark-routing chain=prerouting comment="All LAN Traffic" new-routing-mark=GUIFI passthrough=no src-address=192.168.99.0/24
action=mark-routing chain=prerouting comment="All GuestLAN Traffic" new-routing-mark=SS passthrough=no src-address=192.168.150.0/24

/ip firewall nat
action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=192.168.150.0/24
action=masquerade chain=srcnat dst-address=0.0.0.0/0 src-address=192.168.99.0/24
action=masquerade chain=srcnat dst-address=0.0.0.0/0 src-address=192.168.150.0/24
action=masquerade chain=srcnat out-interface=ether23-WAN1
action=masquerade chain=srcnat out-interface=ether24-WAN2

Many Thanks
Freddy

Thanks CTSsean,
I have read up on the difference between input and forward; anything that is performed internal to the router (i.e. between subnets) is now on a forward rule.
I have tidied up all of the rules to remove any duplicates and simplified the masquerade rules as you mentioned.

I am still being prevented access between 192.168.81.0 and 192.168.99.0. I will check that 192.168.150.0 can access the 2 printers tomorrow; however, I am fairly certain that they will not be accessible.

I think the instructions I followed in order to set up the WAN failover have caused the problem that I am trying to resolve.
I followed the following website: http://oriolrius.cat/blog/2016/08/29/internet-fail-over-connection-with-mikrotik/

Do you know of a better guide for setting up a failover between WAN connections?
I do have additional modems connected to ether23 and ether24 which provide internet access; therefore just performing a ping test to the next hop does not confirm whether there is internet connectivity on that link. The ping test would only tell me that a modem is down.

Thanks
Freddy
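Added example, not from this thread and not MikroTik code: a small Python model of the two mechanisms discussed above, the prerouting mark-routing rules (which send every packet sourced from 192.168.99.0/24 or 192.168.150.0/24 into a table whose only route is a WAN default, including replies to VPN and guest hosts) and the guest printer rules sitting on chain=input, which forwarded traffic never traverses. Routes and rules are taken from the posted config; the "exempt local destinations before marking" mangle rule, the reordered forward-chain rules, the sample hosts and the fallback-to-main behaviour for marked packets are assumptions made for the model, and connection tracking and NAT are ignored.

```python
# Toy model, constructed for this thread, of RouterOS-style mangle marks and
# filter chains acting on the subnets posted above. Not RouterOS code.
import ipaddress

# Connected networks per interface, from the posted /ip route print (main table).
CONNECTED = {
    "ether1-OfficeLAN": "192.168.99.0/24",
    "ether10-GuestLAN": "192.168.150.0/24",
    "<ovpn>": "192.168.81.100/32",
    "ether23-WAN1": "192.168.0.0/24",
    "ether24-WAN2": "192.168.1.0/24",
}
ROUTER_IPS = {"192.168.99.1", "192.168.150.1", "192.168.81.1", "192.168.0.2", "192.168.1.2"}

# Gateways 8.8.8.8 / 8.8.4.4 resolve recursively through the posted /32 routes,
# so each default route is recorded by the interface it finally leaves on.
ROUTES = [
    {"table": "GUIFI", "dst": "0.0.0.0/0", "via": "ether24-WAN2"},  # 8.8.8.8 via 192.168.1.254
    {"table": "SS",    "dst": "0.0.0.0/0", "via": "ether23-WAN1"},  # 8.8.4.4 via 192.168.0.1
    {"table": "main",  "dst": "0.0.0.0/0", "via": "ether24-WAN2"},  # 192.168.1.254
] + [{"table": "main", "dst": net, "via": ifc} for ifc, net in CONNECTED.items()]

MANGLE_AS_POSTED = [  # prerouting, passthrough=no
    {"action": "mark-routing", "mark": "GUIFI", "src": "192.168.99.0/24"},
    {"action": "mark-routing", "mark": "SS", "src": "192.168.150.0/24"},
]
# Hypothetical fix: stop mangle processing (no mark) for traffic that stays
# inside the router's own RFC1918 range, so main-table connected routes apply.
MANGLE_LOCAL_EXEMPT = [{"action": "accept", "dst": "192.168.0.0/16"}] + MANGLE_AS_POSTED

FILTER_AS_POSTED = [  # guest rules on chain=input, as in the first post
    {"chain": "input", "action": "drop", "src": "192.168.150.0/24", "dst": "192.168.99.0/24"},
    {"chain": "input", "action": "accept", "src": "192.168.150.0/24", "dst": "192.168.99.10/32"},
    {"chain": "input", "action": "accept", "src": "192.168.150.0/24", "dst": "192.168.99.11/32"},
]
FILTER_FORWARD_SAME_ORDER = [dict(r, chain="forward") for r in FILTER_AS_POSTED]
# Hypothetical: forward chain with the specific accepts placed before the subnet drop.
FILTER_FORWARD_ORDERED = FILTER_FORWARD_SAME_ORDER[1:] + FILTER_FORWARD_SAME_ORDER[:1]


def in_net(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def matches(rule, src, dst):
    return (("src" not in rule or in_net(src, rule["src"]))
            and ("dst" not in rule or in_net(dst, rule["dst"])))


def egress(mangle, src, dst):
    """Interface a packet leaves on: first matching prerouting rule decides the
    mark (passthrough=no), then longest-prefix lookup in the marked table,
    falling back to main if that table has no match (assumed v6 behaviour)."""
    mark = None
    for rule in mangle:
        if not matches(rule, src, dst):
            continue
        if rule["action"] == "mark-routing":
            mark = rule["mark"]
        break  # accept, or mark-routing with passthrough=no: stop here
    for table in ([mark] if mark else []) + ["main"]:
        hits = [r for r in ROUTES if r["table"] == table and in_net(dst, r["dst"])]
        if hits:
            return max(hits, key=lambda r: ipaddress.ip_network(r["dst"]).prefixlen)["via"]
    return None


def verdict(filter_rules, src, dst):
    """First matching rule in the chain the packet traverses: input only for
    packets addressed to the router itself, forward for everything transiting.
    No final drop, because the posted filter has none."""
    chain = "input" if dst in ROUTER_IPS else "forward"
    for rule in filter_rules:
        if rule["chain"] == chain and matches(rule, src, dst):
            return rule["action"]
    return "accept"


if __name__ == "__main__":
    vpn, office, guest, printer = "192.168.81.100", "192.168.99.5", "192.168.150.20", "192.168.99.10"
    for label, mangle in (("as posted", MANGLE_AS_POSTED), ("local exempt", MANGLE_LOCAL_EXEMPT)):
        print(f"[{label}] VPN->office leaves via {egress(mangle, vpn, office)}, "
              f"office->VPN reply via {egress(mangle, office, vpn)}, "
              f"printer->guest reply via {egress(mangle, printer, guest)}")
    print("guest->office, rules on input chain:", verdict(FILTER_AS_POSTED, guest, office))
    print("guest->printer, forward chain same order:", verdict(FILTER_FORWARD_SAME_ORDER, guest, printer))
    print("guest->printer, forward chain accepts first:", verdict(FILTER_FORWARD_ORDERED, guest, printer))
```

The model reproduces the symptom in the thread: the VPN client's packet reaches the office host via the main table, but the host's reply is marked GUIFI and follows that table's default route out of a WAN interface, so the tracert stalls after 192.168.81.1. The same asymmetry breaks printer replies to the guest LAN. It also shows why the guest isolation rules did nothing on chain=input and why moving them to forward unchanged would drop printer traffic as well, since the subnet-wide drop precedes the two accepts.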