After successful configuration of OpenVPN on my router, I'm able to connect from Android and Mac.
While connected I can ping and connect to all hosts in LAN network but unfortunately not to Mikrotik address 192.168.88.1 (its responding for ping but not for traceroute)
When I disable firewall rule: "drop all not coming from LAN" i can connect to router but I guess its a bad idea turn off that rule.
I will be very grateful for help with this topic.
Please find my exported configuration below:
Code: Select all
# aug/13/2018 09:37:51 by RouterOS 6.42.6
# software id = XG76-0ZTT
#
# model = RBD52G-5HacD2HnD
# serial number = 8FDE0937214B
/interface bridge
add admin-mac=B8:69:F4:1B:C3:28 auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=wpa supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no distance=indoors frequency=auto mode=ap-bridge security-profile=wpa ssid=milki wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee country=poland disabled=no distance=indoors frequency=auto mode=ap-bridge security-profile=wpa ssid="milki 5GHz" wireless-protocol=802.11
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=openvpn ranges=10.0.0.2-10.0.0.40
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
add dns-server=8.8.8.8,8.8.4.4 local-address=10.0.0.1 name=openvpn remote-address=openvpn use-encryption=required
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1 certificate=server_cert cipher=aes256 default-profile=openvpn enabled=yes require-client-certificate=yes
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.88.246 client-id=1:b8:27:eb:f6:0:c mac-address=B8:27:EB:F6:00:0C server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input dst-port=1194 protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ppp secret
add name=mily profile=openvpn service=ovpn
/system clock
set time-zone-name=Europe/Warsaw
/system package update
set channel=bugfix
/system routerboard settings
set silent-boot=no
/system scheduler
add interval=5m name=noip_schedule on-event="/system script run noip" policy=read,write,test,password start-time=startup
/tool graphing interface
add interface=wlan1
add interface=wlan2
add interface=ether1
add interface=ether2
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN