1. The ISP router has a forward rule to allow any inbound WAN UDP traffic to port 1194 (OpenVPN) to be forwarded to my RB4011iGS on the LAN side
2. RB4011iGS is also configured as a router and has a dstnat rule to forward any traffic from the WAN side on port 1194 to my OpenVPN server on the LAN.
3. I can see traffic being forwarded from the ISP router and hitting my dstnat rule on the RB4011iGS, but for some reason I am not seeing the tunnel being established.
The traffic, however, is not reaching my OpenVPN server. Here is the dstnat rule:
# Port-forward: UDP/1194 arriving on any WAN-list interface and addressed to 192.168.0.10
# (presumably the RB4011's own WAN-side address, handed out by the ISP router; not visible
# in the /ip address section below, so it is likely obtained via DHCP client) is rewritten
# to 192.168.2.45:1194. log=yes with prefix "dstnat_" is what shows the rule being hit.
# NOTE(review): dstnat only rewrites the destination; the packet must still be accepted
# in the forward chain as a NEW connection with connection-nat-state=dstnat.
add action=dst-nat chain=dstnat dst-address=192.168.0.10 dst-port=1194 in-interface-list=WAN log=yes \
log-prefix=dstnat_ protocol=udp to-addresses=192.168.2.45 to-ports=1194
Here is my full config:
# Interface lists referenced by the firewall and NAT rules below.
# WAN / LAN are the defconf lists; vlan groups the tagged VLAN interfaces;
# all-vlan-lan = LAN + vlan (used for DNS input rules); all-vlan = vlan only
# (used by the inter-VLAN drop). "Management VLAN" has no members in this export.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment="VLAN list" name=vlan
add include=LAN,vlan name=all-vlan-lan
add name="Management VLAN"
add include=vlan name=all-vlan
# Default wireless security profile (defconf); unrelated to the OpenVPN forwarding issue.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# List membership. ether1 is the only WAN member, so in-interface-list=WAN (NAT rule)
# and in-interface=ether1 (forward-chain drop rules) currently match the same interface;
# keep them consistent if a second WAN interface is ever added.
# LanBridge plus ether2-ether10 are LAN; VLAN5/10/20/30 are in both vlan and all-vlan.
/interface list member
add comment=defconf interface=LanBridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=VLAN5 list=vlan
add interface=VLAN10 list=vlan
add interface=VLAN20 list=vlan
add interface=VLAN30 list=vlan
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=VLAN10 list=all-vlan
add interface=VLAN20 list=all-vlan
add interface=VLAN30 list=all-vlan
add interface=VLAN5 list=all-vlan
# Router addresses. The defconf 192.168.88.1/24 is disabled; the native LAN is
# 192.168.2.0/24 on LanBridge (the OpenVPN server 192.168.2.45 lives here).
# No address is listed for ether1, so the WAN address (192.168.0.10 in the dstnat rule)
# is presumably assigned by a DHCP client that is not part of this export.
/ip address
add address=192.168.88.1/24 comment=defconf disabled=yes interface=LanBridge network=192.168.88.0
add address=192.168.2.1/24 interface=LanBridge network=192.168.2.0
add address=192.168.5.1/24 interface=VLAN5 network=192.168.5.0
add address=192.168.10.1/24 interface=VLAN10 network=192.168.10.0
add address=192.168.20.1/24 interface=VLAN20 network=192.168.20.0
add address=192.168.30.1/24 interface=VLAN30 network=192.168.30.0
# Address lists. The per-subnet lists are named after the subnet itself and are not
# referenced by any rule in this export.
# adminAccess spans the entire native subnet (192.168.2.1-192.168.2.254); combined with
# the input rule below it lets every host on the native LAN reach all router services.
# NOTE(review): consider narrowing this to the actual admin hosts (least privilege).
/ip firewall address-list
add address=192.168.2.0/24 list=192.168.2.0/24
add address=192.168.5.0/24 list=192.168.5.0/24
add address=192.168.10.0/24 list=192.168.10.0/24
add address=192.168.20.0/24 list=192.168.20.0/24
add address=192.168.30.0/24 list=192.168.30.0/24
add address=192.168.2.1-192.168.2.254 comment="Admin access subnet" list=adminAccess
# Filter rules are evaluated top-down; the first matching terminating action wins.
/ip firewall filter
# --- input chain (traffic to the router itself) ---
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid log-prefix=\
drop-invalid_
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow DNS from LAN/VLAN" dst-port=53 in-interface-list=all-vlan-lan \
protocol=tcp
add action=accept chain=input comment="Allow DNS from LAN/VLAN" dst-port=53 in-interface-list=all-vlan-lan \
protocol=udp
# No dst-port restriction: any host in adminAccess (the whole native subnet) can reach
# every router service on LAN interfaces, not only Webfig. Note log-prefix is set but
# log=yes is not, so this rule does not actually log.
add action=accept chain=input comment="Allow admin access to router (Webfig)" in-interface-list=LAN \
log-prefix=admin-access_ src-address-list=adminAccess
add action=drop chain=input comment="drop all else"
# --- forward chain (traffic through the router) ---
# The accept rule sits above the fasttrack rule, so established/related packets are
# accepted here and the fasttrack rule below never gets a chance to match (defconf
# places fasttrack first). Harmless for correctness, but fasttrack is effectively off.
add action=accept chain=forward comment="defconf: accept established, related, untracked" connection-state=\
established,related,untracked
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=\
established,related,untracked
# Disabled, and even if enabled it only matches established/related - it would not
# admit the first (new) packet of a dst-natted connection.
add action=accept chain=forward comment="Allow dstnat for established, related" connection-nat-state=dstnat \
connection-state=established,related disabled=yes in-interface=ether1
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# Dst-natted new connections from ether1 pass this rule (connection-nat-state=dstnat)...
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1
add action=drop chain=forward comment="Drop all inter vlan traffic\
\n" in-interface-list=all-vlan log-prefix=INTER-VLAN-DROP out-interface-list=all-vlan
# ...but are then dropped here: after dstnat the OpenVPN packet has dst 192.168.2.45
# (inside 192.168.2.0/24) and a WAN source that is not in 192.168.2.0/24, so this rule
# matches it. Even if it did not, "drop all else" at the bottom would. This is the
# likely reason the forwarded UDP/1194 traffic never reaches the server. A narrow
# accept rule placed above this one (chain=forward, connection-state=new,
# connection-nat-state=dstnat, in-interface-list=WAN, protocol=udp,
# dst-address=192.168.2.45, dst-port=1194) would admit only that flow.
# NOTE(review): dst-address-list="" is an empty matcher and appears to have no effect.
add action=drop chain=forward comment="Drop all traffic to native VLAN not from native VLAN" dst-address=\
192.168.2.0/24 dst-address-list="" src-address=!192.168.2.0/24
# Per-subnet internet access; each rule allows only traffic leaving via a WAN-list interface.
add action=accept chain=forward comment="VLAN30 to WAN - Mars" out-interface-list=WAN src-address=\
192.168.30.0/24
add action=accept chain=forward comment="VLAN20 to WAN - Mars BH" out-interface-list=WAN src-address=\
192.168.20.0/24
add action=accept chain=forward comment="VLAN10 to WAN - Guest" out-interface-list=WAN src-address=\
192.168.10.0/24
add action=accept chain=forward comment="VLAN5 to WAN" out-interface-list=WAN src-address=192.168.5.0/24
add action=accept chain=forward comment="Allow internet access for native VLAN " out-interface-list=WAN \
src-address=192.168.2.0/24
# Disabled catch-all accept; leaving it disabled keeps the default-deny posture below.
add action=accept chain=forward comment="Without this rule all internet traffic blocked. I need to specifical\
ly specify all the allowed services. " disabled=yes log-prefix=CATCH-ALL
# Final default deny, logged with prefix DROP-ALL_; the log is where a blocked
# dst-natted OpenVPN packet would show up if it got past the native-VLAN drop above.
add action=drop chain=forward comment="drop all else" log=yes log-prefix=DROP-ALL_
/ip firewall nat
# Outbound source NAT for everything leaving via a WAN-list interface (defconf).
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=\
WAN
# Inbound port-forward for OpenVPN: UDP/1194 to 192.168.0.10 on a WAN-list interface is
# rewritten to 192.168.2.45:1194 and logged with prefix "dstnat_".
# NOTE(review): the rewritten packet still needs an accept in the forward chain for
# connection-state=new + connection-nat-state=dstnat; the filter rules above do not
# provide one, and the "Drop all traffic to native VLAN not from native VLAN" rule
# matches it because its source is outside 192.168.2.0/24.
add action=dst-nat chain=dstnat dst-address=192.168.0.10 dst-port=1194 in-interface-list=WAN log=yes \
log-prefix=dstnat_ protocol=udp to-addresses=192.168.2.45 to-ports=1194