gostapit
just joined
Topic Author
Posts: 2
Joined: Fri Feb 12, 2021 2:52 pm

Mikrotik routing with openvpn on different machine

Fri Feb 12, 2021 3:37 pm

Hello everyone, I have just replaced my old Linksys router with a HAP AC2 router and have some problems:

Network looks like this:
[attached image: Screenshot_2021-02-12 Untitled Diagram - diagrams net.png]
The problem:
Computers from 192.168.2.0/24 network can access only 192.168.4.1 (mikrotik) and 192.168.4.19 (ovpn server)
Computers from 192.168.4.0/24 network can access only every machine on 192.168.2.0/24 network

For example:

192.168.4.18 can ping 192.168.2.2
but
192.168.2.2 cannot ping 192.168.4.18

tracepath from 192.168.4.18:
[x@x ~]# tracepath 192.168.2.2
 1?: [LOCALHOST]                      pmtu 1500
 1:  router.lan                                            0.379ms 
 1:  router.lan                                            0.312ms 
 2:  192.168.4.19                                          0.587ms asymm  1 
 3:  10.8.0.78                                             6.177ms asymm  2 
 4:  192.168.2.2                                           4.418ms reached
     Resume: pmtu 1500 hops 4 back 3 
tracepath from 192.168.2.2:
[xx@xx ~]# tracepath 192.168.4.18
 1?: [LOCALHOST]                                         pmtu 1500
 1:  vyatta.x                                          0.499ms 
 1:  vyatta.x                                          0.520ms 
 2:  10.8.0.1                                              5.041ms 
 3:  no reply
 4:  no reply
 5:  no reply

The MikroTik has a static route:
/ip route
add distance=1 gateway=x.x.x.x
add check-gateway=ping distance=1 dst-address=192.168.2.0/24 gateway=192.168.4.19
OpenVPN config on 192.168.4.19:
local 192.168.4.19
port 1194
proto udp4
dev tun0
ca ca.crt 
cert server.crt 
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.4.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"
client-config-dir ccd  ("iroute 192.168.2.0 255.255.255.0" is placed in right file in ccd)
ccd-exclusive
client-to-client
route 192.168.2.0 255.255.255.0
push "dhcp-option DNS 192.168.4.2"
client-to-client
keepalive 5 200
comp-lzo
persist-key
persist-tun
Important parts of the MikroTik config (I can post the whole thing if needed):
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.4.1/24 comment=defconf interface=ether2 network=192.168.4.0
add address=x.x.x.x interface=ether1 network=x.x.x.x

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input dst-port=500,1701,4500 in-interface-list=WAN protocol=udp
add action=accept chain=input in-interface-list=WAN protocol=ipsec-esp
add action=accept chain=input in-interface-list=WAN protocol=ipsec-ah
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" dst-address=0.0.0.0/0 ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=8082 in-interface=ether1 protocol=tcp to-addresses=192.168.4.18 to-ports=8082
add action=dst-nat chain=dstnat dst-port=80 in-interface=ether1 protocol=tcp to-addresses=192.168.4.18 to-ports=80
add action=dst-nat chain=dstnat dst-port=443 in-interface=ether1 protocol=tcp to-addresses=192.168.4.18 to-ports=443
add action=dst-nat chain=dstnat dst-port=1194 in-interface=ether1 protocol=udp to-addresses=192.168.4.19 to-ports=1194
add action=dst-nat chain=dstnat dst-port=5000-5055 in-interface=ether1 protocol=tcp to-addresses=192.168.4.18 to-ports=5000-5055

/ip route
add distance=1 gateway=x.x.x.x
add check-gateway=ping distance=1 dst-address=192.168.2.0/24 gateway=192.168.4.19
Best regards

This is my first post, so I am not sure if this is the right subforum.
 
gostapit
just joined
Topic Author
Posts: 2
Joined: Fri Feb 12, 2021 2:52 pm

Re: Mikrotik routing with openvpn on different machine  [SOLVED]

Tue Feb 16, 2021 5:15 pm

It was the standard firewall (forwarding) rule:
Changing from
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid 
to
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid dst-address=!192.168.2.0/24
solved the problem.
