fauxkalel
just joined
Topic Author
Posts: 10
Joined: Thu Sep 09, 2021 6:15 pm
Location: Poland

OVPN site to site Chateau LTE12 no ping remote network

Fri Sep 10, 2021 3:56 pm

Hello!
I have problems with getting an OpenVPN tunnel site to site to work on 2x Chateau LTE12.
The tunnel connects when, e.g., making it with this tutorial:
https://systemzone.net/mikrotik-site-to ... os-client/
After doing everything from this instruction without the "Basic configuration" part (it is configured by default, I think) and additionally adding a firewall rule on top:
/ip firewall filter add action=accept chain=input comment="allow OpenVPN" disabled=no dst-port=1194 protocol=tcp

The connection is established; pc1 (192.168.1.150) in the router1 network (192.168.1.1/24, OVPN server) can ping router2's IPs (virtual 172.22.22.2 and LAN 192.168.0.1/24) but not pc2 (192.168.0.150) in the router2 network. From pc2 it looks identical (reverse side).
Routes on router1 are configured:
- in Secrets, the route looks like this: 192.168.0.0/24 172.22.22.2 1
so all routes on router1 look like those in the attachments.

Please help, what do I need to reconfigure in routes or something?
Also, how do I do the "Static Route Configuration" part for router2 from the end of this tutorial on RouterOS v7.1rc3? There is no way to choose the client interface "openvpn-server" so I typed it manually. I tried with things like 192.168.1.0/24 172.22.22.1 but it is not working.

How tracert from the 192.168.1.150 PC ends:
tracert 192.168.0.149
Tracing route to 192.168.0.149 over a maximum of 30 hops

1 1 ms <1 ms <1 ms 192.168.1.1
2 78 ms 81 ms 85 ms 172.22.22.2
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
....
 
SiB
Forum Guru
Posts: 1888
Joined: Sun Jan 06, 2013 11:19 pm
Location: Poland

Re: OVPN site to site Chateau LTE12 no ping remote network

Sun Sep 12, 2021 6:15 pm

It seems like you have the OVPN connected but you are not using it.
If you plan to go to the internet via this OVPN tunnel then you should create a rule like:
[image]

and if you plan to connect to another network then just set Dst. Address: put your destination address.
"I tried with things like 192.168.1.0/24 172.22.22.1 but not working."
But 172.22.22.1 is your IP at your end. The next-hop gateway is always the remote end host, like 172.22.22.2.
 
fauxkalel

Re: OVPN site to site Chateau LTE12 no ping remote network

Mon Sep 13, 2021 5:25 pm

It seems like you have the OVPN connected but you are not using it.
If you plan to go to the internet via this OVPN tunnel then you should create a rule like:
[image]

and if you plan to connect to another network then just set Dst. Address: put your destination address.
"I tried with things like 192.168.1.0/24 172.22.22.1 but not working."
But 172.22.22.1 is your IP at your end. The next-hop gateway is always the remote end host, like 172.22.22.2.
1. I don't plan to go to the internet through the VPN.
2. Yes, I plan to connect bi-directionally to the other network, but I think my rule for this exists. Look at the 4th route in the attachment. Dest is 192.168.0.0/24 and gateway 172.22.22.2. So am I missing something here?
3. "...172.22.22.1 is your IP at your end..." - in the line you quoted I talk about the route on router2 (client side), so the route is the opposite and correct, I think?

If I am wrong please correct me.
 
SiB

Re: OVPN site to site Chateau LTE12 no ping remote network

Mon Sep 13, 2021 7:00 pm

Yes, the 4th rule in router1 route.png is correct.
If the opposite router has a route like 192.168.0.0/24 via 172.22.22.1 then only the firewall can block that traffic.
Use Tools > Torch to see traffic on the ovpn interface at both ends, and you will discover if one end Tx's traffic and the opposite end sees the Rx of that traffic.
That way you can check the firewall to be sure it starts to work.

Use traceroute too.
 
fauxkalel

Re: OVPN site to site Chateau LTE12 no ping remote network

Wed Sep 15, 2021 12:23 pm

Both have correct routes then.
I see identical problems to mine everywhere on this forum and others, but there is no solution, or the solutions provided there are not working for me.
Tried proxy-arp for the bridge, tried other variants for masquerade, firewall with all filters disabled (as far as I know, disabled rules should work like no firewall on MikroTik, right?), some filters with forward, but that is not working for me.
I think the solutions tried from other devices may not work because of some differences in the router using the built-in LTE modem or RouterOS v7.1rc3.

Router1 (OVPN server):
Route:
DAm 0.0.0.0/0        lte1                     2
DAc 5.1xx.xx.xx/32  lte1                     0
DAc 172.22.22.2/32   <ovpn>         0
DAv 192.168.0.0/24   172.22.22.2              1
DAc 192.168.1.0/24   bridge                   0

/ip/firewall/filter:

 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked log=no 
      log-prefix="" 

 2    ;;; allow OpenVPN
      chain=input action=accept protocol=tcp dst-port=1194 log=no log-prefix="" 

 3    chain=input action=accept in-interface=all-ppp log=no log-prefix="" 

 4    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid log=no log-prefix="" 

 5    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp log=no log-prefix="" 

 6    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1 log=no log-prefix="" 

 7    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN log=no log-prefix="" 

 8    ;;; defconf: accept in ipsec policy
      chain=forward action=accept log=no log-prefix="" ipsec-policy=in,ipsec 

 9    ;;; defconf: accept out ipsec policy
      chain=forward action=accept log=no log-prefix="" ipsec-policy=out,ipsec 

10    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection hw-offload=yes 
      connection-state=established,related log=no log-prefix="" 

11    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked log=no 
      log-prefix="" 

12    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid log=no log-prefix="" 

13    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat 
      in-interface-list=WAN log=no log-prefix="" 

 
SiB

Re: OVPN site to site Chateau LTE12 no ping remote network

Wed Sep 15, 2021 1:03 pm

In your how-to you have the info: 172.22.22.1/30, but you use /32.
I have not configured OVPN on RouterOS, but this can be your problem.

Can you ping 172.22.22.2 at the opposite site? You should.
 
fauxkalel

Re: OVPN site to site Chateau LTE12 no ping remote network

Wed Sep 15, 2021 2:22 pm

Maybe you are right, but I don't see any place where I'm using /30 or /32 for this virtual network. This subnet is created automatically when putting the src and dst address in the secret configuration, I think.
Like I said in the first post, I can ping:
PC1 192.168.1.150 -> VPN end 172.22.22.2 and Router2 LAN IP 192.168.0.1
PC2 192.168.0.149 -> VPN end 172.22.22.1 and Router1 LAN IP 192.168.1.1
I can't ping from
PC1 to PC2
Router1 to PC2
PC2 to PC1
Router2 to PC1
Like there is no working LAN ARP or something for the VPN connection; only the router IP is working from the other end of the tunnel.
 
SiB

Re: OVPN site to site Chateau LTE12 no ping remote network

Wed Sep 15, 2021 3:45 pm

Firewall > Filter > add
in chain=forward, from 192.168.0.0/24 to 192.168.1.0/24 action=accept

Move that rule before the other rules in forward.
Now you should be able to ping 192.168.1.x

When you do that at the opposite site, then the opposite site can ping you.

And yes, if you disable all rules then the default is ACCEPT, but you should keep the accept for established/related in every chain.
 
fauxkalel

Re: OVPN site to site Chateau LTE12 no ping remote network

Thu Sep 16, 2021 9:41 am

Not working:
 
 [admin@MikroTik] > ping 192.168.0.149
  SEQ HOST                                     SIZE TTL TIME       STATUS                   
    0 192.168.0.149                                                timeout                  
    1 192.168.0.149                                                timeout                  
    2 192.168.0.149                                                timeout
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    chain=forward action=accept src-address=192.168.0.0/24 dst-address=192.168.1.0/24 
      log=no log-prefix="" 

 2    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked log=no 
      log-prefix="" 

 3    ;;; allow OpenVPN
      chain=input action=accept protocol=tcp dst-port=1194 log=no log-prefix="" 

 4    chain=input action=accept in-interface=all-ppp log=no log-prefix="" 

 5    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid log=no log-prefix="" 

 6    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp log=no log-prefix="" 

 7    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1 log=no log-prefix="" 

 8    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN log=no log-prefix="" 

 9    ;;; defconf: accept in ipsec policy
      chain=forward action=accept log=no log-prefix="" ipsec-policy=in,ipsec 

10    ;;; defconf: accept out ipsec policy
      chain=forward action=accept log=no log-prefix="" ipsec-policy=out,ipsec 

11    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection hw-offload=yes 
      connection-state=established,related log=no log-prefix="" 

12    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked log=no 
      log-prefix="" 

13    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid log=no log-prefix="" 

14    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat 
      in-interface-list=WAN log=no log-prefix=""
      
       
 
SiB

Re: OVPN site to site Chateau LTE12 no ping remote network

Thu Sep 16, 2021 10:48 am

Did you paste the ping and the rule from the same router?
Maybe start being more detailed.

ping 192.168.0.149 timeout - I understand that you are now in 192.168.1.x

then this rule
chain=forward action=accept src-address=192.168.0.0/24 dst-address=192.168.1.0/24
should be opposite, from your 192.168.1.0/24 to 192.168.0.1/24
 
fauxkalel

Re: OVPN site to site Chateau LTE12 no ping remote network

Thu Sep 16, 2021 11:54 am

It was not working, so I tested both variants.
Router1 (OVPN Server):
[admin@MikroTik] > ip firewall filter print
Flags: X - disabled, I - invalid; D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    chain=forward action=accept src-address=192.168.1.0/24 dst-address=192.168.0.0/24 log=no log-prefix="" 

 2    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked log=no log-prefix="" 

 3    ;;; allow OpenVPN
      chain=input action=accept protocol=tcp dst-port=1194 log=no log-prefix="" 

 4    chain=input action=accept in-interface=all-ppp log=no log-prefix="" 

 5    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid log=no log-prefix="" 

 6    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp log=no log-prefix="" 

 7    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1 log=no log-prefix="" 

 8    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN log=no log-prefix="" 

 9    ;;; defconf: accept in ipsec policy
      chain=forward action=accept log=no log-prefix="" ipsec-policy=in,ipsec 

10    ;;; defconf: accept out ipsec policy
      chain=forward action=accept log=no log-prefix="" ipsec-policy=out,ipsec 

11    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related log=no log-prefix="" 

12    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked log=no log-prefix="" 

13    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid log=no log-prefix="" 

14    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix="" 
[admin@MikroTik] > ping src-address=192.168.1.1 192.168.0.149
  SEQ HOST                                     SIZE TTL TIME       STATUS                                                                                                                        
    0 192.168.0.149                                                timeout                                                                                                                       
    1 192.168.0.149                                                timeout                                                                                                                       
    2 192.168.0.149                                                timeout                                                                                                                       
    3 192.168.0.149                                                timeout                                                                                                                       
    sent=4 received=0 packet-loss=100% 
    
    [admin@MikroTik] /tool> traceroute
address: 192.168.0.1
Columns: ADDRESS, LOSS, SENT, LAST, AVG, BEST, WORST, STD-DEV
#  ADDRESS      LOSS  SENT  LAST    AVG   BEST  WORST  STD-DEV
1  192.168.0.1  0%      16  91.2ms  89.6  70.4  116.9  12.4   

[admin@MikroTik] /tool> traceroute 172.22.22.2
Columns: ADDRESS, LOSS, SENT, LAST, AVG, BEST, WORST, STD-DEV
#  ADDRESS      LOSS  SENT  LAST     AVG   BEST  WORST  STD-DEV
1  172.22.22.2  0%       9  114.6ms  88.3  68.1  114.6  14.4   

[admin@MikroTik] /tool> traceroute 192.168.0.149
Columns: ADDRESS, LOSS, SENT, LAST, AVG, BEST, WORST, STD-DEV
#  ADDRESS      LOSS  SENT  LAST     AVG  BEST  WORST  STD-DEV
1  172.22.22.2  0%       3  85.4ms   106  85.4  124.9  16.2   
2               100%     3  timeout                           
3               100%     3  timeout                           
4               100%     3  timeout                           
5               100%     3  timeout                           
6               100%     3  timeout  
On Router2 (Client) the rule is the opposite.
 
SiB

Re: OVPN site to site Chateau LTE12 no ping remote network

Thu Sep 16, 2021 12:22 pm

I am trying to help you, but it seems I cannot help, like the other people on this forum.
Make rules for both directions, incoming and outgoing; that way you can check the counters on each rule and see if the packet count increases.
chain=forward action=accept src-address=192.168.1.0/24 dst-address=192.168.0.0/24
chain=forward action=accept src-address=192.168.0.0/24 dst-address=192.168.1.0/24

Why can this not work?
  • Because the end PC does not allow answering the ping, due to its local firewall rule.
  • Because the end PC does not have a gateway, so it does not answer for any non-local networks, and the only way is to add this gateway for it or create a SNAT to hide the remote traffic behind the local gateway (similar to hairpin NAT).
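The following is an added example, not configuration from either poster, that turns the diagnosis above into a checkable RouterOS procedure on Router2 (the OVPN client, LAN 192.168.0.0/24, tunnel 172.22.22.2). It also covers the two earlier points in the thread: the static route whose gateway is the far end of the tunnel, and the placement of the bidirectional forward rules so that their counters can be read. The interface names `ovpn-out1` (client tunnel) and `bridge` (LAN) are assumptions; the thread only shows the dynamic `<ovpn>` name on the server side. Router1 mirrors this with the networks and tunnel addresses swapped.

```routeros
# Added example for Router2 (OVPN client, LAN 192.168.0.0/24, tunnel 172.22.22.2).
# Assumed interface names: ovpn-out1 = OVPN client interface, bridge = LAN bridge.
# Router1 mirrors this with the networks and tunnel addresses swapped.

# 1. Route to the remote LAN. The gateway is the FAR end of the tunnel
#    (172.22.22.1 here on Router2; 172.22.22.2 on Router1), never the local
#    tunnel address. On Router1 the equivalent route is already pushed by the
#    "routes" field of the PPP secret (the DAv entry in the route list).
/ip route add dst-address=192.168.1.0/24 gateway=172.22.22.1 comment="to site1 LAN"

# 2. Bidirectional forward accepts at the top of the chain. They exist for
#    their counters: they show whether packets reach the firewall at all.
#    place-before puts them ahead of the first defconf forward rule.
/ip firewall filter
add chain=forward action=accept src-address=192.168.1.0/24 dst-address=192.168.0.0/24 \
    comment="site1 -> site2 (counter check)" place-before=[find comment~"accept in ipsec"]
add chain=forward action=accept src-address=192.168.0.0/24 dst-address=192.168.1.0/24 \
    comment="site2 -> site1 (counter check)" place-before=[find comment~"accept in ipsec"]

# 3. Zero the counters, ping from PC1 (192.168.1.150) to PC2 (192.168.0.149),
#    then read them. If "site1 -> site2" increments while "site2 -> site1"
#    stays at 0, Router2 forwarded the echo request and PC2 never answered:
#    the fault is on PC2, not in either router's firewall or routes.
/ip firewall filter reset-counters-all
/ip firewall filter print stats where chain=forward

# 4. Same observation with torch on the LAN side: Tx toward PC2, no Rx back.
/tool torch interface=bridge ip-protocol=icmp src-address=192.168.1.0/24 dst-address=192.168.0.149

# 5. Separate the two end-PC causes named in the last post.
#    Local source address: PC2 answers if its own firewall allows LAN pings.
/ping 192.168.0.149 src-address=192.168.0.1 count=3
#    Tunnel source address: answered only if PC2 has a default gateway
#    (Router2) AND its firewall accepts ICMP from a non-local subnet.
/ping 192.168.0.149 src-address=172.22.22.2 count=3

# 6. Fallback when PC2 cannot be given a gateway or a firewall change: hide
#    remote sources behind Router2's LAN address so PC2 sees a local peer
#    (the SNAT idea above). PC2 then no longer sees the real source address.
/ip firewall nat add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.0.0/24 \
    out-interface=bridge action=masquerade comment="hide site1 behind router2 LAN IP"
```

Two notes on reading the result. The forward chain in the posted configuration has no final drop (its only drops are `connection-state=invalid` and `new` connections arriving on the WAN list without DST-NAT), so unless the OVPN interface has been added to the WAN interface list the chain already ends in an implicit accept; the two rules in step 2 therefore grant nothing new and are purely a measuring point. And if step 5 shows the local-source ping answered but the tunnel-source ping not, the counters in step 3 will have confirmed the same thing from the other side, and the fix belongs on PC2 (default gateway, or an ICMP rule that is not scoped to the local subnet) rather than in the SNAT workaround, which should be the last resort because it removes the remote source address from anything PC2 logs.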
