jamsden
newbie
Topic Author
Posts: 25
Joined: Fri Feb 26, 2021 7:28 am

OpenVPN Access - Can only reach the gateway

Tue Sep 21, 2021 5:45 pm

Hi everybody, after a few weeks of working on my new home network, I'm back, of course, with a problem.
Thanks to everybody who helped me go for a PoE solution. My network is now almost OK (VLAN separation is still a desired thing), but so far so good, everything is working fine.
The network is made of:
  • RB1100AHx4 as main router, connected to my ISP modem. It does everything, DNS, DHCP server, DDNS...
  • CRS112-8P as switch
  • HAP ac3 as bridge AP
  • Map Lite as bridge AP
Everything is powered by CRS112.
I have configured the RB1100 for remote access via OpenVPN, and it works as long as I try to connect to the RB1100 itself. I cannot reach any of the other machines in the LAN. I also have to say that before putting the CRS112 to work I had a CSS610 as main switch, and everything was working fine: I could reach all the machines in the LAN (NAS, cameras, access points). SwOS was a lot easier.
All devices are on latest stable, 6.48.4.
RB1100:
# sep/21/2021 15:00:12 by RouterOS 6.48.4
#
# model = RB1100x4
/interface bridge
add name=bridge-to-lan
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=ether11 ] disabled=yes
set [ find default-name=ether12 ] disabled=yes
set [ find default-name=ether13 ] name=ether13-POE
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-WAN name=PPPoE-WindTre \
    use-peer-dns=yes user=benvenuto
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
set 12 default-vlan-id=0
set 13 default-vlan-id=0
set 15 default-vlan-id=0
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.0.100-192.168.0.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-to-lan lease-time=\
    23h59m59s name=dhcp-base-lan
/ppp profile
add local-address=192.168.0.1 name=ovpn remote-address=dhcp
/interface bridge port
add bridge=bridge-to-lan interface=ether2
add bridge=bridge-to-lan interface=ether3
add bridge=bridge-to-lan interface=ether4
add bridge=bridge-to-lan interface=ether5
add bridge=bridge-to-lan interface=ether6
add bridge=bridge-to-lan interface=ether7
add bridge=bridge-to-lan interface=ether8
add bridge=bridge-to-lan interface=ether9
add bridge=bridge-to-lan interface=ether10
add bridge=bridge-to-lan interface=ether11
add bridge=bridge-to-lan interface=ether12
add bridge=bridge-to-lan interface=ether13-POE
/interface list member
add interface=PPPoE-WindTre list=WAN
add interface=bridge-to-lan list=LAN
/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes256 default-profile=ovpn enabled=\
    yes require-client-certificate=yes
/ip address
add address=192.168.0.1/24 interface=bridge-to-lan network=192.168.0.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-client
add interface=ether1-WAN
/ip dhcp-server lease
add address=192.168.0.254 client-id=1:38:f9:d3:4:e7:b7 mac-address=\
    38:F9:D3:04:E7:00 server=dhcp-base-lan
add address=192.168.0.253 client-id=1:8:55:31:a3:2c:10 mac-address=\
    08:55:31:A3:2C:00 server=dhcp-base-lan
add address=192.168.0.252 client-id=1:8:55:31:88:d4:ff mac-address=\
    08:55:31:88:00:FF server=dhcp-base-lan
add address=192.168.0.250 client-id=1:0:11:32:89:c5:da mac-address=\
    00:11:32:00:C5:DA server=dhcp-base-lan
add address=192.168.0.247 mac-address=E8:E8:B7:9E:9C:75 server=dhcp-base-lan
add address=192.168.0.246 client-id=1:8e:3b:ad:28:12:d9 comment=EX8000 \
    mac-address=EE:3B:AD:28:12:D9 server=dhcp-base-lan
add address=192.168.0.245 comment="athom plug soggiorno" mac-address=\
    50:02:91:00:A2:27 server=dhcp-base-lan
add address=192.168.0.244 comment="athom plug ingresso" mac-address=\
    24:62:AB:AA:A3:48 server=dhcp-base-lan
add address=192.168.0.228 comment="camera rebecca" mac-address=\
    DC:4F:22:71:7D:6D server=dhcp-base-lan
add address=192.168.0.167 client-id=1:2c:d2:6b:18:aa:cb comment="ip camera" \
    mac-address=2C:D4:6B:18:AA:CB server=dhcp-base-lan
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1 \
    netmask=24
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=192.168.0.100-192.168.0.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
add list=ddos-attackers
add list=ddos-targets
/ip firewall filter
add action=fasttrack-connection chain=forward comment=fasttrack \
    connection-state=established,related
add action=accept chain=input comment="default configuration" \
    connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-port=1194 log=yes protocol=tcp
add action=drop chain=input comment="drop everything else" in-interface=\
    PPPoE-WindTre log-prefix=WAN
add action=accept chain=forward comment="established, related" \
    connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid \
    dst-address-type="" fragment=no log-prefix=invalid src-address-type=""
add action=drop chain=forward comment=\
    "drop tries to reach not public addresses from LAN" dst-address-list=\
    not_in_internet in-interface=bridge-to-lan log=yes log-prefix=\
    !public_from_LAN out-interface=!bridge-to-lan
add action=drop chain=forward comment=\
    "drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1-WAN log=yes log-prefix=!NAT
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp \
    protocol=icmp
add action=drop chain=forward comment=\
    "drop incoming from internet which is not public IP" in-interface=\
    ether1-WAN log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment=\
    "drop packets from LAN that do not have LAN IP" in-interface=\
    bridge-to-lan log=yes log-prefix=LAN_!LAN src-address=!192.168.0.0/24
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
    protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
    protocol=icmp
add action=accept chain=icmp comment=\
    "host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
    protocol=icmp
add action=drop chain=icmp comment="deny all other types"
add action=jump chain=forward connection-state=new jump-target=detect-ddos
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos-targets \
    address-list-timeout=10m chain=detect-ddos log=yes
add action=add-src-to-address-list address-list=ddos-attackers \
    address-list-timeout=10m chain=detect-ddos log=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN src-address=\
    192.168.0.0/24
/ip firewall raw
add action=drop chain=prerouting dst-address-list=ddos-targets \
    src-address-list=ddos-attackers
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add name=giancarlo profile=ovpn service=ovpn
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=MikroTik_RB1100AHx4
/system routerboard settings
set silent-boot=yes
/tool e-mail
set address=smtp.mailbox.org from=<tie@mailbox.org> port=465 start-tls=yes \
    user=
/tool graphing interface
add interface=bridge-to-lan
add interface=PPPoE-WindTre
/tool graphing resource
add
CRS112:
# sep/21/2021 15:01:13 by RouterOS 6.48.4
#
# model = CRS112-8P-4S
/interface bridge
add admin-mac=2C:C8:1B:E7:66:7B auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-RB1100AHx4
set [ find default-name=ether2 ] name=ether2-EX8000
set [ find default-name=ether3 ] name=ether3-TimeMachine
set [ find default-name=ether4 ] name=ether4-DS218+
set [ find default-name=ether5 ] name=ether5-iMac
set [ find default-name=ether6 ] name=ether6-MapLite
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge comment=defconf interface=ether1-RB1100AHx4
add bridge=bridge comment=defconf interface=ether2-EX8000
add bridge=bridge comment=defconf interface=ether3-TimeMachine
add bridge=bridge comment=defconf interface=ether4-DS218+
add bridge=bridge comment=defconf interface=ether5-iMac
add bridge=bridge comment=defconf interface=ether6-MapLite
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp9
add bridge=bridge comment=defconf interface=sfp10
add bridge=bridge comment=defconf interface=sfp11
add bridge=bridge comment=defconf interface=sfp12
/interface list member
add interface=ether1-RB1100AHx4 list=WAN
add interface=ether2-EX8000 list=LAN
add interface=ether3-TimeMachine list=LAN
add interface=ether4-DS218+ list=LAN
add interface=ether5-iMac list=LAN
add interface=ether6-MapLite list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=sfp9 list=LAN
add interface=sfp10 list=LAN
add interface=sfp11 list=LAN
add interface=sfp12 list=LAN
/ip address
add address=192.168.0.2/24 comment=defconf interface=ether2-EX8000 network=\
    192.168.0.0
/ip dns
set servers=192.168.0.1
/ip route
add distance=1 gateway=192.168.0.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Rome
/system identity
set name=MikroTik_CRS112-8P
/tool graphing interface
add
/tool graphing resource
add
OpenVPN client:
client
dev tun
proto tcp-client
remote XXXXXXXXX.sn.mynetname.net
port 1194
cipher AES-256-CBC
remote-cert-tls server
auth SHA1
auth-user-pass
pull
# /24 route to the LAN behind the router: the network address, not the router's host address
route 192.168.0.0 255.255.255.0
dhcp-option DNS 192.168.0.1
<ca>
</ca>
<cert>
</cert>
<key>
</key>
Am I missing something? Just out of curiosity, why was the CSS610 able to route my traffic while the CRS112 is not?

Thank you very much.
 
tdw
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: OpenVPN Access - Can only reach the gateway  [SOLVED]

Tue Sep 21, 2021 7:41 pm

The CSS610 and CRS112 both switch traffic not route it.

I can't see how OpenVPN would have ever worked: as you are using IP addresses from the same subnet for both the VPN and the LAN, you need to enable proxy-arp on the RB1100 bridge-to-lan, otherwise local devices cannot send replies to the VPN client.
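Applying tdw's fix, as an added example that is not part of the thread (RouterOS 6 terminal syntax matched to the RB1100 export above). The reason it works: the ovpn profile uses remote-address=dhcp, so VPN clients get 192.168.0.100-254 addresses from the same pool as LAN hosts, and that range is also the allowed_to_router list, which is why the router itself was reachable while LAN hosts were not. The optional forward rule in step 3 and the separate-subnet layout in step 4 are my additions; 192.168.10.0/24 and the pool name "ovpn" are illustrative choices, not values from the thread.

```routeros
# 1. The fix tdw describes: let the router answer ARP requests for VPN client
#    addresses. A LAN host ARPs on the bridge for the client's 192.168.0.x
#    address; with proxy-arp the router replies with its own MAC and then
#    routes the frame into the tunnel. Without it nobody answers and the
#    host's reply never leaves its NIC.
/interface bridge set [ find name=bridge-to-lan ] arp=proxy-arp
/interface bridge print detail where name=bridge-to-lan
# expect arp=proxy-arp in the output

# 2. With a client connected, confirm the router actually routes to it:
#    an active PPP session for the secret, and a dynamic connected /32 for
#    the client's address whose gateway is the <ovpn-...> interface.
/ppp active print
/ip route print detail
/interface ovpn-server print

# 3. Why the existing forward chain still lets replies through: the
#    "established, related" accept precedes the "drop tries to reach not
#    public addresses from LAN" rule, so replies to VPN-initiated connections
#    pass. Connections initiated FROM the LAN toward a VPN client do hit that
#    drop (dst in 192.168.0.0/16, in=bridge-to-lan, out=the ovpn interface).
#    Only add this if LAN-initiated access to VPN clients is actually wanted:
/ip firewall filter add chain=forward action=accept comment="LAN to VPN clients" \
    in-interface=bridge-to-lan out-interface=!bridge-to-lan \
    dst-address=192.168.0.0/24 \
    place-before=[ find comment="drop tries to reach not public addresses from LAN" ]

# 4. Alternative to step 1 that needs no proxy-arp: give VPN clients their
#    own subnet and let the router route between it and the LAN. LAN hosts
#    already default-route via 192.168.0.1, so they need no change; the
#    client config keeps "route 192.168.0.0 255.255.255.0".
/ip pool add name=ovpn ranges=192.168.10.2-192.168.10.50
/ppp profile set ovpn local-address=192.168.10.1 remote-address=ovpn
# The input chain only admits allowed_to_router (192.168.0.100-254) to router
# services such as DNS, so the new subnet must be listed or clients lose
# DNS at 192.168.0.1:
/ip firewall address-list add address=192.168.10.0/24 list=allowed_to_router \
    comment="OpenVPN clients"
# Note: 192.168.10.0/24 is still inside not_in_internet (192.168.0.0/16), so
# the LAN-initiated drop discussed in step 3 applies to this layout as well.
```

A quick end-to-end check after step 1: from the VPN client ping a LAN host such as the NAS, then on that host look at its ARP cache; the entry for the VPN client's 192.168.0.x address should carry the RB1100's bridge MAC, which is exactly what proxy-arp produces.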
 
jamsden
newbie
Topic Author
Posts: 25
Joined: Fri Feb 26, 2021 7:28 am

Re: OpenVPN Access - Can only reach the gateway

Tue Sep 21, 2021 8:14 pm

@tdw thank you it worked. I have probably changed the config without knowing exactly what I was doing.
