What I'm trying to achieve is connecting from host "VPN Client" to "HServer-1". Since "HRouter" has another EoIP, here's what I get if I try to ping "HServer" from "VPN Client":
1. 10.0.0.19 sends ICMP to 11.12.13.14
2. Due to the route on the client "11.12.13/24 10.0.0.1", the packet is transmitted to "WRouter"
3. "WRouter" has a route to the "11.12.13/24" network via EoIP, so the packet is sent to "HRouter"
4. "HRouter" transmits the packet to "HServer-1" after an ARP lookup
5. "HServer-1" replies to "HRouter" with ICMP-reply src=11.12.13.14 dst=10.0.0.19
6. "HRouter" transmits the reply to "MRouter", since dst=10.0.0.19 matches a route there
Of course I could try to eliminate the IP range conflict, but that's not the right path to follow in this case. I personally think "HRouter" should NOT know about the (somewhat internal) routing on "WRouter": packets should be NATed and then transmitted to "HRouter".
...and that's where I stopped. No matter what I do, packets from the VPN are transmitted directly via EoIP to "HRouter".
That's the route on "WRouter" to direct packets to "HRouter" network:

/ip route add distance=1 dst-address=11.12.13.0/24 gateway=eoip-to-hrouter pref-src=172.16.1.2

/ip firewall filter
add chain=forward comment="Allow VPN users to access EoIP-HRouter network" dst-address=11.12.13.0/24 in-interface=all-ppp
add action=reject chain=forward comment="Drop unknown traffic from VPN users" in-interface=all-ppp reject-with=icmp-admin-prohibited
Any suggestions before I rip all the hair off my head?
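The post describes the mechanism exactly: the reply from HServer-1 carries dst=10.0.0.19, and HRouter routes that address to MRouter because the VPN pool overlaps with a range it already knows. A source NAT on WRouter, applied only to traffic leaving through the EoIP tunnel, rewrites the VPN client's address to WRouter's own tunnel address, so HRouter only ever sees 172.16.1.2 and its existing route to 10.0.0.0/24 never comes into play. The rules below are an added example, not the poster's configuration; they assume the PPP address pool is 10.0.0.0/24 and that 172.16.1.2 is the address configured on eoip-to-hrouter (both taken from the pref-src and the client address in the post, but not confirmed there), and that HRouter has a return route to 172.16.1.0/24 or the tunnel is directly connected.

```routeros
# Assumed: VPN client pool is 10.0.0.0/24 and 172.16.1.2 is WRouter's address on eoip-to-hrouter.
# Rewrite the source of VPN traffic only when it exits through the EoIP tunnel, so other
# VPN traffic (Internet, local LAN) is untouched and HRouter never sees a 10.0.0.x source.
/ip firewall nat
add chain=srcnat comment="Hide VPN clients behind WRouter's tunnel address" \
    src-address=10.0.0.0/24 out-interface=eoip-to-hrouter \
    action=src-nat to-addresses=172.16.1.2

# The existing forward filter already limits VPN users to 11.12.13.0/24 over all-ppp;
# connection tracking then maps HServer-1's replies (dst=172.16.1.2) back to 10.0.0.19.
# To confirm the translation is taking place, inspect the tracked connection while pinging:
/ip firewall connection print where dst-address~"11.12.13.14"
# Expect reply-dst-address (or the NAT-marked entry) to show 172.16.1.2, not 10.0.0.19.
```

Keep the rule ahead of any broader masquerade rule that also matches 10.0.0.0/24, and match on out-interface rather than in-interface=all-ppp so the same NAT does not accidentally apply to traffic from the WRouter LAN. If HRouter should log or filter per client, this trade-off is the cost of the NAT: every VPN user appears as 172.16.1.2 on the HRouter side.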