Technetium
newbie
Topic Author
Posts: 46
Joined: Sun Oct 16, 2016 10:56 pm

Ovpn server on separate pool cannot reach lan

Thu Jul 25, 2019 5:13 pm

I've set up an OpenVPN server on my router.
My LAN pool is 192.168.1.0/24; 192.168.1.1 is the bridge for the LAN.
The OpenVPN pool is 10.255.255.0/24.
The connection to the server works fine, but I can't see or ping the LAN.

I've inserted the rule in the firewall to reach the LAN from the OpenVPN address pool, but it does not work. I cannot reach the LAN 192.168.1.0/24.
/ip firewall filter
add chain=forward src-address=192.168.1.0/24 dst-address=10.255.255.0/24 action=accept
add chain=forward src-address=10.255.255.0/24 dst-address=192.168.1.0/24 action=accept


OpenVPN client config is:
client
dev tun
proto tcp
remote MY_REMOTE_IP
port 1200
resolv-retry infinite
nobind
persist-key
persist-tun
tls-client
remote-cert-tls server
ca [inline]
cert [inline]
key [inline]
verb 4
keepalive 60 900
mute 10
cipher AES-256-CBC
auth SHA1
pull
auth-user-pass
auth-nocache


My router config:
/interface bridge
add admin-mac=4C:5E:0C:07:63:3C arp=proxy-arp auto-mac=no comment=defconf \
    name=bridge
/interface ethernet
set [ find default-name=ether1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=proxy-arp \
    name=WAN1
set [ find default-name=ether5 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=WAN2
set [ find default-name=ether2 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether3 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether4 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=2 band=2ghz-b/g/n country=italy \
    disabled=no distance=indoors frequency=auto frequency-mode=\
    regulatory-domain hide-ssid=yes mode=ap-bridge ssid=Tss tx-power=25 \
    tx-power-mode=all-rates-fixed wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec peer
add name=peer1 passive=yes
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.254
add name=dhcp_pool1 ranges=192.168.1.2-192.168.1.254
add name=dhcp_pool2 ranges=10.0.2.2-10.0.2.254
add name=pool-ovpn ranges=10.255.255.2-10.255.255.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
add interface-list=LAN local-address=192.168.1.1 name=Ovpn-profile \
    remote-address=dhcp
add interface-list=LAN local-address=10.255.255.1 name=OVPN-profile2 \
    remote-address=pool-ovpn
/queue simple
add disabled=yes dst=192.168.1.250/32 max-limit=10M/700k name=WAN1_total \
    target=WAN1
add disabled=yes limit-at=1M/256k max-limit=10M/512k name=Server_wan1 parent=\
    WAN1_total target=192.168.1.250/32
/queue tree
add disabled=yes max-limit=700k name=uploadWAN2 parent=WAN1
add limit-at=200k max-limit=600k name=Voip_upload_WAN2 packet-mark=fromVoip \
    parent=uploadWAN2
add max-limit=690k name=otherClientWAN2 packet-mark=no-mark parent=uploadWAN2
/system logging action
set 1 disk-file-count=1
/interface bridge port
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=WAN1 list=WAN
add interface=wlan1 list=discover
add interface=ether2 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=WAN2 list=discover
add interface=bridge list=discover
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
add interface=WAN2 list=WAN
/interface ovpn-server server
set auth=sha1 certificate=Server cipher=aes256 default-profile=OVPN-profile2 \
    enabled=yes port=1200 require-client-certificate=yes
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
    192.168.1.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=WAN1
add dhcp-options=hostname,clientid disabled=no interface=WAN2
/ip dhcp-server lease
add address=192.168.1.254 client-id=1:6c:3b:6b:ed:b3:5f disabled=yes \
    mac-address=6C:3B:6B:ED:B3:5F server=defconf
add address=192.168.1.251 client-id=1:64:d1:54:46:af:ee mac-address=\
    64:D1:54:46:AF:EE server=defconf
/ip dhcp-server network
add address=10.0.2.0/24 dns-server=192.168.178.1,8.8.8.8,8.8.4.4 gateway=\
    10.0.2.1
add address=10.255.255.0/24 dns-server=192.168.1.1 gateway=192.168.1.1 \
    netmask=24
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.1.1 name=router.lan
/ip firewall filter
add action=accept chain=input connection-state=new dst-port=1200 protocol=tcp
add action=accept chain=input comment="Intercomunicazione POOL VPN" \
    dst-address=10.255.255.0/24 src-address=192.168.1.0/24
add action=accept chain=input comment="Intercomunicazione POOL VPN" \
    dst-address=192.168.1.0/24 src-address=10.255.255.0/24
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-mark=!WAN2 connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=accept chain=prerouting comment="Accept da WAN1" dst-address=\
    192.168.178.0/24
add action=accept chain=prerouting comment="Accept da WAN2" dst-address=\
    10.0.2.0/24
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=WAN1 new-connection-mark=WAN1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=WAN2 new-connection-mark=WAN2 passthrough=yes
add action=mark-connection chain=prerouting comment=\
    "Voip connection mark WAN2" connection-mark=no-mark dst-address-type=\
    !local in-interface=bridge new-connection-mark=Voip_WAN2 passthrough=yes \
    src-address=192.168.1.250
add action=mark-connection chain=prerouting comment="PCC stream WAN1" \
    connection-mark=no-mark dst-address-type=!local in-interface=bridge \
    new-connection-mark=WAN1 passthrough=yes per-connection-classifier=\
    both-addresses:2/0
add action=mark-connection chain=prerouting comment="PCC stream WAN2" \
    connection-mark=no-mark dst-address-type=!local in-interface=bridge \
    new-connection-mark=WAN2 passthrough=yes per-connection-classifier=\
    both-addresses:2/1
add action=mark-routing chain=prerouting comment=\
    "Voip routing mark WAN2_mark chain prerouting" connection-mark=Voip_WAN2 \
    in-interface=bridge new-routing-mark=WAN2-mark passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN1 in-interface=\
    bridge new-routing-mark=WAN1-mark passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2 in-interface=\
    bridge new-routing-mark=WAN2-mark passthrough=yes
add action=mark-routing chain=output comment=\
    "Voip routing mark WAN2_mark chain output" connection-mark=Voip_WAN2 \
    new-routing-mark=WAN2-mark passthrough=yes
add action=mark-routing chain=output connection-mark=WAN1 new-routing-mark=\
    WAN1-mark passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2 new-routing-mark=\
    WAN2-mark passthrough=yes
add action=mark-packet chain=postrouting connection-mark=Voip_WAN2 \
    new-packet-mark=fromVoip
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes log=yes log-prefix=OVPN \
    src-address=10.255.255.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add check-gateway=ping comment="WAN 2 marked route" distance=1 gateway=\
    192.168.43.1 routing-mark=WAN2-mark
add check-gateway=ping comment="WAN 1 marked route" distance=1 gateway=\
    192.168.178.1 routing-mark=WAN1-mark
add comment="Default route WAN 1" distance=1 gateway=192.168.178.1
add comment="Defult route WAN 2" distance=1 gateway=192.168.43.1
/ip ssh
set forwarding-enabled=remote
/ppp secret
add name=Utente1 profile=OVPN-profile2 service=ovpn
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=hAP
/system logging
add topics=ovpn,debug
/system ntp client
set enabled=yes
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
 
schadom
Member Candidate
Posts: 139
Joined: Sun Jun 25, 2017 2:47 am
Location: Austria

Re: Ovpn server on separate pool cannot reach lan

Fri Jul 26, 2019 1:54 pm

We're experiencing the same problem after upgrading to 6.45.1 ...
It's time to finally throw all Mikrotik devices out of the window.
 
2frogs
Long time Member
Posts: 540
Joined: Fri Dec 03, 2010 1:38 am

Re: Ovpn server on separate pool cannot reach lan

Fri Jul 26, 2019 2:11 pm

Try adding this to the top of your mangle rules:
/ip firewall mangle
add action=accept chain=prerouting dst-address=10.255.255.0/24 in-interface=bridge
I believe your rules are too loose and catching any traffic from your LAN to VPN IP ranges.
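To see why the mangle rules in the export catch LAN-to-VPN traffic, here is an added example (not from the thread or from MikroTik) that replays a LAN host's reply to the OpenVPN client through a simplified model of the prerouting rules above. The matchers are reduced to the fields those rules use, the PCC hash is a stand-in for RouterOS's, and the reply packet is constructed.

```python
"""Simplified model of the /ip firewall mangle prerouting chain from the export.
Shows how the PCC rules give a LAN->VPN reply a WAN routing mark, and how the
accept rule proposed in this post stops that (added example, not thread code)."""
import ipaddress

ROUTER_LOCAL = {"192.168.1.1", "10.255.255.1"}  # addresses owned by the router

def in_net(addr, net):
    return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def pcc_bucket(pkt):
    # Stand-in for per-connection-classifier=both-addresses:2/N: one deterministic
    # bucket per address pair is the only property modelled here
    return (int(ipaddress.ip_address(pkt["src"])) + int(ipaddress.ip_address(pkt["dst"]))) % 2

# chain=prerouting rules in the order the export lists them
MANGLE = [
    dict(action="accept", dst_net="192.168.178.0/24"),
    dict(action="accept", dst_net="10.0.2.0/24"),
    dict(action="mark-connection", in_if="WAN1", conn="no-mark", new="WAN1"),
    dict(action="mark-connection", in_if="WAN2", conn="no-mark", new="WAN2"),
    dict(action="mark-connection", in_if="bridge", conn="no-mark", not_local=True,
         src_net="192.168.1.250/32", new="Voip_WAN2"),
    dict(action="mark-connection", in_if="bridge", conn="no-mark", not_local=True, pcc=0, new="WAN1"),
    dict(action="mark-connection", in_if="bridge", conn="no-mark", not_local=True, pcc=1, new="WAN2"),
    dict(action="mark-routing", in_if="bridge", conn="Voip_WAN2", new="WAN2-mark"),
    dict(action="mark-routing", in_if="bridge", conn="WAN1", new="WAN1-mark"),
    dict(action="mark-routing", in_if="bridge", conn="WAN2", new="WAN2-mark"),
]
FIX = dict(action="accept", in_if="bridge", dst_net="10.255.255.0/24")  # rule proposed above

def matches(rule, pkt, conn_mark):
    return ((rule.get("in_if") in (None, pkt["in"]))
            and in_net(pkt["dst"], rule.get("dst_net"))
            and in_net(pkt["src"], rule.get("src_net"))
            and not (rule.get("not_local") and pkt["dst"] in ROUTER_LOCAL)  # dst-address-type=!local
            and ("conn" not in rule or (conn_mark or "no-mark") == rule["conn"])
            and ("pcc" not in rule or pcc_bucket(pkt) == rule["pcc"]))

def run_prerouting(rules, pkt):
    """Walk the chain; return (connection-mark, routing-mark), None = unmarked."""
    conn_mark = routing_mark = None
    for rule in rules:
        if not matches(rule, pkt, conn_mark):
            continue
        if rule["action"] == "accept":        # accept ends mangle processing
            break
        if rule["action"] == "mark-connection":
            conn_mark = rule["new"]           # passthrough=yes: later rules still run
        elif rule["action"] == "mark-routing":
            routing_mark = rule["new"]
    return conn_mark, routing_mark

# Constructed reply from a LAN host to the VPN client, arriving on the bridge
REPLY = {"src": "192.168.1.20", "dst": "10.255.255.2", "in": "bridge"}

if __name__ == "__main__":
    # A WANx-mark table in the export holds only a default route via a WAN gateway,
    # so a marked reply is routed towards the WAN instead of back over the ovpn link
    print("export as posted :", run_prerouting(MANGLE, REPLY))
    print("with accept rule :", run_prerouting([FIX] + MANGLE, REPLY))
```

Replies addressed to the router's own VPN address (10.255.255.1) are never marked because of dst-address-type=!local, which is why pinging the router from the client can work while pinging a LAN host fails.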
 
schadom
Member Candidate
Posts: 139
Joined: Sun Jun 25, 2017 2:47 am
Location: Austria

Re: Ovpn server on separate pool cannot reach lan

Fri Jul 26, 2019 2:22 pm

Try adding this to the top of your mangle rules:
/ip firewall mangle
add action=accept chain=prerouting dst-address=10.255.255.0/24 in-interface=bridge
I believe your rules are too loose and catching any traffic from your LAN to VPN IP ranges.

That's what we get if the OpenVPN client tries to ping a host inside mgmt-bridge:
13:19:00 firewall,info prerouting: in:ovpn-instance out:(unknown 0), proto ICMP (type 8, code 0), 10.10.10.20->10.67.68.1, len 84 
13:19:01 firewall,info prerouting: in:ovpn-instance out:(unknown 0), proto ICMP (type 8, code 0), 10.10.10.20->10.67.68.1, len 84 
13:19:02 firewall,info prerouting: in:ovpn-instance out:(unknown 0), proto ICMP (type 8, code 0), 10.10.10.20->10.67.68.1, len 84 
13:19:03 firewall,info prerouting: in:ovpn-instance out:(unknown 0), proto ICMP (type 8, code 0), 10.10.10.20->10.67.68.1, len 84 
13:19:04 firewall,info prerouting: in:ovpn-instance out:(unknown 0), proto ICMP (type 8, code 0), 10.10.10.20->10.67.68.1, len 84 
 
Sob
Forum Guru
Posts: 4806
Joined: Mon Apr 20, 2009 9:11 pm

Re: Ovpn server on separate pool cannot reach lan

Fri Jul 26, 2019 4:27 pm

Step 1: Packets are coming to router (prerouting, from ovpn-instance) - YES
Step 2: Packets are going through router (forward) - ???
Step 3: Packets are sent to target device (postrouting, to mgmt-bridge / torch on mgmt-bridge) - ???
Step 4: Device responds and sends some packets back (prerouting, from mgmt-bridge) - ???
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.