foxit
just joined
Topic Author
Posts: 5
Joined: Fri Feb 24, 2017 5:38 pm

Dual WAN with OpenVPN Clients - problem with LAN connections

Tue Aug 13, 2019 1:15 pm

Hi,

currently facing a problem with a Dual WAN setup and OpenVPN clients. Dual WAN works with some Mangle Rules. OpenVPN used to work before we added the second WAN. Now the OpenVPN client can connect to the MikroTik but not to the LAN. WAN1 is used for WAN access, WAN2 for Internet access from LAN.

It's an RB750 with v6.45.2

LAN: 192.168.1.0/24
WAN1: 91.112.40.120/29
WAN2: 192.168.2.0/24
OpenVPN: 172.16.1.1

That's what I used to set up the Mangle Rules, based on this presentation: https://mum.mikrotik.com/presentations/US12/tomas.pdf
/ip firewall mangle
add chain=input connection-mark=no-mark in-interface=ether1-WAN-1 action=mark-connection new-connection-mark=WAN-1->ROS
add chain=input connection-mark=no-mark in-interface=ether3-WAN-2 action=mark-connection new-connection-mark=WAN-2->ROS

add chain=output connection-mark=WAN-1->ROS action=mark-routing new-routing-mark=1_Route
add chain=output connection-mark=WAN-2->ROS action=mark-routing new-routing-mark=2_Route

add chain=forward connection-mark=no-mark in-interface=ether1-WAN-1 action=mark-connection new-connection-mark=WAN-1->LANs
add chain=forward connection-mark=no-mark in-interface=ether3-WAN-2 action=mark-connection new-connection-mark=WAN-2->LANs
add chain=prerouting connection-mark=WAN-1->LANs src-address-list=LAN action=mark-routing new-routing-mark=1_Route
add chain=prerouting connection-mark=WAN-2->LANs src-address-list=LAN action=mark-routing new-routing-mark=2_Route

add chain=prerouting connection-mark=no-mark src-address-list=LAN dst-address-list=!Connected dst-address-type=!local action=mark-connection new-connection-mark=LAN->WAN
add chain=prerouting connection-mark=LAN->WAN src-address-list=LAN action=mark-routing new-routing-mark=1_Route comment="Load-Balancing here"

add chain=prerouting connection-mark=LAN->WAN routing-mark=1_Route action=mark-connection new-connection-mark=Sticky_1
add chain=prerouting connection-mark=LAN->WAN routing-mark=2_Route action=mark-connection new-connection-mark=Sticky_2
add chain=prerouting connection-mark=Sticky_1 src-address-list=LAN action=mark-routing new-routing-mark=1_Route
add chain=prerouting connection-mark=Sticky_2 src-address-list=LAN action=mark-routing new-routing-mark=2_Route

Already tried to add Mangle Rules for interface ppp but had no success so far. Any ideas?
Cheers, Ben
 
sindy
Forum Guru
Posts: 3774
Joined: Mon Dec 04, 2017 9:19 pm

Re: Dual WAN with OpenVPN Clients - problem with LAN connections

Wed Aug 14, 2019 8:43 pm

OpenVPN used to work before we added the second WAN.
Before you added the second WAN or before you added the mangle rules ;) ? Just a rhetorical question, of course you did both in the same step.

Intuitively I feel that the packets coming in via the OpenVPN interface and with the destination addresses from the LAN subnet are handled as if they were coming from the LAN and thus routed using the routes with routing-mark (so out the WAN), so could it be that the OpenVPN clients' addresses are dynamically added, or have been manually added, to address-list name=LAN for other purposes (like common filtering rules for actual LAN hosts and OpenVPN clients)? If this is not the case, post the full export, not just the mangle rules. For anonymity concerns, see my automatic signature below.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
foxit
just joined
Topic Author
Posts: 5
Joined: Fri Feb 24, 2017 5:38 pm

Re: Dual WAN with OpenVPN Clients - problem with LAN connections

Mon Aug 19, 2019 7:12 pm

Hi sindy,

thanks for replying. Here's the config export:
# aug/19/2019 17:54:49 by RouterOS 6.45.2
# software id = X4AM-I8GM
#
# model = 750
# serial number = 2F2C02A30581
/interface bridge
add admin-mac=D4:CA:6D:3C:5C:FF auto-mac=no comment=\
    "created from master port" name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    ether1-WAN-1
set [ find default-name=ether2 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    ether2-master-local
set [ find default-name=ether3 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    ether3-WAN-2
set [ find default-name=ether4 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    ether4-slave-local
set [ find default-name=ether5 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    ether5-slave-local
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=pool-OVPN ranges=172.16.1.0-172.16.1.200
/ip dhcp-server
add address-pool=default-dhcp authoritative=after-2sec-delay interface=\
    bridge1 name=default
/ppp profile
add dns-server=192.168.1.11 local-address=172.16.1.1 name=profile-OVPN \
    remote-address=pool-OVPN
/interface bridge port
add bridge=bridge1 interface=ether4-slave-local
add bridge=bridge1 interface=ether2-master-local
add bridge=bridge1 interface=ether5-slave-local
/ip neighbor discovery-settings
set discover-interface-list=discover
/ipv6 settings
set max-neighbor-entries=1024
/interface list member
add interface=bridge1 list=discover
add interface=ether3-WAN-2 list=discover
add interface=ether4-slave-local list=discover
add interface=ether5-slave-local list=discover
add interface=bridge1 list=mactel
add interface=ether3-WAN-2 list=mactel
add interface=bridge1 list=mac-winbox
add interface=ether4-slave-local list=mactel
add interface=ether3-WAN-2 list=mac-winbox
add interface=ether4-slave-local list=mac-winbox
add interface=ether5-slave-local list=mactel
add interface=ether5-slave-local list=mac-winbox
/interface ovpn-server server
set auth=sha1 certificate=mikrotik.crt_0 cipher=aes256 default-profile=\
    profile-OVPN enabled=yes require-client-certificate=yes
/ip address
add address=192.168.1.254/24 comment="default configuration" interface=\
    bridge1 network=192.168.1.0
add address=91.112.40.122/29 comment=WAN interface=ether1-WAN-1 network=\
    91.112.40.120
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid interface=\
    ether1-WAN-1
# DHCP client can not run on slave interface!
add dhcp-options=hostname,clientid disabled=no interface=ether5-slave-local
add dhcp-options=hostname,clientid disabled=no interface=ether3-WAN-2
/ip dhcp-server network
add address=192.168.1.0/24 comment="default configuration" gateway=\
    192.168.1.254 netmask=24
/ip dns
set allow-remote-requests=yes servers=213.33.99.70,80.120.17.70
/ip dns static
add address=192.168.1.254 name=router
/ip firewall address-list
add address=192.168.1.11 list=WAN-1
add address=192.168.1.1-192.168.1.10 list=WAN-2
add address=192.168.1.12-192.168.1.253 list=WAN-2
add address=172.16.1.0-172.16.1.254 list=WAN-1
add address=192.168.1.0/24 list=LAN
add address=172.16.1.0-172.16.1.254 list=openvpn
/ip firewall filter
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment="default configuration" \
    connection-state=established,related
add action=accept chain=input comment="allow OpenVPN" dst-port=1194 protocol=\
    tcp
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-WAN-1
add action=drop chain=input in-interface=ether3-WAN-2
add action=accept chain=forward comment="default configuration" \
    connection-state=established,related
add action=accept chain=forward comment="allow VPN" in-interface=all-ppp
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
add action=drop chain=forward comment="default configuration" \
    connection-nat-state=!dstnat connection-state=new in-interface=\
    ether1-WAN-1
add action=drop chain=forward in-interface=ether3-WAN-2
/ip firewall mangle
add action=mark-routing chain=prerouting comment="OpenVPN prerouting" \
    connection-mark=ovpn_conn_mark in-interface=all-ppp log=yes log-prefix=\
    ovpn_route_mark new-routing-mark=ovpn_route_mark passthrough=yes
add action=mark-connection chain=prerouting in-interface=all-ppp \
    new-connection-mark=ovpn_conn_mark passthrough=yes
add action=mark-routing chain=prerouting new-routing-mark=WAN-1 passthrough=\
    no src-address-list=WAN-1
add action=mark-routing chain=prerouting new-routing-mark=WAN-2 \
    passthrough=no src-address-list=WAN-2
add action=mark-connection chain=input connection-mark=no-mark in-interface=\
    ether1-WAN-1 new-connection-mark=WAN-1->ROS passthrough=yes
add action=mark-connection chain=input connection-mark=no-mark in-interface=\
    ether3-WAN-2 new-connection-mark=WAN-2->ROS passthrough=\
    yes
add action=mark-routing chain=output connection-mark=WAN-1->ROS \
    new-routing-mark=1_Route passthrough=yes
add action=mark-routing chain=output connection-mark=WAN-2->ROS \
    new-routing-mark=2_Route passthrough=yes
add action=mark-connection chain=forward connection-mark=no-mark \
    in-interface=ether1-WAN-1 new-connection-mark=WAN-1->LANs passthrough=\
    yes
add action=mark-connection chain=forward connection-mark=no-mark \
    in-interface=ether3-WAN-2 new-connection-mark=WAN-2->LANs \
    passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN-1->LANs \
    new-routing-mark=1_Route passthrough=yes src-address-list=LAN
add action=mark-routing chain=prerouting connection-mark=WAN-2->LANs \
    new-routing-mark=2_Route passthrough=yes src-address-list=LAN
add action=mark-connection chain=prerouting connection-mark=LAN->WAN \
    new-connection-mark=Sticky_1 passthrough=yes routing-mark=1_Route
add action=mark-connection chain=prerouting connection-mark=LAN->WAN \
    new-connection-mark=Sticky_2 passthrough=yes routing-mark=\
    2_Route
add action=mark-routing chain=prerouting connection-mark=Sticky_1 \
    new-routing-mark=1_Route passthrough=yes src-address-list=LAN
add action=mark-routing chain=prerouting connection-mark=Sticky_2 \
    new-routing-mark=2_Route passthrough=yes src-address-list=LAN
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-list=!Connected dst-address-type=!local new-connection-mark=\
    LAN->WAN passthrough=yes src-address-list=LAN
add action=mark-routing chain=prerouting comment="Load-Balancing here" \
    connection-mark=LAN->WAN new-routing-mark=1_Route passthrough=yes \
    src-address-list=LAN
/ip firewall nat
# no interface
add action=masquerade chain=srcnat out-interface=*F0003E
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-WAN-1
add action=masquerade chain=srcnat out-interface=ether3-WAN-2
/ip route
add distance=1 gateway=91.112.40.121 routing-mark=WAN-1 scope=255
add distance=1 gateway=192.168.2.254 routing-mark=WAN-2 scope=255
add distance=1 gateway=91.112.40.121 routing-mark=1_Route
add distance=1 gateway=192.168.2.254 routing-mark=2_Route
add distance=1 gateway=91.112.40.121
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ppp secret
add name=client1 password=mypassword profile=profile-OVPN service=ovpn
/system clock
set time-zone-name=Europe/Vienna
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
cheers, Ben
 
sindy
Forum Guru
Posts: 3774
Joined: Mon Dec 04, 2017 9:19 pm

Re: Dual WAN with OpenVPN Clients - problem with LAN connections

Mon Aug 19, 2019 10:52 pm

Your mangle rule action=mark-routing chain=prerouting new-routing-mark=WAN-1 passthrough=no src-address-list=WAN-1 assigns routing-mark=WAN-1 to packets coming from OpenVPN client(s) because you've put 172.16.1.0-172.16.1.254, of which the /ip pool pool-OVPN is a subrange, to address list WAN-1. And the only route with routing-mark=WAN-1 is the default one so it matches any destination address, including the one of the LAN subnet. See this loosely related topic for more details.

Other than that, the /ip pool default used by the /ip dhcp-server attached to bridge1 doesn't match the IP subnet attached to bridge1. So I assume all hosts connected to bridge1 have manual IP configuration?
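An added Python model of the diagnosis above (example code written for this thread, not anything from the posts or from RouterOS): it replays the prerouting src-address-list marking and the per-routing-mark route lookup on the posted addresses, so an OpenVPN client's packet to a LAN host is seen leaving via the WAN-1 default route, while the same packet stays on bridge1 once the rule carries the dst-address-list=!Connected exclusion the export already uses for its LAN->WAN rule. Assumptions: the OpenVPN pool is modelled as 172.16.1.0/24 on all-ppp, "!Connected" is modelled as "destination inside a connected subnet", and RouterOS v6 falls back to main when a marked table has no matching route.

```python
import ipaddress

# Constructed model of the export posted in this thread (not RouterOS code).
CONNECTED = {"192.168.1.0/24": "bridge1", "91.112.40.120/29": "ether1-WAN-1",
             "192.168.2.0/24": "ether3-WAN-2", "172.16.1.0/24": "all-ppp"}
# Tables keyed by routing-mark. WAN-1/WAN-2 hold only a default route, as in
# the export, so a marked packet never falls through to main.
ROUTES = {"main": {**CONNECTED, "0.0.0.0/0": "91.112.40.121"},
          "WAN-1": {"0.0.0.0/0": "91.112.40.121"},
          "WAN-2": {"0.0.0.0/0": "192.168.2.254"}}

def ip_range(first, last):
    """RouterOS first-last address-list entry as a list of networks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))

ADDRESS_LISTS = {
    "WAN-1": ip_range("192.168.1.11", "192.168.1.11") + ip_range("172.16.1.0", "172.16.1.254"),
    "WAN-2": ip_range("192.168.1.1", "192.168.1.10") + ip_range("192.168.1.12", "192.168.1.253"),
}
# (src-address-list, new-routing-mark, exclude directly connected destinations)
POSTED_RULES = [("WAN-1", "WAN-1", False), ("WAN-2", "WAN-2", False)]
# Same rules with the dst-address-list=!Connected exclusion that the export
# already uses for its LAN->WAN rule, so LAN-bound packets keep the main table.
FIXED_RULES = [("WAN-1", "WAN-1", True), ("WAN-2", "WAN-2", True)]

def mangle(src, dst, rules):
    """First matching prerouting rule wins (passthrough=no); returns the mark."""
    ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    connected = any(dst_ip in ipaddress.ip_network(n) for n in CONNECTED)
    for src_list, mark, exclude_connected in rules:
        if any(ip in n for n in ADDRESS_LISTS[src_list]) and not (exclude_connected and connected):
            return mark
    return "main"

def lookup(dst, table):
    """Longest-prefix match in one table; None when nothing matches."""
    ip, best = ipaddress.ip_address(dst), None
    for prefix, nexthop in ROUTES[table].items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return (str(best[0]), best[1]) if best else None

def forward(src, dst, rules):
    """Route for a forwarded packet: marked table first, else main (RouterOS v6)."""
    return lookup(dst, mangle(src, dst, rules)) or lookup(dst, "main")
```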
 
foxit
just joined
Topic Author
Posts: 5
Joined: Fri Feb 24, 2017 5:38 pm

Re: Dual WAN with OpenVPN Clients - problem with LAN connections

Tue Aug 20, 2019 2:03 pm

Hi sindy,

thanks for looking at it. The DHCP Server for bridge1 is deactivated.
I'll look into the link you mentioned.

thanks,
Ben
