nellson
just joined
Topic Author
Posts: 1
Joined: Wed Nov 06, 2019 9:10 am

OpenVPN and routing

Wed Nov 06, 2019 9:52 pm

Hi There;

I just bought my first MikroTik RB952UI-5AC2 running 6.45.7, and I almost got everything to work, but I am having a bit of trouble with an openvpn tunnel. The layout is as follows:

Mikrotik (192.168.88.1/24) <-10.30.30.2 openvpn tunnel 10.30.30.1 -> pfsense (172.17.0.1/24)

What works!
The tunnel is up, and the routers can ping each other.
Clients from the pfsense side in (172.17.0.0/24) can ping the openvpn interface on the mikrotik (10.30.30.2).
On the mikrotik router, one can ping clients in 172.17.0.0/24, as long as it is done from the ovpn-out interface.

What does not work
Clients in 192.168.88.0/24 can ping 10.30.30.2 but not 10.30.30.1 (pfsense ovpn if)
Clients from 192.168.88.0/24 cannot ping clients in 172.17.0.0/24
On the mikrotik router from LAN if (192.168.88.1), one cannot ping 10.30.30.1 or 10.30.30.2

Mikrotik routing table
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 0.0.0.0/0 192.168.1.1 1
1 ADC 10.30.30.0/24 10.30.30.2 ovpn-out 0
2 ADS 172.17.0.0/24 10.30.30.1 1
3 ADC 192.168.1.0/24 192.168.1.7 ether1 0
4 ADC 192.168.88.0/24 192.168.88.1 bridge 0

What am I missing here? :)
 
sindy
Forum Guru
Posts: 3959
Joined: Mon Dec 04, 2017 9:19 pm

Re: OpenVPN and routing

Thu Nov 07, 2019 11:26 pm

You are missing routes at pfsense towards the 192.168.88.0/24. Be aware that it's not enough to set them in the kernel routing table (indicating the openvpn TUN interface as a gateway), but the openvpn configuration must contain routes too - the kernel routing table sends the packets to the openvpn process, but the openvpn process must route them to the proper client (assuming that the pfsense acts as a server and Mikrotik acts as a client, I haven't found this information in your post).
Mikrotik's implementation of openvpn deals with this automatically (which is unfortunately more than compensated by its drawbacks).

I didn't get the difference between the two cases below:
What does not work
Clients in 192.168.88.0/24 can ping 10.30.30.2 but not 10.30.30.1 (pfsense ovpn if)
...
On the mikrotik router from LAN if (192.168.88.1), one cannot ping 10.30.30.1 or 10.30.30.2
Did you mean, by the second one, that you ping from the Mikrotik itself but with interface=LAN? If so, that's no surprise :)
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
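Added example (not sindy's nor nellson's configuration) of what "routes in the kernel table and in the openvpn configuration" looks like on the pfsense side when pfsense is the OpenVPN server and the Mikrotik is the client. The tunnel addresses follow the thread's layout (10.30.30.1 server, 10.30.30.2 client); the client-config-dir name, the certificate CN "mikrotik-client" and the use of topology subnet are assumptions.

```conf
# --- pfsense OpenVPN server config, relevant lines only ---
dev tun
topology subnet                          # assumed; gives the client 10.30.30.2 as in the thread
server 10.30.30.0 255.255.255.0          # tunnel network from the thread, server side is 10.30.30.1

# Kernel route: packets for the Mikrotik LAN are handed to the tun interface.
# This alone is NOT enough, see iroute below.
route 192.168.88.0 255.255.255.0

# Optional: tell the client about the pfsense LAN. The Mikrotik in the thread
# already carries a static route 172.17.0.0/24 via 10.30.30.1, so this is redundant there.
push "route 172.17.0.0 255.255.255.0"

# Per-client files live here; the file name must equal the client certificate CN.
client-config-dir ccd                    # directory name assumed

# --- ccd/mikrotik-client  (CN assumed) ---
# Internal route: tells the openvpn process which connected client owns
# 192.168.88.0/24, so it can deliver those packets to that client's session.
iroute 192.168.88.0 255.255.255.0
```

In the pfsense web interface the same two entries are entered as "IPv4 Remote network(s)" on the OpenVPN server (this becomes the route line) and again as "IPv4 Remote network(s)" in a Client Specific Override for the client's CN (this becomes the iroute line). Once both exist, the third "does not work" item from the first post becomes a useful check: on the Mikrotik, ping 10.30.30.1 with src-address=192.168.88.1 rather than interface=bridge; a reply proves pfsense now has a return path for 192.168.88.0/24, a timeout means one of the two routes is still missing.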
