Community discussions

MikroTik App
 
rkrisi
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 63
Joined: Fri May 08, 2020 11:54 am

OpenVPN with VLANs

Sat May 16, 2020 6:18 pm

Dear Community!

I have a network seperated with VLANs. I wanted to enable openVPN server on this system, however I'm not able to get it working.
Currently I can connect to the server both from inside and outside of the network and I get an IP from the specified pool, but I'm not able to access the local LAN. Not even the router.
When connected, from local I'm able to ping the device connected through VPN. So it works in one direction.
The setup in brief:
I have a Bridge with VLAN filtering turned on, on this bridge you can find all of the VLAN interfaces.
I have created another bridge which I assigned as the openVPN bridge. That bridge is set as a port on the appropriate VLAN. Also I have set this bridge as an untagged port for its VLAN.
From this VLAN if I connect to it locally, I can access every VLAN on the network.

But still, it won't work and I don't know what I'm missing. Hope someone can help.
Flags: X - disabled, R - running 
 0 R name="bridge_ovpn" mtu=auto actual-mtu=1500 l2mtu=1588 arp=proxy-arp arp-timeout=auto 
     mac-address=C4:AD:34:E9:0F:AF protocol-mode=rstp fast-forward=yes igmp-snooping=no auto-mac=yes 
     ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6 vlan-filtering=no 
     dhcp-snooping=no 

 1 R name="bridge_vlan" mtu=auto actual-mtu=1500 l2mtu=1592 arp=enabled arp-timeout=auto 
     mac-address=C4:AD:34:E9:0F:AF protocol-mode=none fast-forward=yes igmp-snooping=no auto-mac=yes 
     ageing-time=5m vlan-filtering=yes ether-type=0x8100 pvid=1 frame-types=admit-all ingress-filtering=no 
     dhcp-snooping=no 
    
    Flags: * - default 
 0 * name="default" use-mpls=default use-compression=default use-encryption=default only-one=default 
     change-tcp-mss=yes use-upnp=default address-list="" on-up="" on-down="" 

 1   name="ppp_private" local-address=10.0.99.9 remote-address=dhcp_pool_ovpn bridge=bridge_ovpn use-mpls=default 
     use-compression=default use-encryption=yes only-one=default change-tcp-mss=default use-upnp=default 
     address-list="" dns-server=10.0.0.3 on-up="" on-down="" 

 2 * name="default-encryption" use-mpls=default use-compression=default use-encryption=yes only-one=default 
     change-tcp-mss=yes use-upnp=default address-list="" on-up="" on-down="" 

 
tdw
Member
Member
Posts: 367
Joined: Sat May 05, 2018 11:55 am

Re: OpenVPN with VLANs

Sat May 16, 2020 8:08 pm

Not being able to access the router itself is likely to be firewall rules. Having the same VLAN ID on different bridges will not pass that traffic between bridges, are you looking to bridge or route traffic?

Printing the bridge and PPP profile entries provides no useful information, post the output of /export hide-sensitive after redacting public IPs (if any).
 
rkrisi
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 63
Joined: Fri May 08, 2020 11:54 am

Re: OpenVPN with VLANs

Sat May 16, 2020 9:27 pm

Not being able to access the router itself is likely to be firewall rules. Having the same VLAN ID on different bridges will not pass that traffic between bridges, are you looking to bridge or route traffic?

Printing the bridge and PPP profile entries provides no useful information, post the output of /export hide-sensitive after redacting public IPs (if any).
Thanks for your help!
Hmm... I'm not sure about that. The VLAN is connected to a bridge which has all the VLANs and the other bridge is just added to one of the VLANs as a port (to vlan_ovpn). I thought that in this sense that Bridge work the same as a physical port and setting it as an access port will work.
Also I think Bridging it will be enough, because that bridge_ovpn is only needed so I could add that bridge as the Bridge of the OVPN profile. I think adding the bridge_vlan will not work, because that bridge has vlan-filtering set.

Here is my full config, hope you can help and understand how I want to achieve this. Anyway if you have a better solution on how I could attach an ovpn server to a VLAN I would gladly use that as this.

I have tried it many ways so it now may seem to complicated, but any of the changes did not help. I was not able to access anything on LAN.

Config:
/export hide-sensitive 
# may/16/2020 20:26:00 by RouterOS 6.46.6
# software id = CK9Q-MRSJ
#
# model = RB4011iGS+5HacQ2HnD
# serial number = D1460B1C119B
/interface bridge
add arp=proxy-arp name=bridge_ovpn
add name=bridge_vlan protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment=Pi-hole
set [ find default-name=ether3 ] comment=NAS
set [ find default-name=ether4 ] comment="TP-Link Switch"
set [ find default-name=ether5 ] comment=openHABian
set [ find default-name=ether9 ] comment="Guest VLAN interface"
set [ find default-name=ether10 ] poe-out=off
/interface vlan
add interface=bridge_vlan name=vlan_guest vlan-id=20
add interface=bridge_vlan name=vlan_ovpn vlan-id=99
add interface=bridge_vlan name=vlan_private vlan-id=10
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment="ISP only" name=WAN
add comment="Contains all VLANs" name=VLAN
add name=BASE
add comment="Needed for inside PATs" name=BASE+WAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk comment="Guest Profile" eap-methods="" group-key-update=1h \
    mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" group-key-update=1h management-protection=allowed mode=\
    dynamic-keys name=profile_private supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee comment="Private Wi-Fi 5GHz" \
    country=no_country_set disabled=no frequency=5260 frequency-mode=superchannel mode=ap-bridge name=wlan_atlas \
    security-profile=profile_private ssid=atlas wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=C6:AD:34:E9:0F:B9 master-interface=wlan_atlas \
    multicast-buffering=disabled name=wlan_atlas_guest ssid=atlas-Guest wds-cost-range=0 wds-default-cost=0 \
    wps-mode=disabled
set [ find default-name=wlan2 ] band=2ghz-g/n country=hungary disabled=no distance=indoors frequency=auto mode=\
    ap-bridge name=wlan_fujijama security-profile=profile_private ssid=fujijama wireless-protocol=802.11 wps-mode=\
    disabled
add disabled=no keepalive-frames=disabled mac-address=C6:AD:34:E9:0F:BA master-interface=wlan_fujijama \
    multicast-buffering=disabled name=wlan_fujijama_guest ssid=atlas-Guest wds-cost-range=0 wds-default-cost=0 \
    wps-mode=disabled
/interface wireless manual-tx-power-table
set wlan_atlas comment="Private Wi-Fi 5GHz"
/interface wireless nstreme
set wlan_atlas comment="Private Wi-Fi 5GHz"
/ip kid-control
add name="Children control"
/ip pool
add name=dhcp_pool_private ranges=10.0.0.50-10.0.0.254
add name=dhcp_pool_guest ranges=10.0.3.3-10.0.3.254
add name=dhcp_pool_ovpn ranges=10.0.99.10-10.0.99.253
/ip dhcp-server
add address-pool=dhcp_pool_private disabled=no interface=vlan_private lease-time=1d name=dhcp_private
add address-pool=dhcp_pool_guest disabled=no interface=vlan_guest lease-time=1h name=dhcp_guest
/ppp profile
add bridge=bridge_ovpn dns-server=10.0.0.3 local-address=10.0.99.9 name=ppp_private remote-address=dhcp_pool_ovpn \
    use-encryption=yes
/queue simple
add max-limit=2M/60M name="Limit Guest VLAN" target=vlan_guest
/interface bridge port
add bridge=bridge_vlan ingress-filtering=yes interface=ether2 pvid=10
add bridge=bridge_vlan interface=sfp-sfpplus1
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 \
    pvid=10
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 \
    pvid=10
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5 \
    pvid=10
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether6 \
    pvid=10
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether7 \
    pvid=10
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether8 \
    pvid=10
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether9 \
    pvid=20
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    wlan_atlas pvid=10
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    wlan_fujijama pvid=10
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    wlan_fujijama_guest pvid=20
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    wlan_atlas_guest pvid=20
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether10 \
    pvid=10
add bridge=bridge_ovpn interface=vlan_ovpn pvid=99
/ip neighbor discovery-settings
set discover-interface-list=VLAN
/interface bridge vlan
add bridge=bridge_vlan tagged=bridge_vlan untagged=\
    ether3,ether2,ether4,ether5,ether6,ether7,ether8,wlan_atlas,wlan_fujijama vlan-ids=10
add bridge=bridge_vlan tagged=bridge_vlan,ether2 untagged=ether9,wlan_fujijama_guest,wlan_atlas_guest vlan-ids=20
add bridge=bridge_vlan tagged=bridge_vlan untagged=ether10,bridge_ovpn vlan-ids=99
/interface detect-internet
set detect-interface-list=WAN lan-interface-list=BASE wan-interface-list=WAN
/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=ppp_private
/interface list member
add interface=ether1 list=WAN
add interface=vlan_ovpn list=VLAN
add interface=vlan_private list=VLAN
add interface=vlan_guest list=VLAN
add interface=vlan_ovpn list=BASE
add interface=vlan_private list=BASE
add interface=ether1 list=BASE+WAN
add interface=vlan_private list=BASE+WAN
add interface=vlan_ovpn list=BASE+WAN
/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes256 default-profile=ppp_private enabled=yes require-client-certificate=\
    yes
/ip address
add address=10.0.99.2/24 interface=vlan_ovpn network=10.0.99.0
add address=10.0.0.2/24 interface=vlan_private network=10.0.0.0
add address=10.0.3.2/24 interface=vlan_guest network=10.0.3.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.3 gateway=10.0.0.2
add address=10.0.3.0/24 dns-server=10.0.0.3 gateway=10.0.3.2
add address=10.0.99.0/24 dns-server=8.8.8.8 gateway=10.0.99.1
/ip dns
set allow-remote-requests=yes servers=9.9.9.9
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="Allow OpenVPN" dst-port=1194 protocol=tcp
add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=input comment="Allow VLAN_HOME Full Access" in-interface-list=BASE
add action=drop chain=input comment=Drop connection-state=""
add action=accept chain=forward comment="Accept port forwards" connection-nat-state=dstnat connection-state=new
add action=fasttrack-connection chain=forward comment="Allow Fasttrack" connection-state=established,related
add action=accept chain=forward comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=forward comment="Access Pi-hole DNS from VLANs UDP" dst-address=10.0.0.3 dst-port=53 \
    in-interface-list=VLAN protocol=udp
add action=accept chain=forward comment="Access Pi-hole DNS from VLANs TCP" dst-address=10.0.0.3 dst-port=53 \
    in-interface-list=VLAN protocol=tcp
add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLAN \
    out-interface-list=WAN
add action=drop chain=forward comment=Drop connection-state=""
/ip firewall nat
add action=masquerade chain=srcnat comment="Allow internal access to servers using router's external IP addresses" \
    dst-address=10.0.0.0/24 src-address=10.0.0.0/24
add action=masquerade chain=srcnat comment=masquerade ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=NAS dst-port=18022 in-interface-list=BASE+WAN protocol=tcp to-addresses=\
    10.0.0.252 to-ports=22
add action=dst-nat chain=dstnat comment="Transmission Web Interface" dst-port=19091 in-interface-list=BASE+WAN \
    protocol=tcp to-addresses=10.0.0.252 to-ports=9091
add action=dst-nat chain=dstnat comment=Transmission dst-port=49850 in-interface-list=BASE+WAN protocol=tcp \
    to-addresses=10.0.0.252 to-ports=49850
add action=dst-nat chain=dstnat comment=HTTPS dst-port=61443 in-interface-list=BASE+WAN protocol=tcp to-addresses=\
    10.0.0.252 to-ports=443
add action=dst-nat chain=dstnat comment=Lighttpd dst-port=61081 in-interface-list=BASE+WAN protocol=tcp \
    to-addresses=10.0.0.252 to-ports=8080
add action=dst-nat chain=dstnat comment="OH  link" dst-port=61082 in-interface-list=BASE+WAN protocol=tcp \
    to-addresses=10.0.0.252 to-ports=8081
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip ssh
set always-allow-password-login=yes
/ip upnp
set enabled=yes
/ppp secret
add name=kristof profile=ppp_private service=ovpn
/system clock
set time-zone-name=Europe/Budapest
/system identity
set name=RB4011
/system leds
set 0 interface=vlan_private
add interface=wlan_fujijama leds="wlan_fujijama_signal1-led,wlan_fujijama_signal2-led,wlan_fujijama_signal3-led,wla\
    n_fujijama_signal4-led,wlan_fujijama_signal5-led" type=wireless-signal-strength
add interface=wlan_fujijama leds=wlan_fujijama_tx-led type=interface-transmit
add interface=wlan_fujijama leds=wlan_fujijama_rx-led type=interface-receive
/system ntp client
set enabled=yes server-dns-names=0.hu.pool.ntp.org,1.hu.pool.ntp.org,2.hu.pool.ntp.org,3.hu.pool.ntp.org
/tool graphing interface
add allow-address=10.0.0.0/24
/tool graphing resource
add allow-address=10.0.0.0/24
add allow-address=10.0.99.0/24
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE
Thanks for your help!
 
tdw
Member
Member
Posts: 367
Joined: Sat May 05, 2018 11:55 am

Re: OpenVPN with VLANs

Sat May 16, 2020 10:33 pm

The Mikrotik OpenVPN implementation is shoehorned into their PPP model, and it does not quite fit, so some of the PPP profile settings have no meaning when used with the OpenVPN server - in particular setting bridge= under /ppp profile has no effect, this is used by PPP Bridge Control Protocol (BCP) for PPP, PPTP, L2TP and PPPoE interfaces only.

/interface bridge port entries should only include real interfaces, not VLAN interfaces unless you really know what you are doing - see points 6 to 9 of https://wiki.mikrotik.com/wiki/Manual:L ... figuration.
/interface bridge vlan entries only work for ports attached to the specified bridge.

Your OpenVPN server is configured in IP (tun) mode, not ethernet (tap), so having a local bridge with an IP address and DHCP server is unnecessary - the local address and remote addresses of the IP tunnel come directly from the PPP profile.

When your client connects you will see an interface <ovpn-kristof> appear - your traffic initially passes through this, not any VLAN or bridge, so needs to be permitted by the firewall rules. You could use either a static server binding to give an interface name which can be added to interface lists, or use the address-list= interface-list= option under /ppp profile to dynamically add and remove the interface from a list - you can only have one list, but this list could be included in multiple lists if required.

Edit: fixed typo with list type.
Last edited by tdw on Sun May 17, 2020 2:02 am, edited 1 time in total.
 
rkrisi
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 63
Joined: Fri May 08, 2020 11:54 am

Re: OpenVPN with VLANs

Sun May 17, 2020 1:00 am

The Mikrotik OpenVPN implementation is shoehorned into their PPP model, and it does not quite fit, so some of the PPP profile settings have no meaning when used with the OpenVPN server - in particular setting bridge= under /ppp profile has no effect, this is used by PPP Bridge Control Protocol (BCP) for PPP, PPTP, L2TP and PPPoE interfaces only.

/interface bridge port entries should only include real interfaces, not VLAN interfaces unless you really know what you are doing - see points 6 to 9 of https://wiki.mikrotik.com/wiki/Manual:L ... figuration.
/interface bridge vlan entries only work for ports attached to the specified bridge.

Your OpenVPN server is configured in IP (tun) mode, not ethernet (tap), so having a local bridge with an IP address and DHCP server is unnecessary - the local address and remote addresses of the IP tunnel come directly from the PPP profile.

When your client connects you will see an interface <ovpn-kristof> appear - your traffic initially passes through this, not any VLAN or bridge, so needs to be permitted by the firewall rules. You could use either a static server binding to give an interface name which can be added to interface lists, or use the address-list= option under /ppp profile to dynamically add and remove the interface from a list - you can only have one list, but this list could be included in multiple lists if required.
Ok thanks for clearing this up for me. Now I can access the 10.0.99.0/24 subnet from which the address is given to the interface, but not other subnets, though I have created an address list with 10.0.0.0/16 and added it under the /ppp profile address-list option. Should I need to do anything else for it to work or I still don't really understand how this works?!
I want to achieve to access all subnets in 10.0.0.0/16.

Also what I can't understand even from your post, is the local and remote address in the /ppp profile setting.
If I understand it right, I can link multiple /ppp secrets to a profile, so multiple users can use the VPN with different username/password. Or not? Anyway I still have to set the local address/remote address at the profile settings. What is the best approach here? I thought the best is to set a pool for the local and remote also so it can assign multiple IPs.
 
tdw
Member
Member
Posts: 367
Joined: Sat May 05, 2018 11:55 am

Re: OpenVPN with VLANs

Sun May 17, 2020 1:59 am

Ok thanks for clearing this up for me. Now I can access the 10.0.99.0/24 subnet from which the address is given to the interface, but not other subnets, though I have created an address list with 10.0.0.0/16 and added it under the /ppp profile address-list option. Should I need to do anything else for it to work or I still don't really understand how this works?!
I want to achieve to access all subnets in 10.0.0.0/16.
A typo in my previous post, I should have said interface-list= rather than address-list= as you can't include and address list in an interface list.

Are you using split-tunneling i.e. is only some of the client traffic (to your 10.x.x.x addresses) being sent via the VPN tunnel? If so the route created by the VPN client is /24, i.e. 10.0.99.0/24 - you can either add static routes to the client OVPN configuration file, or change netmask= under /interface ovpn-server server

Also what I can't understand even from your post, is the local and remote address in the /ppp profile setting.
If I understand it right, I can link multiple /ppp secrets to a profile, so multiple users can use the VPN with different username/password. Or not? Anyway I still have to set the local address/remote address at the profile settings. What is the best approach here? I thought the best is to set a pool for the local and remote also so it can assign multiple IPs.
Yes, the profile local and remote address is used as the server and client end of the IP tunnel respectively. If you specify a pool for the remote address the client is assigned an address from that pool. It is possible to override the profile settings by setting a local or remote address in individual PPP secrets if desired.

The latest /export hide-sensitive may be worthwhile.
 
rkrisi
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 63
Joined: Fri May 08, 2020 11:54 am

Re: OpenVPN with VLANs

Sun May 17, 2020 3:10 am

Ok thanks for clearing this up for me. Now I can access the 10.0.99.0/24 subnet from which the address is given to the interface, but not other subnets, though I have created an address list with 10.0.0.0/16 and added it under the /ppp profile address-list option. Should I need to do anything else for it to work or I still don't really understand how this works?!
I want to achieve to access all subnets in 10.0.0.0/16.
A typo in my previous post, I should have said interface-list= rather than address-list= as you can't include and address list in an interface list.

Are you using split-tunneling i.e. is only some of the client traffic (to your 10.x.x.x addresses) being sent via the VPN tunnel? If so the route created by the VPN client is /24, i.e. 10.0.99.0/24 - you can either add static routes to the client OVPN configuration file, or change netmask= under /interface ovpn-server server

Also what I can't understand even from your post, is the local and remote address in the /ppp profile setting.
If I understand it right, I can link multiple /ppp secrets to a profile, so multiple users can use the VPN with different username/password. Or not? Anyway I still have to set the local address/remote address at the profile settings. What is the best approach here? I thought the best is to set a pool for the local and remote also so it can assign multiple IPs.
Yes, the profile local and remote address is used as the server and client end of the IP tunnel respectively. If you specify a pool for the remote address the client is assigned an address from that pool. It is possible to override the profile settings by setting a local or remote address in individual PPP secrets if desired.

The latest /export hide-sensitive may be worthwhile.
Yes my bad also I knew that it must be interface-list. This is how I could access the router. I have added the VLAN interface-list which contains all of my VLANs, but still it won't work. Hope you can help.
Here is my current config - tried to remove everything what is not needed:
/export hide-sensitive 
# may/17/2020 02:10:39 by RouterOS 6.46.6
# software id = CK9Q-MRSJ
#
# model = RB4011iGS+5HacQ2HnD
# serial number = D1460B1C119B
/interface bridge
add name=bridge_vlan protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment=Pi-hole
set [ find default-name=ether3 ] comment=NAS
set [ find default-name=ether4 ] comment="TP-Link Switch"
set [ find default-name=ether5 ] comment=openHABian
set [ find default-name=ether9 ] comment="Guest VLAN interface"
set [ find default-name=ether10 ] comment="Management VLAN interface" poe-out=off
/interface vlan
add interface=bridge_vlan name=vlan_guest vlan-id=20
add interface=bridge_vlan name=vlan_management vlan-id=99
add interface=bridge_vlan name=vlan_private vlan-id=10
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment="ISP only" name=WAN
add comment="Contains all VLANs" name=VLAN
add name=BASE
add comment="Needed for inside PATs" name=BASE+WAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk comment="Guest Profile" eap-methods="" group-key-update=1h \
    mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" group-key-update=1h management-protection=allowed mode=\
    dynamic-keys name=profile_private supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee comment="Private Wi-Fi 5GHz" \
    country=no_country_set disabled=no frequency=5260 frequency-mode=superchannel mode=ap-bridge name=wlan_atlas \
    security-profile=profile_private ssid=atlas wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=C6:AD:34:E9:0F:B9 master-interface=wlan_atlas \
    multicast-buffering=disabled name=wlan_atlas_guest ssid=atlas-Guest wds-cost-range=0 wds-default-cost=0 \
    wps-mode=disabled
set [ find default-name=wlan2 ] band=2ghz-g/n country=hungary disabled=no distance=indoors frequency=auto mode=\
    ap-bridge name=wlan_fujijama security-profile=profile_private ssid=fujijama wireless-protocol=802.11 wps-mode=\
    disabled
add disabled=no keepalive-frames=disabled mac-address=C6:AD:34:E9:0F:BA master-interface=wlan_fujijama \
    multicast-buffering=disabled name=wlan_fujijama_guest ssid=atlas-Guest wds-cost-range=0 wds-default-cost=0 \
    wps-mode=disabled
/interface wireless manual-tx-power-table
set wlan_atlas comment="Private Wi-Fi 5GHz"
/interface wireless nstreme
set wlan_atlas comment="Private Wi-Fi 5GHz"
/ip kid-control
add name="Children control"
/ip pool
add name=dhcp_pool_private ranges=10.0.0.50-10.0.0.254
add name=dhcp_pool_guest ranges=10.0.3.3-10.0.3.254
add name=dhcp_pool_ovpn ranges=10.0.99.10-10.0.99.253
/ip dhcp-server
add address-pool=dhcp_pool_private disabled=no interface=vlan_private lease-time=1d name=dhcp_private
add address-pool=dhcp_pool_guest disabled=no interface=vlan_guest lease-time=1h name=dhcp_guest
/ppp profile
add dns-server=10.0.0.3 interface-list=VLAN local-address=10.0.99.9 name=ppp_private remote-address=dhcp_pool_ovpn \
    use-encryption=yes
/queue simple
add max-limit=2M/60M name="Limit Guest VLAN" target=vlan_guest
/interface bridge port
add bridge=bridge_vlan ingress-filtering=yes interface=ether2 pvid=10
add bridge=bridge_vlan interface=sfp-sfpplus1
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 \
    pvid=10
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 \
    pvid=10
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5 \
    pvid=10
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether6 \
    pvid=10
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether7 \
    pvid=10
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether8 \
    pvid=10
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether9 \
    pvid=20
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    wlan_atlas pvid=10
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    wlan_fujijama pvid=10
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    wlan_fujijama_guest pvid=20
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    wlan_atlas_guest pvid=20
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether10 \
    pvid=99
/ip neighbor discovery-settings
set discover-interface-list=VLAN
/interface bridge vlan
add bridge=bridge_vlan tagged=bridge_vlan untagged=\
    ether3,ether2,ether4,ether5,ether6,ether7,ether8,wlan_atlas,wlan_fujijama vlan-ids=10
add bridge=bridge_vlan tagged=bridge_vlan,ether2 untagged=ether9,wlan_fujijama_guest,wlan_atlas_guest vlan-ids=20
add bridge=bridge_vlan tagged=bridge_vlan untagged=ether10 vlan-ids=99
/interface detect-internet
set detect-interface-list=WAN lan-interface-list=BASE wan-interface-list=WAN
/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=ppp_private
/interface list member
add interface=ether1 list=WAN
add interface=vlan_management list=VLAN
add interface=vlan_private list=VLAN
add interface=vlan_guest list=VLAN
add interface=vlan_management list=BASE
add interface=vlan_private list=BASE
add interface=ether1 list=BASE+WAN
add interface=vlan_private list=BASE+WAN
add interface=vlan_management list=BASE+WAN
/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes256 default-profile=ppp_private enabled=yes require-client-certificate=\
    yes
/interface wireless access-list
add comment=COMP1 interface=wlan_atlas mac-address=08:62:66:BC:8C:BF
add comment="Kristof iPhone" interface=wlan_atlas mac-address=40:9C:28:6C:0B:F4
add comment="Kristof iPad" interface=wlan_atlas mac-address=F4:5C:89:5D:9C:1C
/ip address
add address=10.0.99.2/24 interface=vlan_management network=10.0.99.0
add address=10.0.0.2/24 interface=vlan_private network=10.0.0.0
add address=10.0.3.2/24 interface=vlan_guest network=10.0.3.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server lease
add address=10.0.0.99 mac-address=78:11:DC:55:9E:00 server=dhcp_private
add address=10.0.0.100 client-id=1:0:4:20:f0:af:64 mac-address=00:04:20:F0:AF:64 server=dhcp_private
add address=10.0.0.195 mac-address=EC:FA:BC:12:83:9F server=dhcp_private
add address=10.0.0.85 mac-address=DC:4F:22:C0:7A:BB server=dhcp_private
add address=10.0.0.84 mac-address=DC:4F:22:C0:74:57 server=dhcp_private
add address=10.0.0.83 mac-address=DC:4F:22:C0:73:5B server=dhcp_private
add address=10.0.0.59 mac-address=EC:FA:BC:86:CD:DD server=dhcp_private
add address=10.0.0.135 client-id=1:dc:a6:32:d:4b:73 mac-address=DC:A6:32:0D:4B:73 server=dhcp_private
add address=10.0.0.93 mac-address=78:11:DC:EB:54:08 server=dhcp_private
add address=10.0.0.101 mac-address=40:31:3C:D0:D9:30 server=dhcp_private
add address=10.0.0.105 mac-address=98:F4:AB:B8:64:0F server=dhcp_private
add address=10.0.0.110 mac-address=98:F4:AB:B8:6D:01 server=dhcp_private
add address=10.0.0.112 mac-address=C8:2B:96:10:AB:53 server=dhcp_private
add address=10.0.0.109 mac-address=04:CF:8C:15:BD:5E server=dhcp_private
add address=10.0.0.120 mac-address=C8:2B:96:11:4F:B4 server=dhcp_private
add address=10.0.0.87 mac-address=E4:F0:42:20:42:53 server=dhcp_private
add address=10.0.0.103 mac-address=04:CF:8C:25:61:92 server=dhcp_private
add address=10.0.0.138 mac-address=98:F4:AB:F3:43:E2 server=dhcp_private
add address=10.0.0.175 mac-address=EC:FA:BC:14:83:26 server=dhcp_private
add address=10.0.0.86 mac-address=DC:4F:22:C0:75:0A server=dhcp_private
add address=10.0.0.111 mac-address=C8:2B:96:10:AF:4F server=dhcp_private
add address=10.0.0.98 mac-address=34:CE:00:FB:DB:F3 server=dhcp_private
add address=10.0.0.53 client-id=1:50:13:95:bf:f7:dc comment=Yi-Hack mac-address=50:13:95:BF:F7:DC server=\
    dhcp_private
add address=10.0.0.3 mac-address=B8:27:EB:06:5F:0F server=dhcp_private
add address=10.0.0.131 client-id=1:8:62:66:bc:8c:bf mac-address=08:62:66:BC:8C:BF server=dhcp_private
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.3 gateway=10.0.0.2
add address=10.0.3.0/24 dns-server=10.0.0.3 gateway=10.0.3.2
add address=10.0.99.0/24 dns-server=8.8.8.8 gateway=10.0.99.1
/ip dns
set allow-remote-requests=yes servers=9.9.9.9
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="Allow OpenVPN" dst-port=1194 protocol=tcp
add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=input comment="Allow VLAN_HOME Full Access" in-interface-list=BASE
add action=drop chain=input comment=Drop connection-state=""
add action=accept chain=forward comment="Accept port forwards" connection-nat-state=dstnat connection-state=new
add action=fasttrack-connection chain=forward comment="Allow Fasttrack" connection-state=established,related
add action=accept chain=forward comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=forward comment="Access Pi-hole DNS from VLANs UDP" dst-address=10.0.0.3 dst-port=53 \
    in-interface-list=VLAN protocol=udp
add action=accept chain=forward comment="Access Pi-hole DNS from VLANs TCP" dst-address=10.0.0.3 dst-port=53 \
    in-interface-list=VLAN protocol=tcp
add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLAN \
    out-interface-list=WAN
add action=drop chain=forward comment=Drop connection-state=""
/ip firewall nat
add action=masquerade chain=srcnat comment="Allow internal access to servers using router's external IP addresses" \
    dst-address=10.0.0.0/24 src-address=10.0.0.0/24
add action=masquerade chain=srcnat comment=masquerade ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=NAS dst-port=18022 in-interface-list=BASE+WAN protocol=tcp to-addresses=\
    10.0.0.252 to-ports=22
add action=dst-nat chain=dstnat comment="Transmission Web Interface" dst-port=19091 in-interface-list=BASE+WAN \
    protocol=tcp to-addresses=10.0.0.252 to-ports=9091
add action=dst-nat chain=dstnat comment=Transmission dst-port=49850 in-interface-list=BASE+WAN protocol=tcp \
    to-addresses=10.0.0.252 to-ports=49850
add action=dst-nat chain=dstnat comment=HTTPS dst-port=61443 in-interface-list=BASE+WAN protocol=tcp to-addresses=\
    10.0.0.252 to-ports=443
add action=dst-nat chain=dstnat comment=Lighttpd dst-port=61081 in-interface-list=BASE+WAN protocol=tcp \
    to-addresses=10.0.0.252 to-ports=8080
add action=dst-nat chain=dstnat comment="OH  link" dst-port=61082 in-interface-list=BASE+WAN protocol=tcp \
    to-addresses=10.0.0.252 to-ports=8081
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip ssh
set always-allow-password-login=yes
/ip upnp
set enabled=yes
/ppp secret
add name=kristof profile=ppp_private service=ovpn
/system clock
set time-zone-name=Europe/Budapest
/system identity
set name=RB4011
/system leds
set 0 interface=vlan_private
add interface=wlan_fujijama leds="wlan_fujijama_signal1-led,wlan_fujijama_signal2-led,wlan_fujijama_signal3-led,wla\
    n_fujijama_signal4-led,wlan_fujijama_signal5-led" type=wireless-signal-strength
add interface=wlan_fujijama leds=wlan_fujijama_tx-led type=interface-transmit
add interface=wlan_fujijama leds=wlan_fujijama_rx-led type=interface-receive
/system ntp client
set enabled=yes server-dns-names=0.hu.pool.ntp.org,1.hu.pool.ntp.org,2.hu.pool.ntp.org,3.hu.pool.ntp.org
/tool e-mail
set address=smtp.gmail.com from="\"Mikrotik Router\" <radokristof12@gmail.com>" port=587 start-tls=yes user=\
    radokristof12@gmail.com
/tool graphing interface
add allow-address=10.0.0.0/24
/tool graphing resource
add allow-address=10.0.0.0/24
add allow-address=10.0.99.0/24
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE
 
sindy
Forum Guru
Forum Guru
Posts: 5099
Joined: Mon Dec 04, 2017 9:19 pm

Re: OpenVPN with VLANs

Sun May 17, 2020 10:06 am

Is the OpenVPN client another Mikrotik or a Windows/Linux machine?

You may have missed the point of what @tdw wrote - it is not enough to add the routes towards your Mikrotik LAN subnets to the routing table of the client machine's kernel, you also have to add them to the openvpn configuration file. Adding them to kernel routing table just tells the kernel to give the packets for these addresses to the openvpn process, but the openvpn process needs to know through which of its (potentially multiple) connections to send them.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
rkrisi
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 63
Joined: Fri May 08, 2020 11:54 am

Re: OpenVPN with VLANs

Sun May 17, 2020 12:45 pm

Is the OpenVPN client another Mikrotik or a Windows/Linux machine?

You may have missed the point of what @tdw wrote - it is not enough to add the routes towards your Mikrotik LAN subnets to the routing table of the client machine's kernel, you also have to add them to the openvpn configuration file. Adding them to kernel routing table just tells the kernel to give the packets for these addresses to the openvpn process, but the openvpn process needs to know through which of its (potentially multiple) connections to send them.
It is a Windows PC with the openVPN client.
Ok so if you say that this config is right on the router, I will look into the configuration file.
 
tdw
Member
Member
Posts: 367
Joined: Sat May 05, 2018 11:55 am

Re: OpenVPN with VLANs

Sun May 17, 2020 2:18 pm

Per my previous email either add routing statements to the OpenVPN client configuration file route 10.0.0.0 255.255.0.0 vpn_gateway OR change the Mikrotik VPN server
/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes256 default-profile=ppp_private enabled=yes netmask=16 require-client-certificate=yes


Other than that, as you have used overlapping IP addresses for the VPN pool and devices on the management VLAN (anything connected to ether10 with the current configuration) you should enable proxy ARP, otherwise those devices are unable to return packets to the VPN client:
/interface vlan
....
add arp=proxy-arp interface=bridge_vlan name=vlan_management vlan-id=99
....


There is a description of proxy ARP https://wiki.mikrotik.com/wiki/Manual:IP/ARP#Proxy_ARP and example https://wiki.mikrotik.com/wiki/Manual:I ... ote_Client, albeit for a PPTP VPN but the principal is the same.
 
rkrisi
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 63
Joined: Fri May 08, 2020 11:54 am

Re: OpenVPN with VLANs

Sun May 17, 2020 5:41 pm

Per my previous email either add routing statements to the OpenVPN client configuration file route 10.0.0.0 255.255.0.0 vpn_gateway OR change the Mikrotik VPN server
/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes256 default-profile=ppp_private enabled=yes netmask=16 require-client-certificate=yes


Other than that, as you have used overlapping IP addresses for the VPN pool and devices on the management VLAN (anything connected to ether10 with the current configuration) you should enable proxy ARP, otherwise those devices are unable to return packets to the VPN client:
/interface vlan
....
add arp=proxy-arp interface=bridge_vlan name=vlan_management vlan-id=99
....


There is a description of proxy ARP https://wiki.mikrotik.com/wiki/Manual:IP/ARP#Proxy_ARP and example https://wiki.mikrotik.com/wiki/Manual:I ... ote_Client, albeit for a PPTP VPN but the principal is the same.
Thanks!
I have already tried setting the netmask to 16 yesterday and enabling proxy-arp on the vlan_management VLAN but it still not working. Now I'm not even able to access the router on the 10.0.99.0/24 network (Router: 10.0.99.2)

The current config:
/export hide-sensitive 
# may/17/2020 16:41:09 by RouterOS 6.46.6
# software id = CK9Q-MRSJ
#
# model = RB4011iGS+5HacQ2HnD
# serial number = D1460B1C119B
/interface bridge
add name=bridge_vlan protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment=Pi-hole
set [ find default-name=ether3 ] comment=NAS
set [ find default-name=ether4 ] comment="TP-Link Switch"
set [ find default-name=ether5 ] comment=openHABian
set [ find default-name=ether9 ] comment="Guest VLAN interface"
set [ find default-name=ether10 ] comment="Management VLAN interface" poe-out=off
/interface vlan
add interface=bridge_vlan name=vlan_guest vlan-id=20
add arp=proxy-arp interface=bridge_vlan name=vlan_management vlan-id=99
add interface=bridge_vlan name=vlan_private vlan-id=10
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment="ISP only" name=WAN
add comment="Contains all VLANs" name=VLAN
add name=BASE
add comment="Needed for inside PATs" name=BASE+WAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk comment="Guest Profile" eap-methods="" group-key-update=1h \
    mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" group-key-update=1h management-protection=allowed mode=\
    dynamic-keys name=profile_private supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee comment="Private Wi-Fi 5GHz" \
    country=no_country_set disabled=no frequency=5260 frequency-mode=superchannel mode=ap-bridge name=wlan_atlas \
    security-profile=profile_private ssid=atlas wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=C6:AD:34:E9:0F:B9 master-interface=wlan_atlas \
    multicast-buffering=disabled name=wlan_atlas_guest ssid=atlas-Guest wds-cost-range=0 wds-default-cost=0 \
    wps-mode=disabled
set [ find default-name=wlan2 ] band=2ghz-g/n country=hungary disabled=no distance=indoors frequency=auto mode=\
    ap-bridge name=wlan_fujijama security-profile=profile_private ssid=fujijama wireless-protocol=802.11 wps-mode=\
    disabled
add disabled=no keepalive-frames=disabled mac-address=C6:AD:34:E9:0F:BA master-interface=wlan_fujijama \
    multicast-buffering=disabled name=wlan_fujijama_guest ssid=atlas-Guest wds-cost-range=0 wds-default-cost=0 \
    wps-mode=disabled
/interface wireless manual-tx-power-table
set wlan_atlas comment="Private Wi-Fi 5GHz"
/interface wireless nstreme
set wlan_atlas comment="Private Wi-Fi 5GHz"
/ip kid-control
add name="Children control"
/ip pool
add name=dhcp_pool_private ranges=10.0.0.50-10.0.0.254
add name=dhcp_pool_guest ranges=10.0.3.3-10.0.3.254
add name=dhcp_pool_ovpn ranges=10.0.99.10-10.0.99.253
/ip dhcp-server
add address-pool=dhcp_pool_private disabled=no interface=vlan_private lease-time=1d name=dhcp_private
add address-pool=dhcp_pool_guest disabled=no interface=vlan_guest lease-time=1h name=dhcp_guest
/ppp profile
add dns-server=10.0.0.3 interface-list=VLAN local-address=10.0.99.9 name=ppp_private remote-address=dhcp_pool_ovpn \
    use-encryption=yes
/queue simple
add max-limit=2M/60M name="Limit Guest VLAN" target=vlan_guest
/interface bridge port
add bridge=bridge_vlan ingress-filtering=yes interface=ether2 pvid=10
add bridge=bridge_vlan interface=sfp-sfpplus1
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 \
    pvid=10
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 \
    pvid=10
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5 \
    pvid=10
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether6 \
    pvid=10
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether7 \
    pvid=10
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether8 \
    pvid=10
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether9 \
    pvid=20
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    wlan_atlas pvid=10
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    wlan_fujijama pvid=10
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    wlan_fujijama_guest pvid=20
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    wlan_atlas_guest pvid=20
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether10 \
    pvid=99
/ip neighbor discovery-settings
set discover-interface-list=VLAN
/interface bridge vlan
add bridge=bridge_vlan tagged=bridge_vlan untagged=\
    ether3,ether2,ether4,ether5,ether6,ether7,ether8,wlan_atlas,wlan_fujijama vlan-ids=10
add bridge=bridge_vlan tagged=bridge_vlan,ether2 untagged=ether9,wlan_fujijama_guest,wlan_atlas_guest vlan-ids=20
add bridge=bridge_vlan tagged=bridge_vlan untagged=ether10 vlan-ids=99
/interface detect-internet
set detect-interface-list=WAN lan-interface-list=BASE wan-interface-list=WAN
/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=ppp_private
/interface list member
add interface=ether1 list=WAN
add interface=vlan_management list=VLAN
add interface=vlan_private list=VLAN
add interface=vlan_guest list=VLAN
add interface=vlan_management list=BASE
add interface=vlan_private list=BASE
add interface=ether1 list=BASE+WAN
add interface=vlan_private list=BASE+WAN
add interface=vlan_management list=BASE+WAN
/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes256 default-profile=ppp_private enabled=yes netmask=16 \
    require-client-certificate=yes
/interface wireless access-list
add comment=COMP1 interface=wlan_atlas mac-address=08:62:66:BC:8C:BF
add comment="Kristof iPhone" interface=wlan_atlas mac-address=40:9C:28:6C:0B:F4
add comment="Kristof iPad" interface=wlan_atlas mac-address=F4:5C:89:5D:9C:1C
/ip address
add address=10.0.99.2/24 interface=vlan_management network=10.0.99.0
add address=10.0.0.2/24 interface=vlan_private network=10.0.0.0
add address=10.0.3.2/24 interface=vlan_guest network=10.0.3.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server lease
add address=10.0.0.99 mac-address=78:11:DC:55:9E:00 server=dhcp_private
add address=10.0.0.100 client-id=1:0:4:20:f0:af:64 mac-address=00:04:20:F0:AF:64 server=dhcp_private
add address=10.0.0.195 mac-address=EC:FA:BC:12:83:9F server=dhcp_private
add address=10.0.0.85 mac-address=DC:4F:22:C0:7A:BB server=dhcp_private
add address=10.0.0.84 mac-address=DC:4F:22:C0:74:57 server=dhcp_private
add address=10.0.0.83 mac-address=DC:4F:22:C0:73:5B server=dhcp_private
add address=10.0.0.59 mac-address=EC:FA:BC:86:CD:DD server=dhcp_private
add address=10.0.0.135 client-id=1:dc:a6:32:d:4b:73 mac-address=DC:A6:32:0D:4B:73 server=dhcp_private
add address=10.0.0.93 mac-address=78:11:DC:EB:54:08 server=dhcp_private
add address=10.0.0.101 mac-address=40:31:3C:D0:D9:30 server=dhcp_private
add address=10.0.0.105 mac-address=98:F4:AB:B8:64:0F server=dhcp_private
add address=10.0.0.110 mac-address=98:F4:AB:B8:6D:01 server=dhcp_private
add address=10.0.0.112 mac-address=C8:2B:96:10:AB:53 server=dhcp_private
add address=10.0.0.109 mac-address=04:CF:8C:15:BD:5E server=dhcp_private
add address=10.0.0.120 mac-address=C8:2B:96:11:4F:B4 server=dhcp_private
add address=10.0.0.87 mac-address=E4:F0:42:20:42:53 server=dhcp_private
add address=10.0.0.103 mac-address=04:CF:8C:25:61:92 server=dhcp_private
add address=10.0.0.138 mac-address=98:F4:AB:F3:43:E2 server=dhcp_private
add address=10.0.0.175 mac-address=EC:FA:BC:14:83:26 server=dhcp_private
add address=10.0.0.86 mac-address=DC:4F:22:C0:75:0A server=dhcp_private
add address=10.0.0.111 mac-address=C8:2B:96:10:AF:4F server=dhcp_private
add address=10.0.0.98 mac-address=34:CE:00:FB:DB:F3 server=dhcp_private
add address=10.0.0.53 client-id=1:50:13:95:bf:f7:dc comment=Yi-Hack mac-address=50:13:95:BF:F7:DC server=\
    dhcp_private
add address=10.0.0.3 mac-address=B8:27:EB:06:5F:0F server=dhcp_private
add address=10.0.0.131 client-id=1:8:62:66:bc:8c:bf mac-address=08:62:66:BC:8C:BF server=dhcp_private
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.3 gateway=10.0.0.2
add address=10.0.3.0/24 dns-server=10.0.0.3 gateway=10.0.3.2
add address=10.0.99.0/24 dns-server=8.8.8.8 gateway=10.0.99.1
/ip dns
set allow-remote-requests=yes servers=9.9.9.9
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="Allow OpenVPN" dst-port=1194 protocol=tcp
add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=input comment="Allow VLAN_HOME Full Access" in-interface-list=BASE
add action=drop chain=input comment=Drop connection-state=""
add action=accept chain=forward comment="Accept port forwards" connection-nat-state=dstnat connection-state=new
add action=fasttrack-connection chain=forward comment="Allow Fasttrack" connection-state=established,related
add action=accept chain=forward comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=forward comment="Access Pi-hole DNS from VLANs UDP" dst-address=10.0.0.3 dst-port=53 \
    in-interface-list=VLAN protocol=udp
add action=accept chain=forward comment="Access Pi-hole DNS from VLANs TCP" dst-address=10.0.0.3 dst-port=53 \
    in-interface-list=VLAN protocol=tcp
add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLAN \
    out-interface-list=WAN
add action=drop chain=forward comment=Drop connection-state=""
/ip firewall nat
add action=masquerade chain=srcnat comment="Allow internal access to servers using router's external IP addresses" \
    dst-address=10.0.0.0/24 src-address=10.0.0.0/24
add action=masquerade chain=srcnat comment=masquerade ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=NAS dst-port=18022 in-interface-list=BASE+WAN protocol=tcp to-addresses=\
    10.0.0.252 to-ports=22
add action=dst-nat chain=dstnat comment="Transmission Web Interface" dst-port=19091 in-interface-list=BASE+WAN \
    protocol=tcp to-addresses=10.0.0.252 to-ports=9091
add action=dst-nat chain=dstnat comment=Transmission dst-port=49850 in-interface-list=BASE+WAN protocol=tcp \
    to-addresses=10.0.0.252 to-ports=49850
add action=dst-nat chain=dstnat comment=HTTPS dst-port=61443 in-interface-list=BASE+WAN protocol=tcp to-addresses=\
    10.0.0.252 to-ports=443
add action=dst-nat chain=dstnat comment=Lighttpd dst-port=61081 in-interface-list=BASE+WAN protocol=tcp \
    to-addresses=10.0.0.252 to-ports=8080
add action=dst-nat chain=dstnat comment="OH  link" dst-port=61082 in-interface-list=BASE+WAN protocol=tcp \
    to-addresses=10.0.0.252 to-ports=8081
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip ssh
set always-allow-password-login=yes
/ip upnp
set enabled=yes
/ppp secret
add name=kristof profile=ppp_private service=ovpn
/system clock
set time-zone-name=Europe/Budapest
/system identity
set name=RB4011
/system leds
set 0 interface=vlan_private
add interface=wlan_fujijama leds="wlan_fujijama_signal1-led,wlan_fujijama_signal2-led,wlan_fujijama_signal3-led,wla\
    n_fujijama_signal4-led,wlan_fujijama_signal5-led" type=wireless-signal-strength
add interface=wlan_fujijama leds=wlan_fujijama_tx-led type=interface-transmit
add interface=wlan_fujijama leds=wlan_fujijama_rx-led type=interface-receive
/system ntp client
set enabled=yes server-dns-names=0.hu.pool.ntp.org,1.hu.pool.ntp.org,2.hu.pool.ntp.org,3.hu.pool.ntp.org
/tool e-mail
set address=smtp.gmail.com from="\"Mikrotik Router\" <radokristof12@gmail.com>" port=587 start-tls=yes user=\
    radokristof12@gmail.com
/tool graphing interface
add allow-address=10.0.0.0/24
/tool graphing resource
add allow-address=10.0.0.0/24
add allow-address=10.0.99.0/24
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE
 
tdw
Member
Member
Posts: 367
Joined: Sat May 05, 2018 11:55 am

Re: OpenVPN with VLANs

Mon May 18, 2020 11:31 pm

Nothing immediately jumps out. Is the Open VPN client connecting from an address within the IP range you are trying to tunnel? I've never tried it myself to see if handles this situation.

Also, IIRC there have been comments about /internet detect-internet causing odd behaviour so it may be worth removing it as you set list membership manually in any case.
 
rkrisi
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 63
Joined: Fri May 08, 2020 11:54 am

Re: OpenVPN with VLANs

Tue May 19, 2020 2:00 am

Nothing immediately jumps out. Is the Open VPN client connecting from an address within the IP range you are trying to tunnel? I've never tried it myself to see if handles this situation.

Also, IIRC there have been comments about /internet detect-internet causing odd behaviour so it may be worth removing it as you set list membership manually in any case.
Thanks. I will try to remove the internet detect feature.
I don't know what is causing the problem. Tried different setups.
I might not understand your question, but if this is the question: The remote client has an IP address from a completely different subnet (172.XX...).

What I might try and I would like it to configure this way: openVPN should use a different subnet for connections (like 10.0.98.0/24). This could eliminate a lot of problem as I get it from your answers or what is the "standard" way to go with VPN?
I wanted to try out this, but I did not know how to get this working. I want to specify a pool of IP addresses because multiple users will use this profile. However if I want to specify a IP Pool, an interface is also required... How can I overcome this?

Thank you!
 
tdw
Member
Member
Posts: 367
Joined: Sat May 05, 2018 11:55 am

Re: OpenVPN with VLANs

Wed May 20, 2020 2:28 am

I don't know what is causing the problem. Tried different setups.
It is odd that you got to a point where you had some connectivity and then lost it.

I might not understand your question, but if this is the question: The remote client has an IP address from a completely different subnet (172.XX...).
Yes, that was the question. If the address spaces overlap there can be issues ensuring the outer tunnel traffic is sent directly and the inner tunnel traffic is sent in the tunnel.

What I might try and I would like it to configure this way: openVPN should use a different subnet for connections (like 10.0.98.0/24). This could eliminate a lot of problem as I get it from your answers or what is the "standard" way to go with VPN?
Using a different subnet (really a different range of IP addresses) would be preferable, it does not require using proxy ARP.

I wanted to try out this, but I did not know how to get this working. I want to specify a pool of IP addresses because multiple users will use this profile. However if I want to specify a IP Pool, an interface is also required... How can I overcome this?
The pool of IP addresses is referenced by the PPP profile, not interface. The Open VPN server uses the information from the profile to allocate an address and dynamic route. Even if the same PPP user connects more than once it works - the first interface is <ovpn-someuser>, the subsequent one <ovpn-someuser-1>, and so on.
 
rkrisi
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 63
Joined: Fri May 08, 2020 11:54 am

Re: OpenVPN with VLANs

Thu May 21, 2020 6:27 pm

I don't know what is causing the problem. Tried different setups.
It is odd that you got to a point where you had some connectivity and then lost it.

I might not understand your question, but if this is the question: The remote client has an IP address from a completely different subnet (172.XX...).
Yes, that was the question. If the address spaces overlap there can be issues ensuring the outer tunnel traffic is sent directly and the inner tunnel traffic is sent in the tunnel.

What I might try and I would like it to configure this way: openVPN should use a different subnet for connections (like 10.0.98.0/24). This could eliminate a lot of problem as I get it from your answers or what is the "standard" way to go with VPN?
Using a different subnet (really a different range of IP addresses) would be preferable, it does not require using proxy ARP.

I wanted to try out this, but I did not know how to get this working. I want to specify a pool of IP addresses because multiple users will use this profile. However if I want to specify a IP Pool, an interface is also required... How can I overcome this?
The pool of IP addresses is referenced by the PPP profile, not interface. The Open VPN server uses the information from the profile to allocate an address and dynamic route. Even if the same PPP user connects more than once it works - the first interface is <ovpn-someuser>, the subsequent one <ovpn-someuser-1>, and so on.
Thanks! Yes that's what I want to achieve. I know that I should set the IP pool in the Profile not on the interface, but I don't know how I could set an unique IP pool for the PPP profile.
For example entering 10.0.98.0/24 in local address will not work, because it wants 1 address there. That's why I tried to create a an IP Pool under /ip pool for the PPP profile, but to create an IP pool I need to specify an Interface there... I'm confused here.
 
tdw
Member
Member
Posts: 367
Joined: Sat May 05, 2018 11:55 am

Re: OpenVPN with VLANs

Thu May 21, 2020 7:58 pm

There is nowhere to enter an interface in /ip pool - just a pool name, addresses and an optional next pool. So, based on your config, something along the lines of:

/ip pool
add name=pool_ovpn ranges=10.0.98.10-10.0.98.254
...

/ppp profile
add dns-server=10.0.0.3 interface-list=VLAN local-address=10.0.98.2 name=ppp_private remote-address=pool_ovpn use-encryption=yes



As an aside, I've not checked if the DNS server setting is pushed to Open VPN clients, or not, by the Mikrotik server implementation.
 
rkrisi
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 63
Joined: Fri May 08, 2020 11:54 am

Re: OpenVPN with VLANs

Thu May 21, 2020 8:10 pm

There is nowhere to enter an interface in /ip pool - just a pool name, addresses and an optional next pool. So, based on your config, something along the lines of:

/ip pool
add name=pool_ovpn ranges=10.0.98.10-10.0.98.254
...

/ppp profile
add dns-server=10.0.0.3 interface-list=VLAN local-address=10.0.98.2 name=ppp_private remote-address=pool_ovpn use-encryption=yes



As an aside, I've not checked if the DNS server setting is pushed to Open VPN clients, or not, by the Mikrotik server implementation.
You are right! I don't know what I was looking at then...
Anyway why I should set the pool only to the remote address? What will happen if 2 user wants to connect through this profile and only that one local address is already used by another user?!
Or I assume wrong and the local address is the local one on the client? And the remote address is the address on the LAN (where ovpn server is running?).
 
rkrisi
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 63
Joined: Fri May 08, 2020 11:54 am

Re: OpenVPN with VLANs

Thu May 21, 2020 8:18 pm

I have set everything, different pool for ovpn, removed DNS server as well.

Connected, got an IP from the specified pool. However now even when I try to ping a local device from remote device, it does not respond.
The other way, from local to remote works... I might think that vlan filtering has to do something with this. It might not be that it won't accept the packets sent by the ovpn server binding because I have vlan filtering? And I suspect that it does not tag the packets automatically with vlan tags...
It looks like there is no route between the the ovpn subnet and the other subnets...
 
tdw
Member
Member
Posts: 367
Joined: Sat May 05, 2018 11:55 am

Re: OpenVPN with VLANs

Thu May 21, 2020 8:52 pm

Local is server, remote is client. For point-to-point interfaces you can have the same local address on multiple interfaces.

VLANs are not the issue, they only have significance for layer 2 ethernet. IP routes are automatically added to the routing table (/ip route print or Winbox, IP > Routes), only firewall rules will prevent the traffic being forwarded - is the dynamic Open VPN interface being added to the address list?
 
rkrisi
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 63
Joined: Fri May 08, 2020 11:54 am

Re: OpenVPN with VLANs

Thu May 21, 2020 9:14 pm

Local is server, remote is client. For point-to-point interfaces you can have the same local address on multiple interfaces.

VLANs are not the issue, they only have significance for layer 2 ethernet. IP routes are automatically added to the routing table (/ip route print or Winbox, IP > Routes), only firewall rules will prevent the traffic being forwarded - is the dynamic Open VPN interface being added to the address list?
No I haven't changed anything regarding firewall. That's possible that I don't have the rules needed for openvpn and also that would explain why it only works for egress traffic.
The only rule I have for ovpn is this:
 1    ;;; Allow OpenVPN
      chain=input action=accept protocol=tcp dst-port=1194 log=no log-prefix="" 
How could I add it to the address list?
I have added a static ovpn server binding for my username but it still creates the dynamic interface and I don't know what rule is needed for this.
 
tdw
Member
Member
Posts: 367
Joined: Sat May 05, 2018 11:55 am

Re: OpenVPN with VLANs

Thu May 21, 2020 11:48 pm

That rule is for the outer tunnel, not the inner tunnelled traffic.

As discussed in post #4 with having firewall rules referring to the lists 'BASE', 'VLAN', 'BASE+VLAN' the open VPN server interface has to be added to these if you wish the VPN traffic to use the rules. Having interface-list=VLAN in the PPP profile will add the interface to the 'VLAN' interface list only, not being in the 'BASE' interface list the VPN client has no access to the Mikrotik as you permit established/related, anything in the 'BASE' interface list and drop everything else.
 
rkrisi
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 63
Joined: Fri May 08, 2020 11:54 am

Re: OpenVPN with VLANs

Fri May 22, 2020 12:03 am

That rule is for the outer tunnel, not the inner tunnelled traffic.

As discussed in post #4 with having firewall rules referring to the lists 'BASE', 'VLAN', 'BASE+VLAN' the open VPN server interface has to be added to these if you wish the VPN traffic to use the rules. Having interface-list=VLAN in the PPP profile will add the interface to the 'VLAN' interface list only, not being in the 'BASE' interface list the VPN client has no access to the Mikrotik as you permit established/related, anything in the 'BASE' interface list and drop everything else.
Yes you are right! I forgot to add them. However I have tried adding the ovpn server binding to all of the interface lists (BASE, BASE+WAN, VLAN) and I was able to access the router on 10.0.0.2 but nothing else on the network.
I was able to create a static interface, I didn't know why it was not working before, same as before I just entered the username... Now it works.
Added it to all of the interface lists, still no success, I can only access and ping the router (10.0.0.2)
 
tdw
Member
Member
Posts: 367
Joined: Sat May 05, 2018 11:55 am

Re: OpenVPN with VLANs

Fri May 22, 2020 12:41 am

You can only have one server binding per username - if the same username is used more than once you end up with the server binding plus additional dynamic interfaces <ovpn-someuser-1>, <ovpn-someuser-2>, etc.

If a connection is interrupted you can end up with the user connected via a dynamic interface if they reconnect before the old connection times out, it is possible to limit the number of connections to prevent this.

I thought lists could contain other lists, but this appears not to be the case. You can either use server bindings manually added to all of the required lists (specifying an interface list in the PPP profile is not required in this case), or rationalise the bulk of the firewall rules to use a single list and use specify this list in the PPP profile instead of using server bindings.
 
rkrisi
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 63
Joined: Fri May 08, 2020 11:54 am

Re: OpenVPN with VLANs

Fri May 22, 2020 2:38 am

You can only have one server binding per username - if the same username is used more than once you end up with the server binding plus additional dynamic interfaces <ovpn-someuser-1>, <ovpn-someuser-2>, etc.

If a connection is interrupted you can end up with the user connected via a dynamic interface if they reconnect before the old connection times out, it is possible to limit the number of connections to prevent this.

I thought lists could contain other lists, but this appears not to be the case. You can either use server bindings manually added to all of the required lists (specifying an interface list in the PPP profile is not required in this case), or rationalise the bulk of the firewall rules to use a single list and use specify this list in the PPP profile instead of using server bindings.
That's what I did.
Made a static ovpn server binding, verified that now that is the one used by my connection and added that interface to all of the available lists (just to make sure first that nothing blocks).
It works from all of my device, it gets a correct IP, connects normally, but I can only access the router. Typing in one of the local addresses or pinging them, none of them are available..
 
rkrisi
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 63
Joined: Fri May 08, 2020 11:54 am

Re: OpenVPN with VLANs

Sat May 23, 2020 12:23 am

Finally I was able to get this working.
Basically I needed to add a firewall rule that explicitly says to forward packets originated from the BASE interface (this is where I added the ovpn bindings).
Now everything works as it should.

Thanks for your help!

Who is online

Users browsing this forum: Google [Bot], Jacka, markos222, mtgate, pe1chl, roe1974, td32 and 146 guests