rafaelwzs
just joined
Topic Author
Posts: 9
Joined: Wed Sep 30, 2020 9:48 pm

Help with OVPN and pfSense

Wed Sep 30, 2020 10:09 pm

Hello.

I'm new to Mikrotik and I need to perform site-to-site VPN.
I configured pfSense as an OpenVPN server running on the matrix.

The VPN is active. In the subnet next to the Mikrotik I can access all the services of the matrix, but from the matrix, I cannot access any IP of the subnet after Mikrotik.

I believe it is some rule of Mikrotik, but I am not able to configure.

Some help?

Route
[admin@MikroTik] > ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          192.168.1.1               1
 1 A S                          172.18.1.1                1
 2 ADC         10.2.26.1       bridge                    0
 3 ADC  172.18.1.0/24      172.18.1.2      ovpn-out1                 0
 4 ADC  192.168.1.0/24     192.168.1.2     ether1                    0


[admin@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic 
 0 X  chain=srcnat action=accept src-address=10.0.0.0/15 dst-address=10.2.26.0/24 log=no log-prefix="" 
 1 X  chain=srcnat action=accept src-address=10.2.26.0/24 dst-address=10.0.0.0/15 log=no log-prefix="" 
 2    chain=srcnat action=masquerade log=no log-prefix="" 
 3    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN log=yes log-prefix="masquerade " ipsec-policy=out,none 
 4 X  chain=srcnat action=accept log=yes log-prefix="nat "
Last edited by rafaelwzs on Mon Oct 05, 2020 4:52 am, edited 1 time in total.
 
sindy
Forum Guru
Posts: 6262
Joined: Mon Dec 04, 2017 9:19 pm

Re: Help with OVPN and pfSense

Fri Oct 02, 2020 12:13 am

Follow the hint in my automatic signature right below. The few bits of information you've posted are insufficient for any analysis. Also, does "the subnet next to the Mikrotik" mean the same as "the subnet after Mikrotik"?

But with some qualified guess: a common mistake is that people forget to tell the OpenVPN server through which client to route traffic to which subnets. See this post for details. As you have disabled the rules excluding the inter-site traffic from getting masqueraded, whatever is sent from 10.2.26.0/24 via the OpenVPN tunnel gets src-nated to 172.18.1.2, which is the address assigned by the OpenVPN server to the Mikrotik, so the server sends the responses to this address and Mikrotik un-src-nats them and forwards them to the actual destination. For connections initiated in the opposite direction (client/initiator in matrix and server/responder in Mikrotik's LAN), this does not work and the initial packets of these connections never reach the Mikrotik for the reason explained above.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
rafaelwzs
just joined
Topic Author
Posts: 9
Joined: Wed Sep 30, 2020 9:48 pm

Re: Help with OVPN and pfSense

Fri Oct 02, 2020 12:41 am

Company =
pfSense = 172.18.1.1
Mikrotik = 172.18.1.2
Branch =

Everything that leaves the branch () goes to the company (); NAT is working.
Not the opposite.

So should I create a PREROUTING rule in Mikrotik?

Thank you.
Last edited by rafaelwzs on Mon Oct 05, 2020 4:51 am, edited 1 time in total.
 
sindy
Forum Guru
Posts: 6262
Joined: Mon Dec 04, 2017 9:19 pm

Re: Help with OVPN and pfSense

Fri Oct 02, 2020 9:14 am

  1. a listing of subnets is not a configuration export. Some of the NAT rules you've listed seemed to be random shots so without the complete picture it is impossible to suggest anything.
  2. any prerouting rule in Mikrotik cannot help if the issue eventually is at the pfSense side (as I suspect). Can you post your openvpn client configuration file for the Mikrotik client as set at the pfSense side?
  3. please have a look at what connection tracking in ipfilter (iptables) is and how it is related to NAT.
 
rafaelwzs
just joined
Topic Author
Posts: 9
Joined: Wed Sep 30, 2020 9:48 pm

Re: Help with OVPN and pfSense

Fri Oct 02, 2020 2:54 pm

The settings I use in pfSense are:

Server mode: peer to peer (SSL / TLS)
Protocol: TCP
Device mode: tun
Interface: ITD
Local port: 24100
TLS authentication: NO
Peer certification authority: vpn-tunnel-ca
Server certificate: vpn-tunnel
Encryption algorithm: BF-CBC (128 bits)
Auth Digest Algorithm: SHA1 (160 bits)
IPv4 tunnel network: IP_TUNNEL
Local IPv4 network (s): LAN_COMPANY
Remote IPv4 network (s): LAN_BRANCH
Compression: No preference
Advanced: client to client

The mikrotik is new, without any configuration. For this reason there are no firewall rules. Its only function will be to concentrate a vpn.

Thank you.
 
sindy
Forum Guru
Posts: 6262
Joined: Mon Dec 04, 2017 9:19 pm

Re: Help with OVPN and pfSense

Fri Oct 02, 2020 3:08 pm

OK, so it seems that like Mikrotik, pfSense has some user-friendly front-end to the actual OpenVPN configuration files which obfuscates what is actually set up under the hood.

If LAN_COMPANY translates to 10.0.0.0/15 somewhere, and LAN_BRANCH translates to 10.2.26.0/24, the settings are correct at pfSense side.

If you say there are no rules whatsoever in Mikrotik's firewall, there is also no reason why the incoming connections from LAN_COMPANY to LAN_BRANCH should be blocked at Mikrotik side.

As pfSense is a blackbox, I can only recommend to start pinging from LAN_COMPANY to LAN_BRANCH with some 500 byte packets (to be distinguishable from normal TCP packets with payload which will be larger and from just ACK packets which will be smaller) and sniff on the WAN of the Mikrotik for the OpenVPN transport packets carrying these 500-byte pings, to see whether the issue is already at the pfSense end (not sending them) or at the Mikrotik end (not forwarding the received ones).

If you restrict the "masquerade everything" rule only to what exits via WAN, can you still reach addresses in LAN_COMPANY from LAN_BRANCH or not any more?
 
rafaelwzs
just joined
Topic Author
Posts: 9
Joined: Wed Sep 30, 2020 9:48 pm

Re: Help with OVPN and pfSense

Fri Oct 02, 2020 4:37 pm

If I put NAT only for the WAN, I won't drop the company.

I put a Packet Sniffer on the Mikrotik on all ports and fired a ping from pfSense, and nothing reaches Mikrotik.

The strange thing is that if I change the Mikrotik to another router with OpenWRT, the connection happens on both sides.
So I thought that the problem could be Mikrotik.

However, as nothing arrives in Mikrotik, I think it's pfSense. But the strange thing is that with OpenWRT it works.

Thank you for your help.
 
sindy
Forum Guru
Posts: 6262
Joined: Mon Dec 04, 2017 9:19 pm

Re: Help with OVPN and pfSense

Fri Oct 02, 2020 5:04 pm

If you say that even without masquerading the traffic from the Mikrotik's LAN through the OpenVPN tunnel, the sessions initiated by clients in Mikrotik's LAN towards servers in company LAN succeed, it cannot be a routing problem, because without the masquerade rule, the requests arrive to the company side with the actual addresses of the clients in the Mikrotik LAN, so the responses are sent towards these real addresses. So if you can sniff at some server in company LAN and double check that it really can see packets coming with source addresses from 10.2.26.0/24, we can move further, but this is the very first step to do, to know what we're actually looking for.
 
rafaelwzs
just joined
Topic Author
Posts: 9
Joined: Wed Sep 30, 2020 9:48 pm

Re: Help with OVPN and pfSense

Fri Oct 02, 2020 7:24 pm

The IP that arrives on the other side is the IP of pfSense. It's masking.

Do you believe it is a question of routes in Mikrotik?
 
sindy
Forum Guru
Posts: 6262
Joined: Mon Dec 04, 2017 9:19 pm

Re: Help with OVPN and pfSense

Fri Oct 02, 2020 7:40 pm

The IP that arrives on the other side is the IP of pfSense. It's masking.
Is this intentional or just a secondary effect of something?

Do you believe it is a question of routes in Mikrotik?
No, as if it was, the connections from clients in Mikrotik's LAN to servers in pfSense's LAN would fail as well. As they don't, routing must be OK in both directions. But I am still not sure whether it's not thanks to the masquerade at Mikrotik end, which would hide the existence of 10.2.26.0/24 from the pfSense end as everything from there would be masqueraded behind 172.18.1.2 for connections initiated from Mikrotik side. For connections initiated from pfSense side, the masquerade rule at Mikrotik side does nothing, and wouldn't do anything even if those packets reached the Mikrotik (well, it would masquerade the packets as they would leave Mikrotik towards the device in its LAN if it wouldn't care about the out-interface).

As you say that pings to something in 10.2.26.0/24 from pfSense side do not spawn OpenVPN transport packets from pfSense to Mikrotik, either the pfSense's firewall blocks these requests, or the OpenVPN at pfSense doesn't know that 10.22.26.0/24 is accessible via 172.18.1.2.

So to check whether the masquerade acts or not on the tunnel interface, open a command line window on the Mikrotik, make it as wide as your screen allows, and run /tool sniffer quick interface=ovpn-out1 ip-protocol=icmp in it. Then start pinging from something in 10.22.26.0/24 to something in 10.0.0.0/15, and see what the sniffer shows, maybe post the result here.
 
rafaelwzs
just joined
Topic Author
Posts: 9
Joined: Wed Sep 30, 2020 9:48 pm

Re: Help with OVPN and pfSense

Sat Oct 03, 2020 2:36 am

I did a test with IPsec, now the opposite works. The company accesses the IPs at the branch, but the branch does not access the company's IPs.

Any idea?
INTERFACE  TIME    NUM DIR SRC-MAC           DST-MAC           VLAN SRC-ADDRESS    DST-ADDRESS PROTOCOL SIZE CPU FP
ether1     0.468     1 ->  08:00:27:A8:8D:36 B0:95:75:06:A0:16      177.180.12.14              ip:icmp   162   0 no
ether1     1.478     2 ->  08:00:27:A8:8D:36 B0:95:75:06:A0:16      177.180.12.14              ip:icmp   162   0 no
ether1     2.489     3 ->  08:00:27:A8:8D:36 B0:95:75:06:A0:16      177.180.12.14              ip:icmp   162   0 no
ether1     3.499     4 ->  08:00:27:A8:8D:36 B0:95:75:06:A0:16      177.180.12.14              ip:icmp   162   0 no
ether1     4.509     5 ->  08:00:27:A8:8D:36 B0:95:75:06:A0:16      177.180.12.14              ip:icmp   162   0 no
ether1     5.519     6 ->  08:00:27:A8:8D:36 B0:95:75:06:A0:16      177.180.12.14              ip:icmp   162   0 no
ether1     6.529     7 ->  08:00:27:A8:8D:36 B0:95:75:06:A0:16      177.180.12.14              ip:icmp   162   0 no
ether1     7.543     8 ->  08:00:27:A8:8D:36 B0:95:75:06:A0:16      177.180.12.14              ip:icmp   162   0 no
ether1     8.559     9 ->  08:00:27:A8:8D:36 B0:95:75:06:A0:16      177.180.12.14              ip:icmp   162   0 no
ether1     9.568    10 ->  08:00:27:A8:8D:36 B0:95:75:06:A0:16      177.180.12.14              ip:icmp   162   0 no
ether1    10.579    11 ->  08:00:27:A8:8D:36 B0:95:75:06:A0:16      177.180.12.14              ip:icmp   162   0 no
ether1    11.588    12 ->  08:00:27:A8:8D:36 B0:95:75:06:A0:16      177.180.12.14              ip:icmp   162   0 no
ether1    12.599    13 ->  08:00:27:A8:8D:36 B0:95:75:06:A0:16      177.180.12.14              ip:icmp   162   0 no
ether1    13.616    14 ->  08:00:27:A8:8D:36 B0:95:75:06:A0:16      177.180.12.14              ip:icmp   162   0 no
ether1    14.629    15 ->  08:00:27:A8:8D:36 B0:95:75:06:A0:16      177.180.12.14              ip:icmp   162   0 no

Last edited by rafaelwzs on Mon Oct 05, 2020 4:50 am, edited 1 time in total.
 
sindy
Forum Guru
Posts: 6262
Joined: Mon Dec 04, 2017 9:19 pm

Re: Help with OVPN and pfSense

Sat Oct 03, 2020 12:12 pm

Any idea?
I don't know why you keep ignoring the information that from the random bits of the configuration you choose to post about the problem, no one is able to find out enough information to help you. Until you post the complete anonymized configuration of at least the Mikrotik (see my automatic signature below on how to do that), you won't get any useful advice.

Next, as you mix and match products of two distinct vendors (nothing bad about that), the Mikrotik-speaking crowd can only help you with the Mikrotik side. However, it seems that the issue you experience with the IPsec setup could be easier to handle as in this case, the root cause is more likely at Mikrotik end.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
rafaelwzs
just joined
Topic Author
Posts: 9
Joined: Wed Sep 30, 2020 9:48 pm

Re: Help with OVPN and pfSense

Sun Oct 04, 2020 2:49 pm

This is all the configuration of a RouterOS that I created for testing.
# oct/04/2020 11:45:29 by RouterOS 6.47.4
# software id = 71RX-HEHV
#
#
#
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server
add disabled=no interface=ether2 name=server1
/ip ipsec peer
add address=IP_VPN exchange-mode=ike2 name=pfsense
/ip ipsec profile
set [ find default=yes ] enc-algorithm=3des
/lora servers
add address=eu.mikrotik.thethings.industries down-port=1700 name=TTN-EU \
    up-port=1700
add address=us.mikrotik.thethings.industries down-port=1700 name=TTN-US \
    up-port=1700
/tool user-manager customer
set admin access=\
    own-routers,own-users,own-profiles,own-limits,config-payment-gw
/ip address
add address= interface=ether2 network=
/ip cloud
set update-time=no
/ip dhcp-client
add disabled=no interface=ether1
/ip firewall filter
add action=log chain=forward disabled=yes log=yes protocol=icmp
add action=log chain=input disabled=yes log=yes protocol=icmp
add action=log chain=output disabled=yes log=yes protocol=icmp
add action=accept chain=forward
add action=accept chain=input
add action=accept chain=output
/ip firewall nat
add action=masquerade chain=srcnat dst-address= log=yes \
    log-prefix=teste src-address=
add action=masquerade chain=srcnat out-interface=ether1
/ip ipsec identity
add peer=pfsense secret=teste123
/ip ipsec policy
add dst-address= peer=pfsense sa-dst-address=IP_VPN \
    sa-src-address=0.0.0.0 src-address= tunnel=yes
/ip route
add distance=1 dst-address=10.0.0.0/15 gateway=ether2
/system lcd
set contrast=0 enabled=no port=parallel type=24x4
/system lcd page
set time disabled=yes display-time=5s
set resources disabled=yes display-time=5s
set uptime disabled=yes display-time=5s
set packets disabled=yes display-time=5s
set bits disabled=yes display-time=5s
set version disabled=yes display-time=5s
set identity disabled=yes display-time=5s
set ether1 disabled=yes display-time=5s
set ether2 disabled=yes display-time=5s
/tool sniffer
set filter-interface=all filter-ip-protocol=icmp
/tool user-manager database
set db-path=user-manager
Last edited by rafaelwzs on Mon Oct 05, 2020 4:49 am, edited 1 time in total.
 
sindy
Forum Guru
Posts: 6262
Joined: Mon Dec 04, 2017 9:19 pm

Re: Help with OVPN and pfSense

Sun Oct 04, 2020 3:22 pm

OK, so you've started from scratch, good.

In this configuration, change the action in the action=masquerade chain=srcnat dst-address=10.0.0.0/15 log=yes log-prefix=teste src-address=10.2.26.0/24 rule in /ip firewall mangle to accept and you should be fine. Even if it is not sufficient, doing this is still necessary.

The point is that the IPsec traffic selection (matching of an outgoing packet to policies' traffic selectors) is done as the very last step, after all the other packet processing including NAT has been done.

The NAT handling is chosen per connection, and the choice is done as the very first packet of the connection is handled. So
  • if the initial packet of the connection comes from the pfSense side, no NAT handling is chosen for that connection, and thus the source address of the response packets in this connection is not modified, and they match to the policy's traffic selector. As connection initiated from the pfSense side work, the policy matching must be working fine.
  • if the initial packet of the connection towards an address in 10.0.0.0/15 comes from Mikrotik's LAN, the "normal" routing finds a route through ether2 (which is the LAN again), so in the better case, the masquerade rule assigns Mikrotik's own address at this interface as a source one to all downstream packets of this connection, in a worse case I have no idea which address it uses, but you can see that by running a ping and then having a look using /ip firewall connection print detail where protocol~"icmp" and look at the reply-dst-address. If the new address is 10.2.26.1, the IPsec policy does match, and it must be the firewall at pfSense side what blocks these connections; if some other address is eventually assigned, the IPsec policy doesn't match.
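The ordering sindy describes in the post above (the srcnat decision is fixed once, on a connection's first packet, and the IPsec policy's traffic selector is only evaluated afterwards, against the already-translated addresses) can be reproduced with a small Python model of the router's forward path. This is an added example, not code from the thread or from MikroTik. The branch and company host addresses, the router's interface addresses, the routing table and the ordering of the two exported NAT rules are constructed; masquerade is modelled as substituting the address of the interface the packet is routed out of, which with this routing table is the ether1 (WAN) address, matching what rafaelwzs later reports seeing as reply-dst-address. The connection_detail helper mimics the fields of /ip firewall connection print detail that sindy tells him to look at (the s flag and reply-dst-address).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "icmp"


@dataclass(frozen=True)
class NatRule:
    """One /ip firewall nat chain=srcnat rule; None means 'match any'."""
    action: str                          # "accept" or "masquerade"
    src: Optional[str] = None            # src-address=
    dst: Optional[str] = None            # dst-address=
    out_interface: Optional[str] = None  # out-interface=


@dataclass
class Conn:
    src: str
    dst: str
    proto: str
    nat_src: Optional[str]               # address substituted by masquerade, or None


# Constructed addressing (assumption): branch LAN on ether2, WAN towards the IPsec peer on ether1.
IFACE_ADDR = {"ether1": "192.168.1.2", "ether2": "10.2.26.1"}


def route(dst: str) -> str:
    """Constructed routing table: branch LAN via ether2, everything else via the WAN."""
    return "ether2" if ip_address(dst) in ip_network("10.2.26.0/24") else "ether1"


def rule_matches(rule: NatRule, pkt: Packet, out_iface: str) -> bool:
    if rule.src and ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if rule.dst and ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    return not rule.out_interface or rule.out_interface == out_iface


class Router:
    def __init__(self, nat_rules: List[NatRule], policy_src: str, policy_dst: str):
        self.nat_rules = nat_rules
        self.policy = (ip_network(policy_src), ip_network(policy_dst))  # IPsec traffic selector
        self.conns: List[Conn] = []                                     # connection tracking table

    def _lookup(self, pkt: Packet):
        for c in self.conns:
            if (c.src, c.dst, c.proto) == (pkt.src, pkt.dst, pkt.proto):
                return c, "orig"
            # replies come back addressed to the translated source, if there was one
            if (c.dst, c.nat_src or c.src, c.proto) == (pkt.src, pkt.dst, pkt.proto):
                return c, "reply"
        return None, None

    def _decide_nat(self, pkt: Packet) -> Optional[str]:
        """srcnat chain, first match wins; evaluated once, on the connection's first packet."""
        out_iface = route(pkt.dst)
        for rule in self.nat_rules:
            if rule_matches(rule, pkt, out_iface):
                return IFACE_ADDR[out_iface] if rule.action == "masquerade" else None
        return None

    def forward(self, pkt: Packet) -> Tuple[Packet, str]:
        """Return the packet as it leaves and where it goes: 'lan' (delivered on ether2),
        'ipsec' (matched the policy) or 'plain' (post-NAT addresses missed the selector)."""
        conn, direction = self._lookup(pkt)
        if conn is None:
            conn = Conn(pkt.src, pkt.dst, pkt.proto, self._decide_nat(pkt))
            self.conns.append(conn)
            direction = "orig"
        if direction == "orig":
            out = Packet(conn.nat_src or pkt.src, pkt.dst, pkt.proto)
        else:  # reply: undo the translation recorded on the first packet
            out = Packet(pkt.src, conn.src, pkt.proto)
        if route(out.dst) == "ether2":
            return out, "lan"
        # IPsec traffic selection is the very last step, after NAT has already been applied
        selected = ip_address(out.src) in self.policy[0] and ip_address(out.dst) in self.policy[1]
        return out, "ipsec" if selected else "plain"

    def connection_detail(self, pkt: Packet) -> dict:
        """The fields of '/ip firewall connection print detail' that matter here."""
        conn, _ = self._lookup(pkt)
        if conn is None:
            return {}
        return {"flags": "C s" if conn.nat_src else "C",          # s = src-natted
                "src-address": conn.src,
                "reply-dst-address": conn.nat_src or conn.src}    # where replies will go


LAN_HOST, COMPANY_HOST = "10.2.26.10", "10.0.5.5"   # constructed hosts
POLICY = ("10.2.26.0/24", "10.0.0.0/15")             # the thread's policy selector

# The exported rules, with the values sindy filled in; masquerade matched first
BROKEN = [NatRule("masquerade", src="10.2.26.0/24", dst="10.0.0.0/15"),
          NatRule("masquerade", out_interface="ether1")]
# sindy's fix: same matcher with action=accept, kept above the general masquerade rule
FIXED = [NatRule("accept", src="10.2.26.0/24", dst="10.0.0.0/15"),
         NatRule("masquerade", out_interface="ether1")]


def branch_initiated(rules):
    """Ping from the branch LAN to the company: the NAT decision is taken on this packet."""
    r = Router(rules, *POLICY)
    out, where = r.forward(Packet(LAN_HOST, COMPANY_HOST))
    return out.src, where, r.connection_detail(Packet(LAN_HOST, COMPANY_HOST))["flags"]


def company_initiated(rules):
    """Ping from the company to the branch: the reply is what has to hit the policy."""
    r = Router(rules, *POLICY)
    r.forward(Packet(COMPANY_HOST, LAN_HOST))               # request arrives via the tunnel
    out, where = r.forward(Packet(LAN_HOST, COMPANY_HOST))  # reply from the branch host
    return out.src, where


if __name__ == "__main__":
    print(branch_initiated(BROKEN))    # ('192.168.1.2', 'plain', 'C s')
    print(branch_initiated(FIXED))     # ('10.2.26.10', 'ipsec', 'C')
    print(company_initiated(BROKEN))   # ('10.2.26.10', 'ipsec')
```

With the masquerade rule, the company-initiated ping works because no srcnat rule matches its first packet, so the reply keeps the branch host's address and matches the selector; the branch-initiated ping is translated before the selector is consulted and never enters the tunnel. The accept rule only needs to sit above the masquerade rules, since the chain stops at the first match.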
 
rafaelwzs
just joined
Topic Author
Posts: 9
Joined: Wed Sep 30, 2020 9:48 pm

Re: Help with OVPN and pfSense

Sun Oct 04, 2020 3:47 pm

The reply is for ether1 address. Even if I ping with source of
[admin@MikroTik] > ping src-address=
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0                                               timeout
    sent=1 received=0 packet-loss=100%

[admin@MikroTik] > ip firewall connection print detail where protocol~"icmp"
Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, F - fasttrack, s - srcnat, d - dstnat
 0    C  s  protocol=icmp src-address= dst-address= reply-src-address=
            reply-dst-address=10.25.3.27 icmp-type=8 icmp-code=0 icmp-id=40193 timeout=6s orig-packets=2
            orig-bytes=112 orig-fasttrack-packets=0 orig-fasttrack-bytes=0 repl-packets=0 repl-bytes=0
            repl-fasttrack-packets=0 repl-fasttrack-bytes=0 orig-rate=0bps repl-rate=0bps
Last edited by rafaelwzs on Mon Oct 05, 2020 4:48 am, edited 1 time in total.
 
sindy
Forum Guru
Posts: 6262
Joined: Mon Dec 04, 2017 9:19 pm

Re: Help with OVPN and pfSense

Sun Oct 04, 2020 3:56 pm

OK, in that case, changing that rule's action from masquerade to accept should resolve the issue. You have to stop the ping and let the connection time out (10 seconds are enough) before trying again after changing the rule - the s which stands for src-nat should not be shown, and the reply-dst-address should be the same as the src-address.
 
rafaelwzs
just joined
Topic Author
Posts: 9
Joined: Wed Sep 30, 2020 9:48 pm

Re: Help with OVPN and pfSense

Sun Oct 04, 2020 6:04 pm

Now it's perfect. How do I buy you a beer?

Thank you!
 
sindy
Forum Guru
Posts: 6262
Joined: Mon Dec 04, 2017 9:19 pm

Re: Help with OVPN and pfSense

Sun Oct 04, 2020 6:08 pm

Tell me what country you live in via PM, maybe I'll be visiting it one day :)
