Community discussions

MikroTik App
 
sirnef
just joined
Topic Author
Posts: 19
Joined: Sat Dec 07, 2019 4:52 pm

OpenVPN and VLANs

Wed Jun 30, 2021 6:22 pm

Hi,
I need help setting up an OpenVPN server for my home network. I have configured VLANs in the past and it works very well. Later I tried to add this VPN, but from what I remember I had no connection to other devices on the local network after connecting.

Right now my VPN client won't connect at all.

Previously I followed some tutorials I found in this forum. Unfortunately with time I forgot the configuration details (what and why I set up).

Below is my configuration. Can you please help? I come back to work from the office and I would really appreciate an outside access to my network.
[dsa@RouterSwitchAP] > /export hide-sensitive 
# jun/28/2021 12:56:06 by RouterOS 6.48
# software id = HF3B-E918
#
# model = RB962UiGS-5HacT2HnT
# serial number = BEC40ADFD700
/interface bridge
add admin-mac=74:4D:28:CD:FC:48 auto-mac=no name=mybridge protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] name=ether2-tv
set [ find default-name=ether3 ] name=ether3-nas
set [ find default-name=ether4 ] name=ether4-dekoder
set [ find default-name=ether5 ] name=ether5-switchpoe
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
add interface=mybridge name=BASE_PURPLE_VLAN vlan-id=99
add interface=mybridge name=IOT_RED_VLAN vlan-id=50
add interface=mybridge name=MASTER_BLUE_VLAN vlan-id=10
add interface=mybridge name=NAS_YELLOW_VLAN vlan-id=40
add interface=mybridge name=PRINTER_GREEN_VLAN vlan-id=20
add interface=mybridge name=TV_BLACK_VLAN vlan-id=30
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=wlan-main-security supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=wlan-5-security supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" mode=dynamic-keys name=wlan-printer-security supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=wlan-iot-security supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=wlan-base-security supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan2 ] antenna-gain=3 band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=no_country_set distance=indoors frequency=auto \
    frequency-mode=manual-txpower installation=indoor mode=ap-bridge name=wlan-5 security-profile=wlan-5-security ssid=mtv-m station-roaming=enabled \
    wireless-protocol=802.11
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n channel-width=20/40mhz-XX country=no_country_set disabled=no distance=indoors frequency=auto \
    frequency-mode=manual-txpower installation=indoor mode=ap-bridge name=wlan-main security-profile=wlan-main-security ssid=mtii-m station-roaming=enabled \
    wireless-protocol=802.11
add disabled=no mac-address=76:4D:28:CD:FC:4E master-interface=wlan-main name=wlan-printer security-profile=wlan-printer-security ssid=mtii-p station-roaming=\
    enabled
add disabled=no mac-address=76:4D:28:CD:FC:50 master-interface=wlan-main name=wlan-base security-profile=wlan-base-security ssid=mtii-b station-roaming=enabled
add disabled=no mac-address=76:4D:28:CD:FC:4F master-interface=wlan-main name=wlan-iot security-profile=wlan-iot-security ssid=mtii-i station-roaming=enabled
/ip pool
add name=MASTER_BLUE_POOL ranges=192.168.10.2-192.168.10.XXX
add name=PRINTER_GREEN_POOL ranges=192.168.20.2-192.168.20.XXX
add name=TV_BLACK_POOL ranges=192.168.30.2-192.168.30.XXX
add name=NAS_YELLOW_POOL ranges=192.168.40.2
add name=IOT_RED_POOL ranges=192.168.50.2-192.168.50.XXX
add name=BASE_PURPLE_POOL ranges=192.168.99.2-192.168.99.XXX
add name=OPENVPN_POOL ranges=192.168.60.2-192.168.60.XXX
/ip dhcp-server
add address-pool=MASTER_BLUE_POOL disabled=no interface=MASTER_BLUE_VLAN name=MASTER_BLUE_DHCP
add address-pool=PRINTER_GREEN_POOL disabled=no interface=PRINTER_GREEN_VLAN name=PRINTER_GREEN_DHCP
add address-pool=TV_BLACK_POOL disabled=no interface=TV_BLACK_VLAN name=TV_BLACK_DHCP
add address-pool=NAS_YELLOW_POOL disabled=no interface=NAS_YELLOW_VLAN name=NAS_YELLOW_DHCP
add address-pool=IOT_RED_POOL disabled=no interface=IOT_RED_VLAN name=IOT_RED_DHCP
add address-pool=BASE_PURPLE_POOL disabled=no interface=BASE_PURPLE_VLAN name=BASE_PURPLE_DHCP
/ppp profile
add dns-server=192.168.99.1 local-address=192.168.60.250 name=vpn-profile remote-address=OPENVPN_POOL use-encryption=yes
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/interface bridge port
add bridge=mybridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan-main pvid=10
add bridge=mybridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan-5 pvid=555
add bridge=mybridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan-printer pvid=20
add bridge=mybridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan-iot pvid=50
add bridge=mybridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2-tv pvid=30
add bridge=mybridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3-nas pvid=40
add bridge=mybridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan-base pvid=99
add bridge=mybridge ingress-filtering=yes interface=ether4-dekoder pvid=30
add bridge=mybridge interface=ether5-switchpoe multicast-router=disabled pvid=50
/ip neighbor discovery-settings
set discover-interface-list=none
/interface bridge vlan
add bridge=mybridge tagged=mybridge vlan-ids=10
add bridge=mybridge tagged=mybridge vlan-ids=20
add bridge=mybridge tagged=mybridge vlan-ids=30
add bridge=mybridge tagged=mybridge vlan-ids=40
add bridge=mybridge tagged=mybridge vlan-ids=50
add bridge=mybridge tagged=mybridge vlan-ids=99
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=ether1 list=WAN
add interface=MASTER_BLUE_VLAN list=VLAN
add interface=PRINTER_GREEN_VLAN list=VLAN
add interface=TV_BLACK_VLAN list=VLAN
add interface=NAS_YELLOW_VLAN list=VLAN
add interface=IOT_RED_VLAN list=VLAN
add disabled=yes interface=BASE_PURPLE_VLAN list=VLAN
add interface=BASE_PURPLE_VLAN list=BASE
/interface ovpn-server server
set auth=sha1 certificate=server-certificate cipher=aes256 default-profile=vpn-profile enabled=yes require-client-certificate=yes
/interface wireless access-list
add comment="Roza Dell" interface=wlan-main mac-address=C4:85:08:06:4B:F4
add comment="iPhone " interface=wlan-main mac-address=9C:35:EB:95:88:57
add comment="Shelly Roleta Sypialnia " interface=wlan-iot mac-address=2C:F4:32:68:66:E1
add comment=Kamera interface=wlan-iot mac-address=5E:E5:0C:0C:8B:7D
add comment=Szambo interface=wlan-iot mac-address=98:F4:AB:CD:5F:50
add comment=Odkurzacz interface=wlan-iot mac-address=7C:49:EB:9C:B1:6C
add comment=SP4 interface=wlan-base mac-address=98:5F:D3:3F:07:B1
add comment=MyNote9 interface=wlan-base mac-address=8E:EA:E7:72:38:69
add comment="BR Note9" interface=wlan-main mac-address=CA:80:BE:F1:74:EE
add comment="\?\?\? co to" interface=wlan-main mac-address=64:27:37:75:66:79
/ip address
add address=192.168.10.1/24 interface=MASTER_BLUE_VLAN network=192.168.10.0
add address=192.168.20.1/24 interface=PRINTER_GREEN_VLAN network=192.168.20.0
add address=192.168.30.1/24 interface=TV_BLACK_VLAN network=192.168.30.0
add address=192.168.40.1/24 interface=NAS_YELLOW_VLAN network=192.168.40.0
add address=192.168.50.1/24 interface=IOT_RED_VLAN network=192.168.50.0
add address=192.168.99.1/24 interface=BASE_PURPLE_VLAN network=192.168.99.0
add address=XXX.XXX.XXX.XXX/26 interface=ether1 network=XXX.XXX.XXX.192
/ip arp
add address=192.168.50.130 interface=IOT_RED_VLAN mac-address=0A:DF:70:CD:96:CB
/ip cloud
set update-time=no
/ip dhcp-server lease
add address=192.168.50.4 comment=kamera mac-address=5E:E5:0C:0C:8B:7D server=IOT_RED_DHCP
add address=192.168.50.3 comment="roleta sypialnia" mac-address=2C:F4:32:68:66:E1 server=IOT_RED_DHCP
add address=192.168.50.6 client-id=1:7c:49:eb:9c:b1:6c comment=odkurzacz mac-address=7C:49:EB:9C:B1:6C server=IOT_RED_DHCP
add address=192.168.40.2 client-id=1:0:11:32:ba:25:c3 comment=nas mac-address=00:11:32:BA:25:C3 server=NAS_YELLOW_DHCP
add address=192.168.30.3 mac-address=68:63:59:DD:5C:A7 server=TV_BLACK_DHCP
add address=192.168.50.2 comment=szambo mac-address=98:F4:AB:CD:5F:50 server=IOT_RED_DHCP
add address=192.168.10.8 client-id=1:ca:80:be:f1:74:ee mac-address=CA:80:BE:F1:74:EE server=MASTER_BLUE_DHCP
add address=192.168.30.2 client-id=1:14:bb:6e:43:34:7d mac-address=14:BB:6E:43:34:7D server=TV_BLACK_DHCP
add address=192.168.10.6 client-id=1:64:27:37:75:66:79 mac-address=64:27:37:75:66:79 server=MASTER_BLUE_DHCP
add address=192.168.20.6 comment=drukarka mac-address=54:35:30:31:B1:39 server=PRINTER_GREEN_DHCP
add address=192.168.50.5 client-id=1:ee:df:70:cd:96:cb comment="fritz repeater" mac-address=EE:DF:70:CD:96:CB server=IOT_RED_DHCP
add address=192.168.50.9 comment="przycisk sypialnia" mac-address=A4:CF:12:F4:53:24 server=IOT_RED_DHCP
add address=192.168.50.11 mac-address=68:C6:3A:FA:DA:07 server=IOT_RED_DHCP
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.99.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.99.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.99.1 gateway=192.168.30.1
add address=192.168.40.0/30 dns-server=192.168.99.1 gateway=192.168.40.1
add address=192.168.50.0/26 dns-server=192.168.99.1 gateway=192.168.50.1
add address=192.168.99.0/24 dns-server=192.168.99.1 gateway=192.168.99.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9
/ip dns static
add address=192.168.40.2 name=serwer.dom
add address=192.168.50.3 name=roleta.sypialnia
add address=192.168.50.11 name=lampka.salon
add address=192.168.50.6 name=odkurzacz.dom
/ip firewall filter
add action=accept chain=input comment="Accept established,related" connection-state=established,related
add action=accept chain=input disabled=yes dst-address=XXX.XXX.XXX.XXX dst-port=6622 protocol=tcp
add action=accept chain=forward dst-address=XXX.XXX.XXX.XXX dst-port=6633 protocol=tcp
add action=accept chain=input comment="WWW access" disabled=yes dst-address=XXX.XXX.XXX.XXX dst-port=80 protocol=tcp
add action=accept chain=input comment="WWW access" dst-address=XXX.XXX.XXX.XXX dst-port=443 protocol=tcp
add action=accept chain=input comment=OPENVPN dst-port=1194 protocol=tcp
add action=accept chain=input dst-address=192.168.40.2
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow BASE_VLAN Full Access" in-interface=BASE_PURPLE_VLAN
add action=drop chain=input comment="Drop others"
add action=fasttrack-connection chain=forward comment=Fasttrack connection-state=established,related
add action=accept chain=forward comment="Accept established,related" connection-state=established,related
add action=accept chain=forward dst-address=192.168.40.2 dst-port=80 protocol=tcp
add action=accept chain=forward dst-address=192.168.40.2 dst-port=443 protocol=tcp
add action=accept chain=forward dst-address=192.168.40.2
add action=accept chain=forward in-interface=MASTER_BLUE_VLAN out-interface=NAS_YELLOW_VLAN
add action=accept chain=forward in-interface=IOT_RED_VLAN out-interface=NAS_YELLOW_VLAN
add action=accept chain=forward in-interface=IOT_RED_VLAN out-interface=MASTER_BLUE_VLAN
add action=accept chain=forward in-interface=MASTER_BLUE_VLAN out-interface=IOT_RED_VLAN
add action=accept chain=forward in-interface=TV_BLACK_VLAN out-interface=NAS_YELLOW_VLAN
add action=accept chain=forward in-interface=MASTER_BLUE_VLAN out-interface=PRINTER_GREEN_VLAN
add action=accept chain=forward disabled=yes in-interface=BASE_PURPLE_VLAN out-interface=PRINTER_GREEN_VLAN
add action=accept chain=forward disabled=yes in-interface=PRINTER_GREEN_VLAN out-interface=BASE_PURPLE_VLAN
add action=drop chain=forward comment="Disable Internet access for the printer" in-interface=PRINTER_GREEN_VLAN out-interface-list=WAN
add action=drop chain=forward comment="Disable Internet access for the IOT" disabled=yes in-interface=IOT_RED_VLAN out-interface-list=WAN
add action=accept chain=forward comment="BASE Internet access" in-interface=BASE_PURPLE_VLAN
add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment="Drop others"
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat disabled=yes dst-address=XXX.XXX.XXX.XXX dst-port=6622 protocol=tcp to-addresses=192.168.40.2 to-ports=6622
add action=dst-nat chain=dstnat dst-address=XXX.XXX.XXX.XXX dst-port=6633 protocol=tcp to-addresses=192.168.40.2 to-ports=6633
add action=dst-nat chain=dstnat disabled=yes dst-address=XXX.XXX.XXX.XXX dst-port=80 protocol=tcp src-port="" to-addresses=192.168.40.2 to-ports=80
add action=dst-nat chain=dstnat dst-address=XXX.XXX.XXX.XXX dst-port=443 protocol=tcp src-port="" to-addresses=192.168.40.2 to-ports=443
/ip route
add distance=1 gateway=XXX.XXX.XXX.193
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.10.0/24,192.168.99.0/24 port=8880
set ssh address=192.168.10.0/24,192.168.99.0/24 port=5050
set api disabled=yes
set winbox address=192.168.99.0/24 port=5051
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ppp secret
add name=d profile=vpn-profile
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=RouterSwitchAP
/system routerboard settings
set silent-boot=yes
/tool graphing interface
add interface=ether1
add
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE
/tool traffic-monitor
add disabled=yes interface=ether1 name=tmon1 threshold=0 traffic=received
add disabled=yes interface=ether1 name=tmon2 threshold=0

Who is online

Users browsing this forum: No registered users and 58 guests