dexznrl
just joined
Topic Author
Posts: 10
Joined: Sat Jul 10, 2021 9:59 am

Mikrotik RB1100x4 as OpenVPN client with traffic passthrough

Tue Sep 07, 2021 8:45 pm

Hello to you all...

I'm still a bit new to Mikrotik; it's not as easy as I would have wished for, but on the other hand I learn a lot :).

I have a Windows 2019 VPS machine that runs OpenVPN as server, and I use the RB1100x4 as an OpenVPN client.

Behind the RB1100x4 I have a network 192.168.88.0/24
The VPN has the network 10.9.0.0/24.
The ovpn IP-address of the server is 10.9.0.1.
The ovpn IP-address of the RB1100x4 is 10.9.0.2.

I can ping from 10.9.0.1 - 10.9.0.2.
I can ping from 192.168.88.x to 10.9.0.1.
I can NOT ping from 10.9.0.1 to 192.168.88.x.

Routes on windows server are set as follows:
Network Destination Netmask Gateway Interface Metric
192.168.88.0 255.255.255.0 10.9.0.2 10.9.0.1 35

To be able to ping from computers behind RB1100x4 to the server I had to add:

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ovpn-out1

But still no luck in the other direction.

Any help would be most appreciated.

Best regards
Johan
 
mikeeg02
Member Candidate
Posts: 162
Joined: Fri Mar 30, 2018 2:28 am
Location: Pennsylvania

Re: Mikrotik RB1100x4 as OpenVPN client with traffic passthrough

Wed Sep 08, 2021 3:30 am

Would be helpful to have the rest of your firewall rules, but you likely need to add a forward chain rule, and make sure it's above any drop rules in the forward chain.

/ip firewall filter
add chain=forward src-address=10.9.0.0/24 dst-address=192.168.88.0/24 action=accept

In the client machine you are connecting to the VPN with, you will either need to make sure default route is checked in the VPN config or add a static route for 192.168.88.0/24 using the 10.9.0.1 gateway as well.
 
dexznrl
just joined
Topic Author
Posts: 10
Joined: Sat Jul 10, 2021 9:59 am

Re: Mikrotik RB1100x4 as OpenVPN client with traffic passthrough

Wed Sep 08, 2021 9:43 am

The forward chain did not solve the issue.

Here is the rest of the config :)

This is the client machine. The server runs on a Windows VPS machine.
The route on the Windows VPS is correct, but still no ping from 10.9.0.1 to 192.168.88.x.

/interface bridge
add name=bridge1 protocol-mode=none
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
set 12 default-vlan-id=0
set 13 default-vlan-id=0
set 14 default-vlan-id=0
set 15 default-vlan-id=0
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.50-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 name=dhcp1
/ppp profile
add name=openvpn-client use-compression=no use-encryption=yes use-mpls=no
/interface ovpn-client
add certificate=betongvagen.crt_0 cipher=aes256 connect-to="not showing this" \
mac-address=02:BD:7B:5E:F6:26 name=ovpn-out1 port=1195 profile=\
openvpn-client user=betongvagen
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=ether11
add bridge=bridge1 interface=ether12
add bridge=bridge1 interface=ether13
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/ip address
add address=192.168.88.1/24 interface=ether2 network=192.168.88.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1 netmask=24
/ip firewall filter
add action=accept chain=forward dst-address=192.168.88.0/24 src-address=\
10.9.0.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=ovpn-out1
/system clock
set time-zone-name=Europe/Stockholm
/system identity
set name=not showing this :)
/tool sniffer
set file-limit=10000KiB file-name=packet-sniffer filter-interface=all
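As an added example (not code posted in this thread or part of RouterOS), a small Python sanity check that parses the export above, embedded here as a constructed excerpt, and flags two things worth reviewing before chasing routes on the server: an IP address bound to an interface that is also a bridge port (192.168.88.1/24 on ether2 while ether2 is a port of bridge1), and a srcnat masquerade on the VPN interface, which hides 192.168.88.0/24 behind the tunnel address 10.9.0.2. Section and interface names are taken from the posted export; the parser and check functions are this example's own.

```python
import re
from collections import defaultdict

# Constructed excerpt of the export posted above; a trailing '\' marks a wrapped line, as in a real export.
EXPORT = r"""
/interface bridge
add name=bridge1 protocol-mode=none
/interface ovpn-client
add certificate=betongvagen.crt_0 cipher=aes256 connect-to="not showing this" \
mac-address=02:BD:7B:5E:F6:26 name=ovpn-out1 port=1195 profile=\
openvpn-client user=betongvagen
/interface bridge port
add bridge=bridge1 interface=ether2
/ip address
add address=192.168.88.1/24 interface=ether2 network=192.168.88.0
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=ovpn-out1
"""

TOKEN = re.compile(r'(\S+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_export(text):
    """Return {section: [{key: value}, ...]} after re-joining backslash-wrapped lines."""
    joined = re.sub(r"\\\n\s*", "", text)       # undo RouterOS export line wrapping
    sections, section = defaultdict(list), None
    for line in joined.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("/"):
            section = line                      # e.g. "/ip firewall nat"
        elif section and line.split()[0] in ("add", "set"):
            sections[section].append({k: v.strip('"') for k, v in TOKEN.findall(line)})
    return sections

def find_ip_on_bridge_port(sections):
    """Addresses bound to an interface that is itself a bridge port (here: 192.168.88.1/24 on ether2)."""
    ports = {p.get("interface") for p in sections.get("/interface bridge port", [])}
    return [(a["address"], a["interface"]) for a in sections.get("/ip address", [])
            if a.get("interface") in ports]

def find_masquerade_on(sections, iface):
    """srcnat masquerade rules leaving via iface; on the VPN interface this hides the LAN behind 10.9.0.2."""
    return [r for r in sections.get("/ip firewall nat", [])
            if r.get("chain") == "srcnat" and r.get("action") == "masquerade"
            and r.get("out-interface") == iface]
```

Run `find_ip_on_bridge_port(parse_export(EXPORT))` against a full export to list every address that sits on a bridge slave instead of the bridge itself.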
 
mikeeg02
Member Candidate
Posts: 162
Joined: Fri Mar 30, 2018 2:28 am
Location: Pennsylvania

Re: Mikrotik RB1100x4 as OpenVPN client with traffic passthrough

Wed Sep 08, 2021 5:22 pm

The fact you added a masquerade rule to the RB1100 on the ovpn out interface and can now ping the server leads me to believe the route in the server (dst 192.168.88.0/24) to use the VPN client isn't correct. A traceroute from the server to 192.168.88.x should show if it's trying to use the proper gateway.
