rockyinc
newbie
Topic Author
Posts: 26
Joined: Fri Sep 25, 2020 2:44 pm

VPN access problem

Thu Oct 27, 2022 7:32 pm

Hi

Some time ago I wrote about a problem with my OpenVPN.

I have investigated a bit and found: if I have 2 devices connected via OpenVPN or L2TP (both with the same VPN or each separate), they see each other and I can access one from the other.
(Example: a Teltonika RUT950 connected with L2TP via SIM card can be accessed with a laptop connected through a mobile phone hotspot. This works normally.)

The problem I am having is that if I want to access one of them through my PC, which is connected directly to my router in the LAN, I can't access it. But in reverse it works: if I connect to the VPN I can access my PC in the LAN.

Examples:
My LAN setup: 192.168.1.0/24
Teltonika remote VPN IP: 192.168.1.73
Laptop remote VPN IP: 192.168.1.72
My PC in LAN IP: 192.168.1.10

Is there a problem with masquerade or a route?
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: VPN access problem

Thu Oct 27, 2022 8:46 pm

It looks like missing proxy ARP on LAN interface and too broad masquerade rule that hides it, which works for one direction but not the other. But better post your config.
 
rockyinc
newbie
Topic Author
Posts: 26
Joined: Fri Sep 25, 2020 2:44 pm

Re: VPN access problem

Fri Oct 28, 2022 12:29 am

My configuration:
# oct/27/2022 23:21:51 by RouterOS 6.47.10
# software id = ZWRC-FBTF
#
# model = RB4011iGS+5HacQ2HnD
# serial number = D1460C19DA7E
/interface bridge
add name=TV
add name=Telefon
add name=bridge1
add name=bridge_WiFi
/interface wireless
set [ find default-name=wlan1 ] country=slovenia disabled=no frequency=auto \
mode=ap-bridge ssid="Bezan 5G" station-roaming=enabled wireless-protocol=\
802.11
set [ find default-name=wlan2 ] antenna-gain=50 band=2ghz-b/g/n \
channel-width=20/40mhz-Ce country=japan disabled=no frequency=auto \
frequency-mode=superchannel mode=ap-bridge ssid=Bezan station-roaming=\
enabled wireless-protocol=802.11
/interface pppoe-client
add add-default-route=yes disabled=no interface=sfp-sfpplus1 name=pppoe-out1 \
password=xxxx use-peer-dns=yes user=xxxxx
/interface vlan
add interface=ether6 name="TV BOX1" vlan-id=3999
add interface=ether7 name="TV BOX2" vlan-id=3999
add interface=sfp-sfpplus1 name="TV IN" vlan-id=3999
add interface=ether2 name="TV NEO1" vlan-id=3999
add interface=sfp-sfpplus1 name="Telefon IN" vlan-id=3998
add interface=ether4 name="Telefon Out" vlan-id=3998
add name=vlan100 vlan-id=100
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=\
xxx wpa2-pre-shared-key=mobitel123
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1
/ip pool
add name=dhcp ranges=192.168.1.100-192.168.1.199
add name=dhcp_WiFi ranges=192.168.1.200-192.168.1.240
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 name=dhcp1
add address-pool=dhcp_WiFi disabled=no interface=bridge_WiFi name=dhcp_WiFi
/lora servers
add address=eu.mikrotik.thethings.industries down-port=1700 name=TTN-EU \
up-port=1700
add address=us.mikrotik.thethings.industries down-port=1700 name=TTN-US \
up-port=1700
/ppp profile
add bridge=bridge1 local-address=192.168.1.1 name=vpn_profile
/tool user-manager customer
set admin access=\
own-routers,own-users,own-profiles,own-limits,config-payment-gw
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether3
add bridge=bridge1 disabled=yes interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=wlan2
add bridge=bridge1 interface=ether2
add bridge=TV interface="TV IN"
add bridge=TV interface="TV BOX1"
add bridge=TV interface="TV BOX2"
add bridge=Telefon interface="Telefon IN"
add bridge=Telefon interface="Telefon Out"
add bridge=TV interface="TV NEO1"
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface l2tp-server server
set default-profile=default enabled=yes ipsec-secret=luftP0st! use-ipsec=yes
/interface list member
add interface=pppoe-out1 list=WAN
add interface=bridge1 list=LAN
add interface=sfp-sfpplus1 list=WAN
/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes256 enabled=yes \
require-client-certificate=yes
/ip address
add address=192.168.1.1/24 interface=ether1 network=192.168.1.0
add address=192.168.100.1/24 disabled=yes network=192.168.100.0
/ip dhcp-client
add !dhcp-options interface=sfp-sfpplus1
/ip dhcp-server lease
add address=192.168.1.60 always-broadcast=yes mac-address=34:E1:D1:80:C0:F7 \
server=dhcp1
add address=192.168.1.61 mac-address=00:1E:42:4D:26:DC server=dhcp1
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=\
192.168.1.1,193.189.160.13,193.189.160.23 gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=193.189.160.13,193.189.160.23
/ip dns static
add address=192.168.1.26 comment="MK Raubritter Spletna Stran" name=\
mk-raubritter.com
add address=192.168.1.26 name=www.mk-raubritter.com
add address=192.168.1.26 comment="Arja Spletna Stran" name=\
pomoc-zivalim-arja.si
add address=192.168.1.26 name=www.pomoc-zivalim-arja.si
/ip firewall address-list
add address=192.168.1.70-192.168.0.79 disabled=yes list=VPN
/ip firewall filter
add action=accept chain=input protocol=icmp
add action=fasttrack-connection chain=forward disabled=yes
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=accept chain=input comment="Allow t2p" in-interface=pppoe-out1 \
protocol=ipsec-esp
add action=accept chain=input dst-port=500,1701,4500 in-interface=pppoe-out1 \
protocol=udp
add action=accept chain=input comment=OpenVPN dst-port=1194 protocol=tcp
add action=accept chain=input dst-port=80,443,8291 protocol=tcp src-address=\
192.168.1.0/24
add action=drop chain="log and drop" disabled=yes
add action=jump chain=input disabled=yes jump-target="log and drop"
add action=drop chain=input in-interface-list=!LAN
/ip firewall mangle
add action=route chain=prerouting disabled=yes dst-address-list=!VPN \
passthrough=yes protocol=!icmp route-dst=192.168.1.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat comment=VPN src-address=192.168.1.0/24
add action=accept chain=dstnat disabled=yes dst-port=1194 protocol=udp
/ip upnp
set enabled=yes
/ppp secret
add local-address=192.168.1.1 name=rocky password=Passw0rd0 remote-address=\
192.168.1.70
add local-address=192.168.1.1 name=teltonika password=Passw0rd0 \
remote-address=192.168.1.71
/system clock
set time-zone-name=Europe/Ljubljana
/system leds
add interface=wlan2 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-le\
d,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool user-manager database
set db-path=user-manager
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: VPN access problem  [SOLVED]

Fri Oct 28, 2022 1:31 am

If only I could predict lottery numbers as easily as I can tell what's wrong with configs that I don't see. :D

This rule should not be needed for anything:
/ip firewall nat
add action=masquerade chain=srcnat comment=VPN src-address=192.168.1.0/24
But you need proxy ARP. Either on interface:
/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp
Or for individual addresses:
/ip arp
add interface=ether1 address=192.168.1.70 published=yes
add interface=ether1 address=192.168.1.71 published=yes
...
 
rockyinc
newbie
Topic Author
Posts: 26
Joined: Fri Sep 25, 2020 2:44 pm

Re: VPN access problem

Fri Oct 28, 2022 2:21 am

/interface
Ethernet 1-10 are ethernet LAN ports? My PC is on Ethernet port 3. So if I want to access the VPN device (Teltonika), which has remote address 192.168.1.71, should I add the ARP entry "add interface=ether1 address=192.168.1.71 published=yes"?
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: VPN access problem

Fri Oct 28, 2022 2:42 am

The interface should be bridge1. I originally went by the IP address for LAN, which you have on ether1, but it should actually be on bridge1, because ether1 is a bridge port, so the LAN interface, as the router sees it, is bridge1.
 
rockyinc
newbie
Topic Author
Posts: 26
Joined: Fri Sep 25, 2020 2:44 pm

Re: VPN access problem

Tue Nov 01, 2022 9:32 pm

I have tried both, and thank you. When I set up proxy-arp on bridge1, it worked with L2TP and OpenVPN. I have also tried only the ARP entries and got the same working result.
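The fix worked out in this thread (a published ARP entry on the LAN bridge for each VPN client address, and no subnet-wide masquerade rule) can be applied as a RouterOS script instead of one entry at a time. The script below is an added example, not code from the thread or from MikroTik; it assumes RouterOS 6.x syntax, that the LAN bridge is named bridge1, and that the VPN clients are the /ppp secret entries with a static remote-address, as in the posted config. The comment prefix "vpn:" and the log messages are the example's own choices.

```routeros
# Added example: publish one proxy-ARP entry on the LAN bridge for every
# PPP secret that has a static remote-address inside the LAN subnet, so LAN
# hosts resolve the VPN client's address to the router and the router forwards
# the traffic through the PPP tunnel. Assumes the LAN bridge is bridge1.
:local lanIf "bridge1"

:foreach s in=[/ppp secret find] do={
    :local ra [/ppp secret get $s remote-address]
    :local nm [/ppp secret get $s name]
    # only secrets with a static remote-address can get a fixed ARP entry
    :if ([:len $ra] > 0) do={
        # skip addresses that already have an entry on the LAN bridge
        :if ([:len [/ip arp find address=$ra interface=$lanIf]] = 0) do={
            /ip arp add interface=$lanIf address=$ra published=yes comment=("vpn:" . $nm)
            :log info ("published proxy-ARP entry for " . $nm . " (" . $ra . ") on " . $lanIf)
        }
    }
}

# A masquerade rule on the whole LAN subnet with no out-interface restriction
# rewrites LAN->VPN traffic to the router's own address, which is the
# asymmetry seen in the thread. Disable (not delete) any such rule; the
# WAN-bound rule keyed on out-interface-list stays untouched.
:foreach r in=[/ip firewall nat find chain=srcnat action=masquerade src-address=192.168.1.0/24] do={
    :if ([:len [/ip firewall nat get $r out-interface-list]] = 0) do={
        /ip firewall nat disable $r
        :log warning "disabled subnet-wide srcnat masquerade rule with no out-interface"
    }
}
```

Paste it into a terminal or save it under /system script and run it; it is idempotent, so rerunning after adding a new /ppp secret just adds the missing entry. A published entry without a MAC address uses the interface's own MAC, which is what makes the router answer ARP requests for the VPN address on bridge1 while the actual forwarding goes out the L2TP or OVPN interface. Setting arp=proxy-arp on bridge1 instead, as also suggested in the thread, answers for every reachable address at once; the per-address form keeps the ARP announcements limited to the VPN clients that are meant to be reachable from the LAN.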
