panlactal
just joined
Topic Author
Posts: 7
Joined: Tue Sep 25, 2012 5:40 pm

Openvpn

Wed Oct 31, 2012 9:32 pm

Hi,
I have an OpenVPN connection (the MikroTik is a client) from LAN to LAN; it's something like this:

lan1 <----->openvpn_server <------------->mikrotik<------------->lan2

I can ping from the openvpn_server to any PC in lan2 (using the IP from the tunnel as source), and I can also ping from the MikroTik to any PC in lan1, but I cannot reach lan2 or the MikroTik from lan1.

I have the same configuration in 3 other locations and they are working.

I looked at the packet sniffer, and the ping from a PC in lan1 reaches the MikroTik but is not responded to. What else can I look at? The firewall is accepting INPUT, OUTPUT and FORWARD.

The RouterOS version is v5.21.

Thank you, and sorry for my English; it's not my first language.
 
jandafields
Forum Guru
Posts: 1514
Joined: Mon Sep 19, 2005 6:12 pm

Re: Openvpn

Fri Nov 02, 2012 2:24 am

Do you have a route in the mikrotik for lan1?

Is the openvpn_server a mikrotik? If not, you should contact the support for that device.
 
panlactal
just joined
Topic Author
Posts: 7
Joined: Tue Sep 25, 2012 5:40 pm

Re: Openvpn

Tue Nov 06, 2012 3:10 pm

The route to lan1 is added when the OpenVPN is up.

The OpenVPN server is a Debian server; it's working perfectly. I have 3 other locations with the same topology and configuration with no problems at all.
 
duncant123
just joined
Posts: 5
Joined: Mon May 29, 2006 7:39 am
Location: New Zealand

Re: Openvpn

Wed Nov 07, 2012 11:10 am

I am guessing you have your route set up, as you say you can see packets reaching the MT. I am making the assumption you are looking at that in the MikroTik and not the OpenVPN server, as seeing packets going into the tunnel isn't the same as reaching the MT.

If you check the firewall logs and log ICMP pre- and post-routing in mangle, then you can see a bit more about what's happening to the packets at the MT. You should see the post-routing logs in mangle showing the interface the packets leave on and the addresses they have.

Does Lan2 have a default route pointing to the MT to get back to Lan1? Or is the MT the main server of Lan2? Since the openvpn server can ping successfully, it probably does, but what is the difference in the packets between these and the ones from Lan1?
 
panlactal
just joined
Topic Author
Posts: 7
Joined: Tue Sep 25, 2012 5:40 pm

Re: Openvpn

Wed Nov 07, 2012 2:28 pm

Yes duncant123, I'm watching the packets in the MT.
The MT is the main server for LAN2; it's connected to an ADSL router.
> Since the openvpn server can ping successfully, it probably does, but what is the difference in the packets between these and the ones from Lan1?
The difference is that the ones from the openvpn_server have the source address from the OVPN tunnel, while the ones from the LAN have another IP range. I can't NAT that because I need to see where the connections are coming from (different branches).

I will log the post routing mangle and post it.

Thank you!
 
panlactal
just joined
Topic Author
Posts: 7
Joined: Tue Sep 25, 2012 5:40 pm

Re: Openvpn

Wed Nov 07, 2012 4:06 pm

I logged the postrouting and the prerouting, but I only get prerouting; it's like the MT is discarding packets from my IP range.

10:58:01 firewall,info PRE_ prerouting: in:ovpn-out1 out:(none), proto ICMP (type 8, code 0), 172.16.2.133->192.168.253.1, len 60
10:58:06 firewall,info PRE_ prerouting: in:ovpn-out1 out:(none), proto ICMP (type 8, code 0), 172.16.2.133->192.168.253.1, len 60
10:58:11 firewall,info PRE_ prerouting: in:ovpn-out1 out:(none), proto ICMP (type 8, code 0), 172.16.2.133->192.168.253.1, len 60
10:58:16 firewall,info PRE_ prerouting: in:ovpn-out1 out:(none), proto ICMP (type 8, code 0), 172.16.2.133->192.168.253.1, len 60
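The check duncant123 describes (log ICMP in mangle prerouting and postrouting, then compare) can be automated over the exported log. The following is an added example, not code from the thread: it parses the RouterOS firewall log format quoted above and reports flows that appear in prerouting but never in postrouting, which is the pattern panlactal observed. The sample log is constructed: the two 172.16.2.133 lines copy the thread's entries, while the 10.0.0.1 flow, the POST_ prefix and the egress interface name ether2 are assumed to show what a forwarded packet would look like.

```python
import re
from collections import defaultdict

# Constructed sample in the RouterOS "firewall,info" log format quoted in the thread.
# The 172.16.2.133 lines copy the thread; the 10.0.0.1 flow, the POST_ prefix and
# "ether2" are assumed, to show a packet that is actually forwarded (reaches postrouting).
SAMPLE_LOG = """\
10:58:01 firewall,info PRE_ prerouting: in:ovpn-out1 out:(none), proto ICMP (type 8, code 0), 172.16.2.133->192.168.253.1, len 60
10:58:06 firewall,info PRE_ prerouting: in:ovpn-out1 out:(none), proto ICMP (type 8, code 0), 172.16.2.133->192.168.253.1, len 60
10:58:07 firewall,info PRE_ prerouting: in:ovpn-out1 out:(none), proto ICMP (type 8, code 0), 10.0.0.1->192.168.253.10, len 60
10:58:07 firewall,info POST_ postrouting: in:ovpn-out1 out:ether2, proto ICMP (type 8, code 0), 10.0.0.1->192.168.253.10, len 60
"""

# One mangle log entry: time, log prefix, chain, interfaces, protocol, addresses, length.
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) firewall,info (?P<prefix>\S+) (?P<chain>\w+): "
    r"in:(?P<in_if>[^,\s]+) out:(?P<out_if>[^,\s]+), proto (?P<proto>\w+)"
    r"(?: \((?P<detail>[^)]*)\))?, (?P<src>[\d.]+(?::\d+)?)->(?P<dst>[\d.]+(?::\d+)?), "
    r"len (?P<length>\d+)$"
)


def parse_line(line):
    """Parse one firewall log line into a dict of fields, or return None if it is not one."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def flows_dropped_in_router(log_text):
    """Return {(src, dst): summary} for flows logged in prerouting but never in postrouting.

    A forwarded packet is logged twice (prerouting, then postrouting with the egress
    interface filled in). A flow with prerouting entries only is being discarded between
    the two hooks, i.e. by the routing decision or by a filter rule on this router.
    """
    flows = defaultdict(lambda: {"prerouting": 0, "postrouting": 0, "in_if": set(), "out_if": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["chain"] not in ("prerouting", "postrouting"):
            continue
        f = flows[(rec["src"], rec["dst"])]
        f[rec["chain"]] += 1
        f["in_if"].add(rec["in_if"])
        f["out_if"].add(rec["out_if"])
    return {k: v for k, v in flows.items() if v["postrouting"] == 0}


if __name__ == "__main__":
    for (src, dst), f in flows_dropped_in_router(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {f['prerouting']} packet(s) in via {sorted(f['in_if'])}, never in postrouting")
```

Run it against `/log print` output saved to a file; any flow it lists is dropped on this router, so the next place to look is `/ip route print` for its destination and the forward chain of `/ip firewall filter`.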
 
panlactal
just joined
Topic Author
Posts: 7
Joined: Tue Sep 25, 2012 5:40 pm

Re: Openvpn

Wed Nov 07, 2012 5:31 pm

Continuing with the tests, I get this:

[admin@MikroTik] > /ping 172.16.2.133 src-address=192.168.253.1
HOST SIZE TTL TIME STATUS
packet rejected
packet rejected
packet rejected
packet rejected
packet rejected
packet rejected
sent=6 received=0 packet-loss=100%

So I'm starting to think that it is something with the firewall, although it doesn't have any rules to block.
 
duncant123
just joined
Posts: 5
Joined: Mon May 29, 2006 7:39 am
Location: New Zealand

Re: Openvpn

Thu Nov 08, 2012 12:01 am

Hi

It sounds like a routing issue then. In OpenVPN you can specify the subnets behind the client using CCD; I wonder if you can do that with the MT version, or what has to be done to tell the MT that the route for those packets is in the OpenVPN? If you look at the route table, can you see the routes pointing to the tunnel?

I am guessing you can already ping from Lan2 to any PC in Lan1, as that's your basic connection model. So the issue is from the clients at the server end back. Do the clients at the server end all have IPs in the local network? Can the clients at the server end ping the MT address?

But if it works on other machines it should work here; are the other scenarios different at all? I wonder, if Lan2 is the primary destination, whether you might be better running it as server and having the OpenVPN as a client at the other end?

Sorry, not much help, but it's probably trial and error and a comparison with the working links.
 
panlactal
just joined
Topic Author
Posts: 7
Joined: Tue Sep 25, 2012 5:40 pm

Re: Openvpn

Sat Nov 10, 2012 1:15 am

> It sounds like a routing issue then. In OpenVPN you can specify the subnets behind the client using CCD; I wonder if you can do that with the MT version, or what has to be done to tell the MT that the route for those packets is in the OpenVPN? If you look at the route table, can you see the routes pointing to the tunnel?
I've set up the subnets behind the clients in the OVPN server. I can see the routes in the MT, pointing to the tunnel and to the other LAN.
> I am guessing you can already ping from Lan2 to any PC in Lan1, as that's your basic connection model. So the issue is from the clients at the server end back. Do the clients at the server end all have IPs in the local network? Can the clients at the server end ping the MT address?
No, the clients at the server end can't ping the MT address (they can ping the public address, but not the LAN2 address).

> But if it works on other machines it should work here; are the other scenarios different at all? I wonder, if Lan2 is the primary destination, whether you might be better running it as server and having the OpenVPN as a client at the other end?

The only difference is that this connection has an ADSL modem that initiates the connection (router mode); the other scenarios have the ADSL modem in bridge mode, and it is the MikroTik that initiates the connection and gets the public IP.

thanks!
 
duncant123
just joined
Posts: 5
Joined: Mon May 29, 2006 7:39 am
Location: New Zealand

Re: Openvpn

Sat Nov 10, 2012 4:25 am

I would think you should be able to ping the internal MT address from the clients in the server LAN; I can in my examples. It may mean you need to add a route in the default gateway of that LAN that points to the OpenVPN server so they can find the right address.

What is your address arrangement? What subnet is the server on? What subnet is the MT on and what subnet is LAN2 on? (and a subnet of working LAN)

Cheers Duncan
 
panlactal
just joined
Topic Author
Posts: 7
Joined: Tue Sep 25, 2012 5:40 pm

Re: Openvpn

Sat Nov 10, 2012 5:43 pm

It's something like this: openvpn_server is connected to the internet directly with a public address, and the MikroTik in the branch has an ADSL connection.

lan1 <-----------> openvpn_server <-----------------> mikrotik <--------------------> lan2
172.16.0.0/16      172.16.0.1 (lan side)              192.168.0.3 (adsl side)        192.168.253.0/24
                   10.0.0.0/8 (tunnel side)           192.168.253.1 (lan side)
                                                      10.0.0.0/8 (tunnel side)

Thank you!
 
StuartUSA
just joined
Posts: 3
Joined: Tue Nov 13, 2012 4:28 pm

Re: Openvpn

Tue Nov 13, 2012 4:36 pm

Did you have any luck with this? I have a very similar problem.
 
spidergen
just joined
Posts: 2
Joined: Thu Jan 03, 2013 2:04 pm

Re: Openvpn

Thu Jan 03, 2013 2:21 pm

I also have the same problem. There's an older thread with this problem, but it seems dead: http://forum.mikrotik.com/viewtopic.php?f=3&t=36318
