zhazell

VLANS unable to route through OpenVPN

Thu Oct 06, 2022 7:48 pm

I have a hAP ac on which I have configured VLANs at the switch level, as the documentation recommends this approach to get L3 HW routing. Routing between VLANs works at line speed and I can route out to the internet without problems. The issue is that I have an OpenVPN client connection on the router, but I'm unable to route traffic out through this connection when the VLANs are connected. The routing table looks okay. What am I missing?

Addresses:
Screen Shot 2022-10-06 at 9.34.16 AM.png
Routing Table:
Screen Shot 2022-10-06 at 9.35.23 AM.png
Export:
# sep/15/2022 14:27:11 by RouterOS 7.5
# software id = KZC9-0J2H
#
# model = RB962UiGS-5HacT2HnT
# One bridge with a pinned admin MAC; every VLAN interface further down is
# created on top of this bridge.
/interface bridge
add admin-mac=DC:2C:6E:31:E6:97 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
# Both radios are configured as access points with default-style SSIDs.
# NOTE(review): no security-profile is referenced on wlan1/wlan2 and no
# disabled=no appears here; confirm whether the radios are enabled and, if
# they are, which security profile protects them.
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
    MikroTik-31E69D wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor \
    mode=ap-bridge ssid=MikroTik-31E69C wireless-protocol=802.11
# Seven routed VLAN interfaces (IDs 5, 20, 25, 30, 35, 50, 55), all bound to
# the bridge. These are the L3 gateways for the subnets defined under
# /ip address.
/interface vlan
add interface=bridge name=05.MGMT_VLAN vlan-id=5
add interface=bridge name=20.NAC_QUAR_VLAN vlan-id=20
add interface=bridge name=25.NAC_REG_VLAN vlan-id=25
add interface=bridge name=30.GUEST_VLAN vlan-id=30
add interface=bridge name=35.VENDOR_VLAN vlan-id=35
add interface=bridge name=50.VISION_VLAN vlan-id=50
add interface=bridge name=55.COMPUTE_VLAN vlan-id=55
# Switch-chip VLAN enforcement: items 1-5 are set to vlan-mode=secure.
# NOTE(review): which physical ports items 1-5 map to is not visible in this
# export - confirm. No default-vlan-id or vlan-header settings appear, so how
# untagged ingress frames are classified cannot be determined from here.
/interface ethernet switch port
set 1 vlan-mode=secure
set 2 vlan-mode=secure
set 3 vlan-mode=secure
set 4 vlan-mode=secure
set 5 vlan-mode=secure
# Interface lists referenced later by the firewall, NAT, neighbor discovery
# and MAC server settings.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# Only supplicant-identity is shown for the default wireless security
# profile; no authentication settings for it appear in this export.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=ZND100
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
# One DHCP address pool per VLAN. Each range sits inside the subnet assigned
# to the matching VLAN interface under /ip address.
/ip pool
add name=VLAN55 ranges=10.26.16.98-10.26.16.126
add name=VLAN05 ranges=10.26.16.5-10.26.16.14
add name=VLAN20 ranges=10.26.16.18-10.26.16.30
add name=VLAN25 ranges=10.26.16.34-10.26.16.46
add name=VLAN30 ranges=10.26.16.50-10.26.16.62
add name=VLAN35 ranges=10.26.16.66-10.26.16.94
add name=VLAN50 ranges=10.26.16.130-10.26.16.254
# One DHCP server per VLAN interface, each handing out its own pool.
# NOTE(review): no disabled=no appears on these entries; confirm the servers
# are actually enabled.
/ip dhcp-server
add address-pool=VLAN55 interface=55.COMPUTE_VLAN name=VLAN55
add address-pool=VLAN05 interface=05.MGMT_VLAN name=VLAN05
add address-pool=VLAN20 interface=20.NAC_QUAR_VLAN name=VLAN20
add address-pool=VLAN25 interface=25.NAC_REG_VLAN name=VLAN25
add address-pool=VLAN30 interface=30.GUEST_VLAN name=VLAN30
add address-pool=VLAN35 interface=35.VENDOR_VLAN name=VLAN35
add address-pool=VLAN50 interface=50.VISION_VLAN name=VLAN50
# OpenVPN client tunnel, authenticated with a certificate plus user name.
# Points that matter for routing VLAN traffic through it, all visible in this
# export:
#  - the tunnel interface is not a member of any interface list;
#  - the only srcnat rule matches out-interface-list=WAN, so traffic leaving
#    through the tunnel keeps its 10.26.16.x source address and the remote
#    side needs return routes for those subnets;
#  - this export has no /ip route section, so any route via the tunnel would
#    have to be dynamic - verify against the live routing table.
# NOTE(review): verify-server-certificate does not appear here; if it is left
# at its default the server certificate is presumably not validated - confirm
# and enable it for a site-to-site link. No auth= value is shown either, so
# the HMAC algorithm is whatever the default is - confirm it matches policy.
/interface ovpn-client
add certificate=Network+Lab.p12_0 cipher=aes256 connect-to=99.99.99.99 \
    mac-address=FE:F1:0E:52:B4:52 name="Site-2-Site Tunnel(s)" \
    port=1111 profile=default-encryption use-peer-dns=no user=zippin
/user group
# ether2-ether5, sfp1 and both radios are bridge ports; ether1 (WAN) is not.
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
# Neighbor discovery is limited to the LAN list. That list contains every
# VLAN interface (see /interface list member), including the guest, vendor
# and quarantine VLANs.
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
# Switch-chip VLAN table: every VLAN ID has the same membership, ether2-ether5
# plus switch1-cpu, so each of those ports may carry all seven VLANs and the
# CPU port receives them for routing. No per-port restriction of VLANs is
# expressed here.
/interface ethernet switch vlan
add independent-learning=no ports=ether2,ether3,ether4,ether5,switch1-cpu \
    switch=switch1 vlan-id=5
add independent-learning=no ports=ether2,ether3,ether4,ether5,switch1-cpu \
    switch=switch1 vlan-id=20
add independent-learning=no ports=ether2,ether3,ether4,ether5,switch1-cpu \
    switch=switch1 vlan-id=25
add independent-learning=no ports=ether2,ether3,ether4,ether5,switch1-cpu \
    switch=switch1 vlan-id=30
add independent-learning=no ports=ether2,ether3,ether4,ether5,switch1-cpu \
    switch=switch1 vlan-id=35
add independent-learning=no ports=ether2,ether3,ether4,ether5,switch1-cpu \
    switch=switch1 vlan-id=50
add independent-learning=no ports=ether2,ether3,ether4,ether5,switch1-cpu \
    switch=switch1 vlan-id=55
# All seven VLAN interfaces and the bridge are in LAN; only ether1 is in WAN.
# The OpenVPN client interface is in neither list, so rules written against
# these lists do not match traffic entering or leaving the tunnel.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=05.MGMT_VLAN list=LAN
add interface=55.COMPUTE_VLAN list=LAN
add interface=20.NAC_QUAR_VLAN list=LAN
add interface=25.NAC_REG_VLAN list=LAN
add interface=30.GUEST_VLAN list=LAN
add interface=35.VENDOR_VLAN list=LAN
add interface=50.VISION_VLAN list=LAN
# Gateway address for each VLAN; the router takes the first usable host
# address of every subnet. Together the subnets cover 10.26.16.0-10.26.16.255.
/ip address
add address=10.26.16.1/28 interface=05.MGMT_VLAN network=10.26.16.0
add address=10.26.16.97/27 interface=55.COMPUTE_VLAN network=10.26.16.96
add address=10.26.16.17/28 interface=20.NAC_QUAR_VLAN network=10.26.16.16
add address=10.26.16.33/28 interface=25.NAC_REG_VLAN network=10.26.16.32
add address=10.26.16.49/28 interface=30.GUEST_VLAN network=10.26.16.48
add address=10.26.16.65/27 interface=35.VENDOR_VLAN network=10.26.16.64
add address=10.26.16.129/25 interface=50.VISION_VLAN network=10.26.16.128
# The WAN address comes from DHCP on ether1.
/ip dhcp-client
add comment=defconf interface=ether1
# DHCP options per subnet: clients in every VLAN are told to use the router's
# own VLAN address as gateway, DNS server and NTP server. The DNS option
# relies on allow-remote-requests=yes under /ip dns.
# NOTE(review): no NTP server configuration appears in this export; confirm
# the router actually answers NTP on these addresses.
/ip dhcp-server network
add address=10.26.16.0/28 comment=VLAN05 dns-server=10.26.16.1 gateway=\
    10.26.16.1 netmask=28 ntp-server=10.26.16.1
add address=10.26.16.16/28 comment=VLAN20 dns-server=10.26.16.17 gateway=\
    10.26.16.17 netmask=28 ntp-server=10.26.16.17
add address=10.26.16.32/28 comment=VLAN25 dns-server=10.26.16.33 gateway=\
    10.26.16.33 netmask=28 ntp-server=10.26.16.33
add address=10.26.16.48/28 comment=VLAN30 dns-server=10.26.16.49 gateway=\
    10.26.16.49 netmask=28 ntp-server=10.26.16.49
add address=10.26.16.64/27 comment=VLAN35 dns-server=10.26.16.65 gateway=\
    10.26.16.65 netmask=27 ntp-server=10.26.16.65
add address=10.26.16.96/27 comment=VLAN55 dns-server=10.26.16.97 gateway=\
    10.26.16.97 netmask=27 ntp-server=10.26.16.97
add address=10.26.16.128/25 comment=VLAN50 dns-server=10.26.16.129 gateway=\
    10.26.16.129 netmask=25 ntp-server=10.26.16.129
# The router acts as a DNS resolver for clients and forwards to 8.8.8.8 and
# 8.8.4.4.
# NOTE(review): allow-remote-requests=yes makes the resolver answer on every
# interface, and the input chain below has no drop rule, so nothing in this
# export stops DNS queries arriving on the WAN side. Restrict input from the
# WAN list (or limit DNS to the LAN list) so the router is not an open
# resolver.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
# Filter rules as exported:
#  - forward: drop new connections arriving from WAN unless dst-NATed, then
#    fasttrack established/related traffic. Nothing else is filtered, so the
#    default accept applies between VLANs: the guest, vendor and quarantine
#    VLANs can reach the management VLAN at L3. Segmentation is not enforced
#    by this firewall.
#  - input: only two accept rules (established, related) and no final drop,
#    so new connections to the router itself are accepted from any interface,
#    WAN included. NOTE(review): add explicit input rules that accept
#    management traffic from the intended VLAN only and drop the rest;
#    /ip service restrictions are not visible in this export - confirm.
# NOTE(review): fasttracked connections skip later firewall processing; if
# policy routing through the tunnel is added with mangle rules, confirm the
# fasttrack rule does not take that traffic first.
/ip firewall filter
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=input comment="Accept to established connections" \
    connection-state=established
add action=accept chain=input comment="Accept to related connections" \
    connection-state=related
# Source NAT applies only to traffic leaving through the WAN list (ether1).
# Traffic routed into the OpenVPN tunnel is not masqueraded: it leaves with
# its 10.26.16.x source, so the far end must have routes back to these
# subnets, or a srcnat rule for the tunnel interface is needed.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name=LABRTR100
# MAC Telnet and MAC WinBox are limited to the LAN list. That list contains
# every VLAN interface, so these layer-2 management services are offered on
# the guest, vendor and quarantine VLANs as well as on management.
# NOTE(review): consider a dedicated interface list holding only
# 05.MGMT_VLAN for management access.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
You do not have the required permissions to view the files attached to this post.
