I have a problem with my configuration. I am trying to connect two MikroTiks (v7) via OpenVPN, but I can't make a connection from LAN-side PCs without NAT on the router.
So here is some information:
MT1:
VPN 10.0.0.1
LAN: 192.168.111.0/24
MT2 (client):
VPN 10.0.0.113
LAN: 10.113.1.0/24
And if I add routing config on both sides:
[admin@MT1] > /ip route print
Flags: D - DYNAMIC; A - ACTIVE; c, s, d, y - COPY; + - ECMP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#     DST-ADDRESS       GATEWAY     DISTANCE
  DAd 0.0.0.0/0         10.67.0.1          1
  DAc 10.0.0.113/32     <ovpn-xxx>         0
  DAc 10.67.0.0/16      ether1-WAN         0
0 As+ 10.113.1.0/24     <ovpn-xxx>         1
1 As+ 10.113.1.0/24     10.0.0.113         1
  DAc 192.168.111.0/24  INTERNAL           0
[admin@MT2] > /ip/route/print
Flags: D - DYNAMIC; X, I, A - ACTIVE; c, s, y - COPY
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#     DST-ADDRESS       GATEWAY  DISTANCE
1 As  0.0.0.0/0         ether1          1
  DAc 10.0.0.0/24       MT1             0
  DAc 10.113.1.0/24     bridge          0
  DAc 192.168.32.0/24   ether1          0
5 As  192.168.111.0/24  MT1             1
Without NAT, and with ALL firewall filter rules disabled, I can't ping anything from inside LAN 1 or 2. I can ping hosts in the LANs, but only from the routers (even with the firewall rules enabled).
Of course, when I add NAT:
[admin@MT2] > /ip/firewall/nat/print
Flags: X - disabled, I - invalid; D - dynamic
0 chain=srcnat action=accept src-address=10.113.1.0/24 dst-address=192.168.111.0/24 log=no log-prefix=""
I was digging for some time and saw (via torch on the VPN interface) that traffic is coming to the second router when the ping is not working, but only in one direction, without a response.
I am just curious: is it possible to run this setup without NAT?
Ultimately I will switch to IPsec anyway because of speed, but to satisfy my curiosity I want to know how to do that with OpenVPN.
PS: when I try to ping from the router via a local address, I get "packet rejected":
[admin@MT1] > /ping 10.113.1.100 src-address=192.168.111.1
  SEQ HOST  SIZE TTL TIME  STATUS
    0                      packet rejected
    1                      packet rejected
RouterOS v7.6 on both.
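The first thing to verify for a site-to-site setup like the one in the post above, before touching NAT or firewall rules, is that both routers hold a non-default, active route for each direction of the LAN-to-LAN path and that both routes actually leave on the tunnel interface. The script below is an added example (not from the original post, and not a MikroTik tool): it parses the two `/ip route print` tables quoted in the post (copied here with the header lines removed, as constructed sample input), does a longest-prefix lookup the way the kernel does, resolves an IP gateway recursively to its egress interface, and reports whether the forward and return paths are symmetric. Anything in the GATEWAY column that is not an IP address is assumed to be an interface name.

```python
"""Symmetric-route check for a LAN-to-LAN path across two routers.

Added example, not part of the original post. Parses RouterOS-style
`/ip route print` rows and answers: does router A have a non-default,
active route to a host behind router B, does router B have one back to
a host behind A, and which interface does each route leave on?
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the two tables from the post, header lines removed.
MT1_ROUTES = """\
DAd 0.0.0.0/0 10.67.0.1 1
DAc 10.0.0.113/32 <ovpn-xxx> 0
DAc 10.67.0.0/16 ether1-WAN 0
0 As+ 10.113.1.0/24 <ovpn-xxx> 1
1 As+ 10.113.1.0/24 10.0.0.113 1
DAc 192.168.111.0/24 INTERNAL 0
"""

MT2_ROUTES = """\
1 As 0.0.0.0/0 ether1 1
DAc 10.0.0.0/24 MT1 0
DAc 10.113.1.0/24 bridge 0
DAc 192.168.32.0/24 ether1 0
5 As 192.168.111.0/24 MT1 1
"""

# optional row number, flags, DST-ADDRESS, GATEWAY, DISTANCE
ROW = re.compile(r"^\s*(?:\d+\s+)?([A-Za-z+]+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


@dataclass(frozen=True)
class Route:
    flags: str
    dst: ipaddress.IPv4Network
    gateway: str
    distance: int

    @property
    def active(self) -> bool:
        return "A" in self.flags  # RouterOS marks usable routes with A


def parse_routes(text: str) -> List[Route]:
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:  # skip anything that is not a route row
            continue
        flags, dst, gw, dist = m.groups()
        routes.append(Route(flags, ipaddress.ip_network(dst, strict=False), gw, int(dist)))
    return routes


def lookup(routes: List[Route], ip: str) -> List[Route]:
    """Longest-prefix match over active routes; equal prefixes are ranked by
    distance, and routes still tied are ECMP candidates (RouterOS flag '+')."""
    addr = ipaddress.ip_address(ip)
    cands = [r for r in routes if r.active and addr in r.dst]
    if not cands:
        return []
    best_len = max(r.dst.prefixlen for r in cands)
    best = [r for r in cands if r.dst.prefixlen == best_len]
    best_dist = min(r.distance for r in best)
    return [r for r in best if r.distance == best_dist]


def egress_interface(routes: List[Route], route: Route, depth: int = 0) -> Optional[str]:
    """Interface a route leaves on. An IP gateway is resolved recursively
    through the same table; a non-IP gateway is assumed to be an interface."""
    try:
        ipaddress.ip_address(route.gateway)
    except ValueError:
        return route.gateway
    if depth > 8:  # guard against recursive routes that never reach an interface
        return None
    for hop in lookup(routes, route.gateway):
        if hop is not route:
            return egress_interface(routes, hop, depth + 1)
    return None


def check_path(a_routes: List[Route], b_routes: List[Route], a_host: str, b_host: str) -> dict:
    """Forward: router A towards b_host. Return: router B towards a_host.
    'symmetric' is True only when both directions hit a non-default route."""
    fwd, ret = lookup(a_routes, b_host), lookup(b_routes, a_host)

    def non_default(rs: List[Route]) -> bool:
        return bool(rs) and all(r.dst.prefixlen > 0 for r in rs)

    return {
        "forward": [(str(r.dst), r.gateway, egress_interface(a_routes, r)) for r in fwd],
        "return": [(str(r.dst), r.gateway, egress_interface(b_routes, r)) for r in ret],
        "symmetric": non_default(fwd) and non_default(ret),
    }


if __name__ == "__main__":
    mt1, mt2 = parse_routes(MT1_ROUTES), parse_routes(MT2_ROUTES)
    for key, value in check_path(mt1, mt2, "192.168.111.1", "10.113.1.100").items():
        print(f"{key}: {value}")
```

For the tables in the post the check comes out symmetric: MT1 has two equal-cost routes for 10.113.1.0/24 that both resolve to the `<ovpn-xxx>` interface, and MT2 routes 192.168.111.0/24 out of its `MT1` tunnel interface. That rules out a plain missing return route; it says nothing about the forward chain of the firewall, the OVPN interface mode, or what the tunnel peer accepts as a source address, which are the next things to inspect.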