mkmt
Topic Author
Joined: Fri Nov 04, 2022 6:13 pm

OpenVPN Site to Site without NAT

Fri Nov 04, 2022 6:27 pm

Hi,
I have a problem with my configuration. I am trying to connect two MikroTiks (v7) via OpenVPN, but I can't make a connection from LAN-side PCs without NAT on the router.
So here is some information:

MT1:
VPN 10.0.0.1
LAN: 192.168.111.0/24

MT2(client):
VPN 10.0.0.113
LAN: 10.113.1.0/24

And if I add routing config on both sides:
[admin@MT1] > /ip route print
Flags: D - DYNAMIC; A - ACTIVE; c, s, d, y - COPY; + - ECMP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#      DST-ADDRESS       GATEWAY               DISTANCE
  DAd  0.0.0.0/0         10.67.0.1                    1
  DAc  10.0.0.113/32     <ovpn-xxx>         0
  DAc  10.67.0.0/16      ether1-WAN                   0
0  As+ 10.113.1.0/24     <ovpn-xxx>         1
1  As+ 10.113.1.0/24     10.0.0.113                   1
  DAc  192.168.111.0/24  INTERNAL                     0
[admin@MT2] > /ip/route/print
Flags: D - DYNAMIC; X, I, A - ACTIVE; c, s, y - COPY
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#     DST-ADDRESS       GATEWAY   DISTANCE
1  As 0.0.0.0/0         ether1           1
  DAc 10.0.0.0/24       MT1           0
  DAc 10.113.1.0/24     bridge           0
  DAc 192.168.32.0/24   ether1           0
5  As 192.168.111.0/24  MT1           1

Without NAT and with ALL firewall filter rules disabled I can't ping anything from inside LAN 1 or 2. I can ping hosts in the LANs, but only from the routers (even with firewall rules enabled).

Of course, when I add NAT:
[admin@MT2] > /ip/firewall/nat/print
Flags: X - disabled, I - invalid; D - dynamic 
 0    chain=srcnat action=accept src-address=10.113.1.0/24 dst-address=192.168.111.0/24 log=no log-prefix="" 
everything works.

I was digging for some time and saw via torch on the VPN interface that traffic is arriving at the second router (when ping is not working), but only in one direction, without a response.

I am just curious: is it possible to run this setup without NAT?
I will switch to IPsec anyway because of speed, but to satisfy my curiosity I want to know how to do that with OpenVPN.

PS: when I try to ping from the router via the local address I get "packet rejected":
[admin@MT1] > /ping 10.113.1.100 src-address=192.168.111.1
  SEQ HOST                                     SIZE TTL TIME       STATUS                                         
    0                                                              packet rejected                                
    1                                                              packet rejected   
PS2: I had some strange behavior with an IPsec tunnel. I connected these two routers with IPsec and it worked fine for 10 minutes; after that ping stopped working. I checked, and the policies had PH2 status established, but ping didn't work. On MT1, /ping 10.113.1.100 src-address=192.168.111.1 resulted in "packet rejected"... After rebooting both routers everything works, of course, except OpenVPN.

RouterOS v7.6 on both.
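Added example, not part of the original post and not MikroTik's reference configuration: a complete RouterOS v7 site-to-site OpenVPN layout for the two routers above in which inter-site traffic is routed, not translated. It reuses the addresses from the post; the interface names ovpn-mt2, INTERNAL (as in the MT1 route print), bridge and ether1-WAN, the PPP user mt2, the profile name ovpn-profile, the server certificate mt1-server, the password CHANGEME and MT1's public address 203.0.113.1 are assumptions. Two details worth checking against the posted output: an srcnat rule with action=accept, like the one posted on MT2, translates nothing in RouterOS; it only stops later srcnat rules (typically a masquerade for internet access) from matching that traffic, so a site-to-site setup needs such an exemption on each side that masquerades. And the MT1 print shows two equal-distance routes for 10.113.1.0/24 (flagged + for ECMP); the example binds the server-side tunnel to a static interface and uses one route per remote LAN, so the route and the forward filter rules reference a stable interface name instead of the dynamic <ovpn-xxx>.

```routeros
# ---- MT1 (OpenVPN server, LAN 192.168.111.0/24, tunnel 10.0.0.1) ----
# Assumed names: ovpn-profile, mt2, mt1-server, ovpn-mt2, INTERNAL, ether1-WAN
/ppp profile add name=ovpn-profile local-address=10.0.0.1 use-encryption=yes
# fixed tunnel address for the MT2 peer, so the static route below stays valid
/ppp secret add name=mt2 password=CHANGEME service=ovpn profile=ovpn-profile \
    remote-address=10.0.0.113
/interface ovpn-server server set enabled=yes port=1194 mode=ip netmask=24 \
    default-profile=ovpn-profile certificate=mt1-server
# static binding: the tunnel for user mt2 always appears as interface ovpn-mt2
/interface ovpn-server add name=ovpn-mt2 user=mt2
# one route to the remote LAN, via the tunnel interface (no ECMP duplicate)
/ip route add dst-address=10.113.1.0/24 gateway=ovpn-mt2 comment="LAN of MT2"
# forward chain: allow transit between the two LANs in both directions,
# placed at the top so a later "drop everything else" rule cannot catch it
/ip firewall filter add chain=forward action=accept place-before=0 \
    in-interface=ovpn-mt2 out-interface=INTERNAL \
    src-address=10.113.1.0/24 dst-address=192.168.111.0/24 comment="s2s in"
/ip firewall filter add chain=forward action=accept place-before=0 \
    in-interface=INTERNAL out-interface=ovpn-mt2 \
    src-address=192.168.111.0/24 dst-address=10.113.1.0/24 comment="s2s out"
# srcnat: exempt inter-site traffic from the internet masquerade (no translation)
/ip firewall nat add chain=srcnat action=accept place-before=0 \
    src-address=192.168.111.0/24 dst-address=10.113.1.0/24 comment="no NAT to MT2"
/ip firewall nat add chain=srcnat action=masquerade out-interface=ether1-WAN

# ---- MT2 (OpenVPN client, LAN 10.113.1.0/24, tunnel 10.0.0.113) ----
# Assumed names: MT1 (client interface), bridge, ether1; 203.0.113.1 = MT1 WAN IP
/interface ovpn-client add name=MT1 connect-to=203.0.113.1 port=1194 mode=ip \
    user=mt2 password=CHANGEME add-default-route=no
/ip route add dst-address=192.168.111.0/24 gateway=MT1 comment="LAN of MT1"
/ip firewall filter add chain=forward action=accept place-before=0 \
    in-interface=MT1 out-interface=bridge \
    src-address=192.168.111.0/24 dst-address=10.113.1.0/24 comment="s2s in"
/ip firewall filter add chain=forward action=accept place-before=0 \
    in-interface=bridge out-interface=MT1 \
    src-address=10.113.1.0/24 dst-address=192.168.111.0/24 comment="s2s out"
/ip firewall nat add chain=srcnat action=accept place-before=0 \
    src-address=10.113.1.0/24 dst-address=192.168.111.0/24 comment="no NAT to MT1"
/ip firewall nat add chain=srcnat action=masquerade out-interface=ether1

# ---- verification, run on MT1 after the tunnel is up ----
# LAN-sourced ping across the tunnel (the case that returned "packet rejected")
/ping 10.113.1.100 src-address=192.168.111.1 count=3
# the connection must show the untranslated LAN source, i.e. no reply-dst rewrite
/ip firewall connection print where dst-address~"^10.113.1."
# watch both directions on the tunnel; only one direction means the far side
# routes or filters the reply elsewhere
/tool torch interface=ovpn-mt2 ip-protocol=icmp src-address=0.0.0.0/0 dst-address=0.0.0.0/0
```

If the forward rules are placed after an existing rule that drops or fasttracks traffic, move them above it (check `/ip firewall filter print` order); the place-before=0 used here assumes the chain's first rule is the right spot.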
