robertbisom
just joined
Topic Author
Posts: 5
Joined: Wed Mar 29, 2017 4:08 am

OpenVPN into VLAN

Tue Dec 03, 2019 5:19 pm

Hello,
I have a new setup with VLANs (all VLANs in one bridge) and need an L2 VPN (OpenVPN tap) into one of these VLANs.
In the old VLAN setup I had a few bridges and set the ppp profile with the bridge with the VLAN. But in the new setup I have only one bridge and cannot find a way to tag incoming VPN traffic.
Thank you
rob
 
sindy
Forum Guru
Posts: 4193
Joined: Mon Dec 04, 2017 9:19 pm

Re: OpenVPN into VLAN

Tue Dec 03, 2019 5:33 pm

I'm not sure whether you can make the OpenVPN L2 interface a member port of the common bridge and set pvid on that port to the VLAN in question (and place the port on the untagged list in the row under /interface bridge vlan). But if it doesn't work, you can still combine the two approaches - a common bridge for all VLANs, the tagged end of an /interface vlan on it (/interface vlan add name=for-Ovpn vlan-id=x interface=common-bridge), and the tagless end of that /interface vlan will have to be made a member port of the same other bridge (e.g. ovpn-bridge) to which the OpenVPN L2 interface will be enslaved. If you need a local IP configuration (static address or dhcp) in the OpenVPN VLAN, it has to be attached to that ovpn-bridge.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
robertbisom
just joined
Topic Author
Posts: 5
Joined: Wed Mar 29, 2017 4:08 am

Re: OpenVPN into VLAN

Tue Dec 03, 2019 8:24 pm

Thank you,
Setting the ovpn iface as a member port is not comfortable - the iface is only shown if a client is connected. If not, the iface does not exist.

I have 2 managed switches on ether2 and ether3 - both with a VLAN trunk. My devices are on these switches in specific VLAN(s).
I need access via OpenVPN layer 2 to these devices.
My conf (other VLANs deleted):

/interface bridge
add ingress-filtering=yes name=bridge1 vlan-filtering=yes
add name=bridge_LAN pvid=10 vlan-filtering=yes

/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether2_switch1
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether3_switch2

add bridge=bridge_LAN disabled=yes interface=vlan10_LAN pvid=10

/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether2_switch1,ether3_switch2 vlan-ids=10

/ppp profile
add bridge=bridge_LAN local-address=10.2.99.5 name=ovpn_LAN_profile remote-address=LAN_pool use-encryption=required

/ppp secret
add name=robert.bisom-LAN password=hidden profile=ovpn_LAN_profile service=ovpn

bridge1 is the main bridge with VLANs, bridge_LAN is my test bridge for ovpn as a member.
I need to connect via the secret robert.bisom-LAN with profile ovpn_LAN_profile to vlan10. That can add me as a member of bridge_LAN - and what next? I have set bridge_LAN with vlan-filtering and pvid=10, but after connecting it still has pvid=1

[robert.bisom@Router1] /interface bridge port> print
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload
# INTERFACE BRIDGE HW PVID PRIORITY PATH-COST INTERNAL-PATH-COST HORIZON
0 ether2_switch1 bridge1 yes 1 0x80 10 10 none
1 ether3_switch2 bridge1 yes 1 0x80 10 10 none
.....
12 D <ovpn-robert.bisom-LAN> bridge_LAN 1 0x80 10 10 none


Rob
 
sindy
Forum Guru
Posts: 4193
Joined: Mon Dec 04, 2017 9:19 pm

Re: OpenVPN into VLAN

Wed Dec 04, 2019 10:58 am

So you have to stay with the second configuration - instead of making the L2 interface a member port of the common bridge with pvid=x, refer to the bridge_OVPN like you did before, and link the two bridges using /interface vlan as I've suggested above. I didn't read carefully enough to notice that as you mention the ppp profile, you likely deal with the server side.

/interface bridge add name=bridge_OVPN

/interface vlan add name=bridge_LAN.10 vlan-id=10 interface=bridge_LAN

/interface bridge port add bridge=bridge_OVPN interface=bridge_LAN.10

/ppp profile set ovpn_LAN_profile bridge=bridge_OVPN
 
robertbisom
just joined
Topic Author
Posts: 5
Joined: Wed Mar 29, 2017 4:08 am

Re: OpenVPN into VLAN

Wed Dec 04, 2019 3:08 pm

OK, it works - the OpenVPN client can access the LAN.
But the problem is now on my local network. I lost internet. This is because the packet doesn't end on the vlan iface but continues to the bridge. Look at the correct configuration (my laptop is via a switch on the ether2_switch1 port, and pppoe-TMO is the PPPoE iface to the VDSL line to the internet, so pppoe-TMO is the WAN (internet) iface):

4 1.596 ether2_switch1 10.2.98.30:58546 10.2.98.1:53 (dns) udp 74 1 no
5 1.596 bridge1 10.2.98.30:58546 10.2.98.1:53 (dns) udp 74 1 no
6 1.596 vlan1_MGMT 10.2.98.30:58546 10.2.98.1:53 (dns) udp 70 1 no
7 1.596 pppoe-TMO 109.183.190.84:53771 8.8.8.8:53 (dns) udp 56 1 no
8 1.621 pppoe-TMO 8.8.8.8:53 (dns) 109.183.190.84:53771 udp 72 1 no
9 1.621 vlan1_MGMT 10.2.98.1:53 (dns) 10.2.98.30:58546 udp 86 1 no
10 1.621 bridge1 10.2.98.1:53 (dns) 10.2.98.30:58546 udp 90 1 no
11 1.621 ether2_switch1 10.2.98.1:53 (dns) 10.2.98.30:58546 udp 90 1 no

When the vlan iface is added as a member of the OpenVPN bridge:
0 2.276 ether2_switch1 10.2.98.30:60862 10.2.98.1:53 (dns) udp 74 1 no
1 2.276 bridge1 10.2.98.30:60862 10.2.98.1:53 (dns) udp 74 1 no
2 2.276 vlan1_MGMT 10.2.98.30:60862 10.2.98.1:53 (dns) udp 70 1 no
3 2.276 bridge_MGMT 10.2.98.30:60862 10.2.98.1:53 (dns) udp 70 1 no <---- packets aren't going to WAN, but to bridge_MGMT :( I think it is because bridge_MGMT is the master iface of vlan1_MGMT

My conf:
bridge1 is the main bridge with all VLANs and with vlan-filtering (the new VLAN mode from, I think, v6.42), bridge_MGMT is the second bridge for ovpn with vlan1_MGMT as a member

[robert.bisom@Router1] /interface> export
# dec/04/2019 13:47:12 by RouterOS 6.45.7
# model = RouterBOARD 3011UiAS

/interface bridge
add ingress-filtering=yes name=bridge1 vlan-filtering=yes
add name=bridge_MGMT

/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN
set [ find default-name=ether2 ] name=ether2_switch1
set [ find default-name=ether3 ] name=ether3_switch2

/interface vlan
add interface=bridge1 name=vlan1_MGMT vlan-id=1

/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether2_switch1
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether3_switch2
add bridge=bridge_MGMT interface=vlan1_MGMT

/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether2_switch1,ether3_switch2 vlan-ids=1

Thank you
 
sindy
Forum Guru
Posts: 4193
Joined: Mon Dec 04, 2017 9:19 pm

Re: OpenVPN into VLAN

Wed Dec 04, 2019 4:46 pm

Slow down, there are too many VLAN IDs hanging in the air now. Your previously published configuration doesn't match the current one.

First of all - the configuration row under /interface bridge actually holds parameters of two distinct objects - the "bridge" as in "virtual switch" and the "bridge" as a local virtual interface which is a member port of that virtual switch (all the L3 configuration is attached to this interface, and also the tagged ends of /interface vlan are attached to this virtual interface, not to the virtual switch). The pvid parameter is the ID of the native VLAN on its respective port, and the default value is 1. So when you have pvid=1 on the /interface bridge itself, you cannot attach an /interface vlan with vlan-id=1 to it - or, better to say, you can but it won't work properly. So the L3 (IP) configuration for the pvid of the bridge must be attached directly to the bridge itself.

Once this is clear, we may get back to the L2 OpenVPN.
 
robertbisom
just joined
Topic Author
Posts: 5
Joined: Wed Mar 29, 2017 4:08 am

Re: OpenVPN into VLAN

Wed Dec 04, 2019 6:54 pm

OK sindy,
thank you for your replies - but I don't understand. A description of the things we want to do:
We have one rb3011 in our office. On it we have a lot of IPsec tunnels to our customers. We have some switches with VLANs and the VLANs set on the rb3011. If I connect to an untagged port with the VLAN of one of our customers, everything is well - we are in that customer's network.

But we need to connect to the customer network from everywhere - I want to connect via OpenVPN from my laptop anywhere to that customer network.
I hope you understand me.

But I don't know how I can do this. I thought that I would connect via OpenVPN (via a ppp profile) to a specific VLAN. But I don't know how.

After my unsuccessful attempts I discovered the OpenVPN Server Binding interface. Now I have the interface added to /bridge vlan and bridge port with a specific tag on bridge1 (the only bridge I have) and it works on my office network - I can reach my office printer etc. in the current VLAN. But I cannot route to the IPsec tunnel.

I don't know if it's possible with MikroTik.

Thank you for tips on how I can do this.
 
sindy
Forum Guru
Posts: 4193
Joined: Mon Dec 04, 2017 9:19 pm

Re: OpenVPN into VLAN

Wed Dec 04, 2019 11:55 pm

robertbisom wrote:
A description of the things we want to do:
We have one rb3011 in our office. On it we have a lot of IPsec tunnels to our customers. We have some switches with VLANs and the VLANs set on the rb3011. If I connect to an untagged port with the VLAN of one of our customers, everything is well - we are in that customer's network.

But we need to connect to the customer network from everywhere - I want to connect via OpenVPN from my laptop anywhere to that customer network.
I hope you understand me.

...

I discovered the OpenVPN Server Binding interface. Now I have the interface added to /bridge vlan and bridge port with a specific tag on bridge1 (the only bridge I have) and it works on my office network - I can reach my office printer etc. in the current VLAN. But I cannot route to the IPsec tunnel.

I don't know if it's possible with MikroTik.
It did not even come to my mind that interface binding might work for OpenVPN L2 interfaces as not long ago out of all PPP flavors, only L2TP supported interface binding, the rest had to make do with the address-list and bridge properties of /ppp profile. So I've just tried that, at server side:
/interface ovpn-server
add name=ovpn-hugo user=hugo

/interface bridge vlan
...
add bridge=bridge tagged=bridge,ether5 untagged=ether4,ovpn-hugo vlan-ids=6

/interface bridge port
...
add bridge=bridge interface=ovpn-hugo pvid=6

/interface vlan
...
add interface=bridge name=bridge.ovpn.6 vlan-id=6


/ip address
...
add address=192.168.59.1/24 interface=bridge.ovpn.6 network=192.168.59.0

At client side:
/interface ovpn-client
add certificate=fv1 connect-to=192.168.5.1 mac-address=FE:E4:7C:DA:FD:DB mode=ethernet name=ovpn-out1 user=hugo

/ip address
...
add address=192.168.59.2/24 interface=ovpn-out1 network=192.168.59.0
And it works normally. So now the question is what is missing in your case that it doesn't work with the IPsec tunnels to customers.

As you gave no details, I suppose that in each VLAN representing a remote customer, you have a distinct local subnet which is used as src-address of /ip ipsec policy items whose dst-address match the various customers' internal addresses. So if your OpenVPN client gets an IP address from the subnet which "lives" in the VLAN, the IPsec should handle it properly, so there must be something else missing.

Can you export the complete configuration of the 3011, obfuscating only passwords and other secrets, customer names, and public IP addresses? Because all the other things must match each other (policies vs. local IP addresses and address pools), so any change in the exported data may hide some relationship.
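To make the two rules sindy states in this thread concrete (the IP configuration for a bridge's pvid belongs on the bridge itself rather than on an /interface vlan with the same ID, and an ovpn-server interface bound as a bridge port needs a pvid that agrees with its untagged entry in /interface bridge vlan), here is an added example that is not part of this thread and not RouterOS code: a small Python linter that parses a RouterOS /export and flags those mistakes. The two sample exports are constructed from the configurations posted above; the /interface bridge row and the ether4/ether5 port rows in the second sample are assumptions, since that post elided them with "...".

```python
"""Lint a RouterOS export for the bridge/VLAN pitfalls discussed in this thread.

Added example (not RouterOS code). Checks:
  1. an /interface vlan attached to a bridge whose vlan-id equals the bridge pvid
  2. a vlan-filtering bridge missing from the tagged list of that VLAN
  3. ports listed as untagged in a VLAN whose pvid does not classify ingress into it
  4. VLAN table entries naming interfaces that are not static bridge ports
"""
import re

TOKEN_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def parse_export(text):
    """Return {section: [row, ...]} for every 'add' row; rows are key->value dicts.
    'set' rows, comments and the '...' elisions seen in forum posts are ignored."""
    sections, current, buf = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
            continue
        if line.endswith("\\"):          # RouterOS wraps long rows with a backslash
            buf += line[:-1] + " "
            continue
        line, buf = buf + line, ""
        if current is not None and line.startswith("add "):
            sections[current].append(
                {k: v.strip('"') for k, v in TOKEN_RE.findall(line[4:])})
    return sections


def vlan_ids(spec):
    """Expand a RouterOS vlan-ids value such as '1,10-12' into a set of ints."""
    ids = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def lint(text):
    """Return a list of human-readable findings for the export text."""
    s = parse_export(text)
    bridges = {r.get("name"): r for r in s.get("/interface bridge", [])}
    ports = {(r.get("bridge"), r.get("interface")): r
             for r in s.get("/interface bridge port", [])}
    vlan_rows = s.get("/interface bridge vlan", [])
    findings = []

    # Checks 1 and 2: the tagged end of /interface vlan sits on the bridge interface,
    # so it collides with the bridge pvid and needs the bridge in the tagged list.
    for v in s.get("/interface vlan", []):
        parent, vid = v.get("interface"), int(v["vlan-id"])
        if parent not in bridges:
            continue                      # vlan on an ethernet port: out of scope
        br = bridges[parent]
        if vid == int(br.get("pvid", "1")):
            findings.append(f"{v['name']}: vlan-id {vid} equals the pvid of bridge {parent}; "
                            f"attach the IP configuration to {parent} itself instead")
        if br.get("vlan-filtering") == "yes" and not any(
                vid in vlan_ids(row.get("vlan-ids", ""))
                and parent in row.get("tagged", "").split(",")
                for row in vlan_rows if row.get("bridge") == parent):
            findings.append(f"{v['name']}: bridge {parent} is not a tagged member of VLAN {vid} "
                            f"in /interface bridge vlan, so the tagged end cannot pass traffic")

    # Checks 3 and 4: 'untagged' only governs egress; ingress classification is the port pvid.
    for row in vlan_rows:
        br, ids = row.get("bridge"), vlan_ids(row.get("vlan-ids", ""))
        for key in ("tagged", "untagged"):
            for name in filter(None, row.get(key, "").split(",")):
                if name == br:
                    continue              # the bridge's own virtual port
                port = ports.get((br, name))
                if port is None:
                    findings.append(f"VLAN {row.get('vlan-ids')}: {name} is listed as {key} on {br} "
                                    f"but is not a static bridge port (dynamic PPP interface?)")
                elif key == "untagged" and int(port.get("pvid", "1")) not in ids:
                    findings.append(f"VLAN {row.get('vlan-ids')}: {name} is untagged on egress but its "
                                    f"pvid={port.get('pvid', '1')} puts ingress frames elsewhere")
    return findings


# Constructed from the export robertbisom posted above (vlan1_MGMT on bridge1 with pvid 1).
ROBERT_EXPORT = """\
/interface bridge
add ingress-filtering=yes name=bridge1 vlan-filtering=yes
add name=bridge_MGMT
/interface vlan
add interface=bridge1 name=vlan1_MGMT vlan-id=1
/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether2_switch1
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether3_switch2
add bridge=bridge_MGMT interface=vlan1_MGMT
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether2_switch1,ether3_switch2 vlan-ids=1
"""

# Constructed from sindy's interface-binding example; the bridge row and the
# ether4/ether5 port rows are assumptions (that post elided them with '...').
SINDY_EXPORT = """\
/interface bridge
add name=bridge vlan-filtering=yes
/interface ovpn-server
add name=ovpn-hugo user=hugo
/interface bridge vlan
add bridge=bridge tagged=bridge,ether5 untagged=ether4,ovpn-hugo vlan-ids=6
/interface bridge port
add bridge=bridge interface=ether4 pvid=6
add bridge=bridge interface=ether5
add bridge=bridge interface=ovpn-hugo pvid=6
/interface vlan
add interface=bridge name=bridge.ovpn.6 vlan-id=6
/ip address
add address=192.168.59.1/24 interface=bridge.ovpn.6 network=192.168.59.0
"""

if __name__ == "__main__":
    for label, export in (("robertbisom", ROBERT_EXPORT), ("sindy", SINDY_EXPORT)):
        print(f"== {label}")
        for f in lint(export) or ["no findings"]:
            print("  " + f)
```

Run it against a real /export hide-sensitive to check your own bridge before attaching an L2 VPN to it; the first sample reproduces the vlan-id=1-on-pvid-1 mistake from the thread, the second passes cleanly, and removing pvid=6 from the ovpn-hugo port row trips the ingress/egress mismatch check.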
