alexanderkgr
just joined
Topic Author
Posts: 5
Joined: Mon Nov 01, 2021 6:45 pm

Grandstream - mikrotik - pfsense - pbx server

Tue Nov 02, 2021 8:54 am

Hello everyone,
New member in the MikroTik family and really impressed by the specs and performance. But as we know... every new start has difficulties...
I have something that might be really easy to fix but I am trying hard as a newbie.
gs.png
I have a Grandstream device connected with the MikroTik rb750r2, then the web, a pfSense and the PBX server.
Between Grandstream and MikroTik, apart from the connection, there is also an OpenVPN connection.
Between MikroTik and pfSense there is an OpenVPN connection.
All traffic should be only on OpenVPN connections and without NAT. The PBX server could connect to the Grandstream device with its IP on the OpenVPN network.
This was working when I had pfSense instead of the MikroTik. But with the MikroTik I have some issues.
I have achieved and established every OpenVPN connection.
But...
I cannot send data between MikroTik and pfSense. When I masquerade traffic it is possible. But this is something that I don't want.
Searching the forum and the documentation I came across NAT bypass. Tried it but with no success...
Can anyone help with this issue?
 
spynappels
Member Candidate
Posts: 106
Joined: Mon Oct 25, 2021 12:32 pm
Location: Northern Ireland

Re: Grandstream - mikrotik - pfsense - pbx server

Wed Nov 03, 2021 11:18 pm

Are you saying that there is an OpenVPN tunnel between the Grandstream and the Mikrotik, and a different OpenVPN tunnel between the Mikrotik and the PFsense box?

How many subnets do you have in play altogether, and what mode are you running the OpenVPN instances in?

There is not a lot to go on, but if it works with masquerade (srcnat) then you either have routing or firewalling issues (probably).

Essentially, it sounds like the Grandstream and PBX are on different subnets and you want to route between them, but are having issues with the tunnels, but more detail on what you have set up would be nice.
 
alexanderkgr
just joined
Topic Author
Posts: 5
Joined: Mon Nov 01, 2021 6:45 pm

Re: Grandstream - mikrotik - pfsense - pbx server

Thu Nov 04, 2021 6:31 am

spynappels wrote:
> Are you saying that there is an OpenVPN tunnel between the Grandstream and the Mikrotik, and a different OpenVPN tunnel between the Mikrotik and the PFsense box?
>
> How many subnets do you have in play altogether, and what mode are you running the OpenVPN instances in?
>
> There is not a lot to go on, but if it works with masquerade (srcnat) then you either have routing or firewalling issues (probably).
>
> Essentially, it sounds like the Grandstream and PBX are on different subnets and you want to route between them, but are having issues with the tunnels, but more detail on what you have set up would be nice.

Exactly, there is an OpenVPN tunnel between Grandstream and MikroTik and another one between MikroTik and pfSense.
Around 4 different subnets. When I was using pfSense instead of MikroTik everything was working.
gs2.png
When I masquerade the traffic from MikroTik to the OpenVPN tunnel it is possible to have a connection, but there are problems in SIP because of NAT.
When I disable masquerade I can see on torch that there is no traffic going out from MikroTik through the OpenVPN tunnel (192.168.22.0/29).
I suppose that it is, as you said, an issue with NAT or firewall, but everything is blank. No deny - allow rules nor NAT rules.
I have said I am quite new to MikroTik technology - philosophy.
 
spynappels
Member Candidate
Posts: 106
Joined: Mon Oct 25, 2021 12:32 pm
Location: Northern Ireland

Re: Grandstream - mikrotik - pfsense - pbx server

Fri Nov 05, 2021 1:48 am

Are you running an OpenVPN server and an OpenVPN client on the Mikrotik, or are they PtP tunnels?

If the pfSense box is the default router for the SIP server then you don't need to worry about routes and such on it, as long as the firewall on the SIP server is OK.
As the issue happens when you added the Mikrotik, I suspect there may be a route missing on the Mikrotik, but the best way to check is if you could provide the Mikrotik config.
/export hide-sensitive file=some-file-name
 
alexanderkgr
just joined
Topic Author
Posts: 5
Joined: Mon Nov 01, 2021 6:45 pm

Re: Grandstream - mikrotik - pfsense - pbx server

Sat Nov 06, 2021 8:11 am

spynappels wrote:
> Are you running an OpenVPN server and an OpenVPN client on the Mikrotik, or are they PtP tunnels?
>
> If the pfSense box is the default router for the SIP server then you don't need to worry about routes and such on it, as long as the firewall on the SIP server is OK.
> As the issue happens when you added the Mikrotik, I suspect there may be a route missing on the Mikrotik, but the best way to check is if you could provide the Mikrotik config.
> /export hide-sensitive file=some-file-name

Thanks again for your help.
The IP ranges I have given above were wrong.
New diagram.
gs2.png
Today's update is that with VPN enabled (masquerade disabled) between Grandstream and MikroTik, the PBX is not working.
MikroTik config
exportwittvpnbetweenmikrophone_notworking_editedwithoutips.rsc
With VPN disabled between Grandstream and MikroTik (masquerade disabled), the PBX is working, but it is something wrong for the configuration of the whole network.
MikroTik config
exportwithoutvpnbetweenmikrophone_workingwithoutpublicips.rsc
I have removed from the config files personal info - IPs - ports - etc.
 
spynappels
Member Candidate
Posts: 106
Joined: Mon Oct 25, 2021 12:32 pm
Location: Northern Ireland

Re: Grandstream - mikrotik - pfsense - pbx server

Tue Nov 09, 2021 5:21 pm

Sorry for the delay in replying.

I think that with the VPN between the Grandstream and the Mikrotik enabled but no masquerade, the source IP of the traffic from the Grandstream is not in the routing table of one of the devices downstream, and the return traffic from the PBX is getting lost somewhere, going out a default route.

Do you control all the downstream devices, to check their routing tables?
One other point, from the diagram, it appears that the Grandstream and the Mikrotik are on the same subnet/link on 192.168.90.32/30, so in this case what benefit is the extra OpenVPN hop giving you? The /30 is essentially a point to point link, so running a point to point VPN over the point to point link seems unnecessary, unless I've missed something.
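
The return-path failure described in the post above, as an added example that is not part of the original posts: a longest-prefix-match lookup over a constructed pfSense routing table shows why replies find the tunnel when the MikroTik masquerades and fall to the default route when it does not. Only 192.168.22.0/29 comes from the thread; the other addresses and the interface names are assumptions.

```python
import ipaddress

# Constructed routing table for the pfSense box: (prefix, outgoing interface).
# 192.168.22.0/29 is the MikroTik<->pfSense tunnel named in the thread; the
# PBX LAN (192.168.50.0/24) and all interface names are assumptions.
PFSENSE_ROUTES = [
    ("192.168.22.0/29", "ovpn-mikrotik"),
    ("192.168.50.0/24", "lan"),
    ("0.0.0.0/0", "wan"),
]

# Assumed addresses, constructed for this example.
GRANDSTREAM_SRC = "10.8.0.2"          # Grandstream's address on its own tunnel
MIKROTIK_TUNNEL_IP = "192.168.22.2"   # source address after masquerade


def lookup(routes, addr):
    """Longest-prefix match: interface of the most specific route covering addr."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def reply_returns_via_tunnel(routes, src, tunnel_iface="ovpn-mikrotik"):
    """True if a reply addressed to src leaves through the tunnel it arrived on."""
    return lookup(routes, src) == tunnel_iface


def with_route(routes, prefix, iface):
    """Return a copy of the table with one static route added."""
    return routes + [(prefix, iface)]


if __name__ == "__main__":
    # Without NAT the PBX replies to the Grandstream's own address.
    print("no NAT     ->", lookup(PFSENSE_ROUTES, GRANDSTREAM_SRC))
    # With masquerade the PBX replies to the MikroTik's tunnel address.
    print("masquerade ->", lookup(PFSENSE_ROUTES, MIKROTIK_TUNNEL_IP))
    # A static route for the Grandstream subnet restores the return path.
    fixed = with_route(PFSENSE_ROUTES, "10.8.0.0/30", "ovpn-mikrotik")
    print("with route ->", lookup(fixed, GRANDSTREAM_SRC))
```
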
 
alexanderkgr
just joined
Topic Author
Posts: 5
Joined: Mon Nov 01, 2021 6:45 pm

Re: Grandstream - mikrotik - pfsense - pbx server

Tue Nov 16, 2021 8:31 am

spynappels wrote:
> Sorry for the delay in replying.
>
> I think that with the VPN between the Grandstream and the Mikrotik enabled but no masquerade, the source IP of the traffic from the Grandstream is not in the routing table of one of the devices downstream, and the return traffic from the PBX is getting lost somewhere, going out a default route.
>
> Do you control all the downstream devices, to check their routing tables?
> One other point, from the diagram, it appears that the Grandstream and the Mikrotik are on the same subnet/link on 192.168.90.32/30, so in this case what benefit is the extra OpenVPN hop giving you? The /30 is essentially a point to point link, so running a point to point VPN over the point to point link seems unnecessary, unless I've missed something.

I control all the downstream devices. Will check the routing tables again.
MikroTik and Grandstream will be on different floors and far away from the building. I want to keep the connection as secure as possible.
