atakacs
Member Candidate
Topic Author
Posts: 121
Joined: Mon Mar 07, 2016 5:39 pm

OVPN site to site routing issue

Mon Jan 24, 2022 6:55 pm

I am having a weird (at least to me) issue with a site-to-site setup using OVPN (MikroTik to MikroTik).

The tunnel is up and from Site A I can reach the subnet on Site B.

However, from Site B I cannot reach the Site A subnet. Yet from router B I can reach subnet A, but not from the devices "behind" router B.

From router:

[user@mkt-sx-00] > ping 172.16.181.254
  SEQ HOST                                     SIZE TTL TIME       STATUS
    0 172.16.181.254                             56  64 1ms974us
    1 172.16.181.254                             56  64 1ms716us
    2 172.16.181.254                             56  64 50ms968us
    sent=3 received=3 packet-loss=0% min-rtt=1ms716us avg-rtt=18ms219us
   max-rtt=50ms968us

From device behind router:

C:\Users\user>tracert 172.16.181.254

Tracing route to 172.16.181.254 over a maximum of 30 hops

  1     *        *       <1 ms  172.16.200.254
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.

So my packet goes to the MikroTik but does not route further to 172.16.181.254 via the OpenVPN tunnel.

My routes on the router:

[user@mkt-sx-00] /ip/route> print
Flags: D - DYNAMIC; I, A - ACTIVE; c, s, v, y - COPY; H - HW-OFFLOADED; + - ECMP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#       DST-ADDRESS       GATEWAY            DISTANCE
0  As   0.0.0.0/0         x.x.x.x             1
  DAc   10.20.30.0/30     wireguard1                0
  DAc   10.99.99.75/32    <ovpn-scanvpn174>         0
  DAc   10.99.99.80/32    <ovpn-scanvpn176>         0
  DAc   10.99.99.94/32    <ovpn-scanvpn173>         0
  DAc   10.99.99.96/32    <ovpn-scanvpn181>         0
  DAc   10.99.99.98/32    <ovpn-scanvpn179>         0
  DAc   172.16.172.0/24   bridgeA                   0
  DAv   172.16.173.0/24   <ovpn-scanvpn173>         1
  DAv   172.16.174.0/24   <ovpn-scanvpn174>         1
  DAv   172.16.176.0/24   <ovpn-scanvpn176>         1
  DAv   172.16.179.0/24   <ovpn-scanvpn179>         1
  DAv   172.16.181.0/24   <ovpn-scanvpn181>         1
  DAc   172.16.200.0/24   bridgeA             0
  DAc + x.x.x.x/29  ether1                    0

Any idea?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: OVPN site to site routing issue

Mon Jan 24, 2022 7:53 pm

Usually when one direction works and the opposite doesn't, it's either because of a firewall, or there's misconfigured routing that can be masked by some srcnat rule, which makes one direction work.
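
The routing case from the reply above, as an added example that is not part of the thread: a small Python model of the forward lookup on one router and the reply lookup on the other. The remote router's table, the tunnel address 10.99.99.1, the names ovpn-out1, wan and bridge, and the host 172.16.200.10 are constructed, since the thread shows only mkt-sx-00's routes.

```python
import ipaddress

def lookup(routes, addr):
    """Longest-prefix match over (prefix, gateway) pairs; None if no route."""
    ip = ipaddress.ip_address(addr)
    hits = [(ipaddress.ip_network(p), gw) for p, gw in routes
            if ip in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def round_trip(src, dst, near, far, near_tun, far_tun, srcnat_to=None):
    """Check the forward route on the near router and the reply route on the far one."""
    if lookup(near, dst) != near_tun:
        return "forward: near router does not send %s into the tunnel" % dst
    seen = srcnat_to or src            # source address as the far site sees it
    out = lookup(far, seen)
    if out != far_tun:
        return "reply: far router sends %s via %s, not the tunnel" % (seen, out)
    return "ok"

# Subset of the route table printed in the post (router mkt-sx-00).
NEAR = [("0.0.0.0/0", "wan"),
        ("10.99.99.96/32", "ovpn-scanvpn181"),
        ("172.16.181.0/24", "ovpn-scanvpn181"),
        ("172.16.200.0/24", "bridgeA")]

# Constructed: the thread never shows the remote router's table.
TUN_ADDR = "10.99.99.1"               # assumed tunnel address of mkt-sx-00
FAR = [("0.0.0.0/0", "wan"),
       ("10.99.99.1/32", "ovpn-out1"),
       ("172.16.181.0/24", "bridge")]
FAR_FIXED = FAR + [("172.16.200.0/24", "ovpn-out1")]   # explicit return route

def scenarios():
    args = ("172.16.181.254", NEAR, FAR, "ovpn-scanvpn181", "ovpn-out1")
    return {
        "router ping": round_trip(TUN_ADDR, *args),
        "lan device": round_trip("172.16.200.10", *args),
        "lan + srcnat": round_trip("172.16.200.10", *args, srcnat_to=TUN_ADDR),
        "lan + return route": round_trip("172.16.200.10", "172.16.181.254", NEAR,
                                         FAR_FIXED, "ovpn-scanvpn181", "ovpn-out1"),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print("%-20s %s" % (name, result))
```

In this model the srcnat case succeeds only because the far router already knows the tunnel address; the return route is the fix that keeps the LAN source address visible to the remote firewall and logs.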
