We have a problem with the firewall / NAT rules when trying to reach a server in a network through an OpenVPN connection and two IPsec tunnels.
Our setup is as follows: we have a site with a CCR1036-12G-4S (RouterOS v6.49.2) where our employees log on via OpenVPN. To achieve a separation between normal employees and administrative employees, there are two separate networks from which the employees get an IP via OpenVPN:
Normal employees: 192.168.3.0/24
Administrative employees: 192.168.4.0/24
Furthermore, there is an IPsec tunnel that routes both networks to another site. At this second location a RouterOS v6.49.2 is running on a VM. Here, further customer networks are connected, also via IPsec tunnels. We now try to reach a destination in the customer network 10.49.255.0/24 from both OpenVPN networks. It is also important that there is a network 192.168.20.0/24 at this second location and that access to the customer network 10.49.255.0/24 is only possible from that network, which is why we use a src-nat to the IP 192.168.20.3.
Our procedure so far:
Site 1 (with OpenVPN connection):
/ip firewall filter add action=accept chain=forward src-address=192.168.3.0/24 dst-address=10.49.255.0/24
/ip firewall filter add action=accept chain=forward src-address=192.168.4.0/24 dst-address=10.49.255.0/24
/ip firewall nat add action=accept chain=srcnat src-address=192.168.3.0/24 dst-address=10.49.255.0/24
/ip firewall nat add action=accept chain=srcnat src-address=192.168.4.0/24 dst-address=10.49.255.0/24
Site 2:
/ip firewall filter add action=accept chain=forward src-address=192.168.3.0/24 dst-address=10.49.255.0/24
/ip firewall filter add action=accept chain=forward src-address=192.168.4.0/24 dst-address=10.49.255.0/24
/ip firewall nat add action=src-nat chain=srcnat src-address=192.168.3.0/24 dst-address=10.49.255.0/24 to-addresses=192.168.20.3
/ip firewall nat add action=src-nat chain=srcnat src-address=192.168.4.0/24 dst-address=10.49.255.0/24 to-addresses=192.168.20.3
Although all rules are identical, the procedure only works for requests from the OpenVPN network 192.168.4.0/24. For requests from the network 192.168.3.0/24, the src-nat rule at the first site doesn't seem to take effect; at least we don't see any traffic on it. There are other rules at both locations, but we have already moved the rules above to the first positions. The OpenVPN configurations and profiles have also been compared and match.
Is there a setting in OpenVPN that prevents the src-nat rules from being used? Or are we missing something else?
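The check sequence below is an added example, not part of the original post: it is what I would type on both routers to find the hop at which packets from 192.168.3.0/24 disappear, comparing each step against the working 192.168.4.0/24 network. It assumes a test host 10.49.255.10 in the customer network and uses the rule addresses from the post as `where` filters; no other rules or names are assumed.

```routeros
# Added diagnostic sequence (not from the original post). 10.49.255.10 is an
# assumed test host in the customer network. Run steps 1-4 on site 1 and
# steps 5-7 on site 2, once with a client from each OpenVPN network.

# 1. Generate traffic from the non-working network while watching counters.
#    Sent from site 1 itself, using an address inside the OpenVPN network:
/ping 10.49.255.10 src-address=192.168.3.1 count=5

# 2. Site 1: did the forward filter and the srcnat accept rule see the packets?
#    Compare the packets/bytes columns of the 192.168.3.0/24 and 192.168.4.0/24
#    rules; a rule that stays at 0 while its sibling counts is the first clue.
/ip firewall filter print stats where dst-address=10.49.255.0/24
/ip firewall nat print stats where dst-address=10.49.255.0/24

# 3. Site 1: the srcnat accept rule only keeps the source address unchanged;
#    the packet still needs an IPsec policy covering 192.168.3.0/24 -> 10.49.255.0/24
#    and an installed SA behind it. Check that both networks are present here.
/ip ipsec policy print where dst-address=10.49.255.0/24
/ip ipsec installed-sa print
/ip ipsec active-peers print

# 4. Site 1: does the OpenVPN session really hold an address in 192.168.3.0/24,
#    and does the router have a route / connected network for that prefix?
/ppp active print where service=ovpn
/ppp profile print detail
/ip route print detail where dst-address=192.168.3.0/24
/ip route print detail where dst-address=192.168.4.0/24

# 5. Site 2: connection tracking and NAT counters for the same flow. A connection
#    from 192.168.3.x that reached site 2 appears here with reply-dst 192.168.20.3.
/ip firewall connection print where dst-address~"10.49.255"
/ip firewall nat print stats where to-addresses=192.168.20.3

# 6. Site 2: srcnat is applied before IPsec policy matching in RouterOS, so the
#    policy towards the customer must match the post-NAT source 192.168.20.0/24.
/ip ipsec policy print where dst-address=10.49.255.0/24

# 7. If a counter stays at zero on one side, capture on the router to see
#    whether the packet arrives there at all.
/tool sniffer quick ip-address=10.49.255.10
```

Read the counters top to bottom: if the site 1 filter rule for 192.168.3.0/24 never counts, the traffic is not leaving the OpenVPN interface with that source (step 4); if it counts but no SA carries it, the IPsec policy for that network is missing or inactive (step 3); if site 2 shows the connection but the customer never answers, the post-NAT policy in step 6 is the place to look.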