 
virgo
just joined
Topic Author
Posts: 3
Joined: Mon May 16, 2022 6:51 pm

Share 192.168.88.00/24 subnet on VPN with OpenVPN

Mon May 16, 2022 6:54 pm

Hi,

I have a small Mikrotik device with 1 WAN port and 2 ETH ports. I was able to configure an OpenVPN server on my NAS with iroute in order to share subnets based on common-name, using the username as common-name (Mikrotik does not support TLS auth). I was also able to configure the Mikrotik to connect to the VPN.

However the 192.168.88.0/24 subnet is not reachable from the VPN; only the 192.168.88.1 IP assigned to the Mikrotik is reachable. I have a device with a static IP attached to the Mikrotik, 192.168.88.100, and if I try to ping it I get what you can see in the attachment. I set up a packet sniffer: at the top of it you can see the reply when pinging .100, and at the bottom of it the correct traffic when pinging .1.
mikrotik.png
What am I missing?
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: Share 192.168.88.00/24 subnet on VPN with OpenVPN

Mon May 16, 2022 7:46 pm

As two unconnected networks (the VPN tunnel and the local LAN) share the same address range, any devices attached to the LAN will expect those addresses to be directly reachable on the local ethernet network. If you set arp=proxy-arp on the bridge, the Mikrotik will return its own MAC address to requests from devices attached to the LAN.

This is a common issue when the Mikrotik is acting as the VPN server; it isn't clear what your topology is, so it may be something else. Generally, take the output of /export hide-sensitive done in a terminal window, redact any other information such as public IPs and serial number, and post it in a code block (the [] icon above the text box when composing posts in the forum). This describes exactly how your Mikrotik is set up; wordy descriptions and/or screenshots do not provide the whole story.
 
virgo
just joined
Topic Author
Posts: 3
Joined: Mon May 16, 2022 6:51 pm

Re: Share 192.168.88.00/24 subnet on VPN with OpenVPN

Mon May 16, 2022 8:28 pm

Hi,

Thanks for the answer. I tested the proxy-arp feature, however it did not work. About the topology, the Mikrotik is not a VPN server; it is just a client connected to a NAS that acts as the OpenVPN server. The connection is established correctly between them. The iroute is working as I set the username as common-name, even if I'm not using certificates for the authentication. I know Mikrotik does not support TLS auth yet. Attached to the Mikrotik I have a device I'm trying to reach from another remote device attached to the VPN too.

Device A ---> MIKROTIK --- via VPN ---> NAS <--- via VPN --- Device B

Following is the export you were mentioning:
# may/16/2022 19:06:24 by RouterOS 6.47.10
# software id = XXX
#
# model = RB931-2nD
# serial number = XXX
/interface ovpn-client
add cipher=aes256 connect-to=xx.xx.xx.xx mac-address=XX:XX:XX:XX:XX:XX name=ovpn-out1 password=XXX user=XXX
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:X arp=proxy-arp auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-19EDBE wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=pwr-line1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface=ovpn-out1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" disabled=yes dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=ovpn-out1
/ip route
add distance=1 dst-address=10.8.0.0/24 gateway=ovpn-out1
add distance=1 dst-address=192.168.88.0/24 gateway=ovpn-out1
/system clock
set time-zone-name=xxx
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-ip-protocol=icmp
 
virgo
just joined
Topic Author
Posts: 3
Joined: Mon May 16, 2022 6:51 pm

Re: Share 192.168.88.00/24 subnet on VPN with OpenVPN

Mon May 16, 2022 8:46 pm

Let me add the Mikrotik routing table here.
I'm thinking rule #7 is blocking me; however, I can't delete it as it is not static.
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: Share 192.168.88.00/24 subnet on VPN with OpenVPN

Mon May 16, 2022 9:57 pm

Routes specify the destination; 192.168.88.0/24 is the locally attached LAN, so adding a static route for the same subnet is incorrect.

The Mikrotik OpenVPN client automatically adds a static route back to the server with the netmask specified by the server, so the static route to 10.8.0.0/24 is not necessary.

If the OpenVPN server is in IP / tun mode the ovpn-out1 interface should not be a member of the bridge.

You have a mix of routing and NAT on the VPN connection. If fully routing then add action=masquerade chain=srcnat out-interface=ovpn-out1 is not required, if you do want to NAT outbound traffic then you would usually also have dstnat rules for inbound traffic.

You have disabled all of the firewall rules; it should only be necessary to modify the "drop all not coming from LAN" input rule to allow connections to the Mikrotik via ovpn-out1.
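The four problems tdw lists (a static route for the directly attached subnet, the ovpn interface as a bridge port, masquerade on the tunnel with no dstnat, and a fully disabled filter chain) are all visible in the /export posted earlier. The following is an added example, not code from the thread or from MikroTik: a small Python lint that parses the export format and flags each of those points, run against a trimmed copy of the posted export and against a hypothetical corrected version. The check names, the corrected export and the extra "allow router access via tunnel" accept rule are this example's own assumptions about how tdw's advice would be applied.

```python
"""Lint a RouterOS '/export' for the VPN-client mistakes discussed in this thread.
Both sample exports below are constructed for the example (trimmed/edited from the thread)."""
import ipaddress
import re
from collections import defaultdict

# key=value tokens; values may be double-quoted (comment="defconf: ...")
TOKEN = re.compile(r'(\S+?)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed: the relevant lines of the export posted in the thread.
POSTED_EXPORT = """\
/interface ovpn-client
add cipher=aes256 connect-to=xx.xx.xx.xx name=ovpn-out1 password=XXX user=XXX
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge interface=ovpn-out1
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip firewall filter
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=ovpn-out1
/ip route
add distance=1 dst-address=10.8.0.0/24 gateway=ovpn-out1
add distance=1 dst-address=192.168.88.0/24 gateway=ovpn-out1
"""

# Constructed (hypothetical): the same export with tdw's corrections applied.
CORRECTED_EXPORT = """\
/interface ovpn-client
add cipher=aes256 connect-to=xx.xx.xx.xx name=ovpn-out1 password=XXX user=XXX
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="allow router access via tunnel" in-interface=ovpn-out1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
"""


def parse_export(text):
    """Return {section path: [entry dict, ...]} for every 'add'/'set' line."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank or export header comment
        if line.startswith("/"):
            current = line                # e.g. "/ip firewall filter"
            continue
        verb, _, rest = line.partition(" ")
        if verb not in ("add", "set") or current is None:
            continue
        entry = {k: v.strip('"') for k, v in TOKEN.findall(rest)}
        entry["_verb"] = verb
        sections[current].append(entry)
    return sections


def lint_vpn_client(sections):
    """Return (code, message) findings mirroring the points raised in the thread."""
    findings = []
    local_nets = {ipaddress.ip_interface(a["address"]).network
                  for a in sections["/ip address"] if "address" in a}
    vpn_ifaces = {e["name"] for e in sections["/interface ovpn-client"] if "name" in e}

    # Static routes: never for a directly attached subnet; the ovpn client adds the server route itself.
    for r in sections["/ip route"]:
        dst, gw = r.get("dst-address"), r.get("gateway")
        if dst and ipaddress.ip_network(dst, strict=False) in local_nets:
            findings.append(("ROUTE_LOCAL", f"route {dst} via {gw}: subnet is directly attached, remove it"))
        elif gw in vpn_ifaces:
            findings.append(("ROUTE_VPN", f"route {dst} via {gw}: the ovpn client installs this route itself"))

    # A tun/IP-mode tunnel is routed, so the ovpn interface must not be a bridge port.
    for p in sections["/interface bridge port"]:
        if p.get("interface") in vpn_ifaces:
            findings.append(("BRIDGE_PORT", f"{p['interface']} is a bridge port; tun mode is routed, not bridged"))

    # Masquerading the tunnel without any dstnat rules mixes routing and NAT.
    nat = sections["/ip firewall nat"]
    if not any(n.get("chain") == "dstnat" for n in nat):
        for n in nat:
            if n.get("action") == "masquerade" and n.get("out-interface") in vpn_ifaces:
                findings.append(("NAT_NO_DSTNAT", f"masquerade on {n['out-interface']} with no dstnat: route or NAT, not both"))

    # Filter chain: everything disabled, or the LAN-only input drop with no accept for the tunnel.
    filt = sections["/ip firewall filter"]
    if filt and all(f.get("disabled") == "yes" for f in filt):
        findings.append(("FILTER_ALL_DISABLED", "every filter rule is disabled; re-enable the defaults"))
    vpn_input_accepted = False
    for f in filt:
        if f.get("disabled") == "yes" or f.get("chain") != "input":
            continue
        if f.get("action") == "accept" and f.get("in-interface") in vpn_ifaces:
            vpn_input_accepted = True
        if f.get("action") == "drop" and f.get("in-interface-list") == "!LAN" and not vpn_input_accepted:
            findings.append(("INPUT_DROPS_VPN", "'drop all not coming from LAN' also drops router access via the tunnel"))
    return findings


if __name__ == "__main__":
    for label, export in (("posted", POSTED_EXPORT), ("corrected", CORRECTED_EXPORT)):
        print(f"== {label} export ==")
        for code, msg in lint_vpn_client(parse_export(export)) or [("OK", "no findings")]:
            print(f"{code}: {msg}")
```

The parser is deliberately loose (it only needs key=value pairs per section), so it also copes with the `set [ find ... ]` lines in a full export. The INPUT_DROPS_VPN check is order-sensitive, as RouterOS filter rules are: an accept for the tunnel interface must precede the LAN-only drop to count.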
