Netgate Discussion Forum
    OpenVPN Connected. Mikrotik Hex can ping pfSense, local PCs can't.

    elementalwindx:

      I'm fairly new back to Mikrotik after about a 5+ year stint of using other devices, so I'm relearning all over again. I have an OpenVPN site-to-site going from a hex (client) to pfSense (server), both on the newest versions. I'm trying to achieve a site-to-multi-site OpenVPN setup.

      I can ping the pfSense from the terminal on the hex.
      I can ping computers behind the pfSense from the terminal on the hex.
      I cannot ping the pfSense from a PC behind the hex.
      Nothing on the pfSense side can ping anything on the hex side.

      PC (192.168.1.9/24) -> hex (192.168.1.1/24) -> INTERNET <- pfSense (192.168.140.1/24)

      Traceroute from the PC side shows it going through router.lan 192.168.1.1 and then that's it.

      For the most part this hex is mostly default except the OpenVPN and the basic quick setup. I've set a firewall rule to allow all just for testing purposes. I'm wondering if I need to set up NAT or mangle with something.

      I need to be able to ping all devices on the client's side from the systems on the pfSense's subnet.

      Firewalls on both sides are wide open, set to allow everything on all interfaces for the moment.

      hex (192.168.1.1/24)
      pfSense (192.168.140.1/24)
      The LAN interface ARP setting on the hex was "enabled"; now it's set to "proxy-arp".

      /ip firewall filter
      # testing rules: accept everything into the router, and everything in/out of the tunnel
      add action=accept chain=input
      add action=accept chain=input in-interface=ovpn-out1
      add action=accept chain=output out-interface=ovpn-out1
      # default configuration (defconf) forward chain
      add action=accept chain=forward comment="defconf: accept in ipsec policy" \
          ipsec-policy=in,ipsec
      add action=accept chain=forward comment="defconf: accept out ipsec policy" \
          ipsec-policy=out,ipsec
      add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
          connection-state=established,related
      add action=accept chain=forward comment=\
          "defconf: accept established,related, untracked" connection-state=\
          established,related,untracked
      add action=drop chain=forward comment="defconf: drop invalid" \
          connection-state=invalid
      add action=drop chain=forward comment=\
          "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
          connection-state=new in-interface-list=WAN
      add action=accept chain=input protocol=icmp
      add action=accept chain=input connection-state=established
      add action=accept chain=input connection-state=related
      add action=drop chain=input in-interface=ether1
      /ip firewall nat
      add action=masquerade chain=srcnat comment="defconf: masquerade" \
          ipsec-policy=out,none out-interface-list=WAN
      # exempt LAN-to-remote-LAN traffic from source NAT so it crosses the tunnel unchanged
      add action=accept chain=srcnat dst-address=192.168.140.0/24 src-address=\
          192.168.1.0/24
      add action=masquerade chain=srcnat out-interface=ether1

      ^ firewall rules on my hex.

      For some reason my routes are only exporting my disabled routes, but here's how it is:

      0.0.0.0/0 gw: wan ip on eth1
      my.gateway.ip gw: eth1 reachable
      172.16.32.0/24 gw: ovpn-out1 reachable
      192.168.1.0/24 gw: bridge1 reachable
      194.168.140.0/24 gw: 172.16.32.1 reachable ovpn-out1.

      On the pfSense side I've followed all the guides for setting up a site-to-site OpenVPN.

      I have the local IP set to 192.168.140.0/24 and the remote IP set to 192.168.1.0/24.

      stephenw10 (Netgate Administrator):

        If you are doing a site-to-multi-site with pfSense as the hub, are you doing individual tunnels to each client or a single server with multiple clients connecting to it?

        If you have a single server you will need to add client specific overrides for each client with the subnet behind them, so OpenVPN knows which client to route traffic to.

        Either way it sounds like you have a missing route in one direction. Check the routing tables at each end and make sure the opposite subnets are present.

        Steve

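For the single-server hub layout Steve describes, this is what a client specific override comes down to at the OpenVPN level (an added example, not from the thread, from Netgate or from the poster's configs): the server needs a kernel route for each spoke LAN pointing into the tunnel, plus a per-client `iroute` so the OpenVPN process knows which connected client owns that LAN. The tunnel network 172.16.32.0/24, the hex LAN 192.168.1.0/24 and the pfSense LAN 192.168.140.0/24 are taken from the post; the second spoke 192.168.2.0/24 and the client common names are assumed.

```conf
# server.conf on the hub (what pfSense generates from the server settings) - constructed example
dev tun
topology subnet
server 172.16.32.0 255.255.255.0        # tunnel network; the hub takes 172.16.32.1
# "IPv4 Remote network/s" on the server: a kernel route per spoke LAN into the tun interface
route 192.168.1.0 255.255.255.0          # LAN behind the hex (client CN "hex-site1", assumed)
route 192.168.2.0 255.255.255.0          # assumed second spoke
# hand the hub LAN to clients; a spoke router may instead carry a static route for
# 192.168.140.0/24 via 172.16.32.1 over the tunnel, as the hex does in the post
push "route 192.168.140.0 255.255.255.0"
# per-client overrides ("Client Specific Overrides" in pfSense) are read from this directory
client-config-dir ccd
client-to-client                         # optional: let spoke LANs reach each other via the hub

# ccd/hex-site1  (file name must match the client certificate common name)
# Without this iroute the hub has a kernel route into tun0 but OpenVPN has no internal
# entry saying which client to send 192.168.1.0/24 to, and replies from the hub LAN are dropped.
iroute 192.168.1.0 255.255.255.0

# ccd/site2
iroute 192.168.2.0 255.255.255.0
```

Each spoke router still needs its own return route (the hub LAN via the tunnel) and must not source-NAT LAN traffic into the tunnel, which is what the `accept` srcnat rule in the hex config is for.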
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.