OpenVPN Connected. MikroTik hEX can ping pfSense, local PCs can't.

  • I'm fairly new back to MikroTik after about a 5+ year stint of using other devices, so I'm relearning all over again. I have an OpenVPN site-to-site going from a hEX (client) to pfSense (server), both on the newest versions. I'm trying to achieve a site-to-multi-site OpenVPN setup.

    I can ping the pfSense from the terminal on the hEX.
    I can ping computers behind the pfSense from the terminal on the hEX.
    I cannot ping the pfSense from a PC behind the hEX.
    Nothing on the pfSense side can ping anything on the hEX side.

    PC (192.168.1.9/24) -> hEX (192.168.1.1/24) -> INTERNET <- pfSense (192.168.140.1/24)

    Traceroute from the PC side shows it going through router.lan 192.168.1.1 and then that's it.

    For the most part this hEX is default except for the OpenVPN and the basic quick setup. I've set a firewall rule to allow all just for testing purposes. I'm wondering if I need to set up NAT or mangle with something.

    I need to be able to ping all devices on the client's side from the systems on the pfSense's subnet.

    Firewalls on both sides are wide open, set to allow everything on all interfaces for the moment.

    hEX (192.168.1.1/24)
    pfSense (192.168.140.1/24)
    LAN interface on the hEX: ARP was set to "enabled", now it's set to "proxy-arp".

    /ip firewall filter
    add action=accept chain=input
    add action=accept chain=input in-interface=ovpn-out1
    add action=accept chain=output out-interface=ovpn-out1
    add action=accept chain=forward comment="defconf: accept in ipsec policy" \
        ipsec-policy=in,ipsec
    add action=accept chain=forward comment="defconf: accept out ipsec policy" \
        ipsec-policy=out,ipsec
    add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
        connection-state=established,related
    add action=accept chain=forward comment=\
        "defconf: accept established,related, untracked" connection-state=\
        established,related,untracked
    add action=drop chain=forward comment="defconf: drop invalid" \
        connection-state=invalid
    add action=drop chain=forward comment=\
        "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
        connection-state=new in-interface-list=WAN
    add action=accept chain=input protocol=icmp
    add action=accept chain=input connection-state=established
    add action=accept chain=input connection-state=related
    add action=drop chain=input in-interface=ether1
    /ip firewall nat
    add action=masquerade chain=srcnat comment="defconf: masquerade" \
        ipsec-policy=out,none out-interface-list=WAN
    add action=accept chain=srcnat dst-address=192.168.140.0/24 src-address=\
        192.168.1.0/24
    add action=masquerade chain=srcnat out-interface=ether1

    ^ firewall rules on my hEX.

    For some reason my routes are only exporting my disabled routes, but here's how it is:

    0.0.0.0/0 gw: wan ip on eth1
    my.gateway.ip gw: eth1 reachable
    172.16.32.0/24 gw: ovpn-out1 reachable
    192.168.1.0/24 gw: bridge1 reachable
    194.168.140.0/24 gw: 172.16.32.1 reachable ovpn-out1.

    On the pfSense side I've followed all the guides for setting up a site-to-site OpenVPN.

    I have local IP set to 192.168.140.0/24, remote IP set to 192.168.1.0/24.


  • Netgate Administrator

    If you are doing a site-to-multisite with pfSense as the hub are you doing individual tunnels to each client or a single server with multiple clients connecting to it?

    If you have a single server you will need to add client specific overrides for each client with the subnet behind them so OpenVPN knows which client to route traffic to.

    Either way it sounds like you have a missing route in one direction. Check the routing tables at each end and make sure the opposite subnets are present.

    Steve
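To show the client-specific override Steve describes, here is an added example (not from the thread and not pfSense's generated files) of the two server-side pieces a site-to-multisite hub needs so that traffic for the LAN behind one client reaches that client. The tunnel network 172.16.32.0/24 and the two subnets come from the post; the client common name `hex-site-a` and the `ccd` file name are assumptions, since pfSense writes these files from its GUI fields.

```conf
# --- OpenVPN server config on the hub (pfSense "Servers" entry) ---
# Shared tunnel network for all spoke clients (from the post).
server 172.16.32.0 255.255.255.0

# Kernel route on the hub: send the spoke LAN into the tun interface.
# pfSense generates this from the "IPv4 Remote network(s)" field.
# Add one "route" line per spoke LAN for a multi-site hub.
route 192.168.1.0 255.255.255.0

# Per-client override files, selected by the client certificate's CN.
client-config-dir ccd

# --- ccd/hex-site-a  (Client Specific Override; CN "hex-site-a" is assumed) ---
# Internal OpenVPN route: tells the OpenVPN process which connected
# client owns 192.168.1.0/24. The kernel "route" above alone is not
# enough: without "iroute" the hub drops packets from 192.168.1.x as
# "bad source address from client", which matches the symptom of
# "the hEX itself can ping, the PCs behind it cannot".
iroute 192.168.1.0 255.255.255.0
```

As a check, the hub's routing table should list 192.168.1.0/24 via the OpenVPN server interface and the hEX's `/ip route print` should list 192.168.140.0/24 via ovpn-out1; if either subnet is absent or mistyped, that end cannot return traffic.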

