OpenVPN Connected. Mikrotik Hex can ping pfsense, local pc's can't.

  • I'm fairly new back to Mikrotik after about a 5+ year stint of using other devices, so I'm relearning all over again. I have an OpenVPN site-to-site going from a hex (client) to pfSense (server). Both are on the newest versions. I'm trying to achieve a site-to-multi-site OpenVPN setup.

    I can ping the pfsense from terminal on the hex.
    I can ping computers behind the pfsense from terminal on the hex.
    I cannot ping the pfsense from a pc behind the hex.
    Nothing on the pfsense side can ping anything on the hex side.

    PC ( -> hex ( -> INTERNET <- Pfsense (

    Traceroute from the PC side shows it going through router.lan and then that's it.

    For the most part this hex is mostly default except for the OpenVPN and the basic quick setup. I've set a firewall rule to allow all just for testing purposes. I'm wondering if I need to set up NAT or mangle with something.

    I need to be able to ping all devices on the clients side from the systems on the pfsense's subnet.

    Firewalls on both sides are wide open, set to allow everything on all interfaces for the moment.

    hex (
    pfsense (
    lan interface on hex arp was set to "enabled" now it's set to "proxy-arp"

    /ip firewall filter
    add action=accept chain=input
    add action=accept chain=input in-interface=ovpn-out1
    add action=accept chain=output out-interface=ovpn-out1
    add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    add action=accept chain=forward comment=\
        "defconf: accept established,related, untracked" connection-state=\
    add action=drop chain=forward comment="defconf: drop invalid" \
    add action=drop chain=forward comment=\
        "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
        connection-state=new in-interface-list=WAN
    add action=accept chain=input protocol=icmp
    add action=accept chain=input connection-state=established
    add action=accept chain=input connection-state=related
    add action=drop chain=input in-interface=ether1
    /ip firewall nat
    add action=masquerade chain=srcnat comment="defconf: masquerade" \
        ipsec-policy=out,none out-interface-list=WAN
    add action=accept chain=srcnat dst-address= src-address=\
    add action=masquerade chain=srcnat out-interface=ether1

    ^ firewall rules on my hex.

    For some reason my routes are only exporting my disabled routes, but here's how it is: gw: wan ip on eth1
    my.gateway.ip gw: eth1 reachable gw: ovpn-out1 reachable gw: bridge1 reachable gw: reachable ovpn-out1.

    On the PFSense side I've followed all the guides for setting up a site to site openvpn.

    I have local ip set to remote ip set to

  • Netgate Administrator

    If you are doing a site-to-multisite with pfSense as the hub are you doing individual tunnels to each client or a single server with multiple clients connecting to it?

    If you have a single server you will need to add client specific overrides for each client with the subnet behind them so OpenVPN knows which client to route traffic to.

    Either way it sounds like you have a missing route in one direction. Check the routing tables at each end and make sure the opposite subnets are present.
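    As an added illustration (not part of this thread or of pfSense/RouterOS), a small Python model of the route check suggested above: constructed routing tables for a hex end and a pfSense end, a longest-prefix lookup, and the server-side iroute mapping a single multi-client server needs. All addresses, the pfSense interface names and the client names are assumptions; only ovpn-out1, bridge1 and ether1 come from the posted config.

```python
"""Model of the site-to-site route check: each end needs a route to the
OPPOSITE LAN via its tunnel interface, and a multi-client server must also
map each remote subnet to a client (iroute in the client-specific override).
All addresses and non-hex interface names are constructed placeholders."""
from ipaddress import ip_address, ip_network


def lookup(routes, dst):
    """Longest-prefix match. routes: list of (network, via). Returns via or None."""
    dst = ip_address(dst)
    best = None
    for net, via in routes:
        net = ip_network(net)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None


def tunnel_path_ok(a_routes, a_tun, b_routes, b_tun, src, dst):
    """A ping only succeeds when the forward hop on side A and the return hop
    on side B both select the tunnel; a missing route in either direction
    sends one leg out the default gateway instead."""
    return lookup(a_routes, dst) == a_tun and lookup(b_routes, src) == b_tun


def server_knows_client(iroutes, dst):
    """On a single server with several clients the kernel route only delivers
    the packet to the tun device; OpenVPN itself needs an iroute to pick the
    client. Returns the client name or None when no override covers dst."""
    return lookup(iroutes, dst)


# Constructed tables: hex LAN 10.10.0.0/24, pfSense LAN 10.20.0.0/24, tunnel 10.8.0.0/24
HEX_ROUTES = [("0.0.0.0/0", "ether1"), ("10.10.0.0/24", "bridge1"),
              ("10.8.0.0/24", "ovpn-out1"), ("10.20.0.0/24", "ovpn-out1")]
PFSENSE_BEFORE = [("0.0.0.0/0", "wan"), ("10.20.0.0/24", "lan"),
                  ("10.8.0.0/24", "ovpns1")]                 # no route back to hex LAN
PFSENSE_AFTER = PFSENSE_BEFORE + [("10.10.0.0/24", "ovpns1")]  # route added
IROUTES = [("10.10.0.0/24", "hex-site"), ("10.30.0.0/24", "site-c")]  # CSOs on the server

if __name__ == "__main__":
    # hex's own tunnel address gets a reply, a LAN PC behind it does not
    print(tunnel_path_ok(HEX_ROUTES, "ovpn-out1", PFSENSE_BEFORE, "ovpns1", "10.8.0.2", "10.20.0.5"))
    print(tunnel_path_ok(HEX_ROUTES, "ovpn-out1", PFSENSE_BEFORE, "ovpns1", "10.10.0.50", "10.20.0.5"))
    print(tunnel_path_ok(HEX_ROUTES, "ovpn-out1", PFSENSE_AFTER, "ovpns1", "10.10.0.50", "10.20.0.5"))
    print(server_knows_client(IROUTES, "10.10.0.50"), server_knows_client(IROUTES, "10.40.0.1"))
```

The two `PFSENSE_*` tables reproduce the symptom pattern in the thread: the router's own tunnel address gets replies while hosts behind it do not, because the far end routes their LAN source addresses out its default gateway.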
