openvpn
zolotykx, 2018-03-03 20:38:01

Mikrotik, 3rd party openvpn, no ping between openvpn network and LAN. How to set up a firewall?

Please help with setting up a firewall in Mikrotik. The network configuration is as follows:
Mikrotik LAN IP 192.168.88.1/24. It is the gateway for the local network.
There is a separate OpenVPN server on Ubuntu (with routing enabled); it has the address 192.168.88.30.
OpenVPN is configured in L3 mode, subnet 10.0.8.0/24. Also, Mikrotik has a route to the 10.0.8.0/24 network through 192.168.88.30 (so that LAN clients can contact OpenVPN clients). The OpenVPN server has 192.168.88.1 as the gateway.
Also, DST-NAT is made on Mikrotik so that clients from the Internet can access the OpenVPN server and through it get into the main LAN.
When setting up a firewall, namely the drop invalid connections rule in the forward chain, clients cannot reach local LAN resources, pings do not go from OpenVPN clients. However, from the LAN, pings reach OpenVPN clients. If you disable the rule with invalid, then OpenVPN clients start pinging LAN resources. Please help or at least indicate in which direction to go in order to establish the correct two-way interaction between OpenVPN clients and the LAN. Also, it is not clear why this traffic gets into invalid.


2 answer(s)
Ruslan Khairullin, 2018-03-04
@ruha02

Show me the correct firewall filter

zolotykx, 2018-03-04
@zolotykx

Here are the current rules:
/ip firewall filter
add action=drop chain=input comment="Drop echo request" icmp-options=8:0 in-interface-list=WAN protocol=icmp
add action=accept chain=input comment="Accept ICMP" protocol=icmp
add action=accept chain=input comment="Accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="Allow remote WinBox access from WAN" dst-port=8291 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=drop chain=input comment="Drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="Accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=drop chain=forward comment="Drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
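The symptom in the question (pings from OpenVPN clients blocked by the forward-chain "Drop invalid" rule while pings from the LAN work) is what asymmetric routing looks like to a stateful firewall. The following Python model is added here as an illustration; it is not code from the thread and not RouterOS code. It walks an ICMP echo request and its reply through the topology described in the question with the forward chain from the posted rule set, using a connection-tracking model reduced to the one netfilter rule that matters here: an echo reply that matches no tracked request is classified invalid. The LAN host 192.168.88.10 and VPN client 10.0.8.2 are assumed addresses. Beyond what the thread states, the model also traces two ways out: giving LAN hosts their own route for 10.0.8.0/24 via 192.168.88.30, so the reply no longer transits the Mikrotik, or an accept rule for LAN-to-VPN traffic placed before "Drop invalid".

```python
"""Why the forward-chain "Drop invalid" rule drops pings from OpenVPN clients.

Added model, not code from the thread or from RouterOS. Topology as in the
question: Mikrotik 192.168.88.1 is the LAN gateway, the Ubuntu OpenVPN server
192.168.88.30 fronts 10.0.8.0/24, and Mikrotik has a static route for
10.0.8.0/24 via 192.168.88.30. LAN host 192.168.88.10 and VPN client 10.0.8.2
are assumed addresses.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.88.0/24")
VPN = ip_network("10.0.8.0/24")
MIKROTIK = "192.168.88.1"
OVPN_SERVER = "192.168.88.30"
LAN_HOST = "192.168.88.10"   # assumed
VPN_CLIENT = "10.0.8.2"      # assumed
ECHO_REQUEST, ECHO_REPLY = 8, 0


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    icmp_type: int
    icmp_id: int


class ConnTrack:
    """ICMP echo tracking reduced to what matters here: a request opens an
    entry, a reply is matched against the reversed tuple, and a reply with no
    tracked request is 'invalid' (netfilter behaviour)."""

    def __init__(self):
        self.entries = set()
        self.seen = []  # states assigned to packets transiting the Mikrotik

    def classify(self, p):
        if p.icmp_type == ECHO_REQUEST:
            key = (p.src, p.dst, p.icmp_id)
            state = "established" if key in self.entries else "new"
            self.entries.add(key)
        elif p.icmp_type == ECHO_REPLY and (p.dst, p.src, p.icmp_id) in self.entries:
            state = "established"
        else:
            state = "invalid"
        self.seen.append(state)
        return state


def forward_chain(p, state, accept_lan_vpn_first=False):
    """The posted forward chain: accept established/related/untracked, drop
    invalid, drop un-DST-NATed new traffic from WAN, implicit accept otherwise.
    accept_lan_vpn_first models an extra accept for LAN<->VPN traffic placed
    before 'Drop invalid' (a workaround that exempts it from state checks)."""
    src, dst = ip_address(p.src), ip_address(p.dst)
    lan_vpn = (src in LAN and dst in VPN) or (src in VPN and dst in LAN)
    if accept_lan_vpn_first and lan_vpn:
        return "accept"
    if state in ("established", "related", "untracked"):
        return "accept"
    if state == "invalid":
        return "drop"
    return "accept"  # WAN rule never matches: none of this traffic enters from WAN


def route(node, dst, lan_host_vpn_route=False):
    """Next hop chosen by each node, following the question's description."""
    d = ip_address(dst)
    if node == LAN_HOST:
        if d in LAN:
            return dst                            # same segment, delivered directly
        if d in VPN and lan_host_vpn_route:
            return OVPN_SERVER                    # symmetric-routing fix
        return MIKROTIK                           # default gateway
    if node == MIKROTIK:
        return OVPN_SERVER if d in VPN else dst   # static route / connected LAN
    if node == OVPN_SERVER:
        return dst if (d in LAN or d in VPN) else MIKROTIK
    if node == VPN_CLIENT:
        return OVPN_SERVER                        # everything enters the tunnel
    raise ValueError(f"unknown node {node}")


def deliver(p, ct, lan_host_vpn_route=False, accept_lan_vpn_first=False):
    """Hop-by-hop path of one packet. Mikrotik runs conntrack and the forward
    chain only when it transits the packet (is neither source nor destination)."""
    node, path = p.src, [p.src]
    for _ in range(8):  # hop limit guards against a routing loop in the model
        if node == p.dst:
            return path, True
        node = route(node, p.dst, lan_host_vpn_route)
        path.append(node)
        if node == MIKROTIK and node != p.dst:
            if forward_chain(p, ct.classify(p), accept_lan_vpn_first) == "drop":
                return path, False
    return path, False


def ping(src, dst, ct, lan_host_vpn_route=False, accept_lan_vpn_first=False, icmp_id=1):
    """Echo request from src to dst and the reply back; returns both paths."""
    opts = dict(lan_host_vpn_route=lan_host_vpn_route, accept_lan_vpn_first=accept_lan_vpn_first)
    req_path, req_ok = deliver(Packet(src, dst, ECHO_REQUEST, icmp_id), ct, **opts)
    rep_path, rep_ok = [], False
    if req_ok:
        rep_path, rep_ok = deliver(Packet(dst, src, ECHO_REPLY, icmp_id), ct, **opts)
    return {"request_path": req_path, "reply_path": rep_path, "success": rep_ok}


if __name__ == "__main__":
    cases = [
        ("VPN -> LAN, rules as posted", VPN_CLIENT, LAN_HOST, {}),
        ("LAN -> VPN, rules as posted", LAN_HOST, VPN_CLIENT, {}),
        ("VPN -> LAN, LAN host routes 10.0.8.0/24 via .30", VPN_CLIENT, LAN_HOST, {"lan_host_vpn_route": True}),
        ("VPN -> LAN, accept LAN<->VPN before Drop invalid", VPN_CLIENT, LAN_HOST, {"accept_lan_vpn_first": True}),
    ]
    for label, src, dst, kwargs in cases:
        ct = ConnTrack()
        r = ping(src, dst, ct, **kwargs)
        print(f"{label}: success={r['success']}, Mikrotik saw {ct.seen}")
        print("  request:", " -> ".join(r["request_path"]))
        print("  reply:  ", " -> ".join(r["reply_path"]))
```

Running the model reproduces the thread: the VPN client's echo request goes 10.0.8.2 -> 192.168.88.30 -> 192.168.88.10 on the LAN segment without touching the Mikrotik, but the LAN host's reply goes to its default gateway 192.168.88.1, which forwards it back out the same interface to 192.168.88.30; the Mikrotik therefore sees only the reply half of the flow, classifies it invalid and drops it in the forward chain. In the LAN-to-VPN direction the request transits the Mikrotik (state new, accepted) and the reply bypasses it, so that direction works. Of the two ways out, a route for 10.0.8.0/24 via 192.168.88.30 on the LAN hosts keeps the Mikrotik out of the path and leaves state tracking intact, whereas an accept rule for LAN-to-VPN traffic ahead of "Drop invalid" trades away state checks for that pair of subnets. The "Drop all from WAN not DSTNATed" rule is unaffected either way, since none of this traffic enters from WAN.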
