Mikrotik, 3rd-party OpenVPN, no ping between the OpenVPN network and the LAN. How to set up the firewall?
Please help with setting up a firewall in Mikrotik. The network configuration is as follows:
Mikrotik LAN IP 192.168.88.1/24. It is the gateway for the local network.
There is a separate OpenVPN server on Ubuntu (with routing enabled); it has the address 192.168.88.30.
OpenVPN is configured in L3 mode, subnet 10.0.8.0/24. Also, Mikrotik has a route to the 10.0.8.0/24 network through 192.168.88.30 (so that LAN clients can contact OpenVPN clients). The OpenVPN server has 192.168.88.1 as the gateway.
Also, DST-NAT is configured on the Mikrotik so that clients from the Internet can reach the OpenVPN server and through it get into the main LAN.
When setting up the firewall, namely the "drop invalid connections" rule in the forward chain, clients cannot reach local LAN resources: pings from OpenVPN clients do not get through. However, pings from the LAN do reach OpenVPN clients. If I disable the invalid rule, OpenVPN clients start pinging LAN resources. Please help, or at least indicate in which direction to go, in order to establish correct two-way interaction between OpenVPN clients and the LAN. Also, it is not clear why this traffic ends up as invalid.
Here are the current rules:
/ip firewall filter
add action=drop chain=input comment="Drop echo request" icmp-options=8:0 in-interface-list=WAN protocol=icmp
add action=accept chain=input comment="Accept ICMP" protocol=icmp
add action=accept chain=input comment="Accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="Allow remote WinBox access from WAN" dst-port=8291 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=drop chain=input comment="Drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="Accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=drop chain=forward comment="Drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
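The symptom described above is what asymmetric routing looks like to connection tracking: the Mikrotik sees only the LAN-to-OpenVPN half of each flow, so it has no conntrack entry for the reply and drops it as invalid. The RouterOS snippet below is an added illustration of a firewall-side fix, not part of the original question; it assumes the "LAN" interface list from the posted rules and the addresses given in the question.

```routeros
# Why the OpenVPN -> LAN replies are "invalid" on the Mikrotik (asymmetric path):
#   10.0.8.x -> 192.168.88.x : the OpenVPN server (192.168.88.30) is on the LAN
#                              segment, so it delivers the packet directly to the
#                              LAN host; the Mikrotik never sees this half.
#   192.168.88.x -> 10.0.8.x : the LAN host sends its reply to its default gateway
#                              192.168.88.1, which forwards it back out the same
#                              LAN interface towards 192.168.88.30.
# Connection tracking sees the reply without a matching request (e.g. an ICMP echo
# reply with no echo request), marks it invalid, and "Drop invalid" in chain=forward
# discards it. LAN -> OpenVPN works because the router sees the request half
# (connection-state=new), which the existing forward chain lets through.

/ip firewall filter
# Accept hairpinned LAN<->OpenVPN traffic before the invalid drop. Uses the "LAN"
# interface list that the existing rules already define.
add action=accept chain=forward \
    comment="Accept LAN->OpenVPN hairpin (asymmetric route via 192.168.88.30)" \
    in-interface-list=LAN out-interface-list=LAN \
    src-address=192.168.88.0/24 dst-address=10.0.8.0/24 \
    place-before=[find chain=forward comment="Drop invalid"]

# Alternative (use one approach, not both): do not track these flows at all.
# Untracked packets then match the existing "Accept established,related,untracked"
# forward rule instead of ever reaching "Drop invalid".
#/ip firewall raw
#add action=notrack chain=prerouting src-address=192.168.88.0/24 dst-address=10.0.8.0/24
#add action=notrack chain=prerouting src-address=10.0.8.0/24 dst-address=192.168.88.0/24
```

Either rule only papers over the asymmetry; giving the LAN hosts their own route for 10.0.8.0/24 via 192.168.88.30 (for example through a DHCP static route option) removes it entirely, and the unmodified "Drop invalid" rule can then stay.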