oVPN routing question, in merlin FW

[MasterMax_san]

Hi !

I use latest merlin FW 374.43, I successfully created oVPN conection router to router, and I have 1 problem, below is my connection cheme:

+----------------+ +----------------+
|LAN 192.168.11.2 | |LAN 192.168.11.3 | ....
+----------------+ +----------------+
| |
+-------------------+-------- ....
|
{lan}
|
+----------------+
|LAN 192.168.11.1 |
| | server
|WAN xx.xx.xx.xx | (rt-n66u)
|VPN 10.4.0.5|
+----------------+
|
.....
{vpn}
.....
|
+----------------+
|VPN 10.4.0.6| client
|WAN xx.xx.xx.xx | (rt-n66u)
|LAN 192.168.111.1
| |
+----------------+
|
{lan}
|
+-------------------+-------- ....
| |
+----------------+ +----------------+
|LAN 192.168.111.2 | |LAN 192.168.111.3 | ....
+----------------+ +----------------+

from client network all works perfect, from 192.168.111.2...xxx I can ping and access to any pc from server router's network 192.168.11.2..xxx

but I can't ping any PC from server network in client's router network. e.g. from 192.168.11.2 I can't ping 192.168.111.2 and others

option Allow Client <-> Client on server router is enabled

but from 192.168.11.2 I can ping client's router 10.4.0.6

I think I should somehow manually add route to client's network on server router, but I don't know how to do it.

can anybody help me?

tnx!

 

[extensi0n]

Is the Firewall set to Automatic (client) or Auto (server) in the VPN configurations?

 

[MasterMax_san]

Hi!

it's automatic on both sides...

 

[extensi0n]

Great. Got burned by that before. I think you want the route command.

for example:

server router 192.168.1.1 | VPN 10.1.0.1
client router 192.168.2.1 | VPN 10.2.0.1

Below is my server config minus the CCD locations on the router.

persist-tun
persist-key
keepalive 120 480
verb 3
route 192.168.2.0 255.255.255.0
route 192.168.3.0 255.255.255.0
route 192.168.4.0 255.255.255.0
route 192.168.5.0 255.255.255.0
route 192.168.6.0 255.255.255.0
route 192.168.7.0 255.255.255.0
route 192.168.8.0 255.255.255.0
route 192.168.9.0 255.255.255.0
route 192.168.10.0 255.255.255.0
route 192.168.11.0 255.255.255.0
route 192.168.12.0 255.255.255.0
route 192.168.13.0 255.255.255.0
route 192.168.14.0 255.255.255.0
route 10.1.0.2 255.255.255.0
route 10.1.0.3 255.255.255.0
route 10.1.0.4 255.255.255.0
route 10.1.0.5 255.255.255.0
route 10.1.0.6 255.255.255.0
route 10.1.0.7 255.255.255.0
route 10.1.0.8 255.255.255.0
route 10.1.0.9 255.255.255.0
route 10.1.0.10 255.255.255.0
route 10.1.0.11 255.255.255.0
route 10.1.0.12 255.255.255.0
route 10.1.0.13 255.255.255.0
route 10.1.0.14 255.255.255.0

 

[MasterMax_san]

tnx!!!

tomorrow I'll try

 

[Rexcellent]

I too had a similar situation when setting up my VPN.

I scoured the web looking for hints and clues. The post that finally made the lightbulb go off for me was here.

I now have two-way communication between my server-side VPN and my client-side VPN. Good luck. I hope you have similar success.

 

[MasterMax_san]

tnx Rexcellent!!!

Your link was perfect for me!

I didn't try to write manual routes, I make (activate "allow only these clients")
as recommendation from Your link. And it's works perfectly, as I wished!!!
it's my settings screenshoot:

and I have very nice automatically generated routes:

and I make different net mask settings:

GKH Group Router (Client) 192.168.11.0/24 to see all network from server's router net (branch to server)
Accounting Router 192.168.12.0/24 to see all network from server's router net (branch to server)
CHRONOS Router (Client) 192.168.111.0/30 to see only 192.168.111.1 and 192.168.111.2 addresses, because it's my home network for remote administration.


tnx again for advices!!!

 

[extensi0n]

Sweet! Might have to think about changing that myself. Seems much more simple for configuration purposes!

Learned something new then...

 

[alex_mz]

Hi? i can't find "allow only these clients" and "allow clients-clients". Where is this options?
What router firmware in pictures.
Thanks

 

[MasterMax_san]

Hi!

You should go to VPN->VPN details-> "Manage Client-Specific Options" mark as "yes"

and all options will be enabled