1

Topic:

Greetings, all. There is an OpenVPN server on Debian with a tun adapter. There is also a MikroTik with 4 IP addresses. The problem is that only 2 of the IPs on the MikroTik are visible from the OpenVPN server, and the remaining ones are not.
Now, more specifically:
The routing table on the OpenVPN server:

 default via 192.168.16.1 dev eth0 metric 1
10.8.0.0/24 via 10.8.0.2 dev tun0
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
10.30.0.0/20 via 10.8.0.2 dev tun0
192.168.8.0/24 via 10.8.0.2 dev tun0
192.168.16.0/20 dev eth0 proto kernel scope link src 192.168.30.1 

The IP addresses on the MikroTik:

 # ADDRESS NETWORK INTERFACE
0 10.30.0.1/20 10.30.0.0 ether2
1 D 192.168.10.2/24 192.168.10.0 ether1
2 D 192.168.8.100/24 192.168.8.0 lte1
3 D 10.8.0.29/32 10.8.0.30 

The essence is that from the OpenVPN server I can reach the addresses 10.8.0.29 and 10.30.0.1. But I cannot reach 192.168.8.100 and, accordingly, 192.168.8.1!!! And I need that.
I also cannot understand what the problem is.
In addition, here is the MikroTik filter:

Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 X chain=forward action=log src-address=10.8.0.1 log=yes log-prefix="XXX"
2 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp log=no log-prefix=""
3 ;;; defconf: accept established, related
chain=input action=accept connection-state=established,related log=no log-prefix=""
4 ;;; allow l2tp
chain=input action=accept protocol=udp dst-port=1701 log=no log-prefix=""
5 ;;; allow pptp
chain=input action=accept protocol=tcp dst-port=1723 log=no log-prefix=""
6 ;;; allow sstp
chain=input action=accept protocol=tcp dst-port=443 log=no log-prefix=""
7 ;;; defconf: drop all from WAN
chain=input action=drop in-interface=ether1 log=no log-prefix=""
8 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""
9 ;;; defconf: accept established, related
chain=forward action=accept connection-state=established,related log=no log-prefix=""
10 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid log=no log-prefix=""
11 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1 log=no log-prefix=""
12 ;;; drop all from lte1
chain=input action=drop in-interface=lte1 log=no log-prefix=""
13 ;;; drop all from lte1 not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=lte1 log=no log-prefix=""
14 ;;; failover
chain=output action=drop protocol=icmp dst-address=8.8.4.4 out-interface=lte1 log=no log-prefix=""
15 ;;; failover
chain=output action=drop protocol=icmp dst-address=8.8.8.8 out-interface=ether1 log=no log-prefix=""

And also the NAT:

Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade src-address=192.168.8.0/24 out-interface=lte1 log=no log-prefix=""
1 chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix=""
2 chain=srcnat action=masquerade src-address=10.30.0.0/20 out-interface=myvpn log=no log-prefix=""
3 chain=srcnat action=masquerade out-interface=lte1 log=no log-prefix=""

The MikroTik routing table:

Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S;;; adsl
0.0.0.0/0 192.168.10.1 1
1 X S;;; lte1
0.0.0.0/0 192.168.8.1 1
2 A S;;; google
8.8.4.4/32 192.168.10.1 1
3 A S;;; google
8.8.8.8/32 192.168.8.1 1
4 ADS 10.8.0.0/24 10.8.0.30 0
5 ADC 10.8.0.30/32 10.8.0.29 myvpn 0
6 A S 10.20.0.0/22 10.8.0.30 1
7 X S 10.21.0.0/22 10.8.0.30 1
8 ADC 10.30.0.0/20 10.30.0.1 bridge1 0
9 A S 10.30.100.0/24 10.8.0.30 1
10 ADC 192.168.8.0/24 192.168.8.100 lte1 0
11 ADC 192.168.10.0/24 192.168.10.2 ether1 0

If I run a traceroute on the server, this is the picture I get:

traceroute to 192.168.8.100 (192.168.8.100), 30 hops max, 60 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *

But at the same time it works fine for 10.30.0.1:

traceroute to 10.30.0.1 (10.30.0.1), 30 hops max, 60 byte packets
1 10.30.0.1 (10.30.0.1) 60.182 ms 60.189 ms 74.119 ms

Can someone explain what I am not understanding here? Why does the routing not work?

2

Re:

CJ1
On OpenVPN the server such table of routing:
And it has no route to 192.168.8.100/24
-2-, the OpenVPN server config also needs to be looked at. If it is p2p there, , but if it is tls-server with topology net30, the networks for the client need to be registered with the iroute command in a ccd context
Added on 7/5/2018 20:24:
CJ1
As I can not ... 192.168.8.1
192.168.8.1 should have a reverse route through the MikroTik, at least to 10.8.0.0/24, at most to all networks of the server
Or src-nat all traffic going to it to the IP 192.168.8.100
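
A check for the situation described in the reply above, as an added example that is not part of the original thread: on a multi-client tun server, a kernel `route` into the tunnel is not enough, because OpenVPN also needs an `iroute` in some client's ccd file to know which client owns the subnet. The config text, the ccd contents and the client name `mikrotik` are constructed for illustration, and every `route` line is assumed to point into the tunnel.

```python
import ipaddress

# Constructed sample server.conf (not taken from the thread).
SERVER_CONF = """\
server 10.8.0.0 255.255.255.0
topology net30
client-config-dir ccd
route 10.30.0.0 255.255.240.0   # kernel route into tun0
route 192.168.8.0 255.255.255.0 # kernel route into tun0
"""

# Constructed ccd directory: file name = client common name (hypothetical).
CCD = {"mikrotik": "iroute 10.30.0.0 255.255.240.0\n"}


def parse_nets(text, directive):
    """Return the networks named by '<directive> <network> [netmask]' lines."""
    nets = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == directive:
            # Both route and iroute default to a host mask when none is given.
            mask = parts[2] if len(parts) > 2 else "255.255.255.255"
            nets.append(ipaddress.ip_network(f"{parts[1]}/{mask}"))
    return nets


def unclaimed_routes(server_conf, ccd):
    """Networks routed into the tunnel that no client claims via iroute."""
    claimed = [n for body in ccd.values() for n in parse_nets(body, "iroute")]
    return [net for net in parse_nets(server_conf, "route")
            if not any(net.subnet_of(c) for c in claimed)]


def iroute_line(net):
    """The ccd line that would claim `net` for a client."""
    return f"iroute {net.network_address} {net.netmask}"


if __name__ == "__main__":
    for net in unclaimed_routes(SERVER_CONF, CCD):
        print(f"{net}: kernel route exists, but no client has: {iroute_line(net)}")
```
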

3

Re:

vinni, thanks a lot for the help. Indeed, iroute simply had not been added in the ccd.....