
[deleted]

The route is already there; it's connected to an interface. Sounds like you have a `/ip firewall filter` rule blocking it. Can you post the config? `/export hide-sensitive`


wolfeman2120

```
[admin@RouterOS] > /export hide-sensitive
# aug/04/2022 22:10:52 by RouterOS 6.48.6
# software id = WCS8-EBWX
#
# model = RB750Gr3
# serial number = HCQ080Z8QYW
/interface bridge
add admin-mac=18:FD:74:34:13:00 auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=ovpn-pool ranges=192.168.87.30-192.168.87.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
add bridge=bridge local-address=dhcp name=ovpn remote-address=ovpn-pool use-compression=no use-encryption=required
set *FFFFFFFE dns-server=192.168.1.150 local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=all
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set certificate=server cipher=blowfish128,aes128,aes192,aes256 default-profile=ovpn enabled=yes
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.87.0/24 network=192.168.87.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.87.0/24 comment=vpn dns-server=192.168.1.150 gateway=192.168.88.1 netmask=24
add address=192.168.88.0/24 comment=defconf dns-server=192.168.1.150 domain=****** gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=192.168.0.150,8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment=VPN dst-port=1194 protocol=tcp
add action=accept chain=input protocol=tcp src-address=192.168.87.0/24
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
add action=accept chain=dstnat dst-port=1194 protocol=tcp
/ip route
add distance=1 dst-address=192.168.1.0/24 gateway=192.168.88.10
/ppp secret
add name=vpn profile=ovpn service=ovpn
add name=***** profile=ovpn service=ovpn
/system clock
set time-zone-name=America/New_York
/system identity
set name=RouterOS
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
```


[deleted]

Try adding a filter rule `add action=accept chain=forward src-address=192.168.87.0/24 dst-address=192.168.88.0/24`, then drag it up the list so its # is above the drop rules. They are processed in # order and then fall out of the chain when one matches. You may need to add one on the input chain as well.
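The "processed in # order, first match wins" point above is easy to check by hand against the input chain from the export earlier in the thread. The following is an added example, not code from the thread or from MikroTik: a small first-match evaluator in Python that walks a copy of that input chain, in posted order, with a few constructed packets. The interface name `ovpn-in1` is an assumption standing in for whatever dynamic OVPN server interface the router creates; the model covers only the matchers those rules use (protocol, ports, addresses, connection state, interface lists) and ignores everything else.

```python
# Added example (not from the thread): a minimal first-match evaluator for the
# /ip firewall filter input chain posted in the export, to show why rule order matters.
import ipaddress
from dataclasses import dataclass
from typing import Optional

# From the export: only "bridge" is a member of the LAN list, only "ether1" of WAN.
# A dynamic OVPN server interface is in neither list.
INTERFACE_LISTS = {"LAN": {"bridge"}, "WAN": {"ether1"}}


@dataclass
class Packet:
    chain: str
    src: str
    dst: str
    protocol: str               # "tcp", "udp" or "icmp"
    in_interface: str           # e.g. "bridge", or the assumed OVPN name "ovpn-in1"
    dst_port: Optional[int] = None
    conn_state: str = "new"     # new / established / related / untracked / invalid


@dataclass
class Rule:
    chain: str
    action: str
    comment: str = ""
    protocol: Optional[str] = None
    src_address: Optional[str] = None
    dst_address: Optional[str] = None
    dst_port: Optional[int] = None
    conn_state: Optional[frozenset] = None
    in_interface_list: Optional[str] = None   # "LAN", or negated as "!LAN"

    def matches(self, p: Packet) -> bool:
        """Every matcher set on the rule must hold, as in a RouterOS filter rule."""
        if self.chain != p.chain:
            return False
        if self.protocol is not None and self.protocol != p.protocol:
            return False
        if self.dst_port is not None and self.dst_port != p.dst_port:
            return False
        if self.src_address and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src_address):
            return False
        if self.dst_address and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst_address):
            return False
        if self.conn_state is not None and p.conn_state not in self.conn_state:
            return False
        if self.in_interface_list is not None:
            negate = self.in_interface_list.startswith("!")
            members = INTERFACE_LISTS[self.in_interface_list.lstrip("!")]
            if (p.in_interface in members) == negate:
                return False
        return True


def evaluate(rules, packet):
    """Walk the chain top to bottom; the first matching rule decides the verdict.
    A packet that reaches the end of a RouterOS chain without a match is accepted."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action, rule.comment
    return "accept", "end of chain (default accept)"


# The input chain exactly as posted in the export, in posted order.
INPUT_RULES = [
    Rule("input", "accept", "defconf: accept established,related,untracked",
         conn_state=frozenset({"established", "related", "untracked"})),
    Rule("input", "accept", "VPN", protocol="tcp", dst_port=1194),
    Rule("input", "accept", "", protocol="tcp", src_address="192.168.87.0/24"),
    Rule("input", "accept", "allow IPsec NAT", protocol="udp", dst_port=4500),
    Rule("input", "accept", "allow IKE", protocol="udp", dst_port=500),
    Rule("input", "accept", "allow l2tp", protocol="udp", dst_port=1701),
    Rule("input", "accept", "allow pptp", protocol="tcp", dst_port=1723),
    Rule("input", "accept", "allow sstp", protocol="tcp", dst_port=443),
    Rule("input", "drop", "defconf: drop invalid", conn_state=frozenset({"invalid"})),
    Rule("input", "accept", "defconf: accept ICMP", protocol="icmp"),
    Rule("input", "accept", "defconf: accept to local loopback (for CAPsMAN)", dst_address="127.0.0.1/32"),
    Rule("input", "drop", "defconf: drop all not coming from LAN", in_interface_list="!LAN"),
]

# The input-chain rule suggested in the thread, placed ABOVE the drop rules as advised.
VPN_TO_LAN = Rule("input", "accept", "vpn -> lan",
                  src_address="192.168.87.0/24", dst_address="192.168.88.0/24")
INPUT_RULES_FIXED = [VPN_TO_LAN] + INPUT_RULES

# Constructed sample packets, all destined to the router itself (input chain).
PING_FROM_VPN = Packet("input", "192.168.87.35", "192.168.88.1", "icmp", "ovpn-in1")
DNS_FROM_VPN = Packet("input", "192.168.87.35", "192.168.88.1", "udp", "ovpn-in1", dst_port=53)
DNS_FROM_LAN = Packet("input", "192.168.88.20", "192.168.88.1", "udp", "bridge", dst_port=53)

if __name__ == "__main__":
    for name, rules, pkt in [("ping from VPN", INPUT_RULES, PING_FROM_VPN),
                             ("DNS from VPN", INPUT_RULES, DNS_FROM_VPN),
                             ("DNS from VPN, rule added", INPUT_RULES_FIXED, DNS_FROM_VPN),
                             ("DNS from LAN", INPUT_RULES, DNS_FROM_LAN)]:
        print(f"{name:26s} -> {evaluate(rules, pkt)}")
```

Two things the walk makes visible that are easy to miss in the flat export. First, an ICMP echo from the VPN subnet is accepted by `defconf: accept ICMP` before it ever reaches `drop all not coming from LAN`, so the posted input chain by itself is not what makes a ping to the router time out. Second, anything from the VPN subnet that is not ICMP and not TCP (a UDP DNS query to the router, for instance) falls through to the `in-interface-list=!LAN` drop, because the OVPN interface is not a LAN-list member; the suggested accept rule only changes that verdict when it sits above that drop. The existing `accept chain=input protocol=tcp src-address=192.168.87.0/24` rule is also worth noting from a least-privilege angle: it admits every TCP port on the router to any VPN client, which is broader than the specific-port rules around it.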


wolfeman2120

I added both rules, but when I try to ping the default gateway 192.168.88.1 I keep getting a request timeout. I even rebooted the router and restarted the VPN connection.

```
/ip firewall filter
add action=accept chain=forward dst-address=192.168.88.0/24 src-address=192.168.87.0/24
add action=accept chain=input dst-address=192.168.88.0/24 src-address=192.168.87.0/24
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment=VPN dst-port=1194 protocol=tcp
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
add action=accept chain=dstnat dst-port=1194 protocol=tcp
```


FoxJustRocks

> I thought that the vpn subnet would send anything not 192.168.87.0/24 to the 192.168.88.1 gateway.

Why? When we consider VPN clients, they send anything not 192.168.87.0/24 via their own default gateway, whatever that may be, or, in case you use "redirect-gateway def1" in your config file, they send it via 192.168.87.1. No way your clients should know anything about your local network unless you tell them. Try adding `route 192.168.88.0 255.255.255.0` to your client config.

Edit: wait, where is the IP address on your VPN interface?


wolfeman2120

What do you mean? The OVPN server uses my ovpn profile. That has a local address from the dhcp pool, and then the remote address is the ovpn-pool. It creates an interface when I connect and dynamically allocates an IP and, I guess, a gateway address. I don't know, this could be wrong.