Currently running on 6.47beta60 in the hopes of being able to use the new DNS features.
I don’t have any non standard Firewall entries or custom routes. I’ve tried every combination I can but none worked.
On any client connected to Mikrotik 1 I can ping and access Mikrotik 2 itself and its clients. However, from Mikrotik 1 itself I can’t ping Mikrotik 2 or any of its clients unless I specify the src Address in the ping. Now normally this wouldn’t be a big deal, but the problem is that on Network 2 connected to Mikrotik 2 I have a DNS server that’s being used to lookup local machines and try as I may I can’t get Mikrotik 1 to use that DNS server.
Multiple reasons are possible but the following one is most common:
When forwarding packets, the router doesn’t change their source address unless NAT behaviour has been intentionally configured.
But when sending packets on its own, the router chooses the source address depending on the out-interface chosen by routing to send them. So if you only have a default route and you use plain IPsec with policy matching, the router itself uses its WAN address as source of the pings and DNS requests, hence the policy ignores them.
If this is the reason, you can either add a route to the destination subnet and set its pref-src to the LAN address of your Mikrotik which matches the policy’s src-address, or you can insert an exceptional action=src-nat rule with to-addresses set to the LAN address of your Mikrotik before the generic src-nat/masquerade one, with dst-address matching the destination subnet.
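The src-nat variant from the answer above, written out as an added example (not part of the original post). It assumes the addressing the later post in this thread gives: local LAN 10.21.0.0/16 with the router at 10.21.210.250, remote LAN 10.8.0.0/16 behind the tunnel, WAN interface ether1, and a policy src-address=10.21.0.0/16 dst-address=10.8.0.0/16. The exception rule is additionally restricted to packets whose source is not already in the LAN, so it only rewrites router-originated traffic and leaves forwarded LAN-to-LAN packets untouched; that restriction is this example's choice, not something the answer requires.

```routeros
# Added example, not from the original posts. Assumed addressing:
#   local LAN 10.21.0.0/16, router LAN address 10.21.210.250
#   remote LAN 10.8.0.0/16 reached through the IPsec policy
#   WAN interface ether1

/ip firewall nat
# Ordinary masquerade for Internet traffic. ipsec-policy=out,none keeps it
# from touching packets that an IPsec policy will encapsulate.
add chain=srcnat out-interface=ether1 ipsec-policy=out,none \
    action=masquerade comment="internet"

# Exception for router-originated traffic towards the remote subnet:
# the router picked its WAN address as source (default route), so rewrite
# it to the LAN address that matches the policy's src-address.
# src-address=!10.21.0.0/16 means "not already from the LAN", i.e. only
# packets the router generated itself. place-before=0 puts the rule at the
# top, ahead of the masquerade rule.
add chain=srcnat src-address=!10.21.0.0/16 dst-address=10.8.0.0/16 \
    action=src-nat to-addresses=10.21.210.250 place-before=0 \
    comment="router-originated traffic into IPsec"

# Verification: the ping from the router should now get replies without a
# src-address override, and the exception rule's counters should increase.
/ping 10.8.210.250 count=3
/ip firewall nat print stats
```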
Thank you very much for this insight. It helped me solve a long on-going DNS issue that I just could not pinpoint a clean way to resolve it.
I do however wish that MikroTik would auto-add the appropriate items to make this work when the connection is established, but I can appreciate the learning curve.
Also MikroTik please note if you’re reading this that DNS does not appear to work over IPSec unless you manually DST-NAT the traffic, or take out all other DNS servers or set the mode config DNS to exclusive.
I have the same problem that my router cannot reach a DNS-server through IPsec-tunnel.
For the machines behind the router, it’s working - so there’s a chance that your proposal could solve my issue.
I’d like to set up the route solution (@sindy), but unfortunately it does not work.
The two networks are 10.8.0.0/16 and 10.21.0.0/16 (MTs are on 10.8.210.250 and 10.21.210.250).
So I created a route with 10.8.0.0/16 as Dst. Address and 10.21.210.250 as Pref. Source (no value for Gateway).
Sadly, it’s considered as invalid - maybe I have to specify a value for gateway?
Thanks for any help - not being able to use the MT-DNS over IPsec is really a bad thing.
Yes, a route must have some gateway set. But for your purpose, you may set it to a name of any interface that stays up (such as the local bridge), because it is enough that the system would see the route as active; the IPsec policy will intercept the packets and send them down its Security Association.
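The route variant, with the interface-as-gateway detail from the answer directly above, as an added example (not part of the original posts). It uses the addresses the asker gave (router 10.21.210.250, remote network 10.8.0.0/16) and assumes the local bridge is named "bridge"; the DNS server address 10.8.0.53 is a placeholder, since the thread never states it.

```routeros
# Added example, not from the original posts. Assumed addressing:
#   this router: 10.21.210.250 on bridge interface "bridge"
#   remote LAN:  10.8.0.0/16 reached through the IPsec policy
#   DNS server behind the tunnel: 10.8.0.53 (placeholder, not from the thread)

/ip route
# The route only needs to be active so that pref-src is applied to
# router-originated packets. The gateway is therefore just an interface
# that stays up; the IPsec policy intercepts the packets before they are
# actually sent out of the bridge.
add dst-address=10.8.0.0/16 gateway=bridge pref-src=10.21.210.250 \
    comment="source address for router-originated traffic into IPsec"

# Check: the route must show the A (active) flag. A route with no gateway
# at all is rejected as invalid, which was the asker's original symptom.
/ip route print where dst-address=10.8.0.0/16

# Router-originated ping now leaves with 10.21.210.250 as source and
# matches the policy's src-address without a src-address override.
/ping 10.8.210.250 count=3

# With the source address fixed, the router's own resolver can use the
# DNS server behind the tunnel.
/ip dns set servers=10.8.0.53
/ip ipsec policy print
```

If the ping works but DNS still does not, compare the source address of the DNS queries (for example with /tool sniffer quick ip-address=10.8.0.53) against the policy's src-address; the route only helps when the pref-src address actually matches that policy.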
I used “%bridge” (my bridge is named “bridge”) as gateway and it works immediately! GREAT!!
Your answer should be included in the official RouterOS docs.
Thanks again!