add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \

So I have 3 sites (A, B, C), with IPsec tunnels between the sites.
On site C I have this rule enabled:
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=pppoe
On site A I have PRTG monitoring. The PRTG ICMP sensors are not able to communicate with devices on the local network at site C.
I am also not able to ping local devices at site C via the VPN from site B.
ICMP is enabled on the firewall at site C, so I am able to ping the router gateway at site C from sites A and B, but I can't ping anything else on the local LAN.

If I disable the rule
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=pppoe
everything comes back to normal and ICMP works with no problems; I can ping everything from sites A and B.
Could someone explain WHY, and how to resolve this?

I suspect the reason is that IPsec decryption occurs before the packet gets to the forward chain; the packet is not destination NATed, so it gets dropped. Rule order can affect this, so if you can paste an export of your firewall filter and NAT rules, we can have a look.

That's it. From the firewall's perspective, traffic from the IPsec tunnel is like any other traffic from the internet. To distinguish it from internet traffic, you can use the ipsec-policy matcher. For example, you can allow everything from the IPsec tunnel if you put this before the drop rule:

/ip firewall filter
add action=accept chain=forward ipsec-policy=in,ipsec
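
The following is an added worked example (not from the posts above) of how that accept rule fits into site C's forward chain. It assumes the defconf drop rule keeps the comment shown in the thread, that the WAN interface is pppoe, and that the remote LANs are 192.168.1.0/24 (site A) and 192.168.2.0/24 (site B) and the local LAN is 192.168.3.0/24; those addresses and the address-list name are made up for the example. The key point is ordering: the accept for decrypted IPsec traffic must sit before the "!dstnat" drop, because that drop matches the first (connection-state=new) packet of every ping or PRTG probe coming out of the tunnel.

```routeros
# Added example, not the original poster's export. Assumed names/addresses:
#   WAN interface pppoe, remote LANs 192.168.1.0/24 and 192.168.2.0/24,
#   local LAN 192.168.3.0/24, address list "site_lans".

/ip firewall address-list
add list=site_lans address=192.168.1.0/24 comment="site A LAN"
add list=site_lans address=192.168.2.0/24 comment="site B LAN"

/ip firewall filter
# Option 1 (the answer above): accept anything that was decrypted by an IPsec
# policy, and place it ahead of the defconf drop by matching that rule's comment.
add action=accept chain=forward comment="allow decrypted IPsec traffic" \
    ipsec-policy=in,ipsec \
    place-before=[find comment="defconf: drop all from WAN not DSTNATed"]

# Option 2 (tighter): only accept tunnel traffic that really comes from the
# remote site LANs and is headed for the local LAN. Use this instead of
# option 1 if you do not want to trust everything the tunnel carries.
# add action=accept chain=forward comment="allow site A/B LANs via IPsec" \
#     ipsec-policy=in,ipsec src-address-list=site_lans \
#     dst-address=192.168.3.0/24 \
#     place-before=[find comment="defconf: drop all from WAN not DSTNATed"]

# The defconf rule that caused the symptom stays enabled below the accept:
#   add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
#       connection-nat-state=!dstnat connection-state=new in-interface=pppoe

# Check the order and confirm the accept rule is counting hits while a ping
# from site A or B is running:
/ip firewall filter print stats where chain=forward
```

The "ipsec-policy=in,ipsec" matcher is true only for packets that arrived through an IPsec policy (i.e. were just decrypted), so plain internet traffic on pppoe still falls through to the drop. If the accept's byte counter stays at zero while pings fail, the rule is still ordered after the drop, or the traffic is not actually inside the tunnel (e.g. the IPsec policy selectors do not cover the subnet you are pinging).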

Thank you guys, I really appreciate your help. Both of you are right and your advice resolved my problem.