fasttrack and ipsec

edit - 9/20/2015 - future readers, disregard this thread (i can't see how to delete it).

this post on the fasttrack thread seems to match my symptoms...
Radius server not working in 2.8.11

last week i tried to deploy a new mikrotik router and ipsec vpn (just like i always have) yet it would not pass traffic (except for ping).

long story short, it seems the default enabling of fasttrack interferes with ipsec?? and the mikrotik for dummies documentation regarding this new reality is lacking. (so maybe fasttrack shouldn't be enabled by default?)

i have tried disabling the default fasttrack firewall rule, but the vpn doesn't pass anything but icmp. can i disable fasttrack altogether?

following https://schemen.me/mikrotik-fast-track-that-excludes-ipsec/ i have tried to mark ipsec traffic and exclude that traffic from the fasttrack rule, but the vpn won't pass any traffic.

what changes/additions to the traditional NAT bypass firewall rule are needed to get ipsec working right with fasttrack enabled?

Can you show VPN, Firewall, NAT config?

/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established,related
add chain=input comment="allow winbox remote" dst-port=8291 protocol=tcp
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
add action=fasttrack-connection chain=forward comment="default configuration" connection-mark=!ipsec connection-state=established,related
add chain=forward comment="default configuration" connection-state=established,related
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=new in-interface=ether1-gateway
/ip firewall mangle
add action=mark-connection chain=forward comment="Mark IPsec" ipsec-policy=out,ipsec new-connection-mark=ipsec
add action=mark-connection chain=forward comment="Mark IPsec" ipsec-policy=in,ipsec new-connection-mark=ipsec
/ip firewall nat
add chain=srcnat dst-address=192.168.237.0/24 src-address=192.168.235.0/24
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway

/ip ipsec proposal
set [ find default=yes ] lifetime=1d pfs-group=modp1536
/ip ipsec peer
add address=1.1.1.1/32 dh-group=modp1536 enc-algorithm=aes-128 nat-traversal=no secret=password01
/ip ipsec policy
add dst-address=192.168.237.0/24 sa-dst-address=1.1.1.1 sa-src-address=2.2.2.2 src-address=192.168.235.0/24 tunnel=yes

Looks good so far - are you sure VPN traffic is allowed in the firewall? (local and remote)

i was under the impression that my nat bypass rule on either side was sufficient to allow all traffic between the lans.

i.e. on my 192.168.237.0/24 network i have rule:
add chain=srcnat dst-address=192.168.237.0/24 src-address=192.168.235.0/24

i.e. on my 192.168.235.0/24 network i have rule:
add chain=srcnat dst-address=192.168.235.0/24 src-address=192.168.237.0/24

do i need to also allow traffic on the forward chain?

The NAT accept-rule does not permit traffic from/to IPsec. It is like an exception. If a packet leaves your WAN interface, it will be NATted usually. If the IPsec packet gets natted, the remote device will not find any policy for it.

The NAT accept-rule means that the packet source address will not be changed. For allowing the packets flowing through IPsec, you still need firewall rules which accept the traffic in input / forward chain.

i don’t know what i was thinking about the src nat rule, my bad

something like this should allow all traffic?

on my 192.168.237.0/24 network i have rule:
add action=accept chain=forward dst-address=192.168.237.0/24 src-address=192.168.235.0/24

on my 192.168.235.0/24 network i have rule:
add action=accept chain=forward dst-address=192.168.235.0/24 src-address=192.168.237.0/24

as a sanity check, i set up an ipsec vpn on older v6.25 (no fasttrack) routers (with the above rules in place) and still can't ping other hosts on the remote lan. i have really lost the plot somewhere!
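Pulling together the three pieces raised in this thread (the forward-chain accept rules, the NAT bypass, and keeping IPsec traffic away from fasttrack), here is an added example of a complete, ordered rule set written for this post; it is not configuration from any poster, and it assumes the addresses quoted above and the default-configuration rule names. It uses accept-before-fasttrack ordering in place of the connection-mark exclusion tried earlier.

```routeros
# Added example, not from any poster in this thread: one ordered rule set for
# the site whose LAN is 192.168.235.0/24, whose peer is 1.1.1.1 and whose
# remote LAN is 192.168.237.0/24 (addresses taken from the thread). The other
# site mirrors it with the two networks and the peer address swapped.

/ip firewall filter
# input: let IKE (UDP 500), NAT-T (UDP 4500) and ESP from the peer in before
# the default drop-everything-from-WAN rule; otherwise the peer can never
# initiate IKE towards this router.
add chain=input action=accept protocol=icmp comment="default configuration"
add chain=input action=accept connection-state=established,related comment="default configuration"
add chain=input action=accept src-address=1.1.1.1 protocol=udp dst-port=500,4500 comment="IKE and NAT-T from peer"
add chain=input action=accept src-address=1.1.1.1 protocol=ipsec-esp comment="ESP from peer"
add chain=input action=accept protocol=tcp dst-port=8291 comment="allow winbox remote"
add chain=input action=drop in-interface=ether1-gateway comment="default configuration"

# forward: packets that match an IPsec policy are accepted here, ABOVE the
# fasttrack rule, so their connections are never fasttracked (fasttracked
# packets bypass IPsec processing and would leave the WAN in the clear), and
# ABOVE the default drop rules, so new connections from the remote LAN are
# not discarded. This replaces the mangle connection-mark exclusion.
add chain=forward action=accept ipsec-policy=in,ipsec comment="decrypted traffic from remote LAN"
add chain=forward action=accept ipsec-policy=out,ipsec comment="traffic about to be encrypted to remote LAN"
add chain=forward action=fasttrack-connection connection-state=established,related comment="default configuration"
add chain=forward action=accept connection-state=established,related comment="default configuration"
add chain=forward action=drop connection-state=invalid comment="default configuration"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1-gateway comment="default configuration"

/ip firewall nat
# srcnat: the bypass rule must sit before masquerade. Matching on the IPsec
# policy instead of fixed addresses covers every policy on this router.
add chain=srcnat action=accept ipsec-policy=out,ipsec comment="do not NAT traffic that IPsec will encrypt"
add chain=srcnat action=masquerade out-interface=ether1-gateway comment="default configuration"
```

The /ip ipsec proposal, peer and policy entries from the earlier post are unchanged; only rule order and the accept rules differ from the configuration dumped above.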