Please forgive a newbie if the answer is somewhere obvious but I can’t find it…
I am trying to set up 2 MikroTik routers to create:
a) A main site firewall for general web traffic with an IPSEC VPN connection for a branch office
b) The branch office VPN router
I have the IPSEC up and running in a test environment but my problem is I want very different firewall rules for the VPN to general web traffic. How do I flag all packets that will be going through the VPN so that I can put them down a separate FORWARD filter?
Tried packet mark on mangle PreRouting but this only identifies incoming packets; outgoing packets appear to go through the FORWARD queue (where I would block them) before they are encapsulated. Had a brief play with connection marks but no joy (probably doing it wrong?)
I’m sure there is an obvious answer but I can’t find it/work it out. Can anyone point me in the right direction?
Ben
Take a look at the diagram here:
http://www.mikrotik.com/testdocs/ros/2.9/ip/flow.php
It’ll give you a better idea of where you need to place rules etc.
Regards
Andrew
Thanks Andrew, I had another look at this (and did a few test rules which seem to back up my assumptions)
I believe an outgoing packet going out on an IPSEC tunnel goes through:
Input Interface → Pre-Routing → Forward → Post-Routing
It is then encrypted before going through
Output → Post-Routing → Output-Interface
Assuming I’m right in this I guess my question boils down to “Is there a better way than Destination Address to identify an outgoing packet when it passes unencrypted through the Forward queue?”
As far as I can work out destination address is the only thing that IDs the packet on the first pass through the forward queue, but future reconfiguration could leave a big hole in my firewall. I was hoping there might be something more concrete to base a jump out of the normal internet forward rules chain into a looser set of rules specific to the tunnel.
Destination address may well be the best idea (it will be a private 10.x.x.x address anyway so risk is not huge) but it just felt like there should be a better way…
Ben
Ben
Destination address would be the usual way of doing this.
Regards
Andrew
Can you run a tunnel down that ipsec? That way you have an incoming and outgoing interface you can filter against. Even if it’s just a simple IPIP tunnel …
Sam
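Both suggestions in this thread written out as RouterOS firewall configuration. This is an added example, not configuration posted by Ben, Andrew or Sam; the subnets, public addresses, chain name and interface name are placeholders chosen for the illustration.

```routeros
# --- Option 1 (Andrew): key the jump on the tunnel subnets ---
# Placeholder subnets: main site 10.10.0.0/24, branch office 10.20.0.0/24.
# Both directions of site-to-site traffic pass the forward chain
# unencrypted (before encapsulation on the way out, after decryption on
# the way in), so the jumps must sit above the general internet rules.
/ip firewall filter
add chain=forward src-address=10.10.0.0/24 dst-address=10.20.0.0/24 \
    action=jump jump-target=vpn-forward comment="to branch via IPsec"
add chain=forward src-address=10.20.0.0/24 dst-address=10.10.0.0/24 \
    action=jump jump-target=vpn-forward comment="from branch via IPsec"
# Looser rule set for the tunnel only. Finish with an explicit drop: a
# packet that reaches the end of a jumped-to chain without a terminating
# action returns to "forward" and would then be judged by the internet
# rules after all.
add chain=vpn-forward connection-state=established,related action=accept
add chain=vpn-forward protocol=tcp dst-port=445 action=accept comment="SMB"
add chain=vpn-forward protocol=icmp action=accept
add chain=vpn-forward action=drop comment="nothing else crosses the tunnel"
# Everything below is the ordinary internet forward policy.
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward action=drop

# --- Option 2 (Sam): run an IPIP tunnel inside the IPsec policy ---
# Placeholder public endpoints: 203.0.113.1 (main), 198.51.100.1 (branch).
# The existing IPsec policy must then cover IPIP (protocol 4) between the
# two endpoints; the firewall matches on the tunnel interface instead of
# on addresses that a later renumbering might silently change.
/interface ipip
add name=ipip-branch local-address=203.0.113.1 remote-address=198.51.100.1
/ip address
add address=172.16.0.1/30 interface=ipip-branch
/ip route
add dst-address=10.20.0.0/24 gateway=172.16.0.2
# These two jumps replace the address-based jumps of option 1 and must
# likewise be placed above the general internet rules.
/ip firewall filter
add chain=forward out-interface=ipip-branch action=jump \
    jump-target=vpn-forward comment="to branch via IPIP"
add chain=forward in-interface=ipip-branch action=jump \
    jump-target=vpn-forward comment="from branch via IPIP"
```

With option 2 the branch router mirrors the tunnel with the addresses swapped (172.16.0.2/30, route to 10.10.0.0/24 via 172.16.0.1).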