Firewall - IPSEC - incoming-interface is WAN

Hi!

I want to set up an IPSEC WAN between a Mikrotik and a Fortigate device. The VPN is running, BUT: I am totally confused about the firewall rules.

On the mikrotik-device, incoming packets through the VPN-tunnel are coming from interface ether-6 (WAN1).
How can I configure the firewall without losing the spoofing rules?

Normally, I would configure:

  • Drop everything from LAN except established/related
  • Allow everything from IPSEC
  • Allow everything to IPSEC

/ip firewall filter
add action=drop chain=input connection-state=!established,related in-interface=ether6 log=yes

But now, I see:
input: in:ether6 … 10.10.10.1 → 10.20.20.1


Is there any way to filter on “is encrypted”?

Thank you for your help!

Stril

If your IPsec tunnel is already running then your firewall already allows input traffic for ports UDP 500 or 4500 in case of IKEv2…
So what is the case ?

That’s how it works, IPSec in RouterOS doesn’t have any interface, it transparently encrypts and decrypts packets, so if you have tunnel over internet, incoming and outgoing interface for tunneled traffic is WAN interface. What you’re looking for is ipsec-policy option, e.g. ipsec-policy=in,ipsec will match packets that came from tunnel.
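An added example (not from this thread) of how the original poster's input chain could look once the ipsec-policy match is used; the interface name ether6 comes from the question, everything else (rule order, the RFC 1918 anti-spoofing rule) is an assumption shown for illustration:

```routeros
# Added example, not from the thread. Assumes ether6 is the WAN interface
# and that the IPsec peer is reached over the internet (IKE on UDP 500/4500).
/ip firewall filter
# keep replies to connections the router itself opened
add chain=input action=accept connection-state=established,related \
    comment="accept established/related"
add chain=input action=drop connection-state=invalid comment="drop invalid"
# IKE negotiation and the encrypted ESP packets themselves must reach the router
add chain=input action=accept in-interface=ether6 protocol=udp dst-port=500,4500 \
    comment="IKE/NAT-T from WAN"
add chain=input action=accept in-interface=ether6 protocol=ipsec-esp \
    comment="ESP from WAN"
# decrypted tunnel packets still show in-interface=ether6, but they match the
# IPsec policy; accept them BEFORE any anti-spoofing rule, or the private
# source addresses from the remote LAN would be dropped as spoofed
add chain=input action=accept ipsec-policy=in,ipsec \
    comment="decrypted traffic from IPsec tunnel"
# anti-spoofing: cleartext packets from WAN claiming a private source address
add chain=input action=drop in-interface=ether6 \
    src-address-list=rfc1918 log=yes comment="drop spoofed private sources"
# everything else that is not from LAN
add chain=input action=drop in-interface=ether6 log=yes \
    comment="drop all other WAN input"

/ip firewall address-list
add list=rfc1918 address=10.0.0.0/8
add list=rfc1918 address=172.16.0.0/12
add list=rfc1918 address=192.168.0.0/16
```

Use "/ip firewall filter print stats" and watch the packet counters while the tunnel is passing traffic: the decrypted packets should increment the ipsec-policy rule, not the logging drop rules.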

ipsec-policy=in,ipsec will match packets that came from tunnel.

Oh, that's what he meant…

Hi!

Yes, that is 95% of what I meant. Thank you!

In that case, I do not need to allow “spoofed addresses” on the WAN interface, but: isn't there still the danger that one IPSEC peer can spoof addresses of another one, or is this prevented by the Phase 2 definitions?

Thank you for your help!!
Stril

The default firewall in recent RouterOS versions already caters for your use case.
Reset a device to defaults and examine it in detail (not just a simple list view, but via the command line (print or export) or by opening each rule and looking at the details).
You can also do “/system default-configuration print” and study the output, which is a script that is run when reset-to-defaults is done.

Hi!

Sorry, but I do not understand how your hint interferes with my last post.

If the remote part of policy doesn’t include some address, router won’t accept it from given peer.

I just want to make clear that when you have default configuration on your MikroTik router (at least when you have reset it to defaults in a recent RouterOS version), you will not have to configure anything because the rules necessary for what you want to accomplish are already there. Unencrypted input from internet is blocked, and input matched by an IPsec policy you configured is passed.
So when you have built your own firewall which maybe is very complicated, you might want to look at the current default firewall to see how they did that.

Hi!

I checked the default config, but there are no firewall rules - only "/ip firewall nat remove [find comment~"defconf"]"

Ah, you probably have a CCR. For some reason (probably the type of application these devices usually perform) the CCR does not have the default firewall rules that other types have.

This is the default firewall for “routers typically used as internet NAT routers” in 6.46.1:

/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"

As you can see, it explicitly accepts ipsec-protected traffic before it drops invalid and incoming traffic from WAN. So it will pass any traffic in IPsec tunnels you set up.
(these devices populate the interface lists LAN and WAN with the interfaces used for local and external)

For me the (ipsec-policy=in,ipsec) option AND putting it on TOP with the (place-before=0) option … do the trick.
If you want to use WAN through IPSec … you need to put one more policy into the Mikrotik NAT and have to use the same tricks:
add action=accept chain=srcnat dst-address=0.0.0.0/0 src-address=local network/24
If you have an IPsec policy with destination 0.0.0.0/0, that NAT rule will make every client from the local Mikrotik network use the remote router for the WAN connection.

I have another problem because I have 3 routers:
Fortigate1 with LAN1 - Fortigate2 with LAN2 - Mikrotik with LAN3
2 IPSEC tunnels working fine
LAN1 sees LAN2
LAN3 sees LAN2

but LAN3 can't see LAN1

I suppose I need to set up something specific in the Fortigate (but suppose Fortigate2 is a Mikrotik).
Can someone give me a CLUE what I have to do if I want LAN3 to see LAN1?

This is the problem with policy-based IPsec. You can try to add extra policies for the other LAN addresses in your routers, but it always remains tricky and difficult to manage.
When you want an extensible system for multiple sites/routers, set up GRE over IPsec transport instead of an IPsec tunnel. Put a /30 network on each of the tunnels.
You then get virtual interfaces in each router for those tunnels and you can just use static routes (or automatic routing) to send the traffic in the correct direction.
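An added example (not from this thread) of the GRE-over-IPsec-transport approach described above, from the point of view of the Mikrotik that hosts LAN3: one GRE interface per remote site, a /30 on each, and static routes to the remote LANs. All addresses, interface names and the pre-shared secret are constructed placeholders; the remote peers must build matching GRE interfaces and transport-mode IPsec.

```routeros
# Added example, not from the thread. Constructed addresses:
#   this router's public IP  203.0.113.1   (interface ether6 = WAN)
#   site1 public IP          198.51.100.1  remote LAN1 192.168.1.0/24
#   site2 public IP          198.51.100.2  remote LAN2 192.168.2.0/24
#   local LAN3               192.168.3.0/24
# ipsec-secret on the GRE interface makes RouterOS create the transport-mode
# IPsec peer/policy for the GRE packets automatically.
/interface gre
add name=gre-site1 local-address=203.0.113.1 remote-address=198.51.100.1 \
    ipsec-secret="REPLACE-WITH-STRONG-PSK-SITE1" keepalive=10s,10
add name=gre-site2 local-address=203.0.113.1 remote-address=198.51.100.2 \
    ipsec-secret="REPLACE-WITH-STRONG-PSK-SITE2" keepalive=10s,10

# one /30 per tunnel; the .2 side lives on the remote router
/ip address
add address=10.255.1.1/30 interface=gre-site1
add address=10.255.2.1/30 interface=gre-site2

# plain routing decides which tunnel carries which LAN; no per-LAN IPsec policies
/ip route
add dst-address=192.168.1.0/24 gateway=10.255.1.2 comment="LAN1 via site1"
add dst-address=192.168.2.0/24 gateway=10.255.2.2 comment="LAN2 via site2"

# firewall: let IKE/ESP reach the router and accept GRE only when it arrived
# decrypted through the IPsec policy, so cleartext GRE from the internet is dropped
/ip firewall filter
add chain=input action=accept in-interface=ether6 protocol=udp dst-port=500,4500 \
    comment="IKE/NAT-T" place-before=0
add chain=input action=accept in-interface=ether6 protocol=ipsec-esp \
    comment="ESP" place-before=1
add chain=input action=accept protocol=gre ipsec-policy=in,ipsec \
    comment="GRE only from inside IPsec transport" place-before=2
# traffic between LANs now enters/leaves real interfaces, so normal forward
# rules apply to the gre-* interfaces like to any other interface
add chain=forward action=accept in-interface=gre-site1 out-interface=gre-site2 \
    comment="LAN1 <-> LAN2 may transit this router if its routes point here"
```

Transit between LAN1 and LAN2 through this router only works if the two remote sites route each other's prefix via their GRE /30 towards this router; otherwise add a third GRE tunnel directly between site1 and site2.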