How to redirect all traffic to IPS

Hi all.
I want to implement an IPS in our organization, which will scan all traffic from branches (VPN) and HQ that goes through the border GWs, blocking malicious traffic in real time.
And now I have a problem. The IPSs are not inline (for some reasons); they are connected to the MikroTik via separate ports. I made a redirection rule in mangle, set the interfaces whose traffic I want to redirect to the IPS, and nothing happened; users can't go to the Internet. When I do a traceroute, I see that traffic goes normally to the border router, then is redirected to the IPS, goes back to the router, and that's all. In the firewall rules I've set a rule with accept action to see that traffic comes back to the router, but the NAT rule counters are 0. Everything works normally when I turn on the NAT rule on the IPS interface, but I don't need it.

OK, I've deleted the mangle rule for traffic redirection and given the clients the IP of the IPS's interface as GW, but when I checked how traffic goes, the MikroTik doesn't send it to the IPS and forwards it to the ISP, so the users' traffic can't go through the IPS even if I set the IPS interface as the clients' GW.

How can I make the MikroTik work normally in this case?

Thanks for answers.

Lol, has no one done this before?

This is a standard case now, when the IPS is not inline and works on a separate VM, and MikroTik can't work with this design?

What mangle rule did you use? What was the action?
If you use “route”, know that it only works in the prerouting chain.
Perhaps you should use the “mark-routing” action to mark these packets and process them with PBR (Policy Based Routing)?

Most experts here will probably ask you, as a start, to post the config of your setup before anything useful can be said.

I use just one rule in mangle with action “route”. Marking traffic is not possible, because when marking, traffic will always go to the IPS and we'll cause a routing loop MikroTik - IPS; connection marking has no effect either, for the same reasons.

No rules are present. Now I'm just testing it all on a test stand. The MikroTik's config is completely empty. So, I've added traceroutes of how traffic goes without redirection to the IPS and with redirection.

I saw on one forum (the discussion was in 2014) that one man said MikroTik can't NAT traffic which is redirected from the MikroTik to another device and comes back to the MikroTik for forwarding to the ISP through NAT. Is it true?

Do you have another (free) interface on the IPS that you can cable to the MikroTik? So not “IPS-on-a-stick” but a different interface?
Then configure another 172.16.4.x/30 subnet between them.

I don't see why this should not work with some policy-route constructions?
I have to say I don’t have experience with Mikrotik for these kinds of setups.

I was surprised too when I saw that the MikroTik doesn't work in this case.

So, I will try to do it with 2 interfaces… Hope it will work.

Also adjust the NAT/Masq section in your config, I think; now I read:

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.100.0/24

But if you work with another IPS-IN subnet you can perhaps add the inbound interface to make sure you only NAT the stream coming out of the IPS across the dedicated “out” interface.
Do you plan to have static DNAT entries also? Because you should force new “SYN” packets from the Internet also across/through your IPS, I guess, on their way to internal systems/servers.
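Putting the two suggestions above together (mark-routing plus PBR instead of action=route, and a second /30 link so the IPS is not on a stick), here is an added example of what the RouterOS config could look like. It is not the poster's config: interface names, the 172.16.4.x/30 addresses and the ISP gateway placeholder are all assumed.

```routeros
# Constructed addressing (not from the thread): LAN 192.168.100.0/24 on
# bridge-lan, ISP on ether1, two dedicated /30 links to the IPS:
#   ether3 172.16.4.1/30  router -> IPS   (IPS side assumed 172.16.4.2)
#   ether4 172.16.4.5/30  IPS -> router   (IPS side assumed 172.16.4.6)
# RouterOS v6 syntax; on v7 the marked table must also be declared first:
#   /routing table add name=to-ips fib
/ip address
add address=172.16.4.1/30 interface=ether3
add address=172.16.4.5/30 interface=ether4

# Mark only packets that ENTER from the LAN. Packets coming back from the
# IPS arrive on ether4, do not match in-interface, and are therefore never
# re-marked: this is what avoids the router <-> IPS loop that "route" or
# unconditional marking produces. Traffic to the LAN itself is excluded.
/ip firewall mangle
add chain=prerouting in-interface=bridge-lan dst-address=!192.168.100.0/24 \
    action=mark-routing new-routing-mark=to-ips passthrough=no

# Policy route: marked packets go to the IPS; unmarked packets (including the
# stream returning on ether4) use the main table towards the ISP.
/ip route
add dst-address=0.0.0.0/0 gateway=172.16.4.2 routing-mark=to-ips
add dst-address=0.0.0.0/0 gateway=<ISP_GATEWAY>   # placeholder, main table

# NAT only the stream that has already passed the IPS and leaves via the ISP.
# in-interface on srcnat follows the suggestion above to pin the NAT to the
# IPS return link, so anything that bypassed the IPS is not translated.
/ip firewall nat
add chain=srcnat in-interface=ether4 out-interface=ether1 \
    src-address=192.168.100.0/24 action=masquerade

# Caveat: replies from the Internet, and dst-nat'd inbound connections, are
# routed by the main table straight to the LAN, so the IPS sees only the
# outbound direction unless a matching rule for in-interface=ether1 is added.
```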

Still doesn't work even if I made a separate link with just the default route and a separate link with the internal subnets. The MikroTik still works as it did with a single link… I'm sad :(

Now I will try another design and use PBR on my L3 Cisco switch to separate internal LAN traffic (green) and guest (red) traffic.

Hope it will be OK… If not, we'll buy pre-owned Cisco routers.

Thanks for help