ip firewall nat and filter question

I have 2 concept questions

1.- What does ipsec-policy=out,none do, and what happens if I delete it? Does it affect VPN connections that use ipsec?
the line in question is:

/ip firewall nat action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN

2.- Are the rules in ip firewall filter processed in the order that they appear, or first by chain? For example:

/ip firewall filter
1. add action=accept chain=input comment="rbMT" connection-state=established,related,untracked
2. add action=accept chain=forward comment="rbMT" ipsec-policy=out,ipsec
3. add action=drop chain=input comment="rbMT" connection-state=invalid

Are they processed 1,2,3 or 1,3,2?

Thanks

  1. It will make a difference only if you use plain ipsec with policies that involve not only the router's own addresses.

  2. By chain. However, a single packet can't be processed by both the input and forward chains, so it will be either 1,3 or 2, but not 1,3,2.

You can mix rules (it is not mandatory that all input chain rules are listed together, etc.), but any IT person would recommend that you put like rules together, as it makes it much easier to read, configure and troubleshoot.
The standard appears to be to list all input chain rules first, then forward chain rules.

Rule order within a chain is critical in terms of how the router will process the packets.

And on the last line, drop all…
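
To illustrate the "by chain" answer and the point that order within a chain matters, here is a small Python model of the three rules from the question. It is an added example, not part of the original thread and not RouterOS code. The names Packet, Rule and evaluate are hypothetical; the model covers only the input and forward chains and the accept/drop actions, and assumes the RouterOS default of accepting a packet that no rule in its chain matches.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    dst_is_router: bool        # True: addressed to the router itself (input chain)
    connection_state: str      # "new", "established", "related", "invalid", ...
    ipsec_out: bool = False    # True: an outbound IPsec policy will handle it

@dataclass
class Rule:
    number: int                # the poster's numbering (1, 2, 3)
    chain: str
    action: str                # "accept" or "drop" (both end processing)
    connection_state: frozenset = frozenset()   # empty = matcher not set
    ipsec_policy: str = ""                       # only "out,ipsec" is modelled

    def matches(self, pkt: Packet) -> bool:
        if self.connection_state and pkt.connection_state not in self.connection_state:
            return False
        if self.ipsec_policy == "out,ipsec" and not pkt.ipsec_out:
            return False
        return True

# The three rules from the question, in the order they were listed.
RULES = [
    Rule(1, "input", "accept", frozenset({"established", "related", "untracked"})),
    Rule(2, "forward", "accept", ipsec_policy="out,ipsec"),
    Rule(3, "input", "drop", frozenset({"invalid"})),
]

def evaluate(pkt: Packet, rules=RULES):
    """Return (chain, rule numbers consulted in order, verdict)."""
    chain = "input" if pkt.dst_is_router else "forward"
    consulted = []
    for rule in rules:              # listed order is preserved...
        if rule.chain != chain:
            continue                # ...but other chains' rules are skipped
        consulted.append(rule.number)
        if rule.matches(pkt):
            return chain, consulted, rule.action   # first match wins
    return chain, consulted, "accept (no rule matched)"

if __name__ == "__main__":
    # Constructed sample packets.
    for pkt in (Packet(True, "invalid"), Packet(True, "established"),
                Packet(False, "new", ipsec_out=True), Packet(False, "new")):
        print(pkt, "->", evaluate(pkt))
```
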

Maybe there is some relation between this and the problem exposed here?

http://forum.mikrotik.com/t/mangle-l2tp-vpn/149788/1

  1. It will make a difference only if you use plain ipsec with policies that involve not only the router's own addresses.

Do you refer to policy routing and mangle? And what is that difference?

There is never a “better way” unless it's my way, of course!
Seriously, one is better off clearly stating the set of requirements based on use cases (what you want or don't want the users/devices to be able to do), without discussing the config details.
Then it will become crystal clear what set or mix of capabilities within the router need to be employed for an efficient design.