IPSEC - NAT question

Zsoltr · January 6, 2021, 2:21pm

Dear all,

I have the following problem:

MTHOME - (WAN: x.x.x.10)
LAN (192.168.93.0/24)
server <----------(smtp-only)------> (through x.x.x.1) <----> CHR (WAN: x.x.x.1,x.x.x.2,x.x.x.3,x.x.x.4)

I have a CHR with 4 IP and a home router with a dynamic IP.
I have a mail server on the LAN. I need the mail server to communicate on the CHR’s IP (x.x.x.1), but only the traffic on port 25 should go that way. The rest of the traffic should use the MTHOME route.

I have set up an IPSEC tunnel with dst-nat and src-nat rules that works, but that case all network traffic goes through the tunnel, and that’s not what I want. I only need port 25 to use the IPSEC tunnel.

Thanks in advance!

nagylzs · January 6, 2021, 2:43pm

How did you add your ipsec policies? Can you please post your config?

Zsoltr · January 6, 2021, 3:20pm

Thist is my policies config. This are different servers on the lan side and all configured as tunnels.
Thanks for your help!

[# jan/06/2021 15:39:55 by RouterOS 6.47.3
# software id = 
#
#
#
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
add dst-address=0.0.0.0/0 peer=peer2 sa-dst-address=x.x.x.94 sa-src-address=y.y.y.94 src-address=192.168.93.150/32 tunnel=yes
add dst-address=0.0.0.0/0 peer=peer2 sa-dst-address=x.x.x.94 sa-src-address=y.y.y.94 src-address=192.168.94.2/32 tunnel=yes
add dst-address=0.0.0.0/0 peer=peer2 sa-dst-address=x.x.x.94 sa-src-address=y.y.y.94 src-address=192.168.93.5/32 tunnel=yes
add dst-address=0.0.0.0/0 peer=peer2 sa-dst-address=x.x.x.94 sa-src-address=y.y.y.94 src-address=192.168.93.225/32 tunnel=yes
add dst-address=0.0.0.0/0 peer=peer2 sa-dst-address=x.x.x.94 sa-src-address=y.y.y.94 src-address=192.168.93.152/32 tunnel=yes
add dst-address=0.0.0.0/0 peer=peer2 sa-dst-address=x.x.x.94 sa-src-address=y.y.y.94 src-address=192.168.93.151/32 tunnel=yes
add dst-address=0.0.0.0/0 peer=peer2 sa-dst-address=x.x.x.94 sa-src-address=y.y.y.94 src-address=192.168.93.7/32 tunnel=yes
add dst-address=0.0.0.0/0 peer=peer2 sa-dst-address=x.x.x.94 sa-src-address=y.y.y.94 src-address=192.168.93.248/32 tunnel=yes
add dst-address=0.0.0.0/0 peer=peer2 sa-dst-address=x.x.x.94 sa-src-address=y.y.y.94 src-address=192.168.93.235/32 tunnel=yes

nagylzs · January 6, 2021, 5:37pm

Okay, so these policies have a dst-port and an src-port attribute. You can add dst-port=25 to limit the packets that needs to be encapsulated and encrypted.

Don’t forget to update your NAT rules as well. You need to have a NAT rule that will masquerade all packets that were not encapsulated.

For example:

/ip firewall nat
add chain=srcnat action=accept dst-port=25 dst-address=your.smtp.over.tunnel.address comment="bypass nat for packets that will be tunneled"
add chain=srcnat action=masquerade out-interface=your_wan_interface

Zsoltr · January 6, 2021, 6:00pm

Wow! Thanks for the help!
Works great! The only thing I have changed, that I had to change the src-port insted of dst-port for the policies. But that’s all!

Thanks again, you saved my night!

Zsolt