ipsec-policy question

mikrotak · June 2, 2020, 5:44pm

I am at the last piece of my first firewall and I’m wondering which direction I should go with the ip firewall NAT.

I notice that the default config adds an ipsec-policy=out,none
add chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none

but the recommended firewall at https://help.mikrotik.com/docs/display/ROS/Building+Your+First+Firewall
does not
add chain=srcnat out-interface=ether1 action=masquerade

I looked at the ipsec doc at https://wiki.mikrotik.com/wiki/Manual:IP/IPsec
and it is too advanced for me at this early stage.
Is this another case of something was put in the default config that might be useful later but isn’t a drag on processing?

Sob · June 3, 2020, 1:19am

It’s for later. When you have policy-based IPSec tunnel, it’s usually between local subnet and remote subnet. Router sees packets from local subnet leaving via WAN interface. If you have unconditional srcnat/masquerade on WAN, everything will have its source changed to router’s WAN address. And it will break the tunnel, because packets will no longer match the policy. This extra option automatically exludes all tunnelled traffic from NAT.

mikrotak · June 3, 2020, 10:20pm

ok thanks … then I probably don’t need these either right now correct?

add chain=forward action=accept ipsec-policy=in,ipsec comment=“defconf: accept in ipsec policy”
add chain=forward action=accept ipsec-policy=out,ipsec comment=“defconf: accept out ipsec policy”

Sob · June 3, 2020, 11:07pm

If you don’t have any policy-based IPSec tunnels, then no, you don’t need these. And even when you do have some, you don’t necessarily want to allow everything.