Having difficulty passing traffic as regular client on LAN of each side of site-to-site ipsec VPN. Latest firmware on a pair of RB2011. Followed manual including Fasttrack rule and raw rule. VPN is up and I can ping through the vpn, router to router if I specify source and destination is the LAN address of each side - i.e. “ping to the other side’s LAN router address using this side’s LAN router address as the source”, that works. But the client on each side used to configure the router and manage the router, sitting within the LAN of each router it manages cannot ping the OTHER router’s lan address across the VPN. I can ping from the router and ping the local management PC sitting within its own LAN, so I know the client will respond to an external ping. Please help. This is so close but just isn’t right for some reason. Likely others suffer the same issues as I’ve read a large number of postings but nothing yet has solved these issues.
Check if NAT-exempt rules are in-place.
I believe this is what you are referring to and so yes,
/ip firewall nat print
on the router where the private subnet is 192.168.50.0/24 shows as rule 0 ahead of the default conf masquerade rule:
chain=srcnat action=accept src-address=192.168.50.0/24 dst-address=192.168.88.0/24 log=no
and on the other end where the private subnet is 192.168.88.0/24 this is rule 0 ahead of default masquerade rule:
chain=srcnat action=accept src-address=192.168.88.0/24 dst-address=192.168.50.0/24 log=no
Sorry, I realize that rule is very critical but I left it out of my original problem description as ‘completed’.
I only saw one reference to this as a potential problem/solution, but configuration has been a hybrid of using GUI and command-line if that provides any clue. I don’t know if, for a vpn on Mikrotik, I must have a static route to pass traffic across the vpn, but my attempts to add one do not change the results unless I’m simply configuring it wrong. Again today, I have confirmed that the vpn is up and each router can ping the other’s internal IP, but client pings cannot traverse the vpn. A traceroute from clients on both sides to the client on the other side hits their respective router and times out on the next hop. I can post or send a dump of my config if that would help. There isn’t anything custom to the default config besides the attempted VPN at this point. Thinking this could be a test-bench config issue (testing vpn on a similar numbered private network) I changed the external network away from also being a 192.168.x.x address scheme to a fictitious fixed public scheme and it didn’t change the problem.
From the .50. router
This is the list (all default) of filter rules:
[admin@MikroTik] /ip firewall nat> /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp log=no log-prefix=""
2 ;;; defconf: accept established,related
chain=input action=accept connection-state=established,related log=no log-prefix=""
3 ;;; defconf: drop all from WAN
chain=input action=drop in-interface=ether1 log=no log-prefix=""
4 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""
5 ;;; defconf: accept established,related
chain=forward action=accept connection-state=established,related log=no log-prefix=""
6 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid log=no log-prefix=""
7 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1 log=no log-prefix=""
8 ;;; FastTrack
chain=forward action=fasttrack-connection connection-state=established,related connection-mark=!ipsec
and this is the list of nat rules:
[admin@MikroTik] /ip firewall nat> /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept src-address=192.168.50.0/24 dst-address=192.168.88.0/24 log=no
1 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix=""
here is the list of mangle rules:
[admin@MikroTik] /ip firewall nat> /ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=prerouting action=passthrough
1 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
2 D ;;; special dummy rule to show fasttrack counters
chain=postrouting action=passthrough
3 ;;; Mark IPsec connections
chain=forward action=mark-connection new-connection-mark=ipsec ipsec-policy=out,ipsec
4 chain=forward action=mark-connection new-connection-mark=ipsec ipsec-policy=in,ipsec
and finally the list of raw rules
[admin@MikroTik] /ip firewall nat> /ip firewall raw print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=prerouting action=notrack src-address=192.168.50.0/24 dst-address=192.168.88.0/24
1 D ;;; special dummy rule to show fasttrack counters
chain=prerouting action=passthrough
Both are at the same firmware level of 6.38.3. I have confirmed that the .88. router firewall rules are identical to the .50. with the addresses appropriately flipped on the nat and raw rules.
For anyone else that ends up confused about how to implement pt-to-pt ipsec tunnels by following the manual… The lower manual section of the ipsec pt-to-pt instructions (the 2 boxes just above: Ipsec/L2TP behind NAT) is a bit confusing. The manual stops identifying (at the filter and raw instructions) what goes in which router.
To clarify, of the “filter” and “raw” rules shown, ONLY THE RAW rules are actually necessary; the filter rules can be skipped (it says that, but easily missed, after the filter rules are laid out). If you’re unfamiliar with the equipment and simply following along (as I was), changing addresses to fit your own scheme and looking for a recipe that works and can be built upon, you might easily make the same mistake I did.
Also, and VERY important but not clearly stated, BOTH routers need BOTH lines of the raw rules:
/ip firewall raw
add action=notrack chain=prerouting src-address=10.1.101.0/24 dst-address=10.1.202.0/24
add action=notrack chain=prerouting src-address=10.1.202.0/24 dst-address=10.1.101.0/24
(put both lines, appropriately altered, in BOTH routers)
and I really think the manual should say that, even if it just repeats the box and lists exactly the same thing in both boxes while identifying each for each router to make it consistent with the earlier instructions, such as:
Office1 router:
/ip firewall raw
add action=notrack chain=prerouting src-address=10.1.101.0/24 dst-address=10.1.202.0/24
add action=notrack chain=prerouting src-address=10.1.202.0/24 dst-address=10.1.101.0/24
Office2 router:
/ip firewall raw
add action=notrack chain=prerouting src-address=10.1.101.0/24 dst-address=10.1.202.0/24
add action=notrack chain=prerouting src-address=10.1.202.0/24 dst-address=10.1.101.0/24
If you mistakenly attempt to split the rules, as I did, and make it follow the pattern of the instructions above that point, the tunnel will absolutely not work. Combine that, as I did, with a test PC with a legacy configuration that is both wireless and wired and confused about how it should answer (remove the wireless from the equation) and you have a recipe for a non-functional tunnel and many frustrating attempts to get it to work.
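A small checker for the two configuration points this thread turns on, written here as an added example (it is not code from the thread or from MikroTik): it parses `/ip firewall raw print` and `/ip firewall nat print` output and reports a missing reverse notrack rule, or a srcnat accept (NAT exemption) that is absent or ordered after masquerade. The sample dumps are constructed, modelled on the .50. router above but with the reverse raw rule deliberately left out.

```python
import re

# Constructed sample dumps, modelled on the ".50." router in the thread, with the
# reverse notrack rule deliberately missing (the mistake the last post describes).
RAW_50 = """ 0   chain=prerouting action=notrack src-address=192.168.50.0/24 dst-address=192.168.88.0/24
 1 D ;;; special dummy rule to show fasttrack counters
     chain=prerouting action=passthrough
"""
NAT_50 = """ 0   chain=srcnat action=accept src-address=192.168.50.0/24 dst-address=192.168.88.0/24 log=no
 1   ;;; defconf: masquerade
     chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix=""
"""

def parse_rules(dump):
    """Return one {key: value} dict per enabled rule in a RouterOS 'print' dump.
    Flags sit before 'chain=' on a plain rule line, or before ';;;' when the rule has
    a comment and its attributes continue on the next line; disabled (X) rules are skipped."""
    rules, pending = [], ""
    for line in dump.splitlines():
        if ";;;" in line:
            pending = line.split(";;;", 1)[0]
            continue
        if "chain=" not in line:
            continue
        head = line.split("chain=", 1)[0]
        flags = head if head.strip() else pending
        pending = ""
        if "X" in flags:
            continue
        rules.append(dict(re.findall(r"(\S+?)=(\S*)", line)))
    return rules

def missing_notrack(raw_dump, lan_a, lan_b):
    """Both directions must be exempt from connection tracking; returns the missing pairs."""
    have = {(r.get("src-address"), r.get("dst-address")) for r in parse_rules(raw_dump)
            if r.get("chain") == "prerouting" and r.get("action") == "notrack"}
    return [pair for pair in ((lan_a, lan_b), (lan_b, lan_a)) if pair not in have]

def nat_bypass_ok(nat_dump, lan_a, lan_b):
    """The srcnat accept for lan_a -> lan_b must exist and precede any masquerade rule,
    otherwise LAN-to-LAN traffic is NATed to the WAN address and never matches the policy."""
    for r in parse_rules(nat_dump):
        if r.get("chain") != "srcnat":
            continue
        if r.get("action") == "masquerade":
            return False
        if (r.get("action") == "accept" and r.get("src-address") == lan_a
                and r.get("dst-address") == lan_b):
            return True
    return False
```

Run it against each router's dump with that router's LAN as `lan_a`; the .88. router needs the mirrored arguments.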