IPSEC Routing Help

Hey guys,

I’ve just replaced a Fortigate with a Mikrotik that’s been running an IPSEC tunnel for a private Webapp. The Fortigate had an IP Pool specified for use with the IPSEC tunnel, and we need all traffic from the corporate LAN to flow through to the other end of the IPSEC tunnel on a specific set of IPs.

We have the IPSEC tunnel working fine, and if we use the intermediary IPs on a host in the corporate LAN it works fine; we just need this to be used by everyone. The layout is like below:


Corporate LAN: 192.168.20.0/24
IP Pool Range: 19.168.1.1/29
Remote IPSEC: 10.224.14.0/24

The Remote IPSEC endpoint will ONLY accept traffic from the IP Pool Range.

Any ideas?

Use an SRC-NAT rule on the IPsec interface (out interface). That way all traffic from your IP pool or corporate LAN should appear to come from the IP address of your IPsec interface.

So, this got me going:

# Bridge with no ports: it only exists to hold the pool addresses
/interface bridge
add name=VPN-Bridge
# Pool addresses as /32s (RouterOS assumes /32 when no prefix is given),
# these are the only sources the remote IPsec endpoint will accept
/ip address
add address=192.168.1.2 interface=VPN-Bridge network=192.168.1.2
add address=192.168.1.3 interface=VPN-Bridge network=192.168.1.3
add address=192.168.1.4 interface=VPN-Bridge network=192.168.1.4
add address=192.168.1.5 interface=VPN-Bridge network=192.168.1.5
add address=192.168.1.6 interface=VPN-Bridge network=192.168.1.6
# Rewrite the corporate LAN source to a pool address for traffic headed to the
# remote subnet; src-address must be the corporate LAN (192.168.20.0/24 above)
# and this rule must sit above any general WAN masquerade rule
/ip firewall nat
add action=masquerade chain=srcnat dst-address=10.224.14.0/24 out-interface=\
    VPN-Bridge src-address=192.168.20.0/24
# Send the remote host via the bridge so the NAT rule fires and the IPsec policy
# (src = pool, dst = 10.224.14.0/24) then encrypts it; only this one /32 is covered
/ip route
add distance=1 dst-address=10.224.14.12/32 gateway=VPN-Bridge

Basically, I created a bridge with no interfaces assigned to it and added the addresses to it, added a static route to the local endpoint to go out over the VPN bridge, then added a masquerade rule so that traffic from the local LAN going to the local endpoint address is masqueraded out over the VPN-Bridge.

Bit of mucking about, but works a treat!
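For anyone reproducing the dummy-bridge trick, here is an added example (not the original poster’s config, and not from the reply above) that goes a little further: it uses an explicit src-nat with a chosen pool address instead of masquerade, routes the whole remote subnet rather than a single host, and includes the IPsec policy the thread leaves out. The interface name ether2, the peer name remote-dc and the proposal name remote-dc-prop are assumptions; the pool is taken as 192.168.1.0/29, matching the addresses used in the thread.

```routeros
# Added example, not the original poster's configuration.
# Assumed: corporate LAN 192.168.20.0/24 on ether2, pool 192.168.1.0/29,
# remote subnet 10.224.14.0/24, and an IPsec peer "remote-dc" with proposal
# "remote-dc-prop" already defined (hypothetical names).

/interface bridge
add name=VPN-Bridge comment="no ports; only holds the IPsec pool addresses"

/ip address
add address=192.168.1.2/32 interface=VPN-Bridge comment="pool address used by src-nat"
add address=192.168.1.3/32 interface=VPN-Bridge comment="spare pool address"

/ip route
# Route the whole remote subnet via the bridge, not just one host, so every
# remote address gets NATed and matched by the policy below.
add dst-address=10.224.14.0/24 gateway=VPN-Bridge comment="via IPsec (dummy bridge)"

/ip firewall nat
# Rewrite LAN sources to one fixed pool address. Restricting src-address to the
# corporate LAN means nothing else can ride the tunnel. This rule must be above
# any general "masquerade out WAN" rule, otherwise that rule rewrites the source
# first and the remote end rejects the packet.
add chain=srcnat action=src-nat to-addresses=192.168.1.2 \
    src-address=192.168.20.0/24 dst-address=10.224.14.0/24 \
    out-interface=VPN-Bridge comment="LAN -> pool for IPsec"

/ip ipsec policy
# The selector matches the post-NAT packet, so src is the pool, not the LAN.
# level=require refuses to send the traffic in the clear if no SA is up.
add peer=remote-dc tunnel=yes src-address=192.168.1.0/29 \
    dst-address=10.224.14.0/24 proposal=remote-dc-prop \
    action=encrypt level=require comment="pool -> remote webapp"
```

Rule order matters: use `/ip firewall nat print` and move the src-nat rule above any WAN masquerade rule if it was added later. To confirm the path end to end from a LAN host, `/ip firewall connection print where dst-address~"10.224.14."` should show the reply-side address as 192.168.1.2, and `/ip ipsec installed-sa print` should show the SA carrying traffic.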

Glad to hear you got sorted.