IPsec site-to-site VPN. Ping fails in one direction.

For me it is still not working:

This is what I put:


/ip firewall filter
add chain=forward comment="" dst-address=192.168.17.0/24 src-address=172.16.20.0/24
add chain=forward comment="" dst-address=172.16.20.0/24 src-address=192.168.17.0/24

Both are placed with place-before=0.


/ip firewall nat
add chain=srcnat comment="VPN Tunnel" dst-address=192.168.17.0/24 log=no src-address=172.16.20.0/24
add action=masquerade chain=srcnat comment="default configuration" out-interface=WAN

I got help from MikroTik after a mail to support@mikrotik.com (Maris B.); he was really helpful.

Is it possible that the “fasttrack dummy rule” makes a mess in the firewall, what do you think? I have it on one router but not on the other one.

According to the support guy ‘We have to accept the traffic in firewall that should go through the ipsec tunnel before the fasttrack rule.’

This is why the place-before=0 is required.

I know, but I cannot place the IPsec tunnel rule before the fasttrack rule. I cannot even delete the fasttrack rule. I’m just searching the forum to find out how to remove or disable this rule, but it looks like it is not possible. Anyhow, thanks.

To get rid of fasttrack: there is a firewall rule created by the default configuration, directly below the two rules that allow established and related, with action=fasttrack-connection.

The rule looks like this:

add action=fasttrack-connection chain=forward comment="default configuration" connection-state=established,related

Delete this, then reboot your router; the dynamic rules should no longer be present.

If your VPN is only working one way, try disabling (temporarily) any drop rules in the firewall. Does it now work? If yes, then you need to ensure your VPN traffic is allowed in. Its incoming interface is the WAN interface (perhaps ether1 or pppoe-out1?).

Don't forget to re-enable your drop rules after this!!!

Enabling logging on any drop rules may also be helpful.

Also check that any dst-nat rules are not catching your IPsec traffic. Disable them while testing, or make them very specific by specifying a dst-address that is your WAN address.

Lastly, download and read the Packet Flow Diagram; it is very helpful in understanding how IPsec is processed through the router.

Thank you scampbell for your useful tip to temporarily disable firewall rules. I disabled them one by one and found out that the following rule from the default configuration was blocking my ping from Microsoft Azure to the on-premise network:

add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=new in-interface=ether1-gateway

I was also earlier in contact with Maris B. from support. He pointed me to the following information on the MikroTik WIKI: http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Policy_and_proposal

You can find there that you need to put in the NAT bypass. I think what is missing is that you ALSO have to add a firewall filter rule to allow the traffic from the remote side to forward into your on-premise network. This was blocked by the above rule in my MikroTik router, which I put in during the initial setup and which made sense at that time (and still does).

Could not find anything about this in the MikroTik WIKI link I shared above. But that’s OK, because at least now I could figure out what I needed to solve this problem. I just allow the subnet in Microsoft Azure to communicate with the subnet on premise with this single line, and put it on top of the filter rules:

add chain=forward comment="Allow from Azure" dst-address=192.168.0.0/22 src-address=192.168.4.0/22 place-before=0

Problem solved, everything working now.

Thanks a lot guys for your help!

Cheers,

Peter

Not only that, but the fasttrack rule also affects IPsec traffic. So for tunnel mode to work properly you need to allow the tunnelled traffic before the fasttrack rule or the rule with connection-nat-state=!dstnat.
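The ordering that scampbell, Peter and the post above describe, assembled into one RouterOS 6.x filter and NAT fragment. This is an added example for this page, not configuration posted by anyone in the thread or taken from MikroTik documentation. It assumes the WAN interface is ether1, takes the subnets from Peter's post (192.168.0.0/22 local, 192.168.4.0/22 Azure) and uses 203.0.113.10 as a placeholder for the peer's public address. Instead of address pairs it uses the ipsec-policy matcher, so the rules follow whatever policies are installed. It shows the two points the thread turns on: decrypted IPsec packets re-enter the forward chain with in-interface=ether1 and connection-state=new, so they must be accepted before both the fasttrack rule and the drop rule with connection-nat-state=!dstnat; and the srcnat bypass must sit above masquerade, otherwise the source is rewritten to the WAN address before the IPsec policy is consulted and no longer matches it.

```routeros
# Added example: default-configuration-style firewall with the IPsec bypass
# rules placed where the thread says they must go. Assumes WAN = ether1, the
# subnets from Peter's post and a placeholder peer address of 203.0.113.10.

/ip firewall filter
# 1. IPsec bypass first. Decrypted packets arrive in the forward chain with
#    in-interface=ether1 and connection-state=new, so they would otherwise be
#    caught by the !dstnat drop below. Plain-text packets heading into the
#    tunnel must skip fasttrack too, or they never reach the IPsec policy.
add chain=forward action=accept ipsec-policy=in,ipsec comment="IPsec: decrypted from peer" place-before=0
add chain=forward action=accept ipsec-policy=out,ipsec comment="IPsec: to be encrypted" place-before=0
# Address-based equivalent, one rule per direction, if you prefer explicit subnets:
# add chain=forward action=accept src-address=192.168.4.0/22 dst-address=192.168.0.0/22 place-before=0
# add chain=forward action=accept src-address=192.168.0.0/22 dst-address=192.168.4.0/22 place-before=0

# 2. The default rules in their usual order. Logging on the drops makes a
#    blocked ping visible in /log print while you test; turn it off afterwards.
add chain=forward action=fasttrack-connection connection-state=established,related comment="default configuration"
add chain=forward action=accept connection-state=established,related comment="default configuration"
add chain=forward action=drop connection-state=invalid log=yes log-prefix="fwd-invalid" comment="default configuration"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1 log=yes log-prefix="fwd-wan-new" comment="default configuration"

# 3. The IKE/ESP exchange itself terminates on the router, so it needs input
#    rules limited to the peer's public address (placeholder 203.0.113.10).
add chain=input action=accept protocol=udp dst-port=500,4500 src-address=203.0.113.10 comment="IKE and NAT-T from peer"
add chain=input action=accept protocol=ipsec-esp src-address=203.0.113.10 comment="ESP from peer"

/ip firewall nat
# 4. Srcnat bypass above masquerade: traffic that will be encrypted must keep
#    its LAN source address or the IPsec policy selector no longer matches.
add chain=srcnat action=accept ipsec-policy=out,ipsec comment="IPsec: do not NAT tunnel traffic" place-before=0
add chain=srcnat action=masquerade out-interface=ether1 comment="default configuration"

# 5. Any dst-nat should be pinned to the WAN address so it cannot catch
#    decrypted tunnel traffic (scampbell's tip). 203.0.113.1 is a placeholder
#    for your own WAN address; the port forward is only an illustration.
# add chain=dstnat action=dst-nat dst-address=203.0.113.1 protocol=tcp dst-port=443 to-addresses=192.168.0.10
```

If the default rules already exist on the router, only the four place-before=0 lines and the two input rules need to be added; place-before=0 puts each of them above everything that is already there, which is exactly what the "cannot move builtin" error prevents you from doing by dragging rules around.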

And how can I do this? If I try to move the firewall rule before the fasttrack rule I get this error message:

“Couldn’t move Firewall Rule <172.16.20.0/24->192.168.17.0/24> -cannot move builtin(6)”

If I try to delete it, this is what I get:

“Couldn’t move Firewall Rule <> - cannot move builtin(6)”

So, is the only way to reset the configuration, remove the configuration and start from the beginning?

Thanks

Not sure what exactly you are trying to move, but none of the rules I mentioned are built in. They are created either by the default configuration or by the user.

This is done with the place-before=0 option.

This is what works for me:

/ip firewall filter
add chain=forward comment="Allow from Azure" dst-address=10.200.0.0/16 src-address=192.168.1.0/24 place-before=0
add chain=forward dst-address=192.168.1.0/24 src-address=10.200.0.0/16 place-before=0

Problem also solved, everything working now. THANKS

Hi guys,

I have the same issue. If I ping from the MikroTik to the cloud VM it fails, but if I ping from the cloud VM to my MikroTik it succeeds.
I have set this firewall NAT rule in the MikroTik:
add chain=srcnat action=accept place-before=0 src-address=10.62.1.0/24 dst-address=192.168.62.0/24

And added these firewall filter rules:
add chain=forward dst-address=10.62.1.0/24 src-address=192.168.62.0/24 place-before=0
add chain=forward dst-address=192.168.62.0/24 src-address=10.62.1.0/24 place-before=0

These are the IPs for the cloud VM:
public IP: 119.202.xxx.xxx
private IP: 192.168.62.0/24

These are the IPs for the MikroTik:
public IP: 202.202.xxx.xxx
private IP: 10.62.1.0/24

Any solution, please? Thanks in advance.
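A set of checks to run on the router for the one-way failure in the post above, added here as an example and not part of the thread. The point it makes: a /ping issued on the MikroTik without src-address is usually sourced from the WAN address (the address on the interface the default route leaves through), which is not inside the policy selector 10.62.1.0/24 -> 192.168.62.0/24, so that ping is never encrypted and fails even when the tunnel is healthy, while a ping from the cloud side works. Sourcing the ping from a LAN address that the policy covers exercises the tunnel properly, and the policy state and rule counters show where packets stop. It assumes the router holds 10.62.1.1 on its LAN (an assumption, not stated in the post) and that something on the far side answers at 192.168.62.1 (also assumed).

```routeros
# Added example: checks for the one-way ping in the post above. Assumes the
# router's LAN address is 10.62.1.1 and that 192.168.62.1 exists on the far
# side; both are assumptions, adjust to your own addresses.

# 1. Is phase 2 up? ph2-state=established means an SA exists for the policy;
#    "no-phase2" means the selector never matched any traffic or the proposal
#    does not agree with the peer.
/ip ipsec policy print
/ip ipsec installed-sa print

# 2. Ping from a source that is inside the policy selector. Without
#    src-address the router sources the packet from its WAN address, which the
#    policy 10.62.1.0/24 -> 192.168.62.0/24 does not cover, so it leaves
#    unencrypted and the far side never sees it through the tunnel.
/ping 192.168.62.1 src-address=10.62.1.1 count=4

# 3. While pinging, watch which forward and srcnat rules count the packets.
#    If the counters rise on the default drop or on masquerade instead of on
#    the bypass rules, the bypass rules sit too low in the list.
/ip firewall filter print stats where chain=forward
/ip firewall nat print stats where chain=srcnat

# 4. A connection that was masqueraded shows the WAN address as reply-dst
#    instead of the LAN address; that is the missing srcnat bypass.
/ip firewall connection print where dst-address~"^192.168.62"

# 5. Make the default WAN drop log its hits so a blocked decrypted packet is
#    visible in the log (turn logging off again after testing).
/ip firewall filter set [find chain=forward action=drop connection-state=new] log=yes log-prefix="wan-drop"
/log print where message~"wan-drop"
```

Step 2 is the one that catches most "ping from the router fails" reports: a LAN host behind the router, or the router pinging with src-address inside the policy, is the right test; the router's own WAN-sourced ping is not.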

This worked for me!

Thanks

Same problem here. Unfortunately the solution that #34 describes doesn’t work for me.

Here is my config:

/ip firewall filter

0 ;;; Allow from Local to Azure intern
chain=forward src-address=192.168.6.0/24 dst-address=10.0.0.0/16

1 ;;; Allow from Azure intern to Local
chain=forward action=accept src-address=10.0.0.0/24 dst-address=192.168.6.0/24 log=no log-prefix=""

2 ;;; Allow from Azure extern
chain=input protocol=ipsec-esp src-address=52.233.x.x log=yes

/ip firewall nat

0 ;;; VPN Tunnel to Azure
chain=srcnat action=accept src-address=192.168.6.0/24 dst-address=10.0.0.0/16 log=no log-prefix=""

1 ;;; VPN Tunnel from Azure
chain=srcnat src-address=10.0.0.0/16 dst-address=192.168.6.0/24 log=no

2 ;;; default configuration from forum
chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix=""

/ip ipsec policy

0 A src-address=192.168.6.0/24 src-port=any dst-address=10.0.0.0/16 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=213.127.x.x sa-dst-address=52.233.x.x proposal=default ph2-count=1

1 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes

/ip ipsec peer

0 address=52.233.x.x/32 auth-method=pre-shared-key secret="secret" generate-policy=no policy-template-group=default exchange-mode=ike2 send-initial-contact=yes hash-algorithm=sha1 enc-algorithm=aes-256,aes-128 dh-group=modp1024 lifetime=8h dpd-interval=disable-dpd

1 R address=::/0 auth-method=pre-shared-key secret="" generate-policy=no policy-template-group=default exchange-mode=main send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-128,3des dh-group=modp2048,modp1024 lifetime=1d dpd-interval=disable-dpd

My version of RouterOS is 6.42.1.

Any ideas will be appreciated.

Hi all,

I copied the code from the previous post into the MikroTik. Unfortunately it didn’t let me ping my subnet behind the MikroTik.
I use version 6.42.1 of the RouterOS software. Is there someone who can verify this finding on the current RouterOS version?

Hi All,

Emils of MikroTik helped me out. He said I had configured the router correctly. So I rechecked the firewall settings on the Windows box. ICMP ports were open. I could ping locally. I shut the Windows firewall down completely. Et voilà, it worked. I enabled the firewall again. I decided to use the command line to open it for ICMP:

netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow
netsh advfirewall firewall add rule name="ICMP Allow incoming V6 echo request" protocol=icmpv6:8,any dir=in action=allow

This worked with 6.42.1.

Regards,
Bas