IPSec Site to Site - All works but Can't Ping [SOLVED]

Hi

So there is IPsec between two RB2011s; both sites have dynamic IPs. Both routers act as PPPoE clients (the modems at both sites are in bridge mode).

Everything was done as described here:

http://blog.pessoft.com/2016/05/29/mikrotik-ipsec-tunnel-with-ddns-and-nat/

=================================================================

The tunnel works (I think). I went to Site 2 today and:

  1. I can map a network share from Site 1 - everything is fine - upload speed is near 100%, so it's good.
  2. I can connect with Remote Desktop from Site 1 - everything is nice and dandy.
  3. I CAN'T ping Site 1 → Site 2 (I get timeouts if I ping the Site 2 router using the bridge interface, for example) or Site 2 → Site 1 (I get "packet rejected" if I ping the Site 1 router or servers using the bridge interface).

I don't really know how to troubleshoot this.

Site 1 firewall configuration:

# dec/18/2016 13:07:33 by RouterOS 6.37.3

#
/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
    d this subnet before enable it" disabled=yes list=bogons
add address=127.0.0.0/16 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
    need this subnet before enable it" disabled=yes list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you\
    \_need this subnet before enable it" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
    bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" \
    disabled=yes list=bogons
/ip firewall filter
add action=accept chain=input comment=ipsec-ike-natt dst-port=500,4500 \
    in-interface=pppoe-out1 protocol=udp
add action=accept chain=input dst-port=1701 protocol=udp
add action=accept chain=forward comment=vpn01 connection-state="" \
    connection-type="" dst-address=192.168.10.0/24 in-interface=pppoe-out1 \
    ipsec-policy=in,ipsec src-address=192.168.20.0/24
add action=accept chain=forward comment="Allow DrayTek 2710 and Restaurant PC \
    to communicate with 10.10.10.0 subnet" dst-address=192.168.10.0/24 \
    src-address=10.10.10.1 src-mac-address=00:50:7F:56:AE:08
add action=accept chain=forward dst-address=192.168.10.0/24 src-address=\
    10.10.10.3 src-mac-address=00:60:EF:06:74:EC
add action=drop chain=forward comment=LTE-1 disabled=yes src-address=\
    10.10.10.2
add action=drop chain=forward comment=LTE-2 disabled=yes src-address=\
    10.10.10.4-10.10.10.254
add action=drop chain=forward comment="Blocking traffic between subnets" \
    dst-address=192.168.10.0/24 src-address=10.10.10.0/24
add action=drop chain=forward dst-address=10.0.0.0/24 src-address=\
    10.10.10.0/24
add action=accept chain=forward comment=\
    "Exclude ether 6 (DrayTek 2710) from FastTrack for simple queues" \
    connection-state=established,related out-interface=ether6
add action=accept chain=forward in-interface=ether6
add action=fasttrack-connection chain=forward comment="LAN FastTrack" \
    connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward comment="Drop Internet user USER" disabled=yes \
    src-mac-address=50:E5:49:5D:E0:1C
add action=accept chain=input comment=PPTP disabled=yes dst-port=1723 \
    protocol=tcp
add action=accept chain=input disabled=yes protocol=gre
add action=accept chain=input comment=SSTP disabled=yes dst-port=443 \
    protocol=tcp
add action=add-src-to-address-list address-list=Syn_Flooder \
    address-list-timeout=30m chain=input comment=\
    "Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp \
    tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" \
    src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=1w chain=input comment="Port Scanner Detect" \
    protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" \
    src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=\
    ICMP protocol=icmp
add action=drop chain=input comment="Block all access to the winbox - except t\
    o support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUP\
    PORT ADDRESS LIST" disabled=yes dst-port=8291 protocol=tcp \
    src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" \
    jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
    bogons
add action=add-src-to-address-list address-list=spammers \
    address-list-timeout=3h chain=forward comment=\
    "Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=\
    25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 \
    protocol=tcp src-address-list=spammers
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
add action=accept chain=input comment="Accept to established connections" \
    connection-state=established
add action=accept chain=input comment="Accept to related connections" \
    connection-state=related
add action=accept chain=input comment="Full access to SUPPORT address list" \
    src-address-list=support
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS \
    RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" \
    icmp-options=8:0 limit=1,5 protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=\
    3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP \
    protocol=icmp
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 \
    protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=\
    1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=3h chain=output content="530 Login incorrect" \
    protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp
add action=drop chain=forward comment="drop ssh brute downstream" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
add action=drop chain=input comment="drop telnet brute forcers" dst-port=23 \
    protocol=tcp src-address-list=telnet_blacklist
add action=add-src-to-address-list address-list=telnet_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new dst-port=23 \
    protocol=tcp src-address-list=telnet_stage3
add action=add-src-to-address-list address-list=telnet_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=23 \
    protocol=tcp src-address-list=telnet_stage2
add action=add-src-to-address-list address-list=telnet_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=23 \
    protocol=tcp src-address-list=telnet_stage1
add action=add-src-to-address-list address-list=telnet_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=23 \
    protocol=tcp
add action=drop chain=forward comment="drop telnet brute downstream" \
    dst-port=23 protocol=tcp src-address-list=telnet_blacklist
add action=drop chain=input comment="drop rdp brute forcers" dst-port=3389 \
    protocol=tcp src-address-list=rdp_blacklist
add action=add-src-to-address-list address-list=rdp_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new dst-port=3389 \
    protocol=tcp src-address-list=rdp_stage3
add action=add-src-to-address-list address-list=rdp_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=3389 \
    protocol=tcp src-address-list=rdp_stage2
add action=add-src-to-address-list address-list=rdp_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=3389 \
    protocol=tcp src-address-list=rdp_stage1
add action=add-src-to-address-list address-list=rdp_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=3389 \
    protocol=tcp
add action=drop chain=forward comment="drop rdp brute downstream" dst-port=\
    3389 protocol=tcp src-address-list=rdp_blacklist
add action=drop chain=input comment="drop winbox brute forcers" dst-port=8291 \
    protocol=tcp src-address-list=winbox_blacklist
add action=add-src-to-address-list address-list=winbox_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new dst-port=8291 \
    protocol=tcp src-address-list=winbox_stage3
add action=add-src-to-address-list address-list=winbox_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=8291 \
    protocol=tcp src-address-list=winbox_stage2
add action=add-src-to-address-list address-list=winbox_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=8291 \
    protocol=tcp src-address-list=winbox_stage1
add action=add-src-to-address-list address-list=winbox_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=8291 \
    protocol=tcp
add action=drop chain=forward comment="drop winbox brute downstream" \
    dst-port=8291 protocol=tcp src-address-list=winbox_blacklist
/ip firewall nat
add action=accept chain=srcnat comment=vpn01 dst-address=192.168.20.0/24 \
    src-address=192.168.10.0/24
add action=accept chain=dstnat comment=vpn01 dst-address=192.168.10.0/24 \
    src-address=192.168.20.0/24
add action=masquerade chain=srcnat comment=NAT out-interface=pppoe-out1
add action=masquerade chain=srcnat comment="MIKROTIK LTE1 MASQUERADE" \
    out-interface=lte1
add action=masquerade chain=srcnat comment="MIKROTIK ETHER1 IP" dst-address=\
    10.0.0.1 out-interface=ether1 to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="MIKROTIK ETHER6 IP" dst-address=\
    10.10.10.1 out-interface=ether6
add action=dst-nat chain=dstnat comment="Pulpit Menadzera Port 9091" \
    dst-address-type=local dst-port=9091 protocol=tcp to-addresses=\
    192.168.10.113 to-ports=9091
add action=dst-nat chain=dstnat comment=ScreenConnect dst-port=8040 protocol=\
    tcp to-addresses=192.168.10.113 to-ports=8040
add action=dst-nat chain=dstnat dst-address-type=local dst-port=8041 \
    protocol=tcp to-addresses=192.168.10.113 to-ports=8041
add action=dst-nat chain=dstnat comment="ePracownik Patron Port 1010" \
    dst-address-type=local dst-port=1010 protocol=tcp to-addresses=\
    192.168.10.113 to-ports=1010
add action=masquerade chain=srcnat comment=\
    "ePracownik Patron Hairpin NAT dla wejsc z LAN" dst-address=\
    192.168.10.113 dst-port=1010 out-interface=bridge1 protocol=tcp \
    src-address=192.168.10.0/24
add action=masquerade chain=srcnat comment=\
    "Pulpit Menadzera Hairpin NAT dla wejsc z LAN" dst-address=192.168.10.113 \
    dst-port=9091 out-interface=bridge1 protocol=tcp src-address=\
    192.168.10.0/24
add action=masquerade chain=srcnat comment=\
    "ScreenConnect Hairpin NAT dla wejsc z LAN" dst-address=192.168.10.113 \
    dst-port=8040 out-interface=bridge1 protocol=tcp src-address=\
    192.168.10.0/24
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes

Site 2 firewall configuration:

# dec/18/2016 13:08:02 by RouterOS 6.37.3

#
/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
    d this subnet before enable it" disabled=yes list=bogons
add address=127.0.0.0/16 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
    need this subnet before enable it" disabled=yes list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you\
    \_need this subnet before enable it" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
    bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" \
    disabled=yes list=bogons
/ip firewall filter
add action=accept chain=input comment=ipsec-ike-natt dst-port=500,4500 \
    in-interface=pppoe-out1 protocol=udp
add action=accept chain=input dst-port=1701 protocol=udp
add action=accept chain=forward comment=vpn01 dst-address=192.168.20.0/24 \
    in-interface=pppoe-out1 ipsec-policy=in,ipsec src-address=192.168.10.0/24
add action=fasttrack-connection chain=forward comment="LAN FastTrack" \
    connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward comment="Drop Internet user USER" disabled=yes \
    src-mac-address=50:E5:49:5D:E0:1C
add action=accept chain=input comment=SSTP disabled=yes dst-port=443 \
    protocol=tcp
add action=add-src-to-address-list address-list=Syn_Flooder \
    address-list-timeout=30m chain=input comment=\
    "Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp \
    tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" \
    src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=1w chain=input comment="Port Scanner Detect" \
    protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" \
    src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=\
    ICMP protocol=icmp
add action=drop chain=input comment="Block all access to the winbox - except t\
    o support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUP\
    PORT ADDRESS LIST" disabled=yes dst-port=8291 protocol=tcp \
    src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" \
    jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
    bogons
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 \
    protocol=tcp src-address-list=spammers
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
add action=accept chain=input comment="Accept to established connections" \
    connection-state=established
add action=accept chain=input comment="Accept to related connections" \
    connection-state=related
add action=accept chain=input comment="Full access to SUPPORT address list" \
    src-address-list=support
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS \
    RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=\
    3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP \
    protocol=icmp
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 \
    protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=\
    1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=3h chain=output content="530 Login incorrect" \
    protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp
add action=drop chain=forward comment="drop ssh brute downstream" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
add action=drop chain=input comment="drop telnet brute forcers" dst-port=23 \
    protocol=tcp src-address-list=telnet_blacklist
add action=add-src-to-address-list address-list=telnet_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new dst-port=23 \
    protocol=tcp src-address-list=telnet_stage3
add action=add-src-to-address-list address-list=telnet_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=23 \
    protocol=tcp src-address-list=telnet_stage2
add action=add-src-to-address-list address-list=telnet_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=23 \
    protocol=tcp src-address-list=telnet_stage1
add action=add-src-to-address-list address-list=telnet_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=23 \
    protocol=tcp
add action=drop chain=forward comment="drop telnet brute downstream" \
    dst-port=23 protocol=tcp src-address-list=telnet_blacklist
add action=drop chain=input comment="drop rdp brute forcers" dst-port=3389 \
    protocol=tcp src-address-list=rdp_blacklist
add action=add-src-to-address-list address-list=rdp_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new dst-port=3389 \
    protocol=tcp src-address-list=rdp_stage3
add action=add-src-to-address-list address-list=rdp_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=3389 \
    protocol=tcp src-address-list=rdp_stage2
add action=add-src-to-address-list address-list=rdp_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=3389 \
    protocol=tcp src-address-list=rdp_stage1
add action=add-src-to-address-list address-list=rdp_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=3389 \
    protocol=tcp
add action=drop chain=forward comment="drop rdp brute downstream" dst-port=\
    3389 protocol=tcp src-address-list=rdp_blacklist
add action=drop chain=input comment="drop winbox brute forcers" dst-port=8291 \
    protocol=tcp src-address-list=winbox_blacklist
add action=add-src-to-address-list address-list=winbox_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new dst-port=8291 \
    protocol=tcp src-address-list=winbox_stage3
add action=add-src-to-address-list address-list=winbox_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=8291 \
    protocol=tcp src-address-list=winbox_stage2
add action=add-src-to-address-list address-list=winbox_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=8291 \
    protocol=tcp src-address-list=winbox_stage1
add action=add-src-to-address-list address-list=winbox_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=8291 \
    protocol=tcp
add action=drop chain=forward comment="drop winbox brute downstream" \
    dst-port=8291 protocol=tcp src-address-list=winbox_blacklist
/ip firewall nat
add action=accept chain=srcnat comment=vpn01 dst-address=192.168.10.0/24 \
    src-address=192.168.20.0/24
add action=accept chain=dstnat comment=vpn01 dst-address=192.168.20.0/24 \
    src-address=192.168.10.0/24
add action=masquerade chain=srcnat comment=NAT out-interface=pppoe-out1
add action=masquerade chain=srcnat comment="MIKROTIK ETHER1 IP" dst-address=\
    10.0.0.1 out-interface=ether1
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set pptp disabled=yes

Site 1 route for IPSec:

/ip route add comment="vpn01" distance=1 dst-address=192.168.20.0/24 gateway=bridge1

Site 2 route for IPSec:

/ip route add comment="vpn01" distance=1 dst-address=192.168.10.0/24 gateway=bridge

Can anyone help me?

Bart

The systems you are trying to ping are probably Windows systems. You need to adjust the Windows firewall, because by default it only allows ping from the local network.

Yes, I am using Windows computers. I disabled the Windows firewall on 2 PCs, but the symptoms are still the same.

Problem solved.

Firewall filter rule:

add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp

was blocking ping.

Now, everything works.
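Editor's note on the fix above. Comparing the two exports, the custom ICMP chain is entered by jumps from input, forward and output on both routers, but only Site 1 has the "Echo request" accept (icmp-options=8:0) in front of the catch-all drop; Site 2's chain goes straight from "Echo reply" to "Drop to the other ICMPs". That matches the symptoms: echo requests arriving at Site 2 (input or forward) are dropped, so Site 1 sees timeouts, and echo requests generated by the Site 2 router itself are dropped in its own output chain, which is what /ping reports as "packet rejected". Rather than deleting the drop rule, the safer fix is to give Site 2 the same rate-limited echo-request accept that Site 1 already has. The following is an added example, not config posted in the thread; it assumes the Site 2 LAN gateway is 192.168.20.1 and the Site 1 LAN gateway is 192.168.10.1 (RouterOS 6.x syntax, run on Site 2):

```routeros
# Added example, not from the original thread. Diagnose and fix the
# "Drop to the other ICMPs" catch-all on Site 2 (RouterOS 6.x syntax).
# Assumed addressing: Site 2 LAN gateway 192.168.20.1, Site 1 LAN
# gateway 192.168.10.1; adjust to your own subnets.

# 1. Diagnose. The ICMP chain is reached from input, forward AND output,
#    so a missing echo-request accept breaks pings in every direction.
#    Clear the counters, ping, and watch the drop rule's counter grow.
/ip firewall filter reset-counters-all
/ip firewall filter print stats where chain=ICMP

# Temporarily log what the catch-all is eating (removed again below).
/ip firewall filter add chain=ICMP protocol=icmp action=log \
    log-prefix="icmp-drop:" comment="tmp-icmp-log" \
    place-before=[find chain=ICMP action=drop]
/log print where message~"icmp-drop"

# 2. Fix. Accept echo requests, rate-limited, in front of the catch-all
#    drop, mirroring the rule Site 1 already has, instead of deleting
#    the drop (which would also let every other ICMP type through).
/ip firewall filter add chain=ICMP protocol=icmp icmp-options=8:0 \
    limit=1,5 action=accept comment="Echo request - Avoiding Ping Flood" \
    place-before=[find chain=ICMP action=drop]
/ip firewall filter remove [find comment="tmp-icmp-log"]

# 3. Verify: the SA pair must be installed, and the ping must be sourced
#    from the LAN address so it matches the IPsec policy selector
#    (192.168.20.0/24 -> 192.168.10.0/24). A ping sourced from the PPPoE
#    address would not match the policy and would leave in clear text.
/ip ipsec installed-sa print
/ip ipsec policy print detail
/ping 192.168.10.1 src-address=192.168.20.1 count=5
```

Two caveats worth knowing before copying Site 1's rule verbatim. First, `limit=1,5` is a single counter shared by every echo request that traverses the chain, not a per-source limit, so on a busy site a fast ping will show drops even though the rule is "working"; raise the rate or match on src-address if that is a problem. Second, because the same chain is also used for the output jump, anything you drop there also stops the router's own ICMP (its pings and the unreachable/PMTUD messages it needs to send), so keep the chain's accept list in step with what you expect the router to originate, not just what it should receive.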