IPsec site-to-site problem FGT - MikroTik

I have a problem in OS7.
I have an IPsec site-to-site with a FortiGate.
The tunnel is up (phase 1 and phase 2). When I ping from the FGT network to the MikroTik network it works, while when I ping from the MikroTik network it goes through the WAN and I get:
[admin@MikroTik] > ping 192.168.10.17
SEQ HOST SIZE TTL TIME STATUS
0 xxx.112.90.49 84 55 18ms459us TTL exceeded
1 xxx.112.90.49 84 55 17ms51us TTL exceeded
2 xxx.112.90.49 84 55 18ms857us TTL exceeded
sent=3 received=0 packet-loss=100%

[admin@MikroTik] > ping 192.168.10.17 src-address=192.168.20.254
SEQ HOST SIZE TTL TIME STATUS
0 192.168.10.17 56 63 31ms182us
1 192.168.10.17 56 63 29ms919us
2 192.168.10.17 56 63 29ms932us
sent=3 received=3 packet-loss=0% min-rtt=29ms919us avg-rtt=30ms344us max-rtt=31ms182us

[admin@MikroTik] >

I set the policy on the MikroTik.


I also tried to set ipsec-policy=out,none in the masquerade rule, with no luck.

Any chance I can make this VPN work?

Thanks in advance.

That should mean the TTL was exceeded ;)

Try running a traceroute; maybe it shows what happens.

Normally the TTL is more than adequate; exceeding it is usually the result of a routing loop of some kind.

Thank you for your answer, so how do I fix my problem?

IPsec has some specific behavior: it matches packet headers against the IPsec policy traffic selectors as the very last step before sending a packet via the out-interface chosen by normal routing.

And when the router itself sends a packet that is not a response, it only sets its source address after routing: routing finds the out-interface and the packet gets the primary address of that interface as its source, unless the pref-src parameter of the route used indicates a different one.

Your IPsec policy matches on src-address=192.168.20.0/24, but the default route most likely goes via the WAN interface, so the packet gets the WAN IP as its source address and hence doesn't match your policy. So if you only need pinging from the router for testing, specify src-address as a parameter of the ping, but make sure that src-nat or masquerade won't change it; I don't know your NAT rules, so they may or may not care about this. Transit traffic from connected devices in 192.168.20.0/24 will have an address that matches the policy, but you also have to make sure that src-nat or masquerade doesn't change it.

When you ping from the Forti side, the MikroTik responds from the same address at which it received the request, and NAT rules are only used to handle the initial packet of each connection, so even the exemption from src-nat is not necessary.
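The order of operations described in the reply above (routing picks the out-interface and, for a locally generated packet, the source address; then srcnat runs; only then are the IPsec policy selectors checked) is easy to get wrong in one's head. The following is an added model of that pipeline, not code from the thread or from RouterOS: it replays the three NAT layouts the thread discusses (masquerade alone, masquerade with ipsec-policy=out,none, and an accept rule for the tunnel pair placed before masquerade) for a router-originated ping, a ping with src-address set, and transit traffic. The interface names and the LAN/remote prefixes are the ones posted; the WAN address 203.0.113.2 and the route table are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (assumption, not from the thread's export): the LAN and
# remote prefixes are the ones posted; 203.0.113.2 stands in for the WAN IP.
IFACE_ADDR = {"LAN-ether5": "192.168.20.254", "WAN1": "203.0.113.2"}
ROUTES = [  # (dst prefix, out-interface, pref-src); longest prefix wins
    ("192.168.20.0/24", "LAN-ether5", None),
    ("0.0.0.0/0", "WAN1", None),
]
# /ip ipsec policy src-address=192.168.20.0/24 dst-address=192.168.10.0/24
POLICY = (ip_network("192.168.20.0/24"), ip_network("192.168.10.0/24"))


def lookup_route(dst):
    """Longest-prefix match over ROUTES; returns (prefix, out-iface, pref-src)."""
    hits = [r for r in ROUTES if ip_address(dst) in ip_network(r[0])]
    return max(hits, key=lambda r: ip_network(r[0]).prefixlen)


def policy_matches(src, dst):
    """The traffic-selector check IPsec performs on the final packet headers."""
    return ip_address(src) in POLICY[0] and ip_address(dst) in POLICY[1]


def apply_srcnat(src, dst, out_iface, rules):
    """chain=srcnat: first matching rule wins. A rule is a dict with any of
    src, dst (prefixes), out_iface, ipsec ('out,ipsec' / 'out,none') and an
    action of 'accept' (leave the source alone) or 'masquerade'."""
    for r in rules:
        if "src" in r and ip_address(src) not in ip_network(r["src"]):
            continue
        if "dst" in r and ip_address(dst) not in ip_network(r["dst"]):
            continue
        if "out_iface" in r and r["out_iface"] != out_iface:
            continue
        if "ipsec" in r and policy_matches(src, dst) != (r["ipsec"] == "out,ipsec"):
            continue
        if r["action"] == "accept":
            return src
        return IFACE_ADDR[out_iface]   # masquerade rewrites to the out-iface address
    return src


def send(dst, nat_rules, src=None):
    """Trace one packet: routing -> source selection (local packets only) ->
    srcnat -> policy match. src=None means the router itself generated it."""
    _, out_iface, pref_src = lookup_route(dst)
    if src is None:                      # locally originated: source picked after routing
        src = pref_src or IFACE_ADDR[out_iface]
    src = apply_srcnat(src, dst, out_iface, nat_rules)
    return {"src": src, "out": out_iface, "ipsec": policy_matches(src, dst)}


# The three srcnat layouts discussed in the thread.
MASQ_ONLY = [{"action": "masquerade", "out_iface": "WAN1"}]
MASQ_EXEMPT = [{"action": "masquerade", "out_iface": "WAN1", "ipsec": "out,none"}]
NO_NAT_FIRST = [
    {"action": "accept", "src": "192.168.20.0/24", "dst": "192.168.10.0/24"},
    {"action": "masquerade", "out_iface": "WAN1"},
]

if __name__ == "__main__":
    cases = [("masq only", MASQ_ONLY), ("masq ipsec-policy=out,none", MASQ_EXEMPT),
             ("no-nat accept first", NO_NAT_FIRST)]
    for label, rules in cases:
        print(label)
        print("  ping 192.168.10.17                    ->", send("192.168.10.17", rules))
        print("  ping 192.168.10.17 src=192.168.20.254 ->", send("192.168.10.17", rules, "192.168.20.254"))
        print("  transit 172.16.200.5 -> 192.168.10.17 ->", send("192.168.10.17", rules, "172.16.200.5"))
```

Running it shows the two failure modes side by side: a router-originated ping with no src-address leaves with the WAN address under every layout, so it never matches the selectors and goes out in the clear, while transit traffic from a subnet the policy does not cover (172.16.200.0/24 here) is masqueraded and likewise bypasses the tunnel no matter how the NO-NAT rule is placed.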

Here is my config.

Thank you Sindy for your informative question,
I don't care about pinging from the router, but also when pinging from the internal network behind the MikroTik to the 192.168.10.0 network it will not work.

If so, use /export hide-sensitive file=some-nice-name, then download some-nice-name.rsc, use your favourite text editor's "find and replace" function to systematically replace the first two bytes of any public addresses with something like psub.a. (public subnet A), psub.b. etc. (to preserve consistency between addresses in the same subnet), and also obfuscate any usernames for 3rd party services, serial numbers, MAC addresses... as hide-sensitive doesn't hide everything, only passwords and private keys. Then copy-paste the result to the post between two ` signs (or use the </> button).

But the way you describe it, the srcnat rules seem to be the most likely issue.
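Doing the replacement by hand in an editor is error-prone on a long export (it is easy to miss one occurrence of a subnet or to map the same /16 to two different labels). The script below is an added example, not part of the thread, that applies the scheme suggested above mechanically: every globally routable IPv4 address has its first two octets replaced by psub.a., psub.b., ... with one label per /16, RFC 1918 and other non-global addresses are left alone, MAC addresses and the software-id/serial lines are blanked. The sample export lines are constructed for the demonstration and modelled on the one posted; the two peer addresses in it are the ones that appear in that export.

```python
import re
from ipaddress import ip_address
from string import ascii_lowercase

IPV4 = re.compile(r"\b(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\b")
MAC = re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b")
# Lines that `/export hide-sensitive` leaves in clear but that identify the box.
IDENTITY_LINES = re.compile(r"^(# (?:software id|serial number) = )\S+", re.M)


def _label(n):
    """0 -> a, 25 -> z, 26 -> aa ... so more than 26 public /16s still get labels."""
    out, n = "", n + 1
    while n:
        n, rem = divmod(n - 1, 26)
        out = ascii_lowercase[rem] + out
    return out


def sanitize(text, labels=None):
    """Replace the first two octets of every globally routable IPv4 address with
    psub.<label>, the same label for the same /16, and blank MACs and serials.
    Pass the same `labels` dict for several files to keep the mapping consistent."""
    labels = {} if labels is None else labels

    def ip_sub(m):
        try:
            addr = ip_address(m.group(0))
        except ValueError:           # e.g. "300.1.1.1" in a comment is not an address
            return m.group(0)
        if not addr.is_global:       # RFC 1918, loopback, link-local, doc ranges: keep
            return m.group(0)
        key = ".".join(m.groups()[:2])
        if key not in labels:
            labels[key] = "psub." + _label(len(labels))
        return labels[key] + "." + ".".join(m.groups()[2:])

    text = IPV4.sub(ip_sub, text)
    text = MAC.sub("XX:XX:XX:XX:XX:XX", text)
    return IDENTITY_LINES.sub(r"\1XXXX-XXXX", text)


# Constructed sample, modelled on the export posted in the thread.
SAMPLE = """\
# 2026-02-10 22:23:30 by RouterOS 7.18.2
# software id = SB6M-4FCU
/interface ethernet
set [ find default-name=ether1 ] mac-address=DC:2C:6E:11:22:33 name=WAN1
/ip ipsec peer
add address=92.242.169.146/32 local-address=92.242.169.1 name=TIME_GW
add address=41.188.172.158/32 local-address=192.168.20.254 name=TANZANIA_GW
"""

if __name__ == "__main__":
    mapping = {}
    print(sanitize(SAMPLE, mapping))
    print("mapping:", mapping)   # keep this offline; it is the key to de-obfuscate
```

Usernames for third-party services (PPPoE, DDNS, RADIUS) are not pattern-matchable in general, so those still have to be checked by eye; keeping the returned mapping lets you answer follow-up questions consistently without ever pasting the real prefixes.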

# 2026-02-10 22:23:30 by RouterOS 7.18.2
# software id = SB6M-4FCU
# model = CCR2116-12G-4S+

/interface ethernet
set [ find default-name=ether6 ] comment="LAN-192.168.21.0/24 (FG port2)"
name=LAN-Club-ether6
set [ find default-name=ether10 ] comment=
"GUEST-10.10.20.0/24 (FG port3 captive)" name=LAN-Guest-ether10
set [ find default-name=ether5 ] arp=proxy-arp auto-negotiation=no comment=
"LAN-192.168.20.0/24 (FG port1)" name=LAN-ether5 speed=100M-baseT-full
set [ find default-name=ether1 ] comment=
"WAN1 MTU aligned with FortiGate (1460)" name=WAN1_Cyberia-ether1
set [ find default-name=ether2 ] comment="WAN2-Backup (FG wan2)" name=
WAN2_IDM-ether2
set [ find default-name=ether11 ] comment=
"WAN-TerraNet (FG port11) Primary WAN" name=WAN3_TerraNet-ether11
set [ find default-name=ether3 ] comment="WAN-VSAT2 (FG port10) DHCP WAN"
name=WAN4_VSAT2-ether3
set [ find default-name=ether4 ] comment="LAN-MAIN (FG hard-switch lan)"
set [ find default-name=ether7 ] comment="LAN-192.168.23.0/24 (FG port5)"
set [ find default-name=ether8 ] comment="DMZ-10.10.10.0/24 (FG dmz)"
set [ find default-name=ether9 ] comment="MGMT-192.168.1.0/24 (FG mgmt)"
/interface list
add name=WAN
add name=LAN
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
add dh-group=modp1536 dpd-interval=10s dpd-maximum-failures=3 enc-algorithm=
3des lifetime=2d name=FG_TIME_PROFILE
add dh-group=modp1024 dpd-interval=10s dpd-maximum-failures=3 enc-algorithm=
3des name=FG_TANZANIA_PROFILE nat-traversal=no
add dh-group=modp1536 dpd-interval=10s dpd-maximum-failures=5 enc-algorithm=
aes-256 hash-algorithm=sha512 lifetime=2d name=FG_QATAR_PROFILE
/ip ipsec peer
add address=92.242.169.146/32 local-address=xxx.112.222.212 name=TIME_GW
profile=FG_TIME_PROFILE
add address=92.242.169.146/32 disabled=yes local-address=xxx.112.222.212
name=MAK-GRE profile=FG_TIME_PROFILE
add address=41.188.172.158/32 disabled=yes local-address=xxx.112.222.212
name=TANZANIA_GW profile=FG_TANZANIA_PROFILE
add disabled=yes local-address=xxx.112.222.212 name=QATAR_DIALUP passive=yes
profile=FG_QATAR_PROFILE
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=
aes-256-cbc,aes-192-cbc,aes-128-cbc,3des
add auth-algorithms=sha1,md5 enc-algorithms=3des lifetime=1h name=FG_P2_TIME
pfs-group=modp1536
add enc-algorithms=3des lifetime=1h name=FG_P2_TANZANIA pfs-group=none
add enc-algorithms=3des name=FG_P2_QATAR
/ip pool
add name=pool_lan21 ranges=192.168.21.101-192.168.21.240
add name=pool_guest ranges=10.10.20.70-10.10.20.254
add name=pool_l2tp ranges=10.99.99.10-10.99.99.50
/ip dhcp-server
add address-pool=pool_lan21 interface=LAN-Club-ether6 lease-time=1d name=
dhcp_lan21
add address-pool=pool_guest interface=LAN-Guest-ether10 lease-time=4h name=
dhcp_guest
/port
set 0 name=serial0
/ppp profile
add local-address=10.99.99.1 name=l2tp-profile remote-address=pool_l2tp
use-encryption=required
add local-address=10.99.99.1 name=PPTP remote-address=pool_l2tp
use-encryption=required
/queue type
add kind=pcq name=pcq-guaranteed pcq-classifier=src-address pcq-rate=20M
add kind=pcq name=pcq-medium pcq-classifier=src-address
add kind=pcq name=pcq-low pcq-classifier=src-address
add kind=pcq name=pcq-wifi pcq-classifier=src-address
add kind=pcq name=pcq-club pcq-classifier=src-address
add kind=pcq name=pcq-guest pcq-classifier=src-address
add kind=pcq name=pcq-servers pcq-classifier=src-address pcq-rate=10M
add kind=pcq name=Full_upload pcq-classifier=src-address pcq-rate=15M
add kind=pcq name=Full_download pcq-classifier=dst-address pcq-rate=15M
add kind=pcq name=pcq-down-20M pcq-classifier=dst-address pcq-rate=20M
add kind=pcq name=pcq-up-20M pcq-classifier=src-address pcq-rate=20M
add kind=pcq name=pcq-down-share pcq-classifier=dst-address pcq-total-limit=
4000KiB
add kind=pcq name=pcq-up-share pcq-classifier=src-address pcq-total-limit=
4000KiB
/queue simple
add disabled=yes max-limit=20M/20M name=Full packet-marks=PM_Full_BW
priority=1/1 queue=Full_upload/Full_upload target=""
add disabled=yes name=Q_GUARANTEED packet-marks=PM_GUARANTEED priority=1/1
queue=pcq-guaranteed/pcq-guaranteed target=""
add comment="High priority bandwidth for Servers" disabled=yes name=
BW-SERVERS packet-marks=PM_SERVERS priority=1/1 queue=
pcq-servers/pcq-servers target=""
add disabled=yes max-limit=10M/10M name=Q_MEDIUM packet-marks=PM_MEDIUM
priority=3/3 queue=pcq-medium/pcq-medium target=""
add disabled=yes max-limit=5M/5M name=Q_LOW packet-marks=PM_LOW priority=6/6
queue=pcq-low/pcq-low target=""
add disabled=yes max-limit=2M/2M name=Q_WIFI packet-marks=PM_WIFI queue=
pcq-wifi/pcq-wifi target=""
add disabled=yes max-limit=2M/2M name=BW-CLUB queue=pcq-club/pcq-club target=
192.168.21.0/24
add disabled=yes max-limit=2M/2M name=BW-GUEST queue=pcq-guest/pcq-guest
target=10.10.20.0/24
add disabled=yes max-limit=1M/1M name=BW-DEFAULT-FALLBACK queue=
pcq-low/pcq-low target=""
/queue tree
add max-limit=30M name=W2_HIGH packet-mark=PM_W2_HIGH parent=global queue=
pcq-up-share
add max-limit=15M name=W2_MED packet-mark=PM_W2_MED parent=global queue=
pcq-up-share
add max-limit=5M name=W2_LOW packet-mark=PM_W2_LOW parent=global queue=
pcq-up-share
add max-limit=2M name=W2_OTH packet-mark=PM_W2_OTH parent=global queue=
pcq-up-share
add max-limit=10M name=W1_NONVIP packet-mark=PM_W1_NONVIP parent=global
queue=pcq-up-share
add max-limit=38M name=W1_VIP packet-mark=PM_W1_VIP parent=global queue=
pcq-up-20M
add max-limit=40M name=W2_VIP packet-mark=PM_W2_VIP parent=global queue=
pcq-up-20M
add max-limit=5M name=W2_LOW_DN packet-mark=PM_W2_LOW_DN parent=global queue=
pcq-down-share
add max-limit=38M name=W1_VIP_DN packet-mark=PM_W1_VIP_DN parent=global
queue=pcq-down-20M
add max-limit=30M name=W2_VIP_DN packet-mark=PM_W2_VIP_DN parent=global
queue=pcq-down-20M
add max-limit=2M name=W2_OTH_DN packet-mark=PM_W2_OTH_DN parent=global queue=
pcq-down-share
add max-limit=30M name=W2_HIGH_DN packet-mark=PM_W2_HIGH_DN parent=global
queue=pcq-down-share
add max-limit=15M name=W2_MED_DN packet-mark=PM_W2_MED_DN parent=global
queue=pcq-down-share
/routing table
add disabled=no fib name=to_cyberia
add disabled=no fib name=to_terranet
/interface l2tp-server server
set authentication=mschap2 default-profile=l2tp-profile enabled=yes
use-ipsec=yes
/interface list member
add interface=WAN1_Cyberia-ether1 list=WAN
add interface=WAN2_IDM-ether2 list=WAN
add interface=WAN3_TerraNet-ether11 list=WAN
add interface=WAN4_VSAT2-ether3 list=WAN
add interface=LAN-ether5 list=LAN
add interface=LAN-Club-ether6 list=LAN
add interface=ether8 list=LAN
add interface=LAN-Guest-ether10 list=LAN
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set default-profile=PPTP
/ip address
add address=xxx.112.66.171/29 comment="TerraNet WAN Primary" interface=
WAN3_TerraNet-ether11 network=xxx.112.66.168
add address=xxx.112.222.212/29 comment="WAN1 Secondary (MTU 1460)"
interface=WAN1_Cyberia-ether1 network=xxx.112.222.208
add address=xxx.125.159.138/29 comment="WAN2 Backup" disabled=yes interface=
WAN2_IDM-ether2 network=xxx.125.159.136
add address=192.168.20.254/24 comment=LAN interface=LAN-ether5 network=
192.168.20.0
add address=192.168.21.100/24 comment="LAN Club" interface=LAN-Club-ether6
network=192.168.21.0
add address=10.10.20.100/24 comment="Guest Network" interface=
LAN-Guest-ether10 network=10.10.20.0
/ip dhcp-client
# Interface not active
add add-default-route=no comment="VSAT2 DHCP (FortiGate port10)"
default-route-tables=main interface=WAN4_VSAT2-ether3 use-peer-dns=no
use-peer-ntp=no
/ip dhcp-server network
add address=10.10.20.0/24 dns-server=8.8.8.8 gateway=10.10.20.100
add address=192.168.21.0/24 dns-server=8.8.8.8 gateway=192.168.21.100
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=xxx.242.169.146 comment="TIME GW" list=IPSEC_PEERS
add address=xxx.188.172.158 comment="TANZANIA GW" list=IPSEC_PEERS
add address=192.168.20.104 comment="NEW--Ziad PC Office" list=PREF_CYBERIA
add comment="Terranet primary, Cyberia backup" disabled=yes list=
PREF_TERRANET
add address=192.168.50.107 comment="NEW-- Ali_Hajj_PC_Wired" list=vip
add address=192.168.50.92 comment="NEW--Armand PC" list=medium
add address=192.168.21.0/24 comment=CLUB disabled=yes list=BW_LOW
add disabled=yes list=BW_FULL_EXCEPTION
add address=192.168.50.84 comment="Faysal El Khalil" list=BW_GUARANTEED
add address=192.168.20.105 comment="NEW--Claude PC" list=high
add address=192.168.20.103 comment="Ziad_new PC" disabled=yes list=
BW_GUARANTEED
add address=192.168.20.104 comment="NEW--Ziad PC Office" list=vip
add address=192.168.50.53 comment=Houssam list=BW_MEDIUM
add address=192.168.50.102 comment="NEW--Carmen PC" list=medium
add address=192.168.50.93 comment="NEW--Corinne PC" list=medium
add address=192.168.50.101 comment="NEW--Dania PC" list=medium
add address=192.168.70.120 comment="NEW--Nadine PC_Wifi" list=high
add address=192.168.50.97 comment="NEW--Salwa PC" list=medium
add address=192.168.50.100 comment="NEW--Tamara PC" list=medium
add address=192.168.50.54 comment=Techpunto_laptop list=BW_MEDIUM
add address=192.168.50.74 comment=MAK-NAS-HA list=medium
add address=172.16.200.51 comment=DC4 list=medium
add address=172.16.200.6 comment=MAK-Wizard list=medium
add address=172.16.200.50 comment=DC3 list=medium
add address=172.16.200.32 comment=VC list=medium
add address=172.16.200.40 comment=Veeam list=medium
add address=172.16.200.41 comment=Veeam2 list=medium
add address=172.16.200.43 comment=WSUS list=medium
add address=172.16.200.22 comment=Veeam365 list=medium
add address=172.16.200.15 comment=Windows-SAP list=medium
add address=192.168.50.15 comment=MAK-Qnap list=medium
add address=192.168.50.65 comment=Minister-Photos-NAS list=medium
add address=172.16.200.16 comment="Linux SAP" list=medium
add address=192.168.50.126 comment=MAK-NAS-3 list=medium
add address=192.168.70.10 comment=Ziad_iphone list=vip
add address=192.168.50.107 comment="NEW-- ALI Alhaj" list=PREF_CYBERIA
add address=10.10.20.0/24 comment=Guests list=low
add address=192.168.70.134 comment=Ayman-PC list=PREF_CYBERIA
add address=192.168.70.135 disabled=yes list=low
add address=192.168.70.10 comment=Ziad_iphone list=PREF_CYBERIA
add address=192.168.50.95 comment="NEW--Annette PC" list=medium
add address=192.168.50.103 comment="NEW--Naji PC" list=medium
add address=192.168.70.65 comment=New--Naji-phone1 list=medium
add address=192.168.70.71 comment=New--Naji-phone2 list=medium
add address=xxx.112.222.211 comment=Ayman-PC disabled=yes list=PREF_CYBERIA
add address=10.99.99.0/24 comment="VPN users as VIP" list=vip
add address=192.168.50.54 comment="NEW--TechPunto PC -- LAN" list=medium
add address=192.168.70.124 comment="NEW--TechPunto PC -- Wifi" list=medium
add address=192.168.10.0/24 comment=
"TIME VPN remote subnet - never PBR to WAN" list=NO_PBR_DST
/ip firewall filter
add action=accept chain=output comment="TEMP TEST SFTP to Synology" disabled=
yes dst-address=192.168.0.251 dst-port=22443 protocol=tcp
add action=accept chain=input comment="allow established/related"
connection-state=established,related
add action=accept chain=input comment="ALLOW IPsec and L2TP" dst-port=
500,4500,1701 protocol=udp
add action=accept chain=input comment="IPsec ESP input" protocol=ipsec-esp
add action=accept chain=input comment="ALLOW IPsec AH to router" protocol=
ipsec-ah
add action=accept chain=input comment="ALLOW Winbox" dst-port=8291 protocol=
tcp
add action=accept chain=input comment="Allow VPN users to Router access"
src-address=10.99.99.0/24
add action=accept chain=forward disabled=yes dst-address=192.168.10.0/24
src-address=172.16.200.0/24
add action=accept chain=forward comment="VPN - Lan access" src-address=
10.99.99.0/24
add action=accept chain=input comment="allow ICMP" protocol=icmp
add action=accept chain=input comment="IN: allow LAN to router services"
in-interface-list=LAN
add action=drop chain=input comment="IN: drop invalid" connection-state=
invalid
add action=drop chain=input comment=
"IN: drop Guest -> router (management plane)" in-interface=
LAN-Guest-ether10
add action=drop chain=input comment=
"IN: drop Club -> router (management plane)" in-interface=LAN-Club-ether6
add action=drop chain=input comment="IN: drop WAN to router"
in-interface-list=WAN
add action=accept chain=forward comment="FW: allow established/related"
connection-state=established,related
add action=accept chain=forward comment="ALLOW TIME VPN 10 -> 25"
dst-address=192.168.25.0/24 src-address=192.168.10.0/24
add action=accept chain=forward comment="ALLOW TIME VPN 10 -> 25"
dst-address=192.168.20.230 src-address=192.168.10.0/24
add action=accept chain=forward comment="ALLOW TIME VPN 25 -> 10"
dst-address=192.168.10.0/24 src-address=192.168.25.0/24
add action=accept chain=forward comment="ALLOW TIME VPN 25 -> 10"
dst-address=192.168.10.0/24 src-address=192.168.20.230
add action=accept chain=forward comment="ALLOW IPsec traffic (all VPNs)"
ipsec-policy=in,ipsec
add action=drop chain=forward comment="FW: drop invalid" connection-state=
invalid
add action=accept chain=forward comment=
"FW: allow dstnat (port forwards if any)" connection-nat-state=dstnat
add action=drop chain=forward comment=
"FW: block Guest -> LAN 192.168.100.0/24" dst-address=192.168.100.0/24
in-interface=LAN-Guest-ether10
add action=drop chain=forward comment=
"FW: block Guest -> LAN 192.168.20.0/24" dst-address=192.168.20.0/24
in-interface=LAN-Guest-ether10
add action=drop chain=forward comment=
"FW: block Guest -> LAN 192.168.21.0/24" dst-address=192.168.21.0/24
in-interface=LAN-Guest-ether10
add action=drop chain=forward comment=
"FW: block Guest -> LAN 192.168.23.0/24" dst-address=192.168.23.0/24
in-interface=LAN-Guest-ether10
add action=drop chain=forward comment=
"FW: block Guest -> MGMT 192.168.1.0/24" dst-address=192.168.1.0/24
in-interface=LAN-Guest-ether10
add action=drop chain=forward comment="FW: block Guest -> DMZ 10.10.10.0/24"
dst-address=10.10.10.0/24 in-interface=LAN-Guest-ether10
add action=accept chain=forward comment="FW: LAN to Internet (exclude Guest)"
in-interface=!LAN-Guest-ether10 in-interface-list=LAN out-interface-list=
WAN
add action=accept chain=forward comment="FW: Guest to Internet" in-interface=
LAN-Guest-ether10 out-interface-list=WAN
add action=accept chain=forward comment="Allow IPsec in" ipsec-policy=
in,ipsec
add action=accept chain=forward comment="Allow IPsec out" ipsec-policy=
out,ipsec
add action=accept chain=forward comment="ALLOW: Club -> Internet"
in-interface=LAN-Club-ether6 out-interface-list=WAN
add action=accept chain=forward comment="ALLOW: Guest -> Internet"
in-interface=LAN-Guest-ether10 out-interface-list=WAN
add action=drop chain=forward comment="ISOLATE: Club -> Main LAN"
dst-address=192.168.20.0/24 in-interface=LAN-Club-ether6
add action=drop chain=forward comment="ISOLATE: Club -> DMZ" dst-address=
10.10.10.0/24 in-interface=LAN-Club-ether6
add action=drop chain=forward comment="ISOLATE: Club -> Guest" dst-address=
10.10.20.0/24 in-interface=LAN-Club-ether6
add action=drop chain=forward comment="ISOLATE: Guest -> Main LAN"
dst-address=192.168.20.0/24 in-interface=LAN-Guest-ether10
add action=drop chain=forward comment="ISOLATE: Guest -> Club" dst-address=
192.168.21.0/24 in-interface=LAN-Guest-ether10
add action=drop chain=forward comment="ISOLATE: Guest -> DMZ" dst-address=
10.10.10.0/24 in-interface=LAN-Guest-ether10
add action=drop chain=forward comment="FW: drop all else"
add action=drop chain=input
/ip firewall mangle
add action=accept chain=prerouting comment=
"STOP PBR - LAN to TIME(192.168.10.0/24)" dst-address=192.168.10.0/24
add action=accept chain=output comment="STOP PBR router to TIME VPN"
dst-address=192.168.10.0/24
add action=accept chain=prerouting disabled=yes dst-address=192.168.10.0/24
src-address=172.16.200.0/24
add action=accept chain=prerouting comment="STOP PBR LAN20 to TIME VPN"
disabled=yes dst-address=192.168.10.0/24 src-address=192.168.20.0/24
add action=accept chain=prerouting comment="STOP PBR LAN25 to TIME VPN"
disabled=yes dst-address=192.168.10.0/24 src-address=192.168.25.0/24
add action=accept chain=output comment="BYPASS PBR router->TIME 25" disabled=
yes dst-address=192.168.25.0/24
add action=accept chain=prerouting comment="BYPASS PBR to TIME (LAN -> VPN)"
disabled=yes dst-address=192.168.10.0/24
add action=accept chain=prerouting comment=
"BYPASS PBR from TIME (LAN <- VPN)" disabled=yes src-address=
192.168.10.0/24
add action=accept chain=prerouting comment="BYPASS PBR to TIME (dst)"
disabled=yes dst-address=192.168.10.0/24
add action=accept chain=prerouting comment="BYPASS PBR from TIME (src)"
disabled=yes src-address=192.168.10.0/24
add action=accept chain=prerouting comment="BYPASS PBR to TIME 20" disabled=
yes dst-address=192.168.20.0/24
add action=accept chain=prerouting comment="BYPASS PBR from TIME 20"
disabled=yes src-address=192.168.20.0/24
add action=accept chain=prerouting comment="BYPASS PBR to TIME 25" disabled=
yes dst-address=192.168.25.0/24
add action=accept chain=prerouting comment="BYPASS PBR from TIME 25"
disabled=yes src-address=192.168.25.0/24
add action=accept chain=output comment="BYPASS PBR router->TIME 10" disabled=
yes dst-address=192.168.10.0/24
add action=accept chain=output comment="BYPASS PBR router->TIME 20" disabled=
yes dst-address=192.168.20.0/24
add action=accept chain=input comment=
"DO NOT connection-mark TIME VPN traffic" disabled=yes dst-address=
192.168.10.0/24
add action=mark-connection chain=input in-interface=WAN1_Cyberia-ether1
new-connection-mark=Cyberia_Conn
add action=mark-connection chain=input in-interface=WAN3_TerraNet-ether11
new-connection-mark=Terra_Conn
add action=mark-routing chain=output connection-mark=Cyberia_Conn
new-routing-mark=to_cyberia
add action=mark-routing chain=output connection-mark=Terra_Conn
new-routing-mark=to_terranet
add action=mark-routing chain=prerouting comment="IPsec IKE to WAN1"
dst-address-list=IPSEC_PEERS dst-port=500,4500 new-routing-mark=
to_cyberia passthrough=no protocol=udp
add action=mark-routing chain=prerouting comment="IPsec ESP to WAN1"
dst-address-list=IPSEC_PEERS new-routing-mark=to_cyberia passthrough=no
protocol=ipsec-esp
add action=mark-routing chain=output comment="IPsec IKE output via WAN1"
dst-address-list=IPSEC_PEERS dst-port=500,4500 new-routing-mark=
to_cyberia passthrough=no protocol=udp
add action=mark-routing chain=output comment="IPsec ESP output via WAN1"
dst-address-list=IPSEC_PEERS new-routing-mark=to_cyberia passthrough=no
protocol=ipsec-esp
add action=mark-routing chain=prerouting comment="WAN: Prefer Cyberia"
dst-address-type=!local new-routing-mark=to_cyberia passthrough=no
src-address-list=PREF_CYBERIA
add action=mark-routing chain=prerouting comment="WAN: Prefer Terranet"
dst-address-type=!local new-routing-mark=to_terranet passthrough=no
src-address-list=PREF_TERRANET
add action=mark-packet chain=forward comment=
"VIP download from WAN1 -> PM_W1_VIP_DN" dst-address-list=vip
dst-address-type=!local in-interface=WAN1_Cyberia-ether1 new-packet-mark=
PM_W1_VIP_DN passthrough=no
add action=mark-packet chain=forward new-packet-mark=PM_W1_VIP out-interface=
WAN1_Cyberia-ether1 passthrough=no src-address-list=vip
add action=mark-packet chain=forward comment="VIP download from WAN2"
dst-address-list=vip dst-address-type=!local in-interface=
WAN3_TerraNet-ether11 new-packet-mark=PM_W2_VIP_DN passthrough=no
add action=mark-packet chain=forward new-packet-mark=PM_W2_VIP out-interface=
WAN3_TerraNet-ether11 passthrough=no src-address-list=vip
add action=mark-packet chain=forward comment="HIGH download from WAN2"
dst-address-list=high dst-address-type=!local in-interface=
WAN3_TerraNet-ether11 new-packet-mark=PM_W2_HIGH_DN passthrough=no
add action=mark-packet chain=forward new-packet-mark=PM_W2_HIGH
out-interface=WAN3_TerraNet-ether11 passthrough=no src-address-list=high
add action=mark-packet chain=forward comment="MED download from WAN2"
dst-address-list=medium dst-address-type=!local in-interface=
WAN3_TerraNet-ether11 new-packet-mark=PM_W2_MED_DN passthrough=no
add action=mark-packet chain=forward new-packet-mark=PM_W2_MED out-interface=
WAN3_TerraNet-ether11 passthrough=no src-address-list=medium
add action=mark-packet chain=forward comment="LOW download from WAN2"
dst-address-list=low in-interface=WAN3_TerraNet-ether11 new-packet-mark=
PM_W2_LOW_DN passthrough=no
add action=mark-packet chain=forward new-packet-mark=PM_W2_LOW out-interface=
WAN3_TerraNet-ether11 passthrough=no src-address-list=low
add action=mark-packet chain=forward comment="WAN2 OTHERS" dst-address-type=
!local new-packet-mark=PM_W2_OTH out-interface=WAN3_TerraNet-ether11
passthrough=no
add action=mark-packet chain=forward comment="WAN2 others download"
dst-address-type=!local in-interface=WAN3_TerraNet-ether11
new-packet-mark=PM_W2_OTH_DN passthrough=no
add action=mark-packet chain=forward comment="WAN1 NONVIP (failover cap)"
dst-address-type=!local new-packet-mark=PM_W1_NONVIP out-interface=
WAN1_Cyberia-ether1 passthrough=no
add action=mark-packet chain=forward comment="WAN1 NONVIP (failover cap)"
dst-address-type=!local in-interface=WAN1_Cyberia-ether1 new-packet-mark=
PM_W1_NONVIP passthrough=no
/ip firewall nat
add action=accept chain=srcnat comment="NO-NAT TIME 20->10" disabled=yes
dst-address=192.168.10.0/24 src-address=172.16.200.0/24
add action=accept chain=srcnat comment="NO-NAT TIME 25->10" dst-address=
192.168.10.0/24 src-address=192.168.25.0/24
add action=accept chain=srcnat comment="NO NAT for IPsec" disabled=yes
ipsec-policy=out,ipsec
add action=accept chain=srcnat comment="NO-NAT TIME 20->12" disabled=yes
dst-address=192.168.12.0/24 src-address=192.168.20.0/24
add action=accept chain=srcnat comment="NO-NAT TIME 25->12" disabled=yes
dst-address=192.168.12.0/24 src-address=192.168.25.0/24
add action=accept chain=srcnat comment="NO-NAT TIME 20->15" disabled=yes
dst-address=192.168.15.0/24 src-address=192.168.20.0/24
add action=accept chain=srcnat comment="NO-NAT TIME 20->18" disabled=yes
dst-address=192.168.18.0/24 src-address=192.168.20.0/24
add action=accept chain=srcnat comment="NO-NAT TIME 25->15" disabled=yes
dst-address=192.168.15.0/24 src-address=192.168.25.0/24
add action=accept chain=srcnat comment="NO-NAT TIME 25->18" disabled=yes
dst-address=192.168.18.0/24 src-address=192.168.25.0/24
add action=accept chain=srcnat comment="VPN NO-NAT Tanzania" disabled=yes
dst-address=192.168.0.0/24 src-address=192.168.25.0/24
add action=accept chain=srcnat comment="VPN NO-NAT Qatar 50->30" disabled=yes
dst-address=192.168.30.0/24 src-address=192.168.50.0/24
add action=accept chain=srcnat comment="VPN NO-NAT Qatar 20->30" disabled=yes
dst-address=192.168.30.0/24 src-address=192.168.20.0/24
add action=accept chain=srcnat comment="VPN NO-NAT generic (safe)" disabled=
yes dst-address=0.0.0.0/0 ipsec-policy=out,ipsec src-address=0.0.0.0/0
add action=accept chain=srcnat comment="NO-NAT TIME 20->10" dst-address=
192.168.10.0/24 src-address=192.168.20.0/24
add action=masquerade chain=srcnat comment="NAT TerraNet (Primary WAN)"
ipsec-policy=out,none out-interface=WAN3_TerraNet-ether11
add action=masquerade chain=srcnat comment="NAT WAN1 (Secondary)"
ipsec-policy=out,none out-interface=WAN1_Cyberia-ether1
add action=masquerade chain=srcnat comment="NAT WAN2 (Backup)" disabled=yes
out-interface=WAN2_IDM-ether2
add action=masquerade chain=srcnat comment="NAT VSAT (DHCP WAN)" disabled=yes
out-interface=WAN4_VSAT2-ether3
add action=masquerade chain=srcnat comment="NAT VPN users"
out-interface-list=WAN src-address=10.99.99.0/24
add action=accept chain=srcnat comment="NO NAT for IPsec" disabled=yes
ipsec-policy=out,ipsec
/ip firewall raw
add action=accept chain=prerouting comment="TEMP allow L2TP/IPsec UDP (RAW)"
disabled=yes dst-port=500,4500,1701 in-interface=WAN1_Cyberia-ether1
protocol=udp
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip ipsec identity
add peer=TIME_GW
add peer=TANZANIA_GW
add peer=QATAR_DIALUP
/ip ipsec policy
add dst-address=192.168.0.0/24 peer=TANZANIA_GW proposal=FG_P2_TANZANIA
src-address=192.168.25.0/24 tunnel=yes
add disabled=yes dst-address=192.168.30.0/24 peer=QATAR_DIALUP proposal=
FG_P2_QATAR src-address=192.168.50.0/24 tunnel=yes
add dst-address=192.168.30.0/24 peer=QATAR_DIALUP proposal=FG_P2_QATAR
src-address=192.168.20.0/24 tunnel=yes
add comment="TIME 20 -> 10" dst-address=192.168.10.0/24 peer=TIME_GW
proposal=FG_P2_TIME src-address=192.168.20.0/24 tunnel=yes
add comment="TIME VoIP 25->10" disabled=yes dst-address=192.168.10.0/24 peer=
TIME_GW proposal=FG_P2_TIME src-address=192.168.25.0/24 tunnel=yes

/ip route
add comment="Transit VLAN 50 via core" disabled=no distance=1 dst-address=
192.168.50.0/24 gateway=192.168.20.100 routing-table=main scope=30
suppress-hw-offload=no target-scope=10
add comment="Transit VLAN 60 via core" disabled=yes distance=1 dst-address=
192.168.60.0/24 gateway=192.168.20.100 routing-table=main scope=30
suppress-hw-offload=no target-scope=10
add comment="Transit VLAN 70 via core" disabled=no distance=1 dst-address=
192.168.70.0/24 gateway=192.168.20.100 routing-table=main scope=30
suppress-hw-offload=no target-scope=10
add comment="Transit: 192.168.22.0/24 via core (192.168.20.100)" disabled=no
distance=1 dst-address=192.168.22.0/24 gateway=192.168.20.100
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Transit: 192.168.25.0/24 via core (192.168.20.100)" disabled=no
distance=1 dst-address=192.168.25.0/24 gateway=192.168.20.100
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Transit: 192.168.26.0/24 via core (192.168.20.100)" disabled=no
distance=1 dst-address=192.168.26.0/24 gateway=192.168.20.100
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Transit: 192.168.250.0/24 via core (192.168.20.100)" disabled=no
distance=1 dst-address=192.168.250.0/24 gateway=192.168.20.100
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Transit: 172.16.100.0/24 via core (192.168.20.100)" distance=1
dst-address=172.16.100.0/24 gateway=192.168.20.100
add comment="Transit: 172.16.200.0/24 via core (192.168.20.100)" disabled=no
distance=1 dst-address=172.16.200.0/24 gateway=192.168.20.100
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Transit: 172.16.222.0/24 via core (192.168.20.100)" distance=1
dst-address=172.16.222.0/24 gateway=192.168.20.100
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=
xxx.112.222.209 routing-table=main scope=30 suppress-hw-offload=no
target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=
xxx.112.222.209 routing-table=to_cyberia scope=30 suppress-hw-offload=no
target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=
xxx.112.66.169 routing-table=main scope=30 suppress-hw-offload=no
target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=
xxx.112.66.169 routing-table=to_terranet scope=30 suppress-hw-offload=no
target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=
xxx.112.222.209 routing-table=to_terranet scope=30 suppress-hw-offload=no
target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=
xxx.112.66.169 routing-table=to_cyberia scope=30 suppress-hw-offload=no
target-scope=10
add disabled=yes distance=1 dst-address=192.168.10.0/24 gateway=
192.168.20.100 routing-table=main scope=30 suppress-hw-offload=no
target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add name=xxx profile=l2tp-profile service=l2tp
add name=xxx-pptp profile=PPTP service=l2tp
add name=ayman profile=l2tp-profile service=l2tp
/routing rule
add action=lookup comment=
"Router traffic sourced from Cyberia IP must exit Cyberia" disabled=yes
src-address=xxx.112.222.211/32 table=to_cyberia
add action=lookup comment=
"Router traffic sourced from TerraNet IP must exit TerraNet" disabled=yes
src-address=xxx.112.66.171/32 table=to_terranet
add action=lookup-only-in-table disabled=yes dst-address=192.168.10.0/24
table=main
/system clock
set time-zone-name=Asia/Beirut
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key

Please edit the post above and use the </>key to change the appearance of the configuration block.

The rule add action=accept chain=srcnat comment="NO-NAT TIME 20->10" dst-address=192.168.10.0/24 src-address=192.168.20.0/24 is in a correct position in chain srcnat, so the issue you hit when pinging from the router itself without specifying the source address is different from what you hit when pinging from a connected device; you can see that the ping from the router itself succeeds when you specify src-address=192.168.20.254. So the action=accept rule in srcnat does its job properly and the IPsec policy and SA are also working properly, and the issue must be either in the firewall (filter or raw, but I cannot see anything there that would drop traffic from 192.168.20.0/24 to 192.168.10.0/24) or outside (a missing/wrong route to 192.168.10.0/24 via 192.168.20.254 on the external device you are pinging from). What does tracert 192.168.10.17 (Windows) or traceroute 192.168.10.17 (Linux/macOS) look like on the external device?

It seems it is working from the .20 subnet; I was trying from a different VLAN, 172.16.200.0, and that's why it was not working.
Thank you for your help.
Can you look at my firewall settings to see if there is anything I can enhance, or if it is well configured?

You might want to clean up functional or verbatim duplicates: two rules accept everything that matches ipsec-policy=in,ipsec, another rule accepts everything that matches ipsec-policy=out,ipsec, but on top of these you also accept the same traffic using rules that match on src-address and dst-address.

You might save a tiny bit of CPU throughput by moving the rule action=accept chain=forward comment="VPN - Lan access" src-address=10.99.99.0/24 after (below) the action=accept chain=forward comment="FW: allow established/related" connection-state=established,related one in filter.

You also use a mix of “selective accept” and “selective drop” approaches in filter, which is useful in “single screen” firewalls but makes debugging of more complex ones extremely complicated. I personally prefer the selective accept one, i.e. drop everything that you haven’t explicitly accepted: your legal users let you know quickly if you forget to permit something, whereas your illegal users never let you know if you forget to block something.

Last, these two rules in mangle only make sense if there are some IPsec peers in your LAN, as packets sent by the router itself do not pass through prerouting:

action=mark-routing chain=prerouting comment="IPsec IKE to WAN1" dst-address-list=IPSEC_PEERS dst-port=500,4500 new-routing-mark=to_cyberia passthrough=no protocol=udp
action=mark-routing chain=prerouting comment="IPsec ESP to WAN1" dst-address-list=IPSEC_PEERS new-routing-mark=to_cyberia passthrough=no protocol=ipsec-esp

And as you don’t have any public LAN subnet, handling transit of bare ESP doesn’t make sense at all - did this rule ever match a packet?
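The first two points in the review above (verbatim duplicate rules, and accept rules that sit above the established/related fast path of their chain) are mechanical enough to check with a script rather than by reading a 90-rule export. The following is an added example and not a MikroTik tool or code from the thread: it re-joins the backslash-wrapped lines an `/export` produces, parses the `add` rules of one section into dicts, and reports duplicates, accepts evaluated before the chain's connection-state=established,related rule, and rules left unreachable behind an unconditional drop. The export excerpt is constructed for the demonstration and modelled on the posted filter (the last accept rule is added to show the unreachable case); the rule indices it reports are positions within the export, the same 0-based order `/ip firewall filter print` uses.

```python
import re

TOKEN = re.compile(r'(\S+?)=("(?:[^"\\]|\\.)*"|\S+)')
NON_MATCHERS = {"action", "comment", "disabled", "log", "log-prefix"}


def _join_continuations(text):
    """RouterOS export wraps long lines with a trailing backslash and an
    indented continuation; glue them back together."""
    out = []
    for raw in text.splitlines():
        if out and out[-1].endswith("\\"):
            out[-1] = out[-1][:-1] + raw.strip()
        else:
            out.append(raw.rstrip())
    return out


def parse_rules(export_text, section):
    """Return the 'add' rules under one export section (e.g. '/ip firewall
    filter') as dicts, in chain-evaluation order, disabled ones included."""
    rules, current = [], None
    for line in _join_continuations(export_text):
        if line.startswith("/"):
            current = line.strip()
        elif current == section and line.startswith("add "):
            rules.append({k: v.strip('"') for k, v in TOKEN.findall(line[4:])})
    return rules


def matchers(rule):
    """The part of a rule that decides whether a packet hits it."""
    return tuple(sorted((k, v) for k, v in rule.items() if k not in NON_MATCHERS))


def lint_filter(rules):
    findings, seen, fast_path_seen, dead_after = [], {}, set(), {}
    for i, r in enumerate(rules):
        if r.get("disabled") == "yes":
            continue
        chain, key = r.get("chain"), matchers(r)
        if chain in dead_after:
            findings.append(f"rule {i} is unreachable: rule {dead_after[chain]} "
                            f"already drops everything in chain {chain}")
            continue
        if key in seen:
            findings.append(f"rule {i} duplicates rule {seen[key]} "
                            f"(same matchers in chain {chain})")
        seen.setdefault(key, i)
        if r.get("action") == "accept" and r.get("connection-state") == "established,related":
            fast_path_seen.add(chain)
        elif r.get("action") == "accept" and chain not in fast_path_seen:
            findings.append(f"rule {i} ({r.get('comment', 'no comment')}) is evaluated "
                            f"before the established/related fast path of chain {chain}")
        if r.get("action") == "drop" and key == (("chain", chain),):
            dead_after[chain] = i
    return findings


# Constructed excerpt modelled on the posted export (raw string: the trailing
# backslashes are the export's own line-continuation markers).
SAMPLE_EXPORT = r"""# constructed excerpt
/ip firewall filter
add action=accept chain=input comment="allow established/related" \
    connection-state=established,related
add action=accept chain=forward comment="VPN - Lan access" src-address=\
    10.99.99.0/24
add action=accept chain=forward comment="FW: allow established/related" \
    connection-state=established,related
add action=accept chain=forward comment="ALLOW IPsec traffic (all VPNs)" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="Allow IPsec in" ipsec-policy=\
    in,ipsec
add action=drop chain=forward comment="FW: drop all else"
add action=accept chain=forward comment="never reached" src-address=10.0.0.0/8
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT WAN1" out-interface=WAN1
"""

if __name__ == "__main__":
    for finding in lint_filter(parse_rules(SAMPLE_EXPORT, "/ip firewall filter")):
        print(finding)
```

Functional overlap, such as an address-pair accept rule that an ipsec-policy=in,ipsec accept already covers, is deliberately not detected here: deciding that needs the IPsec policies and the address lists, and a wrong "redundant" verdict would have you delete a rule that is still doing work. Run the linter on the real `/export hide-sensitive` output and treat its findings as a reading list, not as a change set.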