IPsec Tunnel breaks Outbound Public and some Outbound VPN connections

Our Fortigate to Mikrotik IPsec tunnel works great and we can access devices in the tunnel on the other side from 10.10.10.0/24. However, we lose some outbound ETH01 and a few VPN connected connections to random systems from behind 10.10.10.1, which is our CCR1009-7G-1C-1S+ router. Our internet is 400x400 fiber; the router has 96 constantly connected VPN connections and the 1 IPsec tunnel.

IPsec Tunnel works and passes needed traffic; users from inside the 10.10.10.0/24 network can access all resources sitting on the other side of the 10.7.6.0/24 tunnel.
10.7.6.0/24 ↔ 198.73.3.x ↔ 209.173.252.x ↔ 10.10.10.0/24 works as expected

Outbound Traffic to static IP, all these connections work before adding the IPsec tunnel
10.10.10.55:10554 ↔ 10.10.10.1 ↔ 209.173.252.x ↔ 148.64.101.x ↔ 10.1.10.x:10554 breaks
10.10.10.61:10554 ↔ 10.10.10.1 ↔ 209.173.252.x ↔ 70.139.123.x ↔ 10.1.10.x:10554 breaks
10.10.10.58:10554 ↔ 10.10.10.1 ↔ 209.173.252.x ↔ 40.132.85.x ↔ 10.1.10.x:10554 works fine and so on…

To add to the confusion…
Not many, but a few connected PPTP/L2TP IPsec TCP connections break as well from inside the 10.10.10.0/24 network; you can see the traffic hit the remote port, but the data is less than expected and the connection fails. However, a road warrior can access the same remotely connected device from an L2TP IPsec or PPTP VPN connection, and Winbox works through the VPN tunnel as well.

From behind the router
10.10.10.56 ↔ 209.173.252.x ↔ 65.43.78.x → 10.10.10.155 fails to connect
Road Warrior from Public to the same system through a PPTP or L2TP connection
10.10.10.25 ↔ 107.58.20.x ↔ 65.43.78.x ↔ 10.10.10.155 works fine

There is really no rhyme or reason to which remote public IP we lose connection to. We know the remote connection works because it can be accessed from another network. We are paying for professional Mikrotik help, but I am having a hard time understanding how a working IPsec Tunnel can work perfectly but break some outbound connections that have nothing to do with the tunnel other than being in the same router.

There might not be enough information in this, but if someone would take a stab at it I would appreciate it.

Fact: I'm fairly new with Mikrotik and barely passed my certification about 2 years ago, but I love the routers.
We have tried: placing the 10.10.10.0/24 ↔ 10.7.6.0/24 in RAW, which allows gateway-to-gateway ping, but our NATed ports over the bridge to the 10.7.6.0/24 resources fail and we lose connection to tunnel resources.
Question: Can this anomaly be due to the working IPsec tunnel or is it a routing issue inside the 10.10.10.0/24 router?
Question 2: What would be a good starting point to troubleshoot?

This is my config.

/interface ethernet
set [ find default-name=ether1 ] name=ETH1-LightWave speed=100Mbps
set [ find default-name=ether2 ] name=ETH2-Comcast speed=100Mbps
set [ find default-name=ether3 ] comment="VPN Server Switch" speed=100Mbps
set [ find default-name=ether4 ] comment="innovi switch" speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=sfp-sfpplus1 ] advertise=\
    10M-full,100M-full,1000M-full
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
add enc-algorithms=3des name=IPsec_Proposal pfs-group=modp1536
/system logging action
add disk-file-count=1 disk-file-name=auth.log disk-lines-per-file=5000 name=\
    auth target=disk
/interface bridge port
add bridge=bridge1 hw=no interface=ether3
add bridge=bridge1 hw=no interface=ether4
add bridge=bridge1 hw=no interface=ether5
add bridge=bridge1 hw=no interface=ether6
add bridge=bridge1 hw=no interface=ether7
add bridge=bridge1 hw=no interface=sfp-sfpplus1
add bridge=bridge1 hw=no interface=combo1
add bridge=bridge1 hw=no interface=ETH2-Comcast
/ip firewall connection tracking
set enabled=yes
/interface l2tp-server server
# <-- not sure why this is here?
set ipsec-secret=**********
/interface list member
add interface=ETH1-LightWave list=WAN
add interface=bridge1 list=LAN
/interface sstp-server server
# <-- not sure why this is here?
set default-profile=default-encryption
/ip address
add address=10.10.10.1/24 comment=defconf interface=ETH2-Comcast network=\
    10.10.10.0
add address=209.xxx.xxx.230/27 interface=ETH1-LightWave network=\
    209.xxx.xxx.224
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add dhcp-options=hostname,clientid interface=ETH1-LightWave
/ip dhcp-relay
add dhcp-server=10.10.10.3 disabled=no interface=bridge1 name=DHCP-WINs
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=0.0.0.0/8 comment="RFC 1122 \"This host on this network\"" \
    disabled=yes list=Bogons
add address=10.0.0.0/8 comment="RFC 1918 (Private Use IP Space)" disabled=yes \
    list=Bogons
add address=100.64.0.0/10 comment="RFC 6598 (Shared Address Space)" disabled=\
    yes list=Bogons
add address=127.0.0.0/8 comment="RFC 1122 (Loopback)" disabled=yes list=\
    Bogons
add address=169.254.0.0/16 comment=\
    "RFC 3927 (Dynamic Configuration of IPv4 Link-Local Addresses)" disabled=\
    yes list=Bogons
add address=172.16.0.0/12 comment="RFC 1918 (Private Use IP Space)" disabled=\
    yes list=Bogons
add address=192.0.0.0/24 comment="RFC 6890 (IETF Protocol Assignments)" \
    disabled=yes list=Bogons
add address=192.0.2.0/24 comment="RFC 5737 (Test-Net-1)" disabled=yes list=\
    Bogons
add address=192.168.0.0/16 comment="RFC 1918 (Private Use IP Space)" \
    disabled=yes list=Bogons
add address=198.18.0.0/15 comment="RFC 2544 (Benchmarking)" disabled=yes \
    list=Bogons
add address=198.51.100.0/24 comment="RFC 5737 (Test-Net-2)" disabled=yes \
    list=Bogons
add address=203.0.113.0/24 comment="RFC 5737 (Test-Net-3)" disabled=yes list=\
    Bogons
add address=224.0.0.0/4 comment="RFC 5771 (Multicast Addresses) - Will affect \
    OSPF, RIP, PIM, VRRP, IS-IS, and others. Use with caution.)" disabled=yes \
    list=Bogons
add address=240.0.0.0/4 comment="RFC 1112 (Reserved)" disabled=yes list=\
    Bogons
add address=192.31.196.0/24 comment="RFC 7535 (AS112-v4)" disabled=yes list=\
    Bogons
add address=192.52.193.0/24 comment="RFC 7450 (AMT)" disabled=yes list=Bogons
add address=192.88.99.0/24 comment=\
    "RFC 7526 (Deprecated (6to4 Relay Anycast))" disabled=yes list=Bogons
add address=192.175.48.0/24 comment=\
    "RFC 7534 (Direct Delegation AS112 Service)" disabled=yes list=Bogons
add address=255.255.255.255 comment="RFC 919 (Limited Broadcast)" disabled=\
    yes list=Bogons
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked src-address-list="Exempt Addresses"
add action=drop chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=input comment=\
    "Drop anyone in the Black List (Manually Added)" src-address-list=\
    "Black List"
add action=drop chain=forward comment=\
    "Drop anyone in the Black List (Manually Added)" src-address-list=\
    "Black List"
add action=drop chain=input comment="Drop anyone in the Black List (SSH)" \
    src-address-list="Black List (SSH)"
add action=drop chain=forward comment="Drop anyone in the Black List (SSH)" \
    src-address-list="Black List (SSH)"
add action=drop chain=input comment="Drop anyone in the Black List (Telnet)" \
    src-address-list="Black List (Telnet)"
add action=drop chain=forward comment=\
    "Drop anyone in the Black List (Telnet)" src-address-list=\
    "Black List (Telnet)"
add action=drop chain=input comment="Drop anyone in the Black List (Winbox)" \
    src-address-list="Black List (Winbox)"
add action=drop chain=forward comment=\
    "Drop anyone in the Black List (Winbox)" src-address-list=\
    "Black List (Winbox)"
add action=drop chain=input comment=\
    "Drop anyone in the WAN Port Scanner List" src-address-list=\
    "WAN Port Scanners"
add action=drop chain=forward comment=\
    "Drop anyone in the WAN Port Scanner List" src-address-list=\
    "WAN Port Scanners"
add action=drop chain=input comment=\
    "Drop anyone in the LAN Port Scanner List" disabled=yes src-address-list=\
    "LAN Port Scanners"
add action=drop chain=forward comment=\
    "Drop anyone in the LAN Port Scanner List" disabled=yes src-address-list=\
    "LAN Port Scanners"
add action=drop chain=input comment="Drop all Bogons" src-address-list=Bogons
add action=drop chain=forward comment="Drop all Bogons" src-address-list=\
    Bogons
add action=drop chain=forward comment="Drop all P2P" disabled=yes p2p=all-p2p
add chain=output comment="Section Break" disabled=yes
add action=add-src-to-address-list address-list="Black List (SSH)" \
    address-list-timeout=none-dynamic chain="RFC SSH Chain" comment=\
    "Transfer repeated attempts from SSH Stage 3 to Black-List" \
    connection-state=new dst-port=10022 protocol=tcp src-address-list=\
    "SSH Stage 3"
add action=add-src-to-address-list address-list="SSH Stage 3" \
    address-list-timeout=1m chain="RFC SSH Chain" comment=\
    "Add successive attempts to SSH Stage 3" connection-state=new dst-port=\
    10022 protocol=tcp src-address-list="SSH Stage 2"
add action=add-src-to-address-list address-list="SSH Stage 2" \
    address-list-timeout=1m chain="RFC SSH Chain" comment=\
    "Add successive attempts to SSH Stage 2" connection-state=new dst-port=\
    10022 protocol=tcp src-address-list="SSH Stage 1"
add action=add-src-to-address-list address-list="SSH Stage 1" \
    address-list-timeout=1m chain="RFC SSH Chain" comment=\
    "Add initial attempt to SSH Stage 1 List" connection-state=new dst-port=\
    10022 protocol=tcp
add action=return chain="RFC SSH Chain" comment="Return From RFC SSH Chain"
add chain=output comment="Section Break" disabled=yes
add action=add-src-to-address-list address-list="Black List (Telnet)" \
    address-list-timeout=none-dynamic chain="RFC Telnet Chain" comment=\
    "Transfer repeated attempts from Telnet Stage 3 to Black-List" \
    connection-state=new dst-port=10023 protocol=tcp src-address-list=\
    "Telnet Stage 3"
add action=add-src-to-address-list address-list="Telnet Stage 3" \
    address-list-timeout=1m chain="RFC Telnet Chain" comment=\
    "Add successive attempts to Telnet Stage 3" connection-state=new dst-port=\
    10023 protocol=tcp src-address-list="Telnet Stage 2"
add action=add-src-to-address-list address-list="Telnet Stage 2" \
    address-list-timeout=1m chain="RFC Telnet Chain" comment=\
    "Add successive attempts to Telnet Stage 2" connection-state=new dst-port=\
    10023 protocol=tcp src-address-list="Telnet Stage 1"
add action=add-src-to-address-list address-list="Telnet Stage 1" \
    address-list-timeout=1m chain="RFC Telnet Chain" comment=\
    "Add Initial attempt to Telnet Stage 1" connection-state=new dst-port=\
    10023 protocol=tcp
add action=return chain="RFC Telnet Chain" comment=\
    "Return From RFC Telnet Chain"
add chain=output comment="Section Break" disabled=yes
add action=add-src-to-address-list address-list="Black List (Winbox)" \
    address-list-timeout=none-dynamic chain="RFC Winbox Chain" comment=\
    "Transfer repeated attempts from Winbox Stage 3 to Black-List" \
    connection-state=new dst-port=8291 protocol=tcp src-address-list=\
    "Winbox Stage 3"
add action=add-src-to-address-list address-list="Winbox Stage 3" \
    address-list-timeout=1m chain="RFC Winbox Chain" comment=\
    "Add successive attempts to Winbox Stage 3" connection-state=new dst-port=\
    8291 protocol=tcp src-address-list="Winbox Stage 2"
add action=add-src-to-address-list address-list="Winbox Stage 2" \
    address-list-timeout=1m chain="RFC Winbox Chain" comment=\
    "Add successive attempts to Winbox Stage 2" connection-state=new dst-port=\
    8291 protocol=tcp src-address-list="Winbox Stage 1"
add action=add-src-to-address-list address-list="Winbox Stage 1" \
    address-list-timeout=1m chain="RFC Winbox Chain" comment=\
    "Add Initial attempt to Winbox Stage 1" connection-state=new dst-port=8291 \
    protocol=tcp
add action=return chain="RFC Winbox Chain" comment=\
    "Return From RFC Winbox Chain"
add chain=output comment="Section Break" disabled=yes
add action=drop chain=forward comment=\
    "Drop anyone in the WAN Port Scanner List" src-address-list=\
    "WAN Port Scanners"
add action=drop chain=forward comment=\
    "Drop anyone in the LAN Port Scanner List" disabled=yes src-address-list=\
    "LAN Port Scanners"
add action=add-src-to-address-list address-list="LAN Port Scanners" chain=\
    forward comment="Add TCP Port Scanners to Address List" protocol=tcp psd=\
    40,3s,2,1
add action=add-src-to-address-list address-list="(LAN High Connection Rates)" \
    address-list-timeout=none-dynamic chain=forward comment=\
    "Add LAN High Connections to Address List" connection-limit=100,32 \
    disabled=yes protocol=tcp
add chain=output comment="Section Break" disabled=yes
add action=drop chain=Virus comment="Drop Blaster Worm" dst-port=135-139 \
    protocol=tcp
add action=drop chain=Virus comment="Drop Blaster Worm" dst-port=445 \
    protocol=tcp
add action=drop chain=Virus comment="Drop Blaster Worm" dst-port=445 \
    protocol=udp
add action=drop chain=Virus comment="Drop Messenger Worm" dst-port=135-139 \
    protocol=udp
add action=drop chain=Virus comment=Conficker dst-port=593 protocol=tcp
add action=drop chain=Virus comment=Worm disabled=yes dst-port=1024-1030 \
    protocol=tcp
add action=drop chain=Virus comment="ndm requester" dst-port=1363 protocol=\
    tcp
add action=drop chain=Virus comment="ndm server" dst-port=1364 protocol=tcp
add action=drop chain=Virus comment="screen cast" dst-port=1368 protocol=tcp
add action=drop chain=Virus comment=hromgrafx dst-port=1373 protocol=tcp
add action=drop chain=Virus comment="Drop MyDoom" dst-port=1080 protocol=tcp
add action=drop chain=Virus comment=cichlid dst-port=1377 protocol=tcp
add action=drop chain=Virus comment=Worm dst-port=1433-1434 protocol=tcp
add action=drop chain=Virus comment="Drop Dumaru.Y" dst-port=2283 protocol=\
    tcp
add action=drop chain=Virus comment="Drop Beagle" dst-port=2535 protocol=tcp
add action=drop chain=Virus comment="Drop Beagle.C-K" dst-port=2745 protocol=\
    tcp
add action=drop chain=Virus comment="Drop MyDoom" dst-port=3127-3128 \
    protocol=tcp
add action=drop chain=Virus comment="Drop Backdoor OptixPro" dst-port=3410 \
    protocol=tcp
add action=drop chain=Virus comment="Drop Sasser" disabled=yes dst-port=5554 \
    protocol=tcp
add action=drop chain=Virus comment=Worm dst-port=4444 protocol=tcp
add action=drop chain=Virus comment=Worm dst-port=4444 protocol=udp
add action=drop chain=Virus comment="Drop Beagle.B" disabled=yes dst-port=\
    8866 protocol=tcp
add action=drop chain=Virus comment="Drop Dabber.A-B" dst-port=9898 protocol=\
    tcp
add action=drop chain=Virus comment="Drop Dumaru.Y" disabled=yes dst-port=\
    10000 protocol=tcp
add action=drop chain=Virus comment="Drop MyDoom.B" dst-port=10080 protocol=\
    tcp
add action=drop chain=Virus comment="Drop NetBus" dst-port=12345 protocol=tcp
add action=drop chain=Virus comment="Drop Kuang2" disabled=yes dst-port=17300 \
    protocol=tcp
add action=drop chain=Virus comment="Drop SubSeven" dst-port=27374 protocol=\
    tcp
add action=drop chain=Virus comment="Drop PhatBot, Agobot, Gaobot" dst-port=\
    65506 protocol=tcp
add action=return chain=Virus comment="Return From Virus Chain"
add chain=output comment="Section Break" disabled=yes
add action=jump chain=forward comment="Jump to \"Manage Common Ports\" Chain" \
    jump-target="Manage Common Ports"
add chain="Manage Common Ports" comment=\
    "\"All hosts on this subnet\" Broadcast" src-address=224.0.0.1
add chain="Manage Common Ports" comment=\
    "\"All routers on this subnet\" Broadcast" src-address=224.0.0.2
add chain="Manage Common Ports" comment=\
    "DVMRP (Distance Vector Multicast Routing Protocol)" src-address=\
    224.0.0.4
add chain="Manage Common Ports" comment="OSPF - All OSPF Routers Broadcast" \
    src-address=224.0.0.5
add chain="Manage Common Ports" comment="OSPF - OSPF DR Routers Broadcast" \
    src-address=224.0.0.6
add chain="Manage Common Ports" comment="RIP Broadcast" src-address=224.0.0.9
add chain="Manage Common Ports" comment="EIGRP Broadcast" src-address=\
    224.0.0.10
add chain="Manage Common Ports" comment="PIM Broadcast" src-address=\
    224.0.0.13
add chain="Manage Common Ports" comment="VRRP Broadcast" src-address=\
    224.0.0.18
add chain="Manage Common Ports" comment="IS-IS Broadcast" src-address=\
    224.0.0.19
add chain="Manage Common Ports" comment="IS-IS Broadcast" src-address=\
    224.0.0.20
add chain="Manage Common Ports" comment="IS-IS Broadcast" src-address=\
    224.0.0.21
add chain="Manage Common Ports" comment="IGMP Broadcast" src-address=\
    224.0.0.22
add chain="Manage Common Ports" comment="GRE Protocol (Local Management)" \
    protocol=gre
add chain="Manage Common Ports" comment="FTPdata transfer" port=20 protocol=\
    tcp
add action=accept chain="Manage Common Ports" comment="RTSP data transfer" \
    port=10554 protocol=tcp
add chain="Manage Common Ports" comment="FTPdata transfer " port=20 \
    protocol=udp
add chain="Manage Common Ports" comment="FTPcontrol (command)" port=21 \
    protocol=tcp
add chain="Manage Common Ports" comment="Secure Shell(SSH)" port=22 protocol=\
    tcp
add chain="Manage Common Ports" comment="Secure Shell(SSH) " port=22 \
    protocol=udp
add chain="Manage Common Ports" comment=Telnet port=23 protocol=tcp
add chain="Manage Common Ports" comment=Telnet port=23 protocol=udp
add chain="Manage Common Ports" comment="Priv-mail: any privatemailsystem." \
    port=24 protocol=tcp
add chain="Manage Common Ports" comment="Priv-mail: any privatemailsystem. " \
    port=24 protocol=udp
add chain="Manage Common Ports" comment="Simple Mail Transfer Protocol(SMTP)" \
    port=25 protocol=tcp
add chain="Manage Common Ports" comment=\
    "Simple Mail Transfer Protocol(SMTP) " port=25 protocol=udp
add chain="Manage Common Ports" comment="TIME protocol" port=37 protocol=tcp
add chain="Manage Common Ports" comment="TIME protocol " port=37 protocol=\
    udp
add chain="Manage Common Ports" comment=\
    "ARPA Host Name Server Protocol & WINS" port=42 protocol=tcp
add chain="Manage Common Ports" comment=\
    "ARPA Host Name Server Protocol & WINS " port=42 protocol=udp
add chain="Manage Common Ports" comment="WHOIS protocol" port=43 protocol=tcp
add chain="Manage Common Ports" comment="WHOIS protocol" port=43 protocol=udp
add chain="Manage Common Ports" comment="Domain Name System (DNS)" port=53 \
    protocol=tcp
add chain="Manage Common Ports" comment="Domain Name System (DNS)" port=53 \
    protocol=udp
add chain="Manage Common Ports" comment="Mail Transfer Protocol(RFC 780)" \
    port=57 protocol=tcp
add chain="Manage Common Ports" comment="(BOOTP) Server & (DHCP) " port=67 \
    protocol=udp
add chain="Manage Common Ports" comment="(BOOTP) Client & (DHCP) " port=68 \
    protocol=udp
add chain="Manage Common Ports" comment=\
    "Trivial File Transfer Protocol (TFTP) " port=69 protocol=udp
add chain="Manage Common Ports" comment="Gopher protocol" port=70 protocol=\
    tcp
add chain="Manage Common Ports" comment="Finger protocol" port=79 protocol=\
    tcp
add chain="Manage Common Ports" comment="Hypertext Transfer Protocol (HTTP)" \
    port=80 protocol=tcp
add chain="Manage Common Ports" comment="RemoteTELNETService protocol" port=\
    107 protocol=tcp
add chain="Manage Common Ports" comment="Post Office Protocolv2 (POP2)" port=\
    109 protocol=tcp
add chain="Manage Common Ports" comment="Post Office Protocolv3 (POP3)" port=\
    110 protocol=tcp
add chain="Manage Common Ports" comment=\
    "IdentAuthentication Service/Identification Protocol" port=113 protocol=\
    tcp
add chain="Manage Common Ports" comment="Authentication Service (auth) " \
    port=113 protocol=udp
add chain="Manage Common Ports" comment=\
    "Simple File Transfer Protocol (SFTP)" port=115 protocol=tcp
add chain="Manage Common Ports" comment="Network Time Protocol(NTP)" port=123 \
    protocol=udp
add chain="Manage Common Ports" comment="NetBIOSNetBIOS Name Service" port=\
    137 protocol=tcp
add chain="Manage Common Ports" comment="NetBIOSNetBIOS Name Service " port=\
    137 protocol=udp
add chain="Manage Common Ports" comment="NetBIOSNetBIOS Datagram Service" \
    port=138 protocol=tcp
add chain="Manage Common Ports" comment="NetBIOSNetBIOS Datagram Service " \
    port=138 protocol=udp
add chain="Manage Common Ports" comment="NetBIOSNetBIOS Session Service" \
    port=139 protocol=tcp
add chain="Manage Common Ports" comment="NetBIOSNetBIOS Session Service " \
    port=139 protocol=udp
add chain="Manage Common Ports" comment=\
    "Internet Message Access Protocol (IMAP)" port=143 protocol=tcp
add chain="Manage Common Ports" comment=\
    "Background File Transfer Program (BFTP)" port=152 protocol=tcp
add chain="Manage Common Ports" comment=\
    "Background File Transfer Program (BFTP) " port=152 protocol=udp
add chain="Manage Common Ports" comment=\
    "SGMP,Simple Gateway Monitoring Protocol" port=153 protocol=tcp
add chain="Manage Common Ports" comment=\
    "SGMP,Simple Gateway Monitoring Protocol " port=153 protocol=udp
add chain="Manage Common Ports" comment=\
    "DMSP, Distributed Mail Service Protocol" port=158 protocol=tcp
add chain="Manage Common Ports" comment=\
    "DMSP, Distributed Mail Service Protocol " port=158 protocol=udp
add chain="Manage Common Ports" comment=\
    "Simple Network Management Protocol(SNMP) " port=161 protocol=udp
add chain="Manage Common Ports" comment=\
    "Simple Network Management ProtocolTrap (SNMPTRAP)" port=162 protocol=tcp
add chain="Manage Common Ports" comment=\
    "Simple Network Management ProtocolTrap (SNMPTRAP) " port=162 protocol=\
    udp
add chain="Manage Common Ports" comment="BGP (Border Gateway Protocol)" port=\
    179 protocol=tcp
add chain="Manage Common Ports" comment=\
    "Internet Message Access Protocol (IMAP), version 3" port=220 protocol=\
    tcp
add chain="Manage Common Ports" comment=\
    "Internet Message Access Protocol (IMAP), version 3" port=220 protocol=\
    udp
add chain="Manage Common Ports" comment=\
    "BGMP, Border Gateway Multicast Protocol" port=264 protocol=tcp
add chain="Manage Common Ports" comment=\
    "BGMP, Border Gateway Multicast Protocol " port=264 protocol=udp
add chain="Manage Common Ports" comment=\
    "Lightweight Directory Access Protocol (LDAP)" port=389 protocol=tcp
add chain="Manage Common Ports" comment=\
    "Lightweight Directory Access Protocol (LDAP)" port=389 protocol=udp
add chain="Manage Common Ports" comment=\
    "SSTP TCP Port 443 (Local Management) & HTTPS" port=443 protocol=tcp
add chain="Manage Common Ports" comment=\
    "Microsoft-DSActive Directory, Windows shares" port=445 protocol=tcp
add chain="Manage Common Ports" comment=\
    "L2TP/ IPSEC UDP Port 500 (Local Management)" port=500 protocol=udp
add chain="Manage Common Ports" comment="Modbus, Protocol" port=502 protocol=\
    tcp
add chain="Manage Common Ports" comment="Modbus, Protocol " port=502 \
    protocol=udp
add chain="Manage Common Ports" comment="Shell (Remote Shell, rsh, remsh)" \
    port=514 protocol=tcp
add chain="Manage Common Ports" comment="Syslog - used for system logging " \
    port=514 protocol=udp
add chain="Manage Common Ports" comment=\
    "Routing Information Protocol (RIP) " port=520 protocol=udp
add chain="Manage Common Ports" comment="e-mail message submission (SMTP)" \
    port=587 protocol=tcp
add chain="Manage Common Ports" comment="LDP,Label Distribution Protocol" \
    port=646 protocol=tcp
add chain="Manage Common Ports" comment="LDP,Label Distribution Protocol" \
    port=646 protocol=udp
add chain="Manage Common Ports" comment=\
    "FTPS Protocol (data):FTP over TLS/SSL" port=989 protocol=tcp
add chain="Manage Common Ports" comment=\
    "FTPS Protocol (data):FTP over TLS/SSL" port=989 protocol=udp
add chain="Manage Common Ports" comment=\
    "FTPS Protocol (control):FTP over TLS/SSL" port=990 protocol=tcp
add chain="Manage Common Ports" comment=\
    "FTPS Protocol (control):FTP over TLS/SSL" port=990 protocol=udp
add chain="Manage Common Ports" comment="TELNET protocol overTLS/SSL" port=\
    992 protocol=tcp
add chain="Manage Common Ports" comment="TELNET protocol overTLS/SSL" port=\
    992 protocol=udp
add chain="Manage Common Ports" comment=\
    "Internet Message Access Protocol over TLS/SSL (IMAPS)" port=993 \
    protocol=tcp
add chain="Manage Common Ports" comment=\
    "Post Office Protocol3 over TLS/SSL (POP3S)" port=995 protocol=tcp
add chain="Manage Common Ports" comment=\
    "OVPN TCP Port 1194 (Local Management)" port=1194 protocol=tcp
add chain="Manage Common Ports" comment="PPTP Port 1723 (Local Management)" \
    port=1723 protocol=tcp
add chain="Manage Common Ports" comment=\
    "L2TP UDP Port 1701 (Local Management)" port=1701 protocol=udp
add chain="Manage Common Ports" comment=\
    "L2TP UDP Port 4500 (Local Management)" port=4500 protocol=udp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add chain=forward comment="Accept New Connections" connection-state=new \
    disabled=yes
add chain=forward comment="Accept Related or Established Connections" \
    connection-state=established,related disabled=yes
add action=accept chain=input connection-state=established disabled=yes
add action=accept chain=input connection-state=related disabled=yes
add action=drop chain=input disabled=yes in-interface=ETH1-LightWave
/ip firewall mangle
add action=mark-routing chain=prerouting comment="IPsec Mangle" \
    dst-address=10.7.6.2-10.7.6.254 new-routing-mark=IPsec_mark \
    passthrough=yes
/ip firewall nat
add action=accept chain=srcnat comment="IPsec NAT Rule (DND)" \
    dst-address=10.7.6.0/24 src-address=10.10.10.7
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=ETH1-LightWave
add action=dst-nat chain=dstnat comment="PPTP-01 VPN" dst-port=1723 \
    in-interface=ETH1-LightWave protocol=tcp to-addresses=10.10.10.250 \
    to-ports=1723
add action=dst-nat chain=dstnat in-interface=ETH1-LightWave protocol=gre \
    to-addresses=10.10.10.250
add action=dst-nat chain=dstnat comment=CenterB dst-port=6547 in-interface=\
    ETH1-LightWave protocol=tcp to-addresses=10.10.10.43 to-ports=6547
add action=dst-nat chain=dstnat dst-port=6551 in-interface=ETH1-LightWave \
    protocol=tcp to-addresses=10.10.10.42 to-ports=6551
add action=dst-nat chain=dstnat comment=CenterD dst-port=7547 in-interface=\
    ETH1-LightWave protocol=tcp to-addresses=10.10.10.43 to-ports=7547
add action=dst-nat chain=dstnat dst-port=7551 in-interface=ETH1-LightWave \
    protocol=tcp to-addresses=10.10.10.43 to-ports=7551
add action=dst-nat chain=dstnat comment=Auth01 dst-port=3663 in-interface=\
    ETH1-LightWave protocol=tcp to-addresses=10.10.10.12 to-ports=3663
add action=accept chain=dstnat comment="L2TP VPN Server" in-interface=\
    ETH1-LightWave protocol=ipsec-esp
add action=accept chain=dstnat in-interface=ETH1-LightWave protocol=ipsec-ah
add action=dst-nat chain=dstnat dst-port=1701 in-interface=ETH1-LightWave \
    protocol=tcp to-addresses=10.10.10.250 to-ports=1701
add action=dst-nat chain=dstnat dst-port=500 in-interface=ETH1-LightWave \
    protocol=udp to-addresses=10.10.10.250 to-ports=500
add action=dst-nat chain=dstnat dst-port=4500 in-interface=ETH1-LightWave \
    protocol=udp to-addresses=10.10.10.250 to-ports=4500
add action=dst-nat chain=dstnat comment="EPS Core Server Ports on 10.10.10.2" \
    dst-port=81 in-interface=ETH1-LightWave protocol=tcp to-addresses=\
    10.10.10.2 to-ports=81
add action=dst-nat chain=dstnat comment="Events Server on 10.10.10.14" \
    dst-port=8084 in-interface=ETH1-LightWave protocol=tcp to-addresses=\
    10.10.10.14 to-ports=8084
add action=dst-nat chain=dstnat dst-port=80 in-interface=ETH1-LightWave \
    protocol=tcp to-addresses=10.10.10.2 to-ports=80
add action=dst-nat chain=dstnat comment=\
    "IPsec Tunnel (DND) Start Section Break" disabled=yes dst-port=0 \
    in-interface=bridge1 protocol=tcp to-addresses=10.7.6.0 to-ports=10554
add action=dst-nat chain=dstnat comment="NVR 10.7.6.200" dst-port=3389 \
    in-interface=bridge1 protocol=tcp to-addresses=10.7.6.200 to-ports=3389
add action=dst-nat chain=dstnat dst-port=60001-60010 in-interface=bridge1 \
    protocol=tcp to-addresses=10.7.6.200 to-ports=60001-60010
add action=dst-nat chain=dstnat disabled=yes dst-port=554 in-interface=\
    bridge1 protocol=tcp to-addresses=10.7.6.200 to-ports=554
add action=dst-nat chain=dstnat comment=\
    "rtsp://admin:admin@10.7.6.107:10554/stream2 10554->554 | 8080->80" \
    dst-port=10554 in-interface=bridge1 protocol=tcp to-addresses=10.7.6.107 \
    to-ports=554
add action=dst-nat chain=dstnat dst-port=8080 in-interface=bridge1 protocol=\
    tcp to-addresses=10.7.6.107 to-ports=80
add action=dst-nat chain=dstnat comment=\
    "rtsp://admin:admin@10.7.6.106:10554/stream2 10555->554 | 8081->80" \
    dst-port=10555 in-interface=bridge1 protocol=tcp to-addresses=10.7.6.106 \
    to-ports=554
add action=dst-nat chain=dstnat dst-port=8081 in-interface=bridge1 protocol=\
    tcp to-addresses=10.7.6.106 to-ports=80
add action=dst-nat chain=dstnat comment=\
    "rtsp://admin:admin@10.7.6.107:10556/stream2 10556->554 | 8082->80" \
    dst-port=10556 in-interface=bridge1 protocol=tcp to-addresses=10.7.6.108 \
    to-ports=554
add action=dst-nat chain=dstnat dst-port=8082 in-interface=bridge1 protocol=\
    tcp to-addresses=10.7.6.108 to-ports=80
add action=dst-nat chain=dstnat comment=\
    "rtsp://admin:admin@10.7.6.110:10557/stream2 10557->554 | 8083->80" \
    dst-port=10557 in-interface=bridge1 protocol=tcp to-addresses=10.7.6.110 \
    to-ports=554
add action=dst-nat chain=dstnat dst-port=8083 in-interface=bridge1 protocol=\
    tcp to-addresses=10.7.6.110 to-ports=80
add action=dst-nat chain=dstnat comment=\
    "rtsp://admin:admin@10.7.6.122:10558/stream2 10558->554 | 8084->80" \
    dst-port=10558 in-interface=bridge1 protocol=tcp to-addresses=10.7.6.122 \
    to-ports=554
add action=dst-nat chain=dstnat dst-port=8084 in-interface=bridge1 protocol=\
    tcp to-addresses=10.7.6.122 to-ports=80
add action=dst-nat chain=dstnat comment=\
    "rtsp://admin:admin@10.7.6.130:10559/stream2 10559->554 | 8085->80" \
    dst-port=10559 in-interface=bridge1 protocol=tcp to-addresses=10.7.6.130 \
    to-ports=554
add action=dst-nat chain=dstnat dst-port=8085 in-interface=bridge1 protocol=\
    tcp to-addresses=10.7.6.130 to-ports=80
add action=dst-nat chain=dstnat comment=\
    "rtsp://admin:admin@10.7.6.103:10560/stream2 10560->554 | 8086->80" \
    dst-port=10560 in-interface=bridge1 protocol=tcp to-addresses=10.7.6.103 \
    to-ports=554
add action=dst-nat chain=dstnat dst-port=8086 in-interface=bridge1 protocol=\
    tcp to-addresses=10.7.6.103 to-ports=80
add action=dst-nat chain=dstnat comment=\
    "rtsp://admin:admin@10.7.6.102:10561/stream2 10561->554 | 8087->80" \
    dst-port=10561 in-interface=bridge1 protocol=tcp to-addresses=10.7.6.102 \
    to-ports=554
add action=dst-nat chain=dstnat dst-port=8087 in-interface=bridge1 protocol=\
    tcp to-addresses=10.7.6.102 to-ports=80
add action=dst-nat chain=dstnat comment=\
    "rtsp://admin:admin@10.7.6.109:10562/stream2 10562->554 | 8088->80" \
    dst-port=10562 in-interface=bridge1 protocol=tcp to-addresses=10.7.6.109 \
    to-ports=554
add action=dst-nat chain=dstnat dst-port=8088 in-interface=bridge1 protocol=\
    tcp to-addresses=10.7.6.109 to-ports=80
add action=dst-nat chain=dstnat comment=\
    "rtsp://admin:admin@10.7.6.112:10563/stream2 10563->554 | 8089->80" \
    dst-port=10563 in-interface=bridge1 protocol=tcp to-addresses=10.7.6.112 \
    to-ports=554
add action=dst-nat chain=dstnat dst-port=8089 in-interface=bridge1 protocol=\
    tcp to-addresses=10.7.6.112 to-ports=80
add action=dst-nat chain=dstnat comment=\
    "rtsp://admin:admin@10.7.6.114:10564/stream2 10564->554 | 8090->80" \
    dst-port=10564 in-interface=bridge1 protocol=tcp to-addresses=10.7.6.114 \
    to-ports=554
add action=dst-nat chain=dstnat dst-port=8090 in-interface=bridge1 protocol=\
    tcp to-addresses=10.7.6.114 to-ports=80
add action=dst-nat chain=dstnat comment=\
    "rtsp://admin:admin@10.7.6.111:10565/stream2 10565->554 | 8091->80" \
    dst-port=10565 in-interface=bridge1 protocol=tcp to-addresses=10.7.6.111 \
    to-ports=554
add action=dst-nat chain=dstnat dst-port=8091 in-interface=bridge1 protocol=\
    tcp to-addresses=10.7.6.111 to-ports=80
add action=dst-nat chain=dstnat comment=\
    "rtsp://admin:admin@10.7.6.113:10566/stream2 10566->554 | 8092->80" \
    dst-port=10566 in-interface=bridge1 protocol=tcp to-addresses=10.7.6.113 \
    to-ports=554
add action=dst-nat chain=dstnat dst-port=8092 in-interface=bridge1 protocol=\
    tcp to-addresses=10.7.6.113 to-ports=80
add action=dst-nat chain=dstnat comment=\
    "rtsp://admin:admin@10.7.6.125:10567/stream2 10567->554 | 8093->80" \
    dst-port=10567 in-interface=bridge1 protocol=tcp to-addresses=10.7.6.125 \
    to-ports=554
add action=dst-nat chain=dstnat dst-port=8093 in-interface=bridge1 protocol=\
    tcp to-addresses=10.7.6.125 to-ports=80
add action=dst-nat chain=dstnat comment=\
    "rtsp://admin:admin@10.7.6.126:10568/stream2 10568->554 | 8094->80" \
    dst-port=10568 in-interface=bridge1 protocol=tcp to-addresses=10.7.6.126 \
    to-ports=554
add action=dst-nat chain=dstnat dst-port=8094 in-interface=bridge1 protocol=\
    tcp to-addresses=10.7.6.126 to-ports=80
add action=dst-nat chain=dstnat comment=\
    "rtsp://admin:admin@10.7.6.128:10569/stream2 10569->554 | 8095->80" \
    dst-port=10569 in-interface=bridge1 protocol=tcp to-addresses=10.7.6.128 \
    to-ports=554
add action=dst-nat chain=dstnat dst-port=8095 in-interface=bridge1 protocol=\
    tcp to-addresses=10.7.6.128 to-ports=80
add action=dst-nat chain=dstnat comment=\
    "rtsp://admin:admin@10.7.6.129:10570/stream2 10570->554 | 8096->80" \
    dst-port=10570 in-interface=bridge1 protocol=tcp to-addresses=10.7.6.129 \
    to-ports=554
add action=dst-nat chain=dstnat dst-port=8096 in-interface=bridge1 protocol=\
    tcp to-addresses=10.7.6.129 to-ports=80
add action=dst-nat chain=dstnat comment=
“rtsp://admin:admin@10.7.6.124:10571/stream2 10571->554 | 8097->80”
dst-port=10571 in-interface=bridge1 protocol=tcp to-addresses=10.7.6.124
to-ports=554
add action=dst-nat chain=dstnat dst-port=8097 in-interface=bridge1 protocol=
tcp to-addresses=10.7.6.124 to-ports=80
add action=dst-nat chain=dstnat comment=
“rtsp://admin:admin@10.7.6.127:10572/stream2 10572->554 | 8098->80”
dst-port=10572 in-interface=bridge1 protocol=tcp to-addresses=10.7.6.127
to-ports=554
add action=dst-nat chain=dstnat dst-port=8098 in-interface=bridge1 protocol=
tcp to-addresses=10.7.6.127 to-ports=80
add action=dst-nat chain=dstnat comment=
“rtsp://admin:admin@10.7.6.117:10573/stream2 10573->554 | 8099->80”
dst-port=10573 in-interface=bridge1 protocol=tcp to-addresses=10.7.6.117
to-ports=554
add action=dst-nat chain=dstnat dst-port=8099 in-interface=bridge1 protocol=
tcp to-addresses=10.7.6.117 to-ports=80
add action=dst-nat chain=dstnat comment=
“rtsp://admin:admin@10.7.6.118:10574/stream2 10574->554 | 8100->80”
dst-port=10574 in-interface=bridge1 protocol=tcp to-addresses=10.7.6.118
to-ports=554
add action=dst-nat chain=dstnat dst-port=8100 in-interface=bridge1 protocol=
tcp to-addresses=10.7.6.118 to-ports=80
add action=dst-nat chain=dstnat comment=
“rtsp://admin:admin@10.7.6.119:10575/stream2 10575->554 | 8101->80”
dst-port=10575 in-interface=bridge1 protocol=tcp to-addresses=10.7.6.119
to-ports=554
add action=dst-nat chain=dstnat dst-port=8101 in-interface=bridge1 protocol=
tcp to-addresses=10.7.6.119 to-ports=80
add action=dst-nat chain=dstnat comment=
“rtsp://admin:admin@10.7.6.123:10576/stream2 10576->554 | 8102->80”
dst-port=10576 in-interface=bridge1 protocol=tcp to-addresses=10.7.6.123
to-ports=554
add action=dst-nat chain=dstnat dst-port=8102 in-interface=bridge1 protocol=
tcp to-addresses=10.7.6.123 to-ports=80
add action=dst-nat chain=dstnat comment=
“rtsp://admin:admin@10.7.6.120:10577/stream2 10577->554 | 8103->80”
dst-port=10577 in-interface=bridge1 protocol=tcp to-addresses=10.7.6.120
to-ports=554
add action=dst-nat chain=dstnat dst-port=8103 in-interface=bridge1 protocol=
tcp to-addresses=10.7.6.120 to-ports=554
add action=dst-nat chain=dstnat comment=
“rtsp://admin:admin@10.7.6.115:10578/stream2 10578->554 | 8104->80”
dst-port=10578 in-interface=bridge1 protocol=tcp to-addresses=10.7.6.115
to-ports=554
add action=dst-nat chain=dstnat dst-port=8104 in-interface=bridge1 protocol=
tcp to-addresses=10.7.6.115 to-ports=80
add action=dst-nat chain=dstnat comment=
“rtsp://admin:admin@10.7.6.116:10579/stream2 10579->554 | 8105->80”
dst-port=10579 in-interface=bridge1 protocol=tcp to-addresses=10.7.6.116
to-ports=554
add action=dst-nat chain=dstnat dst-port=8105 in-interface=bridge1 protocol=
tcp to-addresses=10.7.6.116 to-ports=80
add action=dst-nat chain=dstnat comment=
“rtsp://admin:admin@10.7.6.132:10580/stream2 10580->554 | 8106->80”
dst-port=10580 in-interface=bridge1 protocol=tcp to-addresses=10.7.6.132
to-ports=554
add action=dst-nat chain=dstnat dst-port=8106 in-interface=bridge1 protocol=
tcp to-addresses=10.7.6.132 to-ports=80
add action=dst-nat chain=dstnat comment=
“rtsp://admin:admin@10.7.6.131:10581/stream2 10581->554 | 8107->80”
dst-port=10581 in-interface=bridge1 protocol=tcp to-addresses=10.7.6.131
to-ports=554
add action=dst-nat chain=dstnat dst-port=8107 in-interface=bridge1 protocol=
tcp to-addresses=10.7.6.131 to-ports=80
add action=dst-nat chain=dstnat comment=
“rtsp://admin:admin@10.7.6.105:10582/stream2 10582->554 | 8108->80”
dst-port=10582 in-interface=bridge1 protocol=tcp to-addresses=10.7.6.105
to-ports=554
add action=dst-nat chain=dstnat dst-port=8108 in-interface=bridge1 protocol=
tcp to-addresses=10.7.6.105 to-ports=80
add action=dst-nat chain=dstnat comment=
“rtsp://admin:admin@10.7.6.101:10583/stream2 10583->554 | 8109->80”
dst-port=10583 in-interface=bridge1 protocol=tcp to-addresses=10.7.6.101
to-ports=554
add action=dst-nat chain=dstnat dst-port=8109 in-interface=bridge1 protocol=
tcp to-addresses=10.7.6.101 to-ports=80
add action=dst-nat chain=dstnat comment=
“rtsp://admin:admin@10.7.6.104:10584/stream2 10584->554 | 8110->80”
dst-port=10584 in-interface=bridge1 protocol=tcp to-addresses=10.7.6.104
to-ports=554
add action=dst-nat chain=dstnat dst-port=8110 in-interface=bridge1 protocol=
tcp to-addresses=10.7.6.104 to-ports=80
add action=dst-nat chain=dstnat comment=
“rtsp://admin:admin@10.7.6.121:10585/stream2 10585->554 | 8111->80”
dst-port=10585 in-interface=bridge1 protocol=tcp to-addresses=10.7.6.121
to-ports=554
add action=dst-nat chain=dstnat dst-port=8111 in-interface=bridge1 protocol=
tcp to-addresses=10.7.6.121 to-ports=80
add action=dst-nat chain=dstnat comment=
“IPsec Tunnel (DND) End Section Break” disabled=yes dst-port=0
in-interface=bridge1 protocol=tcp to-addresses=10.7.6.0 to-ports=10554
/ip ipsec peer
add address=198.xxx.xxx.220/32 secret=**********
/ip ipsec policy
add dst-address=10.7.6.0/24 proposal=IPsec_Proposal sa-dst-address=
198.xxx.xxx.220 sa-src-address=209.xxx.xxx.230 src-address=10.10.10.0/24
tunnel=yes
/ip route
add comment=“IPsec Route” distance=1 dst-address=10.7.6.0/24
gateway=bridge1 routing-mark=IPsec_mark
add distance=1 gateway=209.xxx.xxx.225
/ip service
set telnet disabled=yes port=10023
set ftp disabled=yes port=10020
set www address=10.10.10.0/24 disabled=yes port=8080
set ssh port=10022
set www-ssl address=10.10.10.0/24
set api address=10.10.10.0/24 disabled=yes
set winbox address=10.10.10.0/24
set api-ssl address=10.10.10.0/24 disabled=yes
/system clock
set time-zone-name=America/Chicago
/system identity
set name=Eyecon-CCR
/system ntp client
set enabled=yes primary-ntp=216.239.35.4 secondary-ntp=216.239.35.0 \
    server-dns-names=time.google.com,time1.google.com

It turned out that the ports were getting sent to the wrong devices. PATing the ports in the firewall fixed the issue.

Inbound tunnel IP on the router bridge. Since there were 48 cameras at each location and I needed 10.7.6.x:80 and :554 routed, building 96 rules in the firewall was not fun. There has to be a faster way :frowning:
10.7.6.131: 10554->554 | 8107->80
to
10.7.6.131: 60554->554 | 8107->80
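The posted dst-nat rules match on dst-port and in-interface only, so a LAN connection to any remote host on one of the forwarded ports (the 10554 case in the opening post) is rewritten to a camera. The following Python generator is an added example, not the thread author's config or script: it allocates the camera forwards in bulk, refuses external ports that collide with ports LAN hosts still need to reach elsewhere, and pins every rule with dst-address to the router's LAN address. The camera range 10.7.6.101-132, 10.10.10.1 as the router address and the reserved port set are assumptions.

```python
# Added example, not the thread author's config or script: plan MikroTik dst-nat
# port forwards for the camera block and render them as RouterOS export lines.
from dataclasses import dataclass
from typing import Iterable, List, Set

@dataclass(frozen=True)
class Forward:
    camera: str    # camera address beyond the tunnel, e.g. 10.7.6.122
    ext_port: int  # port a LAN client connects to on the router
    int_port: int  # real port on the camera (554 RTSP, 80 HTTP)

def plan_forwards(cameras: Iterable[str], rtsp_base: int, http_base: int,
                  reserved: Set[int]) -> List[Forward]:
    """Allocate one RTSP and one HTTP external port per camera, sequentially
    from the two bases. An external port that is reserved (a port LAN hosts
    must still reach on remote systems, like 10554 in the thread), allocated
    twice, or out of range raises ValueError instead of overlapping silently."""
    forwards: List[Forward] = []
    used: Set[int] = set()
    for i, cam in enumerate(cameras):
        for ext, internal in ((rtsp_base + i, 554), (http_base + i, 80)):
            if ext in reserved:
                raise ValueError(f"external port {ext} collides with a reserved port")
            if ext in used or not 1 <= ext <= 65535:
                raise ValueError(f"external port {ext} already used or out of range")
            used.add(ext)
            forwards.append(Forward(cam, ext, internal))
    return forwards

def render_rules(forwards: List[Forward], router_ip: str,
                 in_iface: str = "bridge1") -> List[str]:
    """Emit '/ip firewall nat' lines. Unlike the posted rules, each one carries
    dst-address=<router LAN IP>, so only traffic addressed to the router itself
    is redirected; LAN traffic to a remote host on the same port is untouched."""
    lines = ["/ip firewall nat"]
    for f in forwards:
        lines.append(
            f"add action=dst-nat chain=dstnat dst-address={router_ip} "
            f"dst-port={f.ext_port} in-interface={in_iface} protocol=tcp "
            f"to-addresses={f.camera} to-ports={f.int_port} "
            f'comment="{f.camera} {f.ext_port}->{f.int_port}"'
        )
    return lines

if __name__ == "__main__":
    # Constructed input: cameras 10.7.6.101-132, router LAN address 10.10.10.1
    # (from the thread), and 10554 reserved because LAN hosts reach remote
    # systems on it. Moving the RTSP block to 60554 mirrors the poster's fix.
    cams = [f"10.7.6.{h}" for h in range(101, 133)]
    plan = plan_forwards(cams, rtsp_base=60554, http_base=8084, reserved={10554})
    print("\n".join(render_rules(plan, "10.10.10.1")))
```

Paste the printed block into a RouterOS terminal; calling plan_forwards with rtsp_base=10554 and the same reserved set reproduces the collision as a ValueError instead of a silently misrouted connection.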

Next up: SonicWall IPsec tunnel to Mikrotik :confused: