Hi,
I just started using Mikrotik routers and haven’t quite got the hang of masquerading.
I’d like to setup a IPSec tunnel into a Cisco router with only a single /32 nearside address which I masquerade my private local /24 network through.
Have a look at my config.
Pinging 172.27.1.1 from the local mikrotik receives a response from the pppoe’s destination address (farside) that says status admin prohibited.
Seems that it is going out the pppoe interface and I don’t understand exactly why…
Any help appreciated. See config below.
Thanks!
====
/interface bridge
add name=loopback1
/interface pppoe-client
add add-default-route=yes default-route-distance=1 disabled=no interface=ether2 name=pppoe-out2 password= user=
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5 enc-algorithms=3des
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether1 network=192.168.88.0
add address=172.29.36.249 interface=loopback1 network=172.29.36.249
/ip dns
set servers=8.8.8.8
/ip firewall filter
add action=drop chain=input comment=“Drop Invalid Connections” connection-state=invalid log-prefix=“”
add action=accept chain=input comment=“Allow Established Connections” connection-state=established log-prefix=“”
add action=accept chain=input comment=“Allow ICMP” log-prefix=“” protocol=icmp
add action=accept chain=input comment=“Accept Local Connections Not From ISP Connection” in-interface=!pppoe-out2 log-prefix=“” src-address=
192.168.88.0/24
add action=drop chain=input comment=“Drop Everything else”
/ip firewall mangle
#mark any packets coming from my private local /24 heading for remote private /24.
add action=mark-routing chain=prerouting dst-address=172.27.1.0/24 new-routing-mark=“IPSEC PACKET” passthrough=no src-address=192.168.88.0/24
/ip firewall nat
#Internet private network masquerading (192.168.88.0/24)
add action=masquerade chain=srcnat out-interface=pppoe-out2 routing-mark=“!IPSEC PACKET”
#This is what I was hoping would masquerade marked packets as 172.29.36.249. print stats only shows 0 0 though.
add action=masquerade chain=srcnat out-interface=loopback1 routing-mark=“IPSEC PACKET”
/ip ipsec peer
add address=/32 enc-algorithm=3des hash-algorithm=md5 local-address=0.0.0.0 nat-traversal=no secret=“”
/ip ipsec policy
#policy calling for IPsec for traffic going to 172.27.1.0/24 (which is behind the remote IPsec server).
add dst-address=172.27.1.0/24 sa-dst-address= sa-src-address= src-address=172.29.36.249/32 tunnel=yes
/ip route
add distance=1 dst-address=172.27.1.0/24 gateway=loopback1 routing-mark=“IPSEC PACKET”
/system clock
set time-zone-name=Australia/Hobart
/system logging
add prefix=vpn-test topics=ipsec