Hey all,
Thanks in advance for your time. I’m very basic with networking so I hope you have some patience with me.
I currently have an IPsec tunnel established between my Palo Alto firewall (10.10.0.0/16 local side) and Mikrotik Router (192.168.5.0/24 remote side).
I am able to ping and connect to devices on the Mikrotik side from the Palo Alto, but traffic initiated from the Mikrotik side is not returning to the Palo at all.
I suspect this is a route issue on the Mikrotik device however am having issues getting a route set up.
I added the following route via IP > Routes (without success)
dest. address=10.10.0.0/16
Pref. Source=192.168.5.1
Gateway=ether1 (tried them all tbh)
Could someone assist me with figuring out where I’m going wrong?
We got this issue resolved.
I’m sure there are better ways to solve this issue but, here’s how I solved it for myself.
I created the following mangle rule to log the route the traffic was taking.
/ip firewall mangle add chain=output dst-address=10.10.0.0/16 action=log comment="Show route in log"
This gave me a log entry that looked like
output: in:(unknown 0) out:ether1, proto ICMP (type 8, code 0), 192.168.5.1->10.10.6.244, NAT (192.168.5.1->some.public.ip.here)->10.10.6.244, len 56
I assumed this meant that the traffic was being NATed through our WAN interface, which made me look at our NAT rules.
Looks like our NAT rules were set to use our WAN interface to translate the IPs.
I updated the rules as shown beneath, where I excluded my specific subnet AND set ipsec-policy=out,none.
I think ipsec-policy=out,none is redundant in rule 0 but I added it just in case.
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf: masquerade (except my subnet)
chain=srcnat action=masquerade dst-address=!10.10.0.0/16 out-interface-list=WAN log=no log-prefix="" ipsec-policy=out,none
Does anyone have a simpler guide on what “masquerade” does?
The documentation from Mikrotik is dense and I'm not understanding what these rules are doing.
As always, very much appreciate your time.
Yes, you can use either dst-address=!10.10.0.0/16 or ipsec-policy=out,none alone and both will work. I'd probably use the latter, because it automatically covers all existing and future tunnels. And if you have more srcnat rules, it may be even better to use this as the first rule:
to stop srcnat processing for all traffic covered by IPSec policies.
As for masquerade, it's just a special type of srcnat where instead of specifying the source address manually (action=src-nat to-addresses=x.x.x.x) it takes one automatically from the outgoing interface.
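As an added worked example (my own RouterOS commands, not configuration posted by anyone in this thread), here is the default masquerade setup beside two ways of keeping tunnel traffic out of NAT, plus the check that shows the difference. It assumes an interface list named WAN, a LAN of 192.168.5.0/24, a remote side of 10.10.0.0/16, a remote host 10.10.6.244 and a public address of 203.0.113.10; all of those are placeholders.

```routeros
# Added example, not from the thread. Assumed names: interface list "WAN",
# local LAN 192.168.5.0/24, remote side 10.10.0.0/16, public IP 203.0.113.10.

/ip firewall nat
# Weak default: every packet leaving WAN is masqueraded, including packets that
# an IPsec policy will encapsulate afterwards. The remote side then sees the
# public IP instead of 192.168.5.x, and its replies never match the tunnel.
# add chain=srcnat action=masquerade out-interface-list=WAN comment="defconf: masquerade"

# Option A: one accept rule in front of everything, so srcnat processing stops
# for any packet matched by an outbound IPsec policy. place-before=0 puts it
# first even when other srcnat rules already exist.
add chain=srcnat action=accept ipsec-policy=out,ipsec place-before=0 \
    comment="no source NAT for IPsec-protected traffic"

# Option B: keep a single masquerade rule but make it skip tunnel traffic,
# either by excluding the remote subnet or by matching only packets that have
# no outbound IPsec policy. Both are shown for comparison.
add chain=srcnat action=masquerade out-interface-list=WAN dst-address=!10.10.0.0/16 \
    comment="masquerade, except the remote subnet"
add chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none \
    comment="masquerade, only traffic that no IPsec policy will carry"

# Equivalent of masquerade with the address fixed instead of taken from the
# interface (assumed public IP):
# add chain=srcnat action=src-nat to-addresses=203.0.113.10 out-interface-list=WAN

# Check: log router-originated packets toward the remote side, send one from
# the LAN address, then read the log. With NAT bypassed the entry has no
# "NAT (...)" clause and the source stays 192.168.5.1.
/ip firewall mangle add chain=output dst-address=10.10.0.0/16 action=log \
    log-prefix="ipsec-check" comment="temporary, remove after testing"
/ping 10.10.6.244 src-address=192.168.5.1 count=1
/log print where message~"ipsec-check"
/ip firewall nat print stats
```

Option A is the one I would keep: it is independent of which subnets the tunnels carry, so adding a second tunnel later needs no change to the NAT rules. The counters from print stats confirm that tunnel packets hit the accept rule rather than the masquerade rule. Remove the mangle log rule once the check is done, since it fires on every packet the router itself sends toward 10.10.0.0/16.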