Hello,
I am having a problem with firewall rules for a GRE tunnel on MikroTik.
I configured a strongSwan VPN server on my Debian VM with public IP 1.1.2.2 (an example, I don't want to share the real one). I have my CCR connected to the VPN server via IPsec with local address in the VPN 100.100.1.133/24; I assigned 100.100.1.254/24 to the VPN server and created a GRE tunnel 100.100.1.254 == 100.100.1.133, and I want to access 10.2.0.0/26, which is the MikroTik local subnet, through the VPN. I added a route on the VPN server: 10.2.0.0/26 dev gre_test0
On the MT:
/interface gre
add local-address=100.100.1.133 name=test remote-address=100.100.1.254
Communication is working. I see:
/tool sniff quick interface=test (gre)
INTERFACE TIME NUM DIR SRC-ADDRESS DST-ADDRESS PROTOCOL SIZE CPU
test 0.095 1 ← 1.1.2.2:39202 10.2.0.1:33485 ip:udp 60 1
test 0.097 2 ← 1.1.2.2:42262 10.2.0.1:33486 ip:udp 60 1
test 0.097 3 ← 1.1.2.2:58925 10.2.0.1:33487 ip:udp 60 1
test 0.097 4 ← 1.1.2.2:55973 10.2.0.1:33488 ip:udp 60 1
test 0.097 5 ← 1.1.2.2:47706 10.2.0.1:33489 ip:udp 60 1
test 0.097 6 ← 1.1.2.2:54024 10.2.0.1:33490 ip:udp 60 1
test 0.097 7 ← 1.1.2.2:40638 10.2.0.1:33491 ip:udp 60 1
test 0.097 8 ← 1.1.2.2:33668 10.2.0.1:33492 ip:udp 60 1
test 0.097 9 ← 1.1.2.2:46010 10.2.0.1:33493 ip:udp 60 1
test 0.097 10 ← 1.1.2.2:40235 10.2.0.1:33494 ip:udp 60 1
test 0.097 11 ← 1.1.2.2:46092 10.2.0.1:33495 ip:udp 60 1
test 0.097 12 ← 1.1.2.2:60092 10.2.0.1:33496 ip:udp 60 1
test 0.097 13 ← 1.1.2.2:57700 10.2.0.1:33497 ip:udp 60 1
test 0.112 14 ← 1.1.2.2:32900 10.2.0.1:33498 ip:udp 60 1
test 0.112 15 ← 1.1.2.2:58020 10.2.0.1:33499 ip:udp 60 1
test 0.112 16 ← 1.1.2.2:46886 10.2.0.1:33500 ip:udp 60 1
But when I do
/tool sniff quick ip-address=10.2.0.1
[admin@gw.bellovaVes133.krcn.services] > tool sniff qu ip-address=10.2.0.1
Columns: INTERFACE, TIME, NUM, DIR, SRC-MAC, DST-MAC, VLAN, SRC-ADDRESS, DST-ADDRESS, PROTOCOL, SIZE, CPU
INTERFACE TIME NUM DIR SRC-MAC DST-MAC VLAN SRC-ADDRESS DST-ADDRESS PROTOCOL SIZE CPU
vlan500 34.227 551 ← BC:24:11:FC:D8:58 D4:01:C3:AC:E4:8E 10.2.0.1 1.1.2.2 ip:icmp 98 1
PPPoE-ISP_Slovanet 34.227 552 → 10.2.0.1 1.1.2.2 ip:icmp 84 1
test 35.251 553 ← 1.1.2.2 10.2.0.1 ip:icmp 84 1
vlan500 35.251 554 → D4:01:C3:AC:E4:8E BC:24:11:FC:D8:58 1.1.2.2 10.2.0.1 ip:icmp 98 1
ether11 35.251 555 → D4:01:C3:AC:E4:8E BC:24:11:FC:D8:58 500 1.1.2.2 10.2.0.1 ip:icmp 102 1
ether11 35.251 556 ← BC:24:11:FC:D8:58 D4:01:C3:AC:E4:8E 500 10.2.0.1 1.1.2.2 ip:icmp 102 1
vlan500 35.251 557 ← BC:24:11:FC:D8:58 D4:01:C3:AC:E4:8E 10.2.0.1 1.1.2.2 ip:icmp 98 1
PPPoE-ISP_Slovanet 35.251 558 → 10.2.0.1 1.1.2.2 ip:icmp 84 1
test 36.278 559 ← 1.1.2.2 10.2.0.1 ip:icmp 84 1
vlan500 36.278 560 → D4:01:C3:AC:E4:8E BC:24:11:FC:D8:58 1.1.2.2 10.2.0.1 ip:icmp 98 1
ether11 36.278 561 → D4:01:C3:AC:E4:8E BC:24:11:FC:D8:58 500 1.1.2.2 10.2.0.1 ip:icmp 102 1
ether11 36.278 562 ← BC:24:11:FC:D8:58 D4:01:C3:AC:E4:8E 500 10.2.0.1 1.1.2.2 ip:icmp 102 1
vlan500 36.278 563 ← BC:24:11:FC:D8:58 D4:01:C3:AC:E4:8E 10.2.0.1 1.1.2.2 ip:icmp 98 1
PPPoE-ISP_Slovanet 36.278 564 → 10.2.0.1 1.1.2.2 ip:icmp 84 1
test 37.297 565 ← 1.1.2.2 10.2.0.1 ip:icmp 84 1
vlan500 37.297 566 → D4:01:C3:AC:E4:8E BC:24:11:FC:D8:58 1.1.2.2 10.2.0.1 ip:icmp 98 1
ether11 37.297 567 → D4:01:C3:AC:E4:8E BC:24:11:FC:D8:58 500 1.1.2.2 10.2.0.1 ip:icmp 102 1
ether11 37.297 568 ← BC:24:11:FC:D8:58 D4:01:C3:AC:E4:8E 500 10.2.0.1 1.1.2.2 ip:icmp 102 1
As you can see, the reply from 10.2.0.1 goes through the interface PPPoE-ISP_Slovanet (the uplink) and not through the GRE tunnel.
Can you please help me?
Firewall rules:
/ip firewall filter
add action=accept chain=forward dst-address=10.2.0.0/26 in-interface=test src-address=1.1.2.2
add action=accept chain=forward dst-address=10.2.0.0/26 out-interface=test src-address=1.1.2.2
/ip firewall nat
add action=src-nat chain=srcnat out-interface=test src-address=10.2.0.0/26 to-addresses=1.1.2.2
add action=masquerade chain=srcnat out-interface=PPPoE-ISP_Slovanet
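A quick way to confirm the asymmetric return path from a sniffer capture like the one above, as an added example that is not part of the original post: the script parses lines in the `/tool sniffer quick` layout (MAC and VLAN columns may or may not be present) and flags every peer whose packets enter the router on one set of interfaces while the replies to it leave on a disjoint set. The sample lines are constructed to mirror the capture in the post; the `rx`/`tx` naming and the function names are my own.

```python
from collections import defaultdict

# Constructed sample in the layout of `/tool sniffer quick` output: the
# echo request from the VPN server arrives over the GRE interface "test",
# but the reply from 10.2.0.1 leaves via the PPPoE uplink.
SAMPLE_SNIFF = """\
test 35.251 553 ← 1.1.2.2 10.2.0.1 ip:icmp 84 1
vlan500 35.251 554 → D4:01:C3:AC:E4:8E BC:24:11:FC:D8:58 1.1.2.2 10.2.0.1 ip:icmp 98 1
ether11 35.251 555 → D4:01:C3:AC:E4:8E BC:24:11:FC:D8:58 500 1.1.2.2 10.2.0.1 ip:icmp 102 1
ether11 35.251 556 ← BC:24:11:FC:D8:58 D4:01:C3:AC:E4:8E 500 10.2.0.1 1.1.2.2 ip:icmp 102 1
vlan500 35.251 557 ← BC:24:11:FC:D8:58 D4:01:C3:AC:E4:8E 10.2.0.1 1.1.2.2 ip:icmp 98 1
PPPoE-ISP_Slovanet 35.251 558 → 10.2.0.1 1.1.2.2 ip:icmp 84 1
"""

RX = {"←", "<-"}   # packet was received on the interface
TX = {"→", "->"}   # packet was transmitted out of the interface

def parse_sniff(text):
    """Parse sniffer lines into (iface, direction, src_ip, dst_ip, proto).
    MAC and VLAN columns are optional, so the addresses are taken from the
    right-hand end of the line: ... SRC-ADDRESS DST-ADDRESS PROTOCOL SIZE CPU."""
    packets = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 9 or tok[3] not in RX | TX:
            continue  # header line or something that is not a packet
        src, dst = (a.split(":")[0] for a in tok[-5:-3])  # drop a ":port" suffix
        packets.append((tok[0], "rx" if tok[3] in RX else "tx", src, dst, tok[-3]))
    return packets

def find_asymmetric(packets):
    """Return {peer: (ingress_ifaces, egress_ifaces)} for every peer whose
    packets enter the router on one set of interfaces and whose replies
    leave on a disjoint set, i.e. a classic asymmetric return path."""
    ingress, egress = defaultdict(set), defaultdict(set)
    for iface, direction, src, dst, _ in packets:
        if direction == "rx":
            ingress[src].add(iface)   # where traffic FROM this peer comes in
        else:
            egress[dst].add(iface)    # where traffic TO this peer goes out
    return {peer: (ingress[peer], egress[peer]) for peer in ingress
            if egress[peer] and not (ingress[peer] & egress[peer])}

if __name__ == "__main__":
    for peer, (i, e) in find_asymmetric(parse_sniff(SAMPLE_SNIFF)).items():
        print(f"{peer}: arrives via {sorted(i)}, replies leave via {sorted(e)}")
```

On the sample it reports only 1.1.2.2 (in via `test`, out via `PPPoE-ISP_Slovanet`); 10.2.0.1 is not flagged because its traffic is seen on vlan500/ether11 in both directions.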