No WAN access - VPN in play

I have a RB5009PU running 7.18.1 in a data center.
There is a VPN between the data center router and a remote office. I'm able to remote desktop and use PuTTY to the devices in the data center from the remote office.
Problem:
I cannot access the internet from any servers in the data center while connected through the VPN. For example, connecting to a server in the data center from the remote office, I cannot access the internet to do an OS update. Further, I cannot ping the DNS server (8.8.8.8) from the data center server.

Can someone suggest what may prevent WAN access from the data center while connected through the VPN?

Thank you.

Hi!

It could be a number of things: routing, rules or NAT, to mention but a few.

Can you share an anonymized configuration for the DC firewall?

Firewall Filter Rules

[admin@MikroTik] > /ip firewall filter print
Flags: X - disabled, I - invalid; D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough

1 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked log=no log-prefix=""

2 chain=input action=accept protocol=udp in-interface=ether1 dst-port=1701,500,4500 log=no log-prefix=""

3 chain=input action=accept protocol=ipsec-esp log=no log-prefix=""

4 chain=input action=accept protocol=udp dst-port=4500 log=no log-prefix=""

5 chain=input action=accept protocol=udp dst-port=500 log=no log-prefix=""

6 chain=input action=accept protocol=udp dst-port=1701 log=no log-prefix=""

7 ;;; allow l2tp
chain=input action=accept protocol=ipsec-esp log=no log-prefix=""

8 ;;; bret added
chain=forward action=accept protocol=ipsec-ah log=no log-prefix=""

9 chain=input action=accept connection-state=established protocol=tcp src-address=vpn-peer-ip(hidden) connection-type="" log=no log-prefix=""

10 chain=forward action=accept protocol=tcp src-address=vpn-peer-ip(hidden) log=no log-prefix=""

11 13 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid log=no log-prefix=""

14 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp

15 ;;; defconf: accept to local loopback (for CAPsMAN)
chain=input action=accept dst-address=127.0.0.1

16 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN log=no log-prefix=""

17 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec

18 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec

19 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related

20 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked

21 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid

22 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN

Firewall NAT

[admin@MikroTik] > /ip firewall nat print
Flags: X - disabled, I - invalid; D - dynamic
0 chain=srcnat action=accept log=no log-prefix=""

1 chain=srcnat action=masquerade log=no log-prefix=""

2 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface-list=!WAN log=no log-prefix="" ipsec-policy=out,none

If anything is incorrect or can be changed to allow WAN access from the data center, that would be great.

I think your nat is incorrect, rule 0 matches everything.

Can you explain?

The traffic from your servers to the internet is not natted because rule 0 matches everything and stops the processing.

Try adding a condition to it to match the internal networks your tunnel connects to as destination.

Thanks
Changes to rule 0 have allowed local LAN traffic out the WAN to the internet. So it seems that if no criteria are given to the NAT rule, NAT doesn't direct packets. This is very helpful to understand.

Modified Firewall NAT (is rule 0 as shown safe, or should it be more specific?)
[admin@MikroTik] > /ip firewall nat print
Flags: X - disabled, I - invalid; D - dynamic
0 chain=srcnat action=accept src-address-list=(LAN Network/24 - hidden) out-interface-list=WAN log=no log-prefix=""

1 chain=srcnat action=masquerade log=no log-prefix=""

2 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface-list=!WAN log=no log-prefix="" ipsec-policy=out,none

The following rule would not NAT your traffic out - it reads “packet with a source IP in my internal LAN and going out to the WAN, do not source nat” - which is the opposite of what you want to do, at least for the traffic going to the Internet.

[admin@MikroTik] > /ip firewall nat print
Flags: X - disabled, I - invalid; D - dynamic
0 chain=srcnat action=accept src-address-list=(LAN Network/24 - hidden) out-interface-list=WAN log=no log-prefix=""

What you actually want is:

  1. Outbound packets going into the ipsec tunnel should not be source natted
  2. Outbound packets going to the internet should be source natted

Note that I don't consider inbound packets. These two rules can be written in a variety of ways; for example, starting from an empty NAT policy, the following rule will NAT everything that goes out from your internal network and is not going into IPsec. Everything else will keep its original source IP. Of course, replace the <…> with the address-list containing your internal IP.

/ip/firewall/nat/add chain=srcnat src-address-list=<...> out-interface-list=WAN ipsec-policy=out,none action=masquerade comment="Outbound to Internet NAT"
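To make the first-match behaviour behind the two answers above concrete (the "rule 0 matches everything and stops the processing" remark, and the later point that an accept on LAN-to-WAN traffic is the opposite of what is wanted), here is a small model of how the srcnat chain is walked. It is an added example, not code from the thread or from MikroTik; the subnets (10.10.0.0/24 for the DC LAN, 10.20.0.0/24 for the remote office), the interface list membership (ether1 as the only WAN member) and the assumption that the tunnel is policy-based IPsec leaving via ether1 are all invented for the illustration.

```python
"""Model of how RouterOS walks the srcnat chain: rules are tried top-down and the
first rule whose matchers all hit decides the packet; nothing after it runs.

Added example, not code from the forum thread or from MikroTik. Addresses and
interface names are assumptions: DC LAN 10.10.0.0/24, remote office 10.20.0.0/24
reached through a policy-based IPsec tunnel, ether1 the only member of list WAN.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

LAN = ip_network("10.10.0.0/24")      # assumed: address list holding the DC LAN
REMOTE = ip_network("10.20.0.0/24")   # assumed: remote-office LAN behind the tunnel
WAN_LIST = {"ether1"}                 # assumed: members of interface list "WAN"


@dataclass
class Packet:
    src: str
    dst: str
    out_iface: str           # interface chosen by the routing decision
    ipsec_out: bool = False  # True when an outbound IPsec policy will encrypt it


@dataclass
class Rule:
    action: str                              # "accept" (stop, no NAT) or "masquerade"
    src_list: Optional[IPv4Network] = None   # src-address-list=
    dst_list: Optional[IPv4Network] = None   # dst-address-list=
    out_iface_list: Optional[str] = None     # out-interface-list=WAN or !WAN
    ipsec_policy: Optional[str] = None       # ipsec-policy=out,none or out,ipsec
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        """Every matcher that is set must hit; a rule with no matchers hits everything."""
        if self.src_list is not None and ip_address(p.src) not in self.src_list:
            return False
        if self.dst_list is not None and ip_address(p.dst) not in self.dst_list:
            return False
        if self.out_iface_list is not None:
            negate = self.out_iface_list.startswith("!")   # "!WAN" means not in list
            in_list = p.out_iface in WAN_LIST
            if in_list == negate:
                return False
        if self.ipsec_policy == "out,none" and p.ipsec_out:
            return False
        if self.ipsec_policy == "out,ipsec" and not p.ipsec_out:
            return False
        return True


def evaluate(chain: List[Rule], p: Packet) -> str:
    """Walk the chain top-down; the first matching rule's action is final."""
    for rule in chain:
        if rule.matches(p):
            return rule.action
    return "accept"  # fell off the end: packet leaves with its original source


# The srcnat chains discussed in the thread, in the order they came up.
ORIGINAL = [
    Rule("accept", comment="rule 0 as first posted: no matchers, so every packet stops here"),
    Rule("masquerade"),
    Rule("masquerade", out_iface_list="!WAN", ipsec_policy="out,none"),
]
SUGGESTED_DST = [  # the first reply: bypass NAT only for the tunnel's destination networks
    Rule("accept", dst_list=REMOTE, comment="to remote office: keep source IP"),
    Rule("masquerade"),
]
OP_MODIFIED = [
    Rule("accept", src_list=LAN, out_iface_list="WAN", comment="LAN->WAN accept = no NAT"),
    Rule("masquerade"),
    Rule("masquerade", out_iface_list="!WAN", ipsec_policy="out,none"),
]
RECOMMENDED = [
    Rule("masquerade", src_list=LAN, out_iface_list="WAN", ipsec_policy="out,none",
         comment="Outbound to Internet NAT"),
]

# Constructed sample packets from a DC server: one to the internet, one into the tunnel.
SAMPLES = {
    "to_internet": Packet("10.10.0.5", "8.8.8.8", "ether1", ipsec_out=False),
    "to_remote_office": Packet("10.10.0.5", "10.20.0.7", "ether1", ipsec_out=True),
}


def report(chain: List[Rule]) -> Dict[str, str]:
    """Action taken for each sample packet under the given chain."""
    return {name: evaluate(chain, p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for label, chain in (("original", ORIGINAL), ("suggested_dst", SUGGESTED_DST),
                         ("op_modified", OP_MODIFIED), ("recommended", RECOMMENDED)):
        print(f"{label:14s} {report(chain)}")
```

Under this model the first posted chain never masquerades anything, the LAN-to-WAN accept variant also leaves internet-bound traffic un-NATed (which is the reading given in the last reply), and both the destination-based bypass and the single `ipsec-policy=out,none` masquerade rule NAT internet traffic while leaving tunnel traffic alone. On the real router the equivalent check is the packet counters in `/ip firewall nat print stats` while a DC server pings 8.8.8.8.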