packet capture, asymmetrical result

i’m trying to troubleshoot a spotty/choppy ipsec connection between 2 sites.
the configuration is extremely simple, but i’m seeing something odd with the capture result.
please pay attention to the identification column
from the 192 to the 10 network, i see 3 occurrences of the packet being captured: external->internal->ether10
but from the 10 to the 192 network, i only see 2 occurrences of the packet being captured, ether10->internal, but i’m missing external?

anybody know why the internal->external isn’t showing in packet capture?
packetcapture.PNG

Post the output of /export compact hide-sensitive file=MyConfig.rsc. It will show up in the “Files” menu. Paste it between code tags.

here is the config, let me know if anybody finds anything else concerning.

# dec/28/2018 19:44:53 by RouterOS 6.43.7
# software id = MR1X-FPQZ
#
# model = RB1100x4
# serial number = 91D8091F913A
# NOTE(review): the header above still carries the software id and serial
# number. These identify the device and are normally redacted by hand before
# a config is posted publicly; hide-sensitive does not appear to cover them.
#
# Two bridges are defined; the port assignments further down put ether1-5 on
# "external" and ether6-10 on "internal". ether11-13 are not bridged here.
/interface bridge
add name=external
add name=internal
# Every physical port has its speed set to 100Mbps.
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=ether9 ] speed=100Mbps
set [ find default-name=ether10 ] speed=100Mbps
set [ find default-name=ether11 ] speed=100Mbps
set [ find default-name=ether12 ] speed=100Mbps
set [ find default-name=ether13 ] speed=100Mbps
# Interface lists WAN and LAN are created here and populated below. None of the
# firewall rules in this export match on them; they match on bridge names.
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Phase 1 encryption algorithms offered to the IPsec peer.
# NOTE(review): 3des is still in the list, so it can be negotiated if the
# remote side prefers it. hash-algorithm and dh-group are absent from this
# compact export, so presumably left at RouterOS defaults; confirm they match
# the remote end and drop 3des if both sides support AES.
/ip ipsec peer profile
add enc-algorithm=aes-256,aes-128,3des name=profile1
# DHCP pool and server for the "internal" bridge.
/ip pool
add name=dhcp_pool1 ranges=10.10.200.2-10.10.201.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=internal name=dhcp1
# ether6-10 form the LAN-side bridge, ether1-5 the WAN-side bridge.
/interface bridge port
add bridge=internal interface=ether6
add bridge=internal interface=ether7
add bridge=internal interface=ether8
add bridge=internal interface=ether9
add bridge=internal interface=ether10
add bridge=external interface=ether1
add bridge=external interface=ether2
add bridge=external interface=ether3
add bridge=external interface=ether4
add bridge=external interface=ether5
/interface list member
add interface=external list=WAN
add interface=internal list=LAN
# Router addresses: LAN gateway 10.10.0.1/16 on "internal", the public address
# (masked by the poster as x.x.x.20/28) on "external".
/ip address
add address=10.10.0.1/16 interface=internal network=10.10.0.0
add address=x.x.x.20/28 comment=mtik interface=external network=\
    x.x.x.16
# NOTE(review): 10.10.198.0 is the network address of its own /24, and the /24
# lies inside the 10.10.0.0/16 already assigned to the same interface. The
# same range is the match address of the netmap rule in /ip firewall nat;
# confirm this assignment is intentional.
add address=10.10.198.0/24 interface=internal network=10.10.198.0
/ip dhcp-server network
add address=10.10.0.0/16 dns-server=10.10.0.25 domain=healthcareip.com \
    gateway=10.10.0.1
# allow-remote-requests=yes makes the router answer DNS queries itself.
# NOTE(review): nothing here restricts that to the LAN; whether the resolver is
# reachable from "external" depends entirely on the final drop rule of the
# input chain in /ip firewall filter staying enabled.
/ip dns
set allow-remote-requests=yes servers=10.10.0.25
# "support" is the list allowed to reach SSH/Winbox in the filter rules.
# NOTE(review): it is the entire LAN /16 rather than specific admin hosts.
/ip firewall address-list
add address=10.10.0.0/16 list=support
# "bogons" is used as a destination match by a forward drop rule. The
# 172.16.0.0/12 entry is exported disabled; 10.0.0.0/8 and 192.168.0.0/16 are
# not listed at all.
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
    need this subnet before enable it" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
    bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" \
    list=bogons
# Filter rules are evaluated top to bottom within each chain; the first
# matching rule with a terminating action decides the packet.
/ip firewall filter
# NOTE(review): this fasttracks every established/related forwarded
# connection, including the 10.10.0.0/16 <-> 192.168.5.0/24 tunnel traffic.
# MikroTik documents that fasttracked packets bypass IPsec policy processing,
# which typically shows up as an unstable tunnel. The documented remedies are
# to accept ipsec-policy=in,ipsec and ipsec-policy=out,ipsec traffic ahead of
# this rule, or to exclude the tunnel subnets from connection tracking; the
# /ip firewall raw notrack rules for those subnets are exported as disabled.
add action=fasttrack-connection chain=forward connection-state=\
    established,related
add action=accept chain=forward comment=established/related connection-state=\
    established,related
add action=accept chain=input comment=established/related connection-state=\
    established,related log-prefix=ok
# UDP 67 and 5678 to the router from LAN addresses arriving on "internal".
add action=accept chain=input dst-port=67,5678 in-interface=internal \
    protocol=udp src-address=10.10.0.0/16
# Accepts and logs everything addressed to the router from 10.10.0.0/16.
# NOTE(review): the match is on source address only (no in-interface), so it
# trusts that address on whichever interface the packet arrives; adding
# in-interface=internal would tie it to the LAN bridge. It also makes the
# port-specific rule above and the SSH/Winbox rule below redundant for LAN
# hosts, since "support" is the same /16.
add action=accept chain=input log=yes log-prefix=accept10 src-address=\
    10.10.0.0/16
add action=accept chain=input comment="Full access to SUPPORT address list" \
    dst-port=22,8291 log=yes protocol=tcp src-address-list=support
# ICMP echo request is rate limited; echo reply is accepted without a limit.
add action=accept chain=input comment="Echo request - Avoiding Ping Flood" \
    icmp-options=8:0 limit=10,5:packet protocol=icmp
add action=accept chain=input comment="Echo reply" icmp-options=0:0 protocol=\
    icmp
add action=drop chain=input comment="Block all access to the winbox - except t\
    o support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUP\
    PORT ADDRESS LIST" dst-port=8291 protocol=tcp src-address-list=!support
# SYN-rate and port-scan detection: offending sources are added to a timed
# address list and then dropped by the rule that follows each detector.
add action=add-src-to-address-list address-list=Syn_Flooder \
    address-list-timeout=30m chain=input comment=\
    "Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp \
    tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" \
    src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=1w chain=input comment="Port Scanner Detect" \
    protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" \
    src-address-list=Port_Scanner
# Site-to-site forwarding between the remote 192.168.5.0/24 and 10.0.0.0/8.
# NOTE(review): both rules match on addresses only. Without an
# ipsec-policy=in,ipsec matcher, a cleartext packet arriving on "external"
# with a 192.168.5.0/24 source is accepted here, ahead of the WAN drop rules
# further down. 10.0.0.0/8 is also wider than the 10.10.0.0/16 selector of the
# IPsec policy.
add action=accept chain=forward comment=office dst-address=10.0.0.0/8 \
    src-address=192.168.5.0/24
add action=accept chain=forward dst-address=192.168.5.0/24 src-address=\
    10.0.0.0/8
add action=drop chain=forward comment="Drop invalid packets" \
    connection-state=invalid log=yes log-prefix=fwdInv
add action=drop chain=forward comment=\
    "Drop new connections from internet which are not dst-natted" \
    connection-nat-state=!dstnat connection-state=new in-interface=external
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
    bogons log=yes log-prefix=bogonFwd
# Outbound SMTP limiting: sources exceeding the limits on ports 25/587 are
# listed for 3 hours and their mail traffic is dropped and logged.
add action=add-src-to-address-list address-list=spammers \
    address-list-timeout=3h chain=forward comment=\
    "Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=\
    25,587 limit=30/1m,0:packet protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 \
    log=yes log-prefix=dropFwd protocol=tcp src-address-list=spammers
# NOTE(review): "ICMP" is a custom chain and no jump rule targeting it is
# visible in this export, so as shown this rule is never evaluated.
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
# Final input drop, logged with prefix dropAll.
# NOTE(review): no input accept for IKE (udp 500/4500) or ipsec-esp from the
# peer appears above. Negotiation started by the remote side would presumably
# reach this rule unless it matches an existing connection; check the log for
# dropAll entries from the peer address to confirm.
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS \
    RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" log=yes \
    log-prefix=dropAll
add action=drop chain=forward comment="drop all from wan" in-interface=\
    external log=yes log-prefix=dropWanFwd
/ip firewall nat
# srcnat exemption for 192.168.5.0/24 -> 10.10.0.0/24 leaving via "internal".
# NOTE(review): with action=accept no translation takes place, so the
# to-addresses value on this rule presumably has no effect; confirm whether
# a netmap was intended.
add action=accept chain=srcnat comment="vpn nat for hosts w/def route 24.1" \
    dst-address=10.10.0.0/24 log=yes log-prefix=vpnsrc out-interface=internal \
    src-address=192.168.5.0/24 to-addresses=10.10.198.0/24
# dstnat exemption for 10.10.0.0/24 -> 192.168.5.0/24.
add action=accept chain=dstnat dst-address=192.168.5.0/24 src-address=\
    10.10.0.0/24
# 1:1 mapping: LAN hosts addressing 10.10.198.x are redirected to the matching
# 192.168.5.x address.
add action=netmap chain=dstnat dst-address=10.10.198.0/24 log=yes log-prefix=\
    vpndstnat src-address=10.10.0.0/24 to-addresses=192.168.5.0/24
# NOTE(review): no srcnat accept for src 10.10.0.0/16 dst 192.168.5.0/24
# precedes this masquerade. New connections from the LAN towards the remote
# subnet route out "external", so they look like they would be rewritten to
# the public address before IPsec policy matching and then no longer match
# the policy's 10.10.0.0/16 source selector; confirm, and add a NAT bypass
# rule above this one if so.
add action=masquerade chain=srcnat log-prefix=masq out-interface=external
# Both notrack rules for the tunnel subnets are exported with disabled=yes, so
# tunnel traffic is connection-tracked and subject to the filter and NAT
# rules.
/ip firewall raw
add action=notrack chain=prerouting comment="vpn notrack" disabled=yes \
    dst-address=10.0.0.0/8 src-address=192.168.5.0/24
add action=notrack chain=prerouting disabled=yes dst-address=192.168.5.0/24 \
    src-address=10.0.0.0/8
# Remote IPsec peer (address masked by the poster), using phase 1 profile
# "profile1". No authentication settings are visible here: presumably the
# secret was removed by hide-sensitive and the remaining values are defaults.
/ip ipsec peer
add address=y.y.y.247/32 profile=profile1
# Tunnel-mode policy: 10.10.0.0/16 <-> 192.168.5.0/24 between the two public
# endpoints. No proposal is named, so presumably the default one applies.
# NOTE(review): the filter and NAT rules for this tunnel use 10.0.0.0/8 and
# 10.10.0.0/24 rather than this /16; traffic allowed by those rules but
# outside this selector is not covered by the policy.
/ip ipsec policy
add dst-address=192.168.5.0/24 sa-dst-address=y.y.y.247 sa-src-address=\
    x.x.x.20 src-address=10.10.0.0/16 tunnel=yes
# Default route via the WAN gateway, plus a static route to 10.13.0.0/16
# through a LAN host.
/ip route
add distance=1 gateway=x.x.x.17
add distance=1 dst-address=10.13.0.0/16 gateway=10.10.0.121
# Management services: telnet, ftp, www, api and api-ssl are disabled; ssh and
# winbox stay enabled and are limited by source address.
# NOTE(review): the allowed ranges are all of 192.168.0.0/16 and 10.0.0.0/8,
# far wider than the two site subnets; narrowing them to the hosts that
# actually administer the router reduces exposure.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.0.0/16,10.0.0.0/8
set api address=192.168.0.0/16,10.0.0.0/8 disabled=yes
set winbox address=\
    192.168.0.0/16,10.0.0.0/8
set api-ssl address=192.168.0.0/16,10.0.0.0/8 disabled=yes
/system clock
set time-zone-name=America/Chicago
/tool bandwidth-server
set enabled=no
# MAC ping is disabled. NOTE(review): MAC-Telnet and MAC-Winbox settings are
# not in this export, so presumably at defaults; confirm they are restricted
# to the LAN side.
/tool mac-server ping
set enabled=no
# The sniffer filter matches only the two inner host addresses.
# NOTE(review): once tunnel traffic is encrypted it would leave "external" as
# ESP between the public endpoints and no longer match this filter, which
# would be consistent with the outbound direction not showing on "external"
# in the capture; confirm by also capturing on the peer addresses.
/tool sniffer
set filter-ip-address=10.10.0.53/32,192.168.5.128/32