Problem: VPN into a network that has more than one gateway

I am new to the MikroTik world. I was referred to MikroTik by a VoIP technician.

I manage IT at a company that has several remote branches, all of which VPN into the HQ for their database system. At the HQ there are two internet routers, each with a different public IP on it (66.146.xxx.242 and 66.146.xxx.243). But the internal (LAN) address is on the same subnet. Router #1's LAN is 192.168.254.1 and Router #2's LAN is 192.168.254.2. The subnet mask used on all devices is 255.255.255.0. Router #1 is used to create all of the VPNs to the branches, Router #2 is used for people in the office to get out to the internet, so the computers in the office have a gateway of 192.168.254.2. The servers on the network use Router #1 as their gateway. All the branches use a router to router IPsec VPN, and all the VPNs connect to Router #1. Right now, all the routers are Netgear.

Here is the problem:

We configured the MikroTik at a new location to create an IPsec tunnel to Router #1 at HQ. We can successfully send traffic from the new location through the MikroTik to anything on the network that has 192.168.254.1 as its default gateway.

The problem is that I can't get access to any computers that have a gateway of 192.168.254.2 and are connected to the internet through Router #2. I can't even ping them.

However, if I go to another branch that has the IPsec tunnel set up from a Netgear router to Router #1 (which is also a Netgear router), then I can ping all the computers that have a gateway of 192.168.254.2 and are connected to Router #2. I can also ping all the computers that have a gateway of 192.168.254.1 and are connected to Router #1.

All the existing branches with IPsec tunnels from a Netgear router to Router #1 (Netgear also) CAN ping any computer on the 254 subnet, regardless of the gateway on the computer itself. But the computer connecting through the IPsec tunnel made from the MikroTik to Router #1 (Netgear) can only ping computers that have a gateway of Router #1 (192.168.254.1). In addition, the branches that create an IPsec tunnel from a Netgear router to Router #1 can also ping any computer in any branch (i.e. someone in branch 1 with IP address 192.168.6.100 can ping someone else in branch 3 with IP address 192.168.8.100). All the computers at each branch connect to the LAN ports of their Netgear router.

Why can't the MikroTik see any computers that have a gateway to Router #2 (192.168.254.2) even though they are all on the same subnet (all devices are on 192.168.254.xxx and all devices use a subnet mask of 255.255.255.0, but a different gateway)? How can we configure the MikroTik to allow the computer connecting from the new site through the MikroTik to Router #1 using an IPsec VPN to see all the computers that have Router #2 as their default gateway? Secondly, how can we have that new site be able to see all the computers at the different branches as well?

We have verified that from the new site any workstation that has a gateway of 192.168.254.1 is accessible, and if we simply change its gateway to 192.168.254.2, it is no longer accessible through the MikroTik IPsec tunnel.

This is the setup with private info scrubbed:

jun/23/2016 15:43:35 by RouterOS 6.35.2

software id = 7I8G-27H0

/interface bridge
add admin-mac=qq:qq:qq:qq:qq:qq auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
set [ find default-name=ether6 ] name=ether6-master
set [ find default-name=ether7 ] master-port=ether6-master
set [ find default-name=ether8 ] master-port=ether6-master
set [ find default-name=ether9 ] master-port=ether6-master
set [ find default-name=ether10 ] master-port=ether6-master
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-0E0CE4 wireless-protocol=802.11
/ip neighbor discovery
set ether1 discover=no
set bridge comment=defconf
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1,md5 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=ether6-master
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2-master network=192.168.88.0
add address=96.XXX.XX.100/24 interface=ether1 network=XX.XXX.XX.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=input comment="defconf: accept ICMP" protocol=icmp
add chain=input comment="defconf: accept established,related" connection-state=established,related
add chain=input comment=Winbox dst-port=8291 protocol=tcp
add chain=input comment="Remote Management" disabled=yes dst-port=80 protocol=tcp
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
add chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface=ether1
/ip firewall nat
add chain=srcnat dst-address=192.168.254.0/24 src-address=192.168.88.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1
add action=dst-nat chain=dstnat dst-port=3389 in-interface=ether1 protocol=tcp to-addresses=192.168.88.20 to-ports=3389
/ip ipsec peer
add address=66.xxx.xxx.242/32 enc-algorithm=aes-256,aes-192,aes-128,3des secret=PASSWORD
/ip ipsec policy
add dst-address=192.168.254.0/24 sa-dst-address=66.xxx.xxx.242 sa-src-address=96.XXX.XX.100 src-address=192.168.88.0/24 tunnel=yes
/ip route
add distance=1 gateway=96.XXX.XX.1
/lcd
set time-interval=daily
/system clock
set time-zone-name=America/Los_Angeles
/system routerboard settings
set protected-routerboot=disabled
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=bridge
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes

You need to add another IPsec policy with the destination network that is the network that contains the IP addresses used by the people connecting to the second router. Remember, with an IPsec configuration like this you have to match all the networks involved for it to work. Usually it is easier to set up IPsec only on a tunnel interface (with a /30 network on it), with the appropriate IPsec policy, which can even be auto-generated by the MikroTik, and then route the foreign networks over that tunnel interface. Of course that only works when your router #1 is configured to handle that.

The other network (192.168.254.0/24) is said to be common for all devices; there are just two different gateways, where some devices use one and some the other. So the tunnel should be fine, at least for the basic communication between these two networks. It would need other policies for communication with other branches.

I'd say the main problem is on the side with two routers: router #2 needs to have a static route to the remote subnet (192.168.88.0/24) with the gateway being router #1 (192.168.254.1). I think it must already have similar routes for the other branches, and it's only missing for the new one.
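As an added illustration of the reply above (this is not code from any poster in the thread), a small Python model of the HQ LAN traces where a reply from an office PC ends up before and after Router #2 gets the static route. The router and subnet addresses are the ones given in the question; the 192.168.254.50 host and the 192.168.88.20 PC are constructed, and Router #1 is assumed to hold the only IPsec policy for 192.168.88.0/24.

```python
"""Constructed model of the HQ LAN described in the thread: a reply from an HQ host
to the new MikroTik site only reaches the tunnel if the router it is handed to
knows that 192.168.88.0/24 lives behind Router #1. Example added to the thread."""
from ipaddress import IPv4Address, ip_address, ip_network

NEW_SITE = ip_network("192.168.88.0/24")          # LAN behind the MikroTik
DEFAULT = ip_network("0.0.0.0/0")
R1 = ip_address("192.168.254.1")                  # terminates the IPsec tunnels
R2 = ip_address("192.168.254.2")                  # office internet gateway


def lookup(table, dst):
    """Longest-prefix match. table maps network -> next hop, where the next hop is
    either a neighbour on the HQ LAN or a tag: 'ipsec' (encrypted into the
    tunnel) or 'internet' (sent to the ISP, where a private destination is lost)."""
    matches = [(net, hop) for net, hop in table.items() if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None


def reply_path(host_gateway, router2_routes):
    """Trace a reply from an HQ host (constructed: 192.168.254.50, default gateway
    host_gateway) to a PC at the new site (constructed: 192.168.88.20).
    Returns the hops taken, ending in 'ipsec' or 'internet'."""
    dst = ip_address("192.168.88.20")
    tables = {
        # Router #1 has the IPsec policy for the new site plus a default route.
        R1: {NEW_SITE: "ipsec", DEFAULT: "internet"},
        R2: router2_routes,
    }
    path = []
    hop = host_gateway        # destination is off-link, so the host uses its gateway
    while isinstance(hop, IPv4Address) and hop in tables:
        path.append(str(hop))
        hop = lookup(tables[hop], dst)
    path.append(hop)
    return path


# Router #2 as described in the question: only a default route towards its ISP.
R2_ORIGINAL = {DEFAULT: "internet"}
# Router #2 with the static route suggested in the reply: 192.168.88.0/24 via Router #1.
R2_FIXED = {DEFAULT: "internet", NEW_SITE: R1}

if __name__ == "__main__":
    print(reply_path(R1, R2_ORIGINAL))   # ['192.168.254.1', 'ipsec']
    print(reply_path(R2, R2_ORIGINAL))   # ['192.168.254.2', 'internet']
    print(reply_path(R2, R2_FIXED))      # ['192.168.254.2', '192.168.254.1', 'ipsec']
```

The request from the new site still arrives at the host in every case (Router #1 decrypts it and the host is on-link); what differs is only the return path, which is why hosts with gateway .2 look unreachable from the MikroTik side.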