Hello,
I’ve looking at the forum but with no luck during tests.
I have 2 site2site tunnels, and strange things I can see primary subnet from remote only if the primary make some traffic to the remote one.
The rule “defconf: drop all coming from WAN” was modified from !LAN to WAN interface, and strange things is I have to disable this role and the FastTrack role to permit the IPSec traffic from remote flow to the mikrotik subnet. When enabling again this role (and not the fastTrack) it works for a while and then stop working again.
Local net is 192.168.69.0/24 and all tunnels are up.
Another quesion is: by default the role “defconf: drop all coming from WAN” need to be before or after the “defconf: accept in ipsec policy” and “defconf: accept out ipsec policy” for security?
Hope someone can help me
/ip firewall address-list
add address=192.168.29.0/24 comment="Address for Tunnels VPN1" list=IPSec_VPN1
add address=192.168.1.0/24 comment="Address for Tunnel VPN2 (native)" list=IPSec_VPN2
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input comment="Permit HTTP management from WAN" dst-port=1445 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="permit my VPN1 computer" ipsec-policy=in,ipsec src-address=192.168.29.101 src-address-list=IPSec_Tunnel
add action=accept chain=forward comment="Accept from VPN2 LAN" ipsec-policy=in,ipsec src-address=192.168.1.0/24 src-address-list=IPSec_VPN2
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=input comment="defconf: drop all coming from WAN" in-interface-list=WAN log-prefix=blocca
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=forward comment="Mark IPSec In" ipsec-policy=in,ipsec log=yes new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="Mark IPSec Out" ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=yes
/ip firewall nat
add action=accept chain=srcnat comment="No NAT for IPSec" dst-address-list=IPSec_VPN1 src-address=192.168.69.0/24
add action=accept chain=srcnat comment="No NAT for IPSEC" dst-address-list=IPSec_VPN2 src-address=192.168.69.0/24
add action=accept chain=srcnat dst-address=192.168.69.0/24 src-address-list=IPSec_VPN2
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
/ip ipsec policy
set 0 disabled=yes
add dst-address=192.168.29.0/24 level=unique peer=VPN1 proposal=VPN1_ph2 src-address=192.168.69.0/24 tunnel=yes
add dst-address=192.168.1.0/24 level=unique peer=VPN2 proposal=VPN2_ph2 src-address=192.168.69.0/24 tunnel=yes