Dear all,
This is my first post in this community. I've been working with Mikrotik for 5 years in various installations; they're devices I love for IoT projects.
I have a problem in an infrastructure where I have several interconnected Mikrotik HAP RB951Ui-2nD routers (imagine them as branch offices, each within a NAT of its own ISP; that is, each Mikrotik doesn't have a public IP address). These routers connect to a FortiGate 100F, which has a public IP address. These devices are interconnected using IPsec with IKEv2, where tunnels are established so that the FortiGate's 6 networks can access the Mikrotik networks and vice versa. This works, and the tunnels are stable.
My problem is this:
- If I access the Mikrotik's IP address (for example, 10.10.225.0/24 or 10.10.92.0/24) from a network within the FortiGate (e.g., 10.11.83.1), either via HTTP (simply displaying the HTML) or through Winbox, all HTTP access to devices within the 10.11.83.0/24 network stops working.
It's worth noting that devices within the 10.11.83.0/24 network can access the FortiGate's networks without issue via HTTP.
This problem persists until I restart the Mikrotik; after that, it works again.
I've attached the configuration information for a Mikrotik device (they are all the same):
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=output comment="IPSEC" dst-address=10.10.92.0/24 src-address=10.11.83.0/24
add action=accept chain=output dst-address=10.10.137.0/24 src-address=10.11.83.0/24
add action=accept chain=output dst-address=10.10.215.0/24 src-address=10.11.83.0/24
add action=accept chain=output dst-address=10.10.220.0/24 src-address=10.11.83.0/24
add action=accept chain=output dst-address=10.10.225.0/24 src-address=10.11.83.0/24
add action=accept chain=output dst-address=10.253.254.0/24 src-address=10.11.83.0/24
add action=accept chain=input dst-address=10.11.83.0/24 src-address=10.10.92.0/24
add action=accept chain=input dst-address=10.11.83.0/24 src-address=10.10.137.0/24
add action=accept chain=input dst-address=10.11.83.0/24 src-address=10.10.215.0/24
add action=accept chain=input dst-address=10.11.83.0/24 src-address=10.10.220.0/24
add action=accept chain=input dst-address=10.11.83.0/24 src-address=10.10.225.0/24
add action=accept chain=input dst-address=10.11.83.0/24 src-address=10.253.254.0/24
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="Prevent FastTrack from blocking HTTP access" connection-state=established,related ipsec-policy=in,ipsec
add action=accept chain=forward comment="Prevent FastTrack from blocking HTTP access" connection-state=established,related ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN log=yes
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=accept chain=srcnat comment="IPSEC" dst-address=10.10.92.0/24 log=yes src-address=10.11.83.0/24
add action=accept chain=srcnat dst-address=10.10.137.0/24 src-address=10.11.83.0/24
add action=accept chain=srcnat dst-address=10.10.215.0/24 src-address=10.11.83.0/24
add action=accept chain=srcnat dst-address=10.10.220.0/24 log=yes src-address=10.11.83.0/24
add action=accept chain=srcnat dst-address=10.10.225.0/24 log=yes src-address=10.11.83.0/24
add action=accept chain=srcnat dst-address=10.253.254.0/24 log=yes src-address=10.11.83.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
add dh-group=modp2048 dpd-interval=10s dpd-maximum-failures=5 enc-algorithm=des hash-algorithm=sha256 name=fg-prof
/ip ipsec peer
add address=[WAN-2-OF-Fortigate] disabled=yes exchange-mode=ike2 name=fg-peer-w2 profile=fg-prof
add address=[WAN-1-OF-Fortigate] exchange-mode=ike2 name=fg-peer-w1 profile=fg-prof
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=des name=fg-prop pfs-group=modp2048
/ip ipsec identity
add generate-policy=port-strict my-id=key-id:mypasswordkey peer=fg-peer-w1
add generate-policy=port-strict my-id=key-id:mypasswordkey peer=fg-peer-w2
/ip ipsec policy
set 0 disabled=yes
add dst-address=10.10.92.0/24 peer=fg-peer-w1,fg-peer-w2 proposal=fg-prop src-address=10.11.83.0/24 tunnel=yes
add dst-address=10.10.137.0/24 peer=fg-peer-w1,fg-peer-w2 proposal=fg-prop src-address=10.11.83.0/24 tunnel=yes
add dst-address=10.10.215.0/24 peer=fg-peer-w1,fg-peer-w2 proposal=fg-prop src-address=10.11.83.0/24 tunnel=yes
add dst-address=10.10.220.0/24 peer=fg-peer-w1,fg-peer-w2 proposal=fg-prop src-address=10.11.83.0/24 tunnel=yes
add dst-address=10.10.225.0/24 peer=fg-peer-w1,fg-peer-w2 proposal=fg-prop src-address=10.11.83.0/24 tunnel=yes
add dst-address=10.253.254.0/24 peer=fg-peer-w1,fg-peer-w2 proposal=fg-prop src-address=10.11.83.0/24 tunnel=yes
I even added these lines, testing with two networks, based on what I read in the Mikrotik forums. I managed to get the devices on the 10.11.83.0/24 network to perform traceroute, but the problem persists.
/ip route
add disabled=no dst-address=10.10.225.0/24 gateway=ether1 pref-src=10.11.83.1 routing-table=main suppress-hw-offload=no
add disabled=no dst-address=10.10.220.0/24 gateway=ether1 pref-src=10.11.83.1 routing-table=main suppress-hw-offload=no
I would greatly appreciate any comments or help with this.
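Added example, not part of the post above and not MikroTik's own tooling: a small Python linter for a RouterOS export that surfaces the three things a reviewer would check in a configuration like this one: weak IPsec algorithms in the profile and proposal, a fasttrack rule that sits before the ipsec-policy accept rules in the forward chain (fasttracked packets skip the rest of the filter, so IPsec-bound traffic must be accepted first), and a masquerade rule without ipsec-policy=out,none (so tunnelled traffic is not source-NATed). SAMPLE is built from lines that appear in the posted export; BAD_SAMPLE, the function names and the finding strings are my own constructions.

```python
"""Lint a RouterOS export for IPsec-related pitfalls (added example)."""
import re
import shlex

# DES (56-bit) and 3DES are deprecated ciphers; MD5/SHA-1 are weak for IPsec integrity.
WEAK_ENC = {"des", "3des", "null"}
WEAK_HASH = {"md5", "sha1"}

# Constructed from lines of the posted configuration.
SAMPLE = r"""
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip ipsec profile
add dh-group=modp2048 dpd-interval=10s dpd-maximum-failures=5 enc-algorithm=des hash-algorithm=sha256 name=fg-prof
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=des name=fg-prop pfs-group=modp2048
"""

# Constructed counter-example: fasttrack before the IPsec accept, masquerade without the bypass.
BAD_SAMPLE = r"""
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward ipsec-policy=in,ipsec
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ok-prop pfs-group=modp2048
"""


def parse_export(text):
    """Return a list of (section, command, params) tuples.

    RouterOS wraps long export lines with a trailing backslash and an
    indented continuation line; those are joined before tokenising.
    Quoted values such as comment="..." are handled by shlex.
    """
    entries, section = [], None
    for raw in re.sub(r"\\\n\s*", "", text).splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):
            section = line  # e.g. "/ip firewall filter"
            continue
        tokens = shlex.split(line)
        params = {}
        for tok in tokens[1:]:
            key, sep, value = tok.partition("=")
            params[key] = value if sep else True  # bare words such as "[" or "]"
        entries.append((section, tokens[0], params))
    return entries


def weak_algorithms(entries):
    """Flag deprecated ciphers/hashes in IPsec profiles (phase 1) and proposals (phase 2)."""
    findings = []
    for section, _cmd, p in entries:
        if section not in ("/ip ipsec profile", "/ip ipsec proposal"):
            continue
        name = p.get("name", "<default>")
        for key in ("enc-algorithm", "enc-algorithms"):
            for alg in str(p.get(key, "")).split(","):
                if alg in WEAK_ENC:
                    findings.append(f"{section} {name}: weak encryption {alg}")
        for key in ("hash-algorithm", "auth-algorithms"):
            for alg in str(p.get(key, "")).split(","):
                if alg in WEAK_HASH:
                    findings.append(f"{section} {name}: weak integrity {alg}")
    return findings


def fasttrack_order(entries):
    """Flag ipsec-policy accept rules in the forward chain that come after fasttrack."""
    forward = [p for s, c, p in entries
               if s == "/ip firewall filter" and c == "add" and p.get("chain") == "forward"]
    ft = [i for i, p in enumerate(forward) if p.get("action") == "fasttrack-connection"]
    if not ft:
        return []
    return [f"forward rule {i}: ipsec-policy accept placed after fasttrack rule"
            for i, p in enumerate(forward)
            if i > ft[0] and p.get("action") == "accept" and "ipsec-policy" in p]


def masquerade_bypass(entries):
    """Flag masquerade rules that would also NAT traffic destined for an IPsec policy."""
    return [f"{s}: masquerade rule without ipsec-policy=out,none"
            for s, _c, p in entries
            if s == "/ip firewall nat" and p.get("action") == "masquerade"
            and p.get("ipsec-policy") != "out,none"]


def lint(text):
    """Run all checks over one export and return the list of findings."""
    entries = parse_export(text)
    return weak_algorithms(entries) + fasttrack_order(entries) + masquerade_bypass(entries)


if __name__ == "__main__":
    for label, cfg in (("SAMPLE", SAMPLE), ("BAD_SAMPLE", BAD_SAMPLE)):
        print(label, lint(cfg) or ["no findings"])
```

Run against the posted export the linter reports only the DES finding (once for the profile, once for the proposal); the rule ordering and the masquerade bypass in the post already match the RouterOS default-configuration pattern. Feed it the output of `/export` on a live device to check other boxes the same way.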