Hi all,
I have a problem after enabling a second WAN connection on my MikroTik.
I created Mangle rules for dedicated access from the first LAN to the first WAN and the second LAN to the second WAN.
The problem I have is that the traffic to all my IPsec connections, using LAN1/WAN1 as before, does not get to the destination. The weird thing is that, from the remote locations, they have access to my LAN1 without hiccups.
Any thoughts?
The route table consists of 4 routes:
0.0.0.0/24 gateway from WAN1 distance 1 routing mark to_wan1
0.0.0.0/24 gateway from WAN2 distance 1 routing mark to_wan2
0.0.0.0/24 gateway from WAN1 distance 1
0.0.0.0/24 gateway from WAN2 distance 2
Mangle:
0 chain=prerouting action=mark-routing new-routing-mark=to_WAN1 passthrough=yes src-address=192.168.200.0/24 log=no log-prefix=""
1 chain=prerouting action=mark-routing new-routing-mark=to_WAN2 passthrough=yes src-address=172.16.0.0/23 log=no log-prefix=""
Filter:
0 chain=forward action=accept src-address=192.168.200.0/24 dst-address=172.20.8.0/23 log=no log-prefix=""
1 chain=forward action=accept src-address=192.168.200.0/24 log=no log-prefix=""
2 chain=forward action=accept src-address=192.168.50.0/24 log=no log-prefix=""
3 chain=forward action=accept src-address=172.16.0.0/23 log=no log-prefix=""
4 chain=forward action=accept src-address=192.168.200.0/24 dst-address=192.168.50.0/24 log=no log-prefix=""
5 chain=forward action=accept src-address=10.0.0.0/24 dst-address=192.168.50.0/24 log=no log-prefix=""
6 chain=forward action=accept src-address=192.168.150.0/24 log=no log-prefix=""
7 chain=forward action=accept src-address=192.168.200.0/24 dst-address=192.168.150.0/24 log=no log-prefix=""
8 chain=forward action=accept src-address=192.168.200.0/24 dst-address=172.16.0.0/23 log=no log-prefix=""
9 chain=forward action=accept src-address=10.255.0.0/23 dst-address=192.168.200.0/24 log=no log-prefix=""
NAT:
0 chain=srcnat action=masquerade out-interface=Ether 1 Public WAN log=no log-prefix=""
1 chain=srcnat action=masquerade out-interface=ether 3 Public Wan Business log=no log-prefix=""
2 chain=srcnat action=accept src-address=192.168.200.0/24 dst-address=172.20.20.0/23 log=no log-prefix=""
3 chain=srcnat action=accept src-address=192.168.200.0/24 dst-address=10.0.0.0/24 log=no log-prefix=""
4 chain=srcnat action=accept src-address=192.168.200.0/24 dst-address=192.168.50.0/24 log=no log-prefix=""
5 chain=srcnat action=accept src-address=192.168.200.0/24 dst-address=192.168.150.0/24 log=no log-prefix=""
6 chain=srcnat action=accept src-address=192.168.150.0/24 dst-address=10.255.0.0/24 log=no log-prefix=""
7 chain=srcnat action=accept src-address=192.168.200.0/24 dst-address=10.255.0.0/24 log=no log-prefix=""
8 chain=srcnat action=accept src-address=192.168.200.0/24 dst-address=172.20.8.0/23 log=no log-prefix=""
9 chain=srcnat action=accept src-address=192.168.200.0/24 dst-address=10.10.92.0/24 log=no log-prefix=""
10 chain=srcnat action=accept protocol=tcp src-address=192.168.200.0/24 dst-address=WAN1IP dst-port=80 log=no log-prefix=""
11 chain=srcnat action=accept src-address=192.168.200.0/24 dst-address=192.168.100.0/24 log=no log-prefix=""
12 chain=srcnat action=accept src-address=192.168.200.0/24 dst-address=172.16.0.0/23 log=no log-prefix=""
13 chain=dstnat action=dst-nat to-addresses=192.168.200.3 to-ports=25 protocol=tcp dst-address=WAN1IP dst-port=25 log=no log-prefix=""
14 chain=dstnat action=dst-nat to-addresses=192.168.150.207 to-ports=21 protocol=tcp dst-address=WAN1IP dst-port=65021 log=no log-prefix=""
15 ;;; Webhost RDP
chain=dstnat action=dst-nat to-addresses=172.16.0.10 to-ports=3389 protocol=tcp dst-address=WAN2IP1 dst-port=63389 log=no log-prefix=""
16 chain=dstnat action=dst-nat to-addresses=172.16.0.11 to-ports=3389 protocol=tcp dst-address=WAN2IP12 dst-port=63389 log=no log-prefix=""
17 ;;; FTP
chain=dstnat action=dst-nat to-addresses=172.16.0.10 to-ports=21 protocol=tcp dst-address=WAN2IP1 dst-port=21 log=no log-prefix=""
18 chain=dstnat action=dst-nat to-addresses=172.16.0.12 to-ports=21 protocol=tcp dst-address=WAN2IP3 dst-port=21 log=no log-prefix=""
19 chain=dstnat action=dst-nat to-addresses=172.16.0.10 to-ports=49152-65535 protocol=tcp dst-address=WAN2IP1 dst-port=49152-65535 log=no log-prefix=""
20 chain=dstnat action=dst-nat to-addresses=172.16.0.12 to-ports=49152-65535 protocol=tcp dst-address=WAN2IP3 dst-port=49152-65535 log=no log-prefix=""
21 ;;; HTTP
chain=dstnat action=dst-nat to-addresses=172.16.0.10 to-ports=80 protocol=tcp dst-address=WAN2IP1 dst-port=80 log=no log-prefix=""
22 chain=dstnat action=dst-nat to-addresses=172.16.0.10 to-ports=8443 protocol=tcp dst-address=WAN2IP1 dst-port=8443 log=no log-prefix=""
23 chain=dstnat action=dst-nat to-addresses=172.16.0.10 to-ports=8447 protocol=tcp dst-address=WAN2IP1 dst-port=8447 log=no log-prefix=""
24 chain=dstnat action=dst-nat to-addresses=172.16.0.12 to-ports=80 protocol=tcp dst-address=WAN2IP3 dst-port=80 log=no log-prefix=""
25 ;;; SMTP
chain=dstnat action=dst-nat to-addresses=172.16.0.10 to-ports=25 protocol=tcp dst-address=WAN2IP1 dst-port=25 log=no log-prefix=""
26 chain=dstnat action=dst-nat to-addresses=172.16.0.10 to-ports=587 protocol=tcp dst-address=WAN2IP1 dst-port=587 log=no log-prefix=""
27 ;;; Imap
chain=dstnat action=dst-nat to-addresses=172.16.0.10 to-ports=143 protocol=tcp dst-address=WAN2IP1 dst-port=143 log=no log-prefix=""
28 ;;; ImapS
chain=dstnat action=dst-nat to-addresses=172.16.0.10 to-ports=993 protocol=tcp dst-address=WAN2IP1 dst-port=993 log=no log-prefix=""
29 ;;; DNS
chain=dstnat action=dst-nat to-addresses=172.16.0.10 to-ports=53 protocol=tcp dst-address=WAN2IP1 dst-port=53 log=no log-prefix=""
30 chain=dstnat action=dst-nat to-addresses=172.16.0.10 to-ports=53 protocol=udp dst-address=WAN2IP1 dst-port=53 log=no log-prefix=""
31 chain=dstnat action=dst-nat to-addresses=172.16.0.11 to-ports=53 protocol=tcp dst-address=WAN2IP12 dst-port=53 log=no log-prefix=""
32 chain=dstnat action=dst-nat to-addresses=172.16.0.11 to-ports=53 protocol=udp dst-address=WAN2IP12 dst-port=53 log=no log-prefix=""
33 chain=dstnat action=dst-nat to-addresses=192.168.150.207 to-ports=10090-10100 protocol=tcp dst-address=WAN1IP dst-port=10090-10100 log=no log-prefix=""
34 chain=dstnat action=dst-nat to-addresses=192.168.200.4 to-ports=3389 protocol=tcp dst-address=WAN1IP dst-port=3389 log=no log-prefix=""
35 chain=dstnat action=dst-nat to-addresses=192.168.150.88 to-ports=80 protocol=tcp dst-address=WAN1IP dst-port=80 log=no log-prefix=""
36 chain=dstnat action=dst-nat to-addresses=192.168.200.31 to-ports=8000 protocol=tcp dst-address=WAN1IP dst-port=8000 log=no log-prefix=""
37 chain=dstnat action=dst-nat to-addresses=192.168.200.1 to-ports=8291 protocol=tcp dst-address=WAN1IP dst-port=8291 log=no log-prefix=""
38 chain=dstnat action=dst-nat to-addresses=192.168.200.250 to-ports=3389 protocol=tcp dst-address=WAN1IP dst-port=43389 log=no log-prefix=""
39 chain=dstnat action=dst-nat to-addresses=192.168.200.30 to-ports=8000 protocol=tcp dst-address=WAN1IP dst-port=8001 log=no log-prefix=""
40 chain=dstnat action=dst-nat to-addresses=192.168.200.3 to-ports=443 protocol=tcp dst-address=WAN1IP dst-port=443 log=no log-prefix=""
41 chain=dstnat action=dst-nat to-addresses=192.168.150.201 to-ports=32400 protocol=tcp dst-address=WAN1IP dst-port=32400 log=no log-prefix=""
42 chain=dstnat action=dst-nat to-addresses=192.168.200.73 to-ports=8080 protocol=tcp dst-address=WAN1IP dst-port=6580 log=no log-prefix=""
43 chain=dstnat action=dst-nat to-addresses=192.168.200.46 to-ports=5900 protocol=tcp src-address=185.72.36.246 dst-address=WAN1IP dst-port=5900 log=no log-prefix=""
44 chain=dstnat action=dst-nat to-addresses=192.168.200.73 to-ports=3389 protocol=tcp dst-address=WAN1IP dst-port=3389 log=no log-prefix=""
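
An added example, not part of the original post: a rule-order check over a constructed subset of the srcnat listing above, reporting which accept (no-NAT) rules can never be reached because an earlier masquerade rule already matches the same packets, next to the same rules with the accept entries moved first. It relies on NAT rules being evaluated top to bottom with the first match ending the lookup, and assumes the tunnel-bound traffic leaves through one of the two public interfaces, for which `wan1` and `wan2` are hypothetical short names.

```python
from ipaddress import ip_network

# Constructed subset of the srcnat listing above. "wan1"/"wan2" are short
# stand-ins for the two public interfaces; a missing key matches anything.
POSTED = [
    {"n": 0, "action": "masquerade", "out": "wan1"},
    {"n": 1, "action": "masquerade", "out": "wan2"},
    {"n": 2, "action": "accept", "src": "192.168.200.0/24", "dst": "172.20.20.0/23"},
    {"n": 8, "action": "accept", "src": "192.168.200.0/24", "dst": "172.20.8.0/23"},
    {"n": 12, "action": "accept", "src": "192.168.200.0/24", "dst": "172.16.0.0/23"},
]

def covers(a, b):
    """True if matcher a matches every address that matcher b matches."""
    if a is None:
        return True
    return b is not None and ip_network(b).subnet_of(ip_network(a))

def shadowed(rules, egress):
    """Return (rule, earlier_rule) pairs: for new connections leaving via
    `egress`, the earlier rule matches everything the later rule would, so
    the later rule is never evaluated (NAT stops at the first match)."""
    live = [r for r in rules if r.get("out") in (None, egress)]
    pairs = []
    for i, later in enumerate(live):
        for earlier in live[:i]:
            if (covers(earlier.get("src"), later.get("src"))
                    and covers(earlier.get("dst"), later.get("dst"))):
                pairs.append((later["n"], earlier["n"]))
                break
    return pairs

def bypass_first(rules):
    """Stable reorder: accept (no-NAT) rules ahead of the masquerade rules."""
    return sorted(rules, key=lambda r: r["action"] != "accept")

if __name__ == "__main__":
    for egress in ("wan1", "wan2"):
        print(egress, "posted order:", shadowed(POSTED, egress))
        print(egress, "bypass first:", shadowed(bypass_first(POSTED), egress))
```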