Hi all,
I have a Site-to-Site tunnel between 2 sites. The tunnel is up and all devices on both sides can ping/access each other, except for mikrotik. I cannot ping anything on the other side of the tunnel from mikrotik. I have no problem accessing mikrotik from the other side over the tunnel.
Is there anything specific that I need to add to mikrotik so it can also access devices on the other side?
If the tunnel is plain IPSec, the usual problem is the wrong source address used by the router. When the policy is for traffic between networks A and B, it works when devices in these networks connect to each other. But when the router tries to connect to the remote network, it won’t use its local address as source, it will use its WAN address and the policy won’t match. You can srcnat the router’s own traffic to the remote subnet and change the source to the local address for which the policy exists. Or you can add another policy that includes the router’s WAN address, but sometimes it can be problematic, e.g. when it’s dynamic.
I have the below, as without it none of the devices behind mikrotik would work.
add action=accept chain=srcnat dst-address=172.17.255.0/25 log=yes src-address=192.168.101.0/24
Are you saying I need to add a specific srcnat for the router itself? I would have expected that 192.168.101.0/24 would cover it.
Your rule excludes traffic between the subnets from the main srcnat, it’s correct. But this is a different problem. Let’s say your router’s WAN address is 1.2.3.4, then it’s exactly the address that will be used as source. Neither the posted srcnat rule nor the IPSec policy will touch those packets, they will be sent to the internet.
Try this (assuming that 172.17.255.0/25 is remote network and 192.168.101.1 router’s local address):
/ip firewall nat
add action=src-nat chain=srcnat dst-address=172.17.255.0/25 src-address-type=local to-addresses=192.168.101.1
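The reason the fix works is the order of operations: for a router-originated packet, the srcnat chain runs before the IPsec policy lookup, so the policy sees the post-NAT source. The following is an added example, not RouterOS code and not from anyone in this thread. It is a small constructed model of that part of the packet flow using the addresses from the thread (1.2.3.4 as the WAN address is the illustration used above); the catch-all masquerade rule and the two host addresses 192.168.101.50 and 172.17.255.10 are assumptions for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed model (not RouterOS code): srcnat is applied first, then the IPsec
# policy selector is checked against the post-NAT source. First matching rule wins.
LAN_NET = ip_network("192.168.101.0/24")       # local subnet from the thread
REMOTE_NET = ip_network("172.17.255.0/25")     # remote subnet from the thread
ROUTER_LAN_ADDR = ip_address("192.168.101.1")  # router's LAN address from the thread
ROUTER_WAN_ADDR = ip_address("1.2.3.4")        # WAN address used as illustration in the thread
ROUTER_LOCAL_ADDRS = {ROUTER_LAN_ADDR, ROUTER_WAN_ADDR}  # what src-address-type=local matches


@dataclass(frozen=True)
class SrcNatRule:
    action: str                               # "accept", "src-nat" or "masquerade"
    dst: Optional[IPv4Network] = None         # dst-address=
    src: Optional[IPv4Network] = None         # src-address=
    src_type_local: bool = False              # src-address-type=local
    to_address: Optional[IPv4Address] = None  # to-addresses= (for src-nat)


def apply_srcnat(src: IPv4Address, dst: IPv4Address, rules: List[SrcNatRule]) -> IPv4Address:
    """Walk the srcnat chain; the first rule that matches decides the new source."""
    for r in rules:
        if r.dst is not None and dst not in r.dst:
            continue
        if r.src is not None and src not in r.src:
            continue
        if r.src_type_local and src not in ROUTER_LOCAL_ADDRS:
            continue
        if r.action == "accept":
            return src                        # leave the packet alone, stop processing
        if r.action == "src-nat":
            return r.to_address
        if r.action == "masquerade":
            return ROUTER_WAN_ADDR            # rewrite to the outgoing interface address
    return src


def ipsec_policy_matches(src: IPv4Address, dst: IPv4Address) -> bool:
    """The site-to-site policy from the thread: traffic between the two subnets."""
    return src in LAN_NET and dst in REMOTE_NET


def forward(src: IPv4Address, dst: IPv4Address, rules: List[SrcNatRule]) -> Tuple[str, IPv4Address]:
    """Return ('ipsec' | 'internet', source address the policy saw)."""
    nat_src = apply_srcnat(src, dst, rules)
    path = "ipsec" if ipsec_policy_matches(nat_src, dst) else "internet"
    return path, nat_src


# Rules as the thread describes them: the accept exception for LAN -> remote,
# followed by an assumed catch-all masquerade for internet access.
POSTED_RULES = [
    SrcNatRule("accept", dst=REMOTE_NET, src=LAN_NET),
    SrcNatRule("masquerade"),
]
# The fix from the thread. Because the first matching rule terminates the chain, it
# has to sit ahead of the catch-all masquerade; here it is placed right after the accept rule.
FIX_RULE = SrcNatRule("src-nat", dst=REMOTE_NET, src_type_local=True, to_address=ROUTER_LAN_ADDR)
FIXED_RULES = [POSTED_RULES[0], FIX_RULE, POSTED_RULES[1]]

LAN_HOST = ip_address("192.168.101.50")     # constructed host behind the router
REMOTE_HOST = ip_address("172.17.255.10")   # constructed host on the far side


def demo() -> dict:
    """Run the four cases that matter and return them for inspection."""
    results = {
        "lan_host_before": forward(LAN_HOST, REMOTE_HOST, POSTED_RULES),
        "router_before": forward(ROUTER_WAN_ADDR, REMOTE_HOST, POSTED_RULES),
        "router_after": forward(ROUTER_WAN_ADDR, REMOTE_HOST, FIXED_RULES),
        "lan_host_after": forward(LAN_HOST, REMOTE_HOST, FIXED_RULES),
    }
    for name, (path, nat_src) in results.items():
        print(f"{name:16s} -> {path:8s} (source seen by policy: {nat_src})")
    return results


if __name__ == "__main__":
    demo()
```

The model shows the two things worth checking on a real box: the LAN hosts keep working after the fix (the `src-address-type=local` match never touches them), and the router's own traffic only enters the tunnel once its source has been rewritten to 192.168.101.1. On the router itself the quickest confirmation of the diagnosis, before adding any NAT rule, is a ping with an explicit source address, e.g. `/ping 172.17.255.10 src-address=192.168.101.1` (host address assumed), which should succeed while a plain ping fails; after adding the rule, `/ip firewall nat print stats` shows its packet counters increasing.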
Thanks this did the trick.