My network has 2 MikroTik roof mounted 4G routers as the WAN with a PFSense firewall handling the internal traffic. I’m trying to get the syslogs from the MikroTik routers back to the Splunk server inside my network. I can see how to configure Splunk and tell the MikroTiks to send the data but I cannot work out how to route the internal address on the MikroTik routers. Whenever I do a traceroute the traffic is sent out of the LTE network, not routed internally.
MikroTik Vodafone - 192.168.88.1 - connects to PFSense on 192.168.88.252 (MikroTik DHCP)
MikroTik Three - 192.168.2.1 - connects to PFSense on 192.168.2.252 (MikroTik DHCP)
PFSense
WANVODAFONE - 192.168.88.252
WANTHREE - 192.168.2.252
LAN - 192.168.111.1
Splunk server - 192.168.111.108 (DHCP from PFSense)
Very much a newbie question. Can someone point me at the documentation for how to route the syslog traffic from the MikroTiks back to the Splunk server? I have done extensive searching but am obviously failing at Google
Presumably you just need to set a static route on each of the MikroTiks to tell them to send traffic for 192.168.111.0/24 (I presume, seeing as you haven’t given any details of the subnet masks) to the PFSense device. At the moment the default route on them is sending out on the LTE because they have no knowledge of where else to send the traffic.
This is the correct solution, and if you want to do this simply, you could try the following:
On the Vodafone Mikrotik, and assuming your LAN subnet is a /24:
You may also have to add a firewall rule (ip/firewall/filter) on the output chain to allow traffic to that Splunk IP through whatever interface is connected to your pfsense box, and allow the traffic through the pfsense box by altering its firewall forwarding chain if required.
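The route, logging action and output-chain rule the two replies above describe, written out as one RouterOS CLI sequence per router. This is an added example, not the code from either reply. It assumes the LAN is 192.168.111.0/24 (as the first reply presumed), that Splunk's syslog input listens on UDP 514 (an assumption; match it to the input you created), and that the MikroTik-side addresses are the ones listed in the question.

```routeros
# Added example, not from the original thread. Assumes RouterOS CLI, a /24 LAN
# behind pfSense, and a Splunk UDP syslog input on port 514 (assumed port).

# --- Vodafone MikroTik (192.168.88.1; pfSense is 192.168.88.252 on this side) ---

# 1. Static route. Without it 192.168.111.0/24 matches only the LTE default route,
#    which is why the traceroute leaves via the mobile network.
/ip route add dst-address=192.168.111.0/24 gateway=192.168.88.252 comment="LAN behind pfSense"

# 2. Remote logging action plus the topics to ship. src-address pins the sender to
#    the LAN-facing address so pfSense sees a predictable source to write a rule for.
/system logging action add name=splunk target=remote remote=192.168.111.108 remote-port=514 src-address=192.168.88.1
/system logging add topics=info action=splunk
/system logging add topics=warning action=splunk
/system logging add topics=error action=splunk

# 3. Output-chain accept, placed first so no later drop rule on the chain catches it.
/ip firewall filter add chain=output dst-address=192.168.111.108 protocol=udp dst-port=514 action=accept place-before=0 comment="syslog to Splunk"

# 4. Checks. The route must show 192.168.88.252 as gateway, the traceroute's first
#    hop must be the pfSense address, and the rule counter must climb as logs fire.
/ip route print where dst-address=192.168.111.0/24
/tool traceroute 192.168.111.108
/ip firewall filter print stats where comment="syslog to Splunk"

# --- Three MikroTik (192.168.2.1; pfSense is 192.168.2.252 on this side) ---
# Identical apart from the gateway and source address.
/ip route add dst-address=192.168.111.0/24 gateway=192.168.2.252 comment="LAN behind pfSense"
/system logging action add name=splunk target=remote remote=192.168.111.108 remote-port=514 src-address=192.168.2.1
/system logging add topics=info action=splunk
/system logging add topics=warning action=splunk
/system logging add topics=error action=splunk
/ip firewall filter add chain=output dst-address=192.168.111.108 protocol=udp dst-port=514 action=accept place-before=0 comment="syslog to Splunk"
```

Two things on the pfSense side are easy to miss. WAN-type interfaces in pfSense have "Block private networks and loopback addresses" enabled by default, and that rule is evaluated before anything on the interface's rules tab, so syslog from 192.168.88.1 or 192.168.2.1 is dropped silently until that option is unchecked on WANVODAFONE and WANTHREE. After that, add a pass rule on each of those tabs for UDP from the router's address to 192.168.111.108 port 514, and confirm arrival with Diagnostics > Packet Capture on the LAN interface filtered on UDP 514. Finally, the static routes above point at addresses that pfSense received from the MikroTik DHCP servers; make those leases static on each MikroTik (or give the pfSense WAN interfaces fixed addresses) so a renewed lease does not quietly invalidate the gateway.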