several questions about first time configuration

Hello,

I just set up a virtual machine running RouterOS and now I am trying to configure it.
I have some basic questions, but also several problems with NAT and firewall filter rules, and I hope you have some tips and ideas for me.

I was immediately able to establish an IPsec connection to a device of another vendor. Wow, that never occurred to me before, so easy and without any complications… I can ping into the remote network and from the remote network to my network. But I noticed that “ip route print” won’t show me a route for the network I am now connected to. How can I see the routing table of my RouterOS router?

In my test setup the router is also an internet access router, so I created a NAT rule with action masquerade for the source and destination 0.0.0.0/0. Afterwards I was able to ping a host on the internet. The network I access via VPN I want to access from the network whose hosts should also be able to surf the internet (). So I created a second NAT rule with action accept for source and destination . What I now noticed is… I have to reboot to activate this rule?? I double-checked it several times now; also when I disable the “accept” rule and flush all SAs, after the IPsec connection is re-established I can still ping into the remote network. I have to reboot to really disable or enable this NAT rule. It isn’t supposed to be like that, is it? The configuration is still very basic and I didn’t play around a lot with the device, so I hope I was not yet able to “break” my configuration internally.

My next issue is with the firewall. I want hosts in to connect to hosts in , i.e. ping, but I don’t want to allow connections in the other direction. I want packets to flow from the remote LAN to my LAN, but just for connections that were initiated from my LAN. How can I accomplish that?
This is what I tried:
/ip firewall filter add action=drop chain=forward src-address=192.168.11.0/24 dst-address=192.168.12.0/24
(11.0 is , 12.0 is )
Now I no longer receive replies to my pings from . But hosts in can still ping to . So this rule led to the opposite of what I wanted, and I don’t understand why?
A basic question I have is whether there are any firewall rules/filters created automatically that I cannot see? Because I assumed that the moment I add a filter, I have to make sure I also have filters in place to still be able to connect to the router via SSH or WinBox. But not so; for my internal connections to the router, and for other VPN connections I configured, I need no filters to allow them?
How can I deny all connections and then allow just what I want?

A last question I have for now is how I can speed up the establishment of IPsec tunnels. Currently it takes about 5 seconds until a tunnel is working. Is that normal, or can I improve that?

You generally don’t have to reboot for settings to take effect. Why that NAT rule isn’t being disabled properly is hard to say - it’s probably not a bug, though. One idea would be that Linux (RouterOS is based on Linux) is stateful for NAT, and NAT is only applied (or not applied) to the first packet of a connection. The same action is then repeated for all other packets in that connection. If you keep a ping going and remove a NAT rule, that doesn’t affect the already established connection. The same MAY be true for flushing SAs.

Some processes do install extra NAT and filter rules, such as a Hotspot. You can always check via “/ip firewall filter print all” (‘all’ being the keyword) and “/ip firewall nat print all”.

That the filter rule you added broke Internet access is normal. Unlike NAT rules, filter rules are NOT stateful unless you tell them to be. You’re effectively blocking all return packets to connections your LAN hosts are establishing.

You can use a stateful rule set, an example is shown below. Just add rules above the forward drop rule to allow hosts other than those on your LAN to establish new connections (for inbound from the Internet, or the other IPsec connected network).

/ip firewall address-list
add list=ipsec-permitted address=1.1.1.1/32
/ip firewall filter
add chain=input connection-state=established action=accept
add chain=input connection-state=related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=!ether1 action=accept
add chain=input protocol=ipsec-esp src-address-list=ipsec-permitted action=accept
add chain=input protocol=udp dst-port=500,4500 src-address-list=ipsec-permitted action=accept
add chain=input action=drop
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=!ether1 action=accept
add chain=forward action=drop

It assumes that ether1 is the WAN port and that hosts behind all other ports should be allowed to establish new connections. You would also want to edit the address list to list the public IP of the other side’s IPsec router so it can establish IPsec connections to your router. The filter rules in the input chain are for traffic destined to the router (not through the router) after destination NAT. In the set above I’m assuming you’re using ESP and might be using NAT-T (udp/4500) - adjust as required.

And lastly, the other IPsec-connected network wouldn’t be in the routing table because it isn’t reached by routing. It is reached by encapsulating traffic to those private IPs in a public IP packet (source your router, destination their router). That packet is then routed by the routing table.

Hope that helps.
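As an added example (not from either post in this thread), here is how the one-way policy asked about above is expressed with stateful forward rules, assuming 192.168.11.0/24 is the local LAN, 192.168.12.0/24 is the remote LAN reached over IPsec, and these rules sit above the final forward drop of the set above:

```routeros
# Added example, not from the original thread. Assumptions:
#   192.168.11.0/24 = local LAN, 192.168.12.0/24 = remote LAN behind the IPsec tunnel
# Packets belonging to an already tracked connection are accepted first, so the
# direction checks below only ever see the FIRST packet of a connection.
/ip firewall filter
add chain=forward connection-state=established action=accept \
    comment="replies for connections that were already accepted"
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=drop
# Local LAN may open new connections (ping, ssh, ...) toward the remote LAN
add chain=forward connection-state=new src-address=192.168.11.0/24 \
    dst-address=192.168.12.0/24 action=accept \
    comment="LAN -> remote LAN, new connections only"
# Remote LAN may NOT open connections toward the local LAN; log the attempts
add chain=forward connection-state=new src-address=192.168.12.0/24 \
    dst-address=192.168.11.0/24 action=drop log=yes log-prefix="remote->lan: " \
    comment="connections initiated from the remote LAN are refused"
```

A ping started from 192.168.11.x gets its echo replies accepted by the established rule, while a ping started from 192.168.12.x hits the logged drop; “/ip firewall connection print” shows which connections the tracker currently knows about.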

This helped me, thank you!