Hello,
I have a site-to-site IPsec VPN set up and running.
The IPsec tunnel comes up and all the devices at site A can communicate with the devices at site B.
My only problem is that the router at site A can't ping any device at site B.
Here are some config bits from router A. What am I missing?
/ip firewall address-list
# Address lists referenced by the filter, NAT and raw rules below.
# IOT / CAMERA / CASA are the three local segments used by the isolation rules in the filter chain.
add address=10.1.2.0/24 list=IOT
add address=10.1.1.0/24 list=CAMERA
add address=192.168.65.0/24 list=CASA
# Public address of the remote IPsec peer (masked); the input chain only accepts IKE/NAT-T (UDP 500/4500) from this list.
add address=MASKED_ADDRESS list=host_mikrotik-GVA
# NOTE(review): the list name on the next line reads MASKED_ADDRESS - presumably a masking artefact of the post;
# this list is referenced only by a disabled drop rule in /ip firewall raw.
add address=192.168.61.0/24 list=MASKED_ADDRESS
# Filled dynamically by the detect-ddos chain (no rule in this export jumps to that chain, so they stay empty).
add list=ddos-attackers
add list=ddos-target
# Default-configuration bogon lists (RFC 6890) used by the forward and raw drop rules.
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=\
bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=\
bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=\
bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
# not_global_ipv4 is defined but no rule in this export references it.
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=\
not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4
# Resolvers the CASA segment is allowed to query directly (used by the dstnat DNS interception rule).
add address=192.168.65.41 list=SAFE_DNS_LAN
add address=192.168.65.40 list=SAFE_DNS_LAN
add address=192.168.65.1 list=SAFE_DNS_LAN
add address=192.168.65.39 list=SAFE_DNS_LAN
add address=255.255.255.255 list=BROADCAST
# Entries without an address: they only keep the two blacklist names present in the export.
# "Black List (Port Scanner WAN)" is populated dynamically by the psd rule in /ip firewall filter.
add comment="Black List (Port Scanner WAN)" list=\
"Black List (Port Scanner WAN)"
add comment="(Winbox) Black List" list="(Winbox) Black List"
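/ip firewall filter
# ---- forward: fasttrack tracked established/related flows. Tunnel LAN-to-LAN traffic is untracked
# (raw notrack rules), so it is not affected by fasttrack. ----
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
# ---- input: WAN port-scanner blacklist ----
# Fixed: this drop rule referenced src-address-list="(Port Scanner WAN) Black List", but the psd rule
# right below populates "Black List (Port Scanner WAN)" (the name declared in /ip firewall address-list),
# so the drop never matched anything. The two names now agree.
add action=drop chain=input comment=\
"(Port Scanner WAN) Block everyone in the Black List." in-interface-list=\
WAN log=yes log-prefix="KL_ (Port Scanner WAN) Black List" \
src-address-list="Black List (Port Scanner WAN)"
add action=add-src-to-address-list address-list=\
"Black List (Port Scanner WAN)" address-list-timeout=4w2d chain=input \
comment="IP addresses that scan TCP ports Scanner WAN) Adds to Blacklist a\
nd blocks for 30 days" in-interface-list=WAN log=yes log-prefix=\
" (Port Scanner WAN) is added to Blacklist" protocol=tcp psd=21,3s,3,1
# ---- detect-ddos chain. NOTE(review): no rule in this export jumps to it, so it currently has no effect. ----
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos-target \
address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attackers \
address-list-timeout=10m chain=detect-ddos
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s \
protocol=tcp tcp-flags=syn,ack
# ---- input: disabled test accepts (kept for reference) ----
add action=accept chain=input disabled=yes protocol=icmp
add action=accept chain=input disabled=yes src-address=192.168.61.0/24
add action=accept chain=input disabled=yes src-address=192.168.65.0/24
# OpenVPN (1194) is accepted from any source. IKE/NAT-T (UDP 500/4500) is accepted only from the peer
# in host_mikrotik-GVA; attempts from any other source are logged and dropped.
add action=accept chain=input dst-port=1194 protocol=tcp
add action=accept chain=input dst-port=1194 protocol=udp
add action=accept chain=input dst-port=500 protocol=udp src-address-list=\
host_mikrotik-GVA
add action=drop chain=input dst-port=500 log=yes log-prefix=\
DROP-PORTA-500-NON-DA-MASKED_ADDRESS- protocol=udp src-address-list=\
!host_mikrotik-GVA
add action=drop chain=input dst-port=4500 log=yes log-prefix=\
DROP-PORTA-4500-NON-DA-MASKED_ADDRESS- protocol=udp src-address-list=\
!host_mikrotik-GVA
add action=accept chain=input dst-port=4500 protocol=udp src-address-list=\
host_mikrotik-GVA
add action=accept chain=input disabled=yes dst-port=13231 protocol=udp \
src-address-list=host_mikrotik-GVA
# ---- forward: traffic matching an IPsec policy is accepted before the LAN isolation drops below ----
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
# ICMP to the router is accepted from every interface; rate limiting happens in the raw icmp4 chain.
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=output comment="test 2" disabled=yes ipsec-policy=\
out,ipsec protocol=icmp
add action=accept chain=input comment=test disabled=yes ipsec-policy=in,ipsec
# NOTE(review): the raw notrack rules make packets from 192.168.61.0/24 to 192.168.65.0/24 / 10.1.1.0/24
# "untracked". Anything from site B addressed to this router in those subnets therefore reaches the
# "drop invalid,untracked" input rule further down (ICMP excepted, accepted above). Enabling this rule
# is what would let site B hosts reach services on router A through the tunnel.
add action=accept chain=input comment=\
"accept connections to the box from ipsec" disabled=yes ipsec-policy=\
in,ipsec
# ---- LAN isolation: IOT and CAMERA are kept away from CASA, from each other, from the router
# (input) and, for CAMERA, from the broadcast address ----
add action=drop chain=forward comment=ISOLATION connection-state=\
invalid,related,new,untracked dst-address-list=CASA src-address-list=IOT
add action=drop chain=forward dst-address-list=CAMERA src-address-list=IOT
add action=drop chain=input dst-address-list=CASA src-address-list=IOT
add action=drop chain=input dst-address-list=CAMERA src-address-list=IOT
add action=drop chain=input dst-address-list=BROADCAST src-address-list=\
CAMERA
add action=drop chain=forward dst-address-list=BROADCAST src-address-list=\
CAMERA
add action=drop chain=forward connection-state=invalid,related,new,untracked \
dst-address-list=CASA src-address-list=CAMERA
add action=drop chain=forward dst-address-list=IOT src-address-list=CAMERA
add action=drop chain=input dst-address-list=CASA src-address-list=CAMERA
add action=drop chain=input dst-address-list=IOT src-address-list=CAMERA
# ---- default-configuration style cleanup rules ----
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# Disabled; the WAN-scoped "drop invalid,new,untracked" rule below is what currently closes the input
# chain towards the WAN.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
disabled=yes in-interface-list=!LAN
# Duplicate of the "defconf: accept ICMP" rule above; harmless.
add action=accept chain=input comment="defconf: accept ICMP after RAW" \
protocol=icmp
# No interface restriction: drops every untracked packet addressed to the router, including untracked
# tunnel traffic from site B (see the note on the disabled "accept connections to the box" rule).
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid,untracked
add action=drop chain=input connection-state=invalid,new,untracked \
in-interface-list=WAN
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
dst-address-list=no_forward_ipv4
# Duplicate of the forward "drop invalid" rule above; harmless.
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# Final accepts. For input the "untracked" part can never match: untracked packets were already
# dropped by the "drop invalid,untracked" rule above.
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked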
/ip firewall mangle
# TCP MSS clamp for tunnel traffic, one direction only: SYNs from 192.168.65.0/24 towards the remote LAN
# get MSS 1350 (presumably to keep ESP packets under the path MTU). NOTE(review): the 10.1.1.0/24 policy
# and the reverse direction have no clamp here - confirm whether the peer side (not shown) handles them.
add action=change-mss chain=forward dst-address=192.168.61.0/24 new-mss=1350 \
passthrough=yes protocol=tcp src-address=192.168.65.0/24 tcp-flags=syn
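/ip firewall nat
# IPsec policy matching happens after srcnat. Traffic the router itself originates (e.g. a ping issued
# on this router with src-address in 192.168.65.0/24 or 10.1.1.0/24) is connection-tracked (the raw
# notrack rules are prerouting-only and never see router-originated packets), so masquerade would rewrite
# its source to the WAN address before the tunnel policy is checked and the packet would leave in clear.
# LAN-to-LAN traffic escapes this only because the raw notrack rules keep it out of NAT altogether.
# This accept must stay above the masquerade rule. For the ping itself also give the router a source
# inside a policy subnet: /ping 192.168.61.x src-address=<ROUTER_A_ADDRESS_IN_192.168.65.0/24>
add action=accept chain=srcnat comment="bypass NAT for IPsec policy traffic" \
ipsec-policy=out,ipsec
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface-list=WAN
# DNS interception: UDP/53 from the CAMERA (ether3) and IOT (ether5) segments is redirected to the
# per-segment resolver (.254) unless already addressed to it. Only UDP/53 is intercepted; TCP/53 is not.
add action=dst-nat chain=dstnat comment=\
"REDIRECT DNS REQUEST FROM CAMERA IP RANGE LAN TO SAFE DNS" dst-address=\
!10.1.1.254 dst-port=53 in-interface=ether3 log-prefix=\
INTERCEPTED_DNS_ON_CAMERA_LAN protocol=udp src-address=10.1.1.0/24 \
to-addresses=10.1.1.254 to-ports=53
add action=dst-nat chain=dstnat comment=\
"REDIRECT DNS REQUEST FROM IOT IP RANGE LAN TO SAFE DNS" dst-address=\
!10.1.2.254 dst-port=53 in-interface=ether5 log-prefix=\
INTERCEPTED_DNS_ON_IOT_LAN protocol=udp src-address=10.1.2.0/24 \
to-addresses=10.1.2.254 to-ports=53
# CASA segment (ether4): redirected to 192.168.65.41 unless the destination is already in SAFE_DNS_LAN
# or the query comes from 192.168.65.39 (exempted so that host can reach upstream resolvers directly).
add action=dst-nat chain=dstnat comment=\
"REDIRECT DNS REQUEST FROM CASA SICURA IP RANGE LAN TO SAFE DNS" \
dst-address-list=!SAFE_DNS_LAN dst-port=53 in-interface=ether4 \
log-prefix=INTERCEPTED_DNS_ON_CASA_SICURA_LAN protocol=udp src-address=\
!192.168.65.39 to-addresses=192.168.65.41 to-ports=53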
/ip firewall raw
# notrack pairs for the two IPsec selectors (192.168.65.0/24 and 10.1.1.0/24 <-> 192.168.61.0/24):
# tunnel traffic bypasses connection tracking and therefore also fasttrack and srcnat masquerade,
# which is why LAN-to-LAN traffic works without an explicit NAT bypass. These rules are prerouting-only:
# packets the router itself originates never traverse prerouting, so they stay tracked and NATed
# (raw also has an output chain if router-originated tunnel traffic should be untracked as well).
add action=notrack chain=prerouting dst-address=192.168.65.0/24 src-address=\
192.168.61.0/24
add action=notrack chain=prerouting dst-address=192.168.61.0/24 src-address=\
192.168.65.0/24
add action=notrack chain=prerouting dst-address=10.1.1.0/24 src-address=\
192.168.61.0/24
add action=notrack chain=prerouting dst-address=192.168.61.0/24 src-address=\
10.1.1.0/24
# Drops pairs recorded by the detect-ddos chain; nothing in this export jumps to that chain.
add action=drop chain=prerouting dst-address-list=ddos-target \
src-address-list=ddos-attackers
add action=accept chain=prerouting comment=\
"defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: accept DHCP discover" \
dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=\
udp src-address=0.0.0.0 src-port=68
# NOTE(review): accepts UDP/53 from any interface (WAN included) ahead of the bogon-source drops below,
# so DNS packets with a bogon source skip those checks here; the filter input chain still decides whether
# the router answers them. Adding in-interface-list=LAN would be tighter if WAN-side DNS is not needed.
add action=accept chain=prerouting comment="ACCEPT DNS QUERIES" dst-port=53 \
protocol=udp
# Disabled for VRRP per the (Italian) comment, which also notes the rule is active at the other site.
add action=drop chain=prerouting comment="defconf: drop bogon IP's -DISATTIVAT\
A PER VRRP (A MASKED_ADDRESS \E9 ATTIVA E TUTTO FUNZIONA)" disabled=yes \
dst-address-list=bad_dst_ipv4 log=yes
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 \
protocol=udp
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" \
jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" \
jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment=\
"defconf: accept everything else from LAN" in-interface-list=LAN
# (Italian comment: "added to allow return traffic to OpenVPN clients") - accepts all-ppp traffic in raw;
# the filter chains still apply to it.
add action=accept chain=prerouting comment=\
"AGGIUNTA VANNI PER CONSENTIRE TRAFFICO DI RITORNO AI CLIENT OPENVPN" \
in-interface=all-ppp
# Disabled drop keyed on the MASKED_ADDRESS list; the (Italian) comment says enabling it breaks WireGuard.
add action=drop chain=prerouting comment="SE ATTIVI NON VA WIREGUARD" \
disabled=yes src-address-list=MASKED_ADDRESS
# bad_tcp chain: only the "no flags set" filter and the port-0 drop are active; the other flag
# combinations are present but disabled.
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp \
tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf disabled=yes protocol=tcp \
tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf disabled=yes protocol=tcp \
tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf disabled=yes protocol=tcp \
tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf disabled=yes protocol=tcp \
tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf disabled=yes protocol=tcp \
tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf disabled=yes protocol=tcp \
tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 \
protocol=tcp
# Bogon source/destination drops; LAN traffic was already accepted above, so these act on the WAN side.
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
src-address-list=bad_src_ipv4
# icmp4 chain: accept the common ICMP types (echo request/reply rate-limited), drop everything else.
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 \
limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: net unreachable" \
icmp-options=3:0 protocol=icmp
add action=accept chain=icmp4 comment="defconf: host unreachable" \
icmp-options=3:1 protocol=icmp
add action=accept chain=icmp4 comment="defconf: protocol unreachable" \
icmp-options=3:2 protocol=icmp
add action=accept chain=icmp4 comment="defconf: port unreachable" \
icmp-options=3:3 protocol=icmp
add action=accept chain=icmp4 comment="defconf: fragmentation needed" \
icmp-options=3:4 protocol=icmp
add action=accept chain=icmp4 comment="defconf: echo" icmp-options=8:0 limit=\
5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: time exceeded " icmp-options=\
11:0-255 protocol=icmp
add action=drop chain=icmp4 comment="defconf: drop other icmp" dst-limit=\
10,50,dst-address/1m40s limit=10,50:packet protocol=icmp psd=21,3s,3,1 \
time=0s-1d,sun,mon,tue,wed,thu,fri,sat
add action=accept chain=prerouting comment=\
"defconf: accept everything else from WAN" in-interface-list=WAN
/ip firewall service-port
# All connection-tracking helpers (ALGs) disabled. These parse application payloads to open related
# connections; keeping them off reduces the attack surface. Re-enable one only if a protocol needs it.
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec identity
# Identity for the site-to-site peer: FQDN IDs on both sides (peer name and remote FQDN masked).
# The authentication method and credentials are not part of this excerpt and cannot be reviewed here.
add my-id=fqdn:firenze.loseyourip.com peer="MASKED_ADDRESS MASKED_ADDRESS" \
remote-id=fqdn:MASKED_ADDRESS
/ip ipsec policy
# Default policy kept but disabled.
set 0 comment="DEFAULT DISABLED" disabled=yes dst-address=192.168.88.0/24 \
src-address=192.168.80.0/24
# Only these two source subnets are selected into the tunnel. A ping issued on the router itself uses the
# source address picked by the default route (presumably a WAN-side address, not in either subnet) unless
# told otherwise, so it matches no policy and leaves in clear via the WAN gateway. Use
# /ping 192.168.61.x src-address=<ROUTER_A_ADDRESS_IN_192.168.65.0/24>. With masquerade active in srcnat
# the source would still be rewritten before the policy is checked unless srcnat accepts
# ipsec-policy=out,ipsec traffic ahead of the masquerade rule.
add dst-address=192.168.61.0/24 peer="MASKED_ADDRESS MASKED_ADDRESS" src-address=\
192.168.65.0/24 tunnel=yes
# 10.1.2.0/24 (IOT) has no policy and is therefore not reachable through the tunnel - presumably intended.
add dst-address=192.168.61.0/24 peer="MASKED_ADDRESS MASKED_ADDRESS" src-address=\
10.1.1.0/24 tunnel=yes
/ip route
# Two default routes at distance 1 via different gateways (192.168.1.1 and 192.168.0.254);
# check-gateway=arp deactivates a route whose gateway stops answering ARP.
# NOTE(review): with equal distance both are active at once - confirm that is intended rather than a
# primary/backup setup (which would need different distances).
add check-gateway=arp disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
192.168.1.1 pref-src=0.0.0.0 routing-table=main suppress-hw-offload=no
add check-gateway=arp disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
192.168.0.254 pref-src=0.0.0.0 routing-table=main scope=10 \
suppress-hw-offload=no
# Host route to 8.8.8.8 tied to ether2 (distance 20); presumably a reachability-probe route for the
# second uplink - confirm.
add check-gateway=arp disabled=no distance=20 dst-address=8.8.8.8/32 gateway=\
192.168.0.254 pref-src=0.0.0.0 routing-table=main scope=1 \
suppress-hw-offload=no vrf-interface=ether2
# Disabled static route for the remote LAN via 172.16.16.2. The IPsec policies carry 192.168.61.0/24 in
# tunnel mode, so this looks like a leftover of an earlier setup; leave it disabled.
add disabled=yes distance=20 dst-address=192.168.61.0/24 gateway=172.16.16.2 \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
Many thanks for your help.
Best regards