Hello everyone!
I have a router serving a branch office. All the forward traffic from LAN is being encrypted with IPsec and sent to the HQ. Mikrotik’s outside interface is connected to the ISP modem and receives an IP-address via DHCP. At this moment the IPsec tunnel is working fine, LAN devices are reaching HQ devices, and vice versa.
The problem is the NTP sync. I want to sync my Mikrotik to the NTP server from the HQ network. But output traffic is not matching the IPsec policy, which catches all traffic from LAN to 0.0.0.0. If I configure one more policy to catch traffic from the outside interface, NTP sync works fine. But I don’t want to set up an IPsec tunnel for NTP only.
My second choice was to use SRC-NAT. I have a mangle rule to mark NTP requests with a connection mark. And I have an SRC-NAT rule to substitute the source address (outside interface IP) with LAN bridge IP. Both rules have logging enabled and I see them being applied each time Mikrotik sends an NTP request. Still, the time is not correct. None of my firewall rules blocks the NTP responses. The torch tool shows me a connection from NTP to LAN bridge IP. With nothing happening elsewhere.
As I can see from the torch, output NTP traffic passes SRC-NAT, matches IPsec policy, and passes to HQ. The issue is to utilize the response.
So the NTP server is in the HQ network? Consider making a routing rule for the HQ network in Mikrotik. Let's say the HQ LAN is 192.168.16.0/24, so you have to make a route for 192.168.16.0/24 with the gateway set to the LAN interface of the branch Mikrotik.
A route is a good idea, but the important part is to set pref-src=<router’s address covered by policy>, and the gateway can be anything, because it won’t actually be used anyway (info).
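The route-based fix described in the two replies above, written out as an added RouterOS configuration example (it is not from any of the posters). The addresses, interface names, peer name and the HQ NTP server address are assumptions constructed for the example:

```routeros
# Assumed topology (constructed for this example):
#   branch LAN bridge:  bridge-lan, 192.168.88.1/24
#   branch WAN:         ether1 (DHCP client, address changes)
#   HQ LAN:             192.168.16.0/24, NTP server 192.168.16.10
#   IPsec peer:         hq-peer (already configured and established)

# Existing policy (RouterOS 7 syntax): everything from the branch LAN to
# anywhere is encrypted. Packets the router itself originates are sourced
# from the WAN address, so they never match this selector and the NTP
# request is sent outside the tunnel.
/ip ipsec policy
add peer=hq-peer tunnel=yes src-address=192.168.88.0/24 dst-address=0.0.0.0/0 \
    proposal=default

# Fix: a route for the HQ prefix whose pref-src is an address covered by the
# policy. The gateway only has to make the route active; once the packet is
# sourced from 192.168.88.1 the IPsec policy catches it, and the reply comes
# back through the tunnel to that same address without any NAT.
/ip route
add dst-address=192.168.16.0/24 gateway=bridge-lan pref-src=192.168.88.1 \
    comment="source HQ-bound router traffic from the LAN address"

# Point the NTP client at the HQ server.
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.16.10

# Verify: the route lookup should report the bridge address as the preferred
# source, the policy counters should increase on each poll, and the NTP
# client should reach status "synchronized".
/ip route check 192.168.16.10
/ip ipsec policy print stats
/system ntp client print
```

If the policy counters stay at zero, the route is not the one being used; check that no more specific route or routing rule overrides the pref-src.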
It finally worked out. Thanks, everyone!
The funny thing is I haven’t added anything else. I rebooted my router, then established an IPsec tunnel. Now with just Mangle rule and SRC-NAT the router sends and receives NTP packets with the LAN bridge IP. Idk how it happened, it wasn’t the first reboot since the issue occurred.