Could you help me translate IP ROUTE from ROS6 to ROS7?
When I use only IP Route in version 7, I have a problem with access to this network.
My configuration on ROS6 was always working. Both locations connect to the same site-to-site address 192.168.0.0/24, but the problem occurs only in ROS7.
/ip route
add distance=1 gateway=11.11.11.11
add distance=1 dst-address=192.168.0.0/24 gateway=bridge1
/ip route> print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
        DST-ADDRESS        PREF-SRC        GATEWAY        DISTANCE
 0 A S  0.0.0.0/0                          11.11.11.11           1
 1 ADC  80.50.125.44/30    11.11.11.11     WAN                   0
 2 A S  192.168.0.0/24                     bridge1               1
 3 ADC  192.168.10.0/24    192.168.10.1    bridge1               0
My configuration on version ROS7:
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=22.22.22.22 \
    pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add distance=1 dst-address=192.168.0.0/24 gateway=LAN pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
Both routers have an IP route added to location 192.168.0.0/24, but the problem occurs on ROS7: when I enable this route, I have a problem with the IPsec connection to this location.
In the first location I have IP address 192.168.1.0/24, and in the second location I have 192.168.2.0/24. Both sites have different WAN IPs. Both routers have 2 IP addresses added in the configuration (WAN and LAN).
For this routing, do I need to create another address in IP ADDRESS for these connections, or do I need to type a gateway, or something else?
For that you normally do not have to add any route. Your default route will be sufficient. There only has to exist “a” route to the destination for ipsec site to site to work, it does not even have to point the correct way.
I don’t use Mangle, I use only IP Route and IP IPSec.
In your opinion, should I delete all routes that are AS and leave only the default DAC?
What do you mean by "there only has to exist “a” route to the destination for ipsec site to site to work, it does not even have to point the correct way"?
Should I have only the IPsec site-to-site configuration, and that should be all?
Yes, it should be enough to define a policy and peer. As long as there is “some” route to the remote network, ipsec will pick up the traffic and send it according to policy.
(not that I would do that… I would define a GRE/IPsec tunnel and assign an IP to each endpoint and route the traffic over that. Less firewall/NAT trouble that way)
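
The setup the replies describe (a peer and a policy, with no static route for the remote LAN), as an added RouterOS 7 example that is not from any poster in this thread. It is written for the 192.168.1.0/24 site; the peer address 203.0.113.2, the name site2 and the secret are placeholders, and the default IPsec profile and proposal are assumed.

```routeros
# Added example for the 192.168.1.0/24 router. The 192.168.2.0/24 router
# mirrors it with the subnets swapped and this router's WAN IP as peer address.
# 203.0.113.2, "site2" and the secret are placeholders, not values from the thread.

/ip ipsec peer
add name=site2 address=203.0.113.2/32 exchange-mode=ike2

/ip ipsec identity
add peer=site2 auth-method=pre-shared-key \
    secret="REPLACE-WITH-LONG-RANDOM-SECRET"

# The policy selects the traffic: anything from the local LAN to the remote
# LAN is encrypted and tunnelled to the peer. The routing lookup only has to
# succeed, so the existing default route is enough.
/ip ipsec policy
add peer=site2 tunnel=yes action=encrypt \
    src-address=192.168.1.0/24 dst-address=192.168.2.0/24

# Exempt the site-to-site traffic from source NAT, otherwise a masquerade
# rule rewrites the source address and the packet no longer matches the
# policy. place-before=0 assumes at least one NAT rule already exists;
# omit it on an empty NAT table.
/ip firewall nat
add chain=srcnat action=accept place-before=0 \
    src-address=192.168.1.0/24 dst-address=192.168.2.0/24

# No "/ip route add dst-address=<remote LAN> gateway=<LAN bridge>" entry
# is added for the remote network.

# Checks after both sides are configured:
/ip ipsec active-peers print
/ip ipsec installed-sa print
/ip ipsec policy print
```

An established peer and a pair of installed SAs whose byte counters grow while pinging a host in the remote LAN confirm that the policy, not a static route, is carrying the traffic.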