Hello all,
Where can I check if a configuration in my Mikrotik router running 6.49.10 is preventing IPSec connections on the WAN interface? My Android will connect to the Mikrotik when connected to the LAN, but when I disable wifi on my phone the Mikrotik does not show traffic in Torch when checking traffic coming from my phone’s WAN IP. Phone is set to use the dynamic DNS hostname available under IP → Cloud.
Inbound connections for passing through SSH and HTTP/HTTPS to a Raspberry Pi work fine so not sure if ISP is blocking inbound IPSec ports or something I did in the configuration.
I do have 2 firewall rules in place allowing UDP 500 and 4500 on the WAN interface.
# jan/29/2024 19:23:52 by RouterOS 6.49.10
# software id = KHHU-L60U
#
# model = RB750Gr3
/interface bridge
add admin-mac=DC:2C:6E:7B:1D:1B auto-mac=no comment=defconf fast-forward=no \
name=Bridge-LAN protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] disabled=yes
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] comment=LAN
set [ find default-name=ether5 ] comment="WAN"
/interface vlan
add interface=Bridge-LAN name="VLAN 10-Trusted" vlan-id=10
add interface=Bridge-LAN name="VLAN 20-Untrusted" vlan-id=20
add interface=Bridge-LAN name="VLAN 30-Guest" vlan-id=30
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec peer
add exchange-mode=ike2 name=default-Peer passive=yes send-initial-contact=no
/ip ipsec policy group
set [ find default=yes ] name=default-Group
/ip ipsec profile
set [ find default=yes ] dpd-interval=30s dpd-maximum-failures=2 \
enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=1h name=\
default-Profile proposal-check=claim
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
pfs-group=modp4096
/ip pool
add name="VLAN 10-Pool" ranges=172.16.1.100-172.16.1.150
add name="VLAN 20-Pool" ranges=172.16.20.2-172.16.20.50
add name="VLAN 30-Pool" ranges=172.16.30.2-172.16.30.50
add name="VPN Pool" ranges=172.16.0.2-172.16.0.10
/ip dhcp-server
add address-pool="VLAN 10-Pool" disabled=no interface="VLAN 10-Trusted" \
lease-time=1w name="VLAN 10-DHCP"
add address-pool="VLAN 20-Pool" disabled=no interface="VLAN 20-Untrusted" \
lease-time=8h name="VLAN 20-DHCP"
add address-pool="VLAN 30-Pool" disabled=no interface="VLAN 30-Guest" \
lease-time=30s name="VLAN 30-DHCP"
/ip ipsec mode-config
add address-pool="VPN Pool" name=default
/user group
add name=Dude_Group policy="local,telnet,ssh,ftp,reboot,read,write,policy,test\
,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=Bridge-LAN frame-types=admit-only-vlan-tagged ingress-filtering=\
yes interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=Bridge-LAN comment=Trusted tagged=Bridge-LAN,ether4 vlan-ids=10
add bridge=Bridge-LAN comment=Untrusted tagged=Bridge-LAN,ether4 vlan-ids=20
add bridge=Bridge-LAN comment=Guests tagged=Bridge-LAN,ether4 vlan-ids=30
/interface l2tp-server server
set use-ipsec=required
/interface list member
add comment=defconf interface=Bridge-LAN list=LAN
add interface=ether5 list=WAN
/ip address
add address=172.16.1.1/24 comment="vlan 1 - Trusted" interface=\
"VLAN 10-Trusted" network=172.16.1.0
add address=172.16.20.1/24 comment="VLAN 20 - Untrusted" interface=\
"VLAN 20-Untrusted" network=172.16.20.0
add address=172.16.30.1/24 comment="VLAN 30 - Guest" interface=\
"VLAN 30-Guest" network=172.16.30.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1h update-time=no
/ip dhcp-client
add default-route-distance=5 disabled=no interface=ether5 use-peer-dns=no
/ip dhcp-server network
add address=172.16.1.0/24 comment="Bridge-LAN DHCP Settings" dns-server=\
172.16.1.1 domain=net.local gateway=172.16.1.1 netmask=24
add address=172.16.20.0/24 comment="Untrusted DHCP" dns-server=172.16.20.1 \
domain=net.untrusted gateway=172.16.20.1
add address=172.16.30.0/24 comment="Guest DHCP" dns-server=172.16.30.1 \
domain=net.guest gateway=172.16.30.1
/ip dns
set allow-remote-requests=yes cache-max-ttl=1h servers=\
208.67.222.222,208.67.220.220
/ip firewall filter
add action=fasttrack-connection chain=forward comment="ALLOW: FastTrack" \
connection-state=established,related
add action=accept chain=forward comment="ALLOW: Any Out" connection-state=\
established,related
add action=accept chain=input comment="Management traffic to router" \
src-address=172.16.0.0/16
add action=accept chain=input comment="ALLOW: WAN to RTR:DNS" \
connection-state=established,related in-interface-list=WAN protocol=udp \
src-port=53
add action=accept chain=output comment="Outbound from Router" \
connection-state=established,related,new,untracked out-interface=ether5
add action=accept chain=input comment="Accept ICMP" disabled=yes \
in-interface-list=LAN protocol=icmp
add action=accept chain=forward connection-state=new disabled=yes \
in-interface=Bridge-LAN out-interface=ether5
add action=accept chain=input dst-port=500 log=yes log-prefix="ipsec 500 " \
protocol=udp
add action=accept chain=input dst-port=4500 log=yes log-prefix="ipsec 4500 " \
protocol=udp
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=drop chain=input comment="DROP: WAN to LAN:Any" connection-state=\
invalid,new,untracked in-interface-list=WAN
add action=accept chain=input comment="Temp - WinBox" disabled=yes \
src-address=172.16.1.0/24
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="Default MASQ" out-interface=\
ether5
add action=dst-nat chain=dstnat comment="DNS NAT" dst-address=!172.16.1.1 \
dst-port=53 protocol=udp src-address=!172.16.1.21 to-addresses=172.16.1.1
add action=dst-nat chain=dstnat comment="HTTPS In (443) - Raspberry Pi" \
dst-port=443 in-interface-list=WAN protocol=tcp to-addresses=172.16.1.12 \
to-ports=443
add action=dst-nat chain=dstnat comment="HTTP In (80) - Raspberry Pi" \
dst-port=80 in-interface-list=WAN protocol=tcp to-addresses=172.16.1.12 \
to-ports=80
add action=dst-nat chain=dstnat comment="SSH In (22) - Raspberry Pi" \
dst-port=1222 in-interface-list=WAN log=yes log-prefix="SSH IN - " \
protocol=tcp to-addresses=172.16.1.12 to-ports=22
/ip firewall service-port
set sip disabled=yes
/ip hotspot service-port
set ftp disabled=yes
/ip ipsec identity
add generate-policy=port-strict mode-config=default my-id=\
fqdn:x.sn.mynetname.net notrack-chain=prerouting peer=\
default-Peer
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip ipsec settings
set accounting=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=172.16.0.0/16
set ssh address=172.16.0.0/16
set api disabled=yes
set winbox address=172.16.0.0/16
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ppp profile
set *0 local-address=172.16.0.1 remote-address=*4
/radius
add address=172.16.1.4 service=hotspot,wireless,ipsec
/snmp
set contact="x" enabled=yes location=Home trap-generators=\
interfaces trap-interfaces=ether1,Bridge-LAN
/system clock
set time-zone-name=America/New_York
/system identity
set name=router.net.local
/system logging
add disabled=yes prefix="ipsec " topics=ipsec,!debug
/system ntp client
set enabled=yes server-dns-names=0.us.pool.ntp.org,1.us.pool.ntp.org
/system package update
set channel=long-term
/tool bandwidth-server
set enabled=no
/tool graphing interface
add interface=Bridge-LAN
add interface=ether5
/tool graphing resource
add store-on-disk=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no
/tool sniffer
set filter-direction=rx filter-interface=ether5 filter-port=4500
/tool traffic-monitor
add interface=ether1 name=WAN traffic=received
You need to fix the sequence of firewall rules because it is not really correct. Also, the final firewall rules are not correct The rules are enforced from top to bottom. First Input, only then forward, not all in one mixed batch. https://www.google.com/imgres?imgurl=https%3A%2F%2Fpacketmasters.files.wordpress.com%2F2016%2F04%2Ftype_chain.jpg%3Fw%3D700&tbnid=-7YAIk_2msAvoM&vet=12ahUKEwis4O71-4SEAxWFJhAIHUCEBdgQMygKegQIARBf..i&imgrefurl=https%3A%2F%2Fpacketmasters.wordpress.com%2F2016%2F04%2F16%2Fmikrotik-firewall%2F&docid=RCk7OuN3COKVhM&w=515&h=163&q=mikrotik%20input%20and%20forward&ved=2ahUKEwis4O71-4SEAxWFJhAIHUCEBdgQMygKegQIARBf
In your case, the optimal could be as follows -
/interface list member
add comment=interface=bridge list=LAN
add comment=interface=ether1 list=WAN ;(your interface)
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment=L2TP dst-port=500,1701,4500 protocol=udp
add action=accept chain=input comment="IKE IPSec" protocol=ipsec-esp
add action=accept chain=input src-address-list=172.16.0.0/16 comment="Config Access"
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="fasttrack" connection-state=established,related
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow dst-nat from both WAN and LAN" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
Thank you for your comment, I created a few more rules to better identify traffic passing through, and re-sorted the rules so that the input rules are first, followed by forward, then output, and my drop rules last. No difference on the VPN connection failing when not on wifi. Also made an “allow any” rule and moved it above the drop rules but the connection is not successful from phone to Mikrotik so I believe the issue may be with my ISP blocking inbound IPsec connections. Any counter thoughts/ideas?
first check if ports 500, 4500 and 1701 are open. Maybe they are really blocked by the ISP.
https://www.youtube.com/watch?v=A6MpmV2J1ME
