VPN site-to-site design/firewall issues

Hi there!

I am stuck with my MikroTik VPN lab for weeks and really need your help to figure out which solution would be the best to achieve my goals.
Unfortunately I never had professional training in network design/architecture, but I tried as best as I can to gather information about standards and best practices.

Hardware: 1x mAP 2n, 1x mAP lite, 2x RB2011
Software: v6.38
Goal: Connect multiple sites with multiple VLANs and do firewalling in between. The network should be easily scalable.
Proposed Setup: (attachment: Design.PNG)
All hosts on the same Network e.g. NET1 should be able to communicate among each other without limitation, even across sites.

Initially I bridged the sites including VLANs over EoIP, but if the WAN link goes down, DHCP servers etc. aren't reachable anymore.
After this painful experience, one subnet per VLAN on each site seemed to be the best solution.

I set up IPsec between Site A and Site B but ran into an issue with firewalling:
Address lists are used
Firewall filters are identical on both MTs
Stateful inspection rules (forward & input) are enabled
Allow NET1 (Site A) to access a host on NET2 (Site B)

A ping from host 10.1.1.98 (Site A) arrives at host 10.2.2.99 (Site B), but the reply then gets dropped in the "drop all" rule on Site B.

Shouldn’t this be “related” traffic and therefore allowed? What am I doing wrong or is related/established traffic not possible with IPsec?
I tried several combinations and configurations of the filter rules, browsed this forum for days but couldn’t find anything in particular.

Is this problem “by design” or did I get something wrong and should stick to other tunnels like EoIP, IPIP or GRE over IPsec?

I would be really, really glad if somebody can give me a hint. Thank you in advance!!

Best regards,
mike

Config (same on both sites, except IPsec peer and policy IPs are exchanged):

/ip firewall address-list
add address=123.123.123.1 list=list_IPSEC
add address=123.123.123.2 list=list_IPSEC
add address=10.1.1.0/24 list=list_NET1
add address=10.2.1.0/24 list=list_NET1
add address=10.1.2.0/24 list=list_NET2
add address=10.2.2.0/24 list=list_NET2
add address=10.1.3.0/24 list=list_NET3
add address=10.2.3.0/24 list=list_NET3
add address=10.1.0.0/16 list=list_NETWORKS
add address=10.2.0.0/16 list=list_NETWORKS

/ip firewall filter
add action=drop chain=input comment="Drop invalid connections input" connection-state=invalid
add action=accept chain=input comment="Stateful Inspection input" connection-state=established,related
add action=accept chain=input comment="IPsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="IPsec UDP" dst-port=500 protocol=udp src-port=500
add action=accept chain=input comment="Winbox" dst-port=8291 protocol=tcp
add action=drop chain=input comment="Drop rest input"
add action=accept chain=output comment="IPsec output" protocol=ipsec-esp
add action=drop chain=forward comment="Drop invalid connections forward" connection-state=invalid disabled=yes log=yes
add action=accept chain=forward comment="Stateful Inspection forward" connection-state=established,related
add action=accept chain=forward comment="NET1 <-> NET1" dst-address-list=list_NET1 src-address-list=list_NET1
add action=accept chain=forward comment="NET2 <-> NET2" dst-address-list=list_NET2 src-address-list=list_NET2
add action=accept chain=forward comment="NET3 <-> NET3" dst-address-list=list_NET3 src-address-list=list_NET3
add action=accept chain=forward comment="NET1 -> HOST1" dst-address=10.2.2.99 src-address-list=list_NET1
add action=drop chain=forward comment="Drop rest forward" log=yes log-prefix=drop

/ip firewall nat
add action=accept chain=srcnat comment="IPsec NAT" dst-address-list=list_NETWORKS src-address-list=list_NETWORKS
add action=masquerade chain=srcnat comment="Internet ALL" out-interface=wifi01-WAN

/ip firewall raw
add action=notrack chain=prerouting comment="IPsec SITEB no FT" dst-address=10.2.0.0/16 src-address=10.1.0.0/16

/ip ipsec proposal
add auth-algorithms=sha512 enc-algorithms=aes-256-cbc name=prop1_SITEA-SITEB pfs-group=modp1024

/ip ipsec peer
add address=123.123.123.2/32 dh-group=modp1024 enc-algorithm=aes-256 exchange-mode=ike2 hash-algorithm=sha512 local-address=123.123.123.1 secret=0123456789

/ip ipsec policy
add dst-address=10.2.0.0/16 proposal=prop1_SITEA-SITEB sa-dst-address=123.123.123.2 sa-src-address=123.123.123.1 src-address=10.1.0.0/16 tunnel=yes
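Added example and diagnosis (not part of mike's post): the behaviour described above is explained by the /ip firewall raw rule with action=notrack. A packet matched by notrack bypasses connection tracking completely, so the echo request 10.1.1.98 -> 10.2.2.99 creates no tracking entry on either router. The request itself is still accepted by the static "NET1 -> HOST1" rule, but the echo reply 10.2.2.99 -> 10.1.1.98 is the reverse direction: it is not covered by the notrack rule, there is no entry to make it "established", and no forward rule allows list_NET2 -> list_NET1, so it falls through to "Drop rest forward". This is not an IPsec limitation; established/related works fine over IPsec policies as long as the tunnelled traffic stays tracked. The comment "no FT" suggests the rule was meant to keep tunnel traffic out of fasttrack, but notrack does far more than that (and this configuration has no fasttrack rule anyway). The RouterOS commands below reuse the address lists, comments and interface name from the posted config; the hardening rule in step 3 is an assumption about the intended design (only IPsec-protected traffic between the 10.x sites should be allowed), not something the post asks for.

```routeros
# Added example, not from the original post. Run on both routers.

# 1. Diagnose: while 10.1.1.98 is pinging 10.2.2.99, this prints nothing as long
#    as the notrack rule is active, because no tracking entry is ever created.
/ip firewall connection print where dst-address~"10.2.2.99"

# 2. The cause: action=notrack removes the packets from connection tracking, so the
#    reply can never match connection-state=established,related.
#    Remove the raw rule (disable [find ...] works too if you want to keep it).
/ip firewall raw remove [find comment="IPsec SITEB no FT"]

# 3. Assumed hardening: the NET rules match on addresses only, so a plaintext packet
#    arriving on the WAN with a 10.x source would also match them. Drop inter-site
#    traffic that did not come out of an IPsec policy (ipsec-policy=in,none).
/ip firewall filter add action=drop chain=forward comment="Drop plaintext inter-site" \
    src-address-list=list_NETWORKS dst-address-list=list_NETWORKS \
    in-interface=wifi01-WAN ipsec-policy=in,none \
    place-before=[find comment="NET1 <-> NET1"]

# 4. Verify: the connection now appears, and the counters of the stateful rule
#    increase as replies are accepted instead of hitting "Drop rest forward".
/ip firewall connection print where dst-address~"10.2.2.99"
/ip firewall filter print stats where comment="Stateful Inspection forward"
```

Two unrelated caveats a reviewer of this configuration would raise: with tracking restored, the forward chain still depends on the stateful rule being above the address-list rules, which it already is; and modp1024 for both dh-group and pfs-group is below current recommendations for IKE Diffie-Hellman groups, so moving to modp2048 or stronger once the tunnel behaves is advisable.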