Hello,
I closed an IPsec VPN from my RB with Oracle, the tunnel is up and the networks communicate, with the exception of one however, my RB (192.168.11.1) does not drip on the servers in Oracle, but from the servers in the cloud I can drip the RB normally, just like the other assets on my local network. Does anyone know what it could be and how to solve it? I’m going to put my nat and firewall settings here. I suspect it’s a firewall.
Oracle Network - 172.50.10.0/24
Network LAN - 198.168.0.0/16, 172.31.16.0/24, 198.20.0.0/24, 10.0.1.0/24
How to reference: https://prog.world/free-oracle-cloud-servers-mikrotik-site-to-site-vpn/
/ip ipsec policy
add dst-address=172.50.10.0/24 peer=oracle1-peer proposal=
oracle-proposal-phase2 src-address=192.168.0.0/16 tunnel=yes
add dst-address=172.50.10.0/24 peer=oracle1-peer proposal=
oracle-proposal-phase2 src-address=172.31.16.0/24 tunnel=yes
add dst-address=172.50.10.0/24 peer=oracle1-peer proposal=
oracle-proposal-phase2 src-address=10.0.1.0/24 tunnel=yes
add dst-address=172.50.10.0/24 peer=oracle1-peer proposal=
oracle-proposal-phase2 src-address=198.20.0.0/24 tunnel=yes
/ip firewall nat
add action=src-nat chain=srcnat disabled=yes dst-address=172.50.10.0/24 log=
yes src-address=192.168.11.1 to-addresses=192.168.11.200
add action=accept chain=srcnat dst-address=172.50.10.0/24 log=yes
src-address=198.20.0.0/24
add action=accept chain=srcnat dst-address=172.50.10.0/24 log=yes
src-address=192.168.0.0/16 to-addresses=172.50.10.0/24
add action=accept chain=srcnat dst-address=172.50.10.0/24 log=yes
src-address=172.31.16.0/24
add action=dst-nat chain=dstnat comment=“::: Publicacoes ::::” disabled=yes
dst-port=80 in-interface=Discador log=yes protocol=tcp to-addresses=
172.31.16.200 to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-port=443 in-interface=
Discador log=yes protocol=tcp to-addresses=172.31.16.200 to-ports=443
add action=dst-nat chain=dstnat dst-port=32400 in-interface=Discador log=yes
protocol=tcp to-addresses=172.31.16.200 to-ports=32400
add action=masquerade chain=srcnat comment=
“Masquerade sa\EDda de interne + Acesso sub-redes” ipsec-policy=out,none
out-interface-list=“Lista NAT”
/ip firewall filter
add action=reject chain=input dst-port=53 in-interface=Discador protocol=udp
reject-with=icmp-port-unreachable
add action=reject chain=input dst-port=53 in-interface=Discador protocol=tcp
reject-with=icmp-port-unreachable
add action=accept chain=input comment=“accept Oracle Cloud input”
src-address=172.50.10.0/24
add action=accept chain=forward comment=“defconf: accept IKE” dst-port=
500,4500 protocol=udp
add action=accept chain=forward comment=“defconf: accept ipsec AH” protocol=
ipsec-ah
add action=accept chain=forward comment=“defconf: accept ipsec ESP” protocol=
ipsec-esp
add action=accept chain=forward comment=
“defconf: accept all that matches ipsec policy” ipsec-policy=in,ipsec
add action=accept chain=forward comment=“defconf: accept out ipsec policy”
ipsec-policy=out,ipsec
add action=accept chain=input comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=
invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment=
“################### VPN_CASA ###########################” log=yes
protocol=ipsec-esp
add action=accept chain=input log=yes port=1701,500,4500 protocol=udp
add action=accept chain=input comment=
“defconf: accept to local loopback (for CAPsMAN)” disabled=yes
dst-address=127.0.0.1
add action=drop chain=input comment=“defconf: drop all not coming from LAN”
disabled=yes in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment=
“fasttrack (Para limitar internet desabilitar esta regra)”
connection-state=established,related
add action=accept chain=forward comment=
“defconf: accept established,related, untracked” connection-state=
established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid”
connection-state=invalid
add action=add-src-to-address-list address-list=“port scanners”
address-list-timeout=2w chain=input comment=
“################### PORT SCANNER LIST ###################” protocol=tcp
psd=21,3s,3,1
add action=add-src-to-address-list address-list=“port scanners”
address-list-timeout=2w chain=input comment=“NMAP FIN Stealth scan”
protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=“port scanners”
address-list-timeout=2w chain=input comment=“SYN/FIN scan” protocol=tcp
tcp-flags=fin,syn
add action=add-src-to-address-list address-list=“port scanners”
address-list-timeout=2w chain=input comment=“SYN/RST scan” protocol=tcp
tcp-flags=syn,rst
add action=add-src-to-address-list address-list=“port scanners”
address-list-timeout=2w chain=input comment=“FIN/PSH/URG scan” protocol=
tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=“port scanners”
address-list-timeout=2w chain=input comment=“ALL/ALL scan” protocol=tcp
tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=“port scanners”
address-list-timeout=2w chain=input comment=“NMAP NULL scan” protocol=tcp
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment=“dropping port scanners”
src-address-list=“port scanners”