abi
just joined
Topic Author
Posts: 8
Joined: Mon Nov 04, 2019 4:08 pm

Traffic between 2 bridges

Mon Nov 04, 2019 4:27 pm

Hello,
I've bought a MikroTik hEX S recently to replace my old Cisco ASA 5505 at home.
I have the following network layout:
1. 10.0.0.0/24 accessing 10.0.0.0/16 through IPsec VPN.
2. 192.168.3/24 accessing the internet directly and 10.0.0.10/32 (network printer)

So, I looked at the Cisco config and tried to implement the same on MikroTik.
1. I created 2 bridges, one for 10.0.0.0/24, another for 192.168.3.0/24, with a DHCP server on both. Looks OK. HW offloading is enabled for the first bridge and STP is disabled for both.
2. I created 3 IPsec policies: 10.0.0.0/24 to 10.0.0.0/24 (policy = none), 10.0.0.0/24 to 10.0.0.0/16 (policy = encrypt) and a third for the backplane. To my surprise it works as well.
I have a small question though: traffic is routed through IPsec without a NAT exemption rule. Why? I added a srcnat rule, but it works without it.
3. And here is where I'm stuck. In Cisco I have 3 simple rules under Firewall -> Access Rules
- allow traffic from the second bridge (interface for Cisco) to 10.0.0.10/32.
- deny all traffic from the second bridge to 10.0.0.0/16
- allow traffic for any.
Where do I put them here? I have a slight suspicion that Cisco interfaces are not the same as MikroTik bridges.
 
Zacharias
Forum Guru
Forum Guru
Posts: 2271
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Traffic between 2 bridges

Mon Nov 04, 2019 6:48 pm

In your firewall, place all the accept rules of the forward chain first and then add the drop rules...

The logic is: first we accept and then we drop...
 
abi
just joined
Topic Author
Posts: 8
Joined: Mon Nov 04, 2019 4:08 pm

Re: Traffic between 2 bridges

Mon Nov 04, 2019 7:11 pm

Looks like I found the problem. I used 0.0.0.0/0 in the IPsec policy, so replies were sucked into the tunnel. I added

    add action=none dst-address=192.168.3.0/24 src-address=10.0.0.0/24

and traffic began to flow between bridges.
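Putting the two answers together, here is an added RouterOS CLI example (not posted in this thread) that implements the three ASA access rules in the forward chain with accept before drop, and places the action=none IPsec policies ahead of the encrypt policy so replies between the bridges are not pulled into the tunnel. The bridge names bridge1 and bridge2, and the peer and proposal names site-peer and default, are assumptions; the established/related accept is a common stateful-firewall convention not mentioned in the thread.

```routeros
# Added example, not from the thread. Assumed names: bridge1 = 10.0.0.0/24 LAN,
# bridge2 = 192.168.3.0/24 LAN, "site-peer" and "default" stand in for the
# existing IPsec peer and proposal. Check real names with /interface bridge print.

# --- IPsec: policies are matched top-down, so the action=none policies must
# sit ABOVE the encrypt policy, otherwise inter-bridge replies go into the tunnel.
/ip ipsec policy
add action=none src-address=10.0.0.0/24 dst-address=10.0.0.0/24 \
    comment="local subnet, never encrypt"
add action=none src-address=10.0.0.0/24 dst-address=192.168.3.0/24 \
    comment="bridge1 -> bridge2 replies stay local"
add action=encrypt tunnel=yes src-address=10.0.0.0/24 dst-address=10.0.0.0/16 \
    peer=site-peer proposal=default \
    comment="the rest of 10/16 goes to the remote site"

# --- Firewall: the three ASA access rules, ordered accept-before-drop as
# advised above. Forward traffic that matches no rule is accepted by default.
/ip firewall filter
add chain=forward connection-state=established,related action=accept \
    comment="return traffic for already accepted flows"
add chain=forward in-interface=bridge2 dst-address=10.0.0.10/32 action=accept \
    comment="ASA rule 1: second bridge may reach the printer"
add chain=forward in-interface=bridge2 dst-address=10.0.0.0/16 action=drop \
    comment="ASA rule 2: second bridge may not reach the rest of 10/16"
# ASA rule 3 (permit any) needs no rule: nothing else is dropped in this chain.

# Verify ordering and watch hit counters after sending some test traffic:
/ip firewall filter print stats where chain=forward
/ip ipsec policy print
```

If the drop rule's counter stays at zero while hosts on bridge2 still reach 10.0.0.0/16, check that the traffic really enters via bridge2 and is not matched by an earlier accept.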
