I've bought a MikroTik hEX S recently to replace my old Cisco ASA 5505 at home.
I have the following network layout:
1. 10.0.0.0/24 accessing 10.0.0.0/16 through an IPsec VPN.
2. 192.168.3.0/24 accessing the internet directly and 10.0.0.10/32 (network printer).
So I looked at the Cisco config and tried to implement the same on MikroTik.
1. I created 2 bridges, one for 10.0.0.0/24, the other for 192.168.3.0/24, with a DHCP server on both. Looks OK. HW offloading is enabled for the first bridge and STP is disabled for both.
2. I created 3 IPsec policies: 10.0.0.0/24 to 10.0.0.0/24 (policy = none), 10.0.0.0/24 to 10.0.0.0/16 (policy = encrypt) and a third for the backplane. To my surprise, it works as well.
I have a small question though: traffic is routed through IPsec without a NAT exemption rule. Why? I added a srcnat rule, but it works without it.
3. And here I'm stuck. In Cisco I have 3 simple rules under Firewall -> Access Rules:
- allow traffic from the second bridge (interface for Cisco) to 10.0.0.10/32.
- deny all traffic from the second bridge to 10.0.0.0/16.
- allow traffic to any.
Where do I put them here? I have a slight suspicion that Cisco interfaces are not the same as MikroTik bridges.
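As an added example (not from the original post), the three access rules above expressed as RouterOS firewall filter rules. Traffic between the two bridges is routed, so it passes the IP firewall's forward chain; the bridge names `bridge-lan` and `bridge-guest` are assumed, and rules match top to bottom, so order matters.

```routeros
# Added example, not the poster's configuration.
# Assumes: bridge-lan = 10.0.0.0/24, bridge-guest = 192.168.3.0/24
/ip firewall filter
# 1. allow the guest bridge to reach only the network printer
add chain=forward in-interface=bridge-guest dst-address=10.0.0.10/32 \
    action=accept comment="guest -> printer"
# 2. block everything else from the guest bridge into the 10.0.0.0/16 site network
add chain=forward in-interface=bridge-guest dst-address=10.0.0.0/16 \
    action=drop comment="guest -> site network blocked"
# 3. let remaining guest traffic (internet) through
add chain=forward in-interface=bridge-guest action=accept \
    comment="guest -> anything else"
```

Check the result with `/ip firewall filter print stats` after generating test traffic from the guest bridge: the drop rule's counters should increase for a host in 10.0.0.0/16 other than the printer.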