The MikroTik has a PPPoE WAN interface, so IKE is listening on this PPPoE interface.
I can connect and have access to the LAN behind the MikroTik, but cannot use the MikroTik's internet connection or other resources where I should do src-nat for access.
I have a pool for IKE clients: 192.168.177.0/24
I have an ipsec policy src=0.0.0.0/0 dst=192.168.177.0/24 act=encrypt, split-included 0.0.0.0/0
/ip route add dst-address=0.0.0.0/0 gateway=pppoe-inet
/ip route add dst-address=192.168.177.0/24 gateway=pppoe-inet
/ip route add dst-address=10.10.10.0/24 gateway=another-tunnel
/ip firewall nat add action=masquerade chain=srcnat src-address=192.168.177.0/24 out-interface=another-tunnel
/ip firewall nat add action=masquerade chain=srcnat src-address=192.168.177.0/24 out-interface=pppoe-inet
But those NAT rules' counters show zeroes.
I have fast-track on this pppoe-inet and tried to disable it, but the situation did not change: packets are forwarded to pppoe-inet and another-tunnel without source-NATing.
How do I masquerade decrypted VPN-client traffic?
Ok, I found. It was because
When I remove those rules from the raw table, everything works.
"What's new in 6.40rc15 (2017-May-30 08:52):
!) ipsec - added support for dynamic "action=notrack" RAW rules for policies;"
How can I disable this behavior?
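
Added example, not part of the original posts and not MikroTik code: a Python check that flags srcnat rules whose whole match is covered by an action=notrack raw rule in the prerouting chain. Such packets skip connection tracking, so NAT never applies and the rule counters stay at zero. The sample raw rules are constructed stand-ins for the dynamic rules described above, and the function names are assumptions.

```python
import ipaddress
import shlex

# Constructed sample in the key=value style of the commands in the post;
# the two raw rules stand in for the dynamic notrack rules described there.
SAMPLE = """\
/ip firewall raw add action=notrack chain=prerouting src-address=192.168.177.0/24 dst-address=0.0.0.0/0
/ip firewall raw add action=notrack chain=prerouting src-address=0.0.0.0/0 dst-address=192.168.177.0/24
/ip firewall nat add action=masquerade chain=srcnat src-address=192.168.177.0/24 out-interface=pppoe-inet
/ip firewall nat add action=masquerade chain=srcnat src-address=192.168.88.0/24 out-interface=pppoe-inet
"""

def parse_rules(text):
    """Return (table, params) for every '/ip firewall <table> add ...' line."""
    rules = []
    for line in text.splitlines():
        tokens = shlex.split(line)
        if len(tokens) < 5 or tokens[:2] != ["/ip", "firewall"] or tokens[3] != "add":
            continue
        params = dict(t.split("=", 1) for t in tokens[4:] if "=" in t)
        rules.append((tokens[2], params))
    return rules

def net(params, key):
    # A missing address matcher means "any".
    return ipaddress.ip_network(params.get(key, "0.0.0.0/0"), strict=False)

def covers(raw, nat):
    """True if the raw rule matches every packet the NAT rule could match."""
    return (net(nat, "src-address").subnet_of(net(raw, "src-address"))
            and net(nat, "dst-address").subnet_of(net(raw, "dst-address")))

def shadowed_nat_rules(text):
    """Pair each srcnat rule with the notrack raw rules that fully cover it."""
    rules = parse_rules(text)
    notrack = [p for table, p in rules if table == "raw"
               and p.get("action") == "notrack" and p.get("chain") == "prerouting"]
    findings = []
    for table, nat in rules:
        if table == "nat" and nat.get("chain") == "srcnat":
            hits = [r for r in notrack if covers(r, nat)]
            if hits:
                findings.append((nat, hits))
    return findings

if __name__ == "__main__":
    for nat, hits in shadowed_nat_rules(SAMPLE):
        print("srcnat", nat["src-address"], "via", nat.get("out-interface"),
              "is fully covered by", len(hits), "notrack rule(s)")
```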