howdey57
Member Candidate
Topic Author
Posts: 122
Joined: Wed Dec 31, 2014 2:36 pm

Is there a definitive guide showing how to force all traffic through IPSec tunnel and out through Head Office ?

Sun Aug 19, 2018 1:49 pm

Newbie Question (perhaps I will always be a newbie with Mikrotik!!).

I have two mikrotik routers connected via IPSec. I want to force all traffic from the remote site to go through the VPN and out of the Head Office WAN connection. There are lots of long posts that offer lots of ways, all of which seem very complicated and I'm not sure achieve what I want in the simplest way. Is there a simple, definitive guide someone could point me at that shows how to force all traffic through IPSec tunnel and out through Head Office?

Thanks in advance,

Charles
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Is there a definitive guide showing how to force all traffic through IPSec tunnel and out through Head Office ?

Sun Aug 19, 2018 2:21 pm

I have two mikrotik routers connected via IPSec. I want to force all traffic from the remote site to go through the VPN and out of the Head Office WAN connection.
The key is to understand how ipsec policies work. With understanding, you don't need long guides or youtube videos. And as you enjoy the luxury of having a Mikrotik device at both ends, you can choose between defining the right policy (or often a sequence of policies) to handle the traffic in the necessary way and using a single simple policy to transport a GRE or IPIP tunnel through which you then route the traffic using the usual routing methods. The price of the latter approach is the number of bytes wasted on the tunnel overhead in each packet. When one of the devices is not a Mikrotik one, there are usually far fewer choices and some scenarios are simply impossible.

A definitive guide cannot be simple because there are many real life scenarios which affect which features can be used and which cannot, so it must describe all the choices and let you select the most appropriate setup for your use case and environmental implications.

If you want a simple guide, export the current configuration of both the HQ (headquarters) and BO (branch office) following the suggestion in my automatic signature, and for each of the two devices state whether it has a public IP address and whether the address is a stable one (even if assigned using DHCP or PPPoE) or it changes over time. The only way to make a guide simple is to leave out all the information not relevant to the particular setup, which makes such a guide useless for any other situation.
 
howdey57
Member Candidate
Topic Author
Posts: 122
Joined: Wed Dec 31, 2014 2:36 pm

Re: Is there a definitive guide showing how to force all traffic through IPSec tunnel and out through Head Office ?

Mon Aug 27, 2018 1:39 pm

Sindy,

and I thought this would be easy!! Thanks for looking.

There are two problems:
1. How to ping from one router to another - The ping says "Host Unreachable" and names the WAN address
2. How to default the Sub Office so all internet traffic goes through the main office.

The two router configs have morphed over time as I've added bits in. They are:

Black - The Main Office Router
# aug/21/2018 10:30:36 by RouterOS 6.42.7
# software id = KAE3-NN91
#
# model = RouterBOARD D52G-5HacD2HnD-TC
/interface bridge
add admin-mac=CC:GG:HH:1D:7A arp=proxy-arp auto-mac=no comment=defconf name=bridge
/interface l2tp-server
add name=l2tp-in-W10_Laptop user=W10_Laptop
add name=l2tp-in-Nexus user=Nexus
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no distance=indoors frequency=2447 mode=ap-bridge ssid=SSID wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac country="united kingdom" disabled=no distance=indoors frequency=5200 mode=ap-bridge ssid=SSID-B5 wireless-protocol=802.11
add disabled=no mac-address=CE:2D:E0:EB:1D:7F master-interface=wlan1 name=wlan3 ssid=SSID-B2 wds-default-bridge=bridge wps-mode=disabled
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des
/ip pool
add name=dhcp ranges=192.168.64.2-192.168.64.100
add name=vpn-pool ranges=192.168.99.2-192.168.99.100
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name="Default DHCP Server"
/ppp profile
set *0 local-address=192.168.64.1 remote-address=dhcp
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set authentication=mschap2 default-profile=default enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=l2tp-in-W10_Laptop list=LAN
add interface=l2tp-in-Nexus list=LAN
/ip address
add address=192.168.64.1/24 comment="defconf" interface=bridge network=192.168.64.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.64.0/24 comment=defconf gateway=192.168.64.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=208.67.222.222,208.67.220.220
/ip dns static
add address=192.168.88.1 name=router.lan
add address=192.168.64.1 name=router.lan
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
add address=172.105.193.147 comment=malc0de list=blacklist
add address=31.177.78.96 comment=malc0de list=blacklist
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log-prefix="Track invalid"
add action=drop chain=input comment="Drop input from blacklist" log-prefix="Track Drop input from blacklist" src-address-list=blacklist
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface-list=WAN log=yes log-prefix="Track !public" src-address-list=not_in_internet
add action=drop chain=forward comment="Drop from Blacklist sites" log=yes log-prefix="Track Blacklist In:" src-address-list=blacklist
add action=drop chain=forward comment="Drop to Blacklist sites" dst-address-list=blacklist log=yes log-prefix="Track Blacklist Out"
add action=drop chain=output comment="Drop from Router to blacklist sites" dst-address-list=blacklist log=yes log-prefix="Track blacklist out from router"
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="TCP flags and Port 0 attacks" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=forward protocol=tcp tcp-flags=fin,syn
add action=drop chain=forward protocol=tcp tcp-flags=fin,rst
add action=drop chain=forward protocol=tcp tcp-flags=fin,!ack
add action=drop chain=forward protocol=tcp tcp-flags=fin,urg
add action=drop chain=forward protocol=tcp tcp-flags=syn,rst
add action=drop chain=forward protocol=tcp tcp-flags=rst,urg
add action=drop chain=forward protocol=tcp src-port=0
add action=accept chain=input comment=VPN log-prefix="Track VPN" port=1701,500,4500 protocol=udp
add action=accept chain=input comment=VPN protocol=ipsec-esp
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="accept input established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN log-prefix="Track input not from LAN"
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="Drop everything else that has got through" in-interface-list=WAN log=yes log-prefix="Last rule"
/ip firewall nat
add action=accept chain=srcnat comment=MyVPN dst-address=192.168.65.0/24 src-address=192.168.64.0/24
add action=accept chain=dstnat comment=MyVPN dst-address=192.168.64.0/24 src-address=192.168.65.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip firewall raw
add action=notrack chain=prerouting dst-address=192.168.64.0/24 src-address=192.168.65.0/24
add action=notrack chain=prerouting dst-address=192.168.65.0/24 src-address=192.168.64.0/24
/ip ipsec peer
add address=xx.xx.xx.xx/32 comment=MyVPN dh-group=modp4096 enc-algorithm=aes-256,aes-128,3des exchange-mode=ike2 hash-algorithm=sha512
/ip ipsec policy
add comment=MyVPN dst-address=192.168.65.0/24 sa-dst-address=xx.xx.xx.xx sa-src-address=0.0.0.0 src-address=192.168.64.0/24 tunnel=yes
/ip route
add comment=MyVPN distance=1 dst-address=192.168.65.0/24 gateway=ether1
/ip service
set telnet disabled=yes
set ftp disabled=yes
/ppp secret
add name=W10_Laptop
add name=Nexus
/system clock
set time-zone-name=Europe/London
/system identity
set name="Black MikroTik"
/system logging
set 0 disabled=yes
add topics=firewall
add disabled=yes topics=e-mail
add topics=account
add disabled=yes topics=dhcp,info
add topics=script
add topics=ipsec,info
add topics=l2tp,info
add topics=ppp,info
add topics=ssh,info
add topics=interface
/system ntp client
set enabled=yes primary-ntp=80.86.38.193 secondary-ntp=108.61.73.243
/tool netwatch
add comment=ipsec-peer-update-MyVPN down-script="/system scheduler enable ipsec-peer-update-MyVPN\n/system scheduler enable ip-cloud-forceupdate" host=192.168.65.1 up-script="/system scheduler disable ip-cloud-forceupdate\n/system scheduler disable ipsec-peer-update-MyVPN"
Red - Sub Office
# aug/21/2018 11:21:04 by RouterOS 6.42.6
# software id = 65FW-3KRA
#
# model = 2011UiAS-2HnD
/interface l2tp-server
add name=l2tp-in-W10_Laptop user=W10_Laptop
add name=l2tp-in-Nexus user=Nexus
/interface bridge
add admin-mac=4C:5E:0C:B8:9D:92 arp=proxy-arp auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name="ether1"
set [ find default-name=ether2 ] advertise=10M-half,10M-full,100M-half,100M-full name=ether2
set [ find default-name=ether3 ] name="ether3"
set [ find default-name=ether4 ] advertise=10M-half,10M-full,100M-half,100M-full name="ether4"
set [ find default-name=ether6 ] name="ether6"
set [ find default-name=ether7 ] name="ether7"
set [ find default-name=sfp1 ] disabled=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n country="united kingdom" disabled=no distance=indoors frequency=2472 l2mtu=1598 mode=ap-bridge name=wlan1-2G ssid=SSID1 wireless-protocol=802.11 wps-mode=disabled
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des
/ip pool
add name=dhcp ranges=192.168.65.2-192.168.65.100
add name=vpn-pool ranges=192.168.99.2-192.168.99.100
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=1h name="Default DHCP Server"
/ppp profile
set *0 local-address=192.168.65.1 remote-address=dhcp
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface="ether6"
add bridge=bridge comment=defconf hw=no interface=sfp1
add bridge=bridge comment=defconf interface=wlan1-2G
add bridge=bridge interface=*13
add bridge=bridge interface="ether3"
add bridge=bridge interface="ether4"
add bridge=bridge interface=ether5
add bridge=bridge interface="ether7"
add bridge=bridge interface=ether8
add bridge=bridge interface=ether9
add bridge=bridge interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface l2tp-server server
set authentication=mschap2 default-profile=default enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface="ether1" list=WAN
add interface=l2tp-in-W10_Laptop list=LAN
add interface=l2tp-in-Nexus list=LAN
add interface=wlan1-2G list=discover
add interface=sfp1 list=discover
add interface=ether2 list=discover
add interface="ether3" list=discover
add interface="ether4" list=discover
add interface=ether5 list=discover
add interface="ether6" list=discover
add interface="ether7" list=discover
add interface=ether8 list=discover
add interface=ether9 list=discover
add interface=ether10 list=discover
add interface=bridge list=discover
add list=discover
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
/interface wireless access-list
add mac-address=94:9F:3E:18:18:5E
add mac-address=B8:E9:37:5E:50:BA
/ip address
add address=192.168.65.1/24 comment=defconf interface=bridge network=192.168.65.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface="ether1"
/ip dhcp-server network
add address=192.168.65.0/24 comment=defconf gateway=192.168.65.1 netmask=24
/ip dns
set servers=208.67.222.222,208.67.220.220
/ip dns static
add address=192.168.65.1 name=router.lan
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
add address=62.4.10.157 comment=malc0de list=blacklist
add address=213.202.218.77 comment=malc0de list=blacklist
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=drop chain=forward comment=CameraOut dst-address=!192.168.64.0/24 log=yes log-prefix=CameraOut: out-interface-list=WAN src-address-list=Camera
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked log-prefix=Previous
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix="Track invalid"
add action=drop chain=input comment="Drop incoming to router from my Blacklist" in-interface-list=WAN log=yes log-prefix="Track My Blacklist In:" src-address-list=blacklist
add action=drop chain=forward comment="Drop incoming from internet whiis not public IP" in-interface-list=WAN log=yes log-prefix="Track !public" src-address-list=not_in_internet
add action=drop chain=forward comment="Drop incoming from Blacklist site" in-interface-list=WAN log=yes log-prefix="Track Blacklist In:" src-address-list=blacklist
add action=drop chain=forward comment="To stop things getting out to Blacklist sites" dst-address-list=blacklist log=yes log-prefix="Track Blacklist Out" out-interface-list=WAN
add action=drop chain=output comment="Drop from Router to Blacklist sites" dst-address-list=blacklist log=yes log-prefix="Track blacklist out from router" out-interface="ether1 To VM"
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix="defconf:  drop all from WAN not DSTNATed"
add action=drop chain=forward comment="TCP flags and Port 0 attacks" log=yes log-prefix="TCP flags and Port 0 attacks" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=forward comment="TCP Flag1" log=yes log-prefix="TCP Flag1" protocol=tcp tcp-flags=fin,syn
add action=drop chain=forward comment="TCP Flag2" log=yes log-prefix="TCP Flag1" protocol=tcp tcp-flags=fin,rst
add action=drop chain=forward comment="TCP Flag3" log=yes log-prefix="TCP Flag3" protocol=tcp tcp-flags=fin,!ack
add action=drop chain=forward comment="TCP Flag4" log=yes log-prefix="TCP Flag4" protocol=tcp tcp-flags=fin,urg
add action=drop chain=forward log=yes log-prefix="TCP Flag5" protocol=tcp tcp-flags=syn,rst
add action=drop chain=forward protocol=tcp tcp-flags=rst,urg
add action=drop chain=forward protocol=tcp src-port=0
add action=accept chain=input comment=VPN log-prefix="Track VPN" port=1701,500,4500 protocol=udp
add action=accept chain=input comment=VPN protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="accept input established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN log-prefix="Track input not from LAN"
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="Drop everything else that has got through" in-interface-list=WAN log=yes log-prefix="Last rule"
/ip firewall nat
add action=accept chain=srcnat comment=MyVPN dst-address=192.168.64.0/24 src-address=192.168.65.0/24
add action=accept chain=dstnat comment=MyVPN dst-address=192.168.65.0/24 src-address=192.168.64.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface="ether1"
/ip firewall raw
add action=notrack chain=prerouting dst-address=192.168.65.0/24 src-address=192.168.64.0/24
add action=notrack chain=prerouting dst-address=192.168.64.0/24 src-address=192.168.65.0/24
/ip ipsec peer
add address=xx.xx.xx.xx/32 comment=MyVPN dh-group=modp4096 enc-algorithm=aes-256,aes-128,3des exchange-mode=ike2 hash-algorithm=sha512
/ip ipsec policy
add comment=MyVPN dst-address=192.168.64.0/24 sa-dst-address=xx.xx.xx.xx sa-src-address=0.0.0.0 src-address=192.168.65.0/24 tunnel=yes
/ip route
add comment=MyVPN disabled=no distance=1 dst-address=192.168.64.0/24 gateway="ether1"
/ppp secret
add name=W10_Laptop
add name=Nexus
/system clock
set time-zone-name=Europe/Paris
/system identity
set name="Red MikroTik"
/system logging
set 0 disabled=yes
add topics=firewall
add disabled=yes topics=e-mail
add topics=account
add disabled=yes topics=dhcp,info
add topics=script
add topics=ipsec,info
add topics=l2tp,info
add topics=ppp,info
add topics=ssh,info
add topics=interface
/system ntp client
set enabled=yes primary-ntp=80.86.38.193 secondary-ntp=108.61.73.243
/system routerboard settings
set silent-boot=no
/tool netwatch
add comment=ipsec-peer-update-MyVPN down-script="/system scheduler enable ipsec-peer-update-MyVPN\n/system scheduler enable ip-cloud-forceupdate" host=192.168.64.1 up-script="/system scheduler disable ip-cloud-forceupdate\n/system scheduler disable ipsec-peer-update-MyVPN"

 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Is there a definitive guide showing how to force all traffic through IPSec tunnel and out through Head Office ?

Mon Aug 27, 2018 6:33 pm

OK. How "routing" works in plain IPsec: after all the standard routing and firewall handling has been done, and the last thing left is to send the packet out via the physical interface, the header of the packet is matched against the list of all active IPsec policies, top to bottom. If one of the policies matches the packet header and that policy's action is encrypt (which is the default one), it steals the packet and sends it out via its associated security association instead of sending it out via the initially chosen port.

1. How to ping from one router to another - The ping says "Host Unreachable" and names the WAN address
This is because the source address of locally originated packets is chosen depending on the output route. You have two routes, but both via the same connected subnet (provided by DHCP on WAN interface ether1), so the local source address of the icmp echo request (ping) towards the LAN subnet of the remote Mikrotik is the one assigned to local WAN by DHCP, hence your existing IPsec policy doesn't match it. You have added a dedicated route with dst-address matching the other Mikrotik's LAN subnet into the configuration, but haven't set the pref-src parameter of that dedicated route to the local IP address from the local LAN subnet. Once you set this parameter of this dedicated route on both machines, ping between them will start working.

2. How to default the Sub Office so all internet traffic goes through the main office.
By changing the IPsec policy at both ends accordingly. In the branch office, set the policy's dst-address to 0.0.0.0/0; in the headquarters office, set the policy's src-address to 0.0.0.0/0. But as you need to allow the devices in local LAN and the L2TP clients to talk to the Mikrotik itself and to the devices in the other one of these two groups, in the BO (red) machine you have to add two exceptional policies with action=none above this one to the list, so the whole list will look as follows:
/ip ipsec policy
add action=none comment="exception for locally terminating traffic" dst-address=192.168.65.0/24 src-address=0.0.0.0/0
add action=none comment="exception for locally terminating traffic" dst-address=192.168.99.0/25 src-address=0.0.0.0/0
add comment=MyVPN dst-address=0.0.0.0/0 sa-dst-address=xx.xx.xx.xx sa-src-address=0.0.0.0 src-address=192.168.65.0/24 tunnel=yes
If you want the L2TP clients of the Red device to be able to talk to devices in Black's LAN (and to get to the internet via Black's WAN), you have to add a copy of the existing action=encrypt policy to both machines and replace 192.168.65.0/24 by 192.168.99.0/25 in the copy.

Other than that, as you have configured /ip firewall raw to exclude packets between site LANs from connection tracking, you don't need the action=accept rules for these subnets in the /ip firewall nat table because that table is never used for packets excluded from connection tracking. But it also means that the /ip firewall filter rules in input and forward chains with action=accept and connection-state=established,related,untracked will match on all such packets, so you cannot use the firewall to restrict traffic between the two LANs - or, more precisely, you can but without the help of connection tracking which makes it a much more complex task.
 
howdey57
Member Candidate
Topic Author
Posts: 122
Joined: Wed Dec 31, 2014 2:36 pm

Re: Is there a definitive guide showing how to force all traffic through IPSec tunnel and out through Head Office ?

Sat Sep 01, 2018 9:45 pm

Sindy

Thanks for this and sorry for the delay in letting you know how I am getting on.

1. Worked. Thanks.

2. Still plucking up the courage to do this. Just don't want to cut myself off from the remote office. I'll let you know.

I'm currently battling with chatty Chinese security cameras that want to talk to IP addresses in China as well as my Head Office.

Charles
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Is there a definitive guide showing how to force all traffic through IPSec tunnel and out through Head Office ?

Sat Sep 01, 2018 10:42 pm

To collect courage faster, read about safe mode and how to use it. In short, if you make a change while in safe mode and that change causes the management connection using which you've done the change to break, everything you've changed since activation of the safe mode gets reverted in 30 seconds or so.

So open two command line windows, one for each end, activate safe mode for the remote one, type in the modification commands in both but don't send them, and then almost simultaneously press enter in both windows.

For the branch office, the command will be as follows:

/ip ipsec policy set [find where dst-address=the.old.subnet] dst-address=0.0.0.0/0

But of course you have to prepare the exception policies beforehand, and I'd strongly recommend doing that also with safe mode activated. For headquarters, replace dst-address by src-address at both places in the command.

To prevent the cameras from talking to anything else than the DVR, use the firewall rules - permit the cameras' IPs to establish connections only to the IP of the DVR.
 
howdey57
Member Candidate
Topic Author
Posts: 122
Joined: Wed Dec 31, 2014 2:36 pm

Re: Is there a definitive guide showing how to force all traffic through IPSec tunnel and out through Head Office ?

Sun Dec 09, 2018 11:52 am

Sindy,

I was about to do this but then had a further thought.

Is there a way to use address lists to say which specific machines should go via the head office VPN, rather than them all? If that is possible, then all I need to do is add or take off ip addresses from that address list.

The use case is that the remote office is actually a holiday home and we want to variously use Netflix at the holiday home via the UK or France. I would add the TV ip address to use UK and take it off to use France.

Charles
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Is there a definitive guide showing how to force all traffic through IPSec tunnel and out through Head Office ?

Sun Dec 09, 2018 1:00 pm

The IPsec policy doesn't check anything other than source & destination address & port and IP protocol, and the source & destination addresses may only be specified as subnets (prefixes) - this is because the protocol negotiating the tunnel between the endpoints only works with these items. So with plain IPsec, you can
  • use an address-list indirectly: as you'll be src-nating the packets to the UK address later on anyway, you can use a src-nat rule on the French box which will be matching on the address-list and changing the source address(es) to another one(s) which will then be matched by the IPsec policy
  • use an individual IPsec policy for each of those addresses you would otherwise put on the address list
  • use a dedicated local subnet (maybe bound to a dedicated bridge with one or more Ethernet interfaces or to an SSID) which will be matched by the src-address of the policy
The other possibility is to use the IPsec only to carry transport packets of some tunneling protocol (such as GRE) and use the usual tools of policy routing to send packets which need the UK address via the tunnel. This approach is simpler, but the price to pay is the additional overhead of the GRE to be transported (so slightly less efficient bandwidth use).

But I'd say the point to concentrate on is what you'll have to do to switch the TV between the modes, because you'll configure the Mikrotiks once, but you'll be switching the mode several times a day while in France. And here I can see the following possibilities:
  • moving the Ethernet cable from one port to another (just make sure you have a spare cable as the lock pin is going to break one day)
  • pushing the user-configurable button on your Mikrotik if you're lucky enough to have a model which has one
  • switching a switch loading a PoE-out port with a resistive load if you don't have a user-configurable button but do have a PoE-out port on your Mikrotik model
  • connecting the TV to another SSID in the TV set menu if connected using WiFi (or a switchover between WiFi and cable)
  • changing the TV's IP address
  • switching on an old smartphone with WiFi and tracking the presence of this phone's MAC address in the wireless client registration table on the Mikrotik
  • and, of course, logging in to the Mikrotik and activating/deactivating something manually
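The two mechanisms sindy describes in this thread, the top-to-bottom policy lookup with action=none exceptions (including why a ping sourced from the WAN address misses the policy until pref-src is set) and the address-list trick via a srcnat rule that runs before the lookup, as a small added model in Python. This is example code, not RouterOS or the poster's configuration; the WAN address, the 192.168.70.0/24 prefix, the NAT address and the srcnat rule are assumptions, and the hosts and public address are constructed.

```python
"""
Model of the RouterOS IPsec policy lookup described in this thread: after routing
and NAT, a packet's header is compared against the policy list top to bottom, the
first matching policy wins, and action=encrypt sends the packet into the tunnel
while action=none leaves it on its normal path. Added example, not RouterOS code.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Policy:
    src: str       # src-address prefix
    dst: str       # dst-address prefix
    action: str    # "encrypt" or "none"
    comment: str = ""


def select_policy(policies: List[Policy], src_ip: str, dst_ip: str) -> Optional[Policy]:
    """First policy (top to bottom) whose prefixes contain both addresses; None if no match."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if s in ipaddress.ip_network(p.src) and d in ipaddress.ip_network(p.dst):
            return p
    return None


def disposition(policies: List[Policy], src_ip: str, dst_ip: str) -> str:
    """'ipsec' if an encrypt policy steals the packet, 'plain' if it leaves via routing."""
    p = select_policy(policies, src_ip, dst_ip)
    return "ipsec" if p is not None and p.action == "encrypt" else "plain"


# Red (branch office) policy list exactly as proposed in the thread.
RED_POLICIES = [
    Policy("0.0.0.0/0", "192.168.65.0/24", "none", "exception for locally terminating traffic"),
    Policy("0.0.0.0/0", "192.168.99.0/25", "none", "exception for locally terminating traffic"),
    Policy("192.168.65.0/24", "0.0.0.0/0", "encrypt", "MyVPN"),
]

# Constructed addresses; the thread masks the real ones as xx.xx.xx.xx.
RED_WAN_IP = "203.0.113.20"     # assumed DHCP address on Red's ether1
RED_LAN_IP = "192.168.65.1"
BLACK_LAN_IP = "192.168.64.1"


def ping_source(pref_src: Optional[str]) -> str:
    """Source address the router picks for its own ping: the route's pref-src if set,
    otherwise an address of the outgoing interface, i.e. the WAN address."""
    return pref_src if pref_src else RED_WAN_IP


# Address-list variant from the later post: a srcnat rule rewrites the source of
# listed hosts to an address that a dedicated encrypt policy matches. Prefix
# 192.168.70.0/24 and the NAT address are hypothetical, not from the thread.
UK_EXIT_NAT_IP = "192.168.70.1"
SELECTIVE_POLICIES = [
    Policy("0.0.0.0/0", "192.168.65.0/24", "none", "exception for locally terminating traffic"),
    Policy("192.168.70.0/24", "0.0.0.0/0", "encrypt", "all internet traffic of NATed hosts"),
    Policy("192.168.65.0/24", "192.168.64.0/24", "encrypt", "MyVPN, site-to-site only"),
]


def srcnat(uk_list: Set[str], src_ip: str, dst_ip: str) -> str:
    """Models a hypothetical rule: chain=srcnat src-address-list=UK
    dst-address=!192.168.64.0/24 action=src-nat to-addresses=192.168.70.1"""
    site_to_site = ipaddress.ip_address(dst_ip) in ipaddress.ip_network("192.168.64.0/24")
    if src_ip in uk_list and not site_to_site:
        return UK_EXIT_NAT_IP
    return src_ip


def route_host(src_ip: str, dst_ip: str, uk_list: Set[str] = frozenset({"192.168.65.79"})) -> str:
    """NAT runs before the policy lookup, so list membership decides the exit point."""
    return disposition(SELECTIVE_POLICIES, srcnat(uk_list, src_ip, dst_ip), dst_ip)


if __name__ == "__main__":
    cases = [
        ("LAN host to internet", "192.168.65.50", "198.51.100.7"),
        ("LAN host to Red itself", "192.168.65.50", RED_LAN_IP),
        ("ping without pref-src", ping_source(None), BLACK_LAN_IP),
        ("ping with pref-src", ping_source(RED_LAN_IP), BLACK_LAN_IP),
    ]
    for label, src, dst in cases:
        print(f"{label:24} {src:>15} -> {dst:<15} {disposition(RED_POLICIES, src, dst)}")
    print("listed TV to internet:    ", route_host("192.168.65.79", "198.51.100.7"))
    print("unlisted host to internet:", route_host("192.168.65.80", "198.51.100.7"))
```

The "ping without pref-src" case comes out as plain routing, which is the path that produced the "Host Unreachable" naming the WAN address earlier in the thread.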
 
howdey57
Member Candidate
Topic Author
Posts: 122
Joined: Wed Dec 31, 2014 2:36 pm

Re: Is there a definitive guide showing how to force all traffic through IPSec tunnel and out through Head Office ?

Sun Apr 07, 2019 5:29 pm

Sindy,

I'm having a go with this. I thought I'd try with just one IP address (192.168.65.79). I have put in the following Policies. The second Policy is the existing VPN.

Branch Office
/ip ipsec policy
add comment="FranceLondon-Laptop " dst-address=0.0.0.0/0 sa-dst-address=\
    x.x.x.x sa-src-address=0.0.0.0 src-address=192.168.65.79/32 tunnel=\
    yes
add comment=FranceLondon dst-address=192.168.64.0/24 sa-dst-address=\
    x.x.x.x sa-src-address=0.0.0.0 src-address=192.168.65.0/24 tunnel=yes
I have done the opposite in Head Office.

Sadly, not all traffic is going through to the head office for the single IP (the laptop). Can you see why not?
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Is there a definitive guide showing how to force all traffic through IPSec tunnel and out through Head Office ?

Sun Apr 07, 2019 5:45 pm

How exactly to read
not all traffic is going through to the head office for the single IP (the laptop).
?

I mean, does part of the traffic go via the HQ and part via the local gateway, or does everything go via the local gateway?

Does /ip ipsec installed-sa print show a pair (rx+tx direction) of security associations per each policy? If yes, do the counters in the output show any transported packets and bytes?
 
howdey57
Member Candidate
Topic Author
Posts: 122
Joined: Wed Dec 31, 2014 2:36 pm

Re: Is there a definitive guide showing how to force all traffic through IPSec tunnel and out through Head Office ?

Sun Apr 07, 2019 5:58 pm

Sindy,

Thanks for the prompt reply.

There are two pairs. The first has a large number of packets (current-packets=148443) whilst the other has much less (current-packets=796).

I know I'm not going through the VPN because bbc.co.uk gets redirected to bbc.com (the BBC only serves .co.uk if you are in the UK).

Charles
 
sindy
Forum Guru
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Is there a definitive guide showing how to force all traffic through IPSec tunnel and out through Head Office ?

Sun Apr 07, 2019 6:20 pm

There are two pairs. The first has a large number of packets (current-packets=148443) whilst the other has much less (current-packets=796).
Well, you need to look per direction. As you only provide two values, I suspect that one of the directions per each policy is silent. If a direction doesn't show the current-packets and current-bytes items at all, it means 0 packets, i.e. that the traffic doesn't pass in that direction at all. You'll identify the direction by the src-address and dst-address items of the SA which match the sa-src-address and sa-dst-address of the policy.
I know I'm not going through the VPN because bbc.co.uk gets redirected to bbc.com (the BBC only serves .co.uk if you are in the UK).
That may also be an issue of DNS. You have to make sure that the test laptop doesn't use the Mikrotik itself as a DNS - although the policy with dst-address=0.0.0.0/0 normally steals even local traffic, you may have some counter-measure in place (a policy with action=none and dst-address set to the LAN subnet placed before the actual policy). I mean, you can be redirected to bbc.com by the regular http servers serving the domain bbc.co.uk when you contact them from a foreign IP, but you may as well be served with an IP of a dedicated redirection server if you query for bbc.co.uk from a foreign IP.
 
howdey57
Member Candidate
Member Candidate
Topic Author
Posts: 122
Joined: Wed Dec 31, 2014 2:36 pm

Re: Is there a definitive guide showing how to force all traffic through IPSec tunnel and out through Head Office ?

Sun Apr 07, 2019 7:14 pm

Sindy,

Sorry, I should have put the print in my response. Here it is:
[admin@Red MikroTik] > /ip ipsec installed-sa print
Flags: H - hw-aead, A - AH, E - ESP 
 0  E spi=0x6F3F16 src-address=x.x.x.x:4500 dst-address=192.168.1.38:4500 state=mature auth-algorithm=sha512 
      enc-algorithm=aes-cbc enc-key-size=256 
      auth-key="aa" 
      enc-key="bb" addtime=apr/07/2019 15:31:43 
      expires-in=6m39s add-lifetime=24m8s/30m10s current-bytes=1360850 current-packets=3636 replay=128 

 1  E spi=0x1A92739 src-address=192.168.1.38:4500 dst-address=x.x.x.x:4500 state=mature auth-algorithm=sha512 
      enc-algorithm=aes-cbc enc-key-size=256 
      auth-key="cc" 
      enc-key="dd" addtime=apr/07/2019 15:31:43 
      expires-in=6m39s add-lifetime=24m8s/30m10s current-bytes=814413 current-packets=4452 replay=128 

 2  E spi=0xA59E1B5 src-address=x.x.x.x:4500 dst-address=192.168.1.38:4500 state=mature auth-algorithm=sha512 
      enc-algorithm=aes-cbc enc-key-size=256 
      auth-key="ee" 
      enc-key="ff" addtime=apr/07/2019 15:44:34 
      expires-in=19m46s add-lifetime=24m20s/30m26s current-bytes=205827 current-packets=1253 replay=128 

 3  E spi=0x4256DA0 src-address=192.168.1.38:4500 dst-address=x.x.x.x:4500 state=mature auth-algorithm=sha512 
      enc-algorithm=aes-cbc enc-key-size=256 
      auth-key="gg" 
      enc-key="hh" addtime=apr/07/2019 15:44:38 
      expires-in=19m50s add-lifetime=24m20s/30m26s current-bytes=185826 current-packets=1875 replay=128 
The second pair has less traffic.

I've just checked the IP address my laptop comes out onto the internet with (What is my IP) and it is in the Branch office - where I am now.

I haven't changed any firewall settings as I presume the IPSec things happen first. Ie, I still have fast track turned on. Is that a mistake?

Charles
 
sindy
Forum Guru
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Is there a definitive guide showing how to force all traffic through IPSec tunnel and out through Head Office ?

Sun Apr 07, 2019 7:58 pm

I haven't changed any firewall settings as I presume the IPSec things happen first.
No, they happen as almost the last thing, just before the packet is sent out the interface chosen by the regular routing. Even the NAT handling is done before the IPsec policies inspect the traffic.

If whatsmyip shows you the local (French) address, the policy doesn't steal the traffic from the laptop's IP, so I suppose you haven't set up the necessary exception from the NAT (an action=accept chain=srcnat src-address=192.168.65.79 rule placed above the one with action=masquerade or action=src-nat).

On the other hand, some part of your traffic must escape the NAT as otherwise nothing at all would flow through the SAs.

Ie, I still have fast track turned on. Is that a mistake?
It is, but the consequences would be different than those you experience.

With the fasttracking rule in place, the initial packet of each connection is caught and diverted by the policy, and only subsequent packets are caught by the fasttracking before the policy can grab them. So the consequence is that the connection works via the VPN but very slowly - fasttracking only processes the vast majority of a connection's packets but not 100% of them.

So you need to add src-address=!192.168.65.79 dst-address=!192.168.65.79 to the action=fasttrack-connection rule to prevent the laptop's connection from getting fasttracked.

Also in this regard, there must be some part of traffic which escapes the fasttracking already now, otherwise the SAs would be transporting almost nothing (or the connections would be unbearably slow). So if there already are constraints on addresses in the action=fasttrack rule, such as exclusion of traffic between 192.168.64.0/24 and 192.168.65.0/24, you'll have to set the exception for 192.168.65.79 <-> 0.0.0.0/0 some other way, e.g. by adding action=accept connection-state=established,related src-address=192.168.65.79 and action=accept connection-state=established,related dst-address=192.168.65.79 rules before the action=fasttrack one for a quick test. For production deployment, I'd use connection marking so that the action=fasttrack rule would only match on packets belonging to connections bearing a specific mark, because you need the packets which are not fasttracked to pass through as few rules as possible, so they should just not match the action=fasttrack rule and match right the next one - action=accept connection-state=established,related.
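The connection-marking variant sindy describes for production, written out as an added RouterOS example (not configuration from this thread). It assumes the default firewall with the rule commented "defconf: fasttrack" and that 192.168.65.79 is the laptop whose traffic must reach the IPsec policy:

```routeros
# Added example: fasttrack only connections that carry a mark, so packets
# which must reach the IPsec policy on output are never fasttracked.
/ip firewall mangle
# Connections to or from the laptop get no mark. Every other new tracked
# connection is marked as eligible for fasttracking.
add chain=forward action=mark-connection connection-state=new \
    src-address=!192.168.65.79 dst-address=!192.168.65.79 \
    new-connection-mark=fasttrack-ok passthrough=no \
    comment="mark connections that may be fasttracked"

/ip firewall filter
# The default fasttrack rule now matches marked connections only. The
# laptop's packets fail this one matcher and are handled by the very next
# rule (accept established,related,untracked), then reach the policy.
set [ find comment="defconf: fasttrack" ] connection-mark=fasttrack-ok
```

Traffic that the raw notrack rules exempt from connection tracking never matches connection-state=new, so it is neither marked nor fasttracked.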
 
howdey57
Member Candidate
Member Candidate
Topic Author
Posts: 122
Joined: Wed Dec 31, 2014 2:36 pm

Re: Is there a definitive guide showing how to force all traffic through IPSec tunnel and out through Head Office ?

Sun Apr 07, 2019 9:18 pm

The suggested NAT Rule seems to kill the connection from the laptop. I do already have exceptions for the existing 64.0 to 65.0 VPN so perhaps that's ok. However that doesn't explain my French external IP address. Any other ideas? DNS perhaps?

I added the exception to the fast-track firewall rule - that makes sense.

Charles
 
sindy
Forum Guru
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Is there a definitive guide showing how to force all traffic through IPSec tunnel and out through Head Office ?

Sun Apr 07, 2019 9:49 pm

The suggested NAT Rule seems to kill the connection from the laptop.
I rather assume it doesn't kill it in France but finally sends it to Britain, and it gets killed there.

Normally, a packet from the laptop's IP address to any public IP address is routed out via the French WAN and src-NATed to the French WAN's public IP, so the IPsec policy matching on the private IP as src-address misses it. When you shadow the common src-nat/masquerade rule in chain=srcnat by the action=accept one for the laptop's source IP, the packet is still routed out via the French WAN but is not src-nated. So if the policy doesn't catch and divert it, it gets out the French WAN unchanged, the remote server sees the private source IP address, and so it sends the response to that address which in the remote server's network belongs to a totally unrelated device or isn't assigned to anything at all.

As you say you can see four active SAs, I guess the phase 2 negotiation went fine for both pairs of policies and so the policy "from laptop IP to everywhere" is active, so I'd assume that the packets from the laptop do get caught by that policy and delivered to the UK box, which may or may not handle them properly, and may or may not handle properly the response. Or there is a different kind of DNS issue, see below.

I do already have exceptions for the existing 64.0 to 65.0 VPN so perhaps that's ok. However that doesn't explain my French external IP address. Any other ideas? DNS perhaps?
If you say the laptop connection is broken, whatsmyip should also not answer, so "French external IP" does not happen at the same time as "the accept rule in srcnat chain broke the laptop connection" to me. Am I wrong here?

As for DNS, it depends how the DNS on the laptop is configured. If the laptop was configured to use the French Mikrotik itself as a DNS server, the policy would be stealing the DNS queries as well and would be sending them to UK (where nothing would be answering them) as the Mikrotik's own IP is no exception from the 0.0.0.0/0 of the policy's destination IP. But this is obviously not the case because if it was, the DNS would have to fail due to this already without the accept rule in the srcnat chain and it didn't.

So at this moment I maintain my assumption that the packets from the laptop now happily make it to the UK and the Bad Thing happens there.

I have no more specific ideas until I see the configuration exports from both Mikrotik machines. Check my automatic signature for hints.
 
howdey57
Member Candidate
Member Candidate
Topic Author
Posts: 122
Joined: Wed Dec 31, 2014 2:36 pm

Re: Is there a definitive guide showing how to force all traffic through IPSec tunnel and out through Head Office ?

Sun Apr 07, 2019 11:05 pm

Complicated!

I've exported both sides, /ip only. Hopefully that is enough. And hopefully, nothing sensitive!

And thanks for your help!

Charles

France
# apr/07/2019 19:36:45 by RouterOS 6.44.2
# software id = 65FW-3KRA
#
# model = 2011UiAS-2HnD
/ip ipsec profile
add dh-group=modp4096 enc-algorithm=aes-256,aes-128,3des hash-algorithm=\
    sha512 name=profile_1
/ip ipsec peer
add address=yy.yy.yy.yy/32 comment=FranceBritain exchange-mode=ike2 name=peer2 \
    profile=profile_1
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1 enc-algorithms=\
    aes-256-cbc,aes-192-cbc,aes-128-cbc,3des
/ip pool
add name=dhcp ranges=192.168.65.2-192.168.65.100
add name=vpn-pool ranges=192.168.65.101-192.168.65.150
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=1h name=\
    "Default DHCP Server"
/ip address
add address=192.168.65.1/24 comment=defconf interface=bridge network=\
    192.168.65.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    ether1
/ip dhcp-server config
set store-leases-disk=immediately
/ip dhcp-server network
add address=192.168.65.0/24 comment=defconf gateway=192.168.65.1 netmask=24
/ip dns
set servers=208.67.222.222,208.67.220.220
/ip dns static
add address=192.168.65.1 name=router.lan
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet

/ip neighbor discovery-settings
set discover-interface-list=discover
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related dst-address=!192.168.65.79 \
    src-address=!192.168.65.79
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked log-prefix=Previous
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log-prefix="CH_Track invalid"
add action=drop chain=input comment=\
    "Drop incoming to router from my Blacklist" in-interface-list=WAN log=yes \
    log-prefix="CH_Track Blacklist Input from:" src-address-list=blacklist
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" in-interface-list=\
    WAN log=yes log-prefix="CH_Track !public" src-address-list=\
    not_in_internet
add action=drop chain=forward comment="Drop incoming from Blacklist site" \
    in-interface-list=WAN log=yes log-prefix="CH_Track Blacklist fwd from:" \
    src-address-list=blacklist
add action=drop chain=forward comment=\
    "To stop things getting out to Blacklist sites" dst-address-list=\
    blacklist log=yes log-prefix="CH_Track Blacklist fwd to:" \
    out-interface-list=WAN
add action=drop chain=output comment="Drop from Router to Blacklist sites" \
    dst-address-list=blacklist log=yes log-prefix=\
    "CH_Track Blacklist output to:" out-interface=ether1
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN log=yes log-prefix=\
    "defconf:  drop all from WAN not DSTNATed"
add action=drop chain=forward comment="TCP flags and Port 0 attacks" log=yes \
    log-prefix="TCP flags and Port 0 attacks" protocol=tcp tcp-flags=\
    !fin,!syn,!rst,!ack
add action=drop chain=forward comment="TCP Flag1" log=yes log-prefix=\
    "TCP Flag1" protocol=tcp tcp-flags=fin,syn
add action=drop chain=forward comment="TCP Flag2" log=yes log-prefix=\
    "TCP Flag1" protocol=tcp tcp-flags=fin,rst
add action=drop chain=forward comment="TCP Flag3" log=yes log-prefix=\
    "TCP Flag3" protocol=tcp tcp-flags=fin,!ack
add action=drop chain=forward comment="TCP Flag4" log=yes log-prefix=\
    "TCP Flag4" protocol=tcp tcp-flags=fin,urg
add action=drop chain=forward log=yes log-prefix="TCP Flag5" protocol=tcp \
    tcp-flags=syn,rst
add action=drop chain=forward log=yes log-prefix="TCP Flag 6:" protocol=tcp \
    tcp-flags=rst,urg
add action=drop chain=forward log=yes log-prefix="TCP Flag 7:" protocol=tcp \
    src-port=0
add action=accept chain=input comment=VPN log-prefix="CH_Track VPN" port=\
    1701,500,4500 protocol=udp
add action=accept chain=input comment=VPN protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept ICMP" log-prefix=Ping: \
    protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related,untracked log-prefix=Flag8:
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN log-prefix=\
    "CH_Track input not from LAN"
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid log-prefix="Flag 8:"
add action=drop chain=input comment=\
    "Drop everything else that has got through" in-interface-list=WAN \
    log-prefix="Last rule"
add action=accept chain=forward
/ip firewall nat
add action=src-nat chain=srcnat comment=NTP disabled=yes dst-port=25 log=yes \
    log-prefix="scrnat SMTP" protocol=tcp src-address=192.168.65.88 to-ports=\
    465
add action=accept chain=srcnat disabled=yes src-address=192.168.65.79
add action=accept chain=srcnat comment=FranceBritain dst-address=\
    192.168.64.0/24 src-address=192.168.65.0/24
add action=accept chain=dstnat comment=FranceBritain dst-address=\
    192.168.65.0/24 src-address=192.168.64.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=ether1
/ip firewall raw
add action=notrack chain=prerouting dst-address=192.168.65.0/24 src-address=\
    192.168.64.0/24
add action=notrack chain=prerouting dst-address=192.168.64.0/24 src-address=\
    192.168.65.0/24
/ip ipsec identity
add peer=peer2
/ip ipsec policy
add action=none comment="exception for locally terminating traffic" disabled=\
    yes dst-address=192.168.65.79/32 src-address=0.0.0.0/0
add comment="FranceBritain-Laptop " dst-address=0.0.0.0/0 sa-dst-address=\
    yy.yy.yy.yy sa-src-address=0.0.0.0 src-address=192.168.65.79/32 tunnel=\
    yes
add comment=FranceBritain dst-address=192.168.64.0/24 sa-dst-address=\
    yy.yy.yy.yy sa-src-address=0.0.0.0 src-address=192.168.65.0/24 tunnel=yes
/ip route
add comment=FranceBritain distance=1 dst-address=192.168.64.0/24 gateway=ether1 \
    pref-src=192.168.65.1
add distance=1 dst-address=192.168.64.1/32 gateway=192.168.1.254

Britain
# apr/07/2019 19:49:27 by RouterOS 6.44.2
# software id = UTIL-NR1C
#
# model = RouterBOARD 962UiGS-5HacT2HnT
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec profile
add dh-group=modp4096 enc-algorithm=aes-256,aes-128,3des hash-algorithm=\
    sha512 name=profile_1
/ip ipsec peer
add address=xx.xx.xx.xx/32 comment=FranceBritain exchange-mode=ike2 name=\
    peerFrance profile=profile_1
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1 enc-algorithms=\
    aes-256-cbc,aes-192-cbc,aes-128-cbc,3des
/ip pool
add name=dhcp ranges=192.168.64.2-192.168.64.100
add name=vpn-pool ranges=192.168.64.101-192.168.64.150
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name="Default DHCP Server"
/ip address
add address=192.168.64.1/24 comment="defconf - need to change to 64" \
    interface=ether2 network=192.168.64.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server lease
/ip dhcp-server network
add address=192.168.64.0/24 comment=defconf gateway=192.168.64.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=208.67.222.222,208.67.220.220
/ip dns static
add address=192.168.88.1 name=router.lan
add address=192.168.64.1 name=router.lan
/ip firewall address-list
add address=216.218.206.0/24 comment=\
    "myList delete delete delete delete delete delete delete" list=blacklist
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=drop chain=forward comment="Camera Out" log=yes log-prefix=\
    "Camera out:" out-interface-list=WAN src-address-list=Camera
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log-prefix="CH_Track invalid"
add action=drop chain=input comment="Drop input from blacklist" log-prefix=\
    "CH_Track Drop input from blacklist" src-address-list=blacklist
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" in-interface-list=\
    WAN log=yes log-prefix="CH_Track !public" src-address-list=\
    not_in_internet
add action=drop chain=forward comment="Drop from Blacklist sites" log=yes \
    log-prefix="CH_Track forward from Blacklist In:" src-address-list=\
    blacklist
add action=drop chain=forward comment="Drop to Blacklist sites" \
    dst-address-list=blacklist log=yes log-prefix=\
    "CH_Track forward to Blacklist"
add action=drop chain=output comment="Drop from Router to blacklist sites" \
    dst-address-list=blacklist log=yes log-prefix=\
    "CH_Track blacklist out from router"
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="TCP flags and Port 0 attacks" \
    protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=forward protocol=tcp tcp-flags=fin,syn
add action=drop chain=forward protocol=tcp tcp-flags=fin,rst
add action=drop chain=forward protocol=tcp tcp-flags=fin,!ack
add action=drop chain=forward protocol=tcp tcp-flags=fin,urg
add action=drop chain=forward protocol=tcp tcp-flags=syn,rst
add action=drop chain=forward protocol=tcp tcp-flags=rst,urg
add action=drop chain=forward protocol=tcp src-port=0
add action=accept chain=input comment=VPN log-prefix="CH_Track VPN" port=\
    1701,500,4500 protocol=udp
add action=accept chain=input comment=VPN log-prefix="CH_Track VPN" protocol=\
    ipsec-esp
add action=accept chain=input comment="ICMP Ping" log=yes protocol=icmp
add action=accept chain=input comment=\
    "accept input established,related,untracked" connection-state=\
    established,related,untracked log-prefix=\
    "accept input established,related,untracked"
add action=accept chain=input connection-state=established disabled=yes
add action=accept chain=input connection-state=related disabled=yes
add action=passthrough chain=input in-interface-list=!LAN
add action=drop chain=input comment=\
    "Drop everything else that has got through" in-interface-list=WAN \
    log-prefix="Last rule: Input"
add action=drop chain=forward comment=\
    "Drop everything else that has got through" in-interface-list=WAN \
    log-prefix="Last Rule: Forward"
/ip firewall nat
add action=dst-nat chain=dstnat disabled=yes dst-port=15092 log=yes \
    log-prefix="CH_Track NAT RDP" protocol=tcp to-addresses=192.168.64.11 \
    to-ports=3389
add action=accept chain=srcnat comment=FranceBritain dst-address=\
    192.168.65.0/24 src-address=192.168.64.0/24
add action=accept chain=dstnat comment=FranceBritain dst-address=\
    192.168.64.0/24 src-address=192.168.65.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip firewall raw
add action=notrack chain=prerouting dst-address=192.168.64.0/24 src-address=\
    192.168.65.0/24
add action=notrack chain=prerouting dst-address=192.168.65.0/24 src-address=\
    192.168.64.0/24
/ip ipsec identity
add peer=peerFrance
/ip ipsec policy
add comment=FranceBritain-Laptop dst-address=192.168.65.79/32 sa-dst-address=\
    xx.xx.xx.xx sa-src-address=0.0.0.0 src-address=0.0.0.0/0 tunnel=yes
add comment=FranceBritain dst-address=192.168.65.0/24 sa-dst-address=\
    xx.xx.xx.xx sa-src-address=0.0.0.0 src-address=192.168.64.0/24 \
    tunnel=yes
/ip route
add comment=FranceBritain distance=1 dst-address=192.168.65.0/24 gateway=ether1 \
    pref-src=192.168.64.1

 
sindy
Forum Guru
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Is there a definitive guide showing how to force all traffic through IPSec tunnel and out through Head Office ?

Mon Apr 08, 2019 2:36 pm

OK. It is always easier when you see the complete configurations. So in your case, you've prevented both NATing and fasttracking of the traffic between LAN.UK and LAN.FR by preventing connection tracking at all for this traffic, by means of the rules of the firewall table raw. So all the rules in the nat table of both boxes, which serve the same purpose (avoid NATing of the LAN.UK <-> LAN.FR traffic), are redundant and never match. Another effect of the rules in table raw is that all packets belonging to these connections are handled by the filter rule action=accept connection-state=...,untracked,.... And yet another effect is that you cannot use other connection-state values for these packets.

Regarding the chain=srcnat action=accept src-address=192.168.65.79 rule breaking the laptop connections, it is really as I've expected - upon addition of that rule, the policy's traffic selector started matching the outgoing packets from the laptop and diverting them to the security association, so they started getting to the UK, but they got dropped there.

The reason why they get dropped is that there is a filter rule dropping anything matching in-interface-list=WAN. With plain IPsec, a payload packet unpacked from a transport packet inherits the in-interface information from the transport packet, so your rule add action=drop chain=forward comment="Drop everything else that has got through" in-interface-list=WAN log-prefix="Last Rule: Forward" drops the initial packet of each outgoing connection of the laptop as it reaches the UK box using the security association. So add ipsec-policy=in,none to that rule, which will make that rule stop matching and dropping the payload packets decapsulated from the IPsec transport ones.

All subsequent packets of the laptop's outgoing connections will be let through thanks to the action=accept connection-state=related,established,... rule, so there is no need to modify any other rules.

Once we make the IPsec work the way you need, I'll have some more remarks to your firewall.
 
howdey57
Member Candidate
Member Candidate
Topic Author
Posts: 122
Joined: Wed Dec 31, 2014 2:36 pm

Re: Is there a definitive guide showing how to force all traffic through IPSec tunnel and out through Head Office ?

Mon Apr 08, 2019 8:46 pm

I added ipsec-policy=in,none to the UK rule. I then enabled the chain=srcnat action=accept src-address=192.168.65.79 rule in France but the laptop still can't get to the internet (via the UK?)

Do I need to disable the Raw rules as well?

My firewall rules have built up over a number of years and may all be rubbish - I am a home user - I like the challenge of the Mikrotiks, I used to use Drayteks, but....... For example, I believe the raw rules are needed for the IPSec vpn between the two boxes but I could be wrong.

Charles
 
sindy
Forum Guru
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Is there a definitive guide showing how to force all traffic through IPSec tunnel and out through Head Office ?

Mon Apr 08, 2019 8:58 pm

You're right, the raw rules must stay in place, otherwise you'd lose the lan2lan VPN connection.

Maybe I have missed some other rule in the UK which drops the laptop's traffic, I'll have one more look later.
 
howdey57
Member Candidate
Member Candidate
Topic Author
Posts: 122
Joined: Wed Dec 31, 2014 2:36 pm

Re: Is there a definitive guide showing how to force all traffic through IPSec tunnel and out through Head Office ?

Mon Apr 08, 2019 11:30 pm

I did a tracert with the NAT rule turned on. Looks like you are correct:

The tracert seems REALLY slow - not just the 51ms below.
Tracing route to 8.8.8.8 over a maximum of 30 hops

  1     3 ms     1 ms     1 ms  192.168.65.1
  2    51 ms    49 ms    56 ms  192.168.64.1
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
Could it be that the UK router doesn't know what to do with the French packets? Do I need a corresponding NAT rule in the UK for the .79 packets?
 
sindy
Forum Guru
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Is there a definitive guide showing how to force all traffic through IPSec tunnel and out through Head Office ?

Tue Apr 09, 2019 11:42 am

You really hate what comes in via WAN :D (which is a good strategy). I've missed your other filter rules which kill the French laptop's traffic before the rule we've modified yesterday can do it. These are the two following ones:
• action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface-list=WAN log=yes log-prefix="CH_Track !public" src-address-list=not_in_internet (it may actually not be effective because it depends on the not_in_internet address list, I don't know whether you have edited it out or it is indeed missing in the UK configuration)
• add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
The remedy is the same - add ipsec-policy=in,none so that they ignore the decapsulated IPsec payload and we'll finally get there. Or, another possibility, insert a rule chain=filter action=accept ipsec-policy=in,ipsec in-interface-list=WAN between the accept established,related,untracked and the drop invalid ones in filter to accept whatever comes in via an IPsec SA and has not been accepted yet by the accept untracked rule (because it has been marked as untracked by the rules in raw), but this way you'd shadow some more rules in your firewall so maybe better to stick with the former method.

As for the firewall - in principle all the rules in chain=forward of filter which follow the drop all from WAN not DSTNATed, except the very last one, only protect the rest of the world from devices in your LANs gone evil, because the packets which would match these rules but come in via one of the WAN interfaces never reach them as they get killed already by this last rule above them. So these are the rules which would be shadowed by the action=accept ipsec-policy=in,ipsec ... one. On the other hand it would not change anything in the great scheme of things as the same rules exist on the French box so they kill such packets already there.
     
howdey57
Member Candidate
Member Candidate
Topic Author
Posts: 122
Joined: Wed Dec 31, 2014 2:36 pm

Re: Is there a definitive guide showing how to force all traffic through IPSec tunnel and out through Head Office ?

Fri Apr 12, 2019 8:36 pm

Sindy,

Sorry for the delay in responding.

This now works. Thanks for your help and spending so much time on this. You are very generous with your time and knowledge.

The things I had to do were:
• In the UK, put ipsec-policy=in,ipsec in all rules that might stop the French traffic.
• Stop traffic from the relevant IP addresses from fasttracking in both France and the UK
• Ensure I turned off the Mikrotik served DNS so DHCP pointed to OpenDNS
• I've changed the single IP address (.79) into a range so that I can control more than one machine.
• I turn on UK based traffic by enabling the NAT for that range
The things I need to do are:
• Alter my script to update sa-dst-address for my new VPN when it changes
• Figure out a way to enable my new NAT - I'll look at your suggestions


And for my Firewall - I need to go through them carefully again and simplify where I can. I do have various blacklist address lists.

Charles
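The changes the thread arrived at (NAT exception, fasttrack exception and policy on the French side; mirrored policy, fasttrack exception and ipsec-policy=in,none on the UK drop rules, as sindy advised), collected as an added RouterOS example. This is not either router's export; yy.yy.yy.yy and xx.xx.xx.xx stand for the UK and French public addresses as in the exports above, the rule comments are those of the posted configurations, and 192.168.65.79 is the test laptop:

```routeros
# Added example: the complete set of changes for one laptop (192.168.65.79)
# whose internet traffic must leave through the UK router.

# ---- French (branch) router ----
/ip ipsec policy
# Everything from the laptop, whatever the destination, enters the SA.
add comment=FranceBritain-Laptop src-address=192.168.65.79/32 \
    dst-address=0.0.0.0/0 sa-src-address=0.0.0.0 \
    sa-dst-address=yy.yy.yy.yy tunnel=yes
/ip firewall nat
# The policy matches on the private source address, so the laptop must not
# be masqueraded. The accept rule has to sit above the masquerade one.
add chain=srcnat action=accept src-address=192.168.65.79 \
    comment="no src-nat for laptop, IPsec policy must see 192.168.65.79" \
    place-before=[ find comment="defconf: masquerade" ]
/ip firewall filter
# Fasttracked packets bypass the IPsec policy, so exempt the laptop.
set [ find comment="defconf: fasttrack" ] \
    src-address=!192.168.65.79 dst-address=!192.168.65.79
# The laptop itself must not use 192.168.65.1 as DNS server, otherwise the
# 0.0.0.0/0 policy would divert its DNS queries to the UK as well.

# ---- UK (head office) router ----
/ip ipsec policy
# Mirror image: anything addressed to the laptop goes back into the SA.
add comment=FranceBritain-Laptop src-address=0.0.0.0/0 \
    dst-address=192.168.65.79/32 sa-src-address=0.0.0.0 \
    sa-dst-address=xx.xx.xx.xx tunnel=yes
/ip firewall filter
# A payload packet decapsulated from an IPsec transport packet inherits
# in-interface-list=WAN, so the WAN drop rules must ignore packets that
# arrived through an SA (ipsec-policy=in,none = not matched by any policy).
set [ find chain=forward comment="defconf:  drop all from WAN not DSTNATed" ] \
    ipsec-policy=in,none
set [ find chain=forward comment="Drop incoming from internet which is not public IP" ] \
    ipsec-policy=in,none
set [ find chain=forward comment="Drop everything else that has got through" ] \
    ipsec-policy=in,none
# Replies heading back to the laptop must not be fasttracked either, or
# they would skip the policy on the way out.
set [ find comment="defconf: fasttrack" ] \
    src-address=!192.168.65.79 dst-address=!192.168.65.79
# The existing masquerade rule (ipsec-policy=out,none out-interface-list=WAN)
# already translates the laptop's traffic to the UK public address.
```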
     
vinay05
just joined
Posts: 2
Joined: Thu Sep 16, 2021 5:41 am

Re: Is there a definitive guide showing how to force all traffic through IPSec tunnel and out through Head Office ?

Thu Sep 16, 2021 6:17 pm

Hello Sindy,

I have following architecture:

On-premise (172.17.0.0/16) MikroTik router <-------- IPSEC Tunnel (BGP based)-------> CISCO CSRv in a PublicCloud (192.168.0.0/16)

In order to establish BGP session and end to end connectivity I have added following two policies:

====================
Policy 1 for BGP peers :

add dst-address=169.254.22.78/32 level=unique peer=peer1 proposal=Cloud-proposal \
    src-address=169.254.22.77/32 tunnel=yes


Policy 2 for end to end connectivity:

add dst-address=192.168.0.0/16 level=unique peer=peer1 proposal=Cloud-proposal \
    src-address=172.16.0.0/24 tunnel=yes
====================

NOW THE ISSUE HERE IS :

- On PublicCloud side it's a route based tunnel so, IPSec policy is limited to single security association so, it is causing connectivity issues. For some reason we can not modify anything on Cloud side of the tunnel.

- When I propose following single policy (which covers both BGP peer ranges and on-premise & Cloud network ranges) tunnel works perfectly fine but it is causing some internal routing issues on on-premise side.

add dst-address=0.0.0.0/0 level=unique peer=peer1 proposal=Cloud-proposal \
    src-address=0.0.0.0/0 tunnel=yes

ASK:

- Could you please advise me how to avoid internal routing issues without removing ipsec policy with 0.0.0.0/0 and without changing BGP peer ranges.

Thank you
Last edited by vinay05 on Thu Sep 16, 2021 6:22 pm, edited 1 time in total.
