I want to replace my old ASA cluster, which acts as a VPN hub. I have two CCR1009 working in active/passive HA mode (vrrp+script+ospf). It seemed that everything worked perfectly.. Users from Branch 1 can reach all servers and HQ. Problem is with the Internet connection, because all branches have access to the Internet through our main firewall (security purposes).
Mikrotik has default route that belongs to its WAN interface, and all packets from Branch to the Internet are processing through this route. I need all the traffic from Branches (ipsec tunnels) to go through the L3 switch, and then to the main firewall. On Cisco ASA it was quite easy to do.
route outside 0.0.0.0 0.0.0.0 WAN-GW-IP
route inside 0.0.0.0 0.0.0.0 L3-SWITCH-IP tunneled
How to do it optimally and simply on Mikrotik? First thought - VRF, but Ipsec does not have an interface that can be assigned to VRF. Has anyone made such a scenario?
Thank you in advance for all the hints.