2x CCR1009 as a VPN hub. Routing problem

Mon Dec 31, 2018 11:55 am

Hi everyone,
I want to replace my old ASA cluster, which acts as a VPN hub. I have two CCR1009 working in active/passive HA mode (VRRP + script + OSPF). It seemed that everything worked perfectly. Users from Branch 1 can reach all servers and HQ. The problem is with the Internet connection, because all branches have access to the Internet through our main firewall (for security purposes).

MikroTik has a default route that belongs to its WAN interface, and all packets from a branch to the Internet are processed through this route. I need all the traffic from the branches (IPsec tunnels) to go through the L3 switch, and then to the main firewall. On the Cisco ASA it was quite easy to do:

route outside WAN-GW-IP
route inside L3-SWITCH-IP tunneled

How can it be done optimally and simply on MikroTik? First thought: VRF, but IPsec does not have an interface that can be assigned to a VRF. Has anyone built such a scenario?

Thank you in advance for all the hints.
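One RouterOS (v6 syntax) equivalent of the ASA "tunneled" route, added here as an illustration and not part of the original post or any reply: policy routing that marks packets which arrived through an IPsec SA and sends them to a separate routing table whose default route points at the L3 switch. The address list, routing mark name and the gateway 192.0.2.1 (standing in for L3-SWITCH-IP) are assumptions.

```routeros
# Internal prefixes that branches may reach directly (assumed example prefix).
/ip firewall address-list
add list=internal address=10.0.0.0/8 comment="HQ and server networks"

# Packets decapsulated from an IPsec policy (ipsec-policy=in,ipsec) that are
# not destined for internal networks get a routing mark; everything else,
# including branch-to-HQ traffic, keeps using the main table.
/ip firewall mangle
add chain=prerouting ipsec-policy=in,ipsec dst-address-list=!internal \
    action=mark-routing new-routing-mark=via-firewall passthrough=no \
    comment="branch IPsec traffic bound for the Internet"

# Dedicated routing table: default route via the L3 switch (assumed address),
# while the main table keeps the WAN default route for the hub itself.
/ip route
add dst-address=0.0.0.0/0 gateway=192.0.2.1 routing-mark=via-firewall \
    comment="L3-SWITCH-IP towards main firewall"

# Verify which table marked traffic will use.
/ip route print where routing-mark=via-firewall
```

The return path must still work: the main firewall and L3 switch need routes for the branch subnets pointing back at the VRRP address shared by the two CCR1009s, otherwise replies bypass the hub and the IPsec policies never match.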


