andrius8
just joined
Topic Author
Posts: 11
Joined: Thu Jul 11, 2019 3:20 pm

S2S tunnel up, all can ping except mikrotik

Wed Aug 21, 2019 11:00 am

Hi all,
I have a Site 2 Site tunnel between 2 sites. The tunnel is up and all devices on both sides can ping/access each other, except for mikrotik. I cannot ping anything on the other side of the tunnel from mikrotik. I have no problem accessing mikrotik from the other side over the tunnel.
Is there anything specific that I need to add to mikrotik so it can also access devices from other side?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: S2S tunnel up, all can ping except mikrotik

Wed Aug 21, 2019 5:32 pm

If the tunnel is plain IPSec, the usual problem is the wrong source address used by the router. When the policy is for traffic between networks A and B, it works when devices in these networks connect to each other. But when the router tries to connect to the remote network, it won't use its local address as source, it will use its WAN address and the policy won't match. You can srcnat the router's own traffic to the remote subnet and change the source to the local address for which the policy exists. Or you can add another policy that includes the router's WAN address, but sometimes that can be problematic, e.g. when it's dynamic.
 
andrius8
just joined
Topic Author
Posts: 11
Joined: Thu Jul 11, 2019 3:20 pm

Re: S2S tunnel up, all can ping except mikrotik

Wed Aug 21, 2019 5:53 pm

I have the below, as without it none of the devices behind mikrotik would work.
add action=accept chain=srcnat dst-address=172.17.255.0/25 log=yes \
src-address=192.168.101.0/24

Are you saying I need to add specific srcnat for router itself? I would have expected that 192.168.101.0/24 would cover it.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: S2S tunnel up, all can ping except mikrotik  [SOLVED]

Wed Aug 21, 2019 6:04 pm

Your rule excludes traffic between the subnets from the main srcnat, it's correct. But this is a different problem. Let's say your router's WAN address is 1.2.3.4, then that's exactly the address that will be used as source. Neither the posted srcnat rule nor the IPSec policy will touch those packets, they will be sent to the internet.

Try this (assuming that 172.17.255.0/25 is remote network and 192.168.101.1 router's local address):
/ip firewall nat
add action=src-nat chain=srcnat dst-address=172.17.255.0/25 src-address-type=local to-addresses=192.168.101.1
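To see why the router's own packets miss the policy and why the rule above fixes it, here is an added Python model of the srcnat chain followed by the IPsec policy check (an editor's example, not code from this thread or from RouterOS). The WAN address 1.2.3.4 is the one Sob used; the LAN host 192.168.101.50, the remote host 172.17.255.10 and the catch-all masquerade rule are constructed assumptions.

```python
import ipaddress as ipa

# Constructed model of the thread's setup. 1.2.3.4 is the WAN address Sob used as an
# example; 192.168.101.1 is the router's LAN address. Both count as "local" for the
# src-address-type=local matcher.
ROUTER_ADDRS = {ipa.ip_address("1.2.3.4"), ipa.ip_address("192.168.101.1")}
LAN = ipa.ip_network("192.168.101.0/24")
REMOTE = ipa.ip_network("172.17.255.0/25")
IPSEC_POLICY = (LAN, REMOTE)  # policy src-address / dst-address

# srcnat rules. The first matching rule with a terminal action wins.
NAT_ACCEPT = {"action": "accept", "src": LAN, "dst": REMOTE}          # andrius8's rule
NAT_LOCAL = {"action": "src-nat", "src_type": "local", "dst": REMOTE,  # Sob's fix
             "to": ipa.ip_address("192.168.101.1")}
NAT_MASQ = {"action": "masquerade"}  # the usual catch-all internet rule (assumed)
WAN_ADDR = ipa.ip_address("1.2.3.4")

def rule_matches(rule, src, dst):
    if "src" in rule and src not in rule["src"]:
        return False
    if "dst" in rule and dst not in rule["dst"]:
        return False
    if rule.get("src_type") == "local" and src not in ROUTER_ADDRS:
        return False
    return True

def srcnat(rules, src, dst):
    """Walk the srcnat chain in order and return the post-NAT source address."""
    for rule in rules:
        if not rule_matches(rule, src, dst):
            continue
        if rule["action"] == "accept":
            return src
        if rule["action"] == "src-nat":
            return rule["to"]
        if rule["action"] == "masquerade":
            return WAN_ADDR
    return src

def path(rules, src, dst):
    """RouterOS matches IPsec policies after srcnat, so check the post-NAT source.
    Returns ('ipsec' | 'internet', source address actually used)."""
    src, dst = ipa.ip_address(src), ipa.ip_address(dst)
    new_src = srcnat(rules, src, dst)
    if new_src in IPSEC_POLICY[0] and dst in IPSEC_POLICY[1]:
        return ("ipsec", str(new_src))
    return ("internet", str(new_src))
```

Rule order matters: the src-nat rule has to sit above the masquerade rule, otherwise the router's packets are already rewritten to the WAN address before it is reached and still leave in the clear.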
 
andrius8
just joined
Topic Author
Posts: 11
Joined: Thu Jul 11, 2019 3:20 pm

Re: S2S tunnel up, all can ping except mikrotik

Wed Aug 21, 2019 10:11 pm

Thanks this did the trick.
