invamalaj
just joined
Topic Author
Posts: 2
Joined: Wed Oct 14, 2020 12:47 pm

Inverse Split Tunneling MikroTik

Wed Oct 14, 2020 1:32 pm

Hello,
I am interested in implementing Inverse Split Tunneling with MikroTik RouterBOARD 750 r2.
So, I have configured IPsec VPN to a VPN Concentrator, where I have tunneled the three private prefixes (10.0.0.0/8 & 172.16.0.0/12 & 192.168.0.0/16), each one with its own policy.
My scope is to exclude from VPN a specific private prefix of RB 750 r2, for example: 172.20.20.0/28.
Or, I don't want to include in VPN the traffic from src 172.20.23.0/28 to dst 172.20.20.1 (its gateway IP).
I have tried some prerouting and filter rules, but it hasn't worked until now.
Any suggestion would be appreciated.
Best regards,
Inva.
 
sindy
Forum Guru
Posts: 5968
Joined: Mon Dec 04, 2017 9:19 pm

Re: Inverse Split Tunneling MikroTik

Wed Oct 14, 2020 8:09 pm

Prerouting and filter rules do not affect IPsec policy matching. You can add an /ip ipsec policy row with action=none for the dst-address ranges you want to exclude from the tunneling before (above) the policies with action=encrypt; policy matching works the same way as firewall rule matching, first to last until the first match.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
invamalaj
just joined
Topic Author
Posts: 2
Joined: Wed Oct 14, 2020 12:47 pm

Re: Inverse Split Tunneling MikroTik

Thu Oct 15, 2020 5:45 pm

Hello,
Thanks a lot for your reply.
I had indeed tried before to add a policy "add src-address=172.20.23.0/28 dst-address=172.20.23.1 action=none place-before=0", but it hadn't worked.
Now I replaced that with "add src-address=172.20.23.0/28 dst-address=172.20.23.0/28 action=none place-before=0" and it works OK.
Thank you.
Best regards,
Inva.
 
sindy
Forum Guru
Posts: 5968
Joined: Mon Dec 04, 2017 9:19 pm

Re: Inverse Split Tunneling MikroTik

Thu Oct 15, 2020 6:14 pm

> I had indeed tried before to add a policy "add src-address=172.20.23.0/28 dst-address=172.20.23.1 action=none place-before=0", but it hadn't worked.
> Now I replaced that with "add src-address=172.20.23.0/28 dst-address=172.20.23.0/28 action=none place-before=0" and it works OK.
Of course, because the first variant was only dealing with one direction (packets sent by the LAN host to the router), but not with the opposite one. So packets sent by the router to the LAN hosts kept being matched and redirected by the IPsec policy.
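The two answers above come down to one rule: the IPsec policy table is walked top to bottom and the first row whose src-address/dst-address selectors cover the packet decides, for each direction of a flow separately. The following Python script is an added illustration of that rule (it is not MikroTik code and does not come from the thread); it models a RouterOS-style policy table with the three encrypt policies from the first post and compares the two action=none rows invamalaj tried. The encrypt policies' src-address=0.0.0.0/0 and the host address 172.20.23.5 are assumptions, since the thread never shows the actual export.

```python
"""First-match IPsec policy lookup, checked for both directions of a flow.

Added illustration, not RouterOS code. It models /ip ipsec policy as an
ordered list where the first row whose selectors cover the packet wins.
Assumptions: the encrypt policies use src-address=0.0.0.0/0, and the LAN
host address 172.20.23.5 is constructed for the example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    src: ipaddress.IPv4Network   # src-address selector
    dst: ipaddress.IPv4Network   # dst-address selector
    action: str                  # "none" (bypass the tunnel) or "encrypt"


def policy(src: str, dst: str, action: str) -> Policy:
    """Build a policy row from CIDR strings (a bare host like 172.20.23.1 is /32)."""
    return Policy(ipaddress.ip_network(src), ipaddress.ip_network(dst), action)


# The three encrypt policies from the first post (src-address assumed 0.0.0.0/0).
ENCRYPT_POLICIES = [
    policy("0.0.0.0/0", "10.0.0.0/8", "encrypt"),
    policy("0.0.0.0/0", "172.16.0.0/12", "encrypt"),
    policy("0.0.0.0/0", "192.168.0.0/16", "encrypt"),
]

# First attempt from the thread: the bypass row only covers LAN host -> router.
FIRST_ATTEMPT = [policy("172.20.23.0/28", "172.20.23.1/32", "none")] + ENCRYPT_POLICIES

# Working variant: the selectors cover both endpoints, so both directions match it.
WORKING = [policy("172.20.23.0/28", "172.20.23.0/28", "none")] + ENCRYPT_POLICIES

# Same bypass row, but placed after the encrypt rows (no place-before=0): never reached.
MISPLACED = ENCRYPT_POLICIES + [policy("172.20.23.0/28", "172.20.23.0/28", "none")]


def lookup(policies, src_ip: str, dst_ip: str) -> str:
    """Return the action of the first policy whose selectors cover the packet.

    Traffic matched by no policy at all is simply routed in the clear ("none").
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if src in p.src and dst in p.dst:
            return p.action
    return "none"


def flow_actions(policies, host_ip: str, peer_ip: str) -> tuple:
    """Actions chosen for host->peer and for peer->host; each direction is looked up on its own."""
    return (lookup(policies, host_ip, peer_ip), lookup(policies, peer_ip, host_ip))


def excluded_from_tunnel(policies, host_ip: str, peer_ip: str) -> bool:
    """True only when neither direction of the conversation is pulled into the tunnel."""
    return flow_actions(policies, host_ip, peer_ip) == ("none", "none")


if __name__ == "__main__":
    host, gateway = "172.20.23.5", "172.20.23.1"   # constructed sample LAN host and its gateway
    for name, table in (("first attempt", FIRST_ATTEMPT), ("working", WORKING), ("misplaced", MISPLACED)):
        fwd, rev = flow_actions(table, host, gateway)
        print(f"{name:14s} host->gw: {fwd:8s} gw->host: {rev:8s} excluded: {excluded_from_tunnel(table, host, gateway)}")
    # Traffic to the other tunnelled prefixes is still encrypted with the working table.
    print("host->10.1.1.1:", lookup(WORKING, host, "10.1.1.1"))
```

Running it shows the asymmetry sindy points out: with the first attempt the host-to-gateway direction hits the bypass row but the gateway-to-host reply falls through to the 172.16.0.0/12 encrypt row, while the working row bypasses both directions and still leaves traffic to 10.0.0.0/8 and the other prefixes encrypted. The misplaced table shows why place-before=0 matters.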
