# RouterOS snippet: a bridge with no ports, used purely as a sink ("blackhole") interface.
/interface bridge
add name=vpn-blackhole
# Interface routes for the three RFC 1918 ranges pointing at the port-less bridge. Per the
# comments the intent is to keep private destinations from falling through to the default
# route while the VPN is down. distance=5 here differs from distance=1 in the full site
# exports below, which also cover only 172.16.0.0/12.
# NOTE(review): a gateway=<interface> route makes the router try to resolve the destination
# on that interface; the "Destination host unreachable" seen in the tcping output further
# down is consistent with that. RouterOS also has type=blackhole routes, which discard
# silently instead of answering with ICMP — worth comparing if the ICMP reply is unwanted.
/ip route
add comment="Blackhole for RFC 1918" distance=5 dst-address=10.0.0.0/8 gateway=vpn-blackhole
add comment="Blackhole for RCF 1918 class B" distance=5 dst-address=172.16.0.0/12 gateway=\
vpn-blackhole
add comment="Blackhole for RCF 1918 class C" distance=5 dst-address=192.168.0.0/16 gateway=\
vpn-blackhole
Here is my test network:
https://imgur.com/a/yoAlWON
The internet is simulated with the top router. The two sites are connected to it with two more routers. All of the routers are running RouterOS CHR in VMware.
Since this environment was created just to find the solution to this problem, I'm going to post full unaltered configs here.
Here is the config for the "office" site:
# Office site export (system identity office.myserver.hu). Review comments added; the
# commands themselves are unchanged.
/interface bridge
add name=bridge-office
# Port-less bridge used only as a route sink (see /ip route at the end).
add name=vpn-blackhole
/interface ethernet
set [ find default-name=ether1 ] name=ether1-internet
/interface list
add name=LAN
add name=WAN
# Default-export artifact; no wireless interface is referenced anywhere in this config.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec policy group
add name=branch01.myserver.hu
# IKE phase-1 parameters: AES-256 / SHA-256 / 2048-bit MODP, strict proposal check.
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=myserver.hu proposal-check=strict
# passive=yes and no address: this side only answers IKE from the branch; the branch
# export pins this router's WAN address (100.3.3.10/32) on its peer entry instead.
/ip ipsec peer
add exchange-mode=ike2 local-address=100.3.3.10 name=peer-branch01 passive=yes profile=myserver.hu
# Phase-2 proposal with PFS (modp2048).
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=proposal-myserver.hu pfs-group=modp2048
/ip pool
add name=pool-office ranges=172.16.2.100-172.16.2.200
/ip dhcp-server
add address-pool=pool-office disabled=no interface=bridge-office name=dhcp-office
# Only ether2/ether3 are bridge ports; ether4/ether5 are in the LAN list below but not bridged.
/interface bridge port
add bridge=bridge-office interface=ether2
add bridge=bridge-office interface=ether3
/interface list member
add interface=ether1-internet list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
/ip address
add address=172.16.2.1/24 interface=bridge-office network=172.16.2.0
add address=100.3.3.10/24 interface=ether1-internet network=100.3.3.0
/ip dhcp-server network
add address=172.16.2.0/24 dns-server=172.16.2.1 gateway=172.16.2.1
# The router answers DNS for the LAN; the input-chain "drop all not coming from LAN" rule
# below is what keeps this resolver closed towards the WAN.
/ip dns
set allow-remote-requests=yes servers=100.3.3.3
/ip firewall filter
# IKE/NAT-T (UDP 500/4500) and ESP are accepted only on the WAN interface and only when
# addressed to this router's own WAN address.
add action=accept chain=input comment="Allow UPD 500,4500 for IKEv2" dst-address=100.3.3.10 dst-port=500,4500 in-interface=ether1-internet protocol=udp
add action=accept chain=input comment="Allow IPSEC/ESP" dst-address=100.3.3.10 in-interface=ether1-internet protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# Accepts everything that arrived decrypted through an IPsec policy, with no src/dst
# address match. Adding src-address=172.16.1.0/24 dst-address=172.16.2.0/24 would limit
# what the branch side can reach if it is ever compromised.
add action=accept chain=forward ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward in-interface-list=LAN src-address=172.16.2.0/24
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# MSS clamp only for decrypted traffic coming from the branch LAN; the branch export
# carries the mirror rule for the opposite direction.
/ip firewall mangle
add action=change-mss chain=forward comment="IKE2: Clamp TCP MSS from 172.16.1.0/24 to ANY" ipsec-policy=in,ipsec new-mss=1360 passthrough=yes protocol=tcp src-address=172.16.1.0/24 \
tcp-flags=syn tcp-mss=!0-1360
/ip firewall nat
# Bypass rule, present but disabled. NOTE(review): MikroTik documents that srcnat is
# evaluated before the IPsec policy lookup, which is why a bypass rule ordered before
# masquerade is normally required for site-to-site traffic; how this interacts with the
# sink route to vpn-blackhole (the question raised in the post) is not settled by this
# export alone — confirm against the packet-flow diagram for the running version.
add action=accept chain=srcnat comment="bypass nat for VPN tunnel between internal addresses" disabled=yes dst-address=172.16.0.0/12 src-address=172.16.0.0/12
add action=masquerade chain=srcnat out-interface=ether1-internet
# Certificate-based identity: the remote certificate is named explicitly and matched by
# certificate, not only by remote-id. The branch export does not mirror this.
/ip ipsec identity
add auth-method=digital-signature certificate=office.myserver.hu match-by=certificate my-id=fqdn:office.myserver.hu peer=peer-branch01 policy-template-group=branch01.myserver.hu \
remote-certificate=branch01.myserver.hu remote-id=fqdn:branch01.myserver.hu
# Tunnel-mode policy office LAN <-> branch LAN; SA endpoints are the two WAN addresses.
/ip ipsec policy
add dst-address=172.16.1.0/24 peer=peer-branch01 proposal=proposal-myserver.hu sa-dst-address=100.2.2.10 sa-src-address=100.3.3.10 src-address=172.16.2.0/24 tunnel=yes
/ip route
add distance=1 gateway=100.3.3.3
# Sink route for 172.16.0.0/12 via the port-less bridge (distance=1, unlike distance=5 in
# the standalone snippet above). Only the class-B private range is covered here.
add comment="Blackhole for RCF 1918 class B" distance=1 dst-address=172.16.0.0/12 gateway=vpn-blackhole
/system identity
set name=office.myserver.hu
# Branch site export (system identity branch01.myserver.hu). Review comments added; the
# commands themselves are unchanged. Structure mirrors the office export.
/interface bridge
add name=bridge-branch01
# Port-less bridge used only as a route sink (see /ip route at the end).
add name=vpn-blackhole
/interface ethernet
set [ find default-name=ether1 ] name=ether1-internet
/interface list
add name=LAN
add name=WAN
# Default-export artifact; no wireless interface is referenced in this config.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec policy group
add name=office.myserver.hu
# IKE phase-1 parameters identical to the office side.
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=myserver.hu proposal-check=strict
# This side initiates: the office WAN address is pinned as the peer address, and the
# office peer entry is passive.
/ip ipsec peer
add address=100.3.3.10/32 exchange-mode=ike2 local-address=100.2.2.10 name=peer-office profile=myserver.hu
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=proposal-myserver.hu pfs-group=modp2048
/ip pool
add name=pool-branch ranges=172.16.1.100-172.16.1.200
/ip dhcp-server
add address-pool=pool-branch disabled=no interface=bridge-branch01 name=dhcp-branch01
# Only ether2/ether3 are bridge ports; ether4/ether5 are in the LAN list below but not bridged.
/interface bridge port
add bridge=bridge-branch01 interface=ether2
add bridge=bridge-branch01 interface=ether3
/interface list member
add interface=ether1-internet list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
/ip address
add address=172.16.1.1/24 interface=bridge-branch01 network=172.16.1.0
add address=100.2.2.10/24 interface=ether1-internet network=100.2.2.0
/ip dhcp-server network
add address=172.16.1.0/24 dns-server=172.16.1.1 gateway=172.16.1.1
# LAN resolver; shielded from the WAN by the input-chain "drop all not coming from LAN" rule.
/ip dns
set allow-remote-requests=yes servers=100.2.2.2
/ip firewall filter
# IKE/NAT-T and ESP accepted only on the WAN interface and only to this router's WAN address.
add action=accept chain=input comment="Allow UPD 500,4500 for IKEv2" dst-address=100.2.2.10 dst-port=500,4500 in-interface=ether1-internet protocol=udp
add action=accept chain=input comment="Allow IPSEC/ESP" dst-address=100.2.2.10 in-interface=ether1-internet protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# Accepts all decrypted traffic regardless of address; restricting it to
# src-address=172.16.2.0/24 dst-address=172.16.1.0/24 would bound what the office side
# can reach through the tunnel.
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward in-interface-list=LAN src-address=172.16.1.0/24
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# MSS clamp for decrypted traffic from the office LAN (mirror of the office-side rule).
/ip firewall mangle
add action=change-mss chain=forward comment="IKE2: Clamp TCP MSS from 172.16.2.0/24 to ANY" ipsec-policy=in,ipsec new-mss=1360 passthrough=yes protocol=tcp src-address=172.16.2.0/24 tcp-flags=syn tcp-mss=\
!0-1360
/ip firewall nat
# Disabled bypass rule, same role as on the office side: when enabled it keeps
# site-to-site traffic out of masquerade, which RouterOS evaluates before the IPsec
# policy lookup.
add action=accept chain=srcnat disabled=yes dst-address=172.16.0.0/12 src-address=172.16.0.0/12
add action=masquerade chain=srcnat out-interface=ether1-internet
# NOTE(review): unlike the office identity, this one has no match-by=certificate and no
# remote-certificate, so the peer is selected by remote-id only. Adding
# match-by=certificate remote-certificate=office.myserver.hu would make the two sides
# symmetric; verify the office certificate is present in /certificate on this router first.
/ip ipsec identity
add auth-method=digital-signature certificate=branch01.myserver.hu my-id=fqdn:branch01.myserver.hu peer=peer-office policy-template-group=office.myserver.hu remote-id=fqdn:office.myserver.hu
# Tunnel-mode policy branch LAN <-> office LAN; SA endpoints are the two WAN addresses.
/ip ipsec policy
add dst-address=172.16.2.0/24 peer=peer-office proposal=proposal-myserver.hu sa-dst-address=100.3.3.10 sa-src-address=100.2.2.10 src-address=172.16.1.0/24 tunnel=yes
/ip route
add distance=1 gateway=100.2.2.2
# Sink route for 172.16.0.0/12 via the port-less bridge; only the class-B range is covered.
add comment="Blackhole for RCF 1918 class B" distance=1 dst-address=172.16.0.0/12 gateway=vpn-blackhole
/system identity
set name=branch01.myserver.hu
This is what I see on PC2:
Connect 7@172.16.1.10 timeout
Connect 7@172.16.1.10 timeout
Connect 7@172.16.1.10 timeout
Connect 7@172.16.1.10 timeout
Connect 7@172.16.1.10 timeout
Connect 7@172.16.1.10 timeout
*100.3.3.10 tcp_seq=7142 ttl=64 time=162.140 ms (ICMP type:3, code:1, Destination host unreachable)
Connect 7@172.16.1.10 timeout
Connect 7@172.16.1.10 timeout
Connect 7@172.16.1.10 timeout
Connect 7@172.16.1.10 timeout
Connect 7@172.16.1.10 timeout
Connect 7@172.16.1.10 timeout
Connect 7@172.16.1.10 timeout
Connect 7@172.16.1.10 timeout
Connect 7@172.16.1.10 timeout
Connect 7@172.16.1.10 timeout
Connect 7@172.16.1.10 timeout
Connect 7@172.16.1.10 timeout
The same thing happens on PC1:
Connect 7@172.16.2.10 timeout
Connect 7@172.16.2.10 timeout
Connect 7@172.16.2.10 timeout
Connect 7@172.16.2.10 timeout
Connect 7@172.16.2.10 timeout
*100.2.2.10 tcp_seq=6193 ttl=64 time=156.605 ms (ICMP type:3, code:1, Destination host unreachable)
Connect 7@172.16.2.10 timeout
Connect 7@172.16.2.10 timeout
Connect 7@172.16.2.10 timeout
Connect 7@172.16.2.10 timeout
Connect 7@172.16.2.10 timeout
Connect 7@172.16.2.10 timeout
Connect 7@172.16.2.10 timeout
Connect 7@172.16.2.10 timeout
Connect 7@172.16.2.10 timeout
Connect 7@172.16.2.10 timeout
Connect 7@172.16.2.10 timeout
Connect 7@172.16.2.10 timeout
*100.2.2.10 tcp_seq=6207 ttl=64 time=161.157 ms (ICMP type:3, code:1, Destination host unreachable)
Connect 7@172.16.2.10 timeout
Connect 7@172.16.2.10 timeout
Connect 7@172.16.2.10 timeout
If I enable this first NAT bypass rule under /ip firewall nat
[admin@office.myserver.hu] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 X ;;; bypass nat for VPN tunnel between internal addresses
chain=srcnat action=accept src-address=172.16.0.0/12 dst-address=172.16.0.0/12
1 chain=srcnat action=masquerade out-interface=ether1-internet
[admin@office.myserver.hu] /ip firewall nat> set 0 disabled=no
Here is what I don't understand. These routers already have blackhole/fake routes for the whole class B private range:
# Route table excerpt referenced in the question: default route plus the sink route.
/ip route
add distance=1 gateway=100.3.3.3
# 172.16.0.0/12 is more specific than the default route, so a plain route lookup for
# the remote LAN should select vpn-blackhole rather than the Internet gateway.
add comment="Blackhole for RCF 1918 class B" distance=1 dst-address=172.16.0.0/12 gateway=vpn-blackhole
# srcnat with only the masquerade rule and no bypass rule; the site exports above keep
# the bypass rule present but disabled.
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1-internet
But if I do the same in production, then it works!
I spent two days putting together GNS3 and the whole test environment and I still don't understand what is happening here. Pulling my hair out. :-)
I apologize, that was a bit of a long introduction...
The basic question is this:
* On the office router, I have this static route to the portless vpn-blackhole bridge
* But the packets that should be forwarded from 172.16.2.0/24 to 172.16.1.0/24 are getting masqueraded, as if they were meant to be sent out on the ether1-internet interface. Why?
* Not that important, but why does it work on some devices and not on others? (But I guess once I know the answer to the first one, I'll also know the answer to the second one...)