I have a router serving a branch office. All the forward traffic from LAN is being encrypted with IPsec and sent to the HQ. Mikrotik's outside interface is connected to the ISP modem and receives an IP-address via DHCP. At this moment the IPsec tunnel is working fine, LAN devices are reaching HQ devices, and vice versa.
The problem is the NTP sync. I want to sync my Mikrotik to the NTP server from the HQ network. But output traffic is not matching IPsec policy, which catches all traffic from LAN to 0.0.0.0. If I configure one more policy to catch traffic from the outside interface NTP sync works fine. But I don't want to set up an IPces tunnel for NTP only.
My second choice was to use SRC-NAT. I have a mangle rule to mark NTP requests with a connection mark. And I have an SRC-NAT rule to substitute the source address (outside interface IP) with LAN bridge IP. Both rules have logging enabled and I see them being applied each time Mikrotik sends an NTP request. Still, the time is not correct. None of my firewall rules blocks the NTP responses. The torch tool shows me a connection from NTP to LAN bridge IP. With nothing happening elsewhere.
As I can see from the torch, output NTP traffic passes SRC-NAT, matches IPsec policy, and passes to HQ. The issue is to utilize the response.