I'm trying to build a rather particular setup using CAPsMAN. The idea is to join a "roaming" router, used while travelling, to my home network (HQ router). Once the two are linked over some kind of tunnel, the roaming router simply pulls its Wi-Fi configuration from the CAPsMAN running on the HQ router. I have already implemented this successfully with several kinds of L2/L3 tunnels, but I have failed when trying to do it with IKEv2 alone, using policy-based routing.
The idea is to set up IKEv2 in a road-warrior scheme, as described in the "Road Warrior Client with NAT" example in the official documentation. Once the two routers are joined by IKEv2 and there is a policy routing all traffic to the IKEv2 road-warrior IP (0.0.0.0/0 -> 192.168.78.3), a src-nat rule lets the roaming router talk to HQ and pull the CAPsMAN configuration, by pointing the CAP at 192.168.77.1 (the main HQ address). Up to this point everything works: I can see the roaming router pulling the CAPsMAN config and applying it to its Wi-Fi interface. The problem is the forwarding mode. Local forwarding works fine (traffic stays on the roaming router and reaches the internet through its own WAN), but manager forwarding (local-forwarding=no) does not work at all. I assume it is related to the src-nat rule or something else in the firewall/NAT, but I cannot make it work, and I am starting to suspect a bug, which is why I'm posting here. The configuration is pulled, Wi-Fi clients connect, DHCP from HQ even works, but when the clients try to reach the internet their traffic does not leave through the HQ router via the CAPsMAN tunnel, and they never get out. The odd thing is that they can reach the HQ LAN (any device in 192.168.77.0/24) but cannot get out to the internet at all.
Can any of you think of what is happening here? I'm fairly sure it must be NAT-related, probably on the HQ side, but I cannot work out what is needed to make it work.
If I simply run an EoIP tunnel on top of the IKEv2 tunnel and change the CAP to discover CAPsMAN through that interface, I get exactly what I am after, with either local-forwarding=yes or local-forwarding=no. But I would like to make it work using only the IKEv2 tunnel and policy-based routing.
Below is the configuration of the roaming router, plus the firewall/NAT/mangle sections from HQ. Both routers run the latest stable RouterOS version, 6.48.2.
Roaming router
# Single LAN bridge. The MAC is pinned (auto-mac=no) so the bridge address
# does not change when ports are added or removed.
/interface bridge
add name=bridge auto-mac=no admin-mac=C4:AD:34:FA:0B:F5
/interface wireless
# managed by CAPsMAN
# channel: 2412/20/gn(18dBm), SSID: WHATERVER, CAPsMAN forwarding
# The locally configured SSID is only a placeholder; the live SSID, channel
# and forwarding mode are pushed by CAPsMAN (see /interface wireless cap).
set [ find where default-name=wlan1 ] ssid=MikroTik
# Interface lists referenced by the firewall, NAT, neighbor discovery and
# MAC-server settings below.
/interface list
add name=WAN comment=defconf
add name=LAN comment=defconf
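/ip ipsec policy group
add name=ike2-template-group
# Phase 1 (IKE SA) parameters. modp1024 was removed from the DH list:
# 1024-bit DH is below current minimums. The original order already preferred
# modp2048/modp1536, so nothing changes as long as the HQ profile offers one
# of those; if HQ only accepts modp1024 the tunnel will stop coming up.
/ip ipsec profile
add name=ike2-profile hash-algorithm=sha256 \
    enc-algorithm=aes-256,aes-192,aes-128 dh-group=modp2048,modp1536
/ip ipsec peer
add name=ike2-beast-peer exchange-mode=ike2 profile=ike2-profile \
    address=router.myhomeheadquarters.com
# Phase 2 (child SA) proposal. sha1 was removed from the integrity list for
# the same reason; the HQ proposal must offer sha256 or sha512 for the
# CBC/CTR suites (the GCM suites carry their own integrity).
# pfs-group=none is left as-is because PFS has to be turned on at both ends
# at the same time; it is worth revisiting together with the HQ proposal.
/ip ipsec proposal
add name=ike2-proposal lifetime=8h pfs-group=none \
    auth-algorithms=sha512,sha256 \
    enc-algorithms="aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-cbc,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm"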
# DHCP for the roaming router's own LAN (192.168.76.0/24).
/ip pool
add name=dhcp ranges=192.168.76.10-192.168.76.254
/ip dhcp-server
add name=dhcp interface=bridge address-pool=dhcp disabled=no
# Wired LAN ports. wlan1 is not listed here; it is attached to the bridge by
# the CAP configuration instead.
/interface bridge port
add interface=ether2 bridge=bridge
add interface=ether3 bridge=bridge
# Neighbor discovery only on the LAN side; internet detection on the WAN side.
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=WAN
# List membership: the bridge is the LAN, ether1 is the WAN uplink.
/interface list member
add list=LAN interface=bridge
add list=WAN interface=ether1
/interface wireless cap
# The CAP looks for its manager at the HQ router's LAN address. That address
# is only reachable through the IKEv2 tunnel, and only because the src-nat
# rule in /ip firewall nat rewrites the source to the mode-config address.
# bridge= names the bridge the managed wlan1 is attached to.
# NOTE(review): no CAP certificate / lock-to-caps-man is configured here, so
# CAP<->CAPsMAN authentication rests entirely on the IPsec tunnel -- verify
# that is the intent.
set enabled=yes interfaces=wlan1 bridge=bridge caps-man-addresses=192.168.77.1
# Roaming LAN addressing and local services.
/ip address
add interface=bridge address=192.168.76.1/24 network=192.168.76.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=192.168.76.0/24 netmask=24 gateway=192.168.76.1
# The router acts as a resolver for its clients; the input chain's final
# "drop all not coming from LAN" rule keeps it from answering on the WAN side.
/ip dns
set allow-remote-requests=yes
/ip dns static
add name=roaming.lan address=192.168.76.1 comment=defconf
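/ip firewall filter
# --- input: traffic addressed to the roaming router itself ---
add chain=input action=accept comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add chain=input action=drop comment="defconf: drop invalid" \
    connection-state=invalid
add chain=input action=accept comment="defconf: accept ICMP" protocol=icmp
# IKE/ESP from the internet. The "public-ip" address list is not defined
# anywhere in this export, and this router is the IKE initiator (replies are
# already matched by the established rule above), so these two rules are
# expected to match nothing. Kept so the ruleset stays in step with HQ.
add chain=input action=accept dst-address-list=public-ip protocol=udp \
    dst-port=500,4500
add chain=input action=accept dst-address-list=public-ip protocol=ipsec-esp
# Decrypted tunnel traffic to the router. The original rule accepted anything
# that came out of the tunnel; the client-side policy covers 0.0.0.0/0, so any
# HQ-side source could reach winbox/ssh/api here. Limit it to the HQ LAN,
# which matches what the HQ side does for the road-warrior pool. The CAP
# opens its CAPsMAN session outbound to 192.168.77.1, so nothing else is
# needed; widen src-address if HQ manages this box from another prefix.
add chain=input action=accept comment="allow in-ipsec traffic" \
    ipsec-policy=in,ipsec src-address=192.168.77.0/24
add chain=input action=accept comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add chain=input action=drop comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# --- forward: traffic routed through the roaming router ---
# The two ipsec-policy accepts sit ahead of fasttrack, as in the RouterOS
# default configuration, so tunnel traffic is accepted before it can be
# fasttracked.
add chain=forward action=accept comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add chain=forward action=accept comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add chain=forward action=fasttrack-connection comment="defconf: fasttrack" \
    connection-state=established,related
add chain=forward action=accept comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add chain=forward action=drop comment="defconf: drop invalid" \
    connection-state=invalid
add chain=forward action=drop comment=\
    "defconf: drop all from WAN not DSTNATed" connection-state=new \
    connection-nat-state=!dstnat in-interface-list=WAN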
/ip firewall nat
# CAPsMAN traffic to 192.168.77.1 is rewritten to the mode-config address
# (192.168.78.3) so that it matches the 192.168.78.0/24 -> 0.0.0.0/0 IPsec
# policy template and is sent through the tunnel.
# NOTE(review): the address is hard-coded; if HQ ever hands out a different
# mode-config address this rule keeps rewriting to .3 and the traffic no
# longer matches the policy. Worth re-checking whenever the HQ pool changes.
add chain=srcnat action=src-nat dst-address=192.168.77.1 \
    to-addresses=192.168.78.3
# Everything else leaves through the local WAN. Packets that have an outbound
# IPsec policy are excluded so they are not masqueraded before encryption.
add chain=srcnat action=masquerade comment="default masq." \
    out-interface-list=WAN ipsec-policy=out,none
# Road-warrior identity: certificate authentication, address requested from
# HQ via mode-config, policies generated from the template group below.
/ip ipsec identity
add peer=ike2-beast-peer auth-method=digital-signature \
    certificate=vpn-client-roaming mode-config=request-only \
    generate-policy=port-strict policy-template-group=ike2-template-group
# Template: any traffic sourced from the mode-config pool, to anywhere, is
# encrypted. Only packets src-nat'ed to 192.168.78.3 (see /ip firewall nat)
# ever carry such a source, so the tunnel effectively carries CAPsMAN only.
/ip ipsec policy
add template=yes group=ike2-template-group proposal=ike2-proposal \
    src-address=192.168.78.0/24 dst-address=0.0.0.0/0
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=roaming-router
# MAC-level access (MAC telnet / MAC winbox) is limited to LAN interfaces.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Firewall Filter / NAT / Mangle from HQ router
/ip firewall filter
# --- input: traffic addressed to the HQ router itself ---
add chain=input action=accept comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add chain=input action=drop comment="defconf: drop invalid" \
    connection-state=invalid
# ICMP is rate limited (10/s, burst 5) before it is accepted.
add chain=input action=accept comment="defconf: accept ICMP" protocol=icmp \
    limit=10,5:packet
# IKE (UDP 500/4500) and ESP from the internet, only to the public address.
add chain=input action=accept comment="allow ipsec" protocol=udp \
    dst-port=500,4500 dst-address-list=public-ip
add chain=input action=accept comment="allow ipsec-esp" protocol=ipsec-esp \
    dst-address-list=public-ip
# Decrypted road-warrior traffic addressed to the router (the CAP's CAPsMAN
# session terminates here).
# NOTE(review): this accepts every port and protocol from the RW pool, so each
# road-warrior client gets the same access to router services as the LAN
# (there is no explicit LAN accept; the chain falls through to accept). If
# CAPsMAN is all the clients need, narrowing this to the CAPsMAN UDP ports
# (and whatever else is actually used) would be tighter.
add chain=input action=accept comment=allow-ipsec-rw ipsec-policy=in,ipsec \
    src-address=192.168.78.0/24
add chain=input action=drop comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# --- forward ---
# Policy-matched tunnel traffic is accepted ahead of fasttrack, as in the
# RouterOS default configuration.
add chain=forward action=accept comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add chain=forward action=accept comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add chain=forward action=fasttrack-connection comment="defconf: fasttrack" \
    connection-state=established,related
add chain=forward action=accept comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add chain=forward action=drop comment="defconf: drop invalid" \
    connection-state=invalid
add chain=forward action=drop comment=\
    "defconf: drop all from WAN not DSTNATed" connection-state=new \
    connection-nat-state=!dstnat in-interface-list=WAN
/ip firewall nat
# Hairpin: LAN-to-LAN traffic that is routed through the router is
# masqueraded (the usual companion of the dst-nat rule below).
add chain=srcnat action=masquerade comment=hairpin \
    src-address=192.168.77.0/24 dst-address=192.168.77.0/24
# Internet egress. Packets that have an outbound IPsec policy are excluded so
# road-warrior traffic is not masqueraded before encryption.
add chain=srcnat action=masquerade comment=masquerade-wan \
    out-interface-list=WAN ipsec-policy=out,none
# Published service: public TCP/443 -> 192.168.77.5:12345. As written it is
# reachable from any internet source; if it is meant for a known set of
# clients, a src-address(-list) restriction on this rule would be the place
# to add it.
add chain=dstnat action=dst-nat comment=web-admin protocol=tcp dst-port=443 \
    dst-address-list=public-ip to-addresses=192.168.77.5 to-ports=12345
/ip firewall mangle
# MSS clamping for road-warrior TCP flows. Both rules key on the IPsec policy
# (inbound from, and outbound to, 192.168.78.0/24), so they only touch
# packets that are themselves carried inside the IKEv2 tunnel.
# NOTE(review): with local-forwarding=no the Wi-Fi clients' packets presumably
# reach this chain already decapsulated from the CAPsMAN data tunnel, carrying
# HQ-LAN addresses and no ipsec-policy match, so neither rule would clamp
# them. If the "HQ LAN works, internet does not" symptom turns out to be an
# MTU problem, a third rule keyed on the CAPsMAN-created interfaces (e.g. an
# interface list holding them) is the place to add it; the right new-mss has
# to account for CAPsMAN plus ESP overhead and should be measured rather than
# assumed to be 1360.
add chain=forward action=change-mss comment="ike2-rw clamp tcp mss" \
    protocol=tcp tcp-flags=syn ipsec-policy=in,ipsec \
    src-address=192.168.78.0/24 tcp-mss=!0-1360 new-mss=1360 passthrough=yes
add chain=forward action=change-mss protocol=tcp tcp-flags=syn \
    ipsec-policy=out,ipsec dst-address=192.168.78.0/24 tcp-mss=!0-1360 \
    new-mss=1360 passthrough=yes
Any help will be much appreciated.
Thanks!