IPsec s2s and src-nat :-/

cbka (Topic Author), Tue Jun 22, 2021 4:26 pm

Hello my fellow tiks :-)

We have kind of a situation here...

I have

zabbix 172.30.5.190 with default gw mtik1
mtik 1:
ether2 - 172.30.5.1/24

and mtik 2:
ether2 - 172.30.5.110/24
ether3 - 172.24.255.1/24
and offsite

mtik 3:
ether2 - 172.24.60.1/24
mtik1 is the default gw for zabbix and I added a route to it:
/ip route
add distance=1 dst-address=172.24.0.0/16 gateway=172.30.5.110
mtik2 connects to mtik3 with IPsec IKEv2

Policies are 172.24.255.0/24 <-> 172.24.60.0/24

Now I want to monitor mtik 3 with zabbix.

To accomplish that I added a src-nat rule on mtik2:
/ip firewall nat
add action=src-nat chain=srcnat dst-address=172.24.0.0/16 src-address=172.30.5.190 to-addresses=172.24.255.1
On mtik3 I see incoming ICMP from zabbix with src-address 172.24.255.1, but I do not receive the echo reply on zabbix.

What am I missing?

Cheers

Chris
 
cbka
just joined
Topic Author
Posts: 19
Joined: Fri Dec 15, 2017 12:07 pm
Location: germany
Contact:

Re: IPsec s2s and src-nat :-/

Thu Jun 24, 2021 10:28 am

anybody ?
 
sindy
Forum Guru
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPsec s2s and src-nat :-/

Sun Jun 27, 2021 8:05 pm

On mtik3 I see incoming ICMP from zabbix with src-address 172.24.255.1, but I do not receive the echo reply on zabbix.
How exactly do you "see" it? Using /tool sniffer or using some action=log or log=yes firewall rule?

I would most suspect a firewall rule in chain input of /ip firewall filter to drop the ICMP echo request packets. Packets decapsulated from IPsec transport ones inherit the in-interface attribute from the transport ones, so if you drop anything coming from WAN except connection-state=established,related, this could be the explanation.

If the above is not sufficient, post the complete configuration of mtik3, following the hint in my automatic signature below.
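The checks and the fix that follow from the reply above, written out as an added RouterOS example; this is not configuration posted by cbka or sindy, and the WAN interface name ether1 on mtik3 is an assumption (the thread never names it). The ipsec-policy matcher selects only packets that were just decrypted by a matching IPsec policy, which is why it can sit above an interface-based drop without exposing ether1 to cleartext traffic:

```routeros
# Added example, not from the thread. Run on mtik3.
# Assumption: ether1 is the WAN interface carrying the IKEv2 tunnel to mtik2.

# 1. Confirm the echo requests arrive after decapsulation. The quick sniffer
#    shows the decrypted packet with its inherited in-interface (ether1),
#    which is the attribute the input chain will match on.
/tool sniffer quick ip-address=172.24.255.1 ip-protocol=icmp

# 2. See which input rule is counting the drops: hit counters per rule.
/ip firewall filter print stats where chain=input

# 3. Temporarily log what arrives from the tunnel, placed in front of the
#    generic WAN drop rule. The [find ...] expression assumes exactly one
#    such drop rule exists; adjust if print shows several.
/ip firewall filter
add chain=input action=log ipsec-policy=in,ipsec log-prefix="ipsec-in:" \
    place-before=[find chain=input action=drop in-interface=ether1]

# 4. The fix: accept decapsulated IPsec traffic in input (pings to the router
#    itself, 172.24.60.1) and in forward (hosts behind mtik3) before the
#    interface-based drops.
add chain=input action=accept ipsec-policy=in,ipsec \
    comment="decapsulated IPsec to the router" \
    place-before=[find chain=input action=drop in-interface=ether1]
add chain=forward action=accept ipsec-policy=in,ipsec \
    comment="decapsulated IPsec through the router" \
    place-before=[find chain=forward action=drop in-interface=ether1]

# 5. Confirm the reply direction is covered by the policy: the echo reply
#    from 172.24.60.1 to 172.24.255.1 must match the 172.24.60.0/24 <->
#    172.24.255.0/24 policy, and the SA byte counters should grow both ways.
/ip ipsec policy print where ph2-state=established
/ip ipsec installed-sa print
```

If the log rule in step 3 never fires while the sniffer in step 1 shows the requests, the packets are being dropped earlier, for instance by a raw-chain or address-list rule, and the stats in step 2 will point at it.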
 
cbka
just joined
Topic Author
Posts: 19
Joined: Fri Dec 15, 2017 12:07 pm
Location: germany
Contact:

Re: IPsec s2s and src-nat :-/

Sun Jul 18, 2021 10:16 pm

On mtik3 I see incoming ICMP from zabbix with src-address 172.24.255.1, but I do not receive the echo reply on zabbix.
How exactly do you "see" it? Using /tool sniffer or using some action=log or log=yes firewall rule?

I would most suspect a firewall rule in chain input of /ip firewall filter to drop the ICMP echo request packets. Packets decapsulated from IPsec transport ones inherit the in-interface attribute from the transport ones, so if you drop anything coming from WAN except connection-state=established,related, this could be the explanation.

If the above is not sufficient, post the complete configuration of mtik3, following the hint in my automatic signature below.
Thanks for answering, sindy. I was away on vacation but am back now ;-)
I will try to analyze what you said and keep you posted. Thanks anyway,

Cheers, Chris
