lrn23
newbie
Topic Author
Posts: 30
Joined: Mon Jan 07, 2019 10:24 am

IPsec site to site (fw rules)

Thu Jun 24, 2021 12:58 pm

Hi,
I would like to ask you for help. I'm using an RB 750Gr3 (v6.47.4) as a gateway in many locations and I'm always creating an IPsec tunnel into the office (fw: Kerio Control). I have many of these RBs which are working very well, but now I have one in a new location and it behaves differently. Same device, same configuration, but in this case one firewall rule is dropping communication coming to this device through the IPsec tunnel, while on the others it does not. Maybe I overlooked something, but there is only a little chance of this, because I checked everything multiple times. I'm most likely missing a deeper understanding of how the traffic is processed in the case of IPsec.

The configuration is:
# Setup interfaces

/interface bridge add name=LANbridge
/interface bridge port add interface=ether2 bridge=LANbridge
/interface bridge port add interface=ether3 bridge=LANbridge
/interface bridge port add interface=ether4 bridge=LANbridge
/interface bridge port add interface=ether5 bridge=LANbridge

# Setup IP addresses

/ip address add address=10.9.105.26/255.255.255.252 interface=ether1 disabled=no
/ip address add address=10.99.0.253/255.255.0.0 interface=LANbridge disabled=no

# Setup routes

/ip route add dst-address=0.0.0.0/0 gateway=10.9.105.25

######################################################################
# Interface lists

/interface list
add name="WAN" comment="contains WAN interfaces"
add name="LAN" comment="contains LAN interfaces"

/interface list member
add list=WAN interface=ether1
add list=LAN interface=LANbridge

######################################################################
# Setup NAT

/ip firewall nat

# Setup srcnat
add chain=srcnat action=masquerade ipsec-policy=out,none out-interface-list=WAN comment="masquerade"

######################################################################
# Setup firewall

/ip firewall filter

# Input
add action=accept chain=input connection-state=established,related,untracked comment="Accept established,related,untracked"
add action=drop chain=input connection-state=invalid comment="Drop invalid"
add action=accept chain=input protocol=icmp comment="Accept ICMP"
add action=accept chain=input in-interface-list=LAN protocol=tcp dst-port=9876 comment="Allow Winbox (9876/TCP) on LAN"
add action=accept chain=input dst-port=53 protocol=udp in-interface-list=LAN comment="Allow LAN DNS queries - UDP"
add action=accept chain=input dst-port=53 protocol=tcp in-interface-list=LAN comment="Allow LAN DNS queries - TCP"
add action=drop chain=input comment="Drop all input"

# Forward
add action=accept chain=forward ipsec-policy=in,ipsec comment="Accept in ipsec policy"
add action=accept chain=forward ipsec-policy=out,ipsec comment="Accept out ipsec policy"
add action=fasttrack-connection chain=forward connection-state=established,related comment="Fasttrack"
add action=accept chain=forward connection-state=established,related,untracked comment="Accept established,related, untracked"
add action=drop chain=forward connection-state=invalid comment="Drop invalid"
add action=accept chain=forward connection-nat-state=dstnat comment="Allow port forwarding"
add action=accept chain=forward in-interface-list=LAN log-prefix="ALLOWED LAN 2 WAN TRAFFIC" out-interface-list=WAN comment="Enable LAN to WAN"
add action=drop chain=forward comment="Drop all"

######################################################################
# IPsec

/ip ipsec peer add address=OFFICE-PUBLIC-IP/32 name=Office
/ip ipsec proposal add enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des name=Office_Kerio pfs-group=none
/ip ipsec identity add auth-method=digital-signature certificate=RB-CERTIFICATE.crt peer=Office remote-certificate=OfficeCertificate.crt
/ip ipsec policy add peer=Office dst-address=192.168.100.0/24 level=unique sa-dst-address=OFFICE-PUBLIC-IP sa-src-address=10.9.105.26 src-address=10.99.0.0/16 tunnel=yes proposal="Office_Kerio"
/ip ipsec policy add peer=Office dst-address=192.168.101.0/24 level=unique sa-dst-address=OFFICE-PUBLIC-IP sa-src-address=10.9.105.26 src-address=10.99.0.0/16 tunnel=yes proposal="Office_Kerio"


The problematic rule is this one:
/ip firewall filter add action=drop chain=input comment="Drop all input"
Why is this rule working well and passing communication from the Office to the RB in all locations except one? I can usually ping the LANbridge IP and devices behind the RB with this config. The configuration on the Office fw is always the same. I checked that too.

I'll appreciate every hint you can give me. Thank you!
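As an added illustration (my own Python, not code from this thread, from lrn23 or from MikroTik), here is a small first-match simulator over the exact input and forward rules posted above. It implements only the matchers those rules use and walks each chain top-down the way RouterOS does, so for a handful of constructed packets you can see which rule terminates them. It assumes the documented RouterOS behaviour that a packet arriving inside ESP is run through the filter again after decryption, with in-interface still set to the WAN interface (ether1) and matching ipsec-policy=in,ipsec; that assumption is the whole reason decrypted Office traffic is not in the LAN interface list. It shows that the forward chain admits tunnel traffic explicitly, while the input chain admits Office-to-router traffic only through the ICMP and established/related rules, so any other new connection to the router itself falls through to "Drop all input". It says nothing about why the other 20 routers behave differently; it only shows what the listed rules do.

```python
"""Added example, not from the thread: a first-match simulator for the filter
rules posted above, to show which rule each kind of packet terminates on.

Assumption (RouterOS documented behaviour, not something the thread states): a
packet that arrived encapsulated in ESP is passed through the filter chains a
second time after decryption, with in-interface set to the interface the ESP
packet came in on (ether1 here) and matching ipsec-policy=in,ipsec; a packet
that an outbound policy is about to encrypt matches ipsec-policy=out,ipsec.
"""
import shlex

# Copied from the posted /interface list member section.
IFACE_LISTS = {"ether1": {"WAN"}, "LANbridge": {"LAN"}}

# Copied from the posted /ip firewall filter section, in the posted order.
RULES_TEXT = """
add action=accept chain=input connection-state=established,related,untracked comment="Accept established,related,untracked"
add action=drop chain=input connection-state=invalid comment="Drop invalid"
add action=accept chain=input protocol=icmp comment="Accept ICMP"
add action=accept chain=input in-interface-list=LAN protocol=tcp dst-port=9876 comment="Allow Winbox (9876/TCP) on LAN"
add action=accept chain=input dst-port=53 protocol=udp in-interface-list=LAN comment="Allow LAN DNS queries - UDP"
add action=accept chain=input dst-port=53 protocol=tcp in-interface-list=LAN comment="Allow LAN DNS queries - TCP"
add action=drop chain=input comment="Drop all input"
add action=accept chain=forward ipsec-policy=in,ipsec comment="Accept in ipsec policy"
add action=accept chain=forward ipsec-policy=out,ipsec comment="Accept out ipsec policy"
add action=fasttrack-connection chain=forward connection-state=established,related comment="Fasttrack"
add action=accept chain=forward connection-state=established,related,untracked comment="Accept established,related, untracked"
add action=drop chain=forward connection-state=invalid comment="Drop invalid"
add action=accept chain=forward connection-nat-state=dstnat comment="Allow port forwarding"
add action=accept chain=forward in-interface-list=LAN log-prefix="ALLOWED LAN 2 WAN TRAFFIC" out-interface-list=WAN comment="Enable LAN to WAN"
add action=drop chain=forward comment="Drop all"
"""

def parse_rule(line):
    """One 'add key=value ...' line -> dict; shlex keeps the quoted comment whole."""
    return dict(tok.partition("=")[::2] for tok in shlex.split(line)[1:])

RULES = [parse_rule(line) for line in RULES_TEXT.strip().splitlines()]

# Only the matchers the posted rules use.  Each takes (rule value, packet dict).
MATCHERS = {
    "connection-state": lambda want, p: p["connection-state"] in want.split(","),
    "protocol": lambda want, p: p.get("protocol") == want,
    "dst-port": lambda want, p: p.get("dst-port") == int(want),
    "in-interface-list": lambda want, p: want in IFACE_LISTS.get(p.get("in-interface"), ()),
    "out-interface-list": lambda want, p: want in IFACE_LISTS.get(p.get("out-interface"), ()),
    "connection-nat-state": lambda want, p: p.get("connection-nat-state") == want,
    # ipsec-policy=<in|out>,<ipsec|none>: was an IPsec policy applied in that direction?
    "ipsec-policy": lambda want, p: p.get("ipsec-" + want.split(",")[0], "none") == want.split(",")[1],
}
NOT_MATCHERS = {"action", "chain", "comment", "log-prefix"}
TERMINAL = {"accept", "drop", "reject"}

def matches(rule, p):
    return all(MATCHERS[k](v, p) for k, v in rule.items() if k not in NOT_MATCHERS)

def evaluate(chain, p, rules=RULES):
    """Walk the chain top-down; the first matching terminal rule decides.
    fasttrack-connection only marks the connection and lets the packet continue.
    When no rule matches, RouterOS accepts the packet."""
    for rule in rules:
        if rule["chain"] == chain and matches(rule, p) and rule["action"] in TERMINAL:
            return rule["action"], rule["comment"]
    return "accept", "end of chain (implicit accept)"

def pkt(chain, **fields):
    """Constructed packet: first packet of a connection unless stated otherwise."""
    p = {"connection-state": "new"}
    p.update({k.replace("_", "-"): v for k, v in fields.items()})
    return chain, p

# Constructed sample traffic; "office" packets are the decrypted form, so they
# still carry in-interface=ether1 and the inbound IPsec policy flag.
PACKETS = {
    "office -> router, ICMP":            pkt("input", protocol="icmp", in_interface="ether1", ipsec_in="ipsec"),
    "office -> router, Winbox 9876/TCP": pkt("input", protocol="tcp", dst_port=9876, in_interface="ether1", ipsec_in="ipsec"),
    "office -> router, DNS 53/UDP":      pkt("input", protocol="udp", dst_port=53, in_interface="ether1", ipsec_in="ipsec"),
    "office -> router, reply packet":    pkt("input", protocol="tcp", in_interface="ether1", ipsec_in="ipsec", connection_state="established"),
    "LAN host -> router, DNS 53/UDP":    pkt("input", protocol="udp", dst_port=53, in_interface="LANbridge"),
    "office -> LAN host, 445/TCP":       pkt("forward", protocol="tcp", dst_port=445, in_interface="ether1", out_interface="LANbridge", ipsec_in="ipsec"),
    "LAN host -> office, 445/TCP":       pkt("forward", protocol="tcp", dst_port=445, in_interface="LANbridge", out_interface="ether1", ipsec_out="ipsec"),
    "internet -> LAN host, 445/TCP":     pkt("forward", protocol="tcp", dst_port=445, in_interface="ether1", out_interface="LANbridge"),
}

def run_all():
    """Map each sample packet to the (action, rule comment) that terminated it."""
    return {name: evaluate(chain, p) for name, (chain, p) in PACKETS.items()}

if __name__ == "__main__":
    for name, (action, why) in run_all().items():
        print(f"{name:36} {action:6} <- {why}")
```

Run it with python3 and compare the printout with what you see in /ip firewall filter's rule counters on the affected router: if the Office-to-router packets that interest you are not ICMP and not replies to connections the router opened, this rule set drops them on every RB, which narrows the difference between the working and the failing units down to what the packets look like when they reach the input chain rather than to the rules themselves.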
 
erlinden
Forum Guru
Posts: 1920
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: IPsec site to site (fw rules)

Thu Jun 24, 2021 1:23 pm

Why running v6.47.4?

Just to be sure...this router should connect to the office router?
Is the connection established?
What communication is being dropped (from LAN to Office/from Office to LAN)?
 
lrn23
newbie
Topic Author
Posts: 30
Joined: Mon Jan 07, 2019 10:24 am

Re: IPsec site to site (fw rules)

Thu Jun 24, 2021 1:46 pm

I tested the latest stable release and I had brutal latency on the router and this problem too. So I downgraded ROS to this release, which I have on the other RBs, and everything works as expected there. I'll most likely upgrade all RBs to the LTS version of ROS soon.

Yes, this router is connecting to the Office. The IPsec tunnel is established and everything works well as soon as I disable the mentioned rule.
Communication from the Office to the RB or the LAN behind the RB is being dropped while that rule is active.
 
lrn23
newbie
Topic Author
Posts: 30
Joined: Mon Jan 07, 2019 10:24 am

Re: IPsec site to site (fw rules)

Fri Apr 28, 2023 4:40 pm

This issue persists and now appears also on another RB. I have 20 RBs working as expected with the same configuration, but two of them are behaving like this. Does anyone have any ideas, please? Or how to debug this? Thank you...
