I would like to ask you for a help. I'm using RB 750Gr3 (v6.47.4) as a gateway in many locations and I'm always creating IPsec tunnel into office (fw: Kerio Control). I have many of these RBs which are working very well, but now I have one in a new location and it behaves differently. Same device, same configuration, but in this case one firewall rule is dropping communication comming to this device through IPsec tunnel, while on others not. Maybe I overlooked something, but there is only a little chance for this, because I checked everything multiple times. I'm most likely missing deeper understanding how is the traffic processed in case of IPsec.
The configuration is:
Code: Select all
# Setup interfaces
/interface bridge add name=LANbridge
/interface bridge port add interface=ether2 bridge=LANbridge
/interface bridge port add interface=ether3 bridge=LANbridge
/interface bridge port add interface=ether4 bridge=LANbridge
/interface bridge port add interface=ether5 bridge=LANbridge
# Setup IP addresses
/ip address add address=10.9.105.26/255.255.255.252 interface=ether1 disabled=no
/ip address add address=10.99.0.253/255.255.0.0 interface=LANbridge disabled=no
# Setup routes
/ip route add dst-address=0.0.0.0/0 gateway=10.9.105.25
######################################################################
# Interface lists
/interface list
add name="WAN" comment="contains WAN interfaces"
add name="LAN" comment="contains LAN interfaces"
/interface list member
add list=WAN interface=ether1
add list=LAN interface=LANbridge
######################################################################
# Setup NAT
/ip firewall nat
# Setup srcnat
add chain=srcnat action=masquerade ipsec-policy=out,none out-interface-list=WAN comment="masquerade"
######################################################################
# Setup firewall
/ip firewall filter
# Input
add action=accept chain=input connection-state=established,related,untracked comment="Accept established,related,untracked"
add action=drop chain=input connection-state=invalid comment="Drop invalid"
add action=accept chain=input protocol=icmp comment="Accept ICMP"
add action=accept chain=input in-interface-list=LAN protocol=tcp dst-port=9876 comment="Allow Winbox (9876/TCP) on LAN"
add action=accept chain=input dst-port=53 protocol=udp in-interface-list=LAN comment="Allow LAN DNS queries - UDP"
add action=accept chain=input dst-port=53 protocol=tcp in-interface-list=LAN comment="Allow LAN DNS queries - TCP"
add action=drop chain=input comment="Drop all input"
# Forward
add action=accept chain=forward ipsec-policy=in,ipsec comment="Accept in ipsec policy"
add action=accept chain=forward ipsec-policy=out,ipsec comment="Accept out ipsec policy"
add action=fasttrack-connection chain=forward connection-state=established,related comment="Fasttrack"
add action=accept chain=forward connection-state=established,related,untracked comment="Accept established,related, untracked"
add action=drop chain=forward connection-state=invalid comment="Drop invalid"
add action=accept chain=forward connection-nat-state=dstnat comment="Allow port forwarding"
add action=accept chain=forward in-interface-list=LAN log-prefix="ALLOWED LAN 2 WAN TRAFFIC" out-interface-list=WAN comment="Enable LAN to WAN"
add action=drop chain=forward comment="Drop all"
######################################################################
# IPsec
/ip ipsec peer add address=OFFICE-PUBLIC-IP/32 name=Office
/ip ipsec proposal add enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des name=Office_Kerio pfs-group=none
/ip ipsec identity add auth-method=digital-signature certificate=RB-CERTIFICATE.crt peer=Office remote-certificate=OfficeCertificate.crt
/ip ipsec policy add peer=Office dst-address=192.168.100.0/24 level=unique sa-dst-address=OFFICE-PUBLIC-IP sa-src-address=10.9.105.26 src-address=10.99.0.0/16 tunnel=yes proposal="Office_Kerio"
/ip ipsec policy add peer=Office dst-address=192.168.101.0/24 level=unique sa-dst-address=OFFICE-PUBLIC-IP sa-src-address=10.9.105.26 src-address=10.99.0.0/16 tunnel=yes proposal="Office_Kerio"
Code: Select all
/ip firewall filter add action=drop chain=input comment="Drop all input"
I'll appreciate every hint you can give me. Thank you!