MrHae
Frequent Visitor
Topic Author
Posts: 62
Joined: Wed May 26, 2021 7:40 pm

IPSEC Site-to-Site Routing

Mon Jul 05, 2021 3:59 pm

Hey Guys,

I have a site-to-site IPsec VPN from a router (home office) to the main location.
At the main location I have a Microsoft DNS server, so I thought I could use this DNS server as DNS (IP --> DNS --> Servers) for the home office clients, but they can't reach it. In fact the clients behind the home office router can reach it, but the home office router itself can't.

I think the traffic goes out directly and not via the VPN.
How can I tell the home office router itself to route traffic for the main location network through the VPN?

The IPsec tunnel doesn't show up as an interface.

I tried SSTP server/client but I couldn't get it to work.
The main location log is empty.
 
gotsprings
Forum Guru
Posts: 2115
Joined: Mon May 14, 2012 9:30 pm

Re: IPSEC Site-to-Site Routing

Mon Jul 05, 2021 4:09 pm

Routes and forwarding
 
MrHae
Frequent Visitor
Topic Author
Posts: 62
Joined: Wed May 26, 2021 7:40 pm

Re: IPSEC Site-to-Site Routing

Tue Jul 06, 2021 3:59 pm

> Routes and forwarding

Where?

IP -> Routes only helps me if I had a gateway interface, but with plain IPsec I only have policies, which I can't route into.
 
afuchs
Frequent Visitor
Posts: 81
Joined: Wed Jul 03, 2019 11:10 am

Re: IPSEC Site-to-Site Routing

Tue Jul 06, 2021 4:44 pm

Hello,

Two questions:
  1. Is there a policy that allows the PCs to connect to the DNS server?
     (IP or network of your DNS server to the network of the local PCs)
     (network of the local PCs to the IP or network of your DNS server)
  2. Is it possible to set the local router as DNS server for the local PCs and let the router use your DNS in the main site as primary DNS, with some other DNS server, e.g. 8.8.8.8, as fallback when the VPN is down?
And the bonus question: is there any firewall rule that drops your traffic?
 
MrHae
Frequent Visitor
Topic Author
Posts: 62
Joined: Wed May 26, 2021 7:40 pm

Re: IPSEC Site-to-Site Routing

Wed Jul 07, 2021 9:05 am

Hello,

> Two questions:
>   1. Is there a policy that allows the PCs to connect to the DNS server?
>      (IP or network of your DNS server to the network of the local PCs)
>      (network of the local PCs to the IP or network of your DNS server)
>   2. Is it possible to set the local router as DNS server for the local PCs and let the router use your DNS in the main site as primary DNS, with some other DNS server, e.g. 8.8.8.8, as fallback when the VPN is down?
> And the bonus question: is there any firewall rule that drops your traffic?

Question 1: Yes, the policy works; clients can connect through the VPN to the main office and also to the DNS server in the main office.
Question 2: That's where my problem is. I want to set the local router as DNS, with the main office DNS first and 1.1.1.1 and 1.0.0.1 as fallback. But the router itself can't reach the main office DNS server.

Bonus: No Firewall has Rules for VPN Networks to accept.
 
andriys
Forum Guru
Posts: 1527
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: IPSEC Site-to-Site Routing

Wed Jul 07, 2021 5:33 pm

When the DNS resolver (on your router) makes a request, it uses one of the IP addresses assigned to interfaces of your router. Which one depends on what you have in the routing tables. In most cases that will just be your external address. I am confident that address is not covered by your IPsec policy. Try NAT-ing your locally originated DNS requests to whatever is covered by the policy.
 
MrHae
Frequent Visitor
Topic Author
Posts: 62
Joined: Wed May 26, 2021 7:40 pm

Re: IPSEC Site-to-Site Routing

Fri Jul 09, 2021 9:48 am

> When the DNS resolver (on your router) makes a request, it uses one of the IP addresses assigned to interfaces of your router. Which one depends on what you have in the routing tables. In most cases that will just be your external address. I am confident that address is not covered by your IPsec policy. Try NAT-ing your locally originated DNS requests to whatever is covered by the policy.

I tried dst-nat: everything from the source address list (home office network), UDP source port 53, to the AD DNS server port 53.
 
MrHae
Frequent Visitor
Topic Author
Posts: 62
Joined: Wed May 26, 2021 7:40 pm

Re: IPSEC Site-to-Site Routing

Fri Jul 09, 2021 10:34 am

I tried
/ip firewall nat add chain=srcnat action=accept place-before=0 src-address=10.10.10.0/24 dst-address=1.1.1.0/24
with no effect. Clients behind the routers can ping each other through the tunnel; the gateways can't ping each other.
 
andriys
Forum Guru
Posts: 1527
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: IPSEC Site-to-Site Routing

Fri Jul 09, 2021 11:01 am

"action=accept" in NAT means "do nothing". No wonder nothing changed. :)
 
MrHae
Frequent Visitor
Topic Author
Posts: 62
Joined: Wed May 26, 2021 7:40 pm

Re: IPSEC Site-to-Site Routing

Fri Jul 09, 2021 11:56 am

> "action=accept" in NAT means "do nothing". No wonder nothing changed. :)

For DNS I used action dst-nat.
 
andriys
Forum Guru
Posts: 1527
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: IPSEC Site-to-Site Routing

Fri Jul 09, 2021 12:55 pm

It should be "src-nat". The "dst-nat" thing only works for incoming connections destined to your router.

P.S. IPsec is a rather "advanced" topic, but NAT is pretty basic, really. And your NAT-ing mistakes look so naive...
 
MrHae
Frequent Visitor
Topic Author
Posts: 62
Joined: Wed May 26, 2021 7:40 pm

Re: IPSEC Site-to-Site Routing

Fri Jul 09, 2021 12:55 pm

I've got it. I can't route into the IPsec connection because there's no interface, but if I route into the bridge interface, the router itself can reach the other site.
 
MrHae
Frequent Visitor
Topic Author
Posts: 62
Joined: Wed May 26, 2021 7:40 pm

Re: IPSEC Site-to-Site Routing

Fri Jul 09, 2021 12:57 pm

> It should be "src-nat". The "dst-nat" thing only works for incoming connections destined to your router.
>
> P.S. IPsec is a rather "advanced" topic, but NAT is pretty basic, really. And your NAT-ing mistakes look so naive...

So NAT-ing was not my problem, and those were not mistakes either, just tries to get out of the problem.

Thanks for your help
 
andriys
Forum Guru
Posts: 1527
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: IPSEC Site-to-Site Routing

Fri Jul 09, 2021 1:01 pm

NAT was just another way to solve your problem. And it was easy. And "universal", meaning you can implement it no matter what else you have configured and how. Your "route to bridge" solution works because you happen to have an interface (bridge) with an IP address that is covered by your IPsec policy. That is not a requirement and is not always the case. Anyways, I am glad you've found a solution that works for you. Good luck!
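Both fixes discussed in this thread, the src-nat of router-originated traffic and the route with a LAN-side preferred source, written out as a RouterOS configuration. This is an added example, not the poster's configuration; the home office LAN 10.10.10.0/24 comes from the thread, while the main office LAN 10.20.20.0/24, the DNS server 10.20.20.5, the WAN addresses and the interface and peer names are assumed.

```routeros
# Assumed topology (constructed for this example):
#   home office LAN 10.10.10.0/24 on "bridge", router address 10.10.10.1
#   home office WAN address 192.0.2.10 on "ether1"
#   main office LAN 10.20.20.0/24, AD DNS server 10.20.20.5
#   IPsec peer named "main-office" already configured

# The policy selector only covers LAN-to-LAN traffic. Packets the router
# originates itself carry the WAN address 192.0.2.10 as source, so they
# never match and leave in the clear via the default route.
/ip ipsec policy
add peer=main-office tunnel=yes action=encrypt \
    src-address=10.10.10.0/24 dst-address=10.20.20.0/24

# Option A (src-nat, works regardless of which interfaces exist):
# rewrite the source of router-originated packets to the LAN address so
# they fall inside the policy selector. Router-originated traffic passes
# the srcnat chain; the rule must sit above any masquerade rule.
/ip firewall nat
add chain=srcnat place-before=0 src-address=192.0.2.10 \
    dst-address=10.20.20.0/24 action=src-nat to-addresses=10.10.10.1 \
    comment="router-originated traffic to main office via IPsec"

# Option B (what the OP did, stated explicitly): a route for the remote
# LAN whose preferred source is the bridge address. Pointing the route at
# the bridge only works because the bridge happens to carry an address
# inside the policy selector; pref-src makes that dependency explicit.
/ip route
add dst-address=10.20.20.0/24 gateway=bridge pref-src=10.10.10.1 \
    comment="LAN source address for main office traffic"

# With either option the router's own resolver sends from 10.10.10.1, so
# the main office DNS can be first with public resolvers as fallback.
/ip dns
set servers=10.20.20.5,1.1.1.1,1.0.0.1 allow-remote-requests=yes

# Checks: a ping sourced from the LAN address should succeed, and the
# installed SA byte counters should increase while it runs.
/ping 10.20.20.5 src-address=10.10.10.1 count=3
/ip ipsec installed-sa print
```

Use one option, not both; if Option A is chosen, verify with /ip firewall nat print stats that the src-nat rule's counters increment when the router queries DNS.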
