shaunmccloud
Frequent Visitor
Topic Author
Posts: 57
Joined: Tue Jun 02, 2015 5:06 pm

MikroTik to pfSense IPSEC

Mon Aug 23, 2021 4:27 pm

I'm trying to follow the directions at https://www.zerodispersion.com/ipsec-tu ... o-pfsense/ to connect my RB4011 at home to the pfSense box at my brother-in-law's business so I can apply updates there. The problem is, after following all the steps I am not able to ping from either side. The connection is up, just not passing any traffic. Does anyone have any ideas on where to look?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: MikroTik to pfSense IPSEC

Mon Aug 23, 2021 7:27 pm

First, what does /ip ipsec active-peers print show on the Mikrotik (obfuscate any public IPs shown there unless you don't care).

Second, post the anonymized config export from the Mikrotik as per my automatic signature here below.
 
shaunmccloud
Frequent Visitor
Topic Author
Posts: 57
Joined: Tue Jun 02, 2015 5:06 pm

Re: MikroTik to pfSense IPSEC

Mon Aug 23, 2021 9:31 pm

Here is the output of /ip ipsec active-peers print
peers.png
# aug/23/2021 14:27:20 by RouterOS 6.48.3
# software id = NO-NO
#
# model = RB4011iGS+
# serial number = F0270EAC96D5
/interface ethernet
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out user=\
    mccloud1@windstream.net
/interface vlan
add interface=sfp-sfpplus1 name="Guest Wifi" vlan-id=200
add interface=sfp-sfpplus1 name=IoT vlan-id=10
add interface=sfp-sfpplus1 name=VMs vlan-id=20
add interface=sfp-sfpplus1 name=Wifi vlan-id=7
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 10 default-vlan-id=0
/interface list
add name=WAN
add name=LAN
/ip dhcp-server option
add code=42 name=NTPVMs value="'172.16.20.1'"
add code=42 name=NTPLAN value="'172.16.6.1'"
add code=42 name=NTPIoT value="'172.16.10.1'"
add code=42 name=NTPWifi value="'172.16.7.1'"
add code=42 name="NTPGuest Wifi" value="'172.16.200.1'"
/ip dhcp-server option sets
add name=Wifi options=NTPWifi
add name=LAN options=NTPLAN
add name=VMs options=NTPVMs
add name="Guest Wifi" options="NTPGuest Wifi"
add name=IoT options=NTPIoT
/ip ipsec peer
add address=remote.public.ip/32 exchange-mode=ike2 name=LSR
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-128 \
    hash-algorithm=sha256
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=\
    aes-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-gcm lifetime=0s pfs-group=\
    modp2048
/ip pool
add name=IoT_pool ranges=172.16.10.100-172.16.10.254
add name=LAN_pool ranges=172.16.6.100-172.16.6.254
add name="Guest Wifi_pool" ranges=172.16.200.2-172.16.200.254
add name=VMs_pool ranges=172.16.20.100-172.16.20.254
add name=Wifi_pool ranges=172.16.7.100-172.16.7.254
/ip dhcp-server
add address-pool=IoT_pool dhcp-option-set=IoT disabled=no interface=IoT \
    lease-time=1w name=IoT
add address-pool=LAN_pool dhcp-option-set=LAN disabled=no interface=\
    sfp-sfpplus1 lease-time=1w name=LAN
add address-pool="Guest Wifi_pool" dhcp-option-set="Guest Wifi" disabled=no \
    interface="Guest Wifi" lease-time=1w name="Guest Wifi"
add address-pool=VMs_pool dhcp-option-set=VMs disabled=no interface=VMs \
    lease-time=1w name=VMs
add address-pool=Wifi_pool dhcp-option-set=Wifi disabled=no interface=Wifi \
    lease-time=1w name=Wifi
/queue simple
add burst-limit=2M/2M burst-threshold=2M/2M burst-time=10s/10s comment=\
    "Guest Wifi" limit-at=1M/1M max-limit=1M/1M name="Guest Wifi" priority=\
    6/6 queue=default/default target="Guest Wifi"
/system logging action
set 3 remote=172.16.6.2
/interface list member
add interface=ether1 list=WAN
add interface=sfp-sfpplus1 list=LAN
add interface="Guest Wifi" list=LAN
add interface=IoT list=LAN
add interface=VMs list=LAN
add interface=Wifi list=LAN
add interface=pppoe-out list=WAN
/ip address
add address=172.16.6.1/24 interface=sfp-sfpplus1 network=172.16.6.0
add address=172.16.7.1/24 interface=Wifi network=172.16.7.0
add address=172.16.10.1/24 interface=IoT network=172.16.10.0
add address=172.16.20.1/24 interface=VMs network=172.16.20.0
add address=172.16.200.1/24 interface="Guest Wifi" network=172.16.200.0
add address=192.168.254.253/24 interface=ether1 network=192.168.254.0
/ip dhcp-server network
add address=172.16.6.0/24 dns-server=172.16.6.1 domain=mccloud.lan gateway=\
    172.16.6.1 netmask=24
add address=172.16.7.0/24 dns-server=172.16.7.1 domain=mccloud.lan gateway=\
    172.16.7.1
add address=172.16.10.0/24 dns-server=172.16.10.1 domain=mccloud.lan gateway=\
    172.16.10.1
add address=172.16.20.0/24 dns-server=172.16.20.1 domain=mccloud.lan gateway=\
    172.16.20.1
add address=172.16.200.0/24 dns-server=172.16.200.1 domain=mccloud.lan \
    gateway=172.16.200.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input in-interface=pppoe-out protocol=icmp
add action=drop chain=input in-interface=pppoe-out
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward in-interface="Guest Wifi" out-interface=IoT
add action=drop chain=forward in-interface="Guest Wifi" out-interface=VMs
add action=drop chain=forward in-interface="Guest Wifi" out-interface=Wifi
add action=drop chain=forward in-interface="Guest Wifi" out-interface=\
    sfp-sfpplus1
add action=drop chain=forward in-interface=IoT out-interface="Guest Wifi"
add action=drop chain=forward in-interface=VMs out-interface="Guest Wifi"
add action=drop chain=forward in-interface=Wifi out-interface="Guest Wifi"
add action=drop chain=forward in-interface=sfp-sfpplus1 out-interface=\
    "Guest Wifi"
/ip firewall nat
add action=dst-nat chain=dstnat comment=SSH in-interface=pppoe-out port=no \
    protocol=tcp to-addresses=172.16.6.2 to-ports=no
add action=dst-nat chain=dstnat comment=HTTP in-interface=pppoe-out port=no \
    protocol=tcp to-addresses=172.16.6.2 to-ports=no
add action=dst-nat chain=dstnat comment=HTTPS in-interface=pppoe-out port=no \
    protocol=tcp to-addresses=172.16.6.2 to-ports=no
add action=dst-nat chain=dstnat comment=RDP in-interface=pppoe-out port=no \
    protocol=tcp to-addresses=172.16.20.3 to-ports=no
add action=dst-nat chain=dstnat comment=RDP in-interface=pppoe-out port=no \
    protocol=udp to-addresses=172.16.20.3 to-ports=no
add action=dst-nat chain=dstnat comment=Plex in-interface=pppoe-out port=\
    no protocol=tcp to-addresses=172.16.6.2 to-ports=no
add action=dst-nat chain=dstnat comment=Syncthing in-interface=pppoe-out \
    port=no protocol=tcp to-addresses=172.16.6.2 to-ports=no
add action=dst-nat chain=dstnat comment=Syncthing port=no protocol=udp \
    to-addresses=172.16.6.2 to-ports=no
add action=dst-nat chain=dstnat comment=Transmission dst-address=172.16.6.2 \
    in-interface=pppoe-out port=no protocol=tcp to-addresses=172.16.6.2 \
    to-ports=no
add action=dst-nat chain=dstnat comment=Transmission dst-address=172.16.6.2 \
    in-interface=pppoe-out port=no protocol=udp to-addresses=172.16.6.2 \
    to-ports=no
add action=masquerade chain=srcnat comment="nat to modem" dst-address=\
    192.168.254.254 out-interface=ether1
add action=masquerade chain=srcnat comment=Masquerade out-interface-list=WAN
add action=accept chain=srcnat dst-address=192.168.0.0/24 src-address=\
    172.16.6.0/24
/ip ipsec identity
add peer=LSR
/ip ipsec policy
add dst-address=192.168.0.0/24 peer=LSR src-address=172.16.6.0/24 tunnel=yes
add dst-address=192.168.0.0/24 peer=LSR src-address=172.16.20.0/24 tunnel=yes
add dst-address=192.168.0.0/24 peer=LSR src-address=172.16.7.0/24 tunnel=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api-ssl disabled=yes
/snmp
set contact=no@no.com enabled=yes location="Mechanical  Room"
/system clock
set time-zone-name=America/Chicago
/system identity
set name=RB4011iGS+RM
/system logging
add action=remote topics=critical
add action=remote topics=error
add action=remote topics=info
add action=remote topics=warning
/system ntp client
set enabled=yes mode=multicast primary-ntp=128.101.101.101 secondary-ntp=\
    134.84.84.84
/system ntp server
set enabled=yes multicast=yes
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: MikroTik to pfSense IPSEC

Tue Aug 24, 2021 12:17 pm

The
action=accept chain=srcnat dst-address=192.168.0.0/24 src-address=172.16.6.0/24
rule in /ip firewall nat must be placed before (above) the
action=masquerade chain=srcnat comment=Masquerade out-interface-list=WAN
one. The matching to the traffic selectors of IPsec policies is done as the last step before sending the packet out the interface chosen by regular routing, which is the WAN (ether1) one in your case since the only route you've got in your system is the default one obtained using DHCP. So the packet gets NATed first, and once it gets NATed, it cannot match the traffic selector any more.

On a GUI, the rules can be dragged and dropped using a mouse; on CLI, /ip firewall nat move N destination=M is used to change the rule order. It moves rule N just before rule M. You can use /ip firewall nat print first to get row numbers to be referred to as N and M, or you can use [find] in more complex situations - not your case.

Another possibility would be to add a static route to 172.16.6.0/24 via some other interface; this way, you wouldn't need to shadow the
action=masquerade ... out-interface-list=WAN
rule.

And of course, you also have to treat the two other destination subnets, 172.16.7.0/24 and 172.16.20.0/24, the same way. You may simplify the srcnat rules or routes (probably not the policies) to a single one if you don't use anything from 172.16.0.0/19 anywhere else in your network.
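To turn the advice above into commands, here is an added example written against the config posted earlier in the thread; it is not code from sindy, the original poster or MikroTik. It assumes RouterOS 6.48 as in the export, that the general masquerade rule still carries the comment "Masquerade", and that the remote site is 192.168.0.0/24 as in the posted policies. It keeps the one-rule-per-subnet layout the poster prefers rather than collapsing to a single 172.16.0.0/19 rule.

```routeros
# Added example, not from the thread. Exempts the three policy-covered subnets
# from masquerade so the packets still match the IPsec traffic selectors,
# which are evaluated only after srcnat has run.
/ip firewall nat
# 1) Move the existing accept rule for 172.16.6.0/24 in front of the
#    masquerade rule (move N destination=M places N just before M; [find]
#    is used here instead of row numbers so the command survives reordering).
move [find chain=srcnat action=accept src-address=172.16.6.0/24 \
    dst-address=192.168.0.0/24] destination=[find chain=srcnat comment=Masquerade]
# 2) Add the two missing exemptions, created directly in front of the
#    masquerade rule with place-before so no second move is needed.
add chain=srcnat action=accept src-address=172.16.20.0/24 \
    dst-address=192.168.0.0/24 comment="IPsec bypass VMs" \
    place-before=[find chain=srcnat comment=Masquerade]
add chain=srcnat action=accept src-address=172.16.7.0/24 \
    dst-address=192.168.0.0/24 comment="IPsec bypass Wifi" \
    place-before=[find chain=srcnat comment=Masquerade]
# 3) Check the order: all three accept rules must be listed above the
#    "Masquerade" rule, otherwise the packets are still rewritten first.
print
# 4) Check that the policies now carry traffic: each policy should show
#    ph2-state=established, and the installed SA byte counters should grow
#    while a 172.16.6.x host pings a 192.168.0.x host.
/ip ipsec policy print
/ip ipsec installed-sa print
```

The check in step 4 is what distinguishes the NAT ordering problem from a tunnel that is merely up: with the masquerade rule first, the peer and phase 2 look healthy, but the SA counters stay at zero because the packets leave with the public address as source and never match a selector.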
 
shaunmccloud
Frequent Visitor
Topic Author
Posts: 57
Joined: Tue Jun 02, 2015 5:06 pm

Re: MikroTik to pfSense IPSEC

Wed Aug 25, 2021 12:08 am

I have 172.16.10.0/24 in use for IoT devices. I'm fine with having more rules ;)
 
Aquo
just joined
Posts: 2
Joined: Sat Mar 20, 2021 7:24 pm

Re: MikroTik to pfSense IPSEC

Mon Aug 30, 2021 8:16 pm

Hello!
I faced a similar problem. First of all, you should exclude IPsec traffic from the FastTrack chain, according to https://wiki.mikrotik.com/wiki/Manual:I ... ack_Bypass.
In my case I have a road-warrior scenario, so I marked connections with an "ipsec" label in the mangle table, then modified the default FastTrack forward rule.
Screenshot at 2021-08-30 22-15-08.png
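The FastTrack bypass Aquo describes, as an added example written against the config posted earlier in the thread; it is not code from Aquo, the original poster or MikroTik. It assumes the poster's fasttrack rule still carries its default comment "defconf: fasttrack" and relies on the ipsec-policy matcher RouterOS provides for exactly this purpose. Although Aquo's case is a road-warrior setup, the same marks apply to the site-to-site policies in this thread, since the matcher keys on whether an IPsec policy covers the packet, not on the peer type.

```routeros
# Added example, not from the thread. Keeps IPsec-bound connections out of
# FastTrack: fasttracked packets skip the rest of the packet path, including
# IPsec policy matching, so an established flow would bypass the tunnel.
/ip firewall mangle
# Mark, once per connection, every forwarded flow that an IPsec policy
# covers, in both directions (out = about to be encrypted, in = just decrypted).
add chain=forward action=mark-connection new-connection-mark=ipsec \
    connection-mark=no-mark ipsec-policy=out,ipsec comment="mark ipsec out"
add chain=forward action=mark-connection new-connection-mark=ipsec \
    connection-mark=no-mark ipsec-policy=in,ipsec comment="mark ipsec in"
/ip firewall filter
# Edit the existing default fasttrack rule so marked connections are excluded
# and therefore still pass through the full firewall and IPsec processing.
set [find chain=forward action=fasttrack-connection comment="defconf: fasttrack"] \
    connection-mark=!ipsec
# Verify: the fasttrack rule must now show connection-mark=!ipsec, and tunnel
# connections should appear with connection-mark=ipsec and without the F
# (fasttracked) flag in the connection tracking table.
print where comment="defconf: fasttrack"
/ip firewall connection print where connection-mark=ipsec
```

Note that the mangle rules use connection-mark=no-mark so each connection is inspected only until it is marked; the posted config also contains duplicated "defconf" forward rules, and this edit touches only the fasttrack rule itself, so the accept and drop rules behave as before.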
