There is an IPsec tunnel running between a MikroTik and a Palo Alto. In this topology the MikroTik sends all traffic into the tunnel. Everything works as I want. Now I want to route some IP traffic from the Palo Alto to the MikroTik. I did it with Policy Based Forwarding.
Source: 192.168.101.34 -> Destination: 35.206.xxx.xxx -> Forwarding : tunnel.80
I can see in the logs that the traffic is going to tunnel.80, but I can't reach the address. What am I doing wrong or missing on the MikroTik?
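# RouterOS export: IKEv2 site-to-site tunnel to a Palo Alto. All LAN
# (10.10.5.0/24) traffic is selected into the tunnel by the IPsec policy
# below; the default route via 192.168.1.1 only carries the encapsulated
# ESP and whatever the policies do not match.
/interface bridge
add name=bridge
/interface list
add name=LAN
add name=WAN
/ip ipsec policy group
add name=group5
/ip ipsec profile
# Phase 1 (IKE) crypto: AES-256 / SHA-256 / DH modp2048.
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=8h \
name=ike_crypto
/ip ipsec peer
# Remote Palo Alto public address; local-address pins IKE to the WAN address.
add address=82.222.xxx.xxx/32 exchange-mode=ike2 local-address=5.25.xxx.xxx \
name=test profile=ike_crypto
/ip ipsec proposal
# Phase 2 (child SA) crypto with PFS. No auth-algorithms are listed in the
# export, so the RouterOS default is in effect -- confirm it matches the
# Palo Alto IPsec crypto profile.
add enc-algorithms=aes-256-cbc lifetime=1h name=ipsec_crypto pfs-group=\
modp2048
/ip pool
add name=5 ranges=10.10.5.20-10.10.5.200
/ip dhcp-server
add address-pool=5 interface=bridge name=DHCP
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=wlan1
add bridge=bridge interface=wlan2
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
/ip address
add address=10.10.5.1/24 interface=bridge network=10.10.5.0
add address=5.25.xxx.xxx comment=pubaddr interface=ether1 network=\
5.25.xxx.xxx
add address=192.168.1.5/24 interface=ether1 network=192.168.1.0
/ip dhcp-server network
add address=10.10.5.0/24 dns-server=192.168.200.5,192.168.200.6 gateway=\
10.10.5.1
/ip dns
set servers=8.8.8.8,1.1.1.1
/ip firewall filter
# Only IPsec-matched forward traffic is explicitly accepted here. There is
# no input-chain rule set and no final drop, so the router relies entirely
# on RouterOS defaults; see the note at the end of this export.
add action=accept chain=forward ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
/ip firewall mangle
add action=mark-connection chain=forward comment="Mark IPsec Out" \
ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="Mark IPsec In" \
ipsec-policy=in,ipsec new-connection-mark=ipsec passthrough=yes
/ip firewall nat
# LAN traffic is exempted from masquerade before it reaches the IPsec
# policy, so the tunnel selector (10.10.5.0/24 -> any) still matches.
add action=accept chain=srcnat dst-address=0.0.0.0/0 src-address=10.10.5.0/24
# Everything else leaving WAN -- including traffic that arrived decrypted
# from the Palo Alto side -- is masqueraded to the public address.
add action=masquerade chain=srcnat out-interface-list=WAN
/ip ipsec identity
add peer=test
/ip ipsec policy
# Keep intra-LAN traffic out of the tunnel.
add action=none dst-address=10.10.5.0/24 src-address=10.10.5.0/24
# LAN -> anywhere goes through the tunnel (inbound direction of this policy
# is any -> 10.10.5.0/24).
add comment=ipsec dst-address=0.0.0.0/0 peer=test proposal=ipsec_crypto \
src-address=10.10.5.0/24 tunnel=yes
# FIX: the Palo Alto PBF sends 192.168.101.34 -> 35.206.xxx.xxx into
# tunnel.80, but no policy above covers that selector -- the only tunnel
# policy's inbound direction is any -> 10.10.5.0/24, so packets whose
# destination is 35.206.xxx.xxx have no matching policy and are dropped on
# the MikroTik. This policy covers both directions for exactly that flow
# (narrow selector on purpose; widen src-address only if the PBF on the
# Palo Alto covers more destinations). The Palo Alto side needs a matching
# proxy-ID on tunnel.80 (local 192.168.101.34/32, remote 35.206.xxx.xxx/32)
# for the child SA to be negotiated, and the decrypted traffic is then
# accepted by the `ipsec-policy=in,ipsec` forward rule and masqueraded on
# its way out of WAN by the existing srcnat rule.
add comment="PA host 192.168.101.34 via tunnel" dst-address=\
192.168.101.34/32 peer=test proposal=ipsec_crypto src-address=\
35.206.xxx.xxx/32 tunnel=yes
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=main \
suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set www-ssl disabled=no
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Istanbul
# NOTE(review): ether1 carries a public address and this export has no
# input-chain filter, so www-ssl (left enabled above) and any service not
# listed here (e.g. winbox is not disabled in this export) are reachable
# from the Internet and from the tunnel peer. Restricting management
# services with `/ip service set ... address=10.10.5.0/24` and adding a
# minimal input chain is recommended; not done here to avoid locking out
# the administrator on a device we cannot see the full state of.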