Here's a detailed breakdown of what's going on:
RoadWarrior pool is 10.0.80.0/24
Site A (MikroTik) LAN is 10.10.20.0/24
Site B LAN is 192.168.2.0/24
Site C LAN is 192.168.3.0/24
I have a masquerade rule to change 10.0.80.0/24 into 10.10.20.0/24 before heading to Site B
Code:
add action=masquerade chain=srcnat dst-address=192.168.2.0/24 log=yes \
out-interface=bridge src-address=10.0.80.0/24 to-addresses=10.10.20.0/24
and added Site B to the routes list
Code:
add disabled=no dst-address=192.168.2.0/24 gateway=bridge routing-table=main \
suppress-hw-offload=no
After some packet sniffing with Wireshark, I could see that ping from the Road Warrior reaches the destination computer at Site B. The ping reply makes it back to the Tik at Site A but does not make it to the Road Warrior client.
Looking at the firewall log, I can see that the ping gets srcnat'ed and heads to the destination
Code:
forward: in:ether1 out:bridge, connection-state:new,snat , proto ICMP (type 8, code 0), 10.0.80.254->192.168.2.61, NAT (10.0.80.254->10.10.20.1)->192.168.2.61, len 60
and ping reply from the destination comes back
Code:
forward: in:ether1 out:ether1, connection-state:established,snat , proto ICMP (type 0, code 0), 192.168.2.61->10.0.80.254, NAT 192.168.2.61->(10.10.20.1->10.0.80.254), len 60
The only thing that looks odd to me is that the out interface is ether1 instead of bridge.
Am I missing something obvious here?
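As an added example (not part of the original post, and not RouterOS code): a small Python parser for firewall log lines in the format quoted above, plus a check that pairs a request with its reply and reports every place where the reply's interfaces or NAT mapping do not mirror the request's. It assumes only the line layout visible in the two quoted log entries; the names `Packet`, `parse_log` and `check_flow` are my own, and the sample log embedded below is constructed from those two lines.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the two lines quoted in the post, in the format RouterOS
# writes when a firewall/NAT rule has log=yes.
SAMPLE_LOG = """\
forward: in:ether1 out:bridge, connection-state:new,snat , proto ICMP (type 8, code 0), 10.0.80.254->192.168.2.61, NAT (10.0.80.254->10.10.20.1)->192.168.2.61, len 60
forward: in:ether1 out:ether1, connection-state:established,snat , proto ICMP (type 0, code 0), 192.168.2.61->10.0.80.254, NAT 192.168.2.61->(10.10.20.1->10.0.80.254), len 60
"""

# One log line: chain, interfaces, conntrack flags, protocol, addresses, NAT, length.
LINE_RE = re.compile(
    r"^(?P<chain>\w+): in:(?P<in_if>\S+) out:(?P<out_if>[^\s,]+), "
    r"connection-state:(?P<state>\S+)\s*,\s*"
    r"proto (?P<proto>\w+)(?: \((?P<proto_info>[^)]*)\))?, "
    r"(?P<src>[\w.:]+)->(?P<dst>[\w.:]+), "
    r"(?:NAT (?P<nat>.+?), )?"
    r"len (?P<len>\d+)$"
)
# "(A->B)->C": source address A was rewritten to B on the way to C.
SNAT_RE = re.compile(r"^\((?P<orig>[\w.:]+)->(?P<new>[\w.:]+)\)->(?P<dst>[\w.:]+)$")
# "A->(B->C)": destination address B was rewritten to C (the reverse of an earlier snat).
DNAT_RE = re.compile(r"^(?P<src>[\w.:]+)->\((?P<orig>[\w.:]+)->(?P<new>[\w.:]+)\)$")


@dataclass
class Packet:
    chain: str
    in_if: str
    out_if: str
    states: list = field(default_factory=list)
    proto: str = ""
    src: str = ""
    dst: str = ""
    nat: Optional[dict] = None  # {"kind": "src"|"dst"|"unknown", "orig": ..., "new": ...}
    length: int = 0


def parse_nat(text: str) -> dict:
    """Classify the NAT field as a source or destination rewrite."""
    m = SNAT_RE.match(text)
    if m:
        return {"kind": "src", "orig": m["orig"], "new": m["new"]}
    m = DNAT_RE.match(text)
    if m:
        return {"kind": "dst", "orig": m["orig"], "new": m["new"]}
    return {"kind": "unknown", "raw": text}


def parse_line(line: str) -> Packet:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised firewall log line: {line!r}")
    return Packet(
        chain=m["chain"], in_if=m["in_if"], out_if=m["out_if"],
        states=m["state"].split(","), proto=m["proto"],
        src=m["src"], dst=m["dst"],
        nat=parse_nat(m["nat"]) if m["nat"] else None,
        length=int(m["len"]),
    )


def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def check_flow(req: Packet, rep: Packet) -> list:
    """Compare a request and its reply; return a list of mismatches.

    For a symmetrically routed, correctly NATed flow the reply arrives on the
    interface the request left through, leaves through the interface the
    request arrived on, and undoes exactly the address rewrite the request got.
    """
    findings = []
    if rep.in_if != req.out_if:
        findings.append(f"asymmetric path: request left via {req.out_if} "
                        f"but reply arrived on {rep.in_if}")
    if rep.out_if != req.in_if:
        findings.append(f"reply leaves via {rep.out_if} but request came in on {req.in_if}")
    if req.nat and rep.nat and req.nat["kind"] == "src" and rep.nat["kind"] == "dst":
        # Reply must translate the NATed address back to the original one.
        if (rep.nat["orig"], rep.nat["new"]) != (req.nat["new"], req.nat["orig"]):
            findings.append("reply NAT does not reverse the request's source NAT")
    elif req.nat and not rep.nat:
        findings.append("request was NATed but reply shows no NAT reversal")
    return findings


if __name__ == "__main__":
    request, reply = parse_log(SAMPLE_LOG)
    for f in check_flow(request, reply) or ["no mismatches found"]:
        print(f)
```

Run against the two quoted lines the NAT reversal checks out and the reply leaves on the same interface the request came in on; the only mismatch reported is that the request went out via `bridge` while the reply came back in on `ether1`, which is where I would look next when comparing the site-to-site path in both directions.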