hapoo
newbie
Topic Author
Posts: 45
Joined: Wed Apr 24, 2019 1:35 am

trouble resolving domains using remote dns server over ipsec

Mon May 04, 2020 9:17 am

I'm sure I'm doing something stupid, but no matter what I do I can't fix this issue.

I have two networks connected via ipsec vpn with the following setup:
/ip ipsec policy add disabled=yes dst-address=10.39.26.0/24 peer=VPN-peer proposal=VPN-proposal src-address=192.168.88.0/24 tunnel=yes
/ip ipsec proposal add enc-algorithms=aes-256-cbc lifetime=1d name=VPN-proposal pfs-group=modp2048
/ip ipsec peer add address=1.2.3.4 disabled=yes exchange-mode=aggressive name=VPN-peer profile=VPN-profile send-initial-contact=no
/ip ipsec identity add peer=VPN-peer secret=blahblah
/ip ipsec profile add dh-group=modp2048 enc-algorithm=aes-256 name=VPN-profile
Currently running 6.47beta60 in the hope of being able to use the new DNS features.
I don't have any non-standard firewall entries or custom routes. I've tried every combination I can, but none worked.


Network 1:
Mikrotik 1 LAN: 192.168.88.0/24
Mikrotik 1 WAN: 5.6.7.8/24
Network 2:
Mikrotik 2 LAN: 10.39.26.0/24
Mikrotik 2 WAN: 1.2.3.4/24


On any client connected to Mikrotik 1 I can ping and access Mikrotik 2 itself and its clients. However, from Mikrotik 1 itself I can't ping Mikrotik 2 or any of its clients unless I specify the src-address in the ping. Now normally this wouldn't be a big deal, but the problem is that on Network 2, connected to Mikrotik 2, I have a DNS server that's being used to look up local machines, and try as I may I can't get Mikrotik 1 to use that DNS server.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: trouble resolving domains using remote dns server over ipsec  [SOLVED]

Mon May 04, 2020 12:05 pm

Multiple reasons are possible but the following one is most common:

When forwarding packets, the router doesn't change their source address unless NAT behaviour has been intentionally configured.

But when sending packets on its own, the router chooses the source address depending on the out-interface chosen by routing to send them. So if you only have a default route and you use plain IPsec with policy matching, the router itself uses its WAN address as source of the pings and DNS requests, hence the policy ignores them.

If this is the reason, you can either add a route to the destination subnet and set its pref-src to the LAN address of your Mikrotik which matches the policy's src-address, or you can insert an exceptional action=src-nat rule with to-addresses set to the LAN address of your Mikrotik before the generic src-nat/masquerade one with dst-address matching the destination subnet.
 
hapoo
newbie
Topic Author
Posts: 45
Joined: Wed Apr 24, 2019 1:35 am

Re: trouble resolving domains using remote dns server over ipsec

Mon May 04, 2020 6:12 pm

Once again you’ve fixed it Sindy. Thank you so much!
 
Retral
newbie
Posts: 33
Joined: Wed Jul 25, 2018 9:10 pm

Re: trouble resolving domains using remote dns server over ipsec

Mon Dec 07, 2020 6:06 pm

Multiple reasons are possible but the following one is most common:

When forwarding packets, the router doesn't change their source address unless NAT behaviour has been intentionally configured.

But when sending packets on its own, the router chooses the source address depending on the out-interface chosen by routing to send them. So if you only have a default route and you use plain IPsec with policy matching, the router itself uses its WAN address as source of the pings and DNS requests, hence the policy ignores them.

If this is the reason, you can either add a route to the destination subnet and set its pref-src to the LAN address of your Mikrotik which matches the policy's src-address, or you can insert an exceptional action=src-nat rule with to-addresses set to the LAN address of your Mikrotik before the generic src-nat/masquerade one with dst-address matching the destination subnet.
Thank you very much for this insight. It helped me solve a long-ongoing DNS issue for which I just could not pinpoint a clean way to resolve it.
I do however wish that MikroTik would auto add the appropriate items to make this work when the connection is established, but I can appreciate the learning curve :)
Also MikroTik please note if you're reading this that DNS does not appear to work over IPSec unless you manually DST-NAT the traffic, or take out all other DNS servers or set the mode config DNS to exclusive.
 
SaS
just joined
Posts: 15
Joined: Thu Aug 04, 2022 9:17 pm

Re: trouble resolving domains using remote dns server over ipsec

Sat Sep 03, 2022 10:38 am

I have the same problem that my router cannot reach a DNS-server through IPsec-tunnel.
For the machines behind the router, it's working - so there's a chance that your proposal could solve my issue.
I'd like to set-up the route-solution (@sindy) - but unfortunately it does not work.
The two networks are 10.8.0.0/16 and 10.21.0.0/16 (MTs are on 10.8.210.250 and 10.21.210.250).
So I created a route with 10.8.0.0/16 as Dst. Address and 10.21.210.250 as Pref. Source (no value for Gateway).
Sadly, it's considered as invalid - maybe I have to specify a value for gateway?
Thanks for any help - not being able to use the MT-DNS over IPsec is really a bad thing.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: trouble resolving domains using remote dns server over ipsec

Sat Sep 03, 2022 11:14 am

Yes, a route must have some gateway set. But for your purpose, you may set it to a name of any interface that stays up (such as the local bridge), because it is enough that the system would see the route as active; the IPsec policy will intercept the packets and send them down its Security Association.
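The two fixes sindy describes in this thread (the pref-src route in the first reply, and the interface-as-gateway detail in the reply just above) written out against hapoo's addresses from the opening post. This is an added example, not configuration from the thread or from MikroTik: it assumes Mikrotik 1 holds 192.168.88.1 on a bridge named "bridge", that the remote DNS server on Network 2 is 10.39.26.53 (a constructed placeholder), that the default masquerade rule sits at index 0 of the srcnat chain, and that the policy and peer shown disabled in the opening post's export have been enabled. Apply either option A or option B, not both.

```routeros
# Assumptions (not from the thread): Mikrotik 1 LAN address 192.168.88.1 on
# interface "bridge"; remote DNS server 10.39.26.53 is a constructed placeholder.

# Option A: a route to the remote subnet whose pref-src is the LAN address that
# matches the IPsec policy's src-address. The gateway only has to keep the route
# active; the policy intercepts the packets before the gateway is ever used, so
# any always-up interface works (SaS used "%bridge" for the same purpose).
/ip route add dst-address=10.39.26.0/24 gateway=bridge pref-src=192.168.88.1 \
    comment="router-originated traffic to Network 2 sources from the LAN address"

# Option B (instead of A): a narrow src-nat exception placed before the generic
# masquerade rule. dst-address limits it to the remote subnet, so nothing else
# is rewritten and the regular masquerade rule still handles Internet traffic.
/ip firewall nat add chain=srcnat dst-address=10.39.26.0/24 \
    action=src-nat to-addresses=192.168.88.1 place-before=0 \
    comment="router-originated traffic to Network 2 leaves with the LAN source"

# Only now point the router itself at the DNS server behind the tunnel.
/ip dns set servers=10.39.26.53

# Checks: the ping should succeed without a src-address, the route should show
# as active, the policy should show an established ph2 state, and a name lookup
# from the router should answer.
/ping 10.39.26.53 count=3
/ip route print where dst-address=10.39.26.0/24
/ip ipsec policy print
:put [:resolve "host.example"]
```

Option A is the cleaner choice for an audit, because the router's own packets then carry their real LAN address and no NAT state is involved; option B is the one to reach for when the route table is managed elsewhere and a single firewall rule is easier to place. In both cases, keep the dst-address match so the exception cannot widen beyond the remote subnet.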
 
SaS
just joined
Posts: 15
Joined: Thu Aug 04, 2022 9:17 pm

Re: trouble resolving domains using remote dns server over ipsec

Sat Sep 03, 2022 1:21 pm

Yes, a route must have some gateway set. But for your purpose, you may set it to a name of any interface that stays up (such as the local bridge), because it is enough that the system would see the route as active; the IPsec policy will intercept the packets and send them down its Security Association.
I used "%bridge" (my bridge is named "bridge") as gateway and it works immediately! GREAT!!
Your answer should be included in the official RouterOS docs.
Thanks again!
 
TomosRider
Member Candidate
Posts: 209
Joined: Thu Nov 20, 2014 1:51 pm

Re: trouble resolving domains using remote dns server over ipsec

Thu Oct 20, 2022 3:36 pm

I must add, I have this working by adding a DNS for clients that is the domain DNS on the other side of a tunnel.
