Router 1 (local subnet 192.168.0.0/24):
Code: Select all
/ip ipsec profile
add enc-algorithm=aes-256 name=profile_1 nat-traversal=no
/ip ipsec peer
add address=xxxxxx name=xxxxxx profile=profile_1
/ip ipsec identity
add peer=xxxxxx secret=mysecret
/ip ipsec policy
add dst-address=192.168.0.0/24 peer=xxxxxx src-address=192.168.3.0/24 tunnel=yes
Code: Select all
/ip ipsec profile
add enc-algorithm=aes-256 name=profile_2 nat-traversal=no
/ip ipsec peer
add address=yyyyyy name=yyyyyy profile=profile_2
/ip ipsec identity
add peer=yyyyyy secret=mysecret
/ip ipsec policy
add dst-address=192.168.3.0/24 peer=yyyyyy src-address=192.168.0.0/24 tunnel=yes
Here's the firewall configs.
Router 1:
Code: Select all
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=accept chain=input dst-port=500,4500 protocol=udp
add action=accept chain=input comment="Router access" src-address=192.168.0.0/24
add action=accept chain=input dst-port=22 protocol=tcp src-address=192.168.3.0/24
add action=accept chain=input dst-port=443 protocol=tcp src-address=192.168.3.0/24
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=accept chain=forward in-interface=all-vlan out-interface=ether1
add action=reject chain=forward in-interface=all-vlan reject-with=icmp-host-unreachable
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=\
ether1
/ip firewall mangle
add action=change-mss chain=forward dst-address=192.168.3.0/24 new-mss=1350 passthrough=yes protocol=tcp src-address=192.168.0.0/24 tcp-flags=syn \
tcp-mss=!0-1350
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.3.0/24 src-address=192.168.0.0/24
add action=accept chain=srcnat dst-address=0.0.0.0/0 src-address=10.11.10.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1
/ip firewall raw
add action=notrack chain=prerouting dst-address=192.168.3.0/24 src-address=192.168.0.0/24
add action=notrack chain=prerouting dst-address=192.168.0.0/24 src-address=192.168.3.0/24
Code: Select all
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=accept chain=input comment="Allow to router from LAN" src-address=192.168.3.0/24
add action=accept chain=input dst-port=22 protocol=tcp src-address=192.168.0.0/24
add action=accept chain=input dst-port=443 protocol=tcp src-address=192.168.0.0/24
add action=accept chain=input dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input
add action=fasttrack-connection chain=forward comment="Exclude marked connections to non-default WAN" connection-mark=!unid2cm connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=accept chain=forward in-interface=all-vlan out-interface-list=WAN
add action=drop chain=forward in-interface=all-vlan
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=change-mss chain=forward dst-address=192.168.0.0/24 new-mss=1350 passthrough=yes protocol=tcp src-address=192.168.3.0/24 tcp-flags=syn tcp-mss=!0-1350
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.0.0/24 src-address=192.168.3.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN
/ip firewall raw
add action=notrack chain=prerouting dst-address=192.168.3.0/24 src-address=192.168.0.0/24
add action=notrack chain=prerouting dst-address=192.168.0.0/24 src-address=192.168.3.0/24
In "active peers", Router 1 seems to have both incoming & outgoing traffic:
Code: Select all
/ip ipsec active-peers> print detail
Flags: R - responder, N - natt-peer
0 R local-address=xxxxxx remote-address=yyyyyy state=established side=responder uptime=41m38s last-seen=1m29s ph2-total=4
spii="37e611e3dc0a7e8b" spir="734a5991018f3b0f"
/ip ipsec active-peers> print stats
Flags: R - responder, N - natt-peer
# ID STATE UPTIME PH2-TOTAL REMOTE-ADDRESS DYNAMIC-ADDRESS RX-BYTES TX-BYTES
0 R established 44m24s 4 yyyyyy 94 428 934 357
Code: Select all
/ip ipsec active-peers> print detail
Flags: R - responder, N - natt-peer
0 local-address=yyyyyy remote-address=xxxxxx state=established side=initiator uptime=43m40s last-seen=1m30s ph2-total=4 spii="37e611e3dc0a7e8b"
spir="734a5991018f3b0f"
/ip ipsec active-peers> print stats
Flags: R - responder, N - natt-peer
# ID STATE UPTIME PH2-TOTAL REMOTE-ADDRESS DYNAMIC-ADDRESS RX-BYTES TX-BYTES
0 established 43m43s 4 xxxxxx 0 94 024