mikrotak
just joined
Topic Author
Posts: 19
Joined: Wed May 27, 2020 1:06 am

ipsec-policy question

Tue Jun 02, 2020 8:44 pm

I am at the last piece of my first firewall and I'm wondering which direction I should go with the ip firewall NAT.

I notice that the default config adds an ipsec-policy=out,none
add chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none

but the recommended firewall at https://help.mikrotik.com/docs/display/ ... t+Firewall
does not
add chain=srcnat out-interface=ether1 action=masquerade

I looked at the ipsec doc at https://wiki.mikrotik.com/wiki/Manual:IP/IPsec
and it is too advanced for me at this early stage.
Is this another case of something that was put in the default config because it might be useful later but isn't a drag on processing?
 
Sob
Forum Guru
Posts: 6514
Joined: Mon Apr 20, 2009 9:11 pm

Re: ipsec-policy question  [SOLVED]

Wed Jun 03, 2020 4:19 am

It's for later. When you have a policy-based IPSec tunnel, it's usually between a local subnet and a remote subnet. The router sees packets from the local subnet leaving via the WAN interface. If you have unconditional srcnat/masquerade on WAN, everything will have its source changed to the router's WAN address. And it will break the tunnel, because packets will no longer match the policy. This extra option automatically excludes all tunnelled traffic from NAT.
Excessive quoting is useless and annoying. If you use it, please consider if you could do without it.
 
mikrotak
just joined
Topic Author
Posts: 19
Joined: Wed May 27, 2020 1:06 am

Re: ipsec-policy question

Thu Jun 04, 2020 1:20 am

OK, thanks ... then I probably don't need these either right now, correct?

add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
 
Sob
Forum Guru
Posts: 6514
Joined: Mon Apr 20, 2009 9:11 pm

Re: ipsec-policy question

Thu Jun 04, 2020 2:07 am

If you don't have any policy-based IPSec tunnels, then no, you don't need these. And even when you do have some, you don't necessarily want to allow everything.
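As an added example (not taken from the posts above or from MikroTik's default configuration), here are the pieces discussed in this thread side by side: the masquerade rule with and without the ipsec-policy=out,none exclusion, the explicit no-NAT rule that achieves the same thing without the matcher, and forward rules that accept only the tunnelled subnets instead of all IPsec-policy traffic. The subnets 192.168.88.0/24 (local LAN) and 10.10.0.0/24 (remote LAN) and the interface list name WAN are placeholders chosen for the example.

```routeros
# Added example, not part of the thread. Addresses are placeholders:
#   local LAN behind this router:     192.168.88.0/24
#   remote LAN behind the IPsec peer: 10.10.0.0/24

/ip firewall nat
# Unconditional masquerade: every packet leaving via WAN, including
# packets for 10.10.0.0/24, gets its source rewritten to the WAN
# address. It then no longer matches the IPsec policy (src 192.168.88.0/24)
# and is routed like ordinary Internet traffic instead of into the tunnel.
#add chain=srcnat action=masquerade out-interface-list=WAN \
#    comment="breaks policy-based IPsec"

# Default-config form: ipsec-policy=out,none matches only packets that
# will NOT be handled by an outbound IPsec policy, so tunnelled traffic
# is left untouched and everything else is still masqueraded.
add chain=srcnat action=masquerade out-interface-list=WAN \
    ipsec-policy=out,none comment="defconf: masquerade"

# Equivalent without the matcher: explicitly skip NAT for traffic between
# the two tunnelled subnets. srcnat is first-match, so this rule must sit
# above the masquerade rule (place-before=0 puts it at the top).
add chain=srcnat action=accept src-address=192.168.88.0/24 \
    dst-address=10.10.0.0/24 place-before=0 \
    comment="no NAT for site-to-site tunnel"

/ip firewall filter
# Default config accepts anything that matched an IPsec policy in either
# direction. That is broad: any host on the remote LAN can reach any host
# here, and any local host can reach anything the policy covers.
#add chain=forward action=accept ipsec-policy=in,ipsec \
#    comment="defconf: accept in ipsec policy"
#add chain=forward action=accept ipsec-policy=out,ipsec \
#    comment="defconf: accept out ipsec policy"

# Tighter version: still require that the packet was decrypted by (or will
# be encrypted by) an IPsec policy, but also pin down the subnets, so
# traffic for any other range is not accepted even if it arrives through
# the tunnel.
add chain=forward action=accept ipsec-policy=in,ipsec \
    src-address=10.10.0.0/24 dst-address=192.168.88.0/24 \
    comment="remote LAN -> local LAN over IPsec only"
add chain=forward action=accept ipsec-policy=out,ipsec \
    src-address=192.168.88.0/24 dst-address=10.10.0.0/24 \
    comment="local LAN -> remote LAN over IPsec only"
```

Either NAT approach on its own is enough; the explicit accept rule is shown only because it is the older way to get the same result, and having both does no harm. The forward rules should be placed above any drop rule for forwarded traffic, and you can narrow them further with protocol and port matchers once you know what the remote site actually needs to reach.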
