MikroTik App
 
boonshin
just joined
Topic Author
Posts: 2
Joined: Mon Dec 07, 2020 11:15 am

Setting up 2 LtAP for remote monitoring using IPSec

Tue Dec 08, 2020 4:27 am

I have 2 sets of LtAP and am trying to set up a remote monitoring system between 2 locations. Both modems are connected through a public telco via prepaid LTE SIM.
I have set the IP address of one to 192.168.88.1 and the other to 192.168.66.1.
These modems would each be connected individually to a laptop by LAN port.

I had tried using the IPSec suggestion found in the Wiki Manual https://wiki.mikrotik.com/wiki/Manual:I ... sec_tunnel but I still could not ping each other's remote IP addresses. Is there anything I have missed out? Note that I am not a network professional nor experienced with these modems.
 
SiB
Forum Guru
Posts: 1888
Joined: Sun Jan 06, 2013 11:19 pm
Location: Poland

Re: Setting up 2 LtAP for remote monitoring using IPSec

Tue Dec 08, 2020 3:41 pm

In WinBox you can go to IP > Cloud and read the IP that is visible on the internet in the Public Address field.
This should be a public IP provided to your LtAP... probably the IP address you receive from the ISP does not do that.
Try pinging that IP from your mobile phone and check in Tools > Torch whether you see your mobile's ICMP packets.

If both do not have a proper public IP then you must buy some public IP address via a VPN service, or ask your ISP, or use a 3rd site with a public IP to be your "data center".
 
boonshin
just joined
Topic Author
Posts: 2
Joined: Mon Dec 07, 2020 11:15 am

Re: Setting up 2 LtAP for remote monitoring using IPSec

Mon Dec 14, 2020 5:09 am

I have attempted to set up both routers with the IPsec site-to-site and the firewall rules, but they are still unable to ping each other.
Attached are the two configuration rsc files for the routers; is there anything amiss or any additional settings that have been missed out?

At the moment both telco SIMs have dynamic IPs and I am unable to use a static IP for now; is it necessary to have a script to perform a DDNS update?

Router 1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec peer
add address=10.135.82.222/32 exchange-mode=ike2 name=Router1
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 \
hash-algorithm=sha256
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
pfs-group=modp2048
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/port
set 1 baud-rate=115200 name=gps
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=wlan1
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether1 network=\
192.168.88.0
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=input comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=accept chain=srcnat comment="defconf: masquerade" dst-address=\
192.168.66.0/24 ipsec-policy=out,none out-interface-list=all src-address=\
192.168.88.0/24
/ip ipsec identity
add peer=Router1 secret=12345678
/ip ipsec policy
add dst-address=192.168.66.0/24 peer=Router1 sa-dst-address=10.135.82.222 \
sa-src-address=0.0.0.0 src-address=192.168.88.0/24 tunnel=yes

Router 2
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] apn=sunsurf
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec peer
add address=10.143.106.120/32 name=peer1
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 \
hash-algorithm=sha256
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
pfs-group=modp2048
/ip pool
add name=dhcp ranges=192.168.66.10-192.168.66.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/port
set 1 baud-rate=115200 name=gps
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=wlan1
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/ip address
add address=192.168.66.1/24 comment=defconf interface=ether1 network=\
192.168.66.0
/ip dhcp-server network
add address=192.168.66.0/24 comment=defconf gateway=192.168.66.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.66.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=accept chain=srcnat comment="defconf: masquerade" dst-address=\
192.168.88.1 ipsec-policy=out,none out-interface-list=all src-address=\
192.168.66.1
/ip ipsec identity
# Peer does not exist
add secret=12345678
/ip ipsec policy
add dst-address=192.168.88.1/32 src-address=192.168.66.1/32 tunnel=yes
 
SiB
Forum Guru
Posts: 1888
Joined: Sun Jan 06, 2013 11:19 pm
Location: Poland

Re: Setting up 2 LtAP for remote monitoring using IPSec

Mon Dec 14, 2020 10:12 am

Both peers are on private IPs; these are not public IPs!

10.135.82.222/32 is not public.

10.x.x.x
172.16-31.x.x
192.168.x.x
are internal, private - meaning they cannot see each other via the internet.

Yes, IP > Cloud is the free DDNS service from MikroTik.
 
krafg
Forum Guru
Posts: 1021
Joined: Sun Jun 28, 2015 7:36 pm

Re: Setting up 2 LtAP for remote monitoring using IPSec

Sun Dec 20, 2020 5:04 pm

This is very common on LTE/3G services, and the worst news is that some GPON FTTH services are also giving private IPs to users (NAT behind NAT).

Regards.
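As an added example (not code from the thread or from MikroTik), the script below applies the point SiB and krafg make to exports like the two posted above: it pulls the peer addresses out of a RouterOS /ip ipsec peer section and labels them, going one step beyond the thread by also recognising the RFC 6598 carrier-NAT range 100.64.0.0/10, and it implements the IP > Cloud comparison SiB describes. The function names (classify, parse_peers, peer_report, behind_nat) are my own, and the embedded sample exports are constructed from the peer lines in the thread.

```python
import ipaddress
import re

# The three ranges SiB lists (RFC 1918), plus the RFC 6598 shared address
# space that mobile carriers hand out behind CGNAT. That fourth range is an
# addition in this example; the thread itself does not mention it.
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def classify(addr: str) -> str:
    """Label an address as 'private', 'cgnat', 'public' or 'unusable'."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in PRIVATE):
        return "private"
    if ip in CGNAT:
        return "cgnat"
    if ip.is_global:
        return "public"
    return "unusable"          # loopback, link-local, documentation ranges, etc.


def parse_peers(export: str):
    """Return [(name, address)] from the /ip ipsec peer section of an export."""
    text = export.replace("\\\n", "")        # join RouterOS line continuations
    section, peers = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line                   # a new export section starts
        elif section == "/ip ipsec peer" and line.startswith("add "):
            kv = dict(re.findall(r"(\S+?)=(\S+)", line))
            peers.append((kv.get("name", "?"),
                          kv.get("address", "").split("/")[0]))
    return peers


def peer_report(export: str):
    """Map each peer name to its label; a direct tunnel needs a 'public' peer."""
    return {name: classify(addr) for name, addr in parse_peers(export)}


def behind_nat(lte_addr: str, cloud_public_addr: str) -> bool:
    """SiB's IP > Cloud check: if the address on lte1 differs from the public
    address the Cloud service saw, a NAT sits between the router and the internet."""
    return ipaddress.ip_address(lte_addr) != ipaddress.ip_address(cloud_public_addr)


# Constructed samples: the /ip ipsec peer entries from the two exports in the thread.
ROUTER1 = "/ip ipsec peer\nadd address=10.135.82.222/32 exchange-mode=ike2 name=Router1\n"
ROUTER2 = "/ip ipsec peer\nadd address=10.143.106.120/32 name=peer1\n"

if __name__ == "__main__":
    for export in (ROUTER1, ROUTER2):
        print(peer_report(export))           # both peers come out 'private'
```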
