Benb
just joined
Topic Author
Posts: 1
Joined: Sun Nov 07, 2021 4:47 pm

Exclude specific traffic from IPSec with FastTrack

Tue Nov 09, 2021 1:44 pm

Hello,

I was wondering if there is a way to use fast track on certain connections via IPSec - Mikrotik - Cisco Firewall?
Here is what I want to accomplish.
Establish a VPN IPsec between Cisco Firewall and Mikrotik. The tunnel IP is different from the networks on both sides.
The role of the MikroTik is to represent a PC from the local network to the VPN; it's one-way communication (a PC from the Cisco side will access the PC on the MikroTik side only).
The router shouldn't be accessible from WAN on the local network but should be accessible from the VPN, or a certain LAN port with a specific IP address.
The MikroTik router is behind NAT, so it gets an IP address from the local network; it has internet access, and the necessary ports are allowed.

Everything mentioned above is working as expected. The VPN is established. The PC from the Cisco side can access the MikroTik and the PC from the local network.
The problem is that when I start using traffic, the CPU of the MikroTik goes to 100%. To reduce that CPU load, I've marked the IPsec traffic and used FastTrack.
When I download a file, FastTrack works as I wanted: no CPU is used and the transfer runs at a maximum speed of 100 Mbps. However, when I run an MSSQL query via SSMS, the CPU of the router goes to 100% because the traffic goes through the firewall rules.
The question is, how can I make MSSQL traffic bypass the firewall rules as happens with the file transfer?
/interface ethernet
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-128 name=profile1
/ip ipsec peer
add address=99.88.77.66/32 local-address=192.168.1.2 name=Cisco profile=profile1
/ip ipsec proposal
add enc-algorithms=aes-128-cbc lifetime=1d name=proposal1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=ether5 list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.100.1/24 interface=ether5 network=192.168.100.0
add address=192.168.1.2/24 interface=ether1 network=192.168.1.0
/ip cloud
set update-time=no
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="IPsec allow access to router" dst-address=10.10.10.1 in-interface-list=WAN ipsec-policy=in,ipsec src-address=10.0.0.1
add action=fasttrack-connection chain=forward connection-mark=!ipsec connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all not coming from LAN" connection-nat-state=!dstnat in-interface-list=!LAN
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=forward comment="mark ipsec connections" ipsec-policy=out,ipsec new-connection-mark=ipsec
add action=mark-connection chain=forward comment="mark ipsec connections" ipsec-policy=in,ipsec new-connection-mark=ipsec
/ip firewall nat
add action=masquerade chain=srcnat comment="masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=netmap chain=dstnat dst-address=10.10.10.1 in-interface=ether1 src-address=10.0.0.1 to-addresses=192.168.1.2
add action=netmap chain=dstnat dst-address=10.10.10.2 in-interface=ether1 src-address=10.0.0.1 to-addresses=192.168.1.50
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec identity
add peer=Cisco secret=IPSecPassword
/ip ipsec policy
add dst-address=10.0.0.1/32 peer=Cisco proposal=proposal1 src-address=10.10.10.0/24 tunnel=yes
/ip route
add distance=1 gateway=192.168.1.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.100.55/32,10.10.10.0/24,10.0.0.1/32
set ssh disabled=yes
set api disabled=yes
set winbox address=10.10.10.0/24,192.168.100.55/32
set api-ssl disabled=yes
/system clock
set time-zone-name=Etc/GMT+0
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
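A fasttracked connection skips the rest of the firewall (filter and mangle) and the IPsec policy matchers, which is why the export above marks IPsec connections in mangle and fasttracks only `connection-mark=!ipsec`. The following is an added audit script, not code from the post or from MikroTik: it parses a RouterOS export in the same `add key=value` syntax and reports any forward-chain `fasttrack-connection` rule that does not exclude IPsec traffic either via a negated connection mark set by an `ipsec-policy=...,ipsec` mangle rule or via `ipsec-policy=...,none`. The sample export is constructed and modelled on the post's rules.

```python
import re
from typing import Dict, List

# Constructed sample in RouterOS export syntax (hypothetical, not a real device export).
SAMPLE_EXPORT = """\
/ip firewall filter
add action=accept chain=input comment="accept established" connection-state=established,related,untracked
add action=fasttrack-connection chain=forward connection-mark=!ipsec connection-state=established,related
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall mangle
add action=mark-connection chain=forward ipsec-policy=out,ipsec new-connection-mark=ipsec
add action=mark-connection chain=forward ipsec-policy=in,ipsec new-connection-mark=ipsec
"""

# key=value tokens; values may be quoted strings containing spaces (e.g. comment="...").
TOKEN = re.compile(r'(\S+?)=("[^"]*"|\S+)')

def parse_export(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Group each 'add ...' line under its '/path' section as a key=value dict."""
    sections: Dict[str, List[Dict[str, str]]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current is not None:
            sections[current].append({k: v.strip('"') for k, v in TOKEN.findall(line[4:])})
    return sections

def audit_fasttrack(sections: Dict[str, List[Dict[str, str]]]) -> List[str]:
    """One finding per forward-chain fasttrack rule that would also fasttrack
    IPsec-policy traffic and so let it bypass the IPsec policy matchers."""
    rules = sections.get("/ip firewall filter", [])
    mangle = sections.get("/ip firewall mangle", [])
    # Connection marks that mangle assigns to traffic matched by an IPsec policy.
    ipsec_marks = {r["new-connection-mark"] for r in mangle
                   if r.get("action") == "mark-connection"
                   and r.get("ipsec-policy", "").endswith(",ipsec")
                   and "new-connection-mark" in r}
    findings = []
    for i, r in enumerate(rules, 1):
        if r.get("action") != "fasttrack-connection" or r.get("chain") != "forward":
            continue
        by_policy = r.get("ipsec-policy", "").endswith(",none")
        mark = r.get("connection-mark", "")
        by_mark = mark.startswith("!") and mark[1:] in ipsec_marks
        if not (by_policy or by_mark):
            findings.append(f"filter rule {i}: fasttrack-connection does not exclude IPsec traffic")
    return findings
```

Run it over the output of `/export` to confirm that every FastTrack rule still excludes the tunnel traffic after edits to the filter or mangle tables.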