pekr
Member Candidate
Topic Author
Posts: 169
Joined: Tue Feb 22, 2005 9:05 pm
Location: Czech Republic

Pinging local MT network "stolen" by IPSEC policy?

Sat Nov 13, 2021 5:49 pm

Hi,

we are setting up our remote locations and would like to use MT against FG (Fortigate). The IPSEC tunnels already work, but we can't ping devices on the particular MT itself on its own wire - it always seems to go to the tunnel. When we disable the corresponding IPSEC Policy, ping starts to work.

I have already tried many things - an SRC-NAT rule accepting the local traffic before the masquerade rule, and I was reading some older discussions about utilising some RAW settings, but to no avail.

Here's the config on my hAP-ac2:
/ip address
add address=10.110.112.1/24 interface=bridge-LOCAL network=10.110.112.0

/ip ipsec policy
add dst-address=10.110.0.0/16 peer=company src-address=10.110.112.0/24 tunnel=yes

I thought that I would always be able to ping devices on the local wire :-) How can I make an exception and prevent pings from the local MT to its local interface network from going into the tunnel?

PS: we are able to ping devices between the tunnels. Not just locally directly on the given MTs.

The other problem is the missing keep-alive. The tunnel goes into sleep, unless the communication is initiated from the remote location. Hopefully some scheduled ping would do it.

Thanks a lot,
/Petr
 
pekr
Member Candidate
Topic Author
Posts: 169
Joined: Tue Feb 22, 2005 9:05 pm
Location: Czech Republic

Re: Pinging local MT network "stolen" by IPSEC policy?

Tue Nov 16, 2021 11:05 am

Btw - I can't even see local wire devices being in the ARP table.

Solved it temporarily by assigning a 10.0.0.1/24 (which is not being caught by the IPSEC Policy rules) to the bridge interface and instructing PING to use that address as a source. Finally can ping devices on the local network.

Another interesting thing is that in Bridge / Hosts I can see the printer device as DE (Dynamic, External), not DL (Dynamic, Local). Maybe some further bridge Filter / NAT rules would help here, but that's beyond my knowledge so far ....
 
mkx
Forum Guru
Posts: 11582
Joined: Thu Mar 03, 2016 10:23 pm

Re: Pinging local MT network "stolen" by IPSEC policy?

Tue Nov 16, 2021 11:18 am

IPsec policy is more "greedy" than routing / NAT / whatever. So if an IPsec policy matches, the packet goes into the tunnel. Which makes it clear that an IPsec policy should never overlap local networks as it does in your case. The remote end likely has more specific IPsec policies on its tunnels and you shouldn't cut corners on this end. So you really should add a few IPsec policies which will skip the local network - sort of "punch out" the local network:
/ip ipsec policy
add dst-address=10.110.0.0/18 peer=company src-address=10.110.112.0/24 tunnel=yes  #10.110.0 to 10.110.63
add dst-address=10.110.64.0/19 peer=company src-address=10.110.112.0/24 tunnel=yes  #10.110.64 to 10.110.95
add dst-address=10.110.96.0/20 peer=company src-address=10.110.112.0/24 tunnel=yes  #10.110.96 to 10.110.111
# 10.110.112 is local
add dst-address=10.110.113.0/24 peer=company src-address=10.110.112.0/24 tunnel=yes  #10.110.113
add dst-address=10.110.114.0/23 peer=company src-address=10.110.112.0/24 tunnel=yes  #10.110.114 to 10.110.115
add dst-address=10.110.116.0/22 peer=company src-address=10.110.112.0/24 tunnel=yes  #10.110.116 to 10.110.119
add dst-address=10.110.120.0/21 peer=company src-address=10.110.112.0/24 tunnel=yes  #10.110.120 to 10.110.127
add dst-address=10.110.128.0/17 peer=company src-address=10.110.112.0/24 tunnel=yes  #10.110.128 to 10.110.255 (upper half of the original /16, needed for full coverage)
 
pekr
Member Candidate
Topic Author
Posts: 169
Joined: Tue Feb 22, 2005 9:05 pm
Location: Czech Republic

Re: Pinging local MT network "stolen" by IPSEC policy?

Tue Nov 16, 2021 2:22 pm

Thanks, I kind of thought so. So basically it might be the wrong networking layout on our side. We've got it like that in more locations. We can ping from network to network, even to the MT itself. The only thing which does not work is pinging local network devices from the MT, but I have found the workaround. Maybe a pity that IPSEC Policy rules don't allow simple exclusion of particular IPs / networks ....
 
mkx
Forum Guru
Posts: 11582
Joined: Thu Mar 03, 2016 10:23 pm

Re: Pinging local MT network "stolen" by IPSEC policy?  [SOLVED]

Tue Nov 16, 2021 4:15 pm

Actually you might get away using these two policy rules:

/ip ipsec policy
add dst-address=10.110.112.0/24 action=none comment="skip the local IP address space from IPsec policy enforcement"
add dst-address=10.110.0.0/16 peer=company src-address=10.110.112.0/24 tunnel=yes

The manual states that policies are evaluated from top to bottom; the first match executes.
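A model of the policy lookup described in the two answers above (first-match evaluation, the action=none exclusion, and the prefix split that replaces the single /16), written as an added example for this thread; it is not RouterOS code or anything posted by the participants. The function names punch_out, policy and lookup are assumptions, and the printed add lines are only a rendering of the computed prefixes.

```python
"""Model RouterOS IPsec policy selection for the addresses used in this thread.

Shown here: (1) the 'punch-out' prefix list for 10.110.0.0/16 minus the local
/24, computed with the standard library instead of by hand, and (2) a
first-match policy table, so the effect of action=none and of rule ordering
can be checked on sample packets.
"""
import ipaddress
from typing import Dict, List

LOCAL = "10.110.112.0/24"   # the router's own bridge network
COMPANY = "10.110.0.0/16"   # address space reachable through the Fortigate


def punch_out(supernet: str, hole: str) -> List[str]:
    """Minimal set of prefixes covering supernet with hole removed."""
    net = ipaddress.ip_network(supernet)
    excluded = ipaddress.ip_network(hole)
    return [str(n) for n in sorted(net.address_exclude(excluded))]


def policy(dst: str, action: str = "encrypt", src: str = "0.0.0.0/0") -> Dict[str, str]:
    """One /ip ipsec policy entry; src-address defaults to any, as in RouterOS."""
    return {"src": src, "dst": dst, "action": action}


def lookup(policies: List[Dict[str, str]], src_ip: str, dst_ip: str) -> str:
    """Walk the table top to bottom; the first matching policy decides.

    Returns 'encrypt' (into the tunnel), 'none' (bypass IPsec) or
    'no-policy' (nothing matched, plain routing applies).
    """
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if s in ipaddress.ip_network(p["src"]) and d in ipaddress.ip_network(p["dst"]):
            return p["action"]
    return "no-policy"


# Single rule from the first post: the router's own LAN traffic is swallowed.
ORIGINAL = [policy(COMPANY, src=LOCAL)]
# Two-rule table from the answer: action=none first, tunnel policy second.
FIXED = [policy(LOCAL, action="none"), policy(COMPANY, src=LOCAL)]
# Same two rules in the wrong order: the none rule is shadowed by the /16.
WRONG_ORDER = [policy(COMPANY, src=LOCAL), policy(LOCAL, action="none")]

if __name__ == "__main__":
    for prefix in punch_out(COMPANY, LOCAL):
        print(f"add dst-address={prefix} peer=company src-address={LOCAL} tunnel=yes")
    for name, table in (("original", ORIGINAL), ("fixed", FIXED), ("wrong order", WRONG_ORDER)):
        print(f"{name:12} router->printer: {lookup(table, '10.110.112.1', '10.110.112.50'):8}"
              f" router->remote: {lookup(table, '10.110.112.1', '10.110.5.5')}")
```

The sample packets (router 10.110.112.1 to a local printer and to a remote host) are constructed for the example; the printer address is not from the thread.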
 
pekr
Member Candidate
Topic Author
Posts: 169
Joined: Tue Feb 22, 2005 9:05 pm
Location: Czech Republic

Re: Pinging local MT network "stolen" by IPSEC policy?

Wed Nov 17, 2021 7:28 pm

Thanks, added the following rule to the IPSEC Policies section and it seems to work:
/ip ipsec policy
add action=none comment="Don't send local MT initiated communication into tunnel" dst-address=10.110.112.0/24 src-address=10.110.112.1/32
