metik237
just joined
Topic Author
Posts: 16
Joined: Wed Jan 26, 2022 10:30 pm

Routing traffic to S2S tunnel

Sat Apr 09, 2022 2:28 pm

Hi,

I recently established an S2S IPsec VPN tunnel between 2 MikroTik routers.
On the main site the MikroTik is the primary router with a public internet connection, and on the other site the MikroTik is behind a TP-Link Archer (SIM card internet).
I will add a basic scheme of the network below.

I would like to know 2 things, because I am still considering which one to choose:
- What are the steps to route all traffic from the remote site to the main site?
- How to route only a few devices to a remote site?
For instance, I have a TV on the remote site, and I would like to route its traffic via the main site.
To go into details, I want one program to be visible as if it were located on the main site although it is actually on the remote site (different country).

A remark: The S2S is working fine and I can normally access devices on the remote site.
Now the tracert from the remote site is:
1. 192.168.77.1 (MK Remote site)
2. 192.168.1.0 (TP-Link Archer)
3. "Internet"

I would like to have:
1. 192.168.77.1 (MK Remote site)
2. 192.168.88.1 (MK Main site)
3. "Internet"

Thank you in advance for your help!
[attachment: mikrotik.jpg]
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Routing traffic to S2S tunnel

Sat Apr 09, 2022 7:42 pm

If you have plain IPSec, then what goes in the tunnel is controlled by policies and it's not very flexible. Let's say you want to tunnel traffic to the internet from 192.168.77.100; for that you'd need a policy for 192.168.77.100/32 <-> 0.0.0.0/0 (use level=unique for all), but it's just like that, static with no easy exceptions. If that's ok, good.

If not and you'd rather have something more dynamic, then instead of plain IPSec you can use an IPIP tunnel, use IPSec to encrypt only that, and the tunnel itself is then a regular interface and you can do whatever you want with it.
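The two approaches described in the reply above, written out as RouterOS configuration. This is an added example, not configuration posted in the thread or shipped by MikroTik. It assumes RouterOS v7 syntax; that the working S2S setup already has an IPsec peer (assumed names main-site / remote-site) and a proposal (assumed name s2s-proposal); interface names ether1-wan (main site uplink) and ether1-lte (remote router's uplink to the TP-Link); 192.168.1.2 as the address the TP-Link gave the remote router; and 203.0.113.10 plus REMOTE-PUBLIC-IP as placeholders for the public addresses. Approach 2 replaces the plain policies of approach 1; the two are not meant to run side by side.

```routeros
# --- Approach 1: plain IPsec, traffic selected by policy (static) ---
# Assumed names: peer "main-site"/"remote-site", proposal "s2s-proposal",
# interfaces "ether1-wan" (main) and "ether1-lte" (remote). Adjust to the real config.

# Remote site router (192.168.77.1): everything the TV (192.168.77.100) sends
# to any destination goes into the tunnel. level=unique keeps a separate SA for
# this policy instead of sharing one with the existing LAN-to-LAN policy.
/ip ipsec policy
add peer=main-site tunnel=yes action=encrypt level=unique proposal=s2s-proposal \
    src-address=192.168.77.100/32 dst-address=0.0.0.0/0 comment="TV via main site"

# Packets the policy will encrypt must not be masqueraded first ("too much NAT"):
# this exempt rule has to sit above the usual LAN masquerade rule
# (place-before=0 needs an existing rule at index 0; otherwise move it manually).
/ip firewall nat
add chain=srcnat ipsec-policy=out,ipsec action=accept place-before=0 \
    comment="do not NAT traffic that is about to enter the IPsec tunnel"

# Main site router (192.168.88.1): mirror policy, then give the decrypted
# packets from 192.168.77.100 a public source address on the way out.
/ip ipsec policy
add peer=remote-site tunnel=yes action=encrypt level=unique proposal=s2s-proposal \
    src-address=0.0.0.0/0 dst-address=192.168.77.100/32 comment="TV via main site"
/ip firewall nat
add chain=srcnat ipsec-policy=out,ipsec action=accept place-before=0 \
    comment="replies to the TV are routed via WAN but belong in the tunnel: no NAT"
add chain=srcnat src-address=192.168.77.100 out-interface=ether1-wan \
    action=masquerade comment="TV reaches the internet from the main site"

# --- Approach 2: IPIP tunnel encrypted by IPsec, then ordinary routing (dynamic) ---
# Remote site: tunnel endpoint is the address the TP-Link handed out (assumed 192.168.1.2);
# ipsec-secret makes RouterOS create the IPsec peer and policy for the tunnel itself.
/interface ipip
add name=ipip-main local-address=192.168.1.2 remote-address=203.0.113.10 \
    ipsec-secret="CHANGE-ME-long-random-psk" allow-fast-path=no
/ip address
add address=10.255.0.2/30 interface=ipip-main

# Only marked traffic uses the tunnel as its default gateway;
# everything else keeps the LTE uplink via the main routing table.
/routing table
add name=via-main fib
/ip route
add dst-address=0.0.0.0/0 gateway=10.255.0.1 routing-table=via-main
/ip firewall mangle
add chain=prerouting src-address=192.168.77.100 action=mark-routing \
    new-routing-mark=via-main passthrough=no comment="TV: route via main site"

# Main site: matching tunnel end, a route back to the remote LAN,
# and masquerade for what arrives through the tunnel and heads to the internet.
# REMOTE-PUBLIC-IP is a placeholder; the remote uplink is assumed to be reachable.
/interface ipip
add name=ipip-remote local-address=203.0.113.10 remote-address=REMOTE-PUBLIC-IP \
    ipsec-secret="CHANGE-ME-long-random-psk" allow-fast-path=no
/ip address
add address=10.255.0.1/30 interface=ipip-remote
/ip route
add dst-address=192.168.77.0/24 gateway=10.255.0.2
/ip firewall nat
add chain=srcnat src-address=192.168.77.100 out-interface=ether1-wan action=masquerade
```

With approach 1 the selection is the policy itself: adding a second device means a second pair of policies. With approach 2 the selection is a mangle rule, so exceptions (a destination that should stay on the LTE uplink, for instance) are just more mangle matches in front of the mark-routing rule, and the tunnel interface shows up in traceroute as an ordinary hop.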
 
metik237
just joined
Topic Author
Posts: 16
Joined: Wed Jan 26, 2022 10:30 pm

Re: Routing traffic to S2S tunnel

Sat Apr 09, 2022 10:40 pm

> If you have plain IPSec, then what goes in the tunnel is controlled by policies and it's not very flexible. Let's say you want to tunnel traffic to the internet from 192.168.77.100; for that you'd need a policy for 192.168.77.100/32 <-> 0.0.0.0/0 (use level=unique for all), but it's just like that, static with no easy exceptions. If that's ok, good.
>
> If not and you'd rather have something more dynamic, then instead of plain IPSec you can use an IPIP tunnel, use IPSec to encrypt only that, and the tunnel itself is then a regular interface and you can do whatever you want with it.

Are you talking about policy-based routing (Firewall > Mangle) or IPsec Policy?
If you meant IPsec Policy, is this how you suggest it should be configured?
[attachments: mikrotik-1.jpg, mikrotik-2.jpg]
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Routing traffic to S2S tunnel

Sat Apr 09, 2022 11:45 pm

You're in the right place. But Dst. Address 192.168.88.0/24 allows only this subnet as destination. If you want access to the whole internet, you need 0.0.0.0/0 as destination.
 
metik237
just joined
Topic Author
Posts: 16
Joined: Wed Jan 26, 2022 10:30 pm

Re: Routing traffic to S2S tunnel

Sun Apr 10, 2022 3:09 pm

Hey,

Thank you for your help. I did as you suggested. Source is only 192.168.77.100/32, Destination 0.0.0.0/0, and on the main site Source 0.0.0.0/0 and Destination 192.168.77.100/32.
Unfortunately I cannot test if this setting is now properly routing all traffic from 192.168.77.100 via the 192.168.88.1 GW, as the device on the remote site is offline.
Perhaps there is another way to test it?

Just one more thing. Is this really all you have to do in order to route all traffic from that device via the 192.168.88.1 GW?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Routing traffic to S2S tunnel

Sun Apr 10, 2022 7:49 pm

IPSec policies are reliable, you can trust them. To test it without the device, you could either use another (if there's any), or you could temporarily assign 192.168.77.100 to the router and do e.g.:
/tool/traceroute src-address=192.168.77.100 address=8.8.8.8
It would be good enough to test the config on the local side (with 192.168.88.x). But on the remote side it wouldn't be exactly the same, because processing of packets from the real 192.168.77.100 (when it's another connected device) is slightly different than when it's on the router.

Other than this, if it's not blocked by the firewall on either device, or it's not broken by too much or too little NAT, it should work.
 
metik237
just joined
Topic Author
Posts: 16
Joined: Wed Jan 26, 2022 10:30 pm

Re: Routing traffic to S2S tunnel

Thu Apr 28, 2022 10:59 pm

> IPSec policies are reliable, you can trust them. To test it without the device, you could either use another (if there's any), or you could temporarily assign 192.168.77.100 to the router and do e.g.:
> /tool/traceroute src-address=192.168.77.100 address=8.8.8.8
> It would be good enough to test the config on the local side (with 192.168.88.x). But on the remote side it wouldn't be exactly the same, because processing of packets from the real 192.168.77.100 (when it's another connected device) is slightly different than when it's on the router.
>
> Other than this, if it's not blocked by the firewall on either device, or it's not broken by too much or too little NAT, it should work.

Now I just had a chance to test it and it is not working.
If I add the static IP address 192.168.77.100, I don't have access to the internet.
Traceroute goes to 192.168.77.1 and after that is unresolvable.

If I choose any other address from that network, I am able to access the internet, but of course from that network.

Is there a missing route entry for that particular IP?
[attachment: xxx.png]
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Routing traffic to S2S tunnel

Sun May 01, 2022 4:50 pm

No, IPSec doesn't care much about routes, it just takes all packets that match a policy. You'll have to check what exactly happens, whether packets pass through the tunnel and reach the other router. E.g. with a logging rule there:
/ip firewall mangle
add chain=prerouting src-address=192.168.77.100 action=log
If they do, then it's probably something with firewall on that router.
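A fuller troubleshooting sequence for the situation in this thread (traffic from 192.168.77.100 stops at 192.168.77.1), extending the logging rule above with SA checks, a second log point, NAT counters and the forward-chain rule that decrypted traffic needs. This is an added example, not commands from the thread or from MikroTik documentation; it assumes RouterOS v7 syntax, the log prefixes tv-in and tv-out are chosen here, and the main router is assumed to have a drop-by-default forward chain.

```routeros
# Step 1 (both routers): is the phase-2 SA for the TV policy actually up?
# The policy entries should show ph2-state=established; "no-phase2" means the
# two sides' src/dst selectors do not mirror each other and nothing is encrypted.
/ip ipsec policy print detail where src-address=192.168.77.100/32
/ip ipsec active-peers print
/ip ipsec installed-sa print

# Step 2: log the TV's packets on the way in and on the way out of each router.
# On the remote router, tv-out lines whose source is no longer 192.168.77.100
# mean masquerade ran before IPsec (the "too much NAT" case).
# On the main router, a tv-in line proves the packet crossed the tunnel.
/ip firewall mangle
add chain=prerouting src-address=192.168.77.100 action=log log-prefix="tv-in" \
    comment="temporary: does the TV's traffic reach this router?"
add chain=postrouting src-address=192.168.77.100 action=log log-prefix="tv-out" \
    comment="temporary: does it leave, and with which source address?"

# Reproduce (ping 8.8.8.8 from the TV, or the traceroute test with
# src-address=192.168.77.100 from earlier in the thread), then read the log:
/log print where message~"tv-(in|out)"

# Step 3: NAT sanity. Rising counters on a masquerade rule while only the TV is
# sending shows which rule rewrote the packet; the exempt rule for
# ipsec-policy=out,ipsec must be above it.
/ip firewall nat print stats

# Step 4 (main router): decrypted packets from the tunnel still traverse the
# forward chain, so a drop-by-default filter silently eats them.
/ip firewall filter
add chain=forward ipsec-policy=in,ipsec action=accept place-before=0 \
    comment="traffic arriving decrypted from the S2S tunnel"

# Step 5: remove the temporary log rules once the path is confirmed.
/ip firewall mangle remove [find log-prefix~"tv-"]
```

Reading the two log points together locates the failure without guessing: no tv-in on the remote router means the packet never reached it (client-side problem), tv-in but no matching SA means the policy pair is wrong, tv-out with a rewritten source means NAT ordering, and tv-in on the main router with nothing further means the filter or the return NAT there.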
