acrophobic
newbie
Topic Author
Posts: 31
Joined: Fri Jan 04, 2013 3:56 pm

Route traffic from router itself over IPsec tunnel to host

Sat May 28, 2022 1:58 pm

Hi!

I have an IPsec site-to-site VPN between two MikroTik routers. It works and hosts on either end can communicate with each other (to the extent allowed by firewall rules). The problem is that it seems that traffic originating from the router itself (for example pinging from one router to a computer at the other end of the tunnel) is not sent via the IPsec tunnel. I found this thread: viewtopic.php?t=147819
I have tried some things suggested in this thread (an accept NAT rule for example), but to no avail and most things discussed in this thread are beyond my skill set or comprehension.
What I really want to accomplish here is to make the remote MikroTik router use a local NTP server and maybe also a local DNS server (Pi-Hole).
Can anyone shed some light on this in a non-expert friendly manner (i.e. using WinBox, not commands)?
Thanks a lot!
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Route traffic from router itself over IPsec tunnel to host

Sat May 28, 2022 5:36 pm

Try if these are easier to understand:

viewtopic.php?t=182923
viewtopic.php?t=164534
viewtopic.php?t=185419

And it's not about WinBox vs commands, there's in most cases a direct 1:1 mapping between them, it's just that a few lines of commands can give the same info as several screenshots.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Route traffic from router itself over IPsec tunnel to host

Sat May 28, 2022 8:18 pm

The commands are just another form of expressing the very same information you get/set using Winbox, but providing much more information per square inch of the screen. The hierarchy of the command line is (well, in 90 % of cases) the same as the hierarchy of the Winbox/WebFig menus.

Even if the command line is not yet comprehensible to you, exporting the configuration in the text form is the only way to get any useful help. As you have seen in the thread you've referred to, there are multiple possible reasons why it doesn't work in your case, and to export the configuration of both routers is the best way to describe your particular setup.
 
acrophobic
newbie
Topic Author
Posts: 31
Joined: Fri Jan 04, 2013 3:56 pm

Re: Route traffic from router itself over IPsec tunnel to host

Sat Jun 04, 2022 2:08 am

The first of Sob's links worked perfectly! Thank you so much! Turned out there was also an issue with the firewall, but once I'd set up the bridge and static route, that problem was visible in the logs and easily fixed.
I can read and understand the command lines posted in the forum and "translate" them how to do it with WinBox, but isn't it the case that some configurations and options are only available via the command line? So my point wasn't that I wanted screenshots, but rather I wanted to be able to do it with WinBox.
The link I posted almost seems to be about something completely different, compared to the easy solution in Sob's first link. But it wasn't an easy topic to search for, because most of the results that popped up were along the lines of "the tunnel is up, but host on local network can't reach host on the remote network", instead of specifically that the router itself can't reach hosts on the remote network. But now it works and I thank you so much!
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Route traffic from router itself over IPsec tunnel to host

Sat Jun 04, 2022 10:25 am

"isn't it the case that some configurations and options are only available via the command line?"
New features are sometimes only configurable using the command line and it takes one or two ROS releases for them to make it to Winbox and WebFig. But there is still the [Terminal] button in Winbox and WebFig that allows you to use the command line.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Route traffic from router itself over IPsec tunnel to host

Sat Jun 04, 2022 5:42 pm

For the record, the bridge as gateway is sort of wrong, because packets don't actually go there. The correct way would be to use the same gateway as used by the default route. But that can be dynamic and you don't want to deal with that. Especially because unless MikroTik makes some major changes in how IPSec works in RouterOS, it doesn't matter what the gateway is.
