Community discussions

MikroTik App
 
Zoolander06
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 86
Joined: Thu Jan 03, 2019 5:26 pm

Cannot ping LAN devices over IPSEC tunnel

Thu Dec 08, 2022 5:14 pm

Hello,

I encounter a weird issue that I can't manage to resolve.
I have a IKEv2 tunnel which was working fine until yesterday.
I can still ping devices on the other side, but the other side can't ping devices on the LAN side of the Mikrotik.
He's still able to ping the router tho.

What is weird, is that if I make a packet capture, I only see packets going in and out on the WAN interface, but none on the LAN interface, but the source and destination IP are always the same (source, the other party, destination, the device on my LAN).
This is more obvious with a logged firewall rule (the other party IP address is dumb, but it's what he's using on it's LAN) :
forward: in:FTTO-ether1 out:FTTO-ether1, src-mac xx:xx:xx:xx:xx:xx, proto ICMP (type 8, code 0), 192.63.63.48->192.168.6.1, len 60
Since my bridge interface has an IP adress 192.168.6.252/24, I believe that there should be more like this :
forward: in:FTTO-ether1 out:bridge, src-mac xx:xx:xx:xx:xx:xx, proto ICMP (type 8, code 0), 192.63.63.48->192.168.6.1, len 60
If someone have an idea about what happens, I would be very grateful :)

Here's my config :
/interface bridge
add admin-mac=2C:C8:1B:C5:FD:2F arp=proxy-arp auto-mac=no comment=defconf \
    name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip ipsec profile
add dh-group=ecp256 dpd-interval=disable-dpd enc-algorithm=aes-256 \
    hash-algorithm=sha256 lifetime=1h name=mistral
/ip ipsec peer
add address=XX.XX.XX.XX/32 exchange-mode=ike2 local-address=YY.YY.YY.YY \
    name=MISTRAL profile=mistral send-initial-contact=no
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm \
    lifetime=15m name=mistral pfs-group=modp2048
/ip pool
add name=default-dhcp ranges=192.168.0.100-192.168.0.149
add name=vpn-pool ranges=192.168.0.180-192.168.0.189
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/ppp profile
add change-tcp-mss=yes name=PPPoE only-one=yes use-compression=no \
    use-encryption=no use-mpls=no use-upnp=yes
add change-tcp-mss=yes interface-list=LAN local-address=192.168.0.254 name=\
    vpn only-one=yes remote-address=vpn-pool use-encryption=yes
/interface pppoe-client
add add-default-route=yes allow=pap,chap comment=Ftto-sfr disabled=no \
    interface=ether1 name=FTTO-ether1 profile=PPPoE user=\
    xxxxxxx@yyyyyyhjjjj
/snmp community
set [ find default=yes ] name=Monitoring write-access=yes
/system logging action
set 1 disk-file-count=5
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes max-mru=1360 max-mtu=1360 use-ipsec=required
/interface list member
add comment=defconf interface=bridge list=LAN
add comment="RTE 4G" interface=ether2 list=WAN
add interface=FTTO-ether1 list=WAN
add interface=gre-tunnel1 list=LAN
add interface=gre-tunnel2 list=LAN
/interface sstp-server server
set certificate=WebFig
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.0.2.2/24 comment="RTE 4G" interface=ether2 network=10.0.2.0
add address=172.16.0.1/30 interface=gre-tunnel1 network=172.16.0.0
add address=172.16.0.5/30 interface=gre-tunnel2 network=172.16.0.4
add address=192.168.0.254/24 interface=bridge network=192.168.0.0
add address=192.168.0.253/24 interface=bridge network=192.168.0.0
add address=192.168.0.252/24 interface=bridge network=192.168.0.0
add address=192.168.6.252/24 interface=bridge network=192.168.6.0
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.254
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1,8.8.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=85.14.167.193 list=Unyc
add address=85.14.167.234 list=Unyc
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment=IPSEC dst-port=500,4500 in-interface=\
    FTTO-ether1 protocol=udp
add action=accept chain=input comment=L2TP dst-port=1701 in-interface=\
    FTTO-ether1 protocol=udp
add action=accept chain=input comment=GRE in-interface-list=WAN protocol=gre
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=\
    "Accept Webfig https connections from WAN" dst-port=8443 \
    in-interface-list=WAN protocol=tcp
add action=accept chain=input comment="Accept SNMP conections from Unyc" \
    dst-port=161,162 in-interface-list=WAN protocol=udp src-address-list=Unyc
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface-list=LAN new-connection-mark=lan_cnx passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=FTTO-ether1 new-connection-mark=wan1_cnx passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ether2 new-connection-mark=wan2_cnx passthrough=yes
add action=mark-routing chain=prerouting connection-mark=wan1_cnx \
    dst-address-type=!local new-routing-mark=WAN1 passthrough=yes
add action=mark-routing chain=output connection-mark=wan1_cnx \
    new-routing-mark=WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=wan2_cnx \
    dst-address-type=!local new-routing-mark=WAN2 passthrough=yes
add action=mark-routing chain=output connection-mark=wan2_cnx \
    new-routing-mark=WAN2 passthrough=yes
/ip firewall nat
add action=accept chain=srcnat dst-address=192.63.63.0/24 src-address=\
    192.168.6.0/24
add action=accept chain=srcnat dst-address=192.168.6.0/24 src-address=\
    192.63.63.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=NASILS dst-port=32443 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.0.50 to-ports=\
    8080
add action=dst-nat chain=dstnat comment=ATA dst-port=8181 in-interface-list=\
    WAN protocol=tcp to-addresses=192.168.0.106 to-ports=443
/ip firewall raw
add action=notrack chain=prerouting dst-address=192.63.63.0/24 src-address=\
    192.168.6.0/24
add action=notrack chain=prerouting dst-address=192.168.6.0/24 src-address=\
    192.63.63.0/24
/ip firewall service-port
set sip disabled=yes
/ip ipsec identity
add peer=MISTRAL
/ip ipsec policy
add dst-address=192.63.63.0/24 peer=MISTRAL proposal=mistral src-address=\
    192.168.6.0/24 tunnel=yes
/ip route
add check-gateway=ping distance=1 gateway=FTTO-ether1 routing-mark=WAN1
add distance=2 routing-mark=WAN1 type=blackhole
add check-gateway=ping distance=1 gateway=10.0.2.1 routing-mark=WAN2
add distance=2 routing-mark=WAN2 type=blackhole
add check-gateway=ping distance=2 gateway=10.0.2.1
add check-gateway=ping distance=1 dst-address=192.168.2.0/24 gateway=\
    172.16.0.2
add check-gateway=ping distance=1 dst-address=192.168.4.0/24 gateway=\
    172.16.0.6
/ip service
set www-ssl certificate=WebFig disabled=no port=8443
/ppp secret
add name=sacchi profile=vpn service=l2tp
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Paris
/system identity
set name=ILS-Pegomas-MikroTik
/system leds
set 0 interface=wlan1 leds=led1,led2,led3,led4,led5 type=\
    wireless-signal-strength
set 1 leds=poe-led type=poe-out
/system ntp client
set enabled=yes server-dns-names=fr.pool.ntp.org
/system package update
set channel=long-term
Joris
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Cannot ping LAN devices over IPSEC tunnel

Thu Dec 08, 2022 9:29 pm

Mangle rules, connection gets wan1_cnx mark and then WAN1 routing mark, but there's no route to 192.168.6.1 in WAN1 table, so it goes to internet. Don't mark it when it's from IPSec tunnel.
 
Zoolander06
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 86
Joined: Thu Jan 03, 2019 5:26 pm

Re: Cannot ping LAN devices over IPSEC tunnel

Fri Dec 09, 2022 11:20 am

Thanks a lot !!!

Who is online

Users browsing this forum: Amazon [Bot], astelsrl, CGGXANNX, en1gm4, eworm, h3x00r, Kanzler, Semrush [Bot] and 84 guests