Community discussions

MikroTik App
  4. RouterOS
  5. General

Allow IPSEC remote site to use Mikrotik Router's internet

Post Reply
 
azzurro
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 96
Joined: Mon Jan 17, 2022 2:55 am

Allow IPSEC remote site to use Mikrotik Router's internet

Sat Jun 07, 2025 10:39 pm

Hi
i've got a site to site IPSEC VPN connection between Site A (Fortigate) and Site B (Mikrotik CHR).
Site A should break out to the internet through Site B, instead of using the local connection for web surfing.
I got it working, but I want to make sure there are no errors in the config, which for example, might enable exploitation by third parties.

Mikrotik config looks like this:
Code: Select all
/ip firewall address-list
add address=10.25.128.0/24 list=net_SiteA-Clients
/ip ipsec policy
add dst-address=10.25.128.0/24 peer=SiteA proposal=SiteA src-address=0.0.0.0/0 tunnel=yes
/ip firewall filter
add action=accept chain=forward connection-state=new dst-address-list=!net_PrivateRanges in-interface-list=WAN ipsec-policy=in,ipsec log=yes log-prefix=inet out-interface-list=WAN src-address-list=\
    net_SiteA-Clients
/ip firewall nat
add action=src-nat chain=srcnat dst-address-list=!net_PrivateRanges in-interface-list=WAN ipsec-policy=out,none out-interface-list=WAN src-address-list=net_SiteA-Clients to-addresses=<SiteB-PublicIP>
Specifically, I'm unsure about the ipsec-policy filter, whether I chose the optimal setting to secure everything as good as possible and also src and dst interface having WAN concerns me a bit in that context. The ipsec policy with src-address 0.0.0.0/0 also makes me wonder whether that might get me into problems later.

Thanks for any advice!
Top
 
johnson73
Member Candidate
Member Candidate
Posts: 260
Joined: Wed Feb 05, 2020 10:07 am

Re: Allow IPSEC remote site to use Mikrotik Router's internet

Sun Jun 08, 2025 10:56 am

Try comparing your configuration with this manual - https://www.youtube.com/watch?v=RNpdrHpp2j4
About Mikrotik Secure - https://www.senki.org/operators-securit ... k-devices/
Top
 
User avatar
TheCat12
Long time Member
Long time Member
Posts: 569
Joined: Fri Dec 31, 2021 9:13 pm

Re: Allow IPSEC remote site to use Mikrotik Router's internet

Sun Jun 08, 2025 7:42 pm

A snippet does not suffice to judge whether there are errors in the config:

/export file=anynameyouwish (minus sensitive info like serial numbers, passwords, etc.)
Top
Post Reply
  4. RouterOS
  5. General