How to configure Mikrotik to route traffic from a public IP address through an existing IPsec site-to-site VPN tunnel?
We have a /29 IP block (6 public IPs). We’ve used a.b.c.18 to establish an IPsec site-to-site VPN connection with site B (on x.x.x.y and x.x.x.z). We also have a local network that's natted through a.b.c.18. Now, we want a.b.c.19 assigned to a dedicated private server to reach site B through the established VPN tunnel all configured on our Mikrotik 951 router.
Re: How to configure Mikrotik to route traffic from a public IP address through an existing IPsec site-to-site VPN tunne
Could you post a diagram with this?
X.x.x.19 - you wrote "... assigned to a dedicated private server ..." Do you mean it has a private ip and nat? Or directly the public ip?
X.x.x.19 - you wrote "... assigned to a dedicated private server ..." Do you mean it has a private ip and nat? Or directly the public ip?
Re: How to configure Mikrotik to route traffic from a public IP address through an existing IPsec site-to-site VPN tunne
Yes... currently It has a private ip and behind NAT but we want it to have the a.b.c.19 public ip and should be able to access site B via the VPN tunnel.Could you post a diagram with this?
X.x.x.19 - you wrote "... assigned to a dedicated private server ..." Do you mean it has a private ip and nat? Or directly the public ip?
Re: How to configure Mikrotik to route traffic from a public IP address through an existing IPsec site-to-site VPN tunne
Sure, add the /32 to the tunnel domain on both sides and a nat rule on the server side.
Send the anonymity configs if you want.
Send the anonymity configs if you want.
Re: How to configure Mikrotik to route traffic from a public IP address through an existing IPsec site-to-site VPN tunne
Sure, add the /32 to the tunnel domain on both sides and a nat rule on the server side.
Send the anonymity configs if you want.
The a.b.c.19 is directly configured on the server's LAN already connected to eth2 which is in bridge mode with eth1
Below is my edited router config...
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN
set [ find default-name=ether2 ] name=ether2_ISW
set [ find default-name=ether5 ] name=ether5_LAN
/interface list
add name=WAN
add name=LAN
/ip ipsec profile
add dh-group=modp1536 enc-algorithm=aes-256 lifetime=1h name=\
"ISW"
/ip ipsec peer
add address=x.x.x.225/32 comment="ISW Peer" local-address=\
a.b.c.18 name="HQ_Peer" profile="ISW"
/ip ipsec proposal
add enc-algorithms=aes-256-cbc lifetime=1h name=ISW \
pfs-group=none
/ip pool
add name=dhcp_pool0 ranges=192.168.1.50-192.168.1.100
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=ether5_LAN lease-time=2d10m \
name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether1_WAN
add bridge=bridge1 interface=ether2_ISW
/interface list member
add interface=ether1_Internet list=WAN
add comment=ISW_Server interface=ether2_ISW list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add comment=LAN_Server interface=ether5_LAN list=LAN
add interface=wlan1 list=LAN
/ip address
add address=a.b.c.18/29 interface=ether1_WAN network=\
a.b.c.16
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.10 gateway=192.168.1.1 \
netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,4.2.2.2
/ip firewall filter
add action=accept chain=input connection-state=established
add action=reject chain=forward comment="Block Face Book" content=facebook \
protocol=tcp reject-with=icmp-host-unreachable
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=accept chain=forward layer7-protocol="Block Facebook "
add action=accept chain=input protocol=icmp
add action=drop chain=input disabled=yes in-interface-list=!LAN
/ip firewall nat
add action=accept chain=srcnat comment=ISW_Endpoints dst-address=\
172.x.x.11 protocol=tcp src-address=a.b.c.19
add action=masquerade chain=srcnat out-interface=bridge1
/ip ipsec identity
add comment=DR_Interswitch_Peer peer="DR_Peer" secret=\
"XXXXXXXXXX"
add comment=Interswitch_VPN peer="HQ_Peer" secret=\
XXXXXXXXXXX
/ip ipsec policy
add comment=ISW_ServerCore1 dst-address=172.X.X.11/32 level=\
unique peer="HQ_Peer" proposal=Interswitch_Proposal \
src-address=a.b.c.19/32 tunnel=yes
add comment=ISW_ServerCore1 dst-address=172.X.X.9/32 level=\
unique peer="HQ_Peer" proposal=Interswitch_Proposal \
src-address=a.b.c.19/32 tunnel=yes
/ip route
add distance=1 gateway=a.b.c.17
add check-gateway=ping distance=1 dst-address=x.x.x.y/32 gateway=\
ether2_ISW
Re: How to configure Mikrotik to route traffic from a public IP address through an existing IPsec site-to-site VPN tunne
For the formatting, please enclose the configuration or config statements between code tags.
Looking at your config ... there are severe issues, for example you have the WAN and ISW interfaces parts of the same bridge, while ISW and LAN are part of the same interface group. This begs the question of where ISW should stand. While this specific issue doesn't prevent what you are trying, this is going to come back and bite you hard.
Now, you removed a bit too much: I can't figure out the internal IP addresses (RFC1918 are not going to reveal a lot, so don't remove them).
From your configuration, your servers are directly on the internet. Not exposed, directly: you have a bridge between your ISP router and the servers. I don't know what you plan on doing with that but I sure hope you have something on the server itself to protect it.
The main problem I see is that your server may not have a.b.c.18 as its default gateway: so while it may get the IP packets coming from the tunnel through the firewall, the return path may not be known.
You may try the following to hide the connection from the VPN to the server. I suspect you tried it but messed up the action.
Looking at your config ... there are severe issues, for example you have the WAN and ISW interfaces parts of the same bridge, while ISW and LAN are part of the same interface group. This begs the question of where ISW should stand. While this specific issue doesn't prevent what you are trying, this is going to come back and bite you hard.
Code: Select all
/interface bridge
add name=bridge1
...
/interface bridge port
add bridge=bridge1 interface=ether1_WAN
add bridge=bridge1 interface=ether2_ISW
...
/interface list member
add interface=ether1_Internet list=WAN
add comment=ISW_Server interface=ether2_ISW list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add comment=LAN_Server interface=ether5_LAN list=LAN
add interface=wlan1 list=LAN
From your configuration, your servers are directly on the internet. Not exposed, directly: you have a bridge between your ISP router and the servers. I don't know what you plan on doing with that but I sure hope you have something on the server itself to protect it.
The main problem I see is that your server may not have a.b.c.18 as its default gateway: so while it may get the IP packets coming from the tunnel through the firewall, the return path may not be known.
You may try the following to hide the connection from the VPN to the server. I suspect you tried it but messed up the action.
Code: Select all
/ip firewall nat
set [find comment="ISW_Endpoints"] action=masquerade
Re: How to configure Mikrotik to route traffic from a public IP address through an existing IPsec site-to-site VPN tunne
For the formatting, please enclose the configuration or config statements between code tags.
Looking at your config ... there are severe issues, for example you have the WAN and ISW interfaces parts of the same bridge, while ISW and LAN are part of the same interface group. This begs the question of where ISW should stand. While this specific issue doesn't prevent what you are trying, this is going to come back and bite you hard.
Now, you removed a bit too much: I can't figure out the internal IP addresses (RFC1918 are not going to reveal a lot, so don't remove them).Code: Select all/interface bridge add name=bridge1 ... /interface bridge port add bridge=bridge1 interface=ether1_WAN add bridge=bridge1 interface=ether2_ISW ... /interface list member add interface=ether1_Internet list=WAN add comment=ISW_Server interface=ether2_ISW list=LAN add interface=ether3 list=LAN add interface=ether4 list=LAN add comment=LAN_Server interface=ether5_LAN list=LAN add interface=wlan1 list=LAN
From your configuration, your servers are directly on the internet. Not exposed, directly: you have a bridge between your ISP router and the servers. I don't know what you plan on doing with that but I sure hope you have something on the server itself to protect it.
The main problem I see is that your server may not have a.b.c.18 as its default gateway: so while it may get the IP packets coming from the tunnel through the firewall, the return path may not be known.
You may try the following to hide the connection from the VPN to the server. I suspect you tried it but messed up the action.
Code: Select all/ip firewall nat set [find comment="ISW_Endpoints"] action=masquerade
Hi Vingjfg, below is the detailed config... Thanks for your support
Code: Select all
# model = 951Ui-2HnD
# serial number = F5BF0F5B6BFC
/interface bridge
add arp=proxy-arp name=bridge1
/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN
set [ find default-name=ether2 ] name=ether2_ISW
set [ find default-name=ether4 ] name=ether4_Hotspot
set [ find default-name=ether5 ] name=ether5_LAN
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country="united states" \
disabled=no frequency=auto frequency-mode=superchannel mode=ap-bridge \
ssid=MAMFB
/interface list
add name=WAN
add name=LAN
/ip ipsec profile
add dh-group=modp1536 enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=8h \
name=NIBSS_Prof
add dh-group=modp1536 enc-algorithm=aes-256 lifetime=1h name=\
"ISW HQ-DR"
add dh-group=modp1536 enc-algorithm=aes-256 lifetime=1h name=DR-ISW
/ip ipsec peer
add address=154.x.x.225/32 comment="DR_ISW Peer" disabled=yes \
local-address=105.x.x.18 name="DR_ISW Peer" profile=DR-ISW
add address=41.223.145.225/32 comment="HQ_ISW Peer" local-address=\
105.x.x.18 name="HQ_ISW Peer" profile="ISW HQ-DR"
/ip ipsec proposal
add enc-algorithms=aes-256-cbc lifetime=1h name=ISW_Proposal \
pfs-group=none
add enc-algorithms=aes-256-cbc lifetime=1h name=DR_ISW pfs-group=none
/ip pool
add name=dhcp_pool0 ranges=192.168.1.50-192.168.1.100
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=ether5_LAN lease-time=2d10m \
name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether1_WAN
add bridge=bridge1 interface=ether2_ISW
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=ether1_WAN list=WAN
add comment=Core_Server interface=ether2_ISW list=LAN
add interface=ether3 list=LAN
add comment=Interswich_Server interface=ether5_LAN list=LAN
add interface=wlan1 list=LAN
/ip address
add address=105.x.x.18/29 interface=ether1_WAN network=105.x.x.16
add address=192.168.1.1/24 interface=ether5_LAN network=192.168.1.0
/ip dhcp-client
add interface=ether1_WAN
/ip dhcp-server config
set store-leases-disk=never
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.10 gateway=192.168.1.1 \
netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,4.2.2.2
/ip firewall filter
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input connection-state=established
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=accept chain=forward layer7-protocol="Block Facebook "
add action=accept chain=input protocol=icmp
add action=drop chain=input disabled=yes in-interface-list=!LAN
add action=reject chain=forward comment="Block Face Book" content=facebook \
protocol=tcp reject-with=icmp-host-unreachable
/ip firewall mangle
add action=mark-routing chain=prerouting connection-state=established \
disabled=yes dst-address=105.x.x.19 log=yes log-prefix=ISW-MANG \
new-routing-mark=ISW passthrough=yes
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=accept chain=srcnat comment=ISW_Endpoints dst-address=\
172.x.x.11 log=yes log-prefix=ISW src-address=105.x.x.19
add action=accept chain=srcnat comment=ISW_Endpoints dst-address=\
172.x.x.80 protocol=tcp src-address=105.x.x.19
add action=accept chain=srcnat comment=ISW_Endpoints dst-address=\
172.x.x.9 protocol=tcp src-address=105.x.x.19 to-addresses=\
105.x.x.19 to-ports=39600
add action=accept chain=srcnat dst-address=105.x.x.18 dst-port=8291 \
protocol=tcp
add action=accept chain=srcnat comment=ISW_Endpoints dst-address=\
172.x.x.213 protocol=tcp src-address=105.x.x.18
add action=dst-nat chain=dstnat dst-address=105.x.x.18 dst-port=5000 \
protocol=tcp to-addresses=192.168.1.10 to-ports=5000
add action=dst-nat chain=dstnat comment=VasWebService_port dst-address=\
105.x.x.18 dst-port=5002 protocol=tcp to-addresses=192.168.1.10 \
to-ports=5002
add action=dst-nat chain=dstnat comment=NipService_port dst-address=\
105.x.x.18 dst-port=24000 protocol=tcp to-addresses=192.168.1.10 \
to-ports=24000
add action=dst-nat chain=dstnat comment=Http_port dst-address=105.x.x.18 \
dst-port=80 protocol=tcp to-addresses=192.168.1.10 to-ports=80
add action=dst-nat chain=dstnat comment=Https_port dst-address=105.x.x.18 \
dst-port=443 protocol=tcp to-addresses=192.168.1.10 to-ports=443
add action=dst-nat chain=dstnat comment=Opened_for_ISW dst-address=\
105.x.x.19 dst-port=39600 log=yes log-prefix=port39600 protocol=tcp \
to-addresses=105.x.x.19 to-ports=39600
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat ipsec-policy=out,none
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
src-address=192.168.1.0/24
/ip ipsec identity
add comment=DR_ISW_Peer peer="DR_ISW Peer"
add comment=ISW_VPN peer="HQ_ISW Peer"
/ip ipsec policy
add comment=NIP_Test dst-address=196.x.x..10/32 level=unique peer=NIBSS_Site \
proposal=NIBSS_Prop src-address=105.x.x.18/32 tunnel=yes
add comment=NIP_Live dst-address=41.x.x.134/32 level=unique peer=\
NIBSS_Site proposal=NIBSS_Prop src-address=105.x.x.18/32 tunnel=yes
add comment=NIP_TSQ dst-address=196.x.x..233/32 level=unique peer=NIBSS_Site \
proposal=NIBSS_Prop src-address=105.x.x.18/32 tunnel=yes
add comment=NIP_Report dst-address=196.x.x..206/32 level=unique peer=\
NIBSS_Site proposal=NIBSS_Prop src-address=105.x.x.18/32 tunnel=yes
add comment=ISW_TestServerCore1 dst-address=172.24.2.80/32 level=\
unique peer="HQ_ISW Peer" proposal=ISW_Proposal \
src-address=105.x.x.19/32 tunnel=yes
add comment=ISW_TestServerCore2 dst-address=172.x.x.179/32 level=\
unique peer="HQ_ISW Peer" proposal=ISW_Proposal \
src-address=105.x.x.19/32 tunnel=yes
add comment=ISW_LiveServerCore1 dst-address=172.x.x.213/32 level=\
unique peer="HQ_ISW Peer" proposal=ISW_Proposal \
src-address=105.x.x.18/32 tunnel=yes
add comment=ISW_LiveServerCore2 dst-address=172.x.x.214/32 level=\
unique peer="HQ_ISW Peer" proposal=ISW_Proposal \
src-address=105.x.x.18/32 tunnel=yes
add comment=ISW_LiveServerCore2 dst-address=172.x.x.99/32 level=\
unique peer="HQ_ISW Peer" proposal=ISW_Proposal \
src-address=105.x.x.19/32 tunnel=yes
add comment=ISW_DR_LiveServerCore1 dst-address=172.x.x.11/32 level=\
unique peer="HQ_ISW Peer" proposal=ISW_Proposal \
src-address=105.x.x.19/32 tunnel=yes
add comment=ISW_DR_LiveServerCore2 dst-address=172.25.30.9/32 level=\
unique peer="HQ_ISW Peer" proposal=ISW_Proposal \
src-address=105.x.x.19/32 tunnel=yes
add comment=ISW_LiveServerCore1 dst-address=172.x.x.75.213/32 level=\
unique peer="HQ_ISW Peer" proposal=ISW_Proposal \
src-address=105.x.x.19/32 tunnel=yes
add comment=ISW_LiveServerCore2 disabled=yes dst-address=\
172.x.x.214/32 level=unique peer="DR_ISW Peer" proposal=\
ISW_Proposal src-address=105.x.x.18/32 tunnel=yes
/ip route
add distance=1 gateway=105.x.x.17
add disabled=yes distance=1 dst-address=172.x.x.11/32 gateway=bridge1 \
pref-src=105.x.x.19
Re: How to configure Mikrotik to route traffic from a public IP address through an existing IPsec site-to-site VPN tunne
To vingjfg ...
Please note, i briddged eth1 and 2 of the mikrotik. then assigned the 2nd public ip 105.x.x.19 to the dedicated server.
the vpn is already configured with 105.x.x.18 and the local network 192.168.1.0/24 is natted through the bridge interface.
Note: i want the 105.x.x.19 to pass through the ipsec vpn of 105.x.x.18 on eth1 in order to access 172.x.x.11 of the other site with vpn peer of 41.x.x.225
I must confess am still learning sir.
Thanks
Please note, i briddged eth1 and 2 of the mikrotik. then assigned the 2nd public ip 105.x.x.19 to the dedicated server.
the vpn is already configured with 105.x.x.18 and the local network 192.168.1.0/24 is natted through the bridge interface.
Note: i want the 105.x.x.19 to pass through the ipsec vpn of 105.x.x.18 on eth1 in order to access 172.x.x.11 of the other site with vpn peer of 41.x.x.225
I must confess am still learning sir.
Thanks
Re: How to configure Mikrotik to route traffic from a public IP address through an existing IPsec site-to-site VPN tunne
No worries.
Regarding your NAT rule, taking one at random:
This means "For connections coming from a.b.c.19 and going to 172.x.x.11, do not change the source IP (accept)"
I cannot find a source translation for traffic going from 172.x.x.11 to a.b.c.19: the packets going through the VPN to your server are not src-natted.
Question: does your server have a route back for 172.x.x.11 via a.b.c.18?
If not, you have two options:
Regarding your NAT rule, taking one at random:
Code: Select all
/ip firewall nat
...
add action=accept chain=srcnat comment=ISW_Endpoints dst-address=\
172.x.x.11 log=yes log-prefix=ISW src-address=105.x.x.19
...
I cannot find a source translation for traffic going from 172.x.x.11 to a.b.c.19: the packets going through the VPN to your server are not src-natted.
Question: does your server have a route back for 172.x.x.11 via a.b.c.18?
If not, you have two options:
- Masquerade the VPN addresses behind the MT's interface (preferred)
- Add the routes in the server
Re: How to configure Mikrotik to route traffic from a public IP address through an existing IPsec site-to-site VPN tunne
Hi vingjfg .... Just thought of sharing the images of the config.
This is the current config in which there is the flow of packets via the tunnel but still can't reach the other endpoint.
should in case you still need more config I would gladly provide it.
Thanks sir
This is the current config in which there is the flow of packets via the tunnel but still can't reach the other endpoint.
should in case you still need more config I would gladly provide it.
Thanks sir
You do not have the required permissions to view the files attached to this post.