Peque
newbie
Topic Author
Posts: 45
Joined: Mon Oct 26, 2015 9:35 am

FILTER/NAT RULES FOR IPSEC VPN

Wed Jul 27, 2016 10:05 am

Hi Forum 
I've been setting up a system and cannot get the rules right for accessing the different networks:
Headquarter: 192.168.201.0/24
BO1: 192.168.202.0/24
BO2: 192.168.203.0/24

Actually I'm getting the VPN up and running with IPSEC, following this guide: Ipsec Guide
And the VPNs are created and talking to each other. I've added a route on each router:
#      DST-ADDRESS       PREF-SRC       GATEWAY  DISTANCE
2 A S  192.168.200.0/21  192.168.201.1  WAN      1
Where the preferred source changes on each router, depending on their local
The firewall rules I've tried without any luck:
From Headquarter
FILTER
 0    chain=forward action=accept src-address=192.168.201.0/24 dst-address=192.168.200.0/21 log=no log-prefix=""
 1    chain=forward action=accept src-address=192.168.200.0/21 dst-address=192.168.201.0/24 log=no log-prefix=""

NAT
 1    chain=srcnat action=accept src-address=192.168.200.0/21 dst-address=192.168.201.0/24 log=no log-prefix=""
Both enabled and disabled NAT rules do not do anything.

As it is now I cannot ping between the 2 routers, nor do I have access to the LAN on the other side of the VPN.
So how should I create these rules to get LAN2LAN access on this setup?

I've tried with only filter rules and with only NAT rules, both with different rules enabled and disabled.
I reset the system several times, but ended up with the VPN tunnel created but no access from Router1 to Router2 and vice versa.
So actually I think my problem lies in the access rules for the setup, but then I'm not sure how to do it correctly so I get LAN2LAN access both ways.
 
pe1chl
Forum Guru
Posts: 10542
Joined: Mon Jun 08, 2015 12:09 pm

Re: FILTER/NAT RULES FOR IPSEC VPN

Wed Jul 27, 2016 10:34 am

Your subnets are overlapping.  That will only work when you know exactly what you are doing!
 
Peque
newbie
Topic Author
Posts: 45
Joined: Mon Oct 26, 2015 9:35 am

Re: FILTER/NAT RULES FOR IPSEC VPN

Wed Jul 27, 2016 10:43 am

I know my subnets are overlapping.
I've also tried with the same non-overlapping networks.
The single subnets aren't overlapping:
HQ : 192.168.201.0/24
BO1 192.168.202.0/24
BO2 192.168.203.0/24

I've tried both using 192.168.200.0/21 as the main subnet, but also only with the /24 networks.

HQ:
Filter
 0    chain=forward action=accept src-address=192.168.202.0/24 dst-address=192.168.201.0/24 log=no log-prefix=""
 1    chain=forward action=accept src-address=192.168.201.0/24 dst-address=192.168.202.0/24 log=no log-prefix=""
NAT
 0    chain=srcnat action=accept src-address=192.168.201.0/24 dst-address=192.168.202.0/24 log=no log-prefix=""

BO1:
Filter
 0    chain=forward action=accept src-address=192.168.201.0/24 dst-address=192.168.202.0/24 log=no log-prefix=""
 1    chain=forward action=accept src-address=192.168.202.0/24 dst-address=192.168.201.0/24 log=no log-prefix=""
NAT
 0    chain=srcnat action=accept src-address=192.168.202.0/24 dst-address=192.168.201.0/24 log=no log-prefix=""

But still the same result!
I cannot get LAN 2 LAN access.
Can someone help with setting up either the right filter rule or NAT rule (or both if needed)?
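For reference, here is an added RouterOS example of the HQ-side rule set for a policy-based IPsec LAN-to-LAN tunnel like the one in this thread; it is not from either poster and assumes an existing srcnat masquerade rule for Internet access, that the tunnel is policy-based as in the linked guide, and a placeholder peer address of 203.0.113.2.

```routeros
# Added example, not from the thread. HQ side: 192.168.201.0/24 (HQ) <-> 192.168.202.0/24 (BO1).
# Assumptions: a srcnat masquerade rule already exists, the IPsec policy is
# already configured, 203.0.113.2 is a placeholder for the BO1 public address.

# 1. NAT bypass. The accept rule must be evaluated BEFORE masquerade: once a LAN
#    packet is translated to the WAN address it no longer matches the IPsec policy
#    selector (201.x -> 202.x) and leaves the router in clear text instead of in the
#    tunnel. Print the chain first, then place the new rule at the top (rule 0).
/ip firewall nat print
/ip firewall nat add chain=srcnat action=accept place-before=0 \
    src-address=192.168.201.0/24 dst-address=192.168.202.0/24 \
    comment="IPsec bypass HQ LAN -> BO1 LAN (must stay above masquerade)"

# 2. Forward chain. Matching on ipsec-policy restricts the exception to packets that
#    really were decrypted by (or will be encrypted by) IPsec, so a clear-text packet
#    arriving on WAN with a spoofed 192.168.202.x source does not match the rule.
/ip firewall filter add chain=forward action=accept ipsec-policy=in,ipsec \
    src-address=192.168.202.0/24 dst-address=192.168.201.0/24 place-before=0 \
    comment="from BO1 LAN via IPsec"
/ip firewall filter add chain=forward action=accept ipsec-policy=out,ipsec \
    src-address=192.168.201.0/24 dst-address=192.168.202.0/24 place-before=0 \
    comment="to BO1 LAN via IPsec"

# 3. Input chain: allow IKE (udp/500), NAT-T (udp/4500) and ESP only from the peer.
/ip firewall filter add chain=input action=accept protocol=udp dst-port=500,4500 \
    src-address=203.0.113.2 comment="IKE/NAT-T from BO1 peer"
/ip firewall filter add chain=input action=accept protocol=ipsec-esp \
    src-address=203.0.113.2 comment="ESP from BO1 peer"

# 4. Checks. ph2-state should read "established", the installed SA byte counters
#    should rise while pinging, and the bypass rule's packet counter should
#    increase while the masquerade rule's does not for this traffic.
/ip ipsec policy print detail
/ip ipsec installed-sa print
/ping 192.168.202.1 src-address=192.168.201.1 count=5
/ip firewall nat print stats
```

Mirror the same rules on BO1 with the two LAN prefixes and the peer address swapped; a ping without src-address uses the WAN address as source and will not enter the tunnel, which is a common reason router-to-router pings fail while the policy looks fine.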