Zsoltr
just joined
Topic Author
Posts: 20
Joined: Wed Dec 06, 2017 4:46 pm

IPSEC - NAT question

Wed Jan 06, 2021 4:21 pm

Dear all,

I have the following problem:

MTHOME - (WAN: x.x.x.10)
LAN (192.168.93.0/24)
server <----------(smtp-only)------> (through x.x.x.1) <----> CHR (WAN: x.x.x.1,x.x.x.2,x.x.x.3,x.x.x.4)

I have a CHR with 4 IP and a home router with a dynamic IP.
I have a mail server on the LAN. I need the mail server to communicate on the CHR's IP (x.x.x.1), but only the traffic on port 25 should go that way. The rest of the traffic should use the MTHOME route.

I have set up an IPSEC tunnel with dst-nat and src-nat rules that works, but that case all network traffic goes through the tunnel, and that's not what I want. I only need port 25 to use the IPSEC tunnel.

Thanks in advance! :)
 
nagylzs
Member
Posts: 357
Joined: Sun May 26, 2019 2:08 pm

Re: IPSEC - NAT question

Wed Jan 06, 2021 4:43 pm

How did you add your ipsec policies? Can you please post your config?
 
Zsoltr
just joined
Topic Author
Posts: 20
Joined: Wed Dec 06, 2017 4:46 pm

Re: IPSEC - NAT question

Wed Jan 06, 2021 5:20 pm

How did you add your ipsec policies? Can you please post your config?
This is my policies config. These are different servers on the LAN side and all configured as tunnels.
Thanks for your help! :)
# jan/06/2021 15:39:55 by RouterOS 6.47.3
# software id = 
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
add dst-address=0.0.0.0/0 peer=peer2 sa-dst-address=x.x.x.94 sa-src-address=y.y.y.94 src-address=192.168.93.150/32 tunnel=yes
add dst-address=0.0.0.0/0 peer=peer2 sa-dst-address=x.x.x.94 sa-src-address=y.y.y.94 src-address=192.168.94.2/32 tunnel=yes
add dst-address=0.0.0.0/0 peer=peer2 sa-dst-address=x.x.x.94 sa-src-address=y.y.y.94 src-address=192.168.93.5/32 tunnel=yes
add dst-address=0.0.0.0/0 peer=peer2 sa-dst-address=x.x.x.94 sa-src-address=y.y.y.94 src-address=192.168.93.225/32 tunnel=yes
add dst-address=0.0.0.0/0 peer=peer2 sa-dst-address=x.x.x.94 sa-src-address=y.y.y.94 src-address=192.168.93.152/32 tunnel=yes
add dst-address=0.0.0.0/0 peer=peer2 sa-dst-address=x.x.x.94 sa-src-address=y.y.y.94 src-address=192.168.93.151/32 tunnel=yes
add dst-address=0.0.0.0/0 peer=peer2 sa-dst-address=x.x.x.94 sa-src-address=y.y.y.94 src-address=192.168.93.7/32 tunnel=yes
add dst-address=0.0.0.0/0 peer=peer2 sa-dst-address=x.x.x.94 sa-src-address=y.y.y.94 src-address=192.168.93.248/32 tunnel=yes
add dst-address=0.0.0.0/0 peer=peer2 sa-dst-address=x.x.x.94 sa-src-address=y.y.y.94 src-address=192.168.93.235/32 tunnel=yes
 
nagylzs
Member
Posts: 357
Joined: Sun May 26, 2019 2:08 pm

Re: IPSEC - NAT question

Wed Jan 06, 2021 7:37 pm

Okay, so these policies have a dst-port and an src-port attribute. You can add dst-port=25 to limit the packets that need to be encapsulated and encrypted.

Don't forget to update your NAT rules as well. You need to have a NAT rule that will masquerade all packets that were not encapsulated.

For example:
/ip firewall nat
add chain=srcnat action=accept dst-port=25 dst-address=your.smtp.over.tunnel.address comment="bypass nat for packets that will be tunneled"
add chain=srcnat action=masquerade out-interface=your_wan_interface
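Added example (not code from the thread or from RouterOS): a small Python model of the two-step decision the answer above relies on, srcnat first and the IPsec policy lookup afterwards on the post-NAT packet, so the srcnat accept rule has to mirror the policy selector or the masqueraded packet no longer matches the host /32 policy. Host, WAN and remote addresses below are constructed placeholders, not the thread's real values.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Selector:
    """Traffic selector shared by an ipsec policy and a srcnat bypass rule."""
    src_address: str = "0.0.0.0/0"
    dst_address: str = "0.0.0.0/0"
    src_port: Optional[int] = None   # None = any, like an unset RouterOS attribute
    dst_port: Optional[int] = None

@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def matches(sel: Selector, f: Flow) -> bool:
    """True when every set selector field agrees with the flow."""
    return (ipaddress.ip_address(f.src_ip) in ipaddress.ip_network(sel.src_address)
            and ipaddress.ip_address(f.dst_ip) in ipaddress.ip_network(sel.dst_address)
            and sel.src_port in (None, f.src_port)
            and sel.dst_port in (None, f.dst_port))

def forward(f: Flow, nat_bypass: Optional[Selector], policies: List[Selector],
            wan_ip: str) -> Tuple[str, str]:
    """Model the output order: srcnat chain, then IPsec policy lookup.
    Returns (source address the remote side sees, path taken)."""
    # srcnat chain: an 'accept' rule mirroring the policy exempts the packet,
    # everything else is masqueraded to the WAN address.
    if not (nat_bypass and matches(nat_bypass, f)):
        f = replace(f, src_ip=wan_ip)
    # Policy lookup runs on the post-NAT packet: a masqueraded packet has lost
    # its LAN /32 source and cannot match a per-host policy any more.
    for p in policies:
        if matches(p, f):
            return f.src_ip, "ipsec-tunnel"
    return f.src_ip, "plain-wan"

# Constructed values for the scenario in the thread (assumptions, not real config).
MAIL_HOST = "192.168.93.150"
WAN_IP = "198.51.100.10"
# dst-port=25 selects connections the mail server opens towards port 25.
SMTP_OUT = Selector(src_address=MAIL_HOST + "/32", dst_port=25)
# src-port=25 selects the server's own replies on inbound SMTP sessions.
SMTP_REPLIES = Selector(src_address=MAIL_HOST + "/32", src_port=25)
```

Which of the two selectors is right depends on whether the traffic that must leave via the CHR is the server's outbound connections or its replies to inbound ones; the model lets you check a sample flow against either.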
 
Zsoltr
just joined
Topic Author
Posts: 20
Joined: Wed Dec 06, 2017 4:46 pm

Re: IPSEC - NAT question

Wed Jan 06, 2021 8:00 pm

Wow! Thanks for the help!
Works great! The only thing I changed is that I had to use src-port instead of dst-port for the policies. But that's all!

Thanks again, you saved my night! :)

Zsolt