MikroTik

Community discussions
https://forum.mikrotik.com/

IPsec Routing

https://forum.mikrotik.com/viewtopic.php?t=138189

Page 1 of 1

IPsec Routing

Posted: Sun Aug 19, 2018 3:47 am
by luddite
Have a good stable ipsec tunnel between two sites. Head office is a windows domain and a branch office with domain client computers.

Want branch office domain clients to resolve domain dns queries over tunnel, found this real nice bit of code below but it doesn't work as the branch office router itself cant contact hosts over the tunnel. For example if I try to ping from the branch office router to a host at head office I cant - unless I specify a source ip address in ping command. This stops the code below working.

How can traffic destined for head office subnet from the branch office router itself be routed through the tunnel or is there another way to achieve what I am trying to do?
Code: Select all
/ip firewall layer7-protocol add name=yourworkplace.com regexp=yourworkplace.com
/ip firewall mangle add chain=prerouting dst-address=192.168.0.1 layer7-protocol=yourworkplace.com action=mark-connection new-connection-mark=yourworkplace.com-forward protocol=tcp dst-port=53
/ip firewall mangle add chain=prerouting dst-address=192.168.0.1 layer7-protocol=yourworkplace.com action=mark-connection new-connection-mark=yourworkplace.com-forward protocol=udp dst-port=53
/ip firewall nat add action=dst-nat chain=dstnat connection-mark=yourworkplace.com-forward to-addresses=10.0.0.4
/ip firewall nat add action=masquerade chain=srcnat connection-mark=yourworkplace.com-forward

Re: IPsec Routing

Posted: Sun Aug 19, 2018 12:56 pm
by sindy
this real nice bit of code below but it doesn't work as the branch office router itself cant contact hosts over the tunnel.
It is not (at least not only) that the office router itself cannot contact hosts over the tunnel what makes that "code" not to work; it is mainly that packets generated by the router itself are not handled by chain prerouting of firewall table mangle. Instead, they are handled by chain output. So to let the layer7-protocol condition be evaluated also for router's own DNS queries, you have to add an otherwise identical rule also to chain output of table mangle.

I intentionally mention only one rule - the one with protocol=udp. Using layer7-protocol to redirect tcp connections makes no sense because by the time the condition matches, a tcp session has already been established, so the maximum you can do is to break it.

How can traffic destined for head office subnet from the branch office router itself be routed through the tunnel or is there another way to achieve what I am trying to do?
Due to the specific way how IPsec routing works, I assume that adding the mangle rule to chain=output should do the trick alone, as your /ip ipsec policy seems to match on src-address=10.0.0.4. So packets matched by the layer7-protocol matching mangle rule are connection-marked, and the NAT rule matching the connection-mark changes the source address to the one which the ipsec policy matches.
All times are UTC+02:00
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Limited
https://www.phpbb.com/