
We have a multi-site network with a "Central" facility and multiple "Sites".

At each site we installed a router with VPN capabilities, which always connects to the Internet through an ISP router. We also have an embedded PC with SSH enabled and multiple embedded devices for TCP-to-serial conversion. We want to access all of this equipment from Central.

On the "Central" side we have a MikroTik router behind an ISP router, with a DMZ pointing to the MikroTik.

My networks are like this:

Central - Network 192.168.11.0/24
Site 1 - Network 192.168.20.0/24
Site 2 - Network 192.168.21.0/24
and so on...

We created IPsec VPNs from Central to all of our sites without problems; all tunnels connect and get established. Apparently the configuration is correct, but not all traffic flows as we expected.

Ping works from Central to all devices at the sites, and also in the reverse direction.

The problem is that when we attempt to access equipment at Site x from Central, only the embedded devices work as expected. The SSH server waits until a timeout occurs, and the same happens with the site VPN router: we cannot access its web page.

But what we discovered is that only the site that establishes the first tunnel works 100%. There we can connect to the HTTP devices and to the SSH server in both directions.

On the rest of the tunnels, only the simple HTTP web page of the TCP-to-serial devices works.

My impression is that the simple HTTP devices send the page in a single TCP request, and the MikroTik firewall rules treat it as a "new" connection state and route it correctly, but the other devices must break it into smaller pieces and then the firewall rules do not work. Maybe it is related to MTU or something else. I'm not a network expert, and these fine adjustments are beyond my knowledge.

These are my MikroTik firewall rules.

/ip firewall address-list print  
Flags: X - disabled, D - dynamic 
 #   LIST                   ADDRESS                     CREATION-TIME               TIMEOUT              
 0   SiteLANs               192.168.20.0/24             sep/04/2019 01:59:01
 1   SiteLANs               192.168.21.0/24             sep/04/2019 02:00:38
 2   SiteLANs               192.168.22.0/24             sep/04/2019 02:01:30 

Firewall filter table:

/ip firewall filter print  
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; defconf: accept in ipsec policy
      chain=forward action=accept log=no log-prefix="" ipsec-policy=in,ipsec 

 1    ;;; defconf: accept out ipsec policy
      chain=forward action=accept log=no log-prefix="" ipsec-policy=out,ipsec 

 2    chain=forward action=accept dst-address=192.168.11.0/24 src-address-list=SiteLANs log=no log-prefix="" 

 3    chain=forward action=accept src-address=192.168.11.0/24 dst-address-list=SiteLANs log=no log-prefix="" 

 4   chain=forward action=accept connection-state=established,related log=no log-prefix="" 

 5    chain=input action=accept connection-state=established,related,untracked log=no log-prefix="" 

 6    ;;; Accept ICMP 
      chain=input action=accept protocol=icmp log=no 

 7    ;;; IPSec
      chain=input action=accept protocol=ipsec-esp log=no 

 8    chain=input action=accept protocol=udp dst-port=500,4500 log=no log-prefix="" 

 9    ;;; Router LAN access
      chain=input action=accept in-interface=Switch log=no 

12    ;;; Default: DROP
      chain=input action=drop log=yes log-prefix="drop" 

NAT table:

/ip firewall nat print  
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; IPsec: Sites
      chain=srcnat action=accept src-address=192.168.11.0/24 dst-address-list=SiteLANs log=no log-prefix=""

 1    chain=dstnat action=accept dst-address=192.168.11.0/24 src-address-list=SiteLANs log=no log-prefix="" 

 7    ;;; External VNC access
      chain=dstnat action=dst-nat to-addresses=192.168.11.100 protocol=tcp dst-port=5900 log=no 

 8    chain=dstnat action=dst-nat to-addresses=192.168.11.101 to-ports=5900 protocol=tcp dst-port=5901 log=no 

 9    chain=dstnat action=dst-nat to-addresses=192.168.11.203 to-ports=5900 protocol=tcp dst-port=5902 log=no 

10    ;;; SSH
      chain=dstnat action=dst-nat to-addresses=192.168.11.201 to-ports=22 protocol=tcp in-interface=ether1 dst-port=10022 log=no log-prefix="" 

14    ;;; Default NAT
      chain=srcnat action=masquerade log=no log-prefix=""

Thanks

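The post suspects an MTU problem because small single-segment HTTP pages cross the tunnels while SSH and larger web pages stall. The script below is an added diagnostic, not part of the original post and not MikroTik's code: run from a Linux host on the Central LAN (or from the embedded PC at a site), it binary-searches the largest DF-bit ICMP payload that reaches a remote host through the tunnel, converts that to the path MTU and the TCP MSS a host would need, and does a plain TCP connect to the SSH port. The target addresses are the post's own subnets; `ping -M do` (iputils), `timeout` (coreutils) and bash's `/dev/tcp` are assumptions about the probing host, and `probe_df` is separated from the search so the search can be exercised without a network.

```shell
#!/usr/bin/env bash
# Added diagnostic (not from the original post): find the path MTU across an
# IPsec tunnel and check whether a TCP service on the far side accepts connections.

# probe_df HOST SIZE -> exit 0 when one ICMP echo with a SIZE-byte payload and
# the DF bit set gets a reply. Assumes Linux iputils ping (-M do sets DF).
probe_df() {
    local host=$1 size=$2
    ping -M do -s "$size" -c 1 -W 2 "$host" >/dev/null 2>&1
}

# pmtu_search PROBE HOST LO HI -> prints the largest payload in [LO, HI] for
# which "PROBE HOST payload" succeeds (binary search, about 11 probes for 0..1472).
pmtu_search() {
    local probe=$1 host=$2 lo=$3 hi=$4 mid best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$host" "$mid"; then
            best=$mid
            lo=$((mid + 1))
        else
            hi=$((mid - 1))
        fi
    done
    echo "$best"
}

# payload_to_mtu PAYLOAD -> path MTU: payload + 8 (ICMP header) + 20 (IPv4 header).
payload_to_mtu() { echo $(( $1 + 28 )); }

# mtu_to_mss MTU -> TCP MSS that fits the path: MTU - 20 (IPv4) - 20 (TCP).
mtu_to_mss() { echo $(( $1 - 40 )); }

# check_tcp HOST PORT -> exit 0 when a TCP connection completes within 3 s.
# Uses bash's /dev/tcp so no extra tool is needed on the probing host.
check_tcp() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# report HOST PORT -> one line per host: MTU found, implied MSS, TCP connect result.
report() {
    local host=$1 port=$2 payload mtu
    payload=$(pmtu_search probe_df "$host" 0 1472)   # 1472 = 1500 - 28, a clean Ethernet path
    mtu=$(payload_to_mtu "$payload")
    if check_tcp "$host" "$port"; then tcp=open; else tcp=timeout/refused; fi
    echo "$host: max DF payload=$payload path MTU=$mtu usable MSS=$(mtu_to_mss "$mtu") tcp/$port=$tcp"
}

# Usage: ./pmtu_check.sh 192.168.20.10:22 192.168.21.10:22 192.168.22.10:22
main() {
    local target
    for target in "$@"; do
        report "${target%%:*}" "${target##*:}"
    done
}
[ $# -eq 0 ] || main "$@"
```

Compare the "path MTU" line for the site that works 100% with the lines for the sites that do not; if the failing sites report a noticeably smaller DF payload, full-size TCP segments (SSH, the router's web page) are being dropped on the way while single-segment replies fit, and the MSS shown is the value a TCP MSS clamp on the tunnel path would need to stay under.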