The solution worked perfectly, but it had one drawback - if the public interface was raised, the backup interface did not respond to ping.
Since this exact problem was described in this thread: viewtopic.php?t=166417, I used the entries provided there - but only for the backup interface.
In the listing below, these additional lines have been marked with the comment "added".
After this, both interfaces started pinging correctly from outside, even when both were active. However, a new problem appeared - when I turned off the public interface (i.e. when working only on the backup connection), the ipsec tunnel to our office stopped being established.
I am asking for help or at least a hint on what I should modify in my configuration to achieve:
- both public links should respond to ping,
- the ipsec tunnel must work properly on each of these two links.
Below is my configuration (omitting irrelevant lines):
Code: Select all
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="accept established,related, untracked"
add chain=input action=accept log-prefix="winbox - administration" port=4000,4443,8291 protocol=tcp src-address-list=Trusted comment="remote administration https 4443 WinBox 4000,8291"
add chain=input action=accept ipsec-policy=in,ipsec log-prefix="incoming ipsec:" comment="accept in ipsec policy to router"
add chain=input action=accept in-interface-list=WAN protocol=icmp comment="accept ICMP"
add chain=input action=drop in-interface-list=WAN log-prefix="dropped in WAN:" comment="drop all from WAN"
add chain=forward action=accept ipsec-policy=in,ipsec comment="accept in ipsec"
add chain=forward action=accept ipsec-policy=out,ipsec comment="accept out ipsec"
add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="accept established,related, untracked"
add chain=forward action=drop connection-state=invalid log=no log-prefix="invalid fw:" comment="drop invalid forward"
add chain=forward action=accept connection-nat-state=dstnat log-prefix="port_forwards:" comment="accept port forwards"
add chain=forward action=drop in-interface-list=WAN ipsec-policy=in,none src-address-list=NotPublic log-prefix="!public from WAN:" comment="drop all packets from internet which should not exist in public network and not ipsec"
add chain=forward action=drop connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log-prefix="!NAT from WAN:" comment="drop new from WAN not DSTNATed"
/ip ipsec profile
add dh-group=modp2048 dpd-interval=30s enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=8h name=sophos
/ip ipsec peer
add address=headoffice_ip exchange-mode=ike2 name=ITSA profile=sophos
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=8h name=sophos pfs-group=modp2048
/ip ipsec identity
add my-id=fqdn:sko217 peer=ITSA remote-id=fqdn:centrala
/ip ipsec policy
set 0 disabled=yes dst-address=0.0.0.0/32 src-address=0.0.0.0/32
add action=none comment=LAN dst-address=10.0.25.0/24 src-address=10.0.25.0/24
add comment=ITSA dst-address=10.0.0.0/8 level=unique peer=ITSA proposal=sophos src-address=10.0.25.0/24 tunnel=yes
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none comment=";;; defconf masquerade"
#NETWATCH
/tool netwatch
add comment=public disabled=no host=9.9.9.9 interval=30s packet-count=20 packet-interval=1s startup-delay=30s type=icmp
add comment=public disabled=no host=208.67.220.220 interval=30s packet-count=20 packet-interval=1s startup-delay=30s type=icmp
add comment=backup disabled=no host=9.9.9.10 interval=30s packet-count=20 packet-interval=1s startup-delay=30s type=icmp
add comment=backup disabled=no host=208.67.220.222 interval=2m packet-count=20 packet-interval=5s startup-delay=30s type=icmp
# ROUTING LOGIC
/routing table
add disabled=no fib name=to_public
add disabled=no fib name=to_backup
# added whole line
add disabled=no fib name=to_isp2
/routing rule
add action=lookup-only-in-table disabled=no dst-address=9.9.9.9/32 table=to_public
add action=lookup-only-in-table disabled=no dst-address=9.9.9.10/32 table=to_backup
add action=lookup-only-in-table disabled=no dst-address=208.67.220.220/32 table=to_public
add action=lookup-only-in-table disabled=no dst-address=208.67.220.222/32 table=to_backup
# added whole line
add action=lookup-only-in-table disabled=no src-address=ip_of_backup_interface table=to_isp2
/ip route
add comment=public disabled=no distance=1 dst-address=0.0.0.0/0 gateway="$PublicGateway"
# added routing-table to existing line
add comment=backup disabled=no distance=2 dst-address=0.0.0.0/0 gateway="$BackupGateway" routing-table=to_isp2
add comment="test_public" disabled=no distance=1 dst-address=0.0.0.0/0 gateway="$PublicGateway" routing-table=to_public
add comment="test_backup" disabled=no distance=2 dst-address=0.0.0.0/0 gateway="$BackupGateway" routing-table=to_backup
