Mikrotik
Pontius71, 2019-09-11 15:48:37

Transferring device ip via vpn mikrotik?

There are 3 mikrotik routers connected via vpn
m1 - Local subnet 192.168.0.0/24. client ip l2tp 192.168.7.2/32
m2 - Local subnet 192.168.1.0/24. client ip l2tp 192.168.7.3/32
m3 - Local subnet 192.168.2.0/24. ip l2tp server 192.168.7.1/32
On m1 there is a route to 192.168.1.0/24 and 192.168.2.0/24 through the l2tp interface 192.168.1.150.
What I am doing: on the l2tp server 192.168.2.1 (192.168.7.1) I create the rule forward src-address 192.168.0.150 dst-address 192.168.1.150 action drop.
But the rule does not work. I suspect the reason is that m2 recognizes the entire subnet 0.0/24 as the host 192.168.7.2.
Tell me how to make it "substitute" the sender's address of the node behind the Mikrotik?
I suspect that I screwed up with masquerading. At the moment, masquerading is enabled on all Mikrotiks without specifying interfaces.
I described the scheme as an example, because in fact there are an order of magnitude more Mikrotiks and subnets.
If you need logs, I will provide everything, just specify which ones, thanks.


2 answer(s)
Dmitry, 2019-09-11
@Pontius71

> I suspect that I screwed up with masquerading. At the moment, masquerading is enabled on all Mikrotiks without specifying interfaces.
This is the problem - by the time the packet gets to forward, the source address has already been replaced by masquerading. Remove the masquerade on l2tp and make normal routing.
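A RouterOS configuration sketch illustrating this answer. It is an added example, not configuration from the question author's routers or from the answerer: the interface names (ether1-wan, l2tp-out1), the interface-list name WAN and the comments are assumed, the addresses are the ones given in the question.

```routeros
# --- on m1 (L2TP client, LAN 192.168.0.0/24); interface names are assumed ---
/interface list
add name=WAN comment="interfaces that face the Internet"
/interface list member
add list=WAN interface=ether1-wan

# Masquerade only when a packet leaves toward the Internet. The tunnel
# (l2tp-out1) is deliberately NOT in the WAN list, so packets going to
# 192.168.1.0/24 or 192.168.2.0/24 keep their real source, e.g. 192.168.0.150.
/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade comment="NAT to Internet only"

# Plain routes to the remote LANs through the L2TP server, no NAT involved.
/ip route
add dst-address=192.168.1.0/24 gateway=192.168.7.1 comment="m2 LAN via L2TP server"
add dst-address=192.168.2.0/24 gateway=192.168.7.1 comment="m3 LAN via L2TP server"

# --- on m3 (L2TP server, 192.168.7.1) ---
# Without NAT, m3 must know the way back to each client's LAN.
/ip route
add dst-address=192.168.0.0/24 gateway=192.168.7.2 comment="m1 LAN"
add dst-address=192.168.1.0/24 gateway=192.168.7.3 comment="m2 LAN"

# --- on m2 (L2TP client, LAN 192.168.1.0/24) ---
# m2 also needs the return route, via the server, and the same WAN-only NAT as m1.
/ip route
add dst-address=192.168.0.0/24 gateway=192.168.7.1 comment="m1 LAN via L2TP server"

# --- back on m3: the forward rule from the question now sees the original addresses ---
/ip firewall filter
add chain=forward src-address=192.168.0.150 dst-address=192.168.1.150 action=drop \
    log=yes log-prefix="drop-0.150-to-1.150"

# Check: connection tracking on m3 should now list 192.168.0.150 as the source
# instead of the tunnel address 192.168.7.2.
/ip firewall connection print where src-address~"^192.168.0.150:"
```

The point of the interface list is that every router in the scheme gets the same single NAT rule; whatever is not in WAN (tunnels, LAN bridges) is routed with real addresses, so firewall rules on any of the routers can match on them.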

Andrey Barbolin, 2019-09-11
@dronmaxman

A good practice is to configure the rules on the nearest firewall so as not to drive blocked traffic through the Internet and not to utilize the channel in vain.
That is, to deny access from 0.150 to 1.150, the rule must be written on m1 and the rule must be higher than the other allowing rule 0.0/24 in 1.0/24.
Also, if you have an established related rule, then you need to reset the already established session between clients.
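The rule ordering and the session reset described in this answer, as an added RouterOS example for m1 (not configuration from the answerer or the question author). The rule comments and the use of an established/related accept rule at the top of the forward chain are assumptions; the addresses come from the question.

```routeros
# --- on m1, the router nearest to 192.168.0.150 (rule comments are assumed) ---
/ip firewall filter
# Typical start of a forward chain: keep already-accepted sessions flowing.
add chain=forward connection-state=established,related action=accept comment="est-rel"
# Broad allow from the local LAN to m2's LAN over the tunnel.
add chain=forward src-address=192.168.0.0/24 dst-address=192.168.1.0/24 \
    action=accept comment="allow 0.0/24 to 1.0/24"

# The specific drop must sit ABOVE the broad allow, otherwise it never matches.
# place-before takes the rule it should be inserted in front of.
add chain=forward src-address=192.168.0.150 dst-address=192.168.1.150 \
    action=drop log=yes log-prefix="block-0.150-to-1.150" \
    comment="block 0.150 to 1.150" \
    place-before=[find comment="allow 0.0/24 to 1.0/24"]

# Because "est-rel" is evaluated first, a session that was already open stays
# accepted by connection tracking. Remove its tracking entries so the next
# packet is evaluated against the new drop rule.
/ip firewall connection
remove [find src-address~"^192.168.0.150:" dst-address~"^192.168.1.150:"]

# Verify the order and watch the drop rule's counters start moving.
/ip firewall filter print stats where chain=forward
/log print where message~"block-0.150-to-1.150"
```

Blocking on m1 means the packet is discarded before it enters the tunnel, so neither the L2TP server nor m2 ever carries the traffic, and the log prefix gives a local record of each blocked attempt.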
