I had a similar issue with my MikroTik and was able to solve it just by re-creating the NAT rules (deleted all of them and recreated them one by one).
What was strange was that ping across the LAN and VPN subnets was working, and ping to public websites, RDP and FTP from the VPN subnet were working, but only HTTP/HTTPS traffic wasn't working.
A mangle rule doesn't solve the issue. Changing the MTU on the physical interface didn't work either.
My setup is like this: PPPoE on ether1 [WAN].
Ether1 is connected to a PON modem (PON configured as a bridge --> blindly forwarding all traffic to ether1).
As a solution, I just created a general NAT rule and placed it at the top of all other NAT rules:
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN
Please find below my config, which worked for me:
Note: It's for IKEv2 with PSK authentication (used for Android devices). But you can add both or change the authentication to digital signature (for Windows); just do the certificate config part.
Code:
Tested on RouterOS 6.49 & 7.13
VPN Subnet: 192.168.200.0/24

========= Pool =========
/ip pool
add name=IKEv2-POOL ranges=192.168.200.50-192.168.200.200

========= IPSEC Config =========
/ip ipsec mode-config
add address-pool=IKEv2-POOL address-prefix-length=32 name=IKEv2-MODE-CFG \
    static-dns=8.8.8.8,8.8.4.4 system-dns=no
/ip ipsec proposal
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc lifetime=12h name=\
    IKEv2-PROPOSAL pfs-group=none
/ip ipsec profile
add enc-algorithm=aes-256 hash-algorithm=sha256 name=IKEv2-PROFILE
/ip ipsec policy group
add name=IKEv2-GROUP
/ip ipsec peer
add exchange-mode=ike2 name=IKEv2-PEER passive=yes profile=IKEv2-PROFILE
/ip ipsec policy
add dst-address=192.168.200.0/24 group=IKEv2-GROUP proposal=IKEv2-PROPOSAL \
    src-address=0.0.0.0/0 template=yes
/ip ipsec identity
add generate-policy=port-strict mode-config=IKEv2-MODE-CFG peer=IKEv2-PEER \
    policy-template-group=IKEv2-GROUP remote-id=key-id:CLIENT_ID_1 \
    auth-method=pre-shared-key secret="PASSWORD_HERE"

========= Firewall Filters =========
/ip firewall filter
add action=accept chain=input comment="Allow IPSEC/IKE2 connections" \
    dst-port=500,4500 in-interface=WAN protocol=udp
add action=accept chain=forward comment="Accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="Accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=input comment="Allow ESP Proto 50" in-interface=\
    WAN protocol=ipsec-esp
add action=accept chain=forward comment="Allow ESP Proto 50" in-interface=\
    WAN protocol=ipsec-esp
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes

========= NAT =========
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN
Posted by frankovl — Tue Jan 23, 2024 10:29 pm
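Added example, not part of frankovl's post or of MikroTik's own tooling: a small Python check that parses a RouterOS `/ip firewall filter` export (the line-continued form shown in the post) and verifies two properties the config above relies on, namely that the `ipsec-policy` accept rules in the forward chain sit above the `fasttrack-connection` rule, and that the input chain accepts IKE (UDP 500/4500) and ESP on the WAN interface. It assumes the interface is named `WAN` as in the post; the sample export embedded in the block is constructed from the post's rules.

```python
import re
from typing import Dict, List

# Constructed sample in the line-continued format "/export" prints; it mirrors the
# filter rules from the post above (WAN is the PPPoE interface name used there).
SAMPLE_EXPORT = r'''
/ip firewall filter
add action=accept chain=input comment="Allow IPSEC/IKE2 connections" \
    dst-port=500,4500 in-interface=WAN protocol=udp
add action=accept chain=forward comment="Accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="Accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=input comment="Allow ESP Proto 50" in-interface=\
    WAN protocol=ipsec-esp
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes
'''

def parse_rules(export: str) -> List[Dict[str, str]]:
    """Glue backslash-continued lines, then split each 'add ...' line into key=value pairs."""
    joined = re.sub(r"\\\n\s*", "", export)
    rules = []
    for line in joined.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        pairs = re.findall(r'(\S+?)=("[^"]*"|\S+)', line[4:])  # values may be quoted
        rules.append({k: v.strip('"') for k, v in pairs})
    return rules

def check_ipsec_ordering(rules: List[Dict[str, str]], wan: str = "WAN") -> List[str]:
    """Return findings (empty list = pass). Fasttracked packets skip the rest of the
    forward chain, so every accept rule matching ipsec-policy must sit above the first
    fasttrack rule; the input chain must also accept IKE (UDP 500/4500) and ESP on WAN."""
    findings = []
    forward = [r for r in rules if r.get("chain") == "forward"]
    fast = next((i for i, r in enumerate(forward)
                 if r.get("action") == "fasttrack-connection"), None)
    for i, r in enumerate(forward):
        if fast is not None and i > fast and r.get("action") == "accept" and "ipsec-policy" in r:
            findings.append(f"forward: accept ipsec-policy={r['ipsec-policy']} sits below fasttrack")
    inp = [r for r in rules if r.get("chain") == "input" and r.get("action") == "accept"
           and r.get("in-interface") == wan]
    if not any(r.get("protocol") == "udp" and {"500", "4500"} <= set(r.get("dst-port", "").split(","))
               for r in inp):
        findings.append(f"input: no accept for UDP 500,4500 (IKE / NAT-T) on {wan}")
    if not any(r.get("protocol") == "ipsec-esp" for r in inp):
        findings.append(f"input: no accept for protocol ipsec-esp on {wan}")
    return findings
```

Run it against your own `/ip firewall filter export` output; an empty result means the rules are in the order the post uses.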