Author Topic: traffic policies with two vlan  (Read 5046 times)

lexyus

traffic policies with two vlan
« on: January 08, 2015, 08:30:47 AM »
If I have two sites and one of them has 2 VLANs, what additional settings do I need?

I have tried to set these traffic policies.

Site A (192.168.1.XXX & 192.168.2.XXX):

rule   source            destination       bypass
10     192.168.1.0/24    192.168.20.0/24
11     192.168.2.0/24    192.168.20.0/24
99     0.0.0.0/24        0.0.0.0/24        checked

Site B (192.168.20.XXX):

rule   source            destination       bypass
10     192.168.20.0/24   192.168.1.0/24
11     192.168.20.0/24   192.168.2.0/24
99     0.0.0.0/24        0.0.0.0/24        checked

Are these traffic policies correct?

ahenning

  • Team Wanos
  • Administrator
Re: traffic policies with two vlan
« Reply #1 on: January 08, 2015, 08:48:51 AM »
Yes, policies are correct. No additional settings required.
CCIE RS, CCIE SP, Mnet&sys

Note: Forum posts may be outdated. Please see the latest documentation at wanos.co/docs

lexyus

Re: traffic policies with two vlan
« Reply #2 on: January 08, 2015, 09:00:40 AM »
Hi ahenning,

Do I need bypass policies from 192.168.1.0/24 to 192.168.2.0/24 and vice versa?

ahenning

  • Team Wanos
  • Administrator
Re: traffic policies with two vlan
« Reply #3 on: January 08, 2015, 09:07:56 AM »
Hi,
No, it's not required, because the policies only match traffic from 192.168.1-2.0/24 going to the remote side .20, so this extra rule is not required.
CCIE RS, CCIE SP, Mnet&sys

lexyus

Re: traffic policies with two vlan
« Reply #4 on: January 08, 2015, 09:18:50 AM »
OK then, thanks for the info. I'm going to try it tomorrow and will update you later.

I'm still curious about one thing. In my last thread about the Mikrotik PPTP VPN, you posted this:

"
If you have only one subnet at each site, then it's OK. Nothing else is needed.

If there is more than one subnet at each site and the Mikrotik is responsible for the routing between these subnets, then a bypass rule is needed, e.g. user-subnet > server-subnet bypass and the other way round as well.

For example, let's say at one site there are users and servers. Users are on 192.168.1.0/24 and servers on 192.168.2.0/24. When users communicate with the servers, the traffic might be routed by the WAN/VPN router. In this case traffic from the user goes through the Wanos device, to the router, then back through the same Wanos device to the servers. In this case the example bypass rule above is needed.

Or better yet:
1) Create a default any any bypass rule at the end (#99)
2) Create a specific rule (#10) for the two site subnets that need to be optimized. E.g. if site-1 is 10.1.1.0/24 and site-2 is 10.1.2.0/24, then optimize only these subnets, e.g. site-1 #10 has src 10.1.1.0/24 to dst 10.1.2.0/24, and site-2 #10 has src 10.1.2.0/24 dst 10.1.1.0/24.
"

Under what circumstances will bypass policies from 192.168.1.0/24 to 192.168.2.0/24 be needed?

ahenning

  • Team Wanos
  • Administrator
Re: traffic policies with two vlan
« Reply #5 on: January 08, 2015, 09:24:40 AM »
Yes, that was right because we initially started with the default rules. Since then we have created specific rules, e.g. from .1 to .20 and from .2 to .20, and hence actually implemented the second suggestion:

"2) Create a specific rule (#10) for the two site subnets that need to be optimized...."

The bypass between the two would have been needed if we didn't have these specific rules 10 and 11 in the config. Specific is always better and preferred over the default.
CCIE RS, CCIE SP, Mnet&sys
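To make the reasoning in this thread concrete, here is an added example (not Wanos code, and not from either poster) that evaluates the Site A policy table with first-match semantics and compares it with an assumed "default rules" starting point. It assumes rows are evaluated in ascending rule-number order, that the catch-all the post writes as 0.0.0.0/24 is meant as 0.0.0.0/0, and that the default starting table is a single optimize-any rule; the host addresses and rule numbers 1 and 2 are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Each row: (rule number, source CIDR, destination CIDR, action).
# Assumption: rows are evaluated in ascending rule-number order, first match wins.
def lookup(rules, src, dst):
    """Return (rule_number, action) of the first row matching a src -> dst flow."""
    s, d = ip_address(src), ip_address(dst)
    for number, src_net, dst_net, action in sorted(rules):
        if s in ip_network(src_net) and d in ip_network(dst_net):
            return number, action
    return None, "no-match"

def hairpin_actions(rules, user_host, server_host):
    """Actions applied to intra-site user <-> server traffic that is routed via
    the WAN/VPN router and therefore crosses the device twice, once per direction."""
    return (lookup(rules, user_host, server_host)[1],
            lookup(rules, server_host, user_host)[1])

# Site A table from the thread. The post writes the catch-all as 0.0.0.0/24;
# an any/any catch-all is 0.0.0.0/0, which is what is used here (assumption).
SITE_A_SPECIFIC = [
    (10, "192.168.1.0/24", "192.168.20.0/24", "optimize"),
    (11, "192.168.2.0/24", "192.168.20.0/24", "optimize"),
    (99, "0.0.0.0/0",      "0.0.0.0/0",       "bypass"),
]

# Assumed starting point: only a default rule that optimizes everything.
SITE_A_DEFAULT = [(10, "0.0.0.0/0", "0.0.0.0/0", "optimize")]

# Same default plus the explicit user <-> server bypass rows from the quoted
# advice (rule numbers 1 and 2 are constructed for this example).
SITE_A_DEFAULT_WITH_BYPASS = [
    (1, "192.168.1.0/24", "192.168.2.0/24", "bypass"),
    (2, "192.168.2.0/24", "192.168.1.0/24", "bypass"),
] + SITE_A_DEFAULT

if __name__ == "__main__":
    # Constructed sample hosts: a user, a local server, a remote Site B host.
    user, server, remote = "192.168.1.10", "192.168.2.5", "192.168.20.5"
    print("site-to-site:", lookup(SITE_A_SPECIFIC, user, remote))  # (10, 'optimize')
    print("intra-site, specific table:", hairpin_actions(SITE_A_SPECIFIC, user, server))
    print("intra-site, default table:", hairpin_actions(SITE_A_DEFAULT, user, server))
    print("intra-site, default + bypass:", hairpin_actions(SITE_A_DEFAULT_WITH_BYPASS, user, server))
```

With the specific table, intra-site traffic never matches rules 10 or 11 and falls through to the bypass catch-all, so no extra bypass row is needed; with the default-optimize table the same traffic is optimized in both directions unless the explicit bypass rows are present.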

lexyus

Re: traffic policies with two vlan
« Reply #6 on: January 08, 2015, 09:41:30 AM »
Ohh, that's why. OK then, thanks for your specific explanation. Cheers ;D