toedwyday
just joined
Topic Author
Posts: 4
Joined: Wed May 18, 2011 1:22 pm

how to limit VPN user access to one server?

Wed May 18, 2011 8:55 pm

Hi all, I would like to create a VPN account under "PPP". For this VPN account, I name it "user1"; this account is only allowed to access one server (IP: 1.1.1.1, FTP port 21) in my internal network. user1 will be dialing in to the VPN from the Internet.

My idea is to do 2 firewall rules. The first will allow user1 to access my server 1.1.1.1 FTP port 21; the second firewall rule will drop any other connection to other servers or protocols.

I created a "profile" under "PPP" and named it "profile1", then I changed the remote address at profile1 to 9.9.9.9. Then at "Secrets" under "PPP", I created an account named "user1" and changed its profile to "profile1".

At "Firewall" >> "Address Lists" I created a list named "ftp_list" with address=9.9.9.9.

At "Firewall" under "Filter Rules", I added rule1: chain=input, dst address = 1.1.1.1, protocol = tcp, dst port = 21; under the "Advanced" tab, I put Src. address list = ftp_list, Action=accept
(assuming user1 dials in, he/she will be assigned IP 9.9.9.9 (ftp_list), so he/she is allowed to FTP to 1.1.1.1 port 21)

At the same place, I added rule2: chain=input, protocol=tcp, action=drop (supposedly it will drop everything after rule1).

But I tested it, and it won't work. When user1 dialed into the MK router, it could ping/telnet/ftp to any server.

The reason I want to limit user1 to accessing only 1.1.1.1 from the Internet is a security concern.

Can anyone give me some advice?

Thanks!
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: how to limit VPN user access to one server?

Wed May 18, 2011 9:04 pm

http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter
There are three predefined chains, which cannot be deleted:

input - used to process packets entering the router through one of the interfaces with the destination IP address which is one of the router's addresses. Packets passing through the router are not processed against the rules of the input chain
forward - used to process packets passing through the router
output - used to process packets originated from the router and leaving it through one of the interfaces. Packets passing through the router are not processed against the rules of the output chain
The 'input' chain is for traffic directly TO the router. You're trying to firewall traffic between a VPN client and a server, which is traffic THROUGH the router. Use the 'forward' chain for your rules.
You also want to change your drop rule to not drop everything, as that would drop all traffic through the router. Drop traffic to/from that address list after permitting FTP traffic. It would also make sense to go stateful to easily allow return traffic from the FTP server to the client.
/ip firewall filter
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward dst-address=1.1.1.1 protocol=tcp dst-port=21 src-address-list=ftp_list action=accept
add chain=forward dst-address-list=ftp_list action=drop
add chain=forward src-address-list=ftp_list action=drop
Generally speaking the above should work. The connection-state rules should be above any other rules you have. If you need more specific help with fitting things into existing rule sets you'll have to post them here.
 
blake
Member
Posts: 426
Joined: Mon May 31, 2010 10:46 pm
Location: Arizona

Re: how to limit VPN user access to one server?

Wed May 18, 2011 10:17 pm

You could use dynamic PPP filters to achieve this.
/ip firewall filter
add chain=pptp-filter-in action=accept dst-address=1.1.1.1 protocol=tcp dst-port=21
add chain=pptp-filter-in action=drop
add chain=pptp-filter-out action=drop

add chain=forward action=jump jump-target=ppp

/ppp profile
add name=filtered-users copy-from=default-encryption incoming-filter=pptp-filter-in outgoing-filter=pptp-filter-out

/ppp secret
set user1 profile=filtered-users
Connect to the VPN, and then you'll have dynamic rules added to the PPP chain which direct traffic from user1 into the specified chains.
[blake@test] /ip firewall filter> print dynamic
Flags: X - disabled, I - invalid, D - dynamic 
 0 D chain=ppp action=jump jump-target=pptp-filter-in in-interface=<pptp-user1> 

 1 D chain=ppp action=jump jump-target=pptp-filter-out out-interface=<pptp-user1> 
[blake@test] /ip firewall filter>
I edited this post to add the jump into the ppp chain as I forgot it in the original post. I also removed the connection-state rules because they're not needed in the 'pptp-filter*' chains if they're already in the main forward chain.
Last edited by blake on Wed May 18, 2011 10:28 pm, edited 2 times in total.
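The chain-traversal point made in fewi's and blake's replies (forwarded traffic only crosses the 'forward' chain, first match wins, a jump returns to the caller when the target chain falls through), as an added Python example that is not from the thread or from RouterOS: a toy evaluator run over the two rule sets discussed. The address list contents, packet fields and simplified jump semantics are my assumptions.

```python
# Added example, not RouterOS code: a toy first-match evaluator for RouterOS-style
# filter chains, to show why the starter's input-chain rules never see VPN traffic
# forwarded through the router. Address list and packets are constructed samples.
ADDRESS_LISTS = {"ftp_list": {"9.9.9.9"}}

def rule_matches(rule, pkt):
    for key, want in rule.items():
        if key in ("chain", "action", "jump_target"):
            continue
        if key.endswith("_address_list"):  # src_address_list / dst_address_list
            if pkt[key[:3]] not in ADDRESS_LISTS[want]:
                return False
        elif pkt.get(key) != want:
            return False
    return True

def evaluate(rules, pkt, chain):
    """Walk one chain; a jump whose target falls through returns here (as in RouterOS)."""
    for rule in rules:
        if rule["chain"] != chain or not rule_matches(rule, pkt):
            continue
        if rule["action"] == "jump":
            verdict = evaluate(rules, pkt, rule["jump_target"])
            if verdict is not None:
                return verdict
        else:
            return rule["action"]
    return None  # no rule decided; RouterOS accepts by default

# Thread starter's rules: the matches are right, but the chain is wrong.
INPUT_RULES = [
    {"chain": "input", "dst": "1.1.1.1", "protocol": "tcp", "dst_port": 21,
     "src_address_list": "ftp_list", "action": "accept"},
    {"chain": "input", "protocol": "tcp", "action": "drop"},
]
# fewi's stateful forward-chain rules (address-list option spelled correctly).
FORWARD_RULES = [
    {"chain": "forward", "connection_state": "established", "action": "accept"},
    {"chain": "forward", "connection_state": "related", "action": "accept"},
    {"chain": "forward", "connection_state": "invalid", "action": "drop"},
    {"chain": "forward", "dst": "1.1.1.1", "protocol": "tcp", "dst_port": 21,
     "src_address_list": "ftp_list", "action": "accept"},
    {"chain": "forward", "dst_address_list": "ftp_list", "action": "drop"},
    {"chain": "forward", "src_address_list": "ftp_list", "action": "drop"},
]

def vpn_client_verdict(rules, dst, dst_port, state="new"):
    """Verdict for a packet from VPN client 9.9.9.9 crossing the router: forward chain only."""
    pkt = {"src": "9.9.9.9", "dst": dst, "protocol": "tcp", "dst_port": dst_port, "connection_state": state}
    return evaluate(rules, pkt, "forward") or "accept"
```

Running `vpn_client_verdict(INPUT_RULES, "2.2.2.2", 22)` returns "accept" because nothing in the forward chain matches, which is exactly the starter's symptom; with FORWARD_RULES the same packet is dropped while FTP to 1.1.1.1 and established replies pass.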
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: how to limit VPN user access to one server?

Wed May 18, 2011 10:24 pm

That's considerably nicer.
 
toedwyday
just joined
Topic Author
Posts: 4
Joined: Wed May 18, 2011 1:22 pm

Re: how to limit VPN user access to one server?

Thu May 19, 2011 5:45 am

http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter
There are three predefined chains, which cannot be deleted:

input - used to process packets entering the router through one of the interfaces with the destination IP address which is one of the router's addresses. Packets passing through the router are not processed against the rules of the input chain
forward - used to process packets passing through the router
output - used to process packets originated from the router and leaving it through one of the interfaces. Packets passing through the router are not processed against the rules of the output chain
The 'input' chain is for traffic directly TO the router. You're trying to firewall traffic between a VPN client and a server, which is traffic THROUGH the router. Use the 'forward' chain for your rules.
You also want to change your drop rule to not drop everything, as that would drop all traffic through the router. Drop traffic to/from that address list after permitting FTP traffic. It would also make sense to go stateful to easily allow return traffic from the FTP server to the client.
/ip firewall filter
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward dst-address=1.1.1.1 protocol=tcp dst-port=21 src-address-list=ftp_list action=accept
add chain=forward dst-address-list=ftp_list action=drop
add chain=forward src-address-list=ftp_list action=drop
Generally speaking the above should work. The connection-state rules should be above any other rules you have. If you need more specific help with fitting things into existing rule sets you'll have to post them here.
Hi, thanks for the reply. For your 3rd rule "add chain=forward connection-state=invalid action=drop", will this drop other packets? Because this MK serves as our main router and it has many other firewall rules.

I don't dare to try it out just in case it drops other connections.

Usually I use the GUI to do the config, so I'm not used to the CLI. For the above commands, I will go to the terminal and go into /ip firewall, then type them in line by line, followed by "enter" at each line, right?

thanks for the help!
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: how to limit VPN user access to one server?

Thu May 19, 2011 7:16 am

You should go with what blake posted.
 
toedwyday
just joined
Topic Author
Posts: 4
Joined: Wed May 18, 2011 1:22 pm

Re: how to limit VPN user access to one server?

Thu May 19, 2011 10:14 am

You could use dynamic PPP filters to achieve this.
/ip firewall filter
add chain=pptp-filter-in action=accept dst-address=1.1.1.1 protocol=tcp dst-port=21
add chain=pptp-filter-in action=drop
add chain=pptp-filter-out action=drop

add chain=forward action=jump jump-target=ppp

/ppp profile
add name=filtered-users copy-from=default-encryption incoming-filter=pptp-filter-in outgoing-filter=pptp-filter-out

/ppp secret
set user1 profile=filtered-users
Connect to the VPN, and then you'll have a dynamic rules added to the PPP chain which directs traffic from that user1 into the specified chains.
[blake@test] /ip firewall filter> print dynamic
Flags: X - disabled, I - invalid, D - dynamic 
 0 D chain=ppp action=jump jump-target=pptp-filter-in in-interface=<pptp-user1> 

 1 D chain=ppp action=jump jump-target=pptp-filter-out out-interface=<pptp-user1> 
[blake@test] /ip firewall filter>
I edited this post to add the jump into the ppp chain as I forgot it in the original post. I also removed the connection-state rules because they're not needed in the 'pptp-filter*' chains if they're already in the main forward chain.
Hi blake, thanks for the reply.
For this "add chain=pptp-filter-in action=accept dst-address=1.1.1.1 protocol=tcp dst-port=21", how do I add chain=pptp-filter-in? Because I can only find "forward, input, output".

for your second and third rules, "add chain=pptp-filter-in action=drop
add chain=pptp-filter-out action=drop"

will this drop all other traffic?

Thanks!
 
blake
Member
Posts: 426
Joined: Mon May 31, 2010 10:46 pm
Location: Arizona

Re: how to limit VPN user access to one server?

Thu May 19, 2011 10:59 am

Hi blake, thanks for the reply.
For this "add chain=pptp-filter-in action=accept dst-address=1.1.1.1 protocol=tcp dst-port=21", how do I add chain=pptp-filter-in? Because I can only find "forward, input, output".
When you run that command it will create the chain 'pptp-filter-in' since it does not already exist.
for your second and third rules, "add chain=pptp-filter-in action=drop
add chain=pptp-filter-out action=drop"

will this drop all other traffic?
Yes. The first 'drop' will drop all inbound (client to network) traffic not permitted by the FTP rule. The second drop will effectively stop anything on the network from initiating a connection to the client. It will not drop the FTP server's reply data to the client as that will be permitted by the 'established' and 'related' rules in the FORWARD chain, assuming you already have those in place.
 
matiaszon
Member
Posts: 320
Joined: Mon Jul 09, 2012 9:26 am

Re: how to limit VPN user access to one server?

Sat Mar 25, 2017 10:36 pm

I was looking for the same solution for my L2TP VPN users, and found this post. I added the lines
/ip firewall filter
add chain=pptp-filter-in action=accept dst-address=1.1.1.1 protocol=tcp dst-port=21
add chain=pptp-filter-in action=drop
add chain=pptp-filter-out action=drop
add chain=forward action=jump jump-target=ppp
but it didn't work.

After I moved the jump rule on top, it started to work. Now it looks like this.
16    ;;; L2TP
      chain=forward action=jump jump-target=ppp connection-state="" log=no 
      log-prefix="" 

17    chain=l2tp-filter-in action=accept connection-state="" 
      dst-address=192.168.88.100 log=no log-prefix="" 

18    chain=l2tp-filter-in action=drop log=no log-prefix="" 

19    chain=l2tp-filter-out action=drop log=no log-prefix=""
As a result, peers can access only 1 server with address 192.168.88.100, and have no access to the Internet. However, there are two strange things.
1. No matter whether rule No. 19 is enabled or disabled, there is no difference in behaviour.
2. When rule No. 18 is enabled, the peer can't do anything except access 192.168.88.100. It can't access the Internet either. I thought that rule No. 19 should allow or deny access to the Internet...

What am I doing wrong?
 
matiaszon
Member
Posts: 320
Joined: Mon Jul 09, 2012 9:26 am

Re: how to limit VPN user access to one server?

Mon Mar 27, 2017 5:15 pm

anybody?
 
matiaszon
Member
Posts: 320
Joined: Mon Jul 09, 2012 9:26 am

Re: how to limit VPN user access to one server?

Tue Mar 28, 2017 3:15 am

So finally I achieved what I wanted! Lots of tries, but it works.

First of all, if you have any rules in the top allowing access to other networks, and you don't want VPN users to access them, you have to put this jump rule BEFORE them.
add chain=forward action=jump jump-target=ppp
Then, I had problems giving some users access to the Internet while restricting them from accessing anything other than the described IP. I was able only to allow access to 1 server and no Internet, or to 1 server, the Internet and actually any device in the LAN. So, generally, my filter rules for VPN users look like:
/ip firewall filter
add action=accept chain=l2tp-filter-in comment="VPN Rules" connection-state="" dst-address=192.168.88.100
add action=drop chain=l2tp-filter-in connection-nat-state=!srcnat
add action=drop chain=l2tp-filter-out connection-nat-state=srcnat
Assuming that the first rule is to give access to only one server: if I disable the third rule, I cut off access to the Internet, and when I disable the second rule, I give access to the whole LAN. So now this is what I wanted to have.
 
steinbergs
Frequent Visitor
Posts: 74
Joined: Fri Sep 09, 2016 4:20 pm
Location: Riga, Latvija

Re: how to limit VPN user access to one server?

Thu Jul 13, 2017 4:28 pm

My setup for an OVPN server:
/ppp profile add address-list=VPN_USER_client local-address=10.15.32.33 name=USER remote-address=ovpn-lan

/ip firewall address-list add address=10.0.0.10 list=VPN_USER_server


/ip firewall filter
add action=jump chain=forward jump-target=VPN_USER src-address-list=VPN_USER_client

add action=accept chain=VPN_USER dst-address-list=VPN_USER_server dst-port=3389 protocol=tcp
add action=drop chain=VPN_USER
 
lopar
just joined
Posts: 23
Joined: Mon Jan 30, 2017 5:47 pm

Re: how to limit VPN user access to one server?

Thu Mar 29, 2018 3:05 pm

hi all,
I tried to use the rules for L2TP provided by @matiaszon, but the rule to allow Internet access for the VPN user did not work for me.
Also I have another question: you used the jump rule add chain=forward action=jump jump-target=ppp to bypass the networking rules. Do you have another jump rule at the end of the VPN rules to jump back, or will it be done automatically?
