Baktery
newbie
Topic Author
Posts: 36
Joined: Thu May 28, 2020 8:51 pm

Blocking the port scanner on the VPN client side

Sat Apr 13, 2024 9:20 pm

Hi all

I have Mikrotik with a VPN server configured. Users connect via VPN and route traffic through the Mikrotik router, this is done so that they use a different IP address.
Please tell me, is it possible to block port scanning programs on the VPN client side on Mikrotik? If so, how. Otherwise, I see in the connections all the internal IP addresses in the destination that it scans, and the provider reacts poorly to this.
I tried PSD, it works great on the incoming interface, and blocks external addresses. But it doesn't work in forward traffic.
 
anav
Forum Guru
Posts: 19515
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Blocking the port scanner on the VPN client side

Sat Apr 13, 2024 9:43 pm

Not sure what you mean.
Are you saying that one of the remote users coming into your router is using your internet to conduct port scanning of the internet???
 
Baktery
newbie
Topic Author
Posts: 36
Joined: Thu May 28, 2020 8:51 pm

Re: Blocking the port scanner on the VPN client side

Sat Apr 13, 2024 10:50 pm

One of the users connects to the VPN using the router’s Internet and scans the local network
 
anav
Forum Guru
Posts: 19515
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Blocking the port scanner on the VPN client side

Sun Apr 14, 2024 3:10 am

You mean scans the LOCAL LANS on the router or something else???
Why would your service provider care what goes on in the local LANs behind your router???

Do you know which user?

How many users do you have.........

What if you created some firewall rules limiting ports to 80 and 443 ??

add action=accept chain=forward in-interface=wireguard out-interface-list=WAN dst-port=80,443
 
johnson73
Member Candidate
Posts: 187
Joined: Wed Feb 05, 2020 10:07 am

Re: Blocking the port scanner on the VPN client side

Sun Apr 14, 2024 11:36 am

@Baktery
I didn't understand what your local network has to do with the external service provider. Does your mikrotik work as a firewall at all??
Open terminal, write: /IP/Firewall/filter/export
Copy the config here..

It is not really clear from which side the port scan takes place, from the router or already from the LAN side?
Here PSD solution will not be the best. I had a similar case at a client's office. One of the external vpn users, when connecting to the internal network, overloaded it, creating a flood in the entire network. It turns out that his computer was infected with some kind of trojan. So that such cases do not recur, I separated the subnets and denied access to vpn users (end-users) to the entire network, allowing only the specifically needed resource. Do not forget to use address-lists.
Example: add action=accept chain=forward comment="Restricted user access only NAS" dst-address-list=NAS src-address-list=VPN-user
If a vpn user starts a port scan, he will not see anything more than the resource assigned to him.
It is impossible to say something more precisely without seeing your firewall configuration.
 
Baktery
newbie
Topic Author
Posts: 36
Joined: Thu May 28, 2020 8:51 pm

Re: Blocking the port scanner on the VPN client side

Sun Apr 14, 2024 1:11 pm

The user's VPN connections are enabled in the settings - use the remote router's gateway. It receives the external address of the router, and when the user starts scanning, the provider sees it.
Blocking rule doesn't help.

On the router in Torch you can see the following: 800(ip) 1(icmp) Src 192.168.12.2 Dst 10.50.1.3

Where Src 192.168.12.2 is the address that the VPN client receives
and Dst 10.50.1.3 - local address that the user scans.
The provider sent a message stating that scanning is taking place at local addresses 10.50.1.0/24.
There are no such addresses on the router, it is a local network that the user scans.
 
Baktery
newbie
Topic Author
Posts: 36
Joined: Thu May 28, 2020 8:51 pm

Re: Blocking the port scanner on the VPN client side

Sun Apr 14, 2024 2:16 pm

There are thoughts to ban scanner applications using the L7 protocol. But I can’t find examples of using it for scanners anywhere. I haven't been able to write my own regex yet
 
anav
Forum Guru
Posts: 19515
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Blocking the port scanner on the VPN client side

Sun Apr 14, 2024 3:07 pm

So to be clear, the user is scanning the 10... something network and by local you mean not on your router, but the SAME network that the ISP provides your WANIP on.
In other words scanning the ISPs network??

If that's the case then simply make a firewall rule.

add chain=forward action=drop in-interface=VPN dst-address=10.x.x.0/24
add chain=forward action=accept in-interface=VPN out-interface-list=WAN


What kind of VPN are you using??
 
Baktery
newbie
Topic Author
Posts: 36
Joined: Thu May 28, 2020 8:51 pm

Re: Blocking the port scanner on the VPN client side

Sun Apr 14, 2024 5:09 pm

The user scans local networks, with VPN l2tp enabled, with traffic routed to the router
 
johnson73
Member Candidate
Posts: 187
Joined: Wed Feb 05, 2020 10:07 am

Re: Blocking the port scanner on the VPN client side

Sun Apr 14, 2024 5:11 pm

Do you have a firewall configured at all? Open terminal, write: /IP/Firewall/filter/export
Copy the config here..
When configuring a network for example office, we always separate subnets so that they do not see each other. One subnet for example is 10.10.0.0/24 (management)...LAN2- 10.20.0.0/24 (User)... LAN3- 10.30.0.0/24 (IoT)
Management is available for everything, but for user LAN only for a specifically defined resource in User Lan. Everything. Scan as much as you want, you won't see anything else.
 
anav
Forum Guru
Posts: 19515
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Blocking the port scanner on the VPN client side

Sun Apr 14, 2024 5:18 pm

Since you are unable to articulate with more information I will move on.
 
Baktery
newbie
Topic Author
Posts: 36
Joined: Thu May 28, 2020 8:51 pm

Re: Blocking the port scanner on the VPN client side

Sun Apr 14, 2024 5:35 pm

The rules in the picture are at the very top
 
johnson73
Member Candidate
Posts: 187
Joined: Wed Feb 05, 2020 10:07 am

Re: Blocking the port scanner on the VPN client side

Sun Apr 14, 2024 5:37 pm

These are all your firewall rules??
 
Baktery
newbie
Topic Author
Posts: 36
Joined: Thu May 28, 2020 8:51 pm

Re: Blocking the port scanner on the VPN client side

Sun Apr 14, 2024 5:39 pm

Everything below is the basic permission rules
 
johnson73
Member Candidate
Posts: 187
Joined: Wed Feb 05, 2020 10:07 am

Re: Blocking the port scanner on the VPN client side

Sun Apr 14, 2024 5:45 pm

Mikrotik firewall always starts with the "Input" chain. When the last rule of the input chain, Drop=All, ends, it continues with the Forward chain.
The order is important: the rules are followed from top to bottom, otherwise there will be no correct traffic operation.
Please copy the entire firewall section from beginning to end. (without sensitive information)
It seems that the problem will be in your traffic configuration.
/ip firewall address-list
add address=192.168.88.0/24 list=Admin

/ip firewall filter
# Input chain
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input src-address-list=Admin comment="Config Access"
add action=accept chain=input comment=L2TP dst-port=500,1701,4500 \
    in-interface-list=WAN protocol=udp
add action=accept chain=input comment="IKE IPSec" in-interface-list=WAN \
    protocol=ipsec-esp
add action=drop chain=input comment="drop all else"
# Forward chain
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow dst-nat from both WAN and LAN (including port forwarding)" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
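The advice in this thread (anav's drop-to-private-range and ports 80/443 rules, johnson73's address-list approach and rule-order note) combined into one RouterOS fragment. This is an added example, not configuration posted by anyone in the thread; the address-list names, the 192.168.12.0/24 client pool (taken from the Torch output above) and the comment strings used as `place-before` anchors are assumptions that match the defconf-style ruleset quoted in the previous post.

```routeros
# Added example: confine L2TP/PPP VPN clients to web egress on the Internet only.
# Assumes the forward chain already has the defconf rules quoted above, including
# "allow internet traffic" and "drop all else" (used here as place-before anchors).

/ip firewall address-list
add list=VPN-clients address=192.168.12.0/24 comment="L2TP client pool (assumed)"
# Private ranges the VPN clients must never reach, including the ISP-side 10.x/24
add list=rfc1918 address=10.0.0.0/8
add list=rfc1918 address=172.16.0.0/12
add list=rfc1918 address=192.168.0.0/16

/ip firewall filter
# These rules sit after "accept established,related,untracked" and "drop invalid",
# so they only ever see the first (connection-state=new) packet of a flow: a scan
# probe is dropped before any accept rule can create a tracked connection.
add chain=forward action=drop src-address-list=VPN-clients dst-address-list=rfc1918 \
    comment="VPN clients: no access to private networks" \
    place-before=[ find comment="allow internet traffic" ]
add chain=forward action=drop src-address-list=VPN-clients protocol=icmp \
    comment="VPN clients: no ICMP sweeps" \
    place-before=[ find comment="allow internet traffic" ]
# Explicit allow list for the Internet: HTTP/HTTPS over TCP, DNS and QUIC over UDP.
add chain=forward action=accept src-address-list=VPN-clients out-interface-list=WAN \
    protocol=tcp dst-port=80,443 comment="VPN clients: web only" \
    place-before=[ find comment="allow internet traffic" ]
add chain=forward action=accept src-address-list=VPN-clients out-interface-list=WAN \
    protocol=udp dst-port=53,443 comment="VPN clients: DNS and QUIC" \
    place-before=[ find comment="allow internet traffic" ]
# Anything else from a VPN client falls through to "drop all else"; log it first so
# the offending user (src address) shows up in /log rather than in an ISP notice.
add chain=forward action=log src-address-list=VPN-clients log-prefix="vpn-drop" \
    place-before=[ find comment="drop all else" ]
```

The generic "allow internet traffic" rule (in-interface-list=LAN to WAN) must not also match the PPP interfaces, otherwise it would accept VPN traffic before these rules do; keep PPP interfaces out of the LAN list or move the rules above it as shown.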
 
Baktery
newbie
Topic Author
Posts: 36
Joined: Thu May 28, 2020 8:51 pm

Re: Blocking the port scanner on the VPN client side

Sun Apr 14, 2024 8:53 pm

The rule helped - Chain forward, Protocol tcp, Dst port !443, In Interface ppp
and a similar rule only in which the icmp was completely closed

thanks for the help
