2 WAN addresses and VPNs

Hi All,
I have a complicated setup and I am hoping that someone can advise how to do the following:
Currently we have a Mikrotik RB/450G set up as the default gateway. It is passing PPTP traffic to a Windows server behind it and it works well.

What we now want to do is add a 2nd WAN address to the router.
The 2nd WAN address is basically going to be used for 2 purposes.
One is to provide a DMZ to a PC behind it,
but the other is to provide a 2nd VPN connection.

The 2nd VPN connection is where it gets a bit complicated.
We want a specific group of people to be able to VPN in but only be able to access one PC on the network.
They should not be allowed to access any other machine or any network drives etc.
Also, the PC is on our current LAN; it needs to be accessed by the local users.

Is it possible to restrict the 2nd VPN so that it can only access the one PC on the network and not get access to anything else?
Is this going to mean that I need to have a different LAN to put this PC on and have some rules to separate traffic?

Sorry, I haven't really worked out in my own head how this can be done, so please forgive me for being a bit vague here.
Any help is appreciated.

Firewall rules on the second VPN router can block any traffic coming in via the VPN. If the PC the users need to be able to access also has to be available through the other VPN you will either have to use static routes to those users on the PC, or NAT the users on the VPN router, which - depending on how you are able to NAT them - will make it impossible to track their connections as they will all appear to come from the same IP.

So generally that isn’t hard to do. The more details you give on the question the more detailed the answer can be.

Hi, thanks for the reply - I wonder if you could give me the commands or just the basics on how to do this.
The PC the users need to be able to access does not need to be available through the other VPN.

Let's say that the new WAN address is 1.1.1.1,
and the local address of the PC that the users need to be able to access is 192.168.0.20.

I will need to set up the VPN on the Mikrotik router so that it is the VPN endpoint,
and I will need to create the appropriate rules so that the users can only access the 192.168.0.20 PC once connected.
Do I also need to have some rule so that when this PC goes to surf the net it is going out through the 1.1.1.1 WAN address and not the usual address that the router already has?

Would you be so kind as to give me some examples of how this is done, and thanks again.

Let's say that the new WAN address is 1.1.1.1,
and the local address of the PC that the users need to be able to access is 192.168.0.20.

I will need to set up the VPN on the Mikrotik router so that it is the VPN endpoint,
and I will need to create the appropriate rules so that the users can only access the 192.168.0.20 PC once connected.

The below makes the following assumptions: the PPTP users dialing in will have 172.16.0.0/24 addresses, the WAN interface is called 'outside' and the LAN interface is called 'inside'. Replace those values in the rules below accordingly. Really, there is only very little required: pass all established and related traffic, drop all invalid traffic, pass all traffic from the LAN to the WAN, allow traffic from the PPTP users to 192.168.0.20, drop everything else:

/ip firewall filter
add chain=forward connection-state=established action=accept comment="pass established traffic"
add chain=forward connection-state=related action=accept comment="pass related traffic"
add chain=forward connection-state=invalid action=drop comment="drop invalid traffic"
add chain=forward in-interface=inside out-interface=outside action=accept comment="LAN to WAN"
add chain=forward src-address=172.16.0.0/24 dst-address=192.168.0.20 action=accept comment="PPTP users to 192.168.0.20 only"
add chain=forward action=drop comment="drop everything else"

Do I also need to have some rule so that when this PC goes to surf the net it is going out through the 1.1.1.1 WAN address and not the usual address that the router already has?

If possible that would make things much easier, yes. Just set the new router as the PC’s default gateway, and configure a source NAT rule just as you already have on your existing router. If you don’t want to do that create a route to 172.16.0.0/24 via the second router’s LAN IP address on 192.168.0.0/24 on the 192.168.0.20 host, how you do that depends on the operating system of the host. But if you can just make the second router that host’s default gateway you’ll simplify things some.

Hi fewi,
I wonder if I can trouble you for one more question. By the way, thanks for all your help, it is starting to make sense now.
Here is the setup config I am currently using; note I have changed all the external IP addresses so that it is not a security issue.
I am wondering where in the config I put the lines you mentioned so that it still works as it currently does but drops any other traffic not destined to the 192.168.0.20 address.
Would this line here
add chain=forward src-address=172.16.0.0/24 dst-address=192.168.0.20 action=accept
go into the following config just before the line which states
/ip firewall filter add chain=input action=drop comment="Drop everything else"

Oh, and also, how do I modify the line for the masquerading so that the PC on 192.168.0.20 goes out the new static IP address instead of the old static IP address?
i.e. if we currently have the static IP address of 1.1.1.2 and all existing PCs use that external address when going out, how do I make the 192.168.0.20 PC use the new external address of 1.1.1.1?
Here is the masquerade command from the config.
/ip firewall nat add chain=srcnat out-interface=ether1-gateway action=masquerade comment="default configuration"

Here is the current config - external addresses changed:

Set Interface Name and enable

/interface set ether1 name=ether1-gateway disabled=no
/interface set ether2 name=ether2-local-master disabled=no
/interface set ether3 name=ether3-local-slave disabled=no
/interface set ether4 name=ether4-local-slave disabled=no
/interface set ether5 name=ether5-local-slave disabled=no

Set up the switching ports. Your PC should be connected to port 5; after entering these commands you will be disconnected, just reconnect as before.

/interface ethernet set ether3-local-slave master-port=ether2-local-master
/interface ethernet set ether4-local-slave master-port=ether2-local-master
/interface ethernet set ether5-local-slave master-port=ether2-local-master

Add IP Addresses

/ip address add address=192.168.0.253/24 interface=ether2-local-master comment="default configuration"
/ip address add address=1.1.1.2/30 interface=ether1-gateway

Add Default Gateway

/ip route add gateway=1.1.1.4

Firewall NAT Command

/ip firewall nat add chain=srcnat out-interface=ether1-gateway action=masquerade comment="default configuration"

Setup Firewall Input Chains (these are going to the router)

/ip firewall filter add chain=input connection-state=established action=accept comment="Accept established connections"
/ip firewall filter add chain=input connection-state=related action=accept comment="Accept related connections"
/ip firewall filter add chain=input connection-state=invalid action=drop comment="Drop invalid connections"
/ip firewall filter add chain=input protocol=udp action=accept comment="UDP" disabled=no
/ip firewall filter add chain=input protocol=icmp limit=50/5s,2 action=accept comment="Allow limited pings"
/ip firewall filter add chain=input protocol=icmp action=drop comment="Drop excess pings"
/ip firewall filter add chain=input protocol=tcp dst-port=22001 action=accept comment="SSH for secure shell"
/ip firewall filter add chain=input protocol=tcp dst-port=8291 action=accept comment="winbox"
/ip firewall filter add chain=input src-address=1.1.1.3/32 action=accept comment="From mynetwork"
/ip firewall filter add chain=input protocol=tcp dst-port=22001 action=drop src-address-list=!SSH_Access
/ip firewall filter add chain=input protocol=tcp dst-port=22002 action=drop src-address-list=!TELNET_Access
/ip firewall filter add chain=input protocol=tcp dst-port=8291 action=drop src-address-list=!WINBOX_Access
/ip firewall filter add chain=input action=log log-prefix="DROP INPUT" comment="Log everything else"
/ip firewall filter add chain=input action=drop comment="Drop everything else"

Firewall Forwarding Rules

/ip firewall filter add chain=forward connection-state=established action=accept comment="allow established connections"
/ip firewall filter add chain=forward connection-state=related action=accept comment="allow related connections"
/ip firewall filter add chain=forward connection-state=invalid action=drop comment="drop invalid connections"

Add Virus Filter

/ip firewall filter add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm"
/ip firewall filter add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm"
/ip firewall filter add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm"
/ip firewall filter add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster Worm"
/ip firewall filter add chain=virus protocol=tcp dst-port=593 action=drop comment=""
/ip firewall filter add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment=""

/ip firewall filter add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom"
/ip firewall filter add chain=virus protocol=tcp dst-port=1214 action=drop comment="________"
/ip firewall filter add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester"
/ip firewall filter add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server"
/ip firewall filter add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast"
/ip firewall filter add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx"
/ip firewall filter add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid"
/ip firewall filter add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm"
/ip firewall filter add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus"
/ip firewall filter add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y"
/ip firewall filter add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle"
/ip firewall filter add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop Beagle.C-K"
/ip firewall filter add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop MyDoom"
/ip firewall filter add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor OptixPro"
/ip firewall filter add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm"
/ip firewall filter add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm"
/ip firewall filter add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser"
/ip firewall filter add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B"
/ip firewall filter add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B"
/ip firewall filter add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop Dumaru.Y"
/ip firewall filter add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B"
/ip firewall filter add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus"
/ip firewall filter add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2"
/ip firewall filter add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven"
/ip firewall filter add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, Agobot, Gaobot"

Add jump to Virus Filter

/ip firewall filter add chain=forward action=jump jump-target=virus comment="jump to the virus chain"

Allow the traffic that we want and then drop everything else

/ip firewall filter add chain=forward action=accept protocol=tcp dst-port=80 comment="Allow HTTP"
/ip firewall filter add chain=forward action=accept protocol=tcp dst-port=25 comment="Allow SMTP"
/ip firewall filter add chain=forward protocol=tcp action=accept comment="allow TCP"
/ip firewall filter add chain=forward protocol=icmp action=accept comment="allow ping"
/ip firewall filter add chain=forward protocol=udp action=accept comment="allow udp"
/ip firewall filter add chain=forward action=drop comment="drop everything else"

Setup DNS

/ip dns set allow-remote-requests=yes
/ip dns static add name=router address=192.168.0.254
/ip dns set servers=1.1.1.7

Don't allow MAC Telnet Server

/tool mac-server remove 0

Setup ports for Access to Router

/ip service set ssh port=22001
/ip service set telnet port=22002

Setup address lists for Access to the Router

/ip firewall address-list add list=SSH_Access address=1.1.1.7/32
/ip firewall address-list add list=TELNET_Access address=1.1.1.7/32
/ip firewall address-list add list=WINBOX_Access address=1.1.1.7/32

Disable other services to Stop Client Access to Router

/ip service disable ftp,www,www-ssl

Enable the SIP Protocol

/ip firewall service-port enable sip

Port Forwarding:

/ip firewall nat add chain=dstnat dst-address=1.1.1.2 protocol=tcp dst-port=25 action=dst-nat to-addresses=192.168.0.128 to-ports=25
/ip firewall nat add chain=dstnat dst-address=1.1.1.2 protocol=tcp dst-port=21 action=dst-nat to-addresses=192.168.0.18 to-ports=21
/ip firewall nat add chain=dstnat dst-address=1.1.1.2 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.0.128 to-ports=80
/ip firewall nat add chain=dstnat dst-address=1.1.1.2 protocol=tcp dst-port=443 action=dst-nat to-addresses=192.168.0.7 to-ports=443
/ip firewall nat add chain=dstnat dst-address=1.1.1.2 protocol=tcp dst-port=49994 action=dst-nat to-addresses=192.168.0.128 to-ports=49994
/ip firewall nat add chain=dstnat dst-address=1.1.1.2 protocol=tcp dst-port=1723 action=dst-nat to-addresses=192.168.0.128 to-ports=1723
/ip firewall nat add chain=dstnat dst-address=1.1.1.2 protocol=tcp dst-port=82 action=dst-nat to-addresses=192.168.0.33 to-ports=82
/ip firewall nat add chain=dstnat dst-address=1.1.1.2 protocol=tcp dst-port=1720 action=dst-nat to-addresses=192.168.0.230 to-ports=1720 comment="Video Conferencing"
/ip firewall nat add chain=dstnat dst-address=1.1.1.2 protocol=tcp dst-port=3230-3243 action=dst-nat to-addresses=192.168.0.230 to-ports=3230-3243 comment="Video Conferencing"
/ip firewall nat add chain=dstnat dst-address=1.1.1.2 protocol=udp dst-port=3230-3285 action=dst-nat to-addresses=192.168.0.230 to-ports=3230-3285 comment="Video Conferencing"
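Tying fewi's rules and the NAT question to the posted config, as an added example that is not from the thread or from MikroTik: it assumes 1.1.1.1 is a second address on ether1-gateway, that PPTP users are assigned 172.16.0.0/24, that 192.168.0.20 uses this router as its default gateway, and that the posted rule comments are unchanged, because the rules are positioned against them with place-before=[find ...]. The key point the posted forward chain makes visible is that a rule appended just before the final drop changes nothing, since "Allow HTTP", "Allow SMTP" and "allow TCP" would already have accepted the VPN users' traffic.

```routeros
# Added example, not from the thread. Assumes: 1.1.1.1 is a second address on
# ether1-gateway (use the prefix the ISP assigned), PPTP users are assigned from
# 172.16.0.0/24, 192.168.0.20 uses this router as its default gateway, and the
# comments in the posted config ("UDP", "Allow HTTP", "default configuration")
# are unchanged, because place-before=[find ...] uses them to position the rules.

# 1. Second WAN address on the existing gateway port.
/ip address add address=1.1.1.1/30 interface=ether1-gateway comment="second WAN address"

# 2. PPTP server on the router itself: clients get 172.16.0.x, the router side is 172.16.0.1.
/ip pool add name=vpn-restricted-pool ranges=172.16.0.2-172.16.0.254
/ppp profile add name=vpn-restricted local-address=172.16.0.1 remote-address=vpn-restricted-pool
/ppp secret add name=vpnuser1 password=CHANGE-ME service=pptp profile=vpn-restricted
/interface pptp-server server set enabled=yes default-profile=vpn-restricted

# 3. Input chain: the tunnel itself (TCP 1723 + GRE to 1.1.1.1) must reach the router,
#    but once connected the VPN users get nothing from the router. All three go ahead of
#    the broad "UDP" accept, which would otherwise let them at the router's DNS.
/ip firewall filter
add chain=input src-address=172.16.0.0/24 action=drop comment="VPN users: no router access" \
    place-before=[find chain=input comment="UDP"]
add chain=input protocol=tcp dst-port=1723 dst-address=1.1.1.1 action=accept \
    comment="PPTP control" place-before=[find chain=input comment="UDP"]
add chain=input protocol=gre dst-address=1.1.1.1 action=accept \
    comment="PPTP GRE" place-before=[find chain=input comment="UDP"]

# 4. Forward chain: order is the whole point. The posted config accepts HTTP, SMTP, then
#    all TCP/UDP/ICMP before its final drop, so appending the VPN accept just before that
#    drop would change nothing. Both the narrow accept and an explicit VPN drop must sit
#    above "Allow HTTP" (the first blanket accept). The accept is added first, so it ends
#    up above the drop. Local LAN users reach 192.168.0.20 directly, never via this chain.
add chain=forward src-address=172.16.0.0/24 dst-address=192.168.0.20 action=accept \
    comment="VPN users to 192.168.0.20 only" place-before=[find chain=forward comment="Allow HTTP"]
add chain=forward src-address=172.16.0.0/24 action=drop \
    comment="VPN users: drop everything else" place-before=[find chain=forward comment="Allow HTTP"]

# 5. Source NAT: 192.168.0.20 leaves via 1.1.1.1; the masquerade rule keeps everyone else
#    on 1.1.1.2. It must sit above the masquerade rule or it never matches.
/ip firewall nat
add chain=srcnat src-address=192.168.0.20 out-interface=ether1-gateway \
    action=src-nat to-addresses=1.1.1.1 comment="192.168.0.20 out via 1.1.1.1" \
    place-before=[find chain=srcnat comment="default configuration"]

# 6. Verify the order: the two "VPN users" rules must print above "Allow HTTP".
/ip firewall filter print where chain=forward
```

After applying it, check from a VPN client that 192.168.0.20 answers and that another LAN host from the posted config, such as 192.168.0.18, does not.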