Good evening,
I have a small network with several machines inside the network that have to be able to communicate between themselves. Some of these machines only need access to the internal network; some also need to be able to use the Internet.
There is also a need to allow VPN connection from outside to the router, in order to communicate with any of the devices mentioned above. The addresses from which the connection will be made are unknown and will vary.
I’ve got the router (750) up and running, all the machines are able to access internet and VPN works. I now want to limit these connections as I described above, but I either get all (or most at least) incoming traffic accepted or no VPN at all.
[user@router] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; This allows access from admins
chain=input action=accept src-address-list=COMPANY
1 chain=forward action=accept dst-address-list=Devices connection-type=pptp
2 chain=input action=accept connection-type=pptp
3 X chain=input action=drop connection-state=new src-address=!192.168.36.0/24 connection-type=!pptp
Address list COMPANY has the IPs from which the router can be managed, plus the LAN subnet.
The 3rd item is intended to drop anything that does not come from the internal network and is not a PPTP connection.
However, as soon as I turn on the 3rd rule, only the IPs in the list COMPANY can connect.
What should the configuration be for my needs?
And what would be the best way to limit some of the devices from accessing the Internet, but still have them accessible through VPN from outside?
I’m sorry if my question is a bit silly perhaps, but this is my first significant experience with configuring a routerboard from scratch.
Thanks!
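One way to lay out the two chains for the scenario described in the post, added here as an example and not part of the original post or the poster's configuration: the router first accepts established/related traffic, then lets the PPTP control channel (TCP 1723) and its GRE data flow in explicitly instead of relying on connection-type classification of new connections, and the forward chain uses an address list to keep selected hosts off the Internet while VPN clients can still reach them. The interface names WAN and LAN, the VPN client pool 192.168.37.0/24 and the NoInternet list are assumptions; COMPANY and Devices are the lists from the post.

```routeros
# Added example; WAN, LAN, NoInternet and the VPN pool are assumptions.
/ip firewall address-list
add list=NoInternet address=192.168.36.50 comment="constructed example: LAN-only host"

/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add chain=input action=accept connection-state=established,related \
    comment="keep already-tracked sessions, including the GRE flow of a PPTP tunnel"
add chain=input action=drop connection-state=invalid
add chain=input action=accept src-address-list=COMPANY comment="admin access"
add chain=input action=accept in-interface=WAN protocol=tcp dst-port=1723 \
    comment="PPTP control channel from any (unknown) client address"
add chain=input action=accept in-interface=WAN protocol=gre comment="PPTP data channel"
add chain=input action=accept in-interface=LAN comment="LAN can reach the router"
add chain=input action=drop in-interface=WAN comment="everything else from the Internet"

# --- forward chain: traffic passing through the router ---
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop src-address-list=NoInternet out-interface=WAN \
    comment="LAN-only hosts get no Internet, but are still reachable below"
add chain=forward action=accept src-address=192.168.37.0/24 dst-address-list=Devices \
    comment="VPN clients (assumed pool) to the devices"
add chain=forward action=accept in-interface=LAN out-interface=WAN comment="LAN to Internet"
add chain=forward action=drop in-interface=WAN comment="unsolicited traffic from the Internet"
```

Rules are evaluated top to bottom, so the NoInternet drop must sit above the general LAN-to-WAN accept, and the VPN accept above the final drop.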