Allowing connections to another subnet / interface and blocking from those subnets / interfaces

a4x4kiwi · July 24, 2018, 3:25am

Hi all,
I have unsuccessfully looking for a solution to this.

I have various remote Mikrotik routers connecting to our office core router via VPN from customer sites in order to allow remote management.
I would like to allow access to those routers from our network, but block access from the remote routers to our network.

This is to prevent someone at a remote site from connecting to a router port and being able to access our internal network.

I am hoping someone suggest suitable firewall rules to achieve this. I would prefer to use interface lists, but any suggestions welcome.

Thanks in advance,
Mal

a4x4kiwi · July 24, 2018, 7:14am

Answering my own post.

What was confusing me is that when I implemented the rule, the pings continued. I think this is because the UDP timeout is 10s where as a ping is usually one second so each ping is not considered ‘New’
Here is my rule that seems to work well.

add action=drop chain=forward comment="Block connections between M&C VPN networks" in-interface-list="M&C VPN" out-interface-list="M&C VPN"
add action=drop chain=forward comment="Block connections from VPN M&C networks," connection-state=new in-interface-list="M&C VPN"

Mal