Hi. Please suggest rules for the firewall.
Network map:
PC1 connected to MikroTik > MikroTik to ISP.
On PC1 there is an OpenVPN client which connects to a remote VPN server, so I need all traffic to go through the tunnel.
On the MikroTik I need to disable everything except the connection to the VPN.
Please help with the rules. I read the documentation and set up the following rules, but they block everything (including the connection to the VPN):
/ip firewall filter
add chain=forward action=accept protocol=tcp dst-port=53 comment="Allow DNS tcp"
add chain=forward action=accept protocol=udp dst-port=53 comment="Allow DNS udp"
add chain=forward action=accept protocol=tcp dst-port=443 comment="Allow 443"
add chain=forward action=accept protocol=tcp dst-port=943 comment="Allow 943 OpenVPN"
add chain=forward action=accept protocol=udp dst-port=1194 comment="Allow 1194 OpenVPN"
add chain=forward action=accept protocol=tcp dst-port=1194 comment="Allow 1194 OpenVPN"
add chain=forward action=accept protocol=udp dst-port=1143 comment="Allow 1143"
add chain=forward action=accept protocol=tcp dst-port=1143 comment="Allow 1143"
add chain=forward action=drop comment="drop everything else"
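The rule set quoted above has no rule that accepts reply packets: the client's packet to udp/1194 is accepted, but the VPN server's first reply (source port 1194, destination the client's ephemeral port) matches none of the accept rules and falls through to the final drop, so the tunnel never comes up. The following is an added example written for this page, not the original poster's configuration: a forward-chain whitelist that lets only the OpenVPN session out of the LAN and relies on connection tracking to accept the replies. The VPN server address 203.0.113.10, the port udp/1194 and the LAN interface name bridge are assumptions; substitute your own values.

```routeros
# Added example (not from the original post). Assumptions: VPN server 203.0.113.10,
# OpenVPN on udp/1194, LAN side of the router is the interface "bridge".
/ip firewall filter
# Replies and related packets of connections that were already allowed.
# Without this rule the VPN server's first reply is dropped and the tunnel never comes up.
add chain=forward connection-state=established,related action=accept comment="allow replies"
add chain=forward connection-state=invalid action=drop comment="drop invalid"
# The only new connection allowed out of the LAN: the OpenVPN session itself.
add chain=forward connection-state=new in-interface=bridge dst-address=203.0.113.10 protocol=udp dst-port=1194 action=accept comment="OpenVPN to VPN server"
# Log what is left before dropping it, so a blocked host/port shows up in /log print.
add chain=forward action=log log-prefix="fwd-drop: " comment="log dropped forward"
add chain=forward action=drop comment="drop everything else"
```

Order matters: run /ip firewall filter print to confirm these rules sit above any older forward rules, and /ip firewall filter print stats plus /log print where message~"fwd-drop" to see which rule a packet hit. Two caveats. If the OpenVPN client configuration names the server by hostname, the client needs DNS before the tunnel exists; either put the IP address in the client config or add one more accept for udp/53 to a specific resolver. These rules only touch chain=forward; traffic to the router itself (Winbox, SSH, the router's DNS cache) is governed by chain=input and is not changed here.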
Hello,
Do you have the VPN server IP?
tiftok
May 23, 2016, 11:29am
4
You can block all destination IP addresses except the VPN IP. Replace 192.168.1.1 with your VPN IP:
/ip firewall filter add chain=forward connection-state=new dst-address=!192.168.1.1 action=drop comment="drop new connections to anything except the VPN server; replies of allowed connections are not affected"
@tiftok, thanks.
Could you please help: if I need to deny everything except ports 443 and 53, what should the rules be?
Because
/ip firewall filter
add chain=forward action=accept protocol=tcp dst-port=53 comment="Allow DNS tcp"
add chain=forward action=accept protocol=udp dst-port=53 comment="Allow DNS udp"
add chain=forward action=accept protocol=tcp dst-port=443 comment="Allow 443"
add chain=forward action=drop comment="drop everything else"
drops everything.
Hello,
Please make a BACKUP BEFORE TESTING. I have not tested these rules; I wrote them quickly.
/ip firewall mangle add chain=forward protocol=udp src-port=53 action=mark-connection new-connection-mark=myallwo passthrough=yes
/ip firewall mangle add chain=forward protocol=tcp src-port=53 action=mark-connection new-connection-mark=myallwo passthrough=yes
/ip firewall mangle add chain=forward protocol=udp src-port=443 action=mark-connection new-connection-mark=myallwo passthrough=yes
/ip firewall mangle add chain=forward protocol=tcp src-port=443 action=mark-connection new-connection-mark=myallwo passthrough=yes
/ip firewall mangle add chain=forward protocol=udp dst-port=53 action=mark-connection new-connection-mark=myallwo passthrough=yes
/ip firewall mangle add chain=forward protocol=tcp dst-port=53 action=mark-connection new-connection-mark=myallwo passthrough=yes
/ip firewall mangle add chain=forward protocol=udp dst-port=443 action=mark-connection new-connection-mark=myallwo passthrough=yes
/ip firewall mangle add chain=forward protocol=tcp dst-port=443 action=mark-connection new-connection-mark=myallwo passthrough=yes
/ip firewall filter add chain=forward connection-mark=!myallwo action=drop
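The connection-mark idea in the answer above works because a connection mark is a property of the connection-tracking entry, so once the first packet of a DNS or HTTPS connection is marked, every later packet in both directions carries the mark and the filter rule lets it through. The following is an added example for the "deny everything except 443 and 53" question, not code from the thread: the same intent, but each connection is marked once (on its first packet, in prerouting) and only when it arrives from the LAN side, and the drop is preceded by a log rule so a blocked port is visible. The LAN interface name bridge is an assumption; the mark name myallwo is kept from the answer.

```routeros
# Added example (not from the thread). Assumption: the LAN side of the router is the interface "bridge".
/ip firewall mangle
# Mark only the first packet of each allowed connection, coming in from the LAN.
add chain=prerouting in-interface=bridge connection-state=new protocol=udp dst-port=53 action=mark-connection new-connection-mark=myallwo passthrough=yes comment="DNS udp"
add chain=prerouting in-interface=bridge connection-state=new protocol=tcp dst-port=53 action=mark-connection new-connection-mark=myallwo passthrough=yes comment="DNS tcp"
add chain=prerouting in-interface=bridge connection-state=new protocol=tcp dst-port=443 action=mark-connection new-connection-mark=myallwo passthrough=yes comment="HTTPS"
/ip firewall filter
# Every packet of a marked connection, replies included, matches here; everything else is logged and dropped.
add chain=forward connection-mark=myallwo action=accept comment="marked: allowed"
add chain=forward action=log log-prefix="fwd-drop: " comment="log what is dropped"
add chain=forward action=drop comment="drop everything else"
```

Check it with /ip firewall filter print stats (the accept rule's counters should move while the PC browses) and /log print where message~"fwd-drop" for anything that was refused. Caveat: a port-only whitelist lets the PC reach any host on tcp/443 or port 53, so anything that speaks TCP on 443 can leave outside the tunnel. If the real requirement is "only the VPN", add dst-address=<VPN server IP> to the marking rules, or whitelist the VPN server's address and port directly instead of the ports alone.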