Block ALL traffic from and to Internet except for VPN tunnel

I would like to block all inbound and outbound traffic from the MikroTik router, except for any traffic that is flowing through its VPN tunnel.

Anyone done this? Please share your ideas.

Without a network diagram, we can just guess.
I guess you have a VPN server with a fixed Public IP where your users need to connect remotely.
The easiest way is to use the firewall (not saying it’s the best way).
Let’s assume your remote VPN server is an OpenVPN server on the public IP address 100.100.1.1 and port udp:1194.
Your firewall rules may look like this:

/ip firewall filter add chain=forward connection-state=established,related action=accept
/ip firewall filter add chain=forward dst-address=100.100.1.1 protocol=udp port=1194 action=accept
/ip firewall filter add chain=forward action=drop

If you use a domain name as VPN server, make sure you also allow DNS requests or enable the local DNS relay and point your clients’ DNS requests to it.

If the VPN server is the MikroTik itself, it’s quite a bit easier.
If the end devices are under RFC1819 IP addresses (private IPs) and you NAT them to reach the internet content, you just need to tune up the masquerade rule to NAT only the source IPs released by the VPN service you use.
Something along these lines:

/ip firewall nat add chain=srcnat src-address=10.10.0.0/24 action=masquerade

Where 10.10.0.0/24 are the addresses given by your VPN server.
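
An added example, not part of the answer above and not an official MikroTik configuration: the forward-chain rules from the first scenario combined with the local DNS relay, so that clients can resolve a VPN hostname without any other path to the Internet. The interface names "bridge" (LAN) and "ether1" (WAN) are assumptions; 100.100.1.1 and udp/1194 are the values used in the thread.

```routeros
# Added example. Assumed interface names: LAN = bridge, WAN = ether1.
# VPN server 100.100.1.1 udp/1194 is the value assumed in the thread.

# Let the router answer DNS queries from LAN clients (local DNS relay)
/ip dns set allow-remote-requests=yes

/ip firewall filter

# --- forward chain: traffic passing through the router ---
# Replies belonging to connections that were already permitted
add chain=forward connection-state=established,related action=accept comment="fwd: allow replies"
# Packets that do not belong to any tracked connection
add chain=forward connection-state=invalid action=drop comment="fwd: drop invalid"
# The only new connection LAN clients may open: the VPN server
add chain=forward in-interface=bridge out-interface=ether1 dst-address=100.100.1.1 protocol=udp dst-port=1194 action=accept comment="fwd: LAN to VPN server"
# Log what is about to be dropped, so leaks outside the tunnel are visible
add chain=forward action=log log-prefix="non-vpn-fwd" comment="fwd: log the rest"
add chain=forward action=drop comment="fwd: drop the rest"

# --- input chain: traffic addressed to the router itself ---
# Replies to the router's own upstream DNS queries
add chain=input connection-state=established,related action=accept comment="in: allow replies"
# DNS relay reachable from the LAN only
add chain=input in-interface=bridge protocol=udp dst-port=53 action=accept comment="in: DNS from LAN (udp)"
add chain=input in-interface=bridge protocol=tcp dst-port=53 action=accept comment="in: DNS from LAN (tcp)"
# Nothing new from the Internet side reaches the router
add chain=input in-interface=ether1 action=drop comment="in: drop WAN"

# Check the per-rule packet counters after a client connects
/ip firewall filter print stats
```

Rule order matters: the final drop in each chain must stay below the accept rules. LAN access to the router's management services is left untouched here, so that applying the rules does not cut off the administrator.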

Thanks guy! Your input is much appreciated!

Wow, that’s actually sorted out my problem! Thanks for the help!!!