I set up a MikroTik router running v6.48 to allow OpenVPN connections from a few remote users so they can RDP into their office desktops. The office network is on the 192.168.0/24 subnet and the VPN users are connecting on the 192.168.2/24 subnet. How do I set it so that all traffic other than RDP and DNS is blocked between the subnets? Thanks.
Well, assuming you have allowed initial connections to be established on the input chain, then the OpenVPN users are coming in on what I would call a FAUX LAN level.
Without seeing your config it's hard to say for sure what the best course of action is.
/export hide-sensitive file=anynameyouwish
OK here’s the router’s config if you’d like to take a look. I replaced any public IP addresses used with xxx.xxx.xxx.xxx. Thanks again.
(1) From
add address=192.168.0.254/24 comment=defconf interface=ether2-master network=192.168.0.0
TO
add address=192.168.0.254/24 comment=defconf interface=bridge network=192.168.0.0
(2) What is the purpose of this rule?? (It has no bearing on any subnet or interface on the router.)
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
There are different ways. For example, add new interface list:
/interface list
add name=vpn-clients
Then add interface-list=vpn-clients to your PPP profile. Now every connected OpenVPN client will be added to this list. And then some filtering as you like:
/ip firewall filter
add chain=forward in-interface-list=vpn-clients action=jump jump-target=vpn-in
add chain=vpn-in action=accept dst-address=192.168.0.0/24 protocol=tcp dst-port=3389
add chain=vpn-in action=accept dst-address=192.168.0.0/24 protocol=udp dst-port=3389
add chain=vpn-in action=accept dst-address=192.168.0.0/24 protocol=tcp dst-port=53
add chain=vpn-in action=accept dst-address=192.168.0.0/24 protocol=udp dst-port=53
add chain=vpn-in action=reject reject-with=icmp-admin-prohibited
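A fuller version of the interface-list approach, added here as an example rather than taken from the post above: it assumes the OpenVPN server uses the "default" PPP profile and that the forward chain has no earlier blanket accept rule, and it adds the established/related accept that lets RDP and DNS replies flow back to the clients plus a log rule so anything else a VPN user tries shows up in the router log.

```routeros
# Added example; assumes the OpenVPN server uses the "default" PPP profile
# and that no earlier forward rule already accepts everything.
/interface list
add name=vpn-clients comment="all connected OpenVPN users"

# Each OVPN client interface is added to the list when its session comes up.
/ppp profile
set [ find name=default ] interface-list=vpn-clients

/ip firewall filter
# Replies (LAN -> VPN) for sessions the VPN side was allowed to open never
# traverse the jump below, so accept them first; drop invalid state.
add chain=forward connection-state=established,related action=accept comment="replies for permitted sessions"
add chain=forward connection-state=invalid action=drop comment="drop invalid"

# Everything a VPN client initiates is inspected in its own chain.
add chain=forward in-interface-list=vpn-clients action=jump jump-target=vpn-in comment="VPN clients -> vpn-in"

add chain=vpn-in action=accept dst-address=192.168.0.0/24 protocol=tcp dst-port=3389 comment="RDP to office desktops"
add chain=vpn-in action=accept dst-address=192.168.0.0/24 protocol=udp dst-port=3389 comment="RDP (UDP transport)"
add chain=vpn-in action=accept dst-address=192.168.0.0/24 protocol=tcp dst-port=53 comment="DNS"
add chain=vpn-in action=accept dst-address=192.168.0.0/24 protocol=udp dst-port=53 comment="DNS"

# Log before rejecting so blocked attempts are visible for review.
add chain=vpn-in action=log log-prefix="vpn-blocked: " comment="log other VPN traffic"
add chain=vpn-in action=reject reject-with=icmp-admin-prohibited comment="block everything else from VPN clients"
```

`/ip firewall filter print stats` shows per-rule packet counters to confirm RDP and DNS hit the accept rules, and `/log print where message~"vpn-blocked"` lists what was rejected.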
I don't know. It was a rule that was in the router from when I originally set it up new, years ago. Maybe it has something to do with connecting the router to the built-in ethernet ports? Just guessing.