Filter rules for PPTP user

I’m looking for information on how to filter a specific user connected by PPTP.

What I usually do is straightforward: just add a static pptp-server interface, add proper filtering to the forward chain, link that user to that interface, and voilà.

Right now I need to have a group of users with specific filtering and need to use ppp / Profile / Incoming-filter. I have defined the specific chain in firewall/filter, and I see that a dynamic jump is added at the end of the rules when the user is connected via PPTP, but the magic does not happen. Filtering is not working.

I can’t seem to find correct information on the wiki for incoming-filter. The example shows nothing about the needed firewall/filter rules.

https://wiki.mikrotik.com/wiki/Manual:PPP_AAA

I can’t seem to find any good information on Google or the forum on that topic.

To directly add a jump to the custom chain specified as incoming-filter in /ppp profile to the end of existing chains (forward and input) would be a bad approach as it would impose some requirements on the overall strategy used to build your firewall; basically, you would only be able to use the “accept everything except what you know must be dropped” strategy. The inverse (and much safer) strategy, “drop everything except what you know must be accepted” normally has a “drop the rest” rule as the last one in each chain, so adding any other rule after that one would make no sense as no packet would ever reach it.

Therefore, RouterOS doesn’t actually add the dynamic rule as the last one in any particular chain, but as the first and only one in a dedicated chain called ppp:

chain=ppp action=jump jump-target=the-chain-name-from-ppp-profile in-interface=.

So it is your job to statically place another two action=jump rules with in-interface=all-ppp (not in-interface**-list**=all-ppp**!**) to appropriate places in your existing firewall chains (or, if you use the “drop everything except what you know must be accepted” strategy, maybe only to one of them) and compose the rules in your custom chain (the-chain-name-from-ppp-profile) according to your general firewall strategy. If you place it to both chain=input and chain=forward and you need different rules for input packets and forward packets, you may want to split the chain into two again, using another action=jump rule matching dst-address-type=local for input packets.

But you can also skip all the above, use the interface-list and/or address-list attributes of the /ppp profile, and refer to these items in your firewall rules.
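
The layout described in the answer above, written out as an added example that is not part of the original posts: a profile with incoming-filter, the custom chain split for input and forward traffic, and the static jumps into chain=ppp placed above the final drop rule. The names (restricted-users, restricted, restricted-in, restricted-fwd, user1), the password and the 192.0.2.10 address are constructed placeholders, and the forward chain shown is a constructed minimal one.

```routeros
# Added example; all names, the password and addresses are constructed placeholders.

# 1. Profile shared by the group. For each connected user of this profile,
#    RouterOS adds a dynamic rule in chain=ppp that jumps to "restricted".
/ppp profile add name=restricted-users incoming-filter=restricted
/ppp secret add name=user1 password=CHANGE-ME service=pptp profile=restricted-users

/ip firewall filter

# 2. The custom chain named in the profile. Packets addressed to the router
#    itself go to restricted-in, everything else to restricted-fwd.
add chain=restricted dst-address-type=local action=jump jump-target=restricted-in
add chain=restricted action=jump jump-target=restricted-fwd

# Forwarded traffic: this group may reach one HTTPS server only.
add chain=restricted-fwd protocol=tcp dst-address=192.0.2.10 dst-port=443 action=accept
add chain=restricted-fwd action=drop

# Traffic to the router: DNS only.
add chain=restricted-in protocol=udp dst-port=53 action=accept
add chain=restricted-in action=drop

# 3. Static jumps into chain=ppp. Note in-interface, not in-interface-list.
#    Constructed minimal forward chain: the jump sits ABOVE "drop the rest".
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=all-ppp action=jump jump-target=ppp
add chain=forward action=drop comment="drop the rest"

# Same jump for chain=input. "add" appends at the end, so on a router with
# existing rules move this rule above the final drop rule of chain=input.
add chain=input in-interface=all-ppp action=jump jump-target=ppp
```

PPP users whose profile has no incoming-filter get no dynamic rule in chain=ppp, so their packets return from the jump unmatched and continue through the calling chain.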