I have a typical “drop everything that is not explicitly allowed” kind of firewall setup on a RouterOS system and have just added a PPTP server to allow remote access into the local network.
My problem now is, how do I add a filter rule to allow traffic from ANY pptp interface into the local network?
With iptables I was used to using -i ppp+ to match any dynamically generated ppp interface, but I don’t seem to be able to do that on RouterOS, so what’s the solution to this problem on this platform?
I’ve currently worked around the problem with a rule like:
/ip firewall filter
add action=accept chain=forward dst-address-list=Local in-interface=!internet out-interface=local \
    src-address-list=Local
This allows traffic from any interface except the internet interface. That’s good enough for this setup, but in larger environments you might not want to allow traffic from multiple interfaces, and then an in-interface=!xxx rule is not good enough.
Any solution? Hmm, perhaps I could create a bridge device and have it dynamically add the PPTP interfaces to the bridge and use that bridge interface in the filter rules…
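Two ways of matching "any dynamically created PPP interface" on RouterOS, written as an added example for the setup described in the post (this is not code from the original post). On RouterOS 6.41 and later the PPP profile can add every dynamic PPTP/L2TP/SSTP/PPPoE interface to an interface list, and firewall rules match on that list; on older releases the firewall accepts the built-in interface-type matcher `all-ppp`, the closest equivalent of iptables' `ppp+`. The profile's `bridge=` parameter also does exactly what the last sentence of the post proposes, without a hand-rolled bridge. The interface names `internet` and `local`, the address list `Local`, and the list name `vpn-ppp` are assumptions taken from the post; the rule comments are mine. Note that PPTP itself (MS-CHAPv2 authentication and MPPE/RC4 encryption) is cryptographically broken and should not be relied on for confidentiality on an internet-facing router, whatever the firewall policy looks like.

```routeros
# Added example, not from the original post. Assumed names: interfaces
# "internet" and "local", address list "Local", interface list "vpn-ppp".

# ---- Option A: RouterOS 6.41+ interface lists ----------------------------
# The PPP profile fills the list with every dynamic PPP interface it creates,
# so the firewall never has to know the per-session interface names.
/interface list
add name=vpn-ppp comment="dynamic PPP interfaces, populated by the PPP profile"

/ppp profile
set default interface-list=vpn-ppp
# Optional: also tag each client's tunnel address in an address list
# (address-list=vpn-clients) if you prefer address-based rules.

/ip firewall filter
# Only the PPP interfaces (not "everything except internet") may reach the LAN.
add chain=forward action=accept in-interface-list=vpn-ppp out-interface=local \
    dst-address-list=Local comment="PPTP clients -> LAN"
# The existing "drop everything not explicitly allowed" rule stays at the end
# of the forward chain; nothing here relaxes it.

# ---- Option B: releases without interface lists -------------------------
# "all-ppp" is the legacy interface-type matcher; it is still accepted on
# current releases but the list approach above is the maintainable one.
add chain=forward action=accept in-interface=all-ppp out-interface=local \
    dst-address-list=Local comment="PPTP clients -> LAN (legacy matcher)"

# ---- Check -----------------------------------------------------------------
# After a PPTP client connects, the dynamic interface must show up in the list
# (flagged D) and the accept rule's packet counter must increase while the
# final drop rule's counter stays flat for that client's traffic.
/interface list member print where list=vpn-ppp
/ip firewall filter print stats where comment~"PPTP"
```

Keep the rules as narrow as the post wants: matching `in-interface-list=vpn-ppp` together with `out-interface=local` and `dst-address-list=Local` means a PPP client can reach the LAN and nothing else, and a second interface (another PPP server, a guest VLAN) added later is not implicitly allowed the way it is with `in-interface=!internet`.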