Hi,
I have configured a standard tunnel-mode site-to-site IPsec connection:
Src.Address=172.16.8.0/24
Dst.Address=192.168.0.0/24
Protocol=255 (all)
Everything works OK, with full access between these two LANs, but I need to filter this connection so that the remote network 192.168.0.0 can connect to my network only on ports 3355 and 80 and via ICMP ping; anything else should be blocked. Outgoing traffic from my LAN to the remote site should only respond to these incoming connections on ports 3355, 80 and ICMP, and additionally be allowed to port 3389; any other outgoing traffic should be blocked.
Is there any way to do this on an IPsec tunnel connection (I don't have access to the remote router, so I can't change its configuration to GRE or any other transport protocol)?
What have you tried so far?
Try this (not sure it will work):
Src-nat not only by IP but also by ports. This way traffic should pass from the remote site to yours over IPsec; however, when your LAN clients try to reply to it, the traffic won't match the src-nat and will never pass through the IPsec tunnel.
Yes, filtering traffic from an IPsec tunnel is possible. An important first step is not to use the option that makes traffic from/to the tunnel untracked (it was added to RouterOS not long ago). Then it will be traffic like any other and you can do any filtering you need. It's only a little confusing, because an IPsec tunnel doesn't have its own interface and all traffic looks like it comes from/to the WAN interface. There's an ipsec-policy firewall matcher that can help to distinguish it from regular traffic.
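Putting the last reply's approach into concrete rules for the ports named in the question, here is an added example that nobody in the thread posted. It assumes the default forward chain, that ports 3355 and 80 are TCP, that no raw/untracked bypass for IPsec is configured (so connection tracking sees the tunnel traffic), and that these rules are placed above any broader accept rules already in the chain.

```routeros
# Added example, not from the thread: restrict a site-to-site IPsec tunnel using
# the ipsec-policy matcher. Local LAN 172.16.8.0/24, remote LAN 192.168.0.0/24
# (addresses from the question). Assumption: 3355 and 80 are TCP services.
/ip firewall filter

# Replies to connections that were already accepted in either direction.
# Because the tunnel is tracked, this also covers the local LAN answering
# remote requests to 3355/80 and ICMP echo replies.
add chain=forward connection-state=established,related action=accept \
    comment="ipsec: allow established/related"

# Inbound from the remote LAN (decrypted by IPsec): only new TCP 3355/80 and ICMP.
add chain=forward ipsec-policy=in,ipsec src-address=192.168.0.0/24 \
    dst-address=172.16.8.0/24 protocol=tcp dst-port=3355,80 \
    connection-state=new action=accept comment="ipsec-in: tcp 3355,80"
add chain=forward ipsec-policy=in,ipsec src-address=192.168.0.0/24 \
    dst-address=172.16.8.0/24 protocol=icmp action=accept \
    comment="ipsec-in: icmp"
# Everything else arriving through the tunnel is dropped and logged for review.
add chain=forward ipsec-policy=in,ipsec src-address=192.168.0.0/24 \
    dst-address=172.16.8.0/24 action=drop log=yes log-prefix="ipsec-in-drop" \
    comment="ipsec-in: drop rest"

# Outbound toward the remote LAN (about to be encrypted): only new TCP 3389.
# New outbound ICMP or other ports are not allowed; replies were handled above.
add chain=forward ipsec-policy=out,ipsec src-address=172.16.8.0/24 \
    dst-address=192.168.0.0/24 protocol=tcp dst-port=3389 \
    connection-state=new action=accept comment="ipsec-out: tcp 3389"
add chain=forward ipsec-policy=out,ipsec src-address=172.16.8.0/24 \
    dst-address=192.168.0.0/24 action=drop log=yes log-prefix="ipsec-out-drop" \
    comment="ipsec-out: drop rest"
```

Check the result with `/ip firewall filter print stats` and the `ipsec-in-drop` / `ipsec-out-drop` log entries to confirm that only the intended flows are being matched.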