I need help with firewall configuration.
This is the situation. I have MikroTik set up as a gateway for a local LAN. All computers on the LAN also have a dial-up VPN connection, so they have dual IP addresses. I want to allow only email (on the internet) and anything on the VPN (192.168.15.0/24) to pass through the firewall. Is there a simple way to do this? An example would be great.
syd2o2 -
The easiest way would be to:
Winbox /
IP / Firewall / Filter
Here add:
src-addr=192.168.15.0/24, in-interface=your local interface name, action=accept - This allows anything via the VPN addresses
src-addr='secondary IP address', in-interface=your local interface name, protocol=tcp, dst-port=25, action=accept
src-addr='secondary IP address', in-interface=your local interface name, protocol=tcp, dst-port=110, action=accept
src-addr='secondary IP address', in-interface=your local interface name, protocol=tcp, dst-port='Whatever other port you want to allow', action=accept
Allow mail (and whatever other port you want) to pass through
src-addr='secondary IP address', in-interface=your local interface name, action=drop
Now drop everything not allowed…
The only thing you didn’t ask for was DNS services… You can use the same action=accept rules above but make the port 53 and the protocol tcp and another for udp.
There are other ways to do this - such as using firewall / mangle and marking the packets, then connections and then use the filter section of IP / Firewall to discard anything not allowed. That is a more elegant solution, the one I would use, but this one will work and it’s quick and dirty…
R/
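The rule set above written out as a RouterOS terminal script, as an added example (it is not from the post or from MikroTik's documentation). It assumes the LAN-facing interface is named ether2-lan and that the computers' non-VPN addresses sit in 192.168.1.0/24; both are placeholders to replace with your own values. It adds two things the post only implies: an established/related accept so return traffic for the allowed mail and DNS connections is not caught by the final drop, and logging on that drop so blocked traffic shows up in /log.

```routeros
# Added example, not from the original post.
# Assumptions: LAN interface = ether2-lan, non-VPN LAN subnet = 192.168.1.0/24.
# Rules are evaluated top to bottom, so the order below matters.
/ip firewall filter

# 1. Anything sourced from the VPN addresses passes through untouched.
add chain=forward in-interface=ether2-lan src-address=192.168.15.0/24 \
    action=accept comment="VPN: allow everything"

# 2. Let replies to already-allowed connections through before the drop.
add chain=forward in-interface=ether2-lan src-address=192.168.1.0/24 \
    connection-state=established,related action=accept \
    comment="LAN: return traffic for permitted connections"

# 3. Mail: SMTP and POP3 as in the post. Add more dst-port rules here
#    for any other port you want to allow.
add chain=forward in-interface=ether2-lan src-address=192.168.1.0/24 \
    protocol=tcp dst-port=25 action=accept comment="LAN: SMTP"
add chain=forward in-interface=ether2-lan src-address=192.168.1.0/24 \
    protocol=tcp dst-port=110 action=accept comment="LAN: POP3"

# 4. DNS over both transports, as mentioned at the end of the answer.
add chain=forward in-interface=ether2-lan src-address=192.168.1.0/24 \
    protocol=tcp dst-port=53 action=accept comment="LAN: DNS tcp"
add chain=forward in-interface=ether2-lan src-address=192.168.1.0/24 \
    protocol=udp dst-port=53 action=accept comment="LAN: DNS udp"

# 5. Everything else from the LAN addresses is dropped and logged.
add chain=forward in-interface=ether2-lan src-address=192.168.1.0/24 \
    action=drop log=yes log-prefix="LAN-DROP " \
    comment="LAN: drop everything not allowed above"

# Verify the order and hit counters after applying:
/ip firewall filter print stats
```

The counters from `print stats` and the LAN-DROP entries in `/log print` are the quickest way to confirm that mail still flows and that nothing else from the LAN addresses is getting past rule 5.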