Hi Guys,
I’m talking about rule #18 in the firewall output. Why is that jump rule required? I don’t quite understand.
Background info:
What the PPTP VPN rules do is block a VPN user from reaching my LANs. In order to reach a LAN, you have to move packets out of a VLAN interface. Hence, rule #19 blocks traffic to VLAN interfaces.
The VPN is thus only used to reach the internet when a user is, for instance, connected to a public hotspot but wants to surf more securely.
/ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Drop invalid connections
chain=input action=drop connection-state=invalid
6 ;;; Allow VLAN10- LAN to router (required for DNS)
chain=input action=accept src-address=192.168.100.0/24 in-interface=!WAN
7 ;;; Allow VPN-subnet to router (required for DNS)
chain=input action=accept src-address=192.168.1.0/24
15 ;;; PPTP-VPN rules
chain=input action=accept protocol=tcp dst-port=1723
16 chain=input action=log protocol=gre log-prefix=""
17 chain=input action=accept protocol=gre
18 chain=forward action=jump jump-target=ppp in-interface=all-ppp
19 chain=internet-only-in action=drop out-interface=all-vlan
20 ;;; Drop everything that has not been previously allowed
chain=input action=drop
/ppp profile> print
Flags: * - default
1 name="internet-only" local-address=192.168.1.254 remote-address=VPN-users
remote-ipv6-prefix-pool=(unknown) use-ipv6=yes use-mpls=default
use-compression=default use-vj-compression=default use-encryption=yes
only-one=default change-tcp-mss=yes incoming-filter=internet-only-in
outgoing-filter=internet-only-out address-list=""
dns-server=192.168.100.254
2 * name="default-encryption" local-address=192.168.1.254
remote-address=VPN-users remote-ipv6-prefix-pool=(unknown) use-ipv6=yes
use-mpls=default use-compression=default use-vj-compression=default
use-encryption=yes only-one=default change-tcp-mss=yes address-list=""
dns-server=192.168.100.254
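The following is an added illustration, not part of the post above and not MikroTik code: a small Python model of how a forwarded packet walks the chains shown in the firewall output. It encodes rule #18 (forward -> jump to "ppp" for traffic arriving on any PPP interface) and rule #19 (drop in "internet-only-in" when the packet would leave through a VLAN interface), and it models the link between the "ppp" chain and the profile's incoming-filter chain as a jump; that link, the interface names and the packets are assumptions made for the example, not values from the post. The point it makes is a defender's check: the drop in "internet-only-in" only protects the LAN if some rule actually routes PPP traffic into that chain, and a PPP profile with no incoming-filter (like "default-encryption" in the output) never enters it at all.

```python
from dataclasses import dataclass
from typing import Optional, List, Dict

# Assumed interface-list membership (constructed for the example).
INTERFACE_LISTS: Dict[str, set] = {
    "all-ppp": {"pptp-alice"},          # dynamic PPTP interface for one VPN user
    "all-vlan": {"vlan10", "vlan20"},   # the LAN-side VLAN interfaces
}


@dataclass
class Rule:
    chain: str
    action: str                        # accept | drop | jump | return
    jump_target: Optional[str] = None
    in_interface: Optional[str] = None
    out_interface: Optional[str] = None


def iface_matches(pattern: Optional[str], iface: str) -> bool:
    """A rule with no interface condition matches everything; a list name
    matches any member; otherwise the interface name must match exactly."""
    if pattern is None:
        return True
    if pattern in INTERFACE_LISTS:
        return iface in INTERFACE_LISTS[pattern]
    return pattern == iface


def evaluate(rules: List[Rule], chain: str, pkt: Dict[str, str]) -> Optional[str]:
    """Walk one chain top to bottom. Returns 'accept'/'drop' when a terminal
    rule matches, or None when the chain is exhausted (or a 'return' fires),
    which hands control back to the calling chain, as a user chain does."""
    for r in rules:
        if r.chain != chain:
            continue
        if not iface_matches(r.in_interface, pkt["in"]):
            continue
        if not iface_matches(r.out_interface, pkt["out"]):
            continue
        if r.action in ("accept", "drop"):
            return r.action
        if r.action == "return":
            return None
        if r.action == "jump":
            verdict = evaluate(rules, r.jump_target, pkt)
            if verdict is not None:
                return verdict          # jumped chain decided; stop here
    return None


def forward_verdict(rules: List[Rule], pkt: Dict[str, str]) -> str:
    """Built-in chains accept a packet that reaches the end unmatched."""
    verdict = evaluate(rules, "forward", pkt)
    return verdict if verdict is not None else "accept"


# Rules taken from the post's output (interface matching simplified).
RULE_18 = Rule("forward", "jump", jump_target="ppp", in_interface="all-ppp")
RULE_19 = Rule("internet-only-in", "drop", out_interface="all-vlan")

# ASSUMPTION: the profile's incoming-filter chain is entered from the "ppp"
# chain for this user's interface. Modelled as an explicit jump here.
PPP_TO_PROFILE = Rule("ppp", "jump", jump_target="internet-only-in",
                      in_interface="pptp-alice")

# Constructed sample packets: one VPN user trying to reach a VLAN LAN,
# and the same user going out to the internet.
PKT_TO_LAN = {"in": "pptp-alice", "out": "vlan10"}
PKT_TO_INTERNET = {"in": "pptp-alice", "out": "ether1-wan"}


def verdicts(rules: List[Rule]) -> Dict[str, str]:
    return {
        "lan": forward_verdict(rules, PKT_TO_LAN),
        "internet": forward_verdict(rules, PKT_TO_INTERNET),
    }


def with_jump_rule() -> Dict[str, str]:
    """Full set: forward -> ppp -> internet-only-in -> drop on all-vlan."""
    return verdicts([RULE_18, PPP_TO_PROFILE, RULE_19])


def without_jump_rule() -> Dict[str, str]:
    """Rule #18 removed: nothing ever enters the ppp chain, so rule #19
    is unreachable and the LAN restriction silently disappears."""
    return verdicts([PPP_TO_PROFILE, RULE_19])


def profile_without_incoming_filter() -> Dict[str, str]:
    """A profile with no incoming-filter (like 'default-encryption' in the
    output) gets no jump out of the ppp chain, so the drop never applies."""
    return verdicts([RULE_18, RULE_19])


if __name__ == "__main__":
    print("with rule #18:          ", with_jump_rule())
    print("without rule #18:       ", without_jump_rule())
    print("no incoming-filter set: ", profile_without_incoming_filter())
```

The model is deliberately minimal (no connection tracking, no address matching); its only purpose is to show why a drop rule living in a user-defined chain is inert until a rule in a built-in chain jumps to it, and why every VPN profile that should be LAN-restricted needs its incoming-filter set.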