Firewall rule for VPN access to LAN resources

Hi, I’m trying to decide on a firewall rule that will allow my remote dial-in users via L2TP/IPsec to access all hosts on the LAN.

For now I have an accept rule that works well but I don’t know if there’s a more belt and braces approach?

Relevant parts of my config (the rule that allows VPN clients to be forwarded is the last one shown):

/ip pool add name=vpn-pool ranges=192.168.14.2-192.168.14.254

/ppp profile add change-tcp-mss=default local-address=192.168.14.1 name=vpn-profile remote-address=vpn-pool use-compression=yes use-upnp=no dns-server=1.1.1.1
/ppp secret add name=*username* password=*password* profile=vpn-profile

/interface l2tp-server server set authentication=mschap2 default-profile=vpn-profile enabled=yes ipsec-secret=*secret* keepalive-timeout=10 max-mru=1460 max-mtu=1460 use-ipsec=yes

/ip firewall nat add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.14.0/24
/ip firewall filter
add action=accept chain=input dst-port=22,8282,8291 log=yes log-prefix="VPN ADMIN" protocol=tcp src-address=192.168.14.0/24 comment="allow ssh,webadmin,winbox from VPN"
add action=accept chain=input dst-port=53 log=yes log-prefix="VPN DNS" protocol=udp src-address=192.168.14.0/24 comment="allow dns from VPN"
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=forward comment="Accept VPN clients through firewall" src-address=192.168.14.0/24

So my question is - is the last rule, filtering only by source address, a safe one? Or am I open to attackers guessing and spoofing their address as a valid one in my VPN pool? It gets the job done, but is it secure? Any feedback appreciated!

It’s not ideal; spoofed packets would get through. There wouldn’t be much communication, because the route to 192.168.14.0/24 would not point to where the attacker is (WAN most likely), but still… With L2TP you can use in-interface=all-ppp to limit it further.

Thanks Sob. Am I right in thinking that if my WAN interface is PPPoE, that still leaves me open? I guess I could also add the option: in-interface-list=!WAN

Appreciate your time :smiley:

It’s somewhat undocumented, but based on the name, it probably includes PPPoE too. So not what you’re looking for.

Excluding unsafe interfaces using address list is possible too.

Or there’s the RP filter in IP->Settings. It will automatically drop spoofed packets coming in via the wrong interfaces. It’s not compatible with more complex setups (e.g. asymmetric routing) and not easily debuggable, because it works silently. But with a simple config it should be ok. I don’t use it often, so I’m not sure about all the details. You may need an unreachable route for the whole VPN subnet (dynamic routes to individual clients will override it) to hopefully exclude it from the default route for the RP filter’s use.

Thanks for the tip about RP. I’ll look into it.

For now I’ve just added those couple extra conditions to the rule:

add action=accept chain=forward in-interface=all-ppp in-interface-list=!WAN src-address=192.168.14.0/24

Hopefully that leaves me in at least a slightly better position?!

Only PPP and not WAN, it doesn’t leave much else, so it’s definitely better.
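As an added illustration (not code from any poster or from RouterOS), a small Python model of the matching semantics discussed in this thread: the same spoofed pool address is offered to the source-only rule, the rule with in-interface=all-ppp, and the rule with both all-ppp and in-interface-list=!WAN. Interface names, the WAN list membership and the idea that PPPoE counts as a PPP-type interface are assumptions for the model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VPN_POOL = ip_network("192.168.14.0/24")
PPP_TYPES = {"l2tp", "pppoe", "pptp", "sstp", "ovpn"}  # assumed: what in-interface=all-ppp covers
# Constructed topology (assumed interface names): interface -> type, plus the WAN interface list.
INTERFACES = {"l2tp-out1": "l2tp", "pppoe-out1": "pppoe", "ether1": "ether", "bridge1": "bridge"}
INTERFACE_LISTS = {"WAN": {"pppoe-out1", "ether1"}}


@dataclass
class Packet:
    src: str        # source IP as seen by the router
    in_iface: str   # interface the packet arrived on


@dataclass
class Rule:
    """Subset of a RouterOS forward rule: src-address, in-interface, in-interface-list."""
    src_address: object = None      # ip_network or None
    in_interface: str = None        # an interface name, "all-ppp", or None
    in_interface_list: str = None   # list name, "!name" to negate, or None

    def matches(self, pkt):
        if self.src_address is not None and ip_address(pkt.src) not in self.src_address:
            return False
        if self.in_interface == "all-ppp":
            if INTERFACES[pkt.in_iface] not in PPP_TYPES:
                return False
        elif self.in_interface is not None and pkt.in_iface != self.in_interface:
            return False
        if self.in_interface_list is not None:
            negate = self.in_interface_list.startswith("!")
            members = INTERFACE_LISTS[self.in_interface_list.lstrip("!")]
            if (pkt.in_iface in members) == negate:  # in a negated list, or outside a plain one
                return False
        return True


RULES = {
    "src-only": Rule(src_address=VPN_POOL),
    "src+all-ppp": Rule(src_address=VPN_POOL, in_interface="all-ppp"),
    "src+all-ppp+!WAN": Rule(src_address=VPN_POOL, in_interface="all-ppp", in_interface_list="!WAN"),
}
# Constructed packets: one genuine VPN client, two spoofing a pool address from the WAN side.
PACKETS = {
    "real client": Packet("192.168.14.10", "l2tp-out1"),
    "spoof via ether1": Packet("192.168.14.10", "ether1"),
    "spoof via pppoe": Packet("192.168.14.10", "pppoe-out1"),
}


def verdicts(rule_name):
    """Return {packet label: 'accept'|'drop'} for one rule, assuming the chain otherwise drops."""
    rule = RULES[rule_name]
    return {label: ("accept" if rule.matches(p) else "drop") for label, p in PACKETS.items()}
```

Only the third rule drops both spoofed packets, which matches the outcome the thread arrives at; the model does not cover the RP filter, which works at the routing layer rather than in the filter chain.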