Hi folks. I’ve recently purchased a MikroTik router and am trying to get inbound VPN working. The client devices will initially be Windows laptops and Android phones. I would like to use IPSec and not OpenVPN or PPTP.
I am on RouterOS v6.42.7.
I basically followed this guide: https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Road_Warrior_setup_using_IKEv2_with_RSA_authentication.
One element that doesn’t seem to be covered is that after the connection is established, all actual packets from the client are dropped by the rule “defconf: drop all from WAN not DSTNATed”.
Do I have to add an Accept rule for anything coming from my VPN private IP range? Seems a bit odd that I have to allow a private range on the WAN interface, so I thought I’d check.
Here are my rules:
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 log=yes log-prefix=pass-ipsec protocol=udp
add action=accept chain=input comment="IPSec incoming" dst-port=500,4500 in-interface=ether1 log=yes log-prefix=pass-ipsec protocol=udp
add action=accept chain=input comment="IPSec incoming" in-interface=ether1 log=yes log-prefix=pass-ipsec protocol=ipsec-esp
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix=drop-invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes log-prefix=drop-no-dstnat
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1 log=yes log-prefix=drop-from-wan
If I add a rule before the Drops, then it seems to work. I’m just worried that I’ve opened myself up to some sort of exploits.
/ip firewall address-list
add address=192.168.77.0/24 list=vpn
/ip firewall filter
add action=accept chain=forward log=yes log-prefix=vpn-in src-address-list=vpn
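An added example, not part of the original post: the same allow rule rewritten to match on RouterOS's `ipsec-policy=in,ipsec` flag, which is set only on packets the router has itself just decrypted, rather than on a source address that any host on ether1 could put in a clear-text packet. The comment strings, the `vpn` address list and the 192.168.77.0/24 range are taken from the post; the `move` targets assume the rule order shown above, and the fasttrack tweak is the usual guidance for IPsec on RouterOS, not something the post states.

```routeros
/ip firewall filter
# Weak form (from the post): anything that merely claims a 192.168.77.x source
# is forwarded, on any interface, encrypted or not. A WAN host can send such
# packets in the clear and the address-list match alone still passes them.
#add action=accept chain=forward log=yes log-prefix=vpn-in src-address-list=vpn

# Hardened form: ipsec-policy=in,ipsec matches only packets RouterOS has just
# decapsulated from an inbound IPsec SA, so a spoofed source arriving in the
# clear on ether1 does not match. src-address-list=vpn stays as a second
# condition so only the road-warrior pool is accepted through the tunnel.
add action=accept chain=forward comment="vpn: accept decrypted IPsec" \
    ipsec-policy=in,ipsec src-address-list=vpn log=yes log-prefix=vpn-in

# Client traffic aimed at the router itself (DNS, Winbox, ...) lands in the
# input chain and would otherwise hit "defconf: drop all from WAN".
add action=accept chain=input comment="vpn: accept decrypted IPsec to router" \
    ipsec-policy=in,ipsec src-address-list=vpn

# Filter rules are evaluated top-down, so place both accepts above the
# corresponding defconf drop rule (find matches the comment exactly).
move [find comment="vpn: accept decrypted IPsec"] \
     [find comment="defconf: drop invalid"]
move [find comment="vpn: accept decrypted IPsec to router"] \
     [find comment="defconf: drop all from WAN"]

# Fasttracked connections skip the IPsec policy on the way out; exclude
# traffic that must be encrypted so LAN replies are not sent in the clear.
set [find comment="defconf: fasttrack"] ipsec-policy=out,none
```

Log prefix vpn-in then shows only packets that really came out of an IPsec SA, which is the check that separates a tunnel client from a spoofed address on the WAN.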