Hi,
I am using http://wiki.mikrotik.com/wiki/Dmitry_on_firewalling
Can anyone suggest how to allow IPsec with these rules?
The router is placed between the customer device and the IPsec server.
I am using OSPF and the customer has a public IP (no NAT).
Also, can anyone advise whether these rules should be placed before the hotspot rules or after them?
Thanks
The easiest way to allow IPsec through with this firewall set is to put, as rule 0 in IP firewall, NAT and mangle, an input accept rule (if the router is the target) from the network or host that the remote end is coming from. You can also do the same thing in mangle and NAT to prevent those services from affecting the connection.
If the router is not the local target of the IPsec tunnel, then you will need to change the rules to reflect the source and destination of the IPsec peer and change the chains that say input to forward.
I would put the rules above the hotspot rules. I didn't look at the rules closely, though I didn't see an explicit drop rule in them; if there is one, it will need to be removed before the hotspot rules can be added. If there is an explicit drop rule, the hotspot rules will have no effect, as that rule will drop the rest of the traffic before it goes further down the chain into those rules.
You could also put it after the hotspot rules, but if for some reason the hotspot allows some malicious traffic, the rules after the hotspot will have no effect, since the hotspot has already accepted the user's connection before the filters. Because of this, it is not recommended.
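As an added example (my own, not from this thread or the Dmitry wiki page), this is what "accept the IPsec peer as rule 0" looks like in RouterOS CLI, for both cases the reply describes. All addresses are made-up documentation ranges: 203.0.113.10 stands for the remote IPsec server, 192.0.2.20 for the customer's public IP behind the router. `place-before=0` inserts each rule at the top of its chain, so it lands ahead of the ruleset's final drop and ahead of any hotspot rules.

```routeros
# Added example, not from the original thread. All addresses are constructed
# placeholders (RFC 5737 documentation ranges); replace with the real peers.

# Case 1: the router itself is the IPsec endpoint -> input chain.
# IKE on UDP/500, NAT-T on UDP/4500 (only needed if a NAT sits in the path), ESP and AH.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500 src-address=203.0.113.10 place-before=0 comment="IPsec IKE/NAT-T from peer"
add chain=input action=accept protocol=ipsec-esp src-address=203.0.113.10 place-before=0 comment="IPsec ESP from peer"
add chain=input action=accept protocol=ipsec-ah src-address=203.0.113.10 place-before=0 comment="IPsec AH from peer"

# Same peer accepted early in NAT and mangle so neither chain touches the tunnel traffic.
/ip firewall nat
add chain=srcnat action=accept dst-address=203.0.113.10 place-before=0 comment="no NAT towards IPsec peer"
/ip firewall mangle
add chain=prerouting action=accept src-address=203.0.113.10 place-before=0 comment="no mangle for IPsec peer"

# Case 2: router sits between the customer (192.0.2.20, public IP, no NAT) and the
# IPsec server (203.0.113.10) -> forward chain, both directions, matched on src/dst peer.
/ip firewall filter
add chain=forward action=accept protocol=udp dst-port=500,4500 src-address=192.0.2.20 dst-address=203.0.113.10 place-before=0 comment="IKE/NAT-T customer -> server"
add chain=forward action=accept protocol=udp dst-port=500,4500 src-address=203.0.113.10 dst-address=192.0.2.20 place-before=0 comment="IKE/NAT-T server -> customer"
add chain=forward action=accept protocol=ipsec-esp src-address=192.0.2.20 dst-address=203.0.113.10 place-before=0 comment="ESP customer -> server"
add chain=forward action=accept protocol=ipsec-esp src-address=203.0.113.10 dst-address=192.0.2.20 place-before=0 comment="ESP server -> customer"

# Check the order: every IPsec accept must print above the chain's drop rules.
/ip firewall filter print where chain=input
/ip firewall filter print where chain=forward
```

Because each `add ... place-before=0` pushes the previous rule down one slot, the accept rules end up in reverse order of entry; that does not matter, since they are all accepts for the same peer, but the `print` at the end is the check that they all sit above the drop and above the hotspot rules. Matching on the specific peer address rather than on the protocol alone keeps the opening as narrow as the reply suggests.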