Help VPN IPSEC limiting addresses

Hello, I need to establish a VPN connection from an external company to provide a specific TCP service only to 2 machines of my network, 192.168.1.18 and 192.168.1.28. How can I manage this without giving complete access to the entire class C 192.168.1.0/24?

Thank you in advance for your suggestions

There are multiple ways to achieve what you need. The first two options that come to mind are:

  1. Define an IPsec policy that only covers those two IP addresses. You will need to create two distinct entries under /ip ipsec policy.
  2. Limit the access to your network using firewall (/ip firewall filter) rules.

Both approaches have their pros and cons. The first option looks cleaner to me, however if you’re likely to add new IP addresses to the list of those two in the future, I’d go with the second approach.
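As an added example (not configuration posted by anyone in this thread), here is how the two options above could look on a RouterOS 6.x router. The peer addresses (203.0.113.1 for the local router, 198.51.100.1 for the partner), the partner LAN 10.20.0.0/24, the service port TCP 8443 and the address-list name are all assumptions; the original question never names them. Policy syntax also changed in later 6.4x releases (named peers referenced with `peer=`), so adapt the peer/policy lines to your version.

```routeros
# Added example, not the thread's own configuration. Assumed values:
#   local public IP 203.0.113.1, partner public IP 198.51.100.1,
#   partner LAN 10.20.0.0/24, protected service TCP 8443.

# --- Option 1: policy-based IPsec, one policy per protected host ---
# Only 192.168.1.18/32 and 192.168.1.28/32 are ever encrypted toward the
# partner; the rest of 192.168.1.0/24 never matches a policy, so it is
# neither sent into nor reachable through the tunnel. The partner must
# configure the mirror image of these two selectors.
/ip ipsec peer
add address=198.51.100.1/32 exchange-mode=main secret="REPLACE-WITH-SHARED-SECRET"
/ip ipsec policy
add src-address=192.168.1.18/32 dst-address=10.20.0.0/24 \
    sa-src-address=203.0.113.1 sa-dst-address=198.51.100.1 \
    tunnel=yes action=encrypt level=require proposal=default
add src-address=192.168.1.28/32 dst-address=10.20.0.0/24 \
    sa-src-address=203.0.113.1 sa-dst-address=198.51.100.1 \
    tunnel=yes action=encrypt level=require proposal=default

# Keep srcnat (masquerade) away from traffic that will be encrypted,
# otherwise it is NATed before the policy sees it and never matches.
/ip firewall nat
add chain=srcnat ipsec-policy=out,ipsec action=accept place-before=0 \
    comment="bypass NAT for IPsec-protected traffic"

# --- Option 2: firewall filter limiting what the tunnel may reach ---
# An address list makes adding a third host later a one-line change,
# which is the case the answer above recommends this option for.
/ip firewall address-list
add list=partner-allowed address=192.168.1.18
add list=partner-allowed address=192.168.1.28
/ip firewall filter
add chain=forward ipsec-policy=in,ipsec src-address=10.20.0.0/24 \
    dst-address-list=partner-allowed protocol=tcp dst-port=8443 \
    action=accept comment="partner -> allowed hosts, service port only"
add chain=forward ipsec-policy=in,ipsec action=drop \
    comment="anything else that arrived decrypted from the tunnel"
```

With option 2 the policy can stay at subnet level on both sides while the filter rules, placed after your usual established/related accept rule, enforce that only the two hosts and the one TCP port are reachable from the partner side; the `ipsec-policy=in,ipsec` matcher makes the rule apply to decrypted tunnel traffic only, so the same hosts remain reachable from your own LAN.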

Andriys, thanks for your answer.
Does this approach work also for a LAN to LAN IPSEC VPN connection?

Sure, it does.

That solution only works when the same thing is done at the other side.
When you have influence on the configuration at the other side, I would recommend using an explicit tunnel interface
with IPsec under it. I.e. a GRE tunnel, IPIP tunnel or L2TP tunnel with IPsec transport.
This is easily configured in a MikroTik and will be familiar to many other routers and their administrators (especially GRE and L2TP).

The advantage is that you get an explicit tunnel interface that you can use in firewall rules.
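An added example of the tunnel-interface approach described above (again not configuration posted in this thread): a GRE tunnel whose transport is protected by IPsec, with the access restriction expressed against the tunnel interface in the firewall. Public IPs, the partner LAN, the tunnel addressing 172.16.0.0/30, the service port TCP 8443 and the address-list name are assumptions. The `ipsec-secret` parameter on the GRE interface makes RouterOS create the matching transport-mode peer and policy for the GRE protocol itself.

```routeros
# Added example, not the thread's own configuration. Assumed values:
#   local public IP 203.0.113.1, partner public IP 198.51.100.1,
#   partner LAN 10.20.0.0/24, tunnel /30 172.16.0.0/30, service TCP 8443.

# GRE tunnel; ipsec-secret turns on IPsec transport mode underneath it.
/interface gre
add name=gre-partner local-address=203.0.113.1 remote-address=198.51.100.1 \
    ipsec-secret="REPLACE-WITH-SHARED-SECRET"
/ip address
add address=172.16.0.1/30 interface=gre-partner
/ip route
add dst-address=10.20.0.0/24 gateway=172.16.0.2

# The partner may route all of 192.168.1.0/24 into the tunnel; the
# in-interface match is what keeps everything except the two hosts and
# the one service out. Adding a host later is one address-list entry.
/ip firewall address-list
add list=partner-allowed address=192.168.1.18
add list=partner-allowed address=192.168.1.28
/ip firewall filter
add chain=forward in-interface=gre-partner dst-address-list=partner-allowed \
    protocol=tcp dst-port=8443 action=accept \
    comment="partner tunnel -> allowed hosts, service port only"
add chain=forward in-interface=gre-partner action=drop \
    comment="drop everything else from the partner tunnel"
```

Because the restriction lives on the tunnel interface rather than on IPsec selectors, it does not depend on the partner mirroring two host-specific policies; the partner only needs a plain GRE endpoint with IPsec transport, which is the point made above about configuration familiarity.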

From my experience “corporate” admins (as opposed to ISP people) are usually much more familiar with classic policy-based IPsec (and seriously consider it more secure).

The firewall has had an ipsec-policy matcher since 6.30.