Help with Firewall

I am trying to set up a firewall on our remote devices; each remote site is using EoIP, IPSec, MPLS, VPLS and OSPF back to two main offices' IPs. I've looked at some of the manuals/wikis and understand some of it, but I'm quite overwhelmed. Any help would be greatly appreciated. Here is what I'd like to do:

  1. Allow Winbox only from remote IPs 24.xxx.xxx.xxx and 74.xxx.xxx.xxx
  2. Allow icmp from anywhere
  3. Allow EoIP and IPSec from the two IPs listed above
  4. Allow NAT from Internal DHCP Range
  5. Block Everything Else

Thanks in advance!

Can anyone out there help me?

Yes, that's easy.
Attend some MT Academy training sessions, or get your company to hire a real IT person, or third, hire an MT consultant.

Wow… Thank you for your words of wisdom. Much appreciated, have a great day.

There are many far wiser on this forum (at least for MT configs) who may chime in. Patience is your friend.

Ok, I think I figured it out. For future reference for someone.

# Input-chain rules. "Local WAN" and "Remote Sites" are address lists that
# must already be populated under /ip firewall address-list (this router's
# WAN address, and the two main office IPs respectively) or none of the
# accept rules below will match.
/ip firewall filter
# ICMP, accepted from the listed remote sites only
add action=accept chain=input dst-address-list="Local WAN" protocol=icmp src-address-list="Remote Sites"
# Winbox (TCP 8291) from the remote sites only; logged so management access is auditable
add action=accept chain=input comment=Winbox dst-address-list="Local WAN" dst-port=8291 log=yes protocol=tcp src-address-list="Remote Sites"
# IPsec ESP carrying the encrypted GRE/EoIP traffic
add action=accept chain=input comment="IPSec Enc. on GRE" dst-address-list="Local WAN" protocol=ipsec-esp src-address-list="Remote Sites"
# IKE/ISAKMP key exchange (UDP 500)
add action=accept chain=input comment=ISAKMP dst-address-list="Local WAN" dst-port=500 protocol=udp src-address-list="Remote Sites" src-port=500
# IPsec NAT traversal (UDP 4500)
add action=accept chain=input comment="IPSec NAT Authentication" dst-address-list="Local WAN" dst-port=4500 protocol=udp src-address-list="Remote Sites" src-port=4500
# GRE (IP protocol 47), which EoIP tunnels are built on
add action=accept chain=input comment=GRE dst-address-list="Local WAN" protocol=gre src-address-list="Remote Sites"
# IPsec AH, if authentication-only SAs are negotiated
add action=accept chain=input comment=AH dst-address-list="Local WAN" protocol=ipsec-ah src-address-list="Remote Sites"
# Everything else arriving on the ISP interface is dropped and logged
add action=drop chain=input in-interface="01 - ISP" log=yes src-address=0.0.0.0/0
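The rules in the post reference two address lists that are never shown, and they cover only the input chain, so the NAT requirement (item 4) and the forwarding of LAN traffic are not addressed. The following RouterOS script is an added example (not from the original poster) that supplies those missing pieces. It assumes 192.0.2.1 and 198.51.100.1 as stand-ins for the thread's 24.xxx.xxx.xxx and 74.xxx.xxx.xxx office addresses, 203.0.113.10 as this router's own WAN address, 192.168.88.0/24 as the internal DHCP range and "bridge" as the LAN interface; "01 - ISP" is the WAN interface name used in the thread. It also adds the established/related and invalid rules that the posted ruleset lacks, without which return traffic for the router's own sessions would hit the final drop.

```routeros
# Added example, not code from the original thread. Assumed values:
#   192.0.2.1 / 198.51.100.1 - constructed stand-ins for the two office IPs
#   203.0.113.10             - constructed stand-in for this router's WAN IP
#   192.168.88.0/24          - assumed internal DHCP range
#   bridge                   - assumed LAN interface name
#   "01 - ISP"               - WAN interface name from the thread

# Address lists the posted input rules depend on
/ip firewall address-list
add list="Remote Sites" address=192.0.2.1 comment="Main office A (placeholder)"
add list="Remote Sites" address=198.51.100.1 comment="Main office B (placeholder)"
add list="Local WAN" address=203.0.113.10 comment="This router's WAN address (placeholder)"
add list=LAN address=192.168.88.0/24 comment="Internal DHCP range (assumed)"

/ip firewall filter
# Stateful rules first: return traffic for sessions the router itself opened
# (DNS, NTP, the tunnels) is accepted, conntrack-invalid packets are dropped.
# place-before=0 puts them ahead of the per-service rules from the post.
add chain=input action=accept connection-state=established,related place-before=0 comment="Router return traffic"
add chain=input action=drop connection-state=invalid place-before=1 comment="Drop invalid"

# Forward chain: internal DHCP range out to the Internet, nothing unsolicited in.
# Tunnel payload arrives on the EoIP/VPLS interfaces, not on "01 - ISP",
# so the final drop does not affect site-to-site traffic inside the tunnels.
add chain=forward action=accept connection-state=established,related comment="Forward return traffic"
add chain=forward action=drop connection-state=invalid comment="Forward drop invalid"
add chain=forward action=accept in-interface=bridge out-interface="01 - ISP" src-address-list=LAN comment="LAN to Internet"
add chain=forward action=drop in-interface="01 - ISP" log=yes comment="Item 5: block unsolicited traffic from the ISP"

# Item 4: masquerade only the internal DHCP range, only when leaving via the ISP
/ip firewall nat
add chain=srcnat action=masquerade out-interface="01 - ISP" src-address-list=LAN comment="NAT internal DHCP range"

# Verification: rule hit counters show whether the accept rules are matching
# (if all counts sit at zero while the drop counter climbs, check the lists).
/ip firewall address-list print
/ip firewall filter print stats
```

The stateful rules are placed with place-before so they land ahead of the existing per-service rules; if the script is applied to an empty chain instead, the place-before arguments can simply be removed and the order written above is kept. The logged Winbox and drop rules write to the system log with the firewall topic, which is where a rejected management attempt from an unlisted source will show up.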