how deny all connection from "office 1" to "office 2" except some IP address?

vvv777 · August 22, 2016, 6:57pm

Situation:

Network office 1 “a” : 10.0.10.0/24
Network office 2 “b” : 10.0.20.0/24

both offices have a different location and should connect through VPN, IPSec,

how deny all connection from “office 1” to “office 2” except some IP address?
what is a best way?

ZeroByte · August 22, 2016, 9:30pm

Set the VPN to use a specific range of IP addresses - use a CIDR-friendly block-

e.g. 10.0.10.32/28 ( which is .32 through .47)

Then make a firewall address list which contains the IPs that VPN users should be allowed to reach, and make a filter rule:
chain=forward src-address=10.0.10.32/28 dst-address-list=!vpn-access action=drop

Then only give VPN access to users who should be able to reach those servers.

vvv777 · August 23, 2016, 6:48am

hi, thank you for reply,
what you think maybe create the NAT rule with access list and NAT only addresses that I need, without filtering rule?

for example:
create address lists for both routers

/ip firewall address-list add list=allow_IP_addresses=10.0.10.2
/ip firewall address-list add list=allow_IP_addresses=10.0.10.3
/ip firewall address-list add list=allow_IP_addresses=10.0.10.4

Router 1

/ip firewall nat
add chain=srcnat action=accept  place-before=0 \
 src-address=10.0.10.0/24 dst-address-list=allow_IP_addresses

Router 2

/ip firewall nat
add chain=srcnat action=accept  place-before=0 \
 src-address=10.0.20.0/24 dst-address-list=allow_IP_addresses

ZeroByte · August 23, 2016, 2:02pm

No - do not get into the habit of using lack of NAT as a way to break connectivity between network segments.
You should forward the traffic between the two networks w/o using NAT at all.

NAT = manipulating addresses for various purposes such as over-subscribing a public IP address, working around networks that cannot be re-numbered because of things like having to work with routers / firewalls that you do not control, etc. Basically, for NAT, think “make things reach each other when you can’t properly route the addresses”

For administrative policy enforcement, use filter rules. That’s what they’re for. Refusing to NAT a packet for certain connections may have the side effect of “breaking” connectivity, but the packets still actually flow. For instance, if some LAN host 192.168.x.x should not go on the Internet, then block it with a filter. If you just “don’t NAT” that host, then the packets still go out to the Internet - they just don’t get your public IP address on them. There are still naughty things that could be done. Suppose your ISP doesn’t drop packets with a private IP address as the source… these packets could still reach remote destinations. Services that use UDP (like SNMP and DNS) could still be attacked even if the source doesn’t get natted. You don’t NEED to see the replies to do your damage…

If 192.168.31.45 should not go to some destination, then drop packets from 192.168.31.45 for that destination.