ipsec firewalling

Hi,

I’m very new to routerOS. I have a working ipsec tunnel between a cisco router and a RB2011 (running 5.24).

I’d like to firewall the output to the ipsec tunnel on the routerOS so that only allowed traffic can exit through the VPN (the same is done on the cisco).

The configuration I tried doesn’t really work.
Here’s my whole firewall configuration:

/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add chain=input comment="isakmp from Paris" dst-port=500 protocol=udp src-address=**
add chain=input comment="ipsec from Paris" protocol=ipsec-esp src-address=**
add chain=input comment="HTTP from Paris" dst-port=80 protocol=tcp src-address=**
add chain=input comment="SSH from Paris" dst-port=22 protocol=tcp src-address=**
add action=drop chain=input comment="default configuration" in-interface=sfp1-gateway
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
add action=jump chain=output dst-address-list=paris-lan jump-target=ipsec-paris src-address-list=losaltos-lan
add chain=ipsec-paris dst-address-list=paris-lan dst-port=427,548,445,139,22,389,638,80,443,25,587,110,143,993,995 protocol=tcp src-address-list=losaltos-lan
add chain=ipsec-paris dst-address-list=paris-lan dst-port=53,123,138,137 protocol=udp src-address-list=losaltos-lan
add chain=ipsec-paris protocol=icmp
add action=log chain=ipsec-paris dst-address-list=paris-lan log-prefix=ipsec-denied src-address-list=losaltos-lan
add action=reject chain=ipsec-paris dst-address-list=paris-lan reject-with=icmp-admin-prohibited src-address-list=losaltos-lan

I added a new chain (called ipsec-paris) attached to the output. So it should trigger whenever a packet goes from the internal lan behind the routerOS in the direction of the cisco lan (called paris-lan in the address list above).

I tried to attach the chain to the forward chain, but in this case I can’t, for instance, ssh from paris-lan to the routerOS lan. I get this log:

ipsec-denied ipsec-paris: in:bridge-local out:ether1-gateway, src-mac 00:14:51:a6:fd:1c, proto TCP (SYN,ACK), 192.168.1.11:22->172.16.10.4:56019, len 64

Which means the return SYN of a connection initiated from the paris lan is dropped by my ipsec-paris rule, which is correct because the firewall doesn’t allow this traffic.

I’m now stuck, and I’m certainly missing something very obvious. Can someone help me on this?

Thanks!
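One way to get the filtering described in the post, as an added example that is not the poster's configuration: traffic from the local LAN to the Paris LAN is forwarded by the router rather than generated by it, so the output chain never sees it and the jump belongs in the forward chain; and the chain has to accept reply packets of connections the Paris side opened (the SYN,ACK in the log above) before the per-port rules, otherwise the closing reject rule kills every inbound connection. It assumes the address lists paris-lan and losaltos-lan from the post already exist, and drops the redundant address-list matchers inside the chain because the jump rule already guarantees them.

```routeros
# Added example, not the original poster's rules. Assumes the address lists
# paris-lan and losaltos-lan are already defined as in the post.
/ip firewall filter
# LAN-to-LAN packets transit the router, so they appear in forward, not output.
add chain=forward action=jump jump-target=ipsec-paris src-address-list=losaltos-lan dst-address-list=paris-lan comment="traffic heading into the Paris tunnel"
# Replies to connections opened from Paris (e.g. the SYN,ACK of an inbound SSH
# session) are accepted first, so the port rules only judge new connections.
add chain=ipsec-paris action=accept connection-state=established,related comment="replies of connections opened from Paris"
# New connections from the local LAN towards Paris: only the listed services.
add chain=ipsec-paris action=accept protocol=tcp dst-port=427,548,445,139,22,389,638,80,443,25,587,110,143,993,995 comment="allowed TCP services towards Paris"
add chain=ipsec-paris action=accept protocol=udp dst-port=53,123,137,138 comment="allowed UDP services towards Paris"
# ICMP is now limited to tunnel traffic, since only the jump enters this chain.
add chain=ipsec-paris action=accept protocol=icmp comment="ping towards Paris"
# Everything else is logged and then rejected, as in the original chain.
add chain=ipsec-paris action=log log-prefix=ipsec-denied
add chain=ipsec-paris action=reject reject-with=icmp-admin-prohibited
```

After the change, an SSH session opened from Paris should no longer produce ipsec-denied log lines for its return packets, while a new connection from the local LAN to a port not in the lists still does.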