Is using 3rd party VPN on Mikrotik safe?

I pay for a VPN service to unblock media streaming. For this I have an IPSec connection set up on my Mikrotik router and all traffic from a certain VLAN goes through this VPN and it works great.

But I wonder if this VPN tunnel actually gives the VPN provider access to my router and my devices. I’m not sure how to prevent them from having access, while still running the VPN tunnel from my main router.

VPN is simply another IP interface. Peer authentication means that the tunnel will only establish if the peer is verified (hence the importance of safeguarding secrets used for this purpose). Encryption means that a 3rd party cannot listen to traffic over the established tunnel, nor can it change the contents of traffic.
But none of these mechanisms safeguard your network (VPN gateway included) from anything coming through the VPN tunnel. You still have to put appropriate firewall rules in place unless you completely trust the remote side to do things properly (e.g. because you yourself are the network admin of the remote end of the tunnel).
When considering the typical MT default config (on SOHO devices which DO have a firewall configured by default), putting the VPN interface in the WAN interface list will take care of most things. When doing additional config to allow certain services, one has to be paranoid enough not to make too big of a hole in FW rules. Since most VPN tunnels are used to get around some limitations (either by local ISP/government) or by global service provider (not providing service in user’s geographical area), one has to consider the VPN provider untrustworthy when it comes to own LAN security.

Mkx, do you mean something like this???
add action=drop chain=forward in-interface=VPN-interface dst-address-list=LAN

(assumes a drop all rule is not at the end of the forward chain, in which case the above rule would NOT be required!)

Hmm, but how do I add the IPSec tunnel to the WAN list?

You don’t, as there is currently no virtual interface associated with IPsec. The in-interface attribute of IPsec payload packets is inherited from the transport packets that brought them. Normally, there is an ipsec-policy match condition, which matches when a packet matches, or doesn’t match, any of the existing IPsec policies. So action=drop in-interface-list=WAN ipsec-policy=in,ipsec is a rule that drops IPsec payload packets that came in via WAN.

But except in rare cases, the firewall should be built using the “drop everything except what you explicitly want to accept” principle rather than the “accept everything except what you explicitly want to drop”. The default set of firewall rules of the SOHO models follows the former approach, but it assumes that whatever came in via IPsec should be accepted. So if you use it (hard to say as you haven’t shown your configuration), removing the action=accept ipsec-policy=in,ipsec rules from filter chains input and forward will be enough to protect your router itself and LAN hosts from connections incoming via IPsec.
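
An added example, not part of the thread: a Python check that reads the text of a `/ip firewall filter export` and reports the accept rules with ipsec-policy=in,ipsec that the last reply describes, i.e. rules that let new connections arriving through the tunnel reach the router or the LAN. The sample export is constructed to resemble a default rule set, and the function names are this example's own.

```python
import shlex

# Constructed sample: part of a "/ip firewall filter export" resembling the default
# SOHO rule set discussed in the thread (not taken from the poster's router).
SAMPLE_EXPORT = r'''
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new \
    in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN
'''

def parse_filter_rules(export_text):
    """Return the filter rules as dicts, in order, joining backslash continuations."""
    joined = export_text.replace("\\\n", " ")
    rules, in_filter = [], False
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("/"):
            in_filter = (line == "/ip firewall filter")
        elif in_filter and line.startswith("add "):
            pairs = (tok.split("=", 1) for tok in shlex.split(line[4:]) if "=" in tok)
            rules.append(dict(pairs))
    return rules

def ipsec_inbound_accepts(rules):
    """List (index, chain, comment) of accept rules in input/forward that match
    decrypted inbound IPsec payload and are not limited to existing connections."""
    findings = []
    for index, rule in enumerate(rules):
        # RouterOS treats a rule without an explicit action as accept.
        if rule.get("chain") not in ("input", "forward") or rule.get("action", "accept") != "accept":
            continue
        if rule.get("ipsec-policy") != "in,ipsec":
            continue
        # No connection-state matcher means every state matches, including new.
        if "new" in rule.get("connection-state", "new").split(","):
            findings.append((index, rule["chain"], rule.get("comment", "")))
    return findings

if __name__ == "__main__":
    for index, chain, comment in ipsec_inbound_accepts(parse_filter_rules(SAMPLE_EXPORT)):
        print(f"rule {index} (chain={chain}) accepts new connections from the tunnel: {comment}")
```

The check only matches the literal ipsec-policy=in,ipsec condition; it does not evaluate rule order, so a finding still needs to be read against the rules above it in the same chain.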