L2TP/IPSEC firewall rules for vpn clients (ipv6)

Hello,

I’d like to have some firewall rules for my VPN clients. My default policy will drop everything not allowed. Right now I’m allowing forwarding from the VPN-Pool from any interface. This means someone in my guest LAN could send packets from an IP in the VPN range and it would get forwarded to my internal network. I’d like to make sure those packets are coming from the VPN clients and not from WAN or the guest LAN.

In the firewall rules I only see “all ppp” as a filter for the interface. Problem is I also have a pppoe interface which would probably be included.

What is the correct way to enforce firewall rules on my VPN clients?

Thanks for your help!

Hello everybody,

I’ve found a partial solution to my problem. Using a separate firewall chain and incoming/outgoing filter in my ppp profile I can filter vpn traffic according to my needs.

This will only work for ipv4 right now. Is there any way to make this work for ipv6? I’ve found an almost identical question in the forum which wasn’t answered: http://forum.mikrotik.com/t/ppp-profile-incoming-outgoing-filter-for-ipv6/81640/1

Can anyone point out how to filter both v4 and v6 traffic for vpn clients?
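A RouterOS configuration sketch of both approaches, added here as an example and not taken from the thread: the separate-chain method the second post describes for IPv4, and a dynamic interface list that covers IPv6 as well. It assumes a VPN pool of 10.99.0.0/24, a LAN of 192.168.1.0/24, the prefix fd00:1::/64 for VPN clients, the list name "vpn", and a RouterOS version whose ppp profile has the interface-list option (6.41 or later, as far as I know); the "ppp" jump chain follows my reading of the ppp profile documentation.

```routeros
# Constructed example (not from the thread). Assumed values: VPN pool 10.99.0.0/24,
# LAN 192.168.1.0/24, IPv6 prefix fd00:1::/64 for VPN clients, interface list "vpn".

# --- Interface list that PPP interfaces join dynamically ---------------------
# Assumption: ppp profile interface-list exists on this RouterOS version.
/interface list
add name=vpn comment="L2TP client interfaces are added here by the ppp profile"
/ppp profile
set [find name=default] interface-list=vpn incoming-filter=vpn-in outgoing-filter=vpn-out

# --- IPv4: separate chain reached through the profile's incoming-filter ------
/ip firewall filter
# A VPN-pool source that did not arrive on a PPP interface is spoofed: drop it first.
add chain=forward src-address=10.99.0.0/24 in-interface-list=!vpn action=drop \
    comment="spoofed VPN-pool source (guest LAN / WAN)"
# Assumption (from the ppp profile docs): the profile filters are attached as dynamic
# jump rules in the "ppp" chain, so input/forward must hand packets over to it.
add chain=input action=jump jump-target=ppp comment="ppp profile filters"
add chain=forward action=jump jump-target=ppp comment="ppp profile filters"
# Only packets that really came in on a VPN client's PPP interface reach vpn-in.
add chain=vpn-in src-address=10.99.0.0/24 dst-address=192.168.1.0/24 action=accept \
    comment="VPN clients -> internal LAN"
add chain=vpn-in action=drop comment="everything else from a VPN client"
add chain=vpn-out action=accept comment="replies towards VPN clients"

# --- IPv6: the profile filters are IPv4-only, so match on the interface list --
/ipv6 firewall filter
add chain=forward in-interface-list=!vpn src-address=fd00:1::/64 action=drop \
    comment="spoofed VPN-prefix source"
add chain=forward in-interface-list=vpn src-address=fd00:1::/64 action=accept \
    comment="VPN clients -> internal network"
add chain=forward in-interface-list=vpn action=drop comment="VPN client with wrong source"
```

With the interface list in place the IPv4 spoofing rule no longer depends on the ppp chain at all, so the same in-interface-list match can be used in both stacks if the profile filters turn out not to be available.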