I am trying to limit a certain VPN user to access only particular servers. I have created a PPP secret to use the “Consultants” profile. In the Consultants profile I set it up as follows:
name="Consultants" local-address=10.10.253.254 remote-address=L2TP_Pool
use-mpls=default use-compression=default use-vj-compression=default
use-encryption=yes only-one=default change-tcp-mss=default
incoming-filter=Consultants-In outgoing-filter=Consultants-Out
address-list=Consultant-IP dns-server=10.16.2.1,10.16.2.2
I have created the associated firewall chains and have the following rules in them:
add chain=Consultants-In dst-address=10.16.8.41
add chain=Consultants-In dst-address=10.16.2.1 dst-port=53 protocol=udp
add chain=Consultants-In dst-address=10.16.2.2 dst-port=53 protocol=udp
add action=log chain=Consultants-In disabled=yes log-prefix=Consultant-DROP
add action=drop chain=Consultants-In
add action=log chain=Consultants-Out log-prefix="Consultants-Out DROP"
add action=drop chain=Consultants-Out
The problem that I am having is that the VPN user doesn’t automatically use these chains, and I have to create a jump rule near the top of my firewall based on the VPN IP address in order to process the VPN packets. My theory is that if I have to create a jump rule, why have the incoming filter? Am I missing something in this setup?
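An added configuration example, not from the original poster, showing how RouterOS wires a PPP profile's incoming-filter and outgoing-filter chains into the firewall. The RouterOS manual states that a chain named `ppp` must be created manually and that the relevant chains must jump to it; when a client using the profile connects, RouterOS adds dynamic jump rules from `ppp` to that profile's incoming and outgoing chains for the session, so no per-user jump rule is needed. The chain names and addresses are the ones from the post; the placement of the jump rules after an established/related accept rule is an assumption about a typical firewall layout, and the comments are added here.

```routeros
# Example (not from the original post): wiring the profile filter chains
# through the "ppp" chain so that RouterOS applies them automatically.

/ppp profile
set Consultants incoming-filter=Consultants-In outgoing-filter=Consultants-Out

/ip firewall filter
# Per-profile chains, as in the post. A rule with no action= accepts.
add chain=Consultants-In dst-address=10.16.8.41 comment="consultant server"
add chain=Consultants-In dst-address=10.16.2.1 dst-port=53 protocol=udp comment="DNS"
add chain=Consultants-In dst-address=10.16.2.2 dst-port=53 protocol=udp comment="DNS"
add action=log chain=Consultants-In log-prefix="Consultant-DROP"
add action=drop chain=Consultants-In
add action=log chain=Consultants-Out log-prefix="Consultants-Out DROP"
add action=drop chain=Consultants-Out

# Accept replies to allowed connections first; otherwise the drop-all in
# Consultants-Out would also discard return traffic from 10.16.8.41 and the
# DNS servers to the client (assumed placement for a stateful ruleset).
add action=accept chain=forward connection-state=established,related
add action=accept chain=input connection-state=established,related

# The "ppp" chain holds no static rules: RouterOS populates it dynamically for
# each connected client whose profile sets incoming-filter/outgoing-filter.
# Hand control to it from the chains that see tunnel traffic, above any broad
# accept rules, so consultant traffic is evaluated before anything else.
add action=jump chain=forward jump-target=ppp comment="profile filters (dynamic)"
add action=jump chain=input jump-target=ppp comment="profile filters (dynamic)"
```

With this layout, `/ip firewall filter print` shows dynamic `D` rules appear in the `ppp` chain while a Consultants client is connected and disappear when it disconnects, which is a quick way to confirm the profile filters are being applied.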