I am trying to limit a certain vpn user to access only particular servers. I have created a PPP secret to use the “Consultants” profile. In the consultants profile I set it up as follows:
name="Consultants" local-address=10.10.253.254 remote-address=L2TP_Pool
use-mpls=default use-compression=default use-vj-compression=default
use-encryption=yes only-one=default change-tcp-mss=default
incoming-filter=Consultants-In outgoing-filter=Consultants-Out
address-list=Consultant-IP dns-server=10.16.2.1,10.16.2.2
I have created the associated firewall chains and have the following rules in them:
add chain=Consultants-In dst-address=10.16.8.41
add chain=Consultants-In dst-address=10.16.2.1 dst-port=53 protocol=udp
add chain=Consultants-In dst-address=10.16.2.2 dst-port=53 protocol=udp
add action=log chain=Consultants-In disabled=yes log-prefix=Consultants-DROP
add action=drop chain=Consultants-In
add action=log chain=Consultants-Out log-prefix="Consultants-Out DROP"
add action=drop chain=Consultants-Out
The problem that I am having is that the VPN user doesn't automatically use these chains, and I have to create a jump rule near the top of my firewall based on the VPN IP address in order to process the VPN packets. My theory is: if I had to create a jump rule, why have the incoming filter? Am I missing something in this setup?
If you create a non-default chain, you have to use a jump in one of the default chains in order to get to your chain.
Otherwise the OS has no idea what you intended to do.
Or did I misunderstand your question?
Right, I understand that is the case in general. I was just trying to understand the filter rules defined in the PPP profile. Do the user accounts associated with that profile automatically use the incoming and outgoing filters, or do you still have to define specific jump rules to capture that traffic? And if I have to define jump rules for that VPN user, then why have the filter option at all?
Yes. All traffic passes through the default chains. Defining other chains is for your convenience and to improve filter rule efficiency. If you want to apply a lot of rules to one specific host, or group of hosts, that could take up a lot of filter processing time. If those hosts are not a majority of your traffic, then you are wasting that filter processing time.
RouterOS does not know when you want to leave the default chain and switch to your PPP specific chain. You may want to block, or allow, some traffic from all hosts regardless of connection type, then jump to your specific chain. You may have 200 different profiles with their own chain. In which order should they be evaluated in order to have minimum impact on the router’s CPU?
RouterOS has a lot of flexibility. That means you have more opportunities to shoot yourself in the foot. It also means you can optimize things to be as efficient as possible. MikroTik programmers can not read your mind. So, they leave a few things up to you, like deciding when to jump to another firewall chain.
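Putting the answer above into configuration: the following is an added example, not taken from the original thread or from MikroTik documentation, of the jump rules that hand a consultant's packets from the default forward chain to the two chains named in the profile. It assumes the profile and the Consultants-In / Consultants-Out chains exactly as posted in the question and keeps those names; instead of matching a hard-coded VPN address it relies on the profile's address-list=Consultant-IP setting, which adds the client's assigned remote address to that list for the duration of the session, so the jump follows the user whichever pool address is handed out.

```routeros
/ip firewall filter
# Accept return traffic before any jump: Consultants-Out drops everything it
# sees, so replies to sessions the consultant was allowed to open must be
# matched by connection tracking first or they will be logged and dropped.
add chain=forward action=accept connection-state=established,related \
    comment="established/related first"

# Packets coming FROM a connected consultant (source address is in the list
# the PPP profile populates) go to the profile's incoming filter chain.
add chain=forward action=jump jump-target=Consultants-In \
    src-address-list=Consultant-IP comment="consultant -> internal"

# Packets going TO a connected consultant go to the outgoing filter chain.
add chain=forward action=jump jump-target=Consultants-Out \
    dst-address-list=Consultant-IP comment="internal -> consultant"
```

These rules are appended at the end of the forward chain by `add`; they need to sit above any general accept or drop rule that would otherwise match the consultant's traffic first, so move them up (or use `place-before=`) after adding them. The forward chain only covers traffic that transits the router; if the consultant should also be prevented from talking to the router itself (its local-address, Winbox, SSH), the same src-address-list jump has to be added to the input chain as well, again after an established/related accept.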