Hi, is it possible to only allow HTTP traffic on an IPsec site-to-site VPN? A 3rd-party provider requested the VPN, but I want to secure it from the rest of the network and only allow HTTP. Is it possible to do this with MikroTik? I googled it but couldn't find any information. I did find it for Cisco, though.
Allow "new" connections going via the VPN only for HTTP (port 80) and HTTPS (port 443), and all "related" traffic.
IPsec doesn't create an interface. See the "IPsec Encryption" and "IPsec Decryption" packet flow diagrams at this link:
https://wiki.mikrotik.com/wiki/Manual:Packet_Flow#IPsec_encryption
For inbound packets, I believe you'd set up a forward rule in the filters. The packet flow diagram shows that an inbound packet comes in on the WAN, is then decrypted and put into the routing logic. At this point the packet has a src-address equal to the private IP of the remote, and a dst-address equal to the private IP on your network. Now you can create a firewall filter rule in the forward chain. You will need a default-deny rule saying that all packets from the remote network are denied. Then create your allow rule above the default-deny rule.

When a packet is from your network to their network, you can set up a firewall rule to prevent sensitive data from leaking out. The packet flow diagram says packets destined for the remote network first go through the WAN interface before being intercepted, encrypted and put back into the routing logic. So you can place your filter rules in the forward chain stating that only the web server can send out, and only from src-port=80.

Does that make sense?
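As an added illustration of the two replies above (allow only new HTTP/HTTPS plus established/related, with a default deny in the forward chain), here is a RouterOS filter rule set. This is example configuration written for this thread, not anything posted by the participants. The addresses are assumptions: the local LAN is 192.168.10.0/24 with the web server at 192.168.10.20, and the 3rd-party network behind the tunnel is 10.99.0.0/24. It assumes the IPsec peer and policy are already configured; only the firewall part is shown.

```routeros
# Added example (not from the original thread). Assumed addresses:
#   local LAN        192.168.10.0/24
#   local web server 192.168.10.20
#   remote 3rd party 10.99.0.0/24 (reached through the IPsec policy)
# Because policy-based IPsec has no interface, rules match on the
# decrypted/plaintext src/dst addresses, as the packet flow diagram shows.

/ip firewall address-list
add list=vpn-remote    address=10.99.0.0/24   comment="3rd-party network behind the IPsec tunnel"
add list=vpn-local-web address=192.168.10.20  comment="the only local host the 3rd party may reach"

/ip firewall filter
# Return packets of connections already permitted, in both directions.
add chain=forward action=accept connection-state=established,related \
    src-address-list=vpn-remote comment="VPN: return traffic from remote"
add chain=forward action=accept connection-state=established,related \
    dst-address-list=vpn-remote comment="VPN: return traffic to remote"

# The only new connections allowed over the tunnel: remote -> web server, TCP 80/443.
add chain=forward action=accept connection-state=new protocol=tcp \
    src-address-list=vpn-remote dst-address-list=vpn-local-web dst-port=80,443 \
    comment="VPN: allow HTTP/HTTPS to the web server"

# Default deny for everything else crossing the tunnel, logged for visibility.
add chain=forward action=drop src-address-list=vpn-remote \
    log=yes log-prefix="vpn-drop-in" comment="VPN: deny all other traffic from remote"
add chain=forward action=drop dst-address-list=vpn-remote \
    log=yes log-prefix="vpn-drop-out" comment="VPN: deny all other traffic to remote"

# The router itself is also reachable from the remote network (input chain,
# not forward), so close that path as well; allow ICMP only if you want ping.
add chain=input action=drop src-address-list=vpn-remote \
    comment="VPN: remote may not talk to the router itself"
```

These rules must sit above any generic "accept from LAN" or "accept all forward" rule, or they never match. The second drop rule is what stops the rest of your network from initiating anything toward the 3rd party, while the established,related accept still lets the web server's replies back out. If you would rather match on the tunnel than on addresses, RouterOS filter rules also accept the `ipsec-policy=in,ipsec` / `ipsec-policy=out,ipsec` matcher, which selects packets that were decrypted by, or will be encrypted by, an IPsec policy. Test with a connection from the remote side to a non-web port and confirm the `vpn-drop-in` log entry appears.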
Yes, it does make sense. I'll have to play with it and come back if it's not clear.