[SOLVED] VPN L2TP IPSEC connect to one ip address only

Hello

LAN Network: 10.0.1.0
Some IP in that LAN: 10.0.1.10

Tunnel VPN user: test
External address: 10.10.10.10
Internal address: 10.10.10.11

How can I allow a connection (access) to only one IP address (10.0.1.10) and not the rest of the LAN network?

The name L2TP is a bit misleading. Unless the client device is another Mikrotik and you use BCP to extend the local L2 segment all the way to the client, the traffic between the client and the devices in LAN is actually routed, despite the fact that the address of the client fits into the LAN subnet. Therefore, the traffic between the client and any device in the LAN passes through the IP firewall on the router, so you can use rules in it to permit only connections to particular ports on particular addresses.

Since the order of firewall rules matters, you’ll have to post the export of your configuration if this information is not enough and you need more detailed advice regarding the rules.

Thank you for the response.
The client (not another Mikrotik) is connected by L2TP/IPsec.
My firewall rules

0    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked 

 1    ;;; L2TP
      chain=input action=accept protocol=udp src-address-list="" dst-port=500,1701,4500 log=no log-prefix="" 

 2    chain=input action=accept protocol=ipsec-esp log=no log-prefix="" 

 3    ;;; WireGuard
      chain=input action=accept protocol=udp dst-port=[my_port] log=no log-prefix="" 

 4    ;;; Accept Winbox
      chain=input action=accept protocol=tcp in-interface=WireguardMain dst-port=[my_port] log=no log-prefix="" 

 5    ;;; Accept Graphs
      chain=input action=accept protocol=tcp in-interface=all-ppp dst-port=80 log=no log-prefix="" 

 6    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid log=no log-prefix="" 

 7    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 

 8    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1 

 9    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN log=no log-prefix="" 

10 X  chain=forward action=drop src-address=10.0.1.85 log=no log-prefix="" 

11    ;;; defconf: accept in ipsec policy
      chain=forward action=accept log=no log-prefix="" ipsec-policy=in,ipsec 

12    ;;; defconf: accept out ipsec policy
      chain=forward action=accept log=no log-prefix="" ipsec-policy=out,ipsec 

13    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked 

14    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid 

15    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix=""

and NAT rule

 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none

OK, so the simplest change, in order to avoid breaking something else, will be to add another rule to the end of the forward chain:
chain=forward src-address=10.10.10.10 dst-address=!10.0.1.10 action=drop

But this is not how a secure firewall should look. The firewall rules from the default configuration are optimized for the configuration where only WAN is considered “dangerous” and devices in all other subnets are allowed to freely talk to each other. So you may get inspired by other posts dealing with firewall rules and redo your firewall rules so that the firewall would prohibit (drop) anything that is not explicitly allowed, rather than allowing anything that is not explicitly dropped, which is how the forward chain of filter behaves now.
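Both pieces of advice in this thread (the quick drop rule at the end of the forward chain, and a forward chain that drops anything not explicitly allowed) written out as RouterOS CLI commands. This is an added example, not configuration posted in the thread; it assumes the L2TP client is assigned 10.10.10.10 (the address the rule above matches on), that the LAN is 10.0.1.0/24, that the LAN and WAN interface lists from the default configuration exist, and that the only service the client needs on 10.0.1.10 is TCP 3389 (a constructed example port; replace it with the real one).

```routeros
# Added example, not from the thread. Assumes: VPN client address 10.10.10.10,
# LAN 10.0.1.0/24, permitted host 10.0.1.10, interface lists LAN and WAN exist.

# --- Option 1: the minimal change, appended after the existing forward rules ---
# Filter rules match in order and the first match wins. Rule 13 in the listing
# above (accept established,related,untracked) is evaluated first, so replies to
# connections the client opened still pass; this rule only catches new
# connections from the client to anything other than 10.0.1.10.
/ip firewall filter
add chain=forward src-address=10.10.10.10 dst-address=!10.0.1.10 action=drop comment="VPN user test: only 10.0.1.10 is reachable"

# --- Option 2: a forward chain that drops everything not explicitly allowed ---
# Address lists keep the policy readable when more users or hosts are added.
/ip firewall address-list
add list=vpn-clients address=10.10.10.10 comment="L2TP user test (example address)"
add list=vpn-allowed-hosts address=10.0.1.10 comment="the only LAN host VPN users may reach"

# Rebuilt forward chain. Generic state handling first, then one narrow allow
# per traffic class, then an unconditional drop at the end.
/ip firewall filter
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
# New connections arriving over any PPP (L2TP) interface are handed to their own
# chain before any broad accept rule can match them.
add chain=forward action=jump jump-target=vpn-to-lan in-interface=all-ppp connection-state=new comment="VPN clients: evaluate against allow-list"
add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="LAN to Internet"
add chain=forward action=accept connection-nat-state=dstnat in-interface-list=WAN comment="WAN: only port-forwarded (dst-nat) connections"
add chain=forward action=drop log=yes log-prefix="fwd-denied" comment="default deny: anything not explicitly allowed above"

# Allow-list for VPN clients: one host, one port, everything else logged and dropped.
add chain=vpn-to-lan action=accept src-address-list=vpn-clients dst-address-list=vpn-allowed-hosts protocol=tcp dst-port=3389 comment="example: TCP 3389 on 10.0.1.10 only"
add chain=vpn-to-lan action=drop log=yes log-prefix="vpn-denied" comment="VPN clients: drop everything else"
```

With option 2, a connection attempt from the VPN client to any other LAN host shows up in `/log` with the `vpn-denied` prefix, which is a quick way to confirm the policy is being hit and to spot a client that is probing beyond the single host it was given. Because the jump rule is placed before the `LAN to Internet` accept, a PPP client that happens to be listed in the LAN interface list still cannot bypass the allow-list.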

Many Thanks for help.

Not that it would matter, but next to the [Edit], [Report], and [Quote] buttons, there is also a [Mark as Solution] one. So instead of editing the topic title, pressing that button on the post that contained the final bit of the solution is normally used to mark the topic as solved.