Following setup:
(LAN1: 172.12.0.0/24) MT-ROS-1 <=> Internet <=> MT-ROS-2 (LAN2: 10.11.0.0/16)
I have an IPsec VPN connection between these networks. Everything is working.
On the right side (MT-ROS-2) I have the following firewall rule in the first line (I have more, but this one is the interesting one):
/ip firewall filter
add in-interface=WAN out-interface=LAN src-address=172.12.0.0/24 dst-address=10.11.0.0/16 chain=forward action=accept
This is for VPN traffic from left to right.
Now my security question:
If someone has access to the provider router (the one that is my default gw at the provider), gives himself an IP address, e.g. 172.12.0.123, and sets a route to my MikroTik,
the above firewall rule would give him access to my LAN, right?
I know that this is an internal net (172.12.0.0/24) and it will not be routed through the internet. But someone could do this if he/she has access to the provider router (e.g. hacked).
How can I set up a firewall rule for VPN traffic that doesn't use the WAN interface (for me it's a security problem)?
I know this from the Linux kernel 2.4, where you have to use e.g. the ipsec0 interface in the firewall rules.
Kind regards
Carsten
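The following is an added RouterOS configuration example, not part of Carsten's post and not MikroTik's own documentation. It places the address-based rule from the question next to a version that only accepts packets the router itself decrypted from the IPsec tunnel, using the RouterOS firewall `ipsec-policy` matcher (which checks whether a packet matched an inbound IPsec policy). The interface names WAN and LAN and the two subnets are taken from the post; the comments, log prefix and rule order are assumptions.

```routeros
# Added example (not from the original post). Assumes interface names WAN and LAN
# and the subnets 172.12.0.0/24 (LAN1) and 10.11.0.0/16 (LAN2) as given in the post.
/ip firewall filter

# Rule from the question (kept here for comparison, disabled):
# it accepts any packet arriving on WAN that merely claims src 172.12.0.0/24,
# whether or not it was delivered inside the IPsec tunnel.
add chain=forward in-interface=WAN out-interface=LAN \
    src-address=172.12.0.0/24 dst-address=10.11.0.0/16 \
    action=accept disabled=yes comment="address-only match (weak)"

# Hardened rule: accept only packets that the IPsec stack decapsulated,
# i.e. packets that matched an inbound IPsec policy (ipsec-policy=in,ipsec).
# A cleartext packet with a forged 172.12.0.0/24 source never matches this.
add chain=forward in-interface=WAN out-interface=LAN \
    src-address=172.12.0.0/24 dst-address=10.11.0.0/16 \
    ipsec-policy=in,ipsec action=accept comment="LAN1->LAN2 via IPsec only"

# Explicit drop (placed before any broader accept) for cleartext packets on WAN
# that carry the remote LAN's source address but did not come through IPsec.
# Logging them gives a detection signal for address spoofing from upstream.
add chain=forward in-interface=WAN src-address=172.12.0.0/24 \
    ipsec-policy=in,none action=drop log=yes log-prefix="SPOOF-LAN1" \
    comment="plaintext packets pretending to be LAN1"
```

The design point is that the accept decision is tied to cryptographic decapsulation rather than to the source address, which anyone on the upstream path can set freely. Rule order matters in RouterOS: the drop rule must sit above any generic forward accept, and the IKE/ESP input rules that let the tunnel itself come up are unaffected because they live in the input chain.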