I browsed the forums and spent a few hours trying to research this on my own before reaching out.
I have an internal VPN server (not part of RouterOS; an Ubuntu workstation) at my location. I set up port forwarding and I can connect to the VPN server with no issues.
I set up a firewall rule to drop all packets outside of a specified IP address list. It works as far as blocking web access to the mikrotik router, etc.
However, it’s still allowing connections to the ports I’ve set up forwarding for (VPN, OpenVPN, etc.). I put the drop firewall rule at the top, thinking that would work.
I have something wrong somewhere, obviously. Can anyone provide any suggestions? Thanks for your help. I’ve attached some screenshots of the firewall rules and the address list I created.
firewall.png
address_list.png
Guess it looks OK in the sense that it looks like what you wanted to achieve. Regarding security, a complete export would be needed for assessment, and from what I can see in the WinBox window I wouldn’t say it’s so secure: you allow everything in the input chain, then drop… In the firewall, the first rule that matches is the one applied…
For security’s sake it is better to do it the “other way”: restrict everything, and only let pass whatever is specifically allowed. I.e., if I wanted to let some external IPs connect to an internal PPTP server, the logic would be:
forward chain, in interface wan, allow new connections from ips in the address list to internal tcp port 1723
forward chain drop everything
Have a look at the Wiki page; there are very useful examples to learn from. Also, knowing how RouterOS handles Packet Flow is a must.
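The whitelist-then-drop logic from the reply above, written out as RouterOS CLI. This is an added example, not configuration posted by either participant; the WAN interface (ether1), the address-list name (vpn-allowed), the internal server address and the whitelisted source are constructed values. It narrows the final "drop everything" to port-forwarded (dst-nat) traffic from the WAN so that ordinary LAN outbound traffic is not cut off.

```routeros
# Added example: restrict a port-forwarded VPN port to an address list.
# Assumed values: WAN is ether1, server is 192.168.88.10, list is vpn-allowed.
/ip firewall address-list
add list=vpn-allowed address=203.0.113.5 comment="example remote site (constructed)"

# The port forward itself. Traffic that is dst-nat'ed to an internal host
# traverses the FORWARD chain, not INPUT, so an INPUT-chain drop never sees it.
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=1723 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=1723

/ip firewall filter
# Keep replies and already-established sessions working.
add chain=forward connection-state=established,related action=accept
# Only whitelisted sources may open a NEW connection to the forwarded port.
add chain=forward in-interface=ether1 connection-state=new \
    connection-nat-state=dstnat src-address-list=vpn-allowed \
    protocol=tcp dst-port=1723 action=accept
# Anything else arriving from the WAN for a port-forwarded host is dropped.
# First match wins, so these rules must sit above any catch-all accept.
add chain=forward in-interface=ether1 connection-nat-state=dstnat action=drop

# Same pattern on INPUT protects the router itself (WinBox, web UI, etc.).
add chain=input connection-state=established,related action=accept
add chain=input in-interface=ether1 src-address-list=vpn-allowed action=accept
add chain=input in-interface=ether1 action=drop
```

Check the result with /ip firewall filter print stats after a test connection from a non-listed address: the forward drop counter should increase while the accept rule's does not.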