Hello, I have configured my router with an L2TP VPN service which was working before I set firewall rules for port scanning. After that it cannot connect to the VPN and I assume that it has to do with the exclude src address... I've already added an exclusion for my local LAN, to let me access via web. But then I added in all rules ! - the VPN address with the list option, and it doesn't work.
In the input chain, place your rules permitting IKE, IPSec, and L2TP before all of your new rules. These include 500/udp, 4500/udp, ESP, and 1701/udp (within the ipsec,in IPSec policy).
If that doesn’t do the trick, please post your filter rules so we can have a look at it further.
Hello ghostinthenet and thanks for the reply. I have NAT behind a NAT router, so I have already added port forwards on the ISP router for these ports. As for the new rules, I'll attach them here (I use the GUI, not the CLI, but I can copy them for you). 192.168.0.0 is my local LAN, excluded so I can enter the router from WiFi:
1 ;;; Port scanners to list
chain=input action=add-src-to-address-list protocol=tcp src-address=!192.168.0.0/16 psd=21,3s,3,1 address-list=port scanners address-list-timeout=2w log=no log-prefix=""
2 ;;; NMAP FIN Stealth scan
chain=input action=add-src-to-address-list tcp-flags=fin,!syn,!rst,!psh,!ack,!urg protocol=tcp src-address=!192.168.0.0/16 psd=21,3s,3,1 address-list=port scanners address-list-timeout=2w log=no log-prefix=""
3 ;;; SYN/FIN scan
chain=input action=add-src-to-address-list tcp-flags=fin,syn protocol=tcp src-address=!192.168.0.0/16 psd=21,3s,3,1 address-list=port scanners address-list-timeout=2w log=no log-prefix=""
4 ;;; SYN/RST scan
chain=input action=add-src-to-address-list tcp-flags=syn,rst protocol=tcp src-address=!192.168.0.0/16 psd=21,3s,3,1 address-list=port scanners address-list-timeout=2w log=no log-prefix=""
5 ;;; FIN/PSH/URG scan
chain=input action=add-src-to-address-list tcp-flags=fin,psh,urg,!syn,!rst,!ack protocol=tcp src-address=!192.168.0.0/16 psd=21,3s,3,1 address-list=port scanners address-list-timeout=2w log=no log-prefix=""
6 ;;; ALL/ALL scan
chain=input action=add-src-to-address-list tcp-flags=fin,syn,rst,psh,ack,urg protocol=tcp src-address=!192.168.0.0/16 psd=21,3s,3,1 address-list=port scanners address-list-timeout=2w log=no log-prefix=""
7 ;;; NMAP NULL scan
chain=input action=add-src-to-address-list tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg protocol=tcp src-address=!192.168.0.0/16 psd=21,3s,3,1 address-list=port scanners address-list-timeout=2w log=no log-prefix=""
8 chain=input action=drop src-address=!192.168.0.0/16 src-address-list=port scanners log=no log-prefix=""
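The ordering ghostinthenet describes, applied to the rule set above as an added example (not posted by either participant): accept rules for IKE/NAT-T, ESP and L2TP-inside-IPsec are inserted at the top of the input chain with place-before=0, so they are matched before the port-scan detection rules (1-7) and the drop on the "port scanners" list (rule 8). It assumes this router is the L2TP/IPsec server and rules 1-8 are already present; the comments are made up for this example.

```routeros
# Added example, not the original poster's configuration.
# Each rule uses place-before=0, which puts it at the very top of the chain;
# they are added in reverse so the final order reads IKE, ESP, L2TP.
/ip firewall filter
# L2TP control/data (1701/udp), accepted only when it arrived inside the IPsec tunnel
add chain=input action=accept protocol=udp dst-port=1701 ipsec-policy=in,ipsec comment="L2TP inside IPsec" place-before=0
# ESP (IP protocol 50) carries the encrypted payload when no NAT is in the path
add chain=input action=accept protocol=ipsec-esp comment="IPsec ESP" place-before=0
# IKE (500/udp) and NAT-T (4500/udp); behind the ISP NAT the client will use 4500
add chain=input action=accept protocol=udp dst-port=500,4500 comment="IKE and NAT-T" place-before=0

# Check 1: the three accept rules must now be listed above rules 1-8
/ip firewall filter print
# Check 2: if the VPN client's public address was listed during earlier tests,
# rule 8 keeps dropping it for the 2w timeout; look for it here and remove it
/ip firewall address-list print where list="port scanners"
```

Because the accepts sit above the detection rules, VPN packets never reach the psd matchers or the drop, while everything else from outside 192.168.0.0/16 still goes through rules 1-8 unchanged. The second check matters because the address-list entry persists for two weeks regardless of rule order, so a client that was listed before the fix stays blocked until the entry is removed or expires.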