/ip firewall filter
{input chain}
add action=accept chain=input comment="Allow Estab, Related & Untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMan)" dst-address=127.0.0.1
add action=accept chain=input comment="Allow l2tp/ipsec IKE (500)" dst-port=\
500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Allow l2tp (1701)" dst-port=1701 \
in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Allow l2tp/ipsec NAT (4500)" dst-port=\
4500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Allow l2tp/ipsec vpn (ipsec-esp)" \
in-interface-list=WAN protocol=ipsec-esp
add action=accept chain=input comment="Allow BASE" in-interface-list=BASE
add action=accept chain=input comment="Allow VLAN" dst-port=53 \
in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="Allow VLAN" dst-port=53 \
in-interface-list=VLAN protocol=udp
add action=drop chain=input comment="Drop all else"
{forward chain}
add action=accept chain=forward comment="Accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="Accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=input comment="Allow Estab, Related & Untracked" \
connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="VLAN Internet Access only" \
in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all else"
There is a Site-to-site IPSec VPN between my office and home. Both locations have Mikrotik HapAC2 routers. The office network's address range is 192.168.0.0/24 and the home network's is 192.168.1.0/24 (BLUE_VLAN). This rule ensures that all devices in the two networks see each other and can connect to each other.
(1) This rule I could not make heads or tails of, especially as there is no subnet on the router that I can see (192.168.0.0/24)......... Please let us know what the intent of this rule actually is, from the user perspective.
add action=accept chain=input comment=\
"Accept all from LAN works with drop input" in-interface=BR1
add action=accept chain=input comment="Accept ssh to subnet" dst-address=\
192.168.1.0/24 dst-port=22 protocol=tcp src-address=192.168.0.0/24
In addition to the Site-to-Site VPN, the client has an L2TP/IPSec VPN for remote work. These rules would direct traffic from the L2TP/IPSec remote client into and out of the BLUE_VLAN.
(2) These rules I could not make heads or tails of, as you appear to be giving access from one thing to itself, and that is the case for both rules actually. ?????????????
add action=accept chain=forward comment="Forward l2tp/ipsec remote client" \
dst-address=192.168.1.0/24 in-interface=all-ppp src-address=\
192.168.1.0/24
add action=accept chain=forward comment="Forward l2tp/ipsec remote client" \
dst-address=192.168.1.0/24 out-interface=all-ppp src-address=\
192.168.1.0/24
This rule originally routed traffic to the 192.168.1.0/24 network and now routes it to the BLUE_VLAN. There was also another subnet, but not as a VLAN, and I don't use it anymore. Now this other subnet would be the GREEN_VLAN to which I would connect a server.
(3) This rule is TOO wide open, it has no destination detailed.......
add action=accept chain=forward in-interface=BR1 src-address=192.168.1.0/24
missing dst-address? dst-address-list? out-interface? out-interface-list?
This would be openVPN port forwarding to the server placed in GREEN_VLAN for direct connection.
(4) This looks like a destination NAT rule and not a port forward rule!!
add action=accept chain=forward dst-address=10.0.20.2 dst-port=1195 \
in-interface-list=WAN protocol=udp
Similar to (4), this is openVPN port forwarding to the Zentyal server, which is located in the BLUE_VLAN...
(5) This rule makes no sense to me............ you are again allowing BLUE VLAN to be accessed by WAN, sounds like destination NAT.
add action=accept chain=forward comment="forward openVPN to Zentyal" \
dst-address=192.168.1.1 dst-port=1196 in-interface=pppoe-out1 protocol=udp
"also in one rule you use wan interface list, here you use the actual interface why the inconsistency??"
What do you suggest? What should I use WAN or ether1 or pppoe designation? Isn't it easier to refer to WAN?
This rule ensures Site-to-Site VPN connectivity between public static IP addresses.
(6) I left out this rule on the input chain as well, as I don't see its purpose, it appears to be very non-standard................???
add action=accept chain=input comment="Site2Site VPN" dst-address=\
XXX.XXX.177.63 in-interface-list=WAN src-address=XXX.XXX.43.161
Without this rule, the two networks cannot be traversed, there is no traffic between them, they cannot see each other. Do you have a better solution for this?
(8) I am not very familiar with how to source nat your LAN traffic going out the ipsec tunnel, but this does not appear correct to me. I appreciate it mirrors your ipsec policy though!!
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.0.0/24 src-address=\
192.168.1.0/24
Sorry, but I don't understand what you mean here. vpn and isipos are not interfaces, but login names used for L2TP/IPSec connection under /ppp secret..."Perhaps use out-interface=vpn or out-interface=isipos ??? I am out on left field on this one."
The public IP address is a static IP address at both locations...
(9) DST NAT RULES are not consistently applied.
I see two of your rules are missing the standard dynamic IP in-interface-list=WAN while the other two use a static IP approach, which is not correct for pppoe unless it's a static IP??? ( dst-address=94.21.....)
/ip firewall filter
{Input chain}
add action=accept chain=input comment="Allow Estab, Related & Untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMan)" dst-address=127.0.0.1
add action=accept chain=input comment="Allow l2tp/ipsec IKE (500)" dst-port=\
500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Allow l2tp (1701)" dst-port=1701 \
in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Allow l2tp/ipsec NAT (4500)" dst-port=\
4500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Allow l2tp/ipsec vpn (ipsec-esp)" \
in-interface-list=WAN protocol=ipsec-esp
add action=accept chain=input comment="Allow BLUE" in-interface-list=BLUE
add action=accept chain=input comment="Allow VLAN" dst-port=53 \
in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="Allow VLAN" dst-port=53 \
in-interface-list=VLAN protocol=udp
add action=drop chain=input comment=Drop
{forward chain}
add action=accept chain=forward comment="Accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="Accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment="Allow Estab, Related & Untracked" \
connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="VLAN Internet Access only" \
in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="Allow port forwarding" \
connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all other forward"
/ip route
add blackhole disabled=no dst-address=0.0.0.0/8
add blackhole disabled=no dst-address=172.16.0.0/12
add blackhole disabled=no dst-address=192.0.2.0/24
add blackhole disabled=no dst-address=192.88.99.0/24
add blackhole disabled=no dst-address=192.18.0.0/15
add blackhole disabled=no dst-address=192.51.100.0/24
add blackhole disabled=no dst-address=203.0.113.0/24
add blackhole disabled=no dst-address=203.0.113.0/24
etc....
I set the BLUE VLAN to be trusted to manage the router. This is different from what is described by @pcunite, but I have to manage the router from the local network because ethernet or WiFi is not suitable due to the choice of location. As I wrote in the text, BLUE_VLAN is the local network, GREEN_VLAN is the DMZ for the server and BASE_VLAN is the guest WiFi (BASE because it is a basic service without anything else). What do you suggest I use a different name for?
Clearly you have set the BLUE VLAN to be your Trusted/Management VLAN by the config settings.
I forgot to disable it, it was off before, I don't use it either... I allow access from the 192.168.0.0/23 subnet because the 192.168.0.0/24 and 192.168.1.0/24 subnets are connected with an IPSec VPN and I need to access the routers of both networks from both subnets...
Your winbox setting for allowed IPs,
Excuse me, are you asking or stating that? Could you explain, because I don't know what you mean. My English is not the best...
The sourcenat rule you have, is that to give everyone from the blue subnet going out the ipsec tunnel the IP address of the tunnel for source??
Indeed, the IP address was lost, but fortunately it still works, otherwise my wife would have already complained...
Your dst-nat rule is not configured properly....
This is how the service provider provides a static IP address via the pppoe service; this is how it should be set. I think that one of the IP addresses of a DHCP range is statically assigned to the pppoe connection and thus remains permanent.
Since by the other two DST NAT rules it would appear you have a fixed static IP address???
I need to carefully review the firewall rules as you described. My apologies, according to your previous comments I modified the previous order, but I do not rule out that I overlooked something.
Your firewall rules are crap.
If I don't set this here, even if the NAT rule is in place, the remote client cannot connect to the server via an openVPN connection, because the openVPN server runs on Zentyal... Do you have a better idea?
add action=accept chain=forward comment="forward openVPN to Zentyal" \
If I do not set this here, the remote L2TP/IPSec client cannot connect to the local network (BLUE_VLAN) even if the NAT rule is in place. Do you have a better idea?
add action=accept chain=forward comment="Forward l2tp/ipsec remote client" \
I am happy to learn from others and I know that I do not know everything. Unfortunately, I don't understand why you wrote the quoted text, since these rules are listed in a similar form on the official Mikrotik pages and on the iptables pages as examples.
(-3-) All the other rules are YouTube garbage.
If I connect to the router over the Internet with L2TP/IPSec I can't access the Internet, only the local network (BLUE_VLAN). This was not a problem before... What could be the reason for this?
Another problem is that from the BLUE_VLAN the router can be reached from all IP addresses, e.g. from addresses 192.168.1.254, 10.0.20.254 and 192.168.5.254. Why is this, and can it cause problems, or can it be disabled?
This is not part of the L2TP/IPSec VPN, but of the Site2site IPSec VPN, so I can't skip it because then the VPN between the office and home doesn't work.
Leaving the first rule out of the NAT part of the config so that it can be understood as to what you are trying to accomplish.
I have this as an action=masquerade entry under /ip firewall nat.. Should I change it? But then there will be no access to the Internet...
Now that we know you have a fixed WANIP address..........
/ip firewall nat
add action=src-nat chain=srcnat to-addresses=fixedWANIP out-interface=pppoe1-out \
ipsec-policy=out,none
You have already mentioned this to me and I have already modified it.
add action=dst-nat chain=dstnat dst-address=fixedWANIP \
comment="Port forward openVPN port to Zentyal" dst-port=1196 protocol=udp \
to-addresses=192.168.1.1 to-ports=1196
These are really public static IP addresses. I marked the first two octets with Xs, leaving the last two to help interpretation.
Not sure what your 156.53 is alluding to? Is this your fixed WANIP or something else????
Typically a rule on the remote router is required to allow traffic from outside it, or you don't have a route on a local router to it, OR you don't have a route on the remote router to tell it where to send the return traffic from your queries.
I found a post to restart the routers on both sides at the same time. I tried to restart it from the office earlier, but due to limited access, I could only restart one at a time. Of course, I didn't know any of them because they were working on it with openVPN...
Tonight I restarted both and IPSec Site2Site VPN, L2TP/IPSec remote management VPN and openVPN to the server are working. All three run...
But there is another problem: I can access the office and home networks and the devices operating on them via the IPSec Site2site VPN, but only the remote router is not accessible with Winbox, although I can ping it. So I don't even get SNMP data from the remote router...
I need to find the rule that prohibits access to the remote router.
Any ideas?
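Most of the review points raised in this thread (a forward accept with no destination at all, a rule whose source and destination are the same subnet, a literal pppoe interface where other rules use in-interface-list=WAN, a duplicated entry, and whether each chain ends in a catch-all drop) can be checked mechanically before a config is posted. The script below is an added example and is not from this thread or from MikroTik: it parses the RouterOS export format (including the backslash line continuations seen above) and runs those checks over a constructed sample of rules modelled on the ones discussed. The sample rules, the check names and the NARROWING_KEYS list are assumptions of the example, not anything the router enforces.

```python
import shlex
from collections import defaultdict

# Constructed sample in RouterOS export format, modelled on rules from the thread
# (not the poster's real export). It deliberately contains one forward accept with
# no destination, one src==dst rule, two literal interfaces and one duplicate route.
SAMPLE_EXPORT = r'''
/ip firewall filter
add action=accept chain=input comment="Allow Estab, Related & Untracked" \
    connection-state=established,related,untracked
add action=accept chain=input comment="Allow l2tp/ipsec IKE (500)" dst-port=\
    500 in-interface-list=WAN protocol=udp
add action=drop chain=input comment="Drop all else"
add action=accept chain=forward comment="Forward l2tp/ipsec remote client" \
    dst-address=192.168.1.0/24 in-interface=all-ppp src-address=\
    192.168.1.0/24
add action=accept chain=forward in-interface=BR1 src-address=192.168.1.0/24
add action=accept chain=forward comment="forward openVPN to Zentyal" \
    dst-address=192.168.1.1 dst-port=1196 in-interface=pppoe-out1 protocol=udp
add action=accept chain=forward comment="Allow port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all other forward"
/ip route
add blackhole disabled=no dst-address=203.0.113.0/24
add blackhole disabled=no dst-address=203.0.113.0/24
'''

# Matchers that narrow where a forward rule may deliver traffic (assumed list).
# A forward accept with none of them lets the matched source reach anything.
NARROWING_KEYS = ("dst-address", "dst-address-list", "dst-port", "out-interface",
                  "out-interface-list", "connection-nat-state", "ipsec-policy",
                  "connection-state")


def join_continuations(text):
    """Join export lines ending in a backslash into single logical lines."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("\\"):
            buf += line[:-1]          # drop the backslash, keep any space before it
            continue
        logical.append(buf + line)
        buf = ""
    return logical


def parse_export(text):
    """Return (section, rule) pairs, one per 'add' line; rule is a matcher dict.
    Bare words such as 'blackhole' in /ip route become flags with value 'yes'."""
    rules, section = [], None
    for line in join_continuations(text):
        if line.startswith("/"):
            section = line
            continue
        if not line.startswith("add "):
            continue                  # skips annotations such as '{input chain}'
        rule = {}
        for tok in shlex.split(line)[1:]:   # shlex keeps quoted comments intact
            key, sep, value = tok.partition("=")
            rule[key] = value if sep else "yes"
        rules.append((section, rule))
    return rules


def audit(rules):
    """Return a list of (check, description) findings over parsed rules."""
    show = lambda r: " ".join(f"{k}={v}" for k, v in r.items())
    findings, seen, by_chain = [], set(), defaultdict(list)
    for section, r in rules:
        is_filter = section == "/ip firewall filter"
        if is_filter:
            by_chain[r.get("chain")].append(r)
        # 1. forward accept with no destination or state restriction at all
        if is_filter and r.get("chain") == "forward" and r.get("action") == "accept" \
                and not any(k in r for k in NARROWING_KEYS):
            findings.append(("forward-accept-without-destination", show(r)))
        # 2. src == dst only matches traffic a subnet sends to itself
        if "src-address" in r and r["src-address"] == r.get("dst-address"):
            findings.append(("src-equals-dst", show(r)))
        # 3. literal interface names (all-* pseudo-interfaces excepted) where an
        #    interface list would keep WAN/LAN handling consistent across rules
        for key in ("in-interface", "out-interface"):
            if key in r and not r[key].startswith("all-"):
                findings.append(("literal-interface", f"{key}={r[key]}"))
        # 4. exact duplicates, comment ignored
        fp = (section, tuple(sorted((k, v) for k, v in r.items() if k != "comment")))
        if fp in seen:
            findings.append(("duplicate-rule", show(r)))
        seen.add(fp)
    # 5. every filter chain should end in an unconditional drop
    for chain, chain_rules in by_chain.items():
        last = chain_rules[-1]
        if last.get("action") != "drop" or set(last) - {"action", "chain", "comment"}:
            findings.append(("chain-without-final-drop", f"{chain}: {show(last)}"))
    return findings


if __name__ == "__main__":
    for check, what in audit(parse_export(SAMPLE_EXPORT)):
        print(f"{check:36} {what}")
```

Run it against a real `/export` by replacing SAMPLE_EXPORT with the file contents; the literal-interface check is informational (BR1 is a LAN bridge and may be fine), while the other four findings are the ones worth fixing before posting a config for review.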