madcat
just joined
Topic Author
Posts: 20
Joined: Thu Jan 30, 2014 5:59 pm

Firewall config only allow certain ports from VPN connection

Wed Mar 12, 2014 12:48 pm

Hi All,

I would like to allow certain incoming ports only from VPN-connected clients.
So the port is open when connected by VPN, but is closed when the client is not connected by VPN.

When a client is connected I do see the interface "l2tp-user", and I can configure it like this:
Chain:forward
protocol:TCP
destination port:portnr
In Interface :l2tp-user
Action: Accept

Chain:dstnat
protocol:TCP
destination port:portnr
In Interface :l2tp-user
Action: dst-nat
to address: serverip
to port: portnr

When the client is disconnected the rule is not valid anymore.

I tried to filter on the "PPP" in-interface like this:
Chain:forward
protocol:TCP
destination port:portnr
In Interface :All PPP
Action: Accept

Chain:dstnat
protocol:TCP
destination port:portnr
In Interface :All PPP
Action: dst-nat
to address: serverip
to port: portnr

But for some reason I can still connect to the port even when I'm not connected via VPN. (Or is PPP for outgoing VPN users?)

I also tried to filter on only private IP addresses, like this:

Chain:forward
Source address: vpn pool ip
protocol:TCP
destination port:portnr
In Interface :All PPP
Action: Accept

Chain:dstnat
Source address: vpn pool ip
protocol:TCP
destination port:portnr
In Interface :All PPP
Action: dst-nat
to address: serverip
to port: portnr

But the source addresses from the VPN clients are still public IPs.

It sounds like a common issue that has probably already been solved by one of you guys.
Last edited by madcat on Wed Mar 12, 2014 1:42 pm, edited 2 times in total.
 
efaden
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: Firewall config only allow certain ports from VPN connec

Wed Mar 12, 2014 1:11 pm

I'm actually trying to solve something similar right now.

Sent from my SCH-I545 using Tapatalk
 
c0d3rSh3ll
Long time Member
Posts: 557
Joined: Mon Jul 25, 2011 9:42 pm
Location: [admin@Chile] >

Re: Firewall config only allow certain ports from VPN connec

Thu Mar 13, 2014 4:47 am


When a client is connected I do see the interface "l2tp-user", and I can configure it like this:
Chain:forward
protocol:TCP
destination port:portnr
In Interface :l2tp-user
Action: Accept

Chain:dstnat
protocol:TCP
destination port:portnr
In Interface :l2tp-user
Action: dst-nat
to address: serverip
to port: portnr

When the client is disconnected the rule is not valid.
You can add an L2TP server interface for each user so the PPP interface is not created/removed dynamically; then you can set your firewall rules without any problem and they stay valid when the user is disconnected.

sent from my mobile phone with tapatalk
 
madcat
just joined
Topic Author
Posts: 20
Joined: Thu Jan 30, 2014 5:59 pm

Re: Firewall config only allow certain ports from VPN connec

Thu Mar 13, 2014 3:31 pm

Thanks, one step further!

I have added the L2TP Server Binding via PPP -> Add new -> L2TP Server Binding.
Set the name to l2tp-madcat and the user to "madcat" (the same as I have set in PPP -> Secrets -> Name).

And I am now able to see the interface in the Firewall and NAT rules.
It is invalid when there is no VPN connection and this rule is automatically enabled when the connection is available. So far so good.

But when I'm connected via VPN, I still can't connect to the port.
When I change the "in interface" from "l2tp-myname" to "All PPP" it is working, but then for both VPN and non-VPN connections.

Am I missing something or could this be a bug?
I'm using a 2011UiAS-2HnD on firmware 3.1 with RouterOS 6.9.
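The static-binding approach discussed in this thread, written out as RouterOS CLI commands (an added example, not configuration posted by anyone in the thread). The interface name l2tp-madcat and user madcat come from the thread; the port 8443, the VPN pool 192.168.10.0/24 and the internal server 192.168.1.10 are assumed placeholders.

```routeros
# Static L2TP server binding for the user "madcat": the interface now exists
# permanently, so rules that reference it are no longer invalidated when the
# user disconnects (the PPP -> L2TP Server Binding step from the thread).
/interface l2tp-server add name=l2tp-madcat user=madcat

# Give the VPN users a predictable address range so rules can also match on
# source address if needed (pool and profile names are assumed placeholders).
/ip pool add name=vpn-pool ranges=192.168.10.2-192.168.10.254
/ppp profile set default-encryption local-address=192.168.10.1 remote-address=vpn-pool

# Filter: accept the forwarded port only when the packet arrives on the VPN
# interface. Note that in-interface=all-ppp matches every PPP-type interface
# on the router (PPTP, L2TP, SSTP, OVPN and also a PPPoE WAN client), which is
# why a rule on "All PPP" can end up matching traffic that did not come via VPN.
/ip firewall filter add chain=forward in-interface=l2tp-madcat protocol=tcp \
    dst-address=192.168.1.10 dst-port=8443 action=accept \
    comment="server port reachable only over VPN"
/ip firewall filter add chain=forward protocol=tcp dst-address=192.168.1.10 \
    dst-port=8443 action=drop comment="same port dropped from everywhere else"

# NAT: translate the port to the internal server only for packets that entered
# via the VPN interface; without a matching dst-nat the port stays closed.
/ip firewall nat add chain=dstnat in-interface=l2tp-madcat protocol=tcp \
    dst-port=8443 action=dst-nat to-addresses=192.168.1.10 to-ports=8443

# Checks: confirm the binding exists and is running while the user is connected,
# then watch the rule counters to see which rule the test connection actually hits.
/interface l2tp-server print
/ip firewall filter print stats where comment~"VPN"
/ip firewall nat print stats where chain=dstnat
```

If the accept counter stays at zero while the user is connected, compare the active interface name shown by /interface l2tp-server print with the in-interface used in the rules; a mismatch there produces exactly the "works on All PPP but not on the named interface" symptom.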
