I just configured an OpenVPN server on MikroTik for testing and I set up a very basic firewall.
The setup is the following:
@CRS125: port 24 is set up with no master port.
On that port is an external modem for the internet connection, which is done via PPPoE.
The OpenVPN server is listening on port 443 and has the IP pool 10.100.10.0.
My internal subnets connected to the router are 10.0.0.0/8.
In the first tests, I only allowed port 443 on the input chain and could connect to the OpenVPN server, but I was not able to reach the router itself on IP 10.10.10.1 or my private subnets 10.0.0.0/8 (I pushed the correct route in the client config though).
After the first tests I allowed the 10.100.10.0/24 subnet on the input and forward chains, and everything is working as expected.
The OpenVPN device is dynamic, so it cannot be used for firewalling, I guess.
Code:
/ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=input action=accept connection-state=established,related log=no log-prefix=""
 1   chain=input action=accept in-interface=ether1-master-local log=no log-prefix=""
 2   chain=input action=accept protocol=tcp dst-port=443 log=no log-prefix=""
 3   chain=input action=accept src-address=10.100.10.0/24 log=no log-prefix=""
 4 X chain=input action=drop connection-state=invalid log=no log-prefix=""
 5   chain=input action=drop log=no log-prefix=""
 6   chain=forward action=accept connection-state=established,related log=no log-prefix=""
 7   chain=forward action=accept dst-address=0.0.0.0/0 in-interface=ether1-master-local log=no log-prefix=""
 8   chain=forward action=accept src-address=10.100.10.0/24 log=no log-prefix=""
 9   chain=forward action=drop connection-state=invalid log=no log-prefix=""
10   chain=forward action=drop log=no log-prefix=""
What is the best practice to allow all traffic that is coming in via OpenVPN without matching it by subnet?
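As an added example (not the poster's configuration), the filter above rewritten to match the VPN by interface instead of by source subnet, with the disabled drop-invalid rule turned back on. It assumes RouterOS 6.x without interface lists, a PPPoE client interface named pppoe-out1 and an OVPN user named vpnuser1 (both constructed names); the static binding in step 1 is what turns the dynamic OVPN interface into a fixed name a rule can reference.

```routeros
# Added example, not from the original post. Constructed names:
# pppoe-out1 = PPPoE WAN uplink, vpnuser1 = OVPN user.

# 1. Static binding: gives the OVPN user a fixed interface name.
#    Without it the interface is dynamic and cannot be matched by name.
/interface ovpn-server
add name=ovpn-vpnuser1 user=vpnuser1

# 2. Input chain: traffic to the router itself.
/ip firewall filter
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid comment="keep this enabled"
add chain=input action=accept in-interface=ether1-master-local comment="LAN -> router"
add chain=input action=accept in-interface=pppoe-out1 protocol=tcp dst-port=443 \
    comment="OpenVPN server, only on the WAN uplink"
add chain=input action=accept in-interface=ovpn-vpnuser1 comment="VPN clients -> router"
add chain=input action=drop comment="default deny"

# 3. Forward chain: LAN out to the internet, VPN clients into the LAN, nothing
#    else initiated from outside.
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface=ether1-master-local out-interface=pppoe-out1 \
    comment="LAN -> internet"
add chain=forward action=accept in-interface=ovpn-vpnuser1 dst-address=10.0.0.0/8 \
    comment="VPN clients -> internal subnets"
add chain=forward action=drop comment="default deny"
```

One binding per OVPN user is needed for this to scale. The shortcut of matching `in-interface=all-ppp` is not safe in this particular setup, because the PPPoE uplink is itself a PPP interface and would be accepted by the same rule.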