ddejager
Member Candidate
Topic Author
Posts: 109
Joined: Tue Oct 18, 2011 5:13 am

Default firewall rules now block management over VPN

Wed Apr 25, 2018 1:37 am

Sometime in the past few releases the default firewall rules were changed for the INPUT chain to block all access not coming from the LAN as the last INPUT rule. Previously the last INPUT chain rule was set to block all access coming from the gateway (WAN) port. This change means that, by default, management access to the router is blocked from VPN connections to the router. It took me a few hours to notice this and determine why I could not access the router from a VPN connection to the router. This seems to me like a mis-feature.

Was it ever clearly documented that VPN management would not work on a default configuration when VPN is simply enabled via QuickSet? Why is this a "good" idea?
 
2frogs
Long time Member
Posts: 540
Joined: Fri Dec 03, 2010 1:38 am

Re: Default firewall rules now block management over VPN

Wed Apr 25, 2018 3:03 am

Most likely the change was made for the Home Market where they are not using VPN for management. I can also see that VPN clients in an Enterprise Environment would not want their employees to have access to the management.

But it also blocks you from using the router as DNS on VPN by default, which I have helped someone with today.
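For readers who hit the same two symptoms (no management and no DNS over VPN), here is an added example of how the default rule looks and how to open only what VPN clients need; this is not config posted by anyone in the thread. The default drop rule text is what recent RouterOS default configurations install; the VPN address pool (192.168.89.0/24) and the choice of services are assumptions to adapt to your own setup.

```routeros
# Added example, not from any poster in this thread.
# Assumptions: VPN clients get addresses from 192.168.89.0/24 (adjust to your pool),
# and you want SSH, Winbox and DNS reachable from them, nothing else.

# The recent default configuration ends the input chain with this rule
# (as shown by "/ip firewall filter print"):
#   chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
# VPN client traffic arrives on a ppp/ovpn interface that is not a member of the
# LAN interface list, so it matches this rule, which is why management and DNS
# from VPN stop working while everything from the LAN still works.

/ip firewall filter
# Accept only the needed services from the VPN pool, placed directly above the
# default drop so the drop still protects the router from everything else.
add chain=input action=accept src-address=192.168.89.0/24 protocol=tcp dst-port=22,8291 \
    comment="allow SSH and Winbox from VPN clients" \
    place-before=[find comment="defconf: drop all not coming from LAN"]
add chain=input action=accept src-address=192.168.89.0/24 protocol=udp dst-port=53 \
    comment="allow DNS (UDP) from VPN clients" \
    place-before=[find comment="defconf: drop all not coming from LAN"]
add chain=input action=accept src-address=192.168.89.0/24 protocol=tcp dst-port=53 \
    comment="allow DNS (TCP) from VPN clients" \
    place-before=[find comment="defconf: drop all not coming from LAN"]

# Check the ordering: the three accept rules must print before the defconf drop,
# because the filter chain is evaluated top to bottom and the first match wins.
/ip firewall filter print where chain=input
```

Scoping the accept rules to the VPN pool and to specific ports keeps the intent of the new default (nothing outside the LAN reaches the router) while restoring exactly the services you rely on; a single "accept everything from the VPN" rule would hand every VPN user the same reach as a LAN host. For the DNS case, the firewall rule alone is not enough unless the router is actually answering remote queries, which is controlled by allow-remote-requests under /ip dns.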
 
ddejager
Member Candidate
Topic Author
Posts: 109
Joined: Tue Oct 18, 2011 5:13 am

Re: Default firewall rules now block management over VPN

Sun Apr 29, 2018 2:52 am

MikroTik, Any answer as to why and when this change was made to the default configuration?
 
sindy
Forum Guru
Posts: 3931
Joined: Mon Dec 04, 2017 9:19 pm

Re: Default firewall rules now block management over VPN

Sun Apr 29, 2018 10:13 am

MikroTik, Any answer as to why and when this change was made to the default configuration?
Send it to support@mikrotik.com (a reference to the forum topic is sufficient). They don't react to every topic on the forum.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
