Here is my current firewall configuration:
/ip firewall filter
add action=accept chain=input comment="L2TP szerver 2/1" port=1701,500,4500 protocol=udp
add action=accept chain=input comment="L2TP szerver 2/2" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="drop ssh brute forcers 5/1" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input comment="drop ssh brute forcers 5/2" connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input comment="drop ssh brute forcers 5/3" connection-state=new dst-port=22 protocol=tcp \
src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input comment="drop ssh brute forcers 5/4" connection-state=new dst-port=22 protocol=tcp \
src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input comment="drop ssh brute forcers 5/5" connection-state=new dst-port=22 protocol=tcp
add action=accept chain=input comment="L2TP (es LAN) dns 2/1" dst-port=53 protocol=udp src-address=192.168.5.0/24
add action=accept chain=input comment="L2TP (es LAN) dns 2/2" dst-port=53 protocol=tcp src-address=192.168.5.0/24
add action=accept chain=input comment="ssh router" dst-port=22 in-interface=all-ethernet protocol=tcp
add action=accept chain=input comment="ssh dbserver" dst-port=2222 in-interface=ether1-TCOM protocol=tcp
add action=accept chain=input comment="olajkut 4/1" dst-port=6055 in-interface=all-ethernet protocol=udp
add action=accept chain=input comment="kamera rogzito 6/1" dst-port=82 in-interface=all-ethernet protocol=tcp
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=input comment="kamera rogzito 6/3" dst-port=1030 in-interface=all-ethernet protocol=tcp
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=input comment="kamera rogzito 6/4" dst-port=1030 in-interface=all-ethernet protocol=udp
add action=fasttrack-connection chain=forward comment="defconf: fasttrack (DISABLED, SEE NEXT)" connection-state=established,related disabled=yes
add action=fasttrack-connection chain=forward comment="defconf: fasttrack with ipsec exception" connection-mark=!ipsec connection-state=established,related
add action=accept chain=input comment="kamera rogzito 6/5" dst-port=8181 in-interface=all-ethernet protocol=tcp
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=input comment="kamera rogzito 6/6" dst-port=8181 in-interface=all-ethernet protocol=udp
add action=accept chain=input comment="WinBox remote" dst-port=8291 in-interface=all-ethernet protocol=tcp
add action=accept chain=input comment="WinBox Bridge 8292" dst-port=8292 in-interface=all-ethernet protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ppp profile
add comment="L2TP szerver" dns-server=192.168.5.254,8.8.8.8 local-address=192.168.5.254 name=ipsec_vpn
/ppp secret
add name=gandalf password=xxxxxxxxxxxxxxxxx profile=ipsec_vpn remote-address=192.168.5.202 service=l2tp
* Windows ppp client can connect to the router.
* Windows ppp client can ping/connect any other computer that is on the LAN side of the router. For example, 192.168.5.202 can ping 192.168.5.1 (ppp client -> router -> LAN works).
* The ppp client cannot be pinged/connected from the LAN side
* The ppp client cannot be pinged/connected from the router either
I would like to allow a specific port (e.g. TCP/5900) to be accessed from LAN -> router -> ppp -> ppp client direction. But I'm stuck. I don't know what other rules I need to add for this.
Thanks,
Laszlo
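An added example, not part of Laszlo's post, of the narrowest rule set that answers the question as asked: allow only TCP/5900 from the LAN to the one VPN client and drop everything else the LAN sends toward that client. It reuses the addresses from the posted configuration (LAN 192.168.5.0/24, client 192.168.5.202 from the ppp secret, router 192.168.5.254 from the ppp profile); the interface list name LAN is assumed to be the default-configuration list that contains the LAN bridge, and the bridge is assumed to be called "bridge". The proxy-arp step is needed because the client's address lies inside the LAN subnet, so LAN hosts ARP for 192.168.5.202 and the router has to answer on their behalf; without it the packets never reach the router's forward chain at all.

```routeros
# Added example (not from the original post). Assumes: LAN interface list
# contains the LAN bridge, and the bridge is named "bridge".

# 1. The VPN client (192.168.5.202) sits inside the LAN subnet 192.168.5.0/24.
#    LAN hosts therefore ARP for it; the router must answer on the client's
#    behalf and route the packet down the L2TP tunnel.
/interface bridge
set [ find name="bridge" ] arp=proxy-arp

# 2. Forward-chain rules, LAN -> router -> ppp -> client direction only.
#    Append them at the end: the existing "accept established,related,untracked"
#    rule is already above them, so the client's replies keep flowing, and
#    they must precede any catch-all drop you may add to the forward chain later.
/ip firewall filter
add chain=forward action=accept comment="LAN -> VPN client: VNC only" \
    in-interface-list=LAN src-address=192.168.5.0/24 \
    dst-address=192.168.5.202 protocol=tcp dst-port=5900 \
    connection-state=new
add chain=forward action=drop comment="LAN -> VPN client: everything else" \
    in-interface-list=LAN dst-address=192.168.5.202 connection-state=new

# 3. Checks. Counters on the VNC rule should increment when a LAN host
#    connects to 192.168.5.202:5900; the ping verifies the router -> ppp leg.
/ip firewall filter print stats where comment~"VPN client"
/ping 192.168.5.202 count=3 src-address=192.168.5.254
```

If the accept rule's packet counter rises but the connection still fails, the router has done its part and the block is on the Windows client itself (its own host firewall, or the VNC service not listening on the tunnel address); the same applies to ping from the router, since the rules above do not touch ICMP.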