anshugiri
just joined
Topic Author
Posts: 8
Joined: Sun Jun 07, 2020 4:19 pm

Drop all rule blocking PPTP

Fri Sep 10, 2021 7:11 pm

Hi Folks,

I've been trying to get a PPTP connection to work... but the problem is that it only works if I disable the "drop everything else" rule.

Here are the rules. Thanks in advance for your help.

/ip firewall filter
add action=accept chain=input protocol=tcp src-port=1723
add action=accept chain=input protocol=gre
add action=accept chain=input dst-port=161 protocol=udp
add action=accept chain=input protocol=udp src-port=161-162
add action=accept chain=input dst-port=1701,500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input comment="Accept established and related packets" \
connection-state=established,related
add action=accept chain=input comment="Allowed to Router" src-address-list=\
Allowed_To_Router
add action=accept chain=input comment="Allow ICMP to Router" protocol=icmp
add action=accept chain=input comment="Allow Secure_LAN to access Internet" \
src-address-list=Secure_LAN
add action=reject chain=forward comment="Layer7 Block Websites" \
layer7-protocol=Block log=yes log-prefix=Porn reject-with=\
icmp-network-unreachable
add action=drop chain=forward comment="Block Internet from Disallow_Internet" \
src-address-list=Disallow_Internet
add action=drop chain=input comment="Drop all other connections" \
connection-state="" src-address-type=""
add action=drop chain=input comment="Drop invalid packets" connection-state=\
invalid
add action=drop chain=input comment=\
"Drop all packets which are not destined to router IP address" \
dst-address-type=!local
add action=drop chain=input comment=\
"Drop all packets which does not have unicast source IP address" \
src-address-type=!unicast
add action=drop chain=input comment="Drop all packets from public internet which\
\_should not exist in public network" in-interface=ether1 src-address-list=\
bogons
add action=accept chain=forward comment="Established, Related" \
connection-state=established,related
add action=fasttrack-connection chain=forward comment=FastTrack \
connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
log=yes log-prefix=invalid
add action=drop chain=forward comment=\
"Drop new connections from internet which are not dst-natted" \
connection-nat-state=!dstnat connection-state=new in-interface=ether1
add action=drop chain=forward comment="Drop all packets from public internet whi\
ch should not exist in public network" in-interface=ether1 \
src-address-list=bogons
add action=drop chain=forward comment="Drop all packets from local network to in\
ternet which should not exist in public network" dst-address-list=bogons \
in-interface=ether2
add action=drop chain=forward comment=\
"Drop all packets in local network which does not have LAN address" \
in-interface=ether2 src-address=!10.0.0.0/16
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Drop all rule blocking PPTP

Fri Sep 10, 2021 8:28 pm

I will give you some advice.
Repost the list such that
a. all the INPUT chain rules are in one grouping
b. all the forward chain rules are in one grouping.

The order of the rules should reflect the actual order in the configuration as well.
Finally, most of your rules are not planned in a coherent manner and there is probably some overlap or interference.
What can be said, is to simplify and reduce.

How to achieve this!!
Simple: at the end of each chain put in place the default rules with some modification and of course your required VPN rules in the input chain.
Then put in a block all else drop rule at the end of each chain.
Thus all traffic will be blocked that you do not want.
Then add traffic you wish to allow.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Drop all rule blocking PPTP

Fri Sep 10, 2021 8:33 pm

If there was a "driving license for routing", successful completion of the "how firewalls work" test should be mandatory to get the "setting up VPNs" permission category.

The "drop everything else" name you've used says it all. There simply isn't any rule before this one that would accept the traffic received via the PPTP interface. It's up to you whether you make such a rule (or several rules) more selective, e.g. allowing only access to particular IP addresses and protocol ports, or whether you fully trust the pptp client and let them get anywhere.

Also, what makes you use PPTP, given that L2TP with use-ipsec=yes is equally simple (or equally complex) to configure and way more secure?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Drop all rule blocking PPTP

Fri Sep 10, 2021 8:36 pm

Firewall rules INPUT Chain.

+++++YOUR VPN RULES GO HERE++++++
add action=accept chain=input comment="defconf: accept established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow ADMIN to Router" src-address-list=allowadmin *** (IPs allowed to config router)
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=udp

DO NOT ADD THIS LAST RULE AT THE BOTTOM UNTIL YOU ARE SURE YOU HAVE ADMIN ACCESS !!!! ***
add action=drop chain=input comment="Drop All Else"

************** Basically the idea here is the same as the forward chain, you want to lock down any traffic to and from the router itself and then only allow traffic required.
The most important thing to do is to ensure ONLY the admin has FULL access to the router. The rest of the users DO NOT and thus we typically give FULL access only to the ethernet port (or subnet(s) or VLAN(s)) the admin will be using to access/config the router. The rest of the users typically only need DNS services from the router (sometimes NTP).

I would not add any other rules until the configuration is working as expected. Most other rules people add are just noise.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Drop all rule blocking PPTP

Fri Sep 10, 2021 8:38 pm

Then put in a block all else drop rule at the end of each chain.
In fact, one common "drop the rest" rule in the root chain is sufficient - although the action name "jump" suggests otherwise, when a packet reaches the end of a custom chain without matching any of that chain's rules, its processing commences from the next rule following the "jump" one in the invoking chain.
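Both of sindy's points (a VPN client's packets are dropped because no accept rule precedes "drop everything else", and a packet that falls off the end of a jumped-to chain resumes at the rule after the jump, so one final drop in the root chain is enough) can be seen in a small first-match simulator. The Python below is an added illustration, not code from this thread or from MikroTik: the rule set, the interface names ether1 and l2tp-in1, the custom chain vpn-in and the sample packets are all constructed for the example, and the model deliberately ignores connection tracking, address lists and everything else the real firewall does.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Constructed sample packet: only the fields the example rules look at."""
    chain: str                      # built-in chain the packet enters: "input" or "forward"
    protocol: str                   # "tcp", "udp", "icmp", "gre", "ipsec-esp", ...
    in_interface: str               # "ether1" (WAN) or "l2tp-in1" (a dynamic PPP client interface)
    dst_port: Optional[int] = None
    connection_state: str = "new"


@dataclass
class Rule:
    chain: str
    action: str                     # "accept", "drop", "reject" or "jump"
    comment: str = ""
    match: Dict[str, object] = field(default_factory=dict)  # Packet field -> value or set of values
    jump_target: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        for name, wanted in self.match.items():
            have = getattr(pkt, name)
            if isinstance(wanted, (set, frozenset)):
                if have not in wanted:
                    return False
            elif have != wanted:
                return False
        return True  # an empty match dict matches everything, like a bare "drop all else" rule


def evaluate(rules: List[Rule], pkt: Packet, chain: Optional[str] = None,
             depth: int = 0) -> Tuple[Optional[str], str]:
    """Walk one chain top to bottom, first match wins; return (verdict, deciding rule's comment).

    A jump runs the custom chain; when that chain ends without a terminal match, evaluation
    resumes with the rule after the jump in the calling chain. Falling off the end of a
    built-in chain means the default policy, which is accept.
    """
    chain = chain or pkt.chain
    for rule in rules:
        if rule.chain != chain or not rule.matches(pkt):
            continue
        if rule.action == "jump":
            verdict = evaluate(rules, pkt, rule.jump_target, depth + 1)
            if verdict[0] is not None:
                return verdict
            continue                      # custom chain exhausted: carry on with the next rule here
        return rule.action, rule.comment
    if depth > 0:
        return None, ""                   # end of custom chain: hand control back to the caller
    return "accept", "end of built-in chain (default policy)"


def input_chain(with_final_drop: bool = True) -> List[Rule]:
    """Constructed input chain laid out as anav suggests: VPN rules first, 'Drop All Else' last."""
    rules = [
        Rule("input", "accept", "accept established,related",
             {"connection_state": {"established", "related"}}),
        Rule("input", "drop", "drop invalid", {"connection_state": "invalid"}),
        Rule("input", "accept", "accept ICMP", {"protocol": "icmp"}),
        Rule("input", "accept", "L2TP/IPsec from WAN",
             {"in_interface": "ether1", "protocol": "udp", "dst_port": {500, 4500, 1701}}),
        Rule("input", "accept", "IPsec ESP from WAN",
             {"in_interface": "ether1", "protocol": "ipsec-esp"}),
        Rule("input", "jump", "services for VPN clients", jump_target="vpn-in"),
        # The custom chain only allows what a connected client actually needs from the router.
        Rule("vpn-in", "accept", "VPN clients may use router DNS",
             {"in_interface": "l2tp-in1", "protocol": "udp", "dst_port": 53}),
    ]
    if with_final_drop:
        rules.append(Rule("input", "drop", "Drop All Else"))
    return rules


if __name__ == "__main__":
    samples = [
        Packet("input", "udp", "ether1", 500),            # IKE from the internet: tunnel setup
        Packet("input", "udp", "l2tp-in1", 53),           # connected client asks the router for DNS
        Packet("input", "tcp", "l2tp-in1", 8291),         # connected client tries the management port
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(input_chain(), pkt))
    print("same management attempt without the final drop ->",
          evaluate(input_chain(with_final_drop=False), samples[2]))
```

The third sample is the thread's problem in miniature: a packet arriving through the PPP interface matches nothing in vpn-in, returns to the input chain, and is caught by "Drop All Else". Removing that last rule makes the same packet fall through to the default accept, which is why the original poster's VPN "works" only with the drop rule disabled.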
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Drop all rule blocking PPTP

Fri Sep 10, 2021 8:38 pm

Firewall rules........ FORWARD CHAIN DEFAULT RULES sort of........

add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="Allow Port Forwarding" \
connection-nat-state=dstnat connection-state=new in-interface-list=WAN
(can be removed or disabled if not doing any port forwarding.)
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=drop chain=forward comment=\

Now you have a forward chain that drops all traffic from LAN to LAN, LAN to WAN and WAN to LAN.
If you wish to ENABLE any traffic then you have to add the rules where the +++++++ line is located (before the drop all else rule at the end).

For example if you wish to allow all your subnets to the internet
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN ***

HERE is where we can be of help to you and that is efficiently adding rules to allow traffic.
Thus please state a set of requirements (use cases) that individual users or groups of users, AND individual devices or groups of devices
should be
a. able to do
b. not able to do
Without using any words of networking equipment or the configuration.

Then we can be efficient and clean.
