The OP mentioned access to network server shares. Broadcast traffic over the VPN is not necessary to provide access to network server shares. They can be accessed using the IP address or name if name lookup is available.

You all obviously discarded the most important request for Taylor's network: his boss has to be able to browse the network from home. That requires all machines to be on the same network so that Windows can resolve machine names via SMB broadcasts.
Browsing, which will not work on MT anyway, because their PtP implementations lack broadcast forwarding, and bridging is not available for Windows clients.
The irony is that in networks small enough for such browsing to be useful it is fairly trivial to make the necessary shortcuts to render browsing unnecessary. Even in a small business network, creating unfiltered layer 2 connectivity just to support broadcasts for network browsing is pretty ugly from the security perspective. Explaining to the "boss" how to provide the business connectivity necessary for the business while reducing the vulnerability profile can indeed be an art form, but once the boss buys in everybody else will fall in line, so it can be well worth the effort.

Taylor mentioned "as if he was connected", which usually doesn't imply access using IP addresses. From my own experience I can tell you that bosses want browsing, visible names in My Network and so on.
That would certainly be preferable - even better if we can lock that port to permitted client MAC addresses.

At the boss's house the EoIP end is on a bridge with one Ethernet port or one VirtualAP.
/ip firewall filter
add chain=input connection-state=established comment="Accept established connections"
add chain=input connection-state=related comment="Accept related connections"
add chain=input connection-state=invalid action=drop comment="Drop invalid connections"
add chain=input protocol=icmp limit=20/5s,2 comment="Allow limited pings"
add chain=input protocol=icmp action=drop comment="Drop excess pings"
add chain=input protocol=tcp dst-port=8291 comment="winbox"
add chain=input action=log log-prefix="DROP INPUT" comment="Log everything else"
add chain=input action=drop comment="Drop everything else"
add chain=forward action=log log-prefix=email protocol=tcp dst-port=25
add chain=forward action=drop protocol=tcp dst-port=25
Not with the filter rules you showed above! The input chain only covers traffic to the router itself. At the moment the forward chain is pretty much open, so for instance inbound WAN>LAN traffic is not being restricted.

So yes I am blocking everything from coming in, ........
/ip firewall filter
add chain=input connection-state=established comment="Accept established connections"
add chain=input connection-state=related comment="Accept related connections"
add chain=input connection-state=invalid action=drop comment="Drop invalid connections"
add chain=input protocol=icmp limit=20/5s,2 comment="Allow limited pings"
add chain=input protocol=icmp action=drop comment="Drop excess pings"
add chain=input protocol=tcp dst-port=8291 comment="winbox"
add chain=input action=log log-prefix="DROP INPUT" comment="Log everything else"
add chain=input action=drop comment="Drop everything else"
add chain=forward connection-state=established comment="Accept established connections"
add chain=forward connection-state=related comment="Accept related connections"
add chain=forward connection-state=invalid action=drop comment="Drop invalid connections"
add chain=forward action=log dst-port=25 log-prefix=email protocol=tcp src-address=!192.168.2.250
add chain=forward action=drop dst-port=25 protocol=tcp src-address=!192.168.2.250
add chain=forward action=log log-prefix="DROP FORWARD" comment="Log everything else"
add chain=forward action=drop comment="Drop everything else"
/ip firewall filter
add chain=input connection-state=established comment="Accept established connections"
add chain=input connection-state=related comment="Accept related connections"
add chain=input connection-state=invalid action=drop comment="Drop invalid connections"
add chain=input protocol=icmp limit=20/5s,2 comment="Allow limited pings"
add chain=input protocol=icmp action=drop comment="Drop excess pings"
add chain=input protocol=tcp dst-port=8291 comment="winbox"
add chain=input action=log log-prefix="DROP INPUT" comment="Log everything else"
add chain=input action=drop comment="Drop everything else"
add chain=forward connection-state=established comment="Accept established connections"
add chain=forward connection-state=related comment="Accept related connections"
add chain=forward connection-state=invalid action=drop comment="Drop invalid connections"
add chain=forward comment="Accept New LAN>WAN FORWARD" connection-state=new in-interface=bridge-local out-interface=ether1-gateway
add chain=forward action=log dst-port=25 log-prefix=email protocol=tcp src-address=!192.168.2.250
add chain=forward action=drop dst-port=25 protocol=tcp src-address=!192.168.2.250
add chain=forward action=log log-prefix="DROP FORWARD" comment="Log everything else"
add chain=forward action=drop comment="Drop everything else"
Correct - you also need to add forward rules to permit the DST NATed traffic. These should use the internal IP as one of the selective elements since DST NAT occurs before the forward chain.

I did the below, and I tried it on my home router, but now my NAT rules are blocked by this new forward chain.
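The point made twice above (the forward chain, not input, decides WAN>LAN traffic, and dst-nat has already rewritten the destination by the time a packet reaches forward) as an added RouterOS example; it is not config from anyone in this thread. It assumes a hypothetical internal web server at 192.168.2.10 (constructed address), keeps the thread's interface names ether1-gateway (WAN) and bridge-local (LAN), and leaves out the SMTP rules to stay on the NAT point.

```routeros
# Added example, not from the thread. 192.168.2.10 is a constructed address
# for a hypothetical internal web server.

/ip firewall nat
# Usual LAN>WAN source NAT
add chain=srcnat out-interface=ether1-gateway action=masquerade
# Publish TCP/443 on the WAN address and translate it to the internal server
add chain=dstnat in-interface=ether1-gateway protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.2.10 to-ports=443 \
    comment="DST NAT public 443 to internal web server"

/ip firewall filter
# Forward chain in evaluation order. Because dstnat runs before forward,
# the packet already carries 192.168.2.10 as destination here, so the
# accept rule matches the internal address and port, never the WAN address.
add chain=forward connection-state=established comment="Accept established connections"
add chain=forward connection-state=related comment="Accept related connections"
add chain=forward connection-state=invalid action=drop comment="Drop invalid connections"
add chain=forward connection-state=new in-interface=bridge-local \
    out-interface=ether1-gateway comment="Accept new LAN>WAN"
add chain=forward connection-state=new in-interface=ether1-gateway \
    protocol=tcp dst-address=192.168.2.10 dst-port=443 \
    comment="Accept new WAN>LAN only to the DST NATed server and port"
# Broader alternative: accept whatever the dstnat chain translated. Less to
# keep in sync, but it also admits every dst-nat rule added later.
# add chain=forward connection-state=new connection-nat-state=dstnat \
#     in-interface=ether1-gateway comment="Accept any DST NATed connection"
add chain=forward action=log log-prefix="DROP FORWARD" comment="Log everything else"
add chain=forward action=drop comment="Drop everything else"
```

With the rules in this order, connections from the WAN that were not translated by a dstnat rule still hit the final log and drop rules, so the "DROP FORWARD" log shows what the new forward chain rejects.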