kosztyua
Frequent Visitor
Topic Author
Posts: 73
Joined: Wed Jul 06, 2011 8:00 pm

SSTP tunnel firewall question

Fri Jan 09, 2015 5:34 pm

Hi,

I have a concern about the SSTP tunnel setup. I have two MikroTik routers (a 750 and a CCS) running the current version (6.24) and an SSTP tunnel between them set up according to the wiki manual. It works perfectly; on both sides the whole subnet is available through the tunnel.
My issue is: how do I limit this tunnel using firewall settings?
I created a simple firewall forward rule that accepts related and established traffic and nothing else, but with this all communication still goes through the tunnel. A client in the SideA subnet can ping a client in the SideB subnet, where the clients are PCs, not the routers.
How do I limit it so that SideB clients (say, the branch) can only access a few servers in SideA (the main office)? If I add the deny rule before the related/established rules, the communication stops, but of course that denies all communication.

Thanks,
Andras

Note: I have submitted this as a support ticket too.
 
ebreyit
Member Candidate
Posts: 119
Joined: Tue Apr 30, 2013 11:44 am
Location: Shropshire, United Kingdom

Re: SSTP tunnel firewall question

Fri Jan 09, 2015 11:08 pm

Hi,
The firewall is an ordered list of rules. To allow some traffic but block all else you will need to create specific 'allow' rules (specifying source and/or destination by IP, for example) higher up the list, followed immediately by your 'drop' rule.

I would create these rules at the branches so that the tunnel isn't passing unnecessary traffic.

For example, the following rules allow existing (established and related) traffic.
They also allow traffic from 172.24.0.20 at one site to the other site.
All other traffic is dropped:
/ip firewall filter
# existing connections (and their related traffic) are always allowed
add action=accept chain=forward connection-state=established,related
# new traffic is allowed only from this source host to this destination host
add action=accept chain=forward src-address=172.24.0.20 dst-address=10.0.0.2
# everything else that reaches the forward chain is dropped
add action=drop chain=forward
You will need to expand on this simple example depending on your requirements.
 
kosztyua
Frequent Visitor
Topic Author
Posts: 73
Joined: Wed Jul 06, 2011 8:00 pm

Re: SSTP tunnel firewall question

Sun Jan 11, 2015 11:42 pm

Thank you for the answer!

Maybe I wasn't clear enough.
I have the following rules on the branch site:
allow established forward
allow related forward
drop all forward

And still, I can ping PCs behind this branch router from the main site.
It is as if new (i.e. not related or established) communication is always allowed when going through the SSTP tunnel.
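The following is an added, worked RouterOS configuration illustrating both ebreyit's ordered allow-then-drop approach and a way to check why kosztyua's drop rule appears not to fire; it is not configuration posted by anyone in this thread. It assumes the branch router is the SSTP client with the tunnel interface named sstp-out1, the branch LAN is 192.168.10.0/24, and the main-office servers the branch may reach are 10.0.0.10 and 10.0.0.20; all of these names and addresses are assumptions to be replaced with values from your own export.

```routeros
# Added example, not from the thread. Assumed values: tunnel interface
# "sstp-out1", branch LAN 192.168.10.0/24, allowed servers 10.0.0.10/.20.

# connection-state matching only works with connection tracking on.
/ip firewall connection tracking
set enabled=yes

# Keep the list of reachable servers separate from the rules so it can grow
# without touching rule order.
/ip firewall address-list
add list=main-office-servers address=10.0.0.10 comment="assumed server A"
add list=main-office-servers address=10.0.0.20 comment="assumed server B"

/ip firewall filter
# 1. Replies and related packets for already-accepted connections.
add chain=forward connection-state=established,related action=accept \
    comment="tunnel: allow established/related"
# 2. Branch clients may open new connections only to the listed servers.
add chain=forward connection-state=new out-interface=sstp-out1 \
    src-address=192.168.10.0/24 dst-address-list=main-office-servers \
    action=accept comment="tunnel: branch -> allowed servers"
# 3. Nothing else may be initiated over the tunnel in either direction.
#    Logging the drops makes the rule's effect visible while testing.
add chain=forward connection-state=new in-interface=sstp-out1 \
    action=drop log=yes log-prefix="sstp-drop-in" \
    comment="tunnel: drop main -> branch"
add chain=forward connection-state=new out-interface=sstp-out1 \
    action=drop log=yes log-prefix="sstp-drop-out" \
    comment="tunnel: drop branch -> other"
# Rules are evaluated top to bottom and the first match wins: the accepts must
# sit above the drops, and the drops must sit below established/related.

# Verification: ping a branch PC from a main-office PC, then look at which
# rule's counters moved. A rising drop counter (and a matching log line) means
# the rule works; if no tunnel rule's counter moves at all, the traffic is not
# reaching this router's forward chain and the next thing to inspect is the
# path it actually takes (bridging, a different router, or a different chain).
/ip firewall filter print stats where comment~"tunnel"
/log print where message~"sstp-drop"
```

Matching on the tunnel interface rather than on bare addresses keeps the policy scoped to the SSTP link, so LAN-to-Internet traffic on the branch router is unaffected by these rules and can be handled by separate ones.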
 
ebreyit
Member Candidate
Posts: 119
Joined: Tue Apr 30, 2013 11:44 am
Location: Shropshire, United Kingdom

Re: SSTP tunnel firewall question

Mon Jan 12, 2015 12:34 am

Hi kosztyua,
Can you paste both of your configs here (export from the CLI) so that we can have a look at the whole picture?
It might just be something simple; I've often spent time ripping my hair out on things like this only to discover that a subtle change is all that's required.
