Community discussions

 
OriiOn
newbie
Topic Author
Posts: 37
Joined: Thu Feb 25, 2010 11:54 am

IPSec VPN limiting access inside LAN

Fri May 17, 2019 8:58 pm

I have successfully established an IPSec tunnel via a software VPN Client (running on a PC with local IP 10.42.1.43) to a Mikrotik router. If I specify the correct IP-range of the LAN behind the router (192.168.2.0/24) the remote PC has access to the entire LAN.
/ip ipsec policy
add src-address=192.168.2.0/24 dst-address=10.42.1.43/32 sa-dst-address=88.116.xx.xx sa-src-address=88.117.xx.xx tunnel=yes
That's nice, but that is not what I want. Instead I want to limit access through the VPN to only one IP:port inside the LAN (192.168.2.20:80).

I have a second requirement to the solution: I also want to be able to change that IP-address (192.168.2.20) the remote client has access to, without "the client side knowing" or the need to make changes on the client side, to eg 192.168.2.21.

How can I achieve that? Being a novice I figure a solution could be to define a non-existant IP-(range) (like 192.168.33.1/32) in the ipsec policy, and then have a (NAT)-rule that would make sure that VPN traffic coming from 192.168.33.1 is forwarded to 192.168.2.20 (or any other address I might change it to in the future) - only for port 80.
 
sindy
Forum Guru
Forum Guru
Posts: 3019
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPSec VPN limiting access inside LAN

Fri May 17, 2019 10:13 pm

According to the standard, the traffic selector of an IPsec policy can indeed be as narrow as to specify two IP:port tuples and a protocol. The client may not be fully compliant, though.

As for changing the address at Mikrotik side transparently to the client, your suggestion regarding NAT is correct.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
OriiOn
newbie
Topic Author
Posts: 37
Joined: Thu Feb 25, 2010 11:54 am

Re: IPSec VPN limiting access inside LAN

Sat May 18, 2019 12:38 pm

Yes, the NAT rule solved the problem nicely. I forward traffic from the imaginary VPN address 192.168.33.1 to the actual PC inside the LAN (192.168.2.20).
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=192.168.33.1 dst-port=80 protocol=tcp to-addresses=192.168.2.20 comment=VPN
In addition I only allow port 80 in the NAT rule, so that solves my problem of limiting traffic to port 80 only.
As a result the remote VPN client can only access 192.168.33.1:80 - just like I wanted.

Are there any other security concerns? Should I have to add firewall rules that limit access from 192.168.33.1 to any other subnet (like 192.168.2.0/24)?
Thank you for your help!

Who is online

Users browsing this forum: No registered users and 77 guests