Mikrotik Firewall rule: block all connections except to VPN server
PPTP uses
- TCP port 1723
- GRE (protocol ID 47) for tunneling
Accept PPTP in Mikrotik:
/ip firewall filter add chain=input action=accept protocol=tcp dst-port=1723
/ip firewall filter add chain=input action=accept protocol=gre
L2TP/IPSec uses
- TCP port 1701
- UDP port 500 for Security Association (SA) - to negotiate security method (password, certificate, kerberos)
- AH (Protocol ID 50) - Authentication Header
- ESP (Protocol ID 51) - Encapsulated Secure Payload
Accept L2TP/IPSec in Mikrotik:
/ip firewall filter add chain=input action=accept protocol=tcp dst-port=1701
/ip firewall filter add chain=input action=accept protocol=udp dst-port=500
/ip firewall filter add chain=input action=accept protocol=ipsec-ah
/ip firewall filter add chain=input action=accept protocol=ipsec-esp
Block all other incoming connections (TCP):
/ip firewall filter add chain=input protocol=tcp action=reject reject-with=tcp-reset
You can use action=drop instead of reject, but according to Hannes Schmidt, NMAP can still see that the port is open but dropped (filtered) by the firewall.
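Below is a fuller input-chain version of the same idea, added here as an example and not taken from the answer above or from MikroTik's documentation; it uses the actual transports (L2TP control traffic is UDP 1701, IPsec NAT traversal needs UDP 4500, and ESP/AH are IP protocols 50/51, which RouterOS already names ipsec-esp/ipsec-ah) and closes the gap left by a TCP-only reject rule, which still lets UDP and ICMP probes reach the router. The WAN interface name ether1, the LAN range 192.168.88.0/24 and RDP on TCP 3389 are assumptions to adapt.

```routeros
# Added example (not from the answer): input and forward chains for a MikroTik
# router that should only be reachable from the WAN via PPTP or L2TP/IPsec.
# Assumptions: ether1 is the WAN interface, 192.168.88.0/24 is the LAN,
# RDP hosts are reached on TCP 3389.
/ip firewall filter

# Let replies to traffic the router itself started (and VPN streams once
# established) through without re-evaluating the whole chain.
add chain=input connection-state=established,related action=accept comment="accept established/related"
add chain=input connection-state=invalid action=drop comment="drop invalid"

# Never filter the LAN side; this rule set is about the WAN interface only.
add chain=input in-interface=!ether1 action=accept comment="trust LAN"

# PPTP: control channel on TCP 1723 plus GRE (IP protocol 47) for the tunnel.
add chain=input in-interface=ether1 protocol=tcp dst-port=1723 action=accept comment="PPTP control"
add chain=input in-interface=ether1 protocol=gre action=accept comment="PPTP GRE"

# L2TP/IPsec: IKE on UDP 500, NAT-T on UDP 4500, then ESP (protocol 50) and
# AH (protocol 51). L2TP itself is UDP 1701 and is accepted only when it
# arrives inside an IPsec SA, so unencrypted L2TP from the WAN is refused.
add chain=input in-interface=ether1 protocol=udp dst-port=500,4500 action=accept comment="IKE / NAT-T"
add chain=input in-interface=ether1 protocol=ipsec-esp action=accept comment="ESP"
add chain=input in-interface=ether1 protocol=ipsec-ah action=accept comment="AH"
add chain=input in-interface=ether1 protocol=udp dst-port=1701 ipsec-policy=in,ipsec action=accept comment="L2TP inside IPsec only"

# Everything else from the WAN, whatever the protocol, is dropped. A TCP-only
# reject would still let UDP and ICMP reach the router.
add chain=input in-interface=ether1 action=drop comment="drop all other WAN input"

# Forward chain: VPN clients (any PPP interface, so both PPTP and L2TP) may
# reach RDP on the LAN and nothing else; other WAN-originated forwarding is dropped.
add chain=forward connection-state=established,related action=accept comment="forward established/related"
add chain=forward in-interface=all-ppp dst-address=192.168.88.0/24 protocol=tcp dst-port=3389 action=accept comment="RDP over VPN"
add chain=forward in-interface=all-ppp action=drop comment="VPN clients get RDP only"
add chain=forward in-interface=ether1 action=drop comment="drop other WAN forward"
```

RouterOS evaluates filter rules top to bottom and stops at the first match, so the accept rules must stay above the final drop. Apply the set from a session that does not itself arrive over ether1, or use Safe Mode, so a mistake cannot lock you out.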
niren
Updated on September 18, 2022
Comments
-
niren over 1 year
As the title says, I need to block all connections to the Mikrotik router from outside except connections to the VPN server, then allow Remote Desktop to the LAN's systems over VPN (either L2TP/IPSec or PPTP) from outside the LAN.
What would be the rule in the Mikrotik router's firewall to block all connections except RDP over VPN?
Additional info:
There is a LAN set up in our office and the final gateway is a Mikrotik router. I know how to create the VPN server, set up the VPN client on the clients' systems and make an RDP connection from the client's system. I want the external firewall to only let in connections to the VPN server.
Tags: vpn firewall rdp mikrotik
-
Mehdi Haghshenas over 9 years: please answer my question
-
BlackFur about 9 years: @MehdiHaghshenas: which question?