Mikrotik Firewall rule: block all connection except to VPN server

Question 1

As the title says I need to block all the connection to mikrotik router from outside except connection to VPN server. Then allow Remote desktop to LAN's system over VPN(either L2TP/IPSec or PPTP) from outside LAN.

What would be the rule in Mikrotik router's Firewall to block all the connection except rdp over vpn?

Addition info:

There is LAN setup in our office and the final gateway is Mikrotik router. I know how to create VPN server, VPN client in clients system and make rdp from clients system. I want that external firewall should only let in connections to VPN server vpn firewall rdp mikrotik

Question 2

PPTP uses

TCP port 1723
GRE (protocol ID 47) for tunneling

Accept PPTP in Mikrotik:

/ip firewall filter add chain=input action=accept protocol=tcp dst-port=1723
/ip firewall filter add chain=input action=accept protocol=gre

L2TP/IPSec uses

TCP port 1701
UDP port 500 for Security Association (SA) - to negotiate security method (password, certificate, kerberos)
AH (Protocol ID 50) - Authentication Header
ESP (Protocol ID 51) - Encapsulated Secure Payload

Accept L2TP/IPSec in Mikrotik:

/ip firewall filter add chain=input action=accept protocol=tcp dst-port=1701
/ip firewall filter add chain=input action=accept protocol=udp dst-port=500
/ip firewall filter add chain=input action=accept protocol=ipsec-ah
/ip firewall filter add chain=input action=accept protocol=ipsec-esp

Block all other incoming connection (TCP)

/ip firewall filter add chain=input protocol=tcp action=reject reject-with=tcp-reset

You can use action=drop instead of reject, but according to Hannes Schmidt, NMAP can still see the port is open but dropped (filtered) by firewall

Question 3

please answer my qyestion

Question 4

@MehdiHaghshenas: which question?

Question 5

superuser.com/questions/876150/…

BlackFur 1514 bronze badges · Answer 1 · 2013-12-10 06:15:35Z

PPTP uses

TCP port 1723
GRE (protocol ID 47) for tunneling

Accept PPTP in Mikrotik:

/ip firewall filter add chain=input action=accept protocol=tcp dst-port=1723
/ip firewall filter add chain=input action=accept protocol=gre

L2TP/IPSec uses

TCP port 1701
UDP port 500 for Security Association (SA) - to negotiate security method (password, certificate, kerberos)
AH (Protocol ID 50) - Authentication Header
ESP (Protocol ID 51) - Encapsulated Secure Payload

Accept L2TP/IPSec in Mikrotik:

/ip firewall filter add chain=input action=accept protocol=tcp dst-port=1701
/ip firewall filter add chain=input action=accept protocol=udp dst-port=500
/ip firewall filter add chain=input action=accept protocol=ipsec-ah
/ip firewall filter add chain=input action=accept protocol=ipsec-esp

Block all other incoming connection (TCP)

/ip firewall filter add chain=input protocol=tcp action=reject reject-with=tcp-reset

You can use action=drop instead of reject, but according to Hannes Schmidt, NMAP can still see the port is open but dropped (filtered) by firewall

please answer my qyestion

Mehdi Haghshenas
– Mehdi Haghshenas

2015年02月10日 15:37:40 +00:00
Commented Feb 10, 2015 at 15:37
@MehdiHaghshenas: which question?

BlackFur
– BlackFur

2015年02月25日 08:18:41 +00:00
Commented Feb 25, 2015 at 8:18
superuser.com/questions/876150/…

Mehdi Haghshenas
– Mehdi Haghshenas

2015年02月25日 17:50:23 +00:00
Commented Feb 25, 2015 at 17:50

Stack Exchange Network

Mikrotik Firewall rule: block all connection except to VPN server

1 Answer 1

You must log in to answer this question.

Linked

Hot Network Questions

Mikrotik Firewall rule: block all connection except to VPN server

1 Answer 1

You must log in to answer this question.

Linked

Related

Hot Network Questions