rd228
Frequent Visitor
Topic Author
Posts: 81
Joined: Mon Nov 16, 2015 12:13 pm

Manage Radius Users Traffic over VPN

Mon Nov 16, 2015 12:18 pm

Hello,

I have an L2TP VPN set up on my MikroTik; authentication is done via my AD server using RADIUS.

I was wondering, is there a way to control what each user has access to on my network? I.e. user 1 can only access one IP address on the network or a set subnet, and user 2 can access the whole network/subnets.

I tried using NPS on my AD server, but as the traffic isn't flowing through this server and it is only being used to authenticate the user, I can't use any IP filters in NPS.

Can this traffic management be done via the mikrotik? If so how?

Thanks

pukkita
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Manage Radius Users Traffic over VPN

Mon Nov 16, 2015 1:48 pm

You mean impose restrictions by using radius? See Mikrotik-Address-List Attribute.

rd228 (Topic Author)

Re: Manage Radius Users Traffic over VPN

Mon Nov 16, 2015 9:18 pm

Yes

Basically I have a list of users in RADIUS that have access to my MikroTik L2TP VPN for network access.

I would like, say, user

Bob - allow access to only my FTP server at 172.28.8.96, but not be able to access any other services I have running on the network should he know the IP of those services. So if he were to try to go to 172.28.8.32, my storage server, it will just time out, or impose some kind of restriction so that he can't access it.

Or even a range/list of IP addresses he can access but not others, should I want to give him access to a second service.

At the moment any user that logs in has access to the whole of the 172.28.8.0/24 subnet.

rd228 (Topic Author)

Re: Manage Radius Users Traffic over VPN

Wed Nov 18, 2015 2:22 am

Any ideas?

Thanks

pukkita (Trainer)

Re: Manage Radius Users Traffic over VPN

Thu Nov 19, 2015 5:22 pm

1.- Create the mentioned attribute for the user in RADIUS, say Mikrotik-Address-List := FTPAllowedUsers

When that client connects to the VPN, the router itself will automatically add the VPN client IP to the address-list FTPAllowedUsers.

2.- Create a firewall rule to use that address-list, e.g.
add chain=forward comment="Permit FTP to Allowed users" src-address-list=FTPAllowedUsers dst-address=172.28.8.96
3.- Add a drop everything rule as the last one in the forward firewall chain.

rd228 (Topic Author)

Re: Manage Radius Users Traffic over VPN

Tue Nov 24, 2015 1:54 pm

Ah, amazing, got this working.

The user connects and an address list is created on the MikroTik.

I have set the forward rule in the firewall as you said above... the only issue I'm having now is that the restriction isn't working.

The user can still pass traffic over the whole network... If I set the dst-address as 172.28.8.82, the user can still access my storage server on another IP address.

I have a drop rule at the bottom of my firewall list, but it's showing 0 B, as if the device isn't hitting this rule.

Just to help you understand my setup: my internal network is on the range 172.28.8.0/24 and my VPN users get given 172.28.9.0/24; a route has been set up so users on the 9.0/24 network can see the internal network on 8.0/24.

Here is my forward chain

/ip firewall filter
add chain=forward dst-address=172.28.8.82 src-address-list= FTPAllowedUsers
add chain=forward comment=\
    "Allow new connections through router coming in LAN interface" \
    connection-state=new in-interface=ether2-master-local
add chain=forward comment=\
    "Allow established connections through router" connection-state=\
    established
add chain=forward comment="Allow related connections through router" \
    connection-state=related
add action=drop chain=forward comment="drop invalid connections" \
    connection-state=invalid
add action=jump chain=forward comment="jump to the virus chain" \
    jump-target=virus
add chain=forward protocol=tcp
add chain=forward comment="Allow Plex" dst-port=32400 protocol=tcp
add chain=forward comment="Allow BT Vision " protocol=udp
add chain=forward comment="Allow TCP Protocol 6  for PPTP" protocol=tcp
add chain=forward comment="Allow Ping Over PPTP" protocol=icmp
add action=drop chain=forward comment=\
    "Drop all other connections through the router"

pukkita (Trainer)

Re: Manage Radius Users Traffic over VPN

Tue Nov 24, 2015 4:50 pm

add chain=forward dst-address=172.28.8.82 src-address-list= FTPAllowedUsers
There's a space before FTPAllowedUsers, not sure if it got there when copying and pasting; check it...
add chain=forward protocol=tcp
I don't think you want this: you're allowing traffic from anywhere, from/to any interface, as long as it is in the forward chain (not for the router itself) and it is TCP...

rd228 (Topic Author)

Re: Manage Radius Users Traffic over VPN

Tue Nov 24, 2015 5:09 pm

Just double checked and there is no space on the MikroTik; it's definitely pointing to the correct list. I think it was just a mistake with the copy/paste to the thread.

The address list is being created and the IP populated into the list.

I can see data travelling through the forward firewall rule that I set up to link to the address list, so it's allowing traffic, but it's not then blocking the traffic I want it to, i.e. only allowing access to FTP at 172.28.8.82. :?

With regards to the TCP rule you pointed out, I enabled that for some reason but can't remember why now. I've disabled it for now and will wait to see if anything breaks because of it.

pukkita (Trainer)

Re: Manage Radius Users Traffic over VPN

Tue Nov 24, 2015 6:26 pm

Which interface does VPN connections come from to the mikrotik?

A complete export will speed up and ease diagnosing.

rd228 (Topic Author)

Re: Manage Radius Users Traffic over VPN

Tue Nov 24, 2015 6:51 pm

Apologies,

Here are my input and forward chains. I've left out the virus jump chain as that won't show you much; it's just blocking a few known ports for viruses. It's the standard virus script on the MikroTik wiki.

Ether1 connects to an ADSL2 modem via Cat 5.
PPPoE is set to use Ether1 and dial out.

LAN connects via Ether2.

/ip firewall filter
add chain=forward dst-address=172.28.8.82 src-address-list=FTPAllowedUsers
add chain=forward comment="Allow new connections through router coming in LAN interface" connection-state=new in-interface=ether2-master-local
add chain=forward comment="Allow established connections through router" connection-state=established
add chain=forward comment="Allow related connections through router" connection-state=related
add action=drop chain=forward comment="drop invalid connections" connection-state=invalid
add action=jump chain=forward comment="jump to the virus chain" jump-target=virus
add chain=forward comment="Allow Plex" dst-port=32400 protocol=tcp
add chain=forward comment="Allow BT Vision " protocol=udp
add chain=forward comment="Allow TCP Protocol 6  for PPTP" protocol=tcp
add chain=forward comment="Allow Ping Over PPTP" protocol=icmp
add action=drop chain=forward comment="Drop all other connections through the router"


add chain=input comment="Allow everything from the LAN interface to the router" in-interface=ether2-master-local
add chain=input comment="Allow established  connections to the router, these are OK because we aren't allowing new connections" connection-state=established
add chain=input comment="Allow related connections to the router, these are OK because we aren't allowing new connections" connection-state=related
add action=jump chain=input comment="jump to chain services" jump-target=services

add chain=services comment="Allow L2TP" dst-port=500,1701,4500 in-interface=pppoe-out1 protocol=udp
add chain=services comment="allow IPSec connections" dst-port=500 protocol=udp
add chain=services comment="allow IPSec" protocol=ipsec-esp
add chain=services comment="allow IPSec" protocol=ipsec-ah

rd228 (Topic Author)

Re: Manage Radius Users Traffic over VPN

Tue Nov 24, 2015 10:34 pm

Just to add to this....


If I add a forward drop rule with the source as the FTPAllowedUsers list and leave the destination blank, and put this rule directly under the accept forward rule for FTPAllowedUsers, this works and blocks all traffic to the network apart from 172.28.8.82.

So something in my forward chain is allowing the traffic to still pass and stopping it from hitting the drop-all rule at the bottom. The only way I've got it to work is, as I say above, to put another drop rule right underneath the first forward rule.

Also, another issue I've found with using the drop rule right below the first forward rule...

If I connect using this restricted user account via my Windows 10 laptop and have "use gateway on remote network" OFF, I can still surf the internet just fine, and the rest of the traffic over the VPN is blocked apart from 8.82.

If I do this via my mobile phone (iOS) and connect with the same user, again with the gateway for the remote network switched off, my internet access is blocked, and it seems the drop rule is stopping me from accessing the internet. The traffic to anything but 8.82 is also blocked, which is what I want to happen, but for some strange reason this drop rule is preventing internet traffic via iOS, unless I remove the rule, of course, and then it works. I wouldn't have thought this could happen if I have the remote gateway switched off. It doesn't do this on my laptop...

rd228 (Topic Author)

Re: Manage Radius Users Traffic over VPN

Thu Nov 26, 2015 7:58 pm

Anyone got any ideas?

rd228 (Topic Author)

Re: Manage Radius Users Traffic over VPN

Sat Nov 28, 2015 1:26 am

Is anyone able to help me with this please??

pukkita (Trainer)

Re: Manage Radius Users Traffic over VPN

Sat Nov 28, 2015 2:02 pm

So something in my forward chain is allowing the traffic to still pass and stopping it from hitting the drop-all rule at the bottom. The only way I've got it to work is, as I say above, to put another drop rule right underneath the first forward rule.
These rules:
add chain=forward comment="Allow BT Vision " protocol=udp
add chain=forward comment="Allow TCP Protocol 6 for PPTP" protocol=tcp
add chain=forward comment="Allow Ping Over PPTP" protocol=icmp
add action=drop chain=forward comment="Drop all other connections through the router"
mean:

Allow any connection through the router as long as it is UDP, no matter the in or out interface
Allow any connection through the router as long as it is TCP, no matter the in or out interface
Allow any connection through the router as long as it is ICMP, no matter the in or out interface
Drop everything else, no matter the in or out interface

You should be very specific, especially when allowing: protocol, src/dst ports, src/dst address or address lists, in or out interface...

Firewalls are pure logic in their behaviour; there are really no shortcuts to understanding them. Take a spare hour with a fresh mind and have a look at http://wiki.mikrotik.com/wiki/How_to_co ... P_firewall

If you take a default-deny approach for the firewall (which you should), you should never forget that the firewall (iptables) processes filter rules from top to bottom: the first rule that matches is what gets applied; the rest is ignored.

So there are two important things to keep in mind:

1.- Allow rules come first, and the more specific they are the better.
2.- Deny (drop) rules come last, and the more generic they are the better.

There are two things that can help you enormously when playing with the firewall: IP > Filter rule counters, and enabling logging for specific rules to see whether traffic is hitting a certain rule or not.
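The following is an added example, not code from the thread or from MikroTik. It covers both pukkita's three-step procedure above (RADIUS sets Mikrotik-Address-List, the router fills the address list, a narrow accept rule uses it, a generic drop comes last) and the first-match explanation in the last post. It is a small evaluator for a subset of RouterOS `/ip firewall filter` syntax: it replays the forward chain rd228 posted against a restricted VPN user's packet to show which rule lets the traffic through, then evaluates the same packet against a default-deny ordering. The address-list contents, the second list `FullAccessUsers`, the `<l2tp-...>` interface names, the sample packets and the hardened rule set are all assumptions made for the demonstration.

```python
"""Added example, not from the thread or MikroTik: first-match evaluator for a
subset of RouterOS '/ip firewall filter' syntax.  Address lists, the second
list FullAccessUsers, interface names and packets are constructed."""
import ipaddress
import shlex

# Forward chain as posted in the thread (LAN side is ether2-master-local).
POSTED_FORWARD = """
add chain=forward dst-address=172.28.8.82 src-address-list=FTPAllowedUsers
add chain=forward comment="Allow new connections through router coming in LAN interface" connection-state=new in-interface=ether2-master-local
add chain=forward comment="Allow established connections through router" connection-state=established
add chain=forward comment="Allow related connections through router" connection-state=related
add action=drop chain=forward comment="drop invalid connections" connection-state=invalid
add action=jump chain=forward comment="jump to the virus chain" jump-target=virus
add chain=forward comment="Allow Plex" dst-port=32400 protocol=tcp
add chain=forward comment="Allow BT Vision " protocol=udp
add chain=forward comment="Allow TCP Protocol 6  for PPTP" protocol=tcp
add chain=forward comment="Allow Ping Over PPTP" protocol=icmp
add action=drop chain=forward comment="Drop all other connections through the router"
"""

# Default-deny ordering (assumption, not from the thread): conntrack rules
# first, then narrow per-address-list accepts, then one generic drop.  With the
# ftp service-port helper enabled, FTP data connections are 'related', so the
# first rule covers them once the port-21 control connection was accepted.
HARDENED_FORWARD = """
add chain=forward comment="established/related" connection-state=established,related
add action=drop chain=forward comment="invalid" connection-state=invalid
add chain=forward comment="FTP-only users: FTP server only" connection-state=new src-address-list=FTPAllowedUsers dst-address=172.28.8.82 protocol=tcp dst-port=21
add chain=forward comment="full-access users: whole LAN" connection-state=new src-address-list=FullAccessUsers dst-address=172.28.8.0/24
add chain=forward comment="LAN may open anything" connection-state=new in-interface=ether2-master-local
add action=drop chain=forward comment="default deny"
"""

# Constructed: entries the router adds dynamically when RADIUS returns the
# Mikrotik-Address-List attribute for a user's VPN session.
ADDRESS_LISTS = {"FTPAllowedUsers": {"172.28.9.10"}, "FullAccessUsers": {"172.28.9.20"}}
BUILTIN_CHAINS = ("input", "forward", "output")


def parse_rules(text):
    """Turn 'add key=value ...' lines into dicts; action defaults to accept."""
    rules = []
    for line in text.strip().splitlines():
        if not line.startswith("add "):
            continue
        rule = {"action": "accept"}
        for token in shlex.split(line[4:]):      # shlex keeps quoted comments whole
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def matches(rule, pkt, lists):
    """Every matcher present on the rule must match; a rule with none matches all."""
    in_net = lambda addr, net: ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)
    checks = {
        "protocol": lambda v: pkt["protocol"] == v,
        "in-interface": lambda v: pkt["in_iface"] == v,
        "connection-state": lambda v: pkt["state"] in v.split(","),
        "dst-port": lambda v: pkt["dport"] is not None and str(pkt["dport"]) in v.split(","),
        "src-address": lambda v: in_net(pkt["src"], v),
        "dst-address": lambda v: in_net(pkt["dst"], v),
        "src-address-list": lambda v: pkt["src"] in lists.get(v, set()),
        "dst-address-list": lambda v: pkt["dst"] in lists.get(v, set()),
    }
    return all(check(rule[key]) for key, check in checks.items() if key in rule)


def evaluate(rules, chain, pkt, lists):
    """Top to bottom, first match decides.  Returns (action, rule index)."""
    for index, rule in enumerate(rules):
        if rule["chain"] != chain or not matches(rule, pkt, lists):
            continue
        if rule["action"] == "jump":
            verdict = evaluate(rules, rule["jump-target"], pkt, lists)
            if verdict[0] in ("accept", "drop", "reject"):
                return verdict
            continue                               # sub-chain returned undecided
        return rule["action"], index
    # Built-in chains accept whatever reaches their end; user chains return.
    return ("accept", None) if chain in BUILTIN_CHAINS else ("return", None)


def decide(chain_text, pkt, lists=ADDRESS_LISTS):
    """Verdict for one packet in the forward chain of the given rule set."""
    return evaluate(parse_rules(chain_text), "forward", pkt, lists)


def packet(src, dst, protocol="tcp", dport=None, state="new", in_iface="<l2tp-bob>"):
    """Constructed packet with the conntrack state already classified."""
    return {"src": src, "dst": dst, "protocol": protocol, "dport": dport,
            "state": state, "in_iface": in_iface}


if __name__ == "__main__":
    bob_to_storage = packet("172.28.9.10", "172.28.8.32", dport=445)
    print("posted chain:  ", decide(POSTED_FORWARD, bob_to_storage))    # ('accept', 8): the bare protocol=tcp rule
    print("hardened chain:", decide(HARDENED_FORWARD, bob_to_storage))  # ('drop', 5)
    print("bob to FTP:    ", decide(HARDENED_FORWARD, packet("172.28.9.10", "172.28.8.82", dport=21)))  # ('accept', 2)
```

In the posted chain, Bob's SMB connection to the storage server never reaches the final drop: the "Allow TCP Protocol 6 for PPTP" rule matches first, because it has no interface, address or port matcher. In the hardened ordering the same packet falls through every specific accept and hits the default deny, while Bob's FTP control connection, Alice's full-LAN access and normal LAN-originated traffic are each accepted by exactly one narrow rule. The evaluator models only the matchers the thread uses; it does not replace testing on the router with rule counters and logging, as suggested above.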