Eliminateur
Frequent Visitor
Topic Author
Posts: 96
Joined: Thu Jun 28, 2007 7:38 am

dynamic FW rules based on outgoing traffic

Fri Mar 10, 2017 7:59 pm

Hello,
I have something peculiar to pull off in a RouterBOARD that's acting as a PPTP client concentrator:
I want the remote network to have access ONLY to a computer that has initiated traffic on the LAN side. I don't know if that's clear enough, so here goes an example:

I'm dialing N PPTP connections with MikroTik. One of the remote hosts has IP 192.168.1.1; in the MikroTik LAN network (let's say 10.10.10.x), from my PC (10.10.10.100) I open Remote Desktop to 192.168.1.1, so far so good. What I want is for 192.168.1.1 to have full access to 10.10.10.100 in response to that connection. Same if I were to connect from 10.10.10.120, for example, or whatever other computer.

Can this somehow be done with packet/connection marks? Like marking connections that go through the PPTP and then using that connection mark to trigger a FW rule? (But how do I tell MikroTik which is the originator dynamically?)
 
petterg
Member Candidate
Posts: 230
Joined: Wed Sep 16, 2009 2:55 pm

Re: dynamic FW rules based on outgoing traffic

Fri Mar 10, 2017 10:59 pm

I think you could accomplish this by using firewall action = add dst/src to address list
Combine this with the use of ppp -> profiles -> add -> scripts (winbox navigation)

The idea is that when a dial up connection is established, a script will run that creates:
- a fw rule with dst-address=[client ip] src-address-list=[some dial in connection identification] action=accept
- a fw rule with dst-address(-list)=[servers subnet (or list of server ip's)] src-address=[client ip] action=add-dst-to-address-list address-list=[some dial in connection identification]

And for disconnection you'll need a script to clean up the rules and address list

How the script would get the values in [...] I don't know. In the worst case it will have to parse the log.
 
Eliminateur
Frequent Visitor
Topic Author
Posts: 96
Joined: Thu Jun 28, 2007 7:38 am

Re: dynamic FW rules based on outgoing traffic

Mon Mar 13, 2017 8:01 pm

Destination rules are of no consequence; those will be static for the entire LAN to each remote subnet in its entirety.

The return rules are the thing.

Your solution would not work, because the connections are established at system boot and will be maintained up continuously. Also, multiple stations will use the same connections at the same time, so rules must be done on the fly dynamically, not at tunnel up or down.
 
petterg
Member Candidate
Posts: 230
Joined: Wed Sep 16, 2009 2:55 pm

Re: dynamic FW rules based on outgoing traffic

Wed Mar 15, 2017 2:26 am

What I showed is the logic to create those return rules.
Now, as you say there is a LAN-to-LAN dial-up, you skip the connection scripts and just create a set of those two rules explained for each client IP you want (or make a script to generate them for you).
I recommend putting them in a new chain and making a jump rule in forward to limit how often the router has to walk through all these rules.
 
Eliminateur
Frequent Visitor
Topic Author
Posts: 96
Joined: Thu Jun 28, 2007 7:38 am

Re: dynamic FW rules based on outgoing traffic

Wed Mar 15, 2017 1:40 pm

That's the issue: I can't think of a way to identify the clients to add them to an address list.
The thing is that the client IP is unknown and varying; I can't make a list beforehand.

Hmm, or a FW rule from LAN to the list of remote networks/hosts with action add source to address list should work (or it will simply add the entire LAN IP range... I'll have to test this)? Then I can simply do the rule you pasted:
- a fw rule with dst-address=[client ip] src-address-list=[some dial in connection identification] action=accept

and I would need no script then.
 
petterg
Member Candidate
Posts: 230
Joined: Wed Sep 16, 2009 2:55 pm

Re: dynamic FW rules based on outgoing traffic

Tue Mar 21, 2017 9:22 am

You said the remote part would have to make a connection to a server first, then you wanted a rule to be created from that server to the client. In that sense you know the client's IP, and can use the IP as identifier. It will work as long as the client keeps the same IP while connected. When the IP changes, it will have to make a new connection.
If you are somewhat in control of these clients you could schedule a ping towards your server once an hour or so (or even a telnet connection attempt (which fails and times out) on a port of your choice).
If you don't know the client's IP at any point, you can't really make connections towards it either.
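The script-free variant discussed in this thread (LAN-to-remote traffic populates an address list with a timeout, and a return rule accepts remote-initiated connections only towards listed LAN hosts), written out as an added RouterOS firewall example that is not from any of the posts. It assumes the LAN is 10.10.10.0/24 and the PPTP-reachable remote subnet is 192.168.1.0/24; the list names remote-nets, lan-initiators and the chain name fwd-pptp are chosen here.

```routeros
# Added example, not from the thread. Assumed addressing: LAN 10.10.10.0/24,
# remote subnet 192.168.1.0/24 behind PPTP. List/chain names are made up here.
/ip firewall address-list
add list=remote-nets address=192.168.1.0/24 comment="subnets reached over PPTP"

/ip firewall filter
# Replies to existing connections are always fine. This alone does NOT let the
# remote host open NEW sessions back to the LAN PC, which is what the OP wants.
add chain=forward connection-state=established,related action=accept

# Keep the PPTP logic in its own chain (petterg's suggestion) so the main
# forward chain is only walked once per packet for this traffic.
add chain=forward src-address=10.10.10.0/24 dst-address-list=remote-nets \
    action=jump jump-target=fwd-pptp
add chain=forward src-address-list=remote-nets dst-address=10.10.10.0/24 \
    action=jump jump-target=fwd-pptp

# 1) A LAN host opens a NEW connection towards a remote subnet: remember its
#    address for 1 hour (refreshed on every new connection). The entry expires
#    on its own, so no cleanup script is needed.
add chain=fwd-pptp connection-state=new src-address=10.10.10.0/24 \
    dst-address-list=remote-nets action=add-src-to-address-list \
    address-list=lan-initiators address-list-timeout=1h
add chain=fwd-pptp src-address=10.10.10.0/24 dst-address-list=remote-nets \
    action=accept

# 2) Remote side may open new connections ONLY to LAN hosts currently listed.
#    Caveat: address lists are sets, not pairs. Every host in remote-nets gets
#    access to every listed LAN host, not just the one it was contacted by.
#    A strict per-pair binding needs one initiator list per remote host.
add chain=fwd-pptp src-address-list=remote-nets dst-address-list=lan-initiators \
    connection-state=new action=accept

# 3) Anything else from the remote side towards the LAN is logged and dropped.
add chain=fwd-pptp src-address-list=remote-nets dst-address=10.10.10.0/24 \
    action=log log-prefix="pptp-blocked"
add chain=fwd-pptp src-address-list=remote-nets dst-address=10.10.10.0/24 \
    action=drop
add chain=fwd-pptp action=return
```

Check what the list looks like while a LAN host is talking to the remote side with `/ip firewall address-list print where list=lan-initiators`; the dynamic entry shows its remaining timeout, which is the window during which the remote host can initiate connections back.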
