jitdor
just joined
Topic Author
Posts: 8
Joined: Tue Jul 07, 2015 9:17 pm

Firewall chain for virtual interfaces of tunnels

Wed May 08, 2019 8:50 am

I have subscribed to a VPN service and configured multiple virtual interfaces as PPTP clients on the Mikrotik for various rule-based routing purposes. Since the VPN is a shared service, other customers connecting to the same VPN gateways would be placed in the same private subnet as my virtual interfaces.

I am wondering if the Input chain of my existing firewall rules would also apply to these virtual interfaces? Or do I need to set up specific rules under the forward chain to filter unwanted incoming traffic from these VPN tunnels? It is difficult to determine if the existing rules are in effect as there are not a lot of unsolicited packets hitting the virtual interfaces.

Many thanks!
 
sebastia
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Firewall chain for virtual interfaces of tunnels  [SOLVED]

Wed May 08, 2019 11:04 am

Input chain is for any packet coming INTO router, from any available interface.
forward chain is for packets passing through router, so from one interface of router to another.
 
pe1chl
Forum Guru
Posts: 10560
Joined: Mon Jun 08, 2015 12:09 pm

Re: Firewall chain for virtual interfaces of tunnels

Wed May 08, 2019 11:27 am

The input chain of your firewall should be configured to accept the outer packets of the VPN, in this case TCP port 1723 and protocol 47 (GRE).
The forward chain of your firewall should be configured for the payload of the packets, the traffic from your clients to the remainder of the network.

(This assumes that your clients do not have to access the router itself. If they do, e.g. for use of the DNS resolver, input rules to accept that payload have to be made as well.)
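The chain split described in the two answers above (input for the tunnel's outer packets and anything addressed to the router, forward for the payload crossing the router), written out as a RouterOS firewall fragment. This is an added example, not configuration from either poster or from MikroTik; the interface names `pptp-out1`/`pptp-out2`, the interface list name `vpn-tunnels` and the VPN gateway address `203.0.113.1` are constructed placeholders to be replaced with the real values.

```routeros
# Added example (not from the thread). Group the PPTP client interfaces so one
# rule covers every tunnel; assumed names pptp-out1 and pptp-out2.
/interface list add name=vpn-tunnels
/interface list member add interface=pptp-out1 list=vpn-tunnels
/interface list member add interface=pptp-out2 list=vpn-tunnels

/ip firewall filter
# --- input chain: packets addressed to the router itself ---
# The router initiates the PPTP control connection (TCP 1723), so its replies
# arrive as established traffic and are accepted here.
add chain=input connection-state=established,related action=accept \
    comment="accept replies, incl. PPTP control channel"
add chain=input connection-state=invalid action=drop
# Outer GRE (protocol 47) packets carrying the tunnel; restricted to the
# assumed VPN gateway address 203.0.113.1 rather than accepted from anywhere.
add chain=input protocol=gre src-address=203.0.113.1 action=accept \
    comment="GRE outer packets from the VPN gateway"
# Other VPN customers share the tunnel subnet: drop anything new that reaches
# the router through a tunnel. Logging lets you see whether the rule ever fires.
add chain=input in-interface-list=vpn-tunnels action=drop \
    log=yes log-prefix="vpn-in-drop" \
    comment="drop unsolicited traffic to the router from VPN tunnels"

# --- forward chain: payload passing through the router ---
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# Sessions started by LAN hosts towards the VPN are still allowed (they hit the
# established/related rule on the way back); only connections initiated from
# inside a tunnel towards the LAN are dropped.
add chain=forward in-interface-list=vpn-tunnels connection-state=new \
    action=drop log=yes log-prefix="vpn-fwd-drop" \
    comment="drop new connections entering from VPN tunnels"

# Check whether the rules see traffic: the counters answer the question of
# whether the chains apply to the virtual interfaces.
/ip firewall filter print stats where comment~"VPN"
```

The `add` commands append to the end of each chain, so on an existing firewall these drop rules must be moved above any broad `accept` rule that would match tunnel traffic first (`/ip firewall filter move` or `place-before=` on `add`). The explicit GRE accept is only needed if connection tracking does not already mark the GRE packets as related to the control connection; the `print stats` counters on the established/related rule versus the GRE rule will show which one is doing the work.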