2510506
just joined
Topic Author
Posts: 9
Joined: Thu May 19, 2016 5:27 pm

Block all except connection to VPN

Thu May 19, 2016 5:38 pm

Hi. Please suggest firewall rules.

Network map:

PC1 connected to MikroTik > MikroTik to ISP.

On PC1 I have an OpenVPN client which connects to a remote VPN server, so I need all traffic to go through the tunnel.

On the MikroTik I need to block everything except the connection to the VPN.
Please help with the rules. I read the documentation and set up the following rules, but they block everything (including the connection to the VPN):
add chain=forward action=accept protocol=tcp dst-port=53 comment="Allow DNS tcp"
add chain=forward action=accept protocol=udp dst-port=53 comment="Allow DNS udp"
add chain=forward action=accept protocol=tcp dst-port=443 comment="Allow 443"
add chain=forward action=accept protocol=tcp dst-port=943 comment="Allow 943 OpenVPN"
add chain=forward action=accept protocol=udp dst-port=1194 comment="Allow 1194 OpenVPN"
add chain=forward action=accept protocol=tcp dst-port=1194 comment="Allow 1194 OpenVPN"
add chain=forward action=accept protocol=udp dst-port=1143 comment="Allow 1143"
add chain=forward action=accept protocol=tcp dst-port=1143 comment="Allow 1143"
add chain=forward action=drop comment="drop everything else"
 
tiftok
newbie
Posts: 49
Joined: Thu Apr 07, 2016 1:40 pm

Re: Block all except connection to VPN

Fri May 20, 2016 11:51 am

Hello
Do you have the VPN server IP?
 
2510506
just joined
Topic Author
Posts: 9
Joined: Thu May 19, 2016 5:27 pm

Re: Block all except connection to VPN

Sun May 22, 2016 6:55 pm

Yes, I have. Why?
 
tiftok
newbie
Posts: 49
Joined: Thu Apr 07, 2016 1:40 pm

Re: Block all except connection to VPN

Mon May 23, 2016 2:29 pm

You can block all destination IP addresses except the VPN IP. Replace 192.168.1.1 with your VPN IP:
/ip firewall filter add chain=forward dst-address=!192.168.1.1 action=drop

 
2510506
just joined
Topic Author
Posts: 9
Joined: Thu May 19, 2016 5:27 pm

Re: Block all except connection to VPN

Tue May 24, 2016 2:10 pm

@tiftok, thanks

Could you please help: if I need to deny everything except ports 443 and 53, what should the rules be?
Because
add chain=forward action=accept protocol=tcp dst-port=53 comment="Allow DNS tcp"
add chain=forward action=accept protocol=udp dst-port=53 comment="Allow DNS udp"
add chain=forward action=accept protocol=tcp dst-port=443 comment="Allow 443"
add chain=forward action=drop comment="drop everything else"

Drops everything
 
tiftok
newbie
Posts: 49
Joined: Thu Apr 07, 2016 1:40 pm

Re: Block all except connection to VPN

Tue May 24, 2016 10:21 pm

Hello,
please make a BACKUP BEFORE TESTING. I have not tested these rules; I wrote them quickly 8)
/ip firewall mangle add chain=forward protocol=udp src-port=53 action=mark-connection new-connection-mark=myallwo  passthrough=yes;
/ip firewall mangle add chain=forward protocol=tcp src-port=53 action=mark-connection new-connection-mark=myallwo  passthrough=yes;

/ip firewall mangle add chain=forward protocol=udp src-port=443 action=mark-connection new-connection-mark=myallwo  passthrough=yes;
/ip firewall mangle add chain=forward protocol=tcp src-port=443 action=mark-connection new-connection-mark=myallwo  passthrough=yes;

/ip firewall mangle add chain=forward protocol=udp dst-port=53 action=mark-connection new-connection-mark=myallwo  passthrough=yes;
/ip firewall mangle add chain=forward protocol=tcp dst-port=53 action=mark-connection new-connection-mark=myallwo  passthrough=yes;

/ip firewall mangle add chain=forward protocol=udp dst-port=443 action=mark-connection new-connection-mark=myallwo  passthrough=yes;
/ip firewall mangle add chain=forward protocol=tcp dst-port=443 action=mark-connection new-connection-mark=myallwo  passthrough=yes;

/ip firewall filter add chain=forward connection-mark=!myallwo action=drop ;
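An added example, not posted by either participant, that pulls together the two suggestions in this thread (drop everything whose destination is not the VPN server; accept only the flows that belong to allowed connections) into a stateful forward chain. The reason a dst-port-only allow-list like the original one drops everything is that reply packets come back with the allowed port as the source port, not the destination port, so they fall through to the final drop; accepting established/related connections first fixes that. The interface name bridge-lan, the placeholder server address 203.0.113.10 (an RFC 5737 documentation address) and UDP/1194 are assumptions; replace them with your own values.

```routeros
# Added example, not from the thread. Assumptions: the LAN side of the router is
# the interface "bridge-lan"; the OpenVPN server is 203.0.113.10 (placeholder)
# listening on UDP/1194. Adjust both before importing.

/ip firewall address-list
# Keeping the VPN server(s) in an address list means the filter rule below
# does not change when a second server or port is added.
add list=vpn-servers address=203.0.113.10 comment="OpenVPN server (placeholder)"

/ip firewall filter
# 1. Replies for connections that were already accepted must be let back in,
#    otherwise every answer packet is dropped and "everything breaks".
add chain=forward connection-state=established,related action=accept \
    comment="allow replies to accepted connections"
# 2. Drop packets that do not belong to any tracked connection.
add chain=forward connection-state=invalid action=drop comment="drop invalid"
# 3. The only NEW connection the LAN may open is to the VPN server on its port.
#    Matching on the address list (not just the port) is what prevents the PC
#    from reaching arbitrary hosts on 1194/443 outside the tunnel.
add chain=forward in-interface=bridge-lan connection-state=new protocol=udp \
    dst-address-list=vpn-servers dst-port=1194 action=accept \
    comment="OpenVPN client to VPN server only"
# 4. Log, then drop, anything else so leaks outside the tunnel are visible.
add chain=forward action=log log-prefix="fwd-drop " comment="log leaked traffic"
add chain=forward action=drop comment="drop everything else"
```

Two points a practitioner should check after importing: the OpenVPN client still needs to resolve the server's hostname, and DNS from the PC to the router itself is handled by the input chain, not by these forward rules, so either let the router answer DNS for the LAN or use the server's IP address in the client profile. Second, verify with `/ip firewall connection print` while the tunnel is up: the only forward connections from the PC should be the one to the VPN server, and `/log print` with the fwd-drop prefix shows anything that tried to go around it.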


