MikroTik

Community discussions
https://forum.mikrotik.com/

IPsec and firewall issues

https://forum.mikrotik.com/viewtopic.php?t=125645

Page 1 of 1

IPsec and firewall issues

Posted: Fri Sep 15, 2017 12:11 pm
by az1984
Hello,

at the moment I'am struggeling with firewall-rules on ipsec traffic. I already read that there are some issues with filtering IPsec traffic, but I hope there is a way to solve my problem.

I have a RB3011 with has several IPsec tunnels to our customer routers (non mikrotik). Via IPsec policy the customers LAN is tunneled to our LAN which works well. As these tunnels are only for support purposes, we want to secure our LAN and block any access from customer-LAN to our LAN.

Now I tried the following:
our LAN: 192.168.77.0/24
customers LAN: 10.0.0.0/24

I added this filter rule for testing:
Code: Select all
add action=drop chain=forward disabled=no dst-address=192.168.77.0/24 src-address=10.0.0.0/24
As supposed there is no connection between 192.168.77.x and 10.0.0.x possible, but the tunnel is still active and is also rebuild if I kill the active IPsec connection. I think this is because this firewall rule will work in both directions (correct me if I'am wrong), regardless of the dst- and scr-addresses. So is there any way to allow 192.168.77.x -> 10.0.0.x and deny 10.0.0.x -> 192.168.77.x at the same time? Maybe I can refine the filter rule and deal with connection states? I'am a bit helpless at this point.

Can someone help me out?

Thanks for help.
Andreas

Re: IPsec and firewall issues

Posted: Fri Sep 15, 2017 1:52 pm
by petterg
I never (with a few exceptions) create drop rules, except for the final drop all rule. My philosophy is that everything should be dropped unless I specify otherwise.
What you probably want is:
Code: Select all
add action=accept chain=forward comment=Established connection-state=established
add action=accept chain=forward comment=Related connection-state=related
add action=accept chain=forward dst-address=10.0.0.0/24 src-address=192.168.77.0/24
add action=drop chain=forward dst-address=192.168.77.0/24 src-address=10.0.0.0/24
If you don't have the related/established rules already, you should probably check carefully what your firewall actually does. If you have a working internet access through a firewall without using an established rule, you probably allow too much. (Another approach is to use connection-state=new in the drop rules.)

Re: IPsec and firewall issues

Posted: Fri Sep 15, 2017 2:20 pm
by az1984
You are right and it seems I figured out what was wrong.

First I had a global forward accept rule, which I don't really need at all. I also don't know why I created this rule, maybe a relict from former tests.
The accept-rule for related and established connections I already had. So the point was, to set the requested deny-rule after this accept-rules.

Now I changed the rule to use address-lists to manage all my remote-vpn-LANs with one rule and it is working fine so far.

My firewall filter now looks like this:
Code: Select all
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward dst-address=192.168.77.0/24 src-address-list="VPN rejects"
...more firewall rules...
So in general I even don't need the rule for allowing 192.168.77.x -> 10.0.0.x.

Thanks for helping out :)
All times are UTC+02:00
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Limited
https://www.phpbb.com/