sjafka
Member Candidate
Topic Author
Posts: 104
Joined: Wed Jan 03, 2018 5:45 pm

From one subnet to other but

Tue May 29, 2018 4:00 pm

UPDATE*: Guys, it's getting out of hand. I already configured the "system", everything is good, but I want to limit the access from local resources for the VPN users.
So the question would be: how can I make it happen that from one subnet, which is NATted to the other subnet, things ONLY on port 3389 work?! Nothing else!

Dear MikroTik Community,

could you please help me with this?

I'd like to set things up so that VPN users can only use RDP (so they use VPN and after that they will RDP to a local server).
Let's say VPN users get 10.10.10.0/24 addresses and the internal subnet is 192.168.11.0/24.

If I add a firewall rule like "chain=input (or forward, neither worked) action=drop protocol=udp src-address=10.10.10.0/24 dst-port=!3389 log=no log-prefix=""", I see that packets go through this rule, but I cannot connect; if I disable it, I can connect with no problem. I used Torch and I saw 443, 80 and 3389 used, and from the source IP I saw something above 50000. How do I achieve this the right way?

Only RDP should be "usable" from 10.10.10.0/24.

Thank you in advance!
Last edited by sjafka on Wed May 30, 2018 11:50 am, edited 1 time in total.
simogere
Frequent Visitor
Posts: 56
Joined: Fri May 24, 2013 11:54 am

Re: From one subnet to other but

Tue May 29, 2018 4:33 pm

Try those rules:
chain=forward action=drop protocol=tcp src-address=10.10.10.0/24 dst-port=!3389
chain=forward action=drop protocol=udp src-address=10.10.10.0/24
anav
Forum Guru
Posts: 19372
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: From one subnet to other but

Tue May 29, 2018 5:14 pm

So you are running an RDP on your LAN and you want users to VPN to the right LAN network and then use their RDP client to talk to the RDP server?
sjafka
Member Candidate
Topic Author
Posts: 104
Joined: Wed Jan 03, 2018 5:45 pm

Re: From one subnet to other but

Tue May 29, 2018 5:30 pm

So you are running an RDP on your LAN and you want users to VPN to the right LAN network and then use their RDP client to talk to the RDP server?
I'm running an RDP server (terminal server) in the "internal LAN" (192.168.X.X), and from the "VPN LAN" (10.10.10.X) it's NATted to the "internal LAN" (where the RDP server is) and it works, but I want to limit it so that the "RDP users" can only use RDP. If you ask why the VPN users don't connect to the "internal LAN" from the beginning: because there are a few users who should have our IP, but no access to our internal LAN.
anav
Forum Guru
Posts: 19372
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: From one subnet to other but

Tue May 29, 2018 5:41 pm

Excellent input! For me it's about getting the requirements right. Please confirm:
a. some external users need access to VPN, to RDP But not to internal LAN
b. some external users need access to VPN, to RDP and need access also to internal LAN
c. some external users need access to VPN and need access to internal LAN but not to RDP.

Which statements are true and which are false?

Q1. Do you have a list of external users that only require RDP access - their WANIP addresses?
sjafka
Member Candidate
Topic Author
Posts: 104
Joined: Wed Jan 03, 2018 5:45 pm

Re: From one subnet to other but

Tue May 29, 2018 6:10 pm

Excellent input! For me it's about getting the requirements right. Please confirm:
a. some external users need access to VPN, to RDP But not to internal LAN
b. some external users need access to VPN, to RDP and need access also to internal LAN
c. some external users need access to VPN and need access to internal LAN but not to RDP.

Which statements are true and which are false?

Q1. Do you have a list of external users that only require RDP access - their WANIP addresses?
Thanks for your time, anav!
I would say it otherwise: there are external users who need only our IP address, but not the internal LAN;
there are external users who need access to VPN, but no access to local resources, EXCEPT RDP (3389).

I hope I was clear enough and you can help me :D

Or even more easily explained: there are external users who need VPN, but only internet, no internal access;
and there are external users who need VPN, but no internet, no internal access, ONLY RDP (3389). Thank you m8 :)
paulororke
newbie
Posts: 25
Joined: Wed Sep 21, 2016 1:16 am

Re: From one subnet to other but

Tue May 29, 2018 6:24 pm

This is precisely my requirement,
only a) users who must have only RDP access to their workstation but not the LAN directly; if I understand things correctly, once logged into their workstation they will still have the access that they have when sitting at their desk.

In my case the VPNs are SSTP and each VPN user gets a LAN IP (192.168.14.x).

I've been asked to limit their access to just RDP and just their workstation (192.168.14.y). Workstations have a DHCP reservation so their IP doesn't change.

I'm new to writing firewall rules, so any suggestions on where to start would help. A good read perhaps?
anav
Forum Guru
Posts: 19372
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: From one subnet to other but

Tue May 29, 2018 6:53 pm

Thanks for the clarifications, so let me see if I have got it.

Two types of external users.

A. Require access via VPN to the MikroTik solely for the purpose of accessing the internet via the MikroTik and not from their local connection.

B. Require access via VPN to the MikroTik solely for the purpose of accessing the RDP server, and with their RDP client do what ??????? Log into ????

Since I am not an RDP user, it's not clear to me how one gains access to a PC via RDP, because that assumes there is someone at the PC to turn it on or accept the RDP request??
Are these virtual PCs that are on all the time? In other words, how do you give access to PCs on a LAN to external users but then state they should not have access to the LAN?
Won't they have access from their PC? Or is that okay and you just don't want them to physically connect from their computer at the remote site to peruse the LAN? They are permitted through the RDP PC to work on the LAN?

By the way, the first thing that comes to mind is to have two different sets of VPN connections.
One set for RDP users and one set for internet users. That should help keep it clean and perhaps easier to modify and add rules later. Just guessing though.
sjafka
Member Candidate
Topic Author
Posts: 104
Joined: Wed Jan 03, 2018 5:45 pm

Re: From one subnet to other but

Wed May 30, 2018 10:46 am

Guys, it's getting out of hand. I already did the "system", everything is good, but I want to limit the access from local resources for the VPN users.
So the question would be: how can I make it happen that from one subnet, which is NATted to the other subnet, things ONLY on port 3389 work?! Nothing else!
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)
Contact:

Re: From one subnet to other but  [SOLVED]

Wed May 30, 2018 2:09 pm

chain=forward action=accept protocol=tcp src-address=10.10.10.0/24 dst-address=192.168.11.0/24 dst-port=3389
chain=forward action=accept protocol=udp src-address=10.10.10.0/24 dst-address=192.168.11.0/24 dst-port=3389
chain=forward action=drop src-address=10.10.10.0/24 dst-address=192.168.11.0/24 
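The three rules above rely on two things a reader new to RouterOS filtering may not see: the chain is `forward` (VPN-to-LAN traffic transits the router; `input` only sees traffic addressed to the router itself), and rules are evaluated first-match, so the two narrow accepts must sit above the broad drop. The following is an added example, not MikroTik code and not the thread's own configuration: a small Python simulator that parses rule lines in the key=value form used in this thread and evaluates constructed sample flows against them with first-match semantics. The hosts 10.10.10.5, 192.168.11.10 and 203.0.113.10 are constructed for the example; RouterOS's behaviour for a chain with no matching rule is to accept, which the `default` parameter models.

```python
"""First-match simulation of a RouterOS-style forward chain.

Added example (not MikroTik code): parses rule lines in the key=value form used
in this thread and shows which VPN-to-LAN flows the accepted answer's rules
let through. Connection tracking is not modelled.
"""
import ipaddress

# Rules from the accepted answer in this thread, in the order they were posted.
RULE_LINES = [
    "chain=forward action=accept protocol=tcp src-address=10.10.10.0/24 dst-address=192.168.11.0/24 dst-port=3389",
    "chain=forward action=accept protocol=udp src-address=10.10.10.0/24 dst-address=192.168.11.0/24 dst-port=3389",
    "chain=forward action=drop src-address=10.10.10.0/24 dst-address=192.168.11.0/24",
]

# The original poster's first attempt, for comparison: it matches on protocol and
# port only, with no dst-address, so it applies to UDP towards any destination.
OP_RULE_LINES = [
    "chain=forward action=drop protocol=udp src-address=10.10.10.0/24 dst-port=!3389",
]


def parse_rule(line):
    """Turn 'key=value key=value ...' into a dict of matchers plus chain/action."""
    rule = {}
    for token in line.split():
        key, _, value = token.partition("=")
        rule[key] = value
    return rule


def rule_matches(rule, pkt):
    """True when every matcher present in the rule agrees with the packet."""
    if "protocol" in rule and rule["protocol"] != pkt["protocol"]:
        return False
    for key, field in (("src-address", "src"), ("dst-address", "dst")):
        if key in rule:
            net = ipaddress.ip_network(rule[key], strict=False)
            if ipaddress.ip_address(pkt[field]) not in net:
                return False
    if "dst-port" in rule:
        spec = rule["dst-port"]
        negate = spec.startswith("!")          # RouterOS '!' prefix inverts the match
        port = int(spec.lstrip("!"))
        if (pkt["dst_port"] == port) == negate:  # equal while negated, or unequal while not
            return False
    return True


def verdict(rule_lines, pkt, chain="forward", default="accept"):
    """The first matching rule in the chain decides; no match falls through to default."""
    for rule in map(parse_rule, rule_lines):
        if rule.get("chain") == chain and rule_matches(rule, pkt):
            return rule["action"]
    return default


def packet(protocol, src, dst, dst_port):
    return {"protocol": protocol, "src": src, "dst": dst, "dst_port": dst_port}


# Constructed sample flows: VPN client 10.10.10.5, LAN host 192.168.11.10,
# and an internet host 203.0.113.10 (documentation range).
SAMPLE_FLOWS = {
    "rdp_tcp_to_lan": packet("tcp", "10.10.10.5", "192.168.11.10", 3389),
    "rdp_udp_to_lan": packet("udp", "10.10.10.5", "192.168.11.10", 3389),
    "smb_to_lan": packet("tcp", "10.10.10.5", "192.168.11.10", 445),
    "http_to_lan": packet("tcp", "10.10.10.5", "192.168.11.10", 80),
    "https_to_internet": packet("tcp", "10.10.10.5", "203.0.113.10", 443),
    "dns_udp_to_internet": packet("udp", "10.10.10.5", "203.0.113.10", 53),
}


def evaluate_all(rule_lines=RULE_LINES, flows=SAMPLE_FLOWS):
    """Map each sample flow name to the verdict the given rule set produces."""
    return {name: verdict(rule_lines, pkt) for name, pkt in flows.items()}


if __name__ == "__main__":
    for label, lines in (("accepted answer", RULE_LINES), ("OP's first attempt", OP_RULE_LINES)):
        print(f"--- {label} ---")
        for name, action in evaluate_all(lines).items():
            print(f"{name:22s} -> {action}")
```

Running it shows the accepted answer's set allowing only TCP/UDP 3389 from the VPN subnet into 192.168.11.0/24 while leaving the VPN users' internet traffic untouched, whereas the first attempt drops every non-3389 UDP flow from the VPN subnet regardless of destination. Two things the simulator deliberately leaves out: on a real router the `forward` chain also sees the server's reply packets, which here are simply unmatched because their source is the LAN, and source NAT is applied after filtering, so `src-address=10.10.10.0/24` still matches even though the flow is NATted towards the LAN.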
sjafka
Member Candidate
Topic Author
Posts: 104
Joined: Wed Jan 03, 2018 5:45 pm

Re: From one subnet to other but

Wed May 30, 2018 2:30 pm

chain=forward action=accept protocol=tcp src-address=10.10.10.0/24 dst-address=192.168.11.0/24 dst-port=3389
chain=forward action=accept protocol=udp src-address=10.10.10.0/24 dst-address=192.168.11.0/24 dst-port=3389
chain=forward action=drop src-address=10.10.10.0/24 dst-address=192.168.11.0/24 
This worked, thank you! Have a nice day!