
This is the support site for Andrews & Arnold Ltd, a UK Internet provider. Information on these pages is generally for our customers but may be useful to others, enjoy!

User:TomJepp/RouterOS L2TP: Difference between revisions

 
=== Firewall ===
 
We will add some extra firewall rules. These allow ''all'' traffic from the internet to the public IP ranges (hosts on that bridge are directly exposed and must protect themselves), traffic from the public IP ranges out to the internet, and DNS queries from the public IP ranges to the DNS server on the router.
 
However, we add no rule allowing the public IP ranges to reach the LAN bridge we set up earlier, so connections from the public ranges to the LAN fall through to the final drop rules and are refused.
 
==== IPv4 firewall ====
 
# Go to '''IP, Firewall''' and select the '''Filter Rules''' tab.
# Add a new rule:
## '''General, Chain''': "input"
## '''General, Protocol''': "udp"
## '''Dst. Port''': "53"
## '''General, In. Interface''': "bridge-l2tp-public"
## '''Action, Action''': "accept"
## '''Comment''': "input: allow UDP DNS from L2TP LAN"
## Save the rule with '''OK'''.
# Add a new rule:
## '''General, Chain''': "input"
## '''General, Protocol''': "tcp"
## '''Dst. Port''': "53"
## '''General, In. Interface''': "bridge-l2tp-public"
## '''Action, Action''': "accept"
## '''Comment''': "input: allow TCP DNS from L2TP LAN"
## Save the rule with '''OK'''.
# Add a new rule:
## '''General, Chain''': "forward"
## '''General, In. Interface''': "bridge-l2tp-public"
## '''General, Out. Interface''': "l2tp-aaisp"
## '''Action, Action''': "accept"
## '''Comment''': "forward: allow from L2TP public bridge to the internet"
## Save the rule with '''OK'''.
# Add a new rule:
## '''General, Chain''': "forward"
## '''General, In. Interface''': "l2tp-aaisp"
## '''General, Out. Interface''': "bridge-l2tp-public"
## '''Action, Action''': "accept"
## '''Comment''': "forward: allow from the internet to the L2TP public bridge"
## Save the rule with '''OK'''.
 
Rules can be re-ordered in the Firewall list by dragging them up and down. RouterOS evaluates filter rules top to bottom and the first matching rule wins, so drag these four new rules above the two "drop all remaining traffic" rules; left below them they would never be reached.
 
==== IPv6 firewall ====
 
We repeat exactly the same rules for IPv6. They cover only DNS and forwarding: if your IPv6 input chain does not already accept ICMPv6 from the public bridge, add that too, because hosts on the bridge need neighbour discovery to find the router at all.
 
# Go to '''IPv6, Firewall''' and select the '''Filter Rules''' tab.
# Add a new rule:
## '''General, Chain''': "input"
## '''General, Protocol''': "udp"
## '''Dst. Port''': "53"
## '''General, In. Interface''': "bridge-l2tp-public"
## '''Action, Action''': "accept"
## '''Comment''': "input: allow UDP DNS from L2TP LAN"
## Save the rule with '''OK'''.
# Add a new rule:
## '''General, Chain''': "input"
## '''General, Protocol''': "tcp"
## '''Dst. Port''': "53"
## '''General, In. Interface''': "bridge-l2tp-public"
## '''Action, Action''': "accept"
## '''Comment''': "input: allow TCP DNS from L2TP LAN"
## Save the rule with '''OK'''.
# Add a new rule:
## '''General, Chain''': "forward"
## '''General, In. Interface''': "bridge-l2tp-public"
## '''General, Out. Interface''': "l2tp-aaisp"
## '''Action, Action''': "accept"
## '''Comment''': "forward: allow from L2TP public bridge to the internet"
## Save the rule with '''OK'''.
# Add a new rule:
## '''General, Chain''': "forward"
## '''General, In. Interface''': "l2tp-aaisp"
## '''General, Out. Interface''': "bridge-l2tp-public"
## '''Action, Action''': "accept"
## '''Comment''': "forward: allow from the internet to the L2TP public bridge"
## Save the rule with '''OK'''.
 
As before, drag these four new rules above the two "drop all remaining traffic" rules, otherwise they are never evaluated.
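The same eight rules typed at the RouterOS CLI instead of WinBox. This is an added example and not configuration from the original page; it assumes the interface names used in this tutorial (bridge-l2tp-public, l2tp-aaisp) and that the two catch-all rules in each firewall carry a comment containing "drop all remaining" (one in the input chain, one in the forward chain). Adjust the find expressions if your comments differ.

```routeros
# Added example: CLI equivalent of the WinBox steps above, not from the original page.
# Assumes interface names bridge-l2tp-public and l2tp-aaisp from this tutorial, and
# that each chain's catch-all rule has a comment matching "drop all remaining".
# "add" on its own appends after the drop rule, where the new rule would never match;
# place-before inserts it directly above the drop rule so it is evaluated first.

/ip firewall filter
add chain=input protocol=udp dst-port=53 in-interface=bridge-l2tp-public \
    action=accept comment="input: allow UDP DNS from L2TP LAN" \
    place-before=[find chain=input comment~"drop all remaining"]
add chain=input protocol=tcp dst-port=53 in-interface=bridge-l2tp-public \
    action=accept comment="input: allow TCP DNS from L2TP LAN" \
    place-before=[find chain=input comment~"drop all remaining"]
add chain=forward in-interface=bridge-l2tp-public out-interface=l2tp-aaisp \
    action=accept comment="forward: allow from L2TP public bridge to the internet" \
    place-before=[find chain=forward comment~"drop all remaining"]
add chain=forward in-interface=l2tp-aaisp out-interface=bridge-l2tp-public \
    action=accept comment="forward: allow from the internet to the L2TP public bridge" \
    place-before=[find chain=forward comment~"drop all remaining"]

# Identical rules for IPv6.
/ipv6 firewall filter
add chain=input protocol=udp dst-port=53 in-interface=bridge-l2tp-public \
    action=accept comment="input: allow UDP DNS from L2TP LAN" \
    place-before=[find chain=input comment~"drop all remaining"]
add chain=input protocol=tcp dst-port=53 in-interface=bridge-l2tp-public \
    action=accept comment="input: allow TCP DNS from L2TP LAN" \
    place-before=[find chain=input comment~"drop all remaining"]
add chain=forward in-interface=bridge-l2tp-public out-interface=l2tp-aaisp \
    action=accept comment="forward: allow from L2TP public bridge to the internet" \
    place-before=[find chain=forward comment~"drop all remaining"]
add chain=forward in-interface=l2tp-aaisp out-interface=bridge-l2tp-public \
    action=accept comment="forward: allow from the internet to the L2TP public bridge" \
    place-before=[find chain=forward comment~"drop all remaining"]

# Check the order: the accept rules must be listed above the drop rule in each chain.
/ip firewall filter print where chain=input
/ip firewall filter print where chain=forward
/ipv6 firewall filter print where chain=input
/ipv6 firewall filter print where chain=forward
```

If a find expression matches no rule, RouterOS rejects the add with an invalid value error rather than appending the rule at the end, which is the safer failure; fix the comment match and rerun that line. Note that there is still no rule between bridge-l2tp-public and the LAN bridge, so traffic from the public ranges to the LAN continues to hit the drop rule.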
 
== CLI config example ==