This technique will limit the total attack surface of your public-facing IPsec VPN router. I know that all of my IPsec clients will be coming from one class A subnet (owned by one of the major wireless carriers), so I've added it to the ipsec-trusted-nets address list. The same technique can be used to whitelist/blacklist other protocols such as SSH.

The firewall rules for the input chain are below. The export was garbled in this copy, so the rules are reassembled from the surviving fragments: the `action=accept chain=input` prefix on the two allow rules, the `!ipsec-trusted-nets` negation on the list-building rule, the `src-address-list=ipsec-uninvited` matcher on the drop rule and the `ether1` interface on the UDP:4500 rule are inferred from each rule's comment and from the other rules rather than shown on the page. The list-building rule uses `add-src-to-address-list`: in the input chain the destination is the router itself, so the original `add-dst-to-address-list` would have listed the router's own address instead of the unknown peer.

```routeros
/ip firewall filter
add action=accept chain=input comment=\
    "Allow UDP:500 from \"ipsec-trusted-nets\" list" dst-port=500 in-interface=\
    ether1 protocol=udp src-address-list=ipsec-trusted-nets
add action=accept chain=input comment=\
    "Allow UDP:4500 to ADDRESS-LIST:ipsec-trusted-nets" dst-port=4500 in-interface=\
    ether1 protocol=udp src-address-list=ipsec-trusted-nets
add action=add-src-to-address-list address-list=ipsec-uninvited \
    address-list-timeout=4w2d chain=input comment=\
    "Add unknown IPsec attempts to \"ipsec-uninvited\" list" connection-state=new \
    dst-port=500 in-interface=ether1 protocol=udp src-address-list=\
    !ipsec-trusted-nets
add action=drop chain=input comment="Deny UDP:500 from \"ipsec-uninvited\" list" \
    dst-port=500 in-interface=ether1 log=yes log-prefix=ipsec-uninvited protocol=udp \
    src-address-list=ipsec-uninvited
```

Trusted sources are accepted first; any other source that opens a new IKE exchange on UDP:500 is recorded in the ipsec-uninvited list for 4 weeks and 2 days, and every further attempt from a listed source is dropped and logged with the ipsec-uninvited prefix.

Now, jump over to the Networks tab and add a new configuration. The Address field is what ties the Address Pool, DHCP Server and Network Configuration all together. It should be the same as the IP address you chose, but with a zero at the end, and the netmask afterwards.
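The drop rule above logs each blocked attempt under the ipsec-uninvited prefix. As an added example (not part of the original article), the script below reads those log lines, counts attempts per source and flags any source that falls inside the trusted range, since a trusted client reaching the drop rule means the address list or rule order needs checking. The log line shape and the trusted /8 are assumptions; the sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of RouterOS firewall log lines, in the shape produced by a
# filter rule with log=yes log-prefix=ipsec-uninvited (format assumed from
# typical RouterOS output; not captured from the article's router).
SAMPLE_LOG = """\
jan/02 10:15:01 firewall,info ipsec-uninvited input: in:ether1 out:(unknown 0), proto UDP, 203.0.113.7:500->198.51.100.1:500, len 292
jan/02 10:15:03 firewall,info ipsec-uninvited input: in:ether1 out:(unknown 0), proto UDP, 203.0.113.7:500->198.51.100.1:500, len 292
jan/02 10:16:40 firewall,info ipsec-uninvited input: in:ether1 out:(unknown 0), proto UDP, 192.0.2.44:500->198.51.100.1:500, len 292
jan/02 10:17:02 firewall,info ipsec-uninvited input: in:ether1 out:(unknown 0), proto UDP, 10.20.30.40:500->198.51.100.1:500, len 292
jan/02 10:17:05 system,info dhcp lease 192.168.88.10 assigned
"""

# Placeholder for the ipsec-trusted-nets range; the article's real /8 is not given.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

LINE_RE = re.compile(
    r"ipsec-uninvited input: in:(?P<iface>\S+) .*?proto (?P<proto>\w+), "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_uninvited(log_text):
    """Return one dict per line that carries the ipsec-uninvited prefix."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events

def summarize(events, trusted_nets):
    """Count drops per source; also list sources inside a trusted net, which
    should never reach the drop rule if the address lists are correct."""
    per_src = Counter(e["src"] for e in events)
    misfiled = sorted(
        src for src in per_src
        if any(ipaddress.ip_address(src) in net for net in trusted_nets)
    )
    return per_src, misfiled

if __name__ == "__main__":
    counts, flagged = summarize(parse_uninvited(SAMPLE_LOG), TRUSTED_NETS)
    for src, n in counts.most_common():
        print(f"{src:16} {n} dropped IKE attempt(s)")
    if flagged:
        print("trusted sources hitting the drop rule:", ", ".join(flagged))
```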