Go to IP > Firewall, click on the Address Lists tab, click the plus sign, type LAN for the address list name and 192.168.100.0/24 as the address, and click OK. The same technique can be used to whitelist or blacklist other protocols such as SSH.

I know that all of my IPsec clients will be coming from one class A subnet (owned by one of the major wireless carriers), so I've added it to the ipsec-trusted-nets address list. This technique will limit the total attack surface of your public-facing IPsec VPN router.

The firewall rules, reassembled from the export fragments on this page (a trailing `\` continues a rule onto the next line; the few lines the page did not preserve are filled in from the rule comments and marked as such):

```routeros
/ip firewall filter
add action=accept chain=input comment=\
    "Allow UDP:500 from \"ipsec-trusted-nets\" list" dst-port=500 in-interface=\
    ether1 protocol=udp src-address-list=ipsec-trusted-nets
# action, chain and trailing matchers of the UDP:4500 rule were not preserved;
# they mirror the UDP:500 rule above.
add action=accept chain=input comment=\
    "Allow UDP:4500 to ADDRESS-LIST:ipsec-trusted-nets" dst-port=4500 in-interface=\
    ether1 protocol=udp src-address-list=ipsec-trusted-nets
# The page's export used add-dst-to-address-list, but on chain=input the destination
# is the router itself; the SOURCE of the unknown attempt is what must be recorded.
# "Unknown" means not on the trusted list, hence the negated src-address-list.
add action=add-src-to-address-list address-list=ipsec-uninvited \
    address-list-timeout=4w2d chain=input comment=\
    "Add unknown IPsec attempts to \"ipsec-uninvited\" list" connection-state=new \
    dst-port=500 in-interface=ether1 protocol=udp src-address-list=\
    !ipsec-trusted-nets
# add-src-to-address-list does not stop rule processing, so the listed packet
# falls through to this drop; the matcher is taken from the rule comment.
add action=drop chain=input comment="Deny UDP:500 from \"ipsec-uninvited\" list" \
    dst-port=500 in-interface=ether1 log=yes log-prefix=ipsec-uninvited protocol=udp \
    src-address-list=ipsec-uninvited
```
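The same whitelist plus dynamic blacklist pattern applied to SSH, as an added example written for this article rather than taken from it. It assumes the WAN interface is ether1, that you populate an address list named ssh-trusted-nets yourself (the 203.0.113.0/24 entry is a constructed placeholder), and it records the source address so that the entry actually matches return traffic on chain=input.

```routeros
# Added example: protect SSH (TCP/22) on the WAN side with an address-list
# whitelist and a self-populating "uninvited" blacklist.
# Assumptions: WAN interface ether1; the trusted prefix below is constructed.
/ip firewall address-list
add list=ssh-trusted-nets address=203.0.113.0/24 comment="constructed example prefix"

/ip firewall filter
# 1. Accept new SSH sessions only from trusted networks.
add chain=input action=accept protocol=tcp dst-port=22 in-interface=ether1 \
    connection-state=new src-address-list=ssh-trusted-nets \
    comment="Allow TCP:22 from ssh-trusted-nets"
# 2. Record the SOURCE of any other new SSH attempt for 4w2d. On chain=input
#    the destination is the router, so add-dst-to-address-list would be useless.
add chain=input action=add-src-to-address-list address-list=ssh-uninvited \
    address-list-timeout=4w2d protocol=tcp dst-port=22 in-interface=ether1 \
    connection-state=new src-address-list=!ssh-trusted-nets \
    comment="Add unknown SSH attempts to ssh-uninvited"
# 3. Drop and log anything on the dynamic list. Rule 2 is non-terminating, so
#    the very first packet from an unknown source is listed and then dropped here.
add chain=input action=drop protocol=tcp dst-port=22 in-interface=ether1 \
    src-address-list=ssh-uninvited log=yes log-prefix=ssh-uninvited \
    comment="Deny TCP:22 from ssh-uninvited"

# Verify what the rules are catching: listed sources, their log lines, and
# per-rule hit counters.
/ip firewall address-list print where list=ssh-uninvited
/log print where message~"ssh-uninvited"
/ip firewall filter print stats where chain=input
```

Keep a management path that does not depend on these rules (a LAN-side address or the console) before pasting them, since a typo in the trusted list locks you out of SSH on the WAN interface.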