
Allow access to VPN (PPTP) only from specific public IPs and general security questions

Matwic

New Around Here
I have a basic knowledge of iptables and practically no idea how asuswrt handles the routing / firewalling / security.

1. I installed asuswrt-merlin (380.57) on RT-AC87U and would like to setup a VPN (PPTP) server to only allow incoming connections from a specific ip/ip ranges and drop all others. A sample firewall-start script would be greatly appreciated.

2. The default iptables rules seem to be a bit of a mess (default settings, VPN enabled):

Code:
Chain INPUT (policy ACCEPT)
target     prot opt source        destination
DROP       icmp --  anywhere      anywhere      icmp echo-request
DROP       all  --  anywhere      anywhere      state INVALID
ACCEPT     all  --  anywhere      anywhere      state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere      anywhere      state NEW
ACCEPT     all  --  anywhere      anywhere      state NEW
ACCEPT     udp  --  anywhere      anywhere      udp spt:bootps dpt:bootpc
ACCEPT     icmp --  anywhere      anywhere      icmp !echo-request
ACCEPT     tcp  --  anywhere      anywhere      tcp dpt:1723
ACCEPT     gre  --  anywhere      anywhere
DROP       all  --  anywhere      anywhere

Wouldn't these allow any incoming connections to be accepted? And if not, how is port forwarding handled? If I forward a port, shouldn't there be an associated rule in the INPUT chain?

3. Where is Guest-Wifi isolation handled (the rules so the guest-wifi can't access other LAN clients)? I would like to change these rules so even Guest-Wifi clients can connect to the DHCP and DNS services (and only those services) on a local server (Windows server).
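A sample firewall-start script of the kind question 1 asks for, added here as an example and not taken from the thread or from the firmware itself. It assumes asuswrt-merlin runs /jffs/scripts/firewall-start with the WAN interface name as $1, and the addresses in ALLOWED_SRC are constructed placeholders to be replaced with the real public IPs/ranges.

```shell
#!/bin/sh
# /jffs/scripts/firewall-start (added example, not Matwic's or the firmware's own script)
# asuswrt-merlin passes the WAN interface name as $1 when it runs this hook (assumption).
# ALLOWED_SRC: constructed sample sources; replace with the real public IPs/ranges.
ALLOWED_SRC="203.0.113.10 198.51.100.0/24"
CHAIN="PPTPGUARD"

# Print the iptables commands that guard PPTP (tcp/1723 + GRE) arriving on the WAN side.
# $1 = WAN interface, $2 = space-separated list of allowed source IPs/ranges.
pptp_guard_rules() {
    wan="$1"; srcs="$2"
    # Dedicated chain: create it, or flush it if it already exists.
    echo "iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN"
    for s in $srcs; do
        echo "iptables -A $CHAIN -s $s -j ACCEPT"
    done
    # Anything not whitelisted is dropped before it reaches the stock ACCEPT rules for 1723/gre.
    echo "iptables -A $CHAIN -j DROP"
    # Hook the chain in at the top of INPUT; delete-then-insert keeps re-runs idempotent.
    for proto in "-p tcp --dport 1723" "-p gre"; do
        echo "iptables -D INPUT -i $wan $proto -j $CHAIN 2>/dev/null"
        echo "iptables -I INPUT 1 -i $wan $proto -j $CHAIN"
    done
}

# Number of commands the generator emits, as a quick sanity check.
pptp_guard_rule_count() {
    pptp_guard_rules "$1" "$2" | wc -l | tr -d ' '
}

# Apply only when run by the router as the hook (WAN interface in $1, iptables present).
if [ -n "$1" ] && command -v iptables >/dev/null 2>&1; then
    pptp_guard_rules "$1" "$ALLOWED_SRC" | sh -x
fi
```

Verify on the router with `iptables -L INPUT -v -n --line-numbers`; the two PPTPGUARD jumps should sit at the top of INPUT, above the firmware's own ACCEPT rules for 1723 and gre.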
 
I think part of your problem is that you are not seeing all of the iptables information, like which interface the rules apply to or the nat/mangle chains.

Try using iptables-save to see all the rules in a "raw" format.
 
Code:
iptables -L -v
 