Mikrotik
lazix, 2020-04-21 21:17:34

Can a VPN client take an address not from the VPN pool specified in Mikrotik?

I made a VPN server on MikroTik for client-to-site. In order for clients to be able to see the server behind the MikroTik, I had to give them addresses from the local subnet, "dividing" it into parts: for local devices and for those connecting via VPN. I went through seven circles of hell before identifying the proxy-arp option, so that the server finally began to see)

And now I thought - the client can explicitly specify the address for the VPN connection in Windows and thus fall under the local firewall rules, get access to the local area. Or not?

How to protect yourself from this?


2 answer(s)
poisons, 2020-04-21
@lazix

1. Create a profile:
ppp profile add name=remote interface-list=remote remote-address=1.1.1.1 local-address=1.1.1.1
Replace 1.1.1.1 with your addresses/pools.
2. ip firewall filter lets you work with interface-list, i.e. it doesn't matter what addresses the client has there; you can unambiguously allow/deny any traffic from/to it based on the interface.
When connecting, a dynamic interface will be created for each vpn client and automatically placed in the interface-list according to the profile.
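
An added example, not part of the answer above: one way the two steps could look as a complete RouterOS configuration, with a source-address check so that a client using an address outside the pool is dropped. The subnet 192.168.88.0/24, the pool range, the server address 192.168.88.10 with port 443, and the user name are assumed values.

```routeros
# Assumed values: LAN is 192.168.88.0/24, VPN clients get .200-.220 from it,
# the server behind the router is 192.168.88.10 and only HTTPS is needed.
/interface list add name=remote
/ip pool add name=vpn-pool ranges=192.168.88.200-192.168.88.220
/ppp profile add name=remote interface-list=remote local-address=192.168.88.1 remote-address=vpn-pool

# Every VPN user must reference the profile, otherwise its dynamic
# interface never lands in the "remote" list (placeholder credentials).
/ppp secret add name=user1 password=CHANGE-ME profile=remote service=any

# Source addresses that VPN clients are expected to use
/ip firewall address-list add list=vpn-clients address=192.168.88.200-192.168.88.220

/ip firewall filter
# Drop traffic arriving on a VPN interface with a source outside the pool
add chain=forward in-interface-list=remote src-address-list=!vpn-clients action=drop comment="vpn: unexpected source"
# Allow VPN clients to reach the server only
add chain=forward in-interface-list=remote dst-address=192.168.88.10 protocol=tcp dst-port=443 action=accept comment="vpn: server https"
# Deny everything else from VPN interfaces, whatever address the client holds
add chain=forward in-interface-list=remote action=drop comment="vpn: default deny"
# Keep VPN clients away from the router's own services
add chain=input in-interface-list=remote action=drop comment="vpn: no router access"
```

New rules are appended at the end of the chain, so move them above any existing rule that accepts traffic by LAN source address; otherwise a VPN client holding a LAN address still matches the earlier rule.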

Drno, 2020-04-21
@Drno

Couldn't you just use separate addressing for the VPN? And then either routing / port forwarding, or proxy-arp if the entire local network is needed.
