Why is the DROP rule not working?

D

Danil2017-09-29 13:34:37

VPN

Danil, 2017-09-29 13:34:37

Task: create a whitelist of IP addresses that can connect to my VPN. A PPTP server has been set up on Mikrotik, the same Mikrotiks are logging in to it.
I created an adress list in which I added all the ips that I want to give access to. After that, I added the following right to Firewall -> Filter Rules:

Image should be opened in a new tab

And after it is this:

Image should be opened in a new tab

Well, the logic is this - allow my list, and drop everything. But when I remove someone's IP address from the address sheet, the client continues to work. How to make it so that it is no longer allowed?
UPD

 > /ip firewall export
# sep/29/2017 XX:56:52 by RouterOS X.XX.X
# software id = XXX
#
/ip firewall address-list
add address=XXX.XXX.XXX.XXX comment=XXX list=dyndns_host
add address=XXX.XXX.XXX.XXX comment=XXX list=dyndns_host
add address=XXX.XXX.XXX.XXX comment=XXX list=dyndns_host
add address=XXX.XXX.XXX.XXX comment=XXX list=dyndns_host
add address=XXX.XXX.XXX.XXX comment=XXX list=dyndns_host
add address=XXX.XXX.XXX.XXX comment=XXX list=dyndns_host
add address=XXX.XXX.XXX.XXX comment=XXX list=dyndns_host
add address=XXX.XXX.XXX.XXX comment=XXX list=dyndns_host
add address=XXX.XXX.XXX.XXX comment=XXX list=dyndns_host
add address=XXX.XXX.XXX.XXX comment=XXX list=dyndns_host
add address=XXX.XXX.XXX.XXX comment=XXX list=dyndns_host
add address=XXX.XXX.XXX.XXX comment=XXX list=dyndns_host
add address=XXX.XXX.XXX.XXX comment=lXXX list=dyndns_host
add address=XXX.XXX.XXX.XXX comment=XXX list=dyndns_host
add address=XXX.XXX.XXX.XXX comment=XXX list=dyndns_host
add address=XXX.XXX.XXX.XXX comment=XXX list=dyndns_host
add address=XXX.XXX.XXX.XXX comment=XXX list=dyndns_host
add address=XXX.XXX.XXX.XXX comment=XXX list=dyndns_host
add address=XXX.XXX.XXX.XXX comment=XXX list=dyndns_host
add address=XXX.XXX.XXX.XXX comment=XXX list=dyndns_host
/ip firewall filter
add chain=input comment="Accept VPN" port=1723 protocol=tcp src-address-list=dyndns_host
add chain=forward port=1723 protocol=tcp src-address-list=dyndns_host
add action=drop chain=input port=1723 protocol=tcp
add action=drop chain=forward port=1723 protocol=tcp

Reply

Answer the question

In order to leave comments, you need to log in

1 answer(s)

V

Viktor Belsky, 2017-09-29
@Veneomin

To the input drop rule, you still need to do a forward drop.
In general, to drop at the end, you need all the packets that came to the wan interface
ZY . If the user has already connected to you, then after removing him from the address list, you still need to drop his connection to ip firewall connections.