What's new
By:

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Allow access to VPN (PPTP) only from specific public IPs and general security questions

M

Matwic

New Around Here
I have a basic knowledge of iptables and practically no idea how asuswrt hadles the routing / firewalling / security.

1. I installed asuswrt-merlin (380.57) on RT-AC87U and would like to setup a VPN (PPTP) server to only allow incoming connections from a specific ip/ip ranges and drop all others. A sample firewall-start script would be greatly appreciated.

2. default iptables rules seems to be a bit of a mess (default settings, VPN enabled):

Code: 
Chain INPUT (policy ACCEPT)
target     prot opt source        destination
DROP       icmp --  anywhere      anywhere      icmp echo-request
DROP       all  --  anywhere      anywhere      state INVALID
ACCEPT     all  --  anywhere      anywhere      state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere      anywhere      state NEW
ACCEPT     all  --  anywhere      anywhere      state NEW
ACCEPT     udp  --  anywhere      anywhere      udp spt:bootps dpt:bootpc
ACCEPT     icmp --  anywhere      anywhere      icmp !echo-request
ACCEPT     tcp  --  anywhere      anywhere      tcp dpt:1723
ACCEPT     gre  --  anywhere      anywhere
DROP       all  --  anywhere      anywhere

Wouldn't these allow any incoming connections to be accepted? And if not, how is port forwarding handled? If I forward a port should't there be an associated rule in the INPUT chain?

3. Where is Guest-Wifi isolation handled? (the rules so the guest-wifi cant access other LAN clients)? I would like to change these rules so even Guest-Wifi clients can connect to the DHCP and DNS services (and only those services) on a local server (Windows server).
 
I think part of your problem is that you are not seeing all of the iptables information, like which interface the rules apply to or the nat/mangle chains.

Try using iptables-save to see all the rules in a "raw" format.
 
Code: 
iptables -L -v
 
You must log in or register to reply here.

Similar threads

J
Debugging NAT traversal with a ASUS RT-AC66U B1
Replies
2
Views
1K
jp_rider
J
F
Understanding IPTABLES - asus ROG ax6000
Replies
17
Views
2K
ColinTaylor
C
adri
Firewall, Port Forwarding, and DoS Question
Replies
8
Views
1K
ColinTaylor
C
D
Solved GT AX6000 - Home Assistant can't access IoT VLAN devices
Replies
16
Views
3K
CaptainSTX
C
R
Script to detect backup wan and disable certain devices from internet access
Replies
0
Views
890
RandomUser777
R
Similar threads
Thread starter Title Forum Replies Date
outlaw78 "Allow Client <-> Client" Help Asuswrt-Merlin 2
bengalih PSA - RT-AC68U with CTF/NAT Acceleration may allow IPv6 UDP traffic through firewall Asuswrt-Merlin 8
CntrlAltDel Allow ICMP from whitelist .txt hosted online? Asuswrt-Merlin 1
Zakalwe Disallow OVPN clients on asuswrt-merlin from accessing ANY LAN devices, but allow WAN? Asuswrt-Merlin 3
P SNMP allow list Asuswrt-Merlin 1
L strange problem router not passing packets when connect via secondary access points Asuswrt-Merlin 2
Labdoc AX56 aimesh node shows open access (no password or security) Asuswrt-Merlin 5
M Does switching between operational modes wipe settings, and does repeater mode also send data to secondary router access point if connected via wire? Asuswrt-Merlin 2
Zirescu BE92U Semi Random Issue / Loss of Web UI access / DNS failures / wifi drops Asuswrt-Merlin 9
M Cannot access blocked devices over VPN Asuswrt-Merlin 0

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 1,268 (members: 15, guests: 1,253)
Back
Top