关于VPN(PPTP) 服务器的防火墙设置问题

FanZhen2002

routeros 防火墙能设置 IP Protocol ID of 47吗？ 向各位请教。


Packet filters for Point-to-Point Tunneling Protocol (PPTP)

Configure the following input filters with the filter action set to Drop all packets except those that meet the criteria below:

    * Destination IP address of the VPN server's Internet interface, subnet mask of 255.255.255.255, and TCP destination port of 1723.
      This filter allows PPTP tunnel maintenance traffic from the PPTP client to the PPTP server.
    * Destination IP address of the VPN server's Internet interface, subnet mask of 255.255.255.255, and IP Protocol ID of 47.
      This filter allows PPTP tunneled data from the PPTP client to the PPTP server.
    * Destination IP address of the VPN server's Internet interface, subnet mask of 255.255.255.255, and TCP [established] source port of 1723.
      This filter is required only when the VPN server is acting as a VPN client (a calling router) in a router-to-router VPN connection. TCP [established] traffic is accepted only when the VPN server initiated the TCP connection.

FanZhen2002

我的情况是这样的：
RoutorOS服务器在公司，员工下班后，通过VPN来访问内部网。
首先在防火墙限制访问的IP地址范围。
然后限制外部进入内部网只能是PPTP通讯，TCP 1723端口及IP Protocol ID =47（这个不知道怎么设置？）。

tlze

把上面两条说到防火墙的最上面，第三来个Drop所有连接，设置time实现定时。

FanZhen2002

搞定。
http://forum.mikrotik.com/viewtopic.php?f=2&t=11571

chain=input protocol=tcp dst-port=1723 action=accept
chain=input protocol=47 action=accept

kevin121

看看。