Níže je moje nastavení, VPN mám přes L2TP a ta funguje. Pokud na firewallu zapnu pravidlo č. 8 a č. 9
add action=drop chain=input disabled=yes
add action=drop chain=input comment="Vsechno ostatni ma smulu" disabled=yes
přestane mi jet ten přístup z VPN.
Na ten bych tedy potřeboval nastavit nějaké to další pravidlo, a nevím jak ne to.
Ještě mám prozatím zdvojený ten povolený přístup z konkrétních IP, jednou jako samotné pravidlo ve firewallu a podruhé přes povolené ip v adress lists "allowed to router". To doufám nevadí.
Díky moc za rady
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast " list=not_in_internet
add address=192.168.1.0/24 comment=RFC6890 list=not_in_internet
add address=192.168.2.0/24 comment=RFC6890 list=not_in_internet
add address=192.168.5.0/24 comment=RFC6890 list=not_in_internet
add address=192.168.10.0/24 comment=RFC6890 list=not_in_internet
add address=192.168.10.2-192.168.10.254 list=allowed_to_router
add address=veřejná IP č. 1 comment=č.1 list=allowed_to_router
add address=veřejná IP č. 2 comment=č.2 list=allowed_to_router
add address=veřejná IP č. 3 comment=č.3 list=allowed_to_router
/ip firewall filter
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=accept chain=input comment="Pristup na Mikrotik z vlastni site - č. 1" src-address=veřejná IP č. 1
add action=accept chain=input comment="Pristup na Mikrotik z vlastni site - č. 2" src-address=veřejná IP č. 2
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input comment="Povoleni ICMP (PING)" protocol=icmp
add action=drop chain=input disabled=yes
add action=drop chain=input comment="Vsechno ostatni ma smulu" disabled=yes
add action=accept chain=forward dst-address=192.168.10.99 dst-port="" protocol=tcp
add action=accept chain=forward in-interface=ether1 protocol=icmp
add action=accept chain=forward dst-port=80 in-interface=ether1 protocol=tcp
add action=accept chain=forward dst-port=443 in-interface=ether1 protocol=tcp
add action=accept chain=forward connection-state=established in-interface=ether1
add action=accept chain=forward out-interface=ether1
add action=drop chain=forward in-interface=ether1
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment="Drop incoming packets that are not NATted" connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=ether1 log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface=bridge1 log=yes log-prefix=LAN_!LAN src-address=!192.168.10.0/24
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=2w1d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
add action=drop chain=input comment="drop telnet brute forcers" dst-port=23 protocol=tcp src-address-list=black_list
add action=add-src-to-address-list address-list=black_list address-list-timeout=1d chain=input connection-state=new dst-port=23 protocol=tcp src-address-list=telnet_stage3
add action=add-src-to-address-list address-list=telnet_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=23 protocol=tcp src-address-list=telnet_stage2
add action=add-src-to-address-list address-list=telnet_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=23 protocol=tcp src-address-list=telnet_stage1
add action=add-src-to-address-list address-list=telnet_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=23 protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat