MikroTik Tutorial: Firewall ruleset for IPsec whitelisting


This article shows how to set up a firewall whitelist for IPsec peer associations on a MikroTik router. The firewall ruleset uses address lists so that IKE traffic on UDP 500 is accepted only from trusted networks.

The address list for trusted networks will be called ipsec-trusted-nets and all other hosts that attempt IPsec traffic will be added to the list ipsec-uninvited.

Here are the firewall input rules:

Please Note: This is not a complete firewall ruleset, only the rules relevant to whitelist/blacklist IPsec traffic to the router.

/ip firewall filter
# 1. Record any new IKE (UDP:500) attempt from a source that is NOT in the
#    trusted list. add-src-to-address-list is non-terminating, so evaluation
#    continues with the rules below. Note: add-src-to-address-list records the
#    peer's address; add-dst-to-address-list would record the router's own.
add action=add-src-to-address-list address-list=ipsec-uninvited \
    address-list-timeout=4w2d chain=input comment=\
    "Add unknown IPsec attempts to \"ipsec-uninvited\" list" connection-state=new \
    dst-port=500 in-interface=ether1 protocol=udp \
    src-address-list=!ipsec-trusted-nets
# 2./3. Allow IKE (UDP:500) and NAT-T (UDP:4500) only from trusted networks
add action=accept chain=input comment=\
    "Allow UDP:500 from \"ipsec-trusted-nets\" list" dst-port=500 in-interface=\
    ether1 protocol=udp src-address-list=ipsec-trusted-nets
add action=accept chain=input comment=\
    "Allow UDP:4500 from \"ipsec-trusted-nets\" list" dst-port=4500 in-interface=\
    ether1 protocol=udp src-address-list=ipsec-trusted-nets
# 4. Drop and log IKE attempts from hosts already recorded as uninvited
add action=drop chain=input comment="Deny UDP:500 from \"ipsec-uninvited\" list" \
    dst-port=500 in-interface=ether1 log=yes log-prefix=ipsec-uninvited protocol=udp \
    src-address-list=ipsec-uninvited

Decision Flowchart

This technique will limit the total attack surface of your public facing IPsec VPN router. I know that all of my IPsec clients will be coming from one class A subnet (owned by one of the major wireless carriers) so I’ve added it to the ipsec-trusted-nets address list. The same technique can be used to whitelist/blacklist other protocols such as SSH.
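To see why the rule order above works, here is a small Python model of the ruleset that walks constructed packets through the four input rules in order; it is an added example, not RouterOS code or the author's. It assumes RouterOS semantics (add-src-to-address-list is non-terminating, `!list` negates a src-address-list match, dynamic entries expire after address-list-timeout) and uses the constructed prefix 10.0.0.0/8 as a stand-in for the author's trusted carrier network.

```python
import ipaddress

TIMEOUT_4W2D = (4 * 7 + 2) * 86400          # address-list-timeout=4w2d, in seconds

# Address lists: entry -> expiry timestamp (None = static entry, never expires).
# The trusted prefix below is a constructed stand-in for the author's carrier /8.
lists = {"ipsec-trusted-nets": {"10.0.0.0/8": None}, "ipsec-uninvited": {}}

# The four input-chain rules from the tutorial, in RouterOS order.
# "!name" in src_list negates the match, as src-address-list=!name does.
RULES = [
    {"dport": 500, "state": "new", "src_list": "!ipsec-trusted-nets",
     "action": "add-src", "list": "ipsec-uninvited"},
    {"dport": 500, "src_list": "ipsec-trusted-nets", "action": "accept"},
    {"dport": 4500, "src_list": "ipsec-trusted-nets", "action": "accept"},
    {"dport": 500, "src_list": "ipsec-uninvited", "action": "drop"},
]

def in_list(name, ip, now):
    """Membership test that first expires dynamic entries older than `now`."""
    entries = lists[name]
    for entry, expiry in list(entries.items()):
        if expiry is not None and expiry <= now:
            del entries[entry]
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry) for entry in entries)

def matches(rule, pkt, now):
    if pkt["proto"] != "udp" or pkt["dport"] != rule["dport"]:
        return False
    if "state" in rule and pkt["state"] != rule["state"]:
        return False
    name = rule["src_list"]
    hit = in_list(name.lstrip("!"), pkt["src"], now)
    return hit != name.startswith("!")

def evaluate(pkt, now):
    """Return 'accept', 'drop', or 'passthrough' (left to the rest of the ruleset)."""
    for rule in RULES:
        if not matches(rule, pkt, now):
            continue
        if rule["action"] == "add-src":
            # add-src-to-address-list is non-terminating: record and keep going.
            lists[rule["list"]][pkt["src"]] = now + TIMEOUT_4W2D
            continue
        return rule["action"]
    return "passthrough"

def ike(src, dport=500, state="new"):
    """Build a constructed UDP packet toward the router's IKE/NAT-T ports."""
    return {"src": src, "proto": "udp", "dport": dport, "state": state}
```

A trusted peer is accepted without ever being recorded, an unknown peer is recorded and dropped in the same pass, and the uninvited entry ages out after 4w2d unless the host tries again.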
