Allow RDP only over VPN

I want to allow port 3389 (RDP) only through a VPN connection, not otherwise. How can I do this?

I have configured a VPN server in Mikrotik. I have blocked all traffic except HTTP and HTTPS with a firewall filter. I allowed 3389 with a filter rule, and right now other systems (outside our network) are able to RDP to our intranet systems regardless of the VPN. I mean a laptop (a client outside our network) is able to RDP with or without the VPN client. I need the client to connect to the Mikrotik VPN server first and then RDP to the intranet system; otherwise it should be disconnected.

How do I block all other RDP connections except RDP over VPN?

Right Now:

   --------     pptp tunnel     ------------         ---------- 
  |        |   ============    |            |       |          |
  |laptop  |  --------------   |  Mikrotik  |-------| system A |
  |        |   ============    |            |       |          |
  |        |  --------------   |   router   |-------|          |
   --------                    |            |        ----------
                                ------------


I want :

   --------     pptp tunnel     ------------         ---------- 
  |        |   ============    |            |       |          |
  |laptop  |  --------------   |  Mikrotik  |-------| system A |
  |        |   ============    |            |       |          |
  |        |                   |   router   |       |          |
   --------                    |            |        ----------
                                ------------

What you've essentially done is set up a VPN AND set up RDP access through the firewall (opening port 3389 to the world).

You shouldn't allow RDP access through the firewall at all if you want to limit it to VPN users. Disable that rule completely for RDP.

Then... a user will VPN in using the VPN tunnel you set up and THEN RDP into "system A". The VPN puts them on "System A"'s local network, allowing them access to the server.

IF you haven't already set up a VPN server (can't quite tell from your question), then that's what you'll need to configure and make sure is working.


This is the rule I need to add to allow RDP only over the VPN and block all other connections.

    /ip firewall filter add chain=forward action=accept protocol=tcp dst-port=3389 in-interface=VPN comment="Allow RDP via VPN"
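A fuller version of that rule set, added here as an example rather than the asker's own configuration: the accept-via-VPN rule must sit above a drop rule for port 3389, because RouterOS evaluates filter rules top to bottom. It assumes the VPN clients arrive on PPP-type interfaces (matched with the built-in `all-ppp`) and that System A's address is 192.168.88.10 (a constructed placeholder).

```routeros
/ip firewall filter
# Let replies to connections already opened from inside (LAN or VPN) pass
add chain=forward action=accept connection-state=established,related \
    comment="Accept established/related"

# RDP to System A is accepted only when the packet enters on a PPP (VPN) interface.
# all-ppp is a built-in RouterOS matcher for PPTP/L2TP/SSTP/PPPoE interfaces;
# 192.168.88.10 is an assumed address for System A.
add chain=forward action=accept protocol=tcp dst-port=3389 \
    dst-address=192.168.88.10 in-interface=all-ppp \
    comment="Allow RDP via VPN"

# Every other attempt to reach port 3389 is dropped. This rule replaces the old
# accept rule that opened RDP to the world; keep it BELOW the VPN accept rule.
add chain=forward action=drop protocol=tcp dst-port=3389 \
    comment="Drop RDP not via VPN"
```

Check the resulting order with `/ip firewall filter print`; if an existing rule still accepts 3389 above the drop, disable or move it, or the drop never fires.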