I’d like to know how to set up firewall filter rules based on PPTP users (the users are external, authenticated via RADIUS and an external Windows Domain Controller).
For instance, after a successful connection I have both user1 and user2 (dynamic interfaces pptp-user1 and pptp-user2); I need to set up some rules in order to allow user1 to access host1 only and user2 to access host2 only.
Ricardo,
I guess you may use a static interface, created with ‘interface pptp-server add name=’ [the command to create a static interface].
Then you can use those interfaces in the firewall rules and set additional matchers (IP address, etc.) to achieve your requirements.
I think that defeats the purpose of using RADIUS if there are a lot of users to do this for. I’m no expert on RADIUS, but isn’t there a way to hand back a firewall filter chain to put on a user? You could then put those users through a special chain that firewalled things the way you wanted.
the users must be authenticated externally (by Windows AD)
the filter rules must rely on the username only (the IP is dynamically assigned by the MT PPTP server)
so there is no “easy” relationship between username and IP
the “internal” session created by the PPTP service has no knowledge of the username credentials used to log in
I can successfully intercept the username at login by filtering on protocol=47 (GRE) and content=, but that’s useless because it’s the “external” session, not the internal one (the one I need to filter)
I’ve created a script to add to an address-list the source address dynamically associated with the username:
/ip firewall address-list add list=group1 address=[/ppp active get [find name=user1] address ]
In this way I could re-create a relationship username->internal-IP and use it to filter by source-address-list, but I didn’t find any way to automatically run that script after a successful PPTP login (and a similar one to remove the access-list item after the logout).
I’ve found a way to handle PPTP traffic packets using a dedicated chain declared via Incoming-filter in the PPP profile, then a jump from the forward chain to the ppp chain, so the dedicated chain is automatically linked when the dynamic PPTP interfaces are created.
But this method still has the initial problem: there is no usable field that can lead back to the original username.
I’ll try Sergejs’s hint to make a single static PPTP interface for each username, because that provides a usable field (In. Interface) to set in filter rule.
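Editor's note, as an added example that is not part of the thread: the missing piece in Ricardo's address-list approach is the hook to run that script at login/logout, and the suggestion in the earlier reply (let RADIUS hand back something the firewall can match on) is also answered by the same mechanism. RouterOS PPP profiles have on-up and on-down scripts that expose the session's $user and $"remote-address", so the username-to-internal-IP mapping can be kept in a per-user address-list automatically and the filter rules match on that list instead of on the dynamic pptp-<user> interface. Everything concrete below is an assumption for illustration: a profile named pptp-users, the PPTP pool 10.0.0.0/24, host1 = 192.168.1.10, host2 = 192.168.1.20, and a RouterOS version that supports profile scripts (v3 and later).

```routeros
# Added example, not from the original thread. Assumed: profile "pptp-users"
# already assigned to the PPTP server, PPTP pool 10.0.0.0/24,
# host1 = 192.168.1.10, host2 = 192.168.1.20 (all illustrative values).

# 1. Keep one address-list per username, holding the address the PPP
#    session was assigned. $user and $"remote-address" are the variables
#    RouterOS passes to on-up/on-down; the backslashes are CLI escaping so
#    they are expanded when the session comes up, not when "set" runs.
/ppp profile set [find name=pptp-users] \
    on-up="/ip firewall address-list add list=\$user address=\$\"remote-address\" comment=(\"pptp \" . \$user)" \
    on-down="/ip firewall address-list remove [find list=\$user address=\$\"remote-address\"]"

# 2. Filter on the per-user list: return traffic first, then each user's
#    single permitted destination, then drop everything else from the pool.
/ip firewall filter
add chain=forward connection-state=established,related action=accept \
    comment="return traffic for existing sessions"
add chain=forward src-address-list=user1 dst-address=192.168.1.10 action=accept \
    comment="user1 -> host1 only"
add chain=forward src-address-list=user2 dst-address=192.168.1.20 action=accept \
    comment="user2 -> host2 only"
add chain=forward src-address=10.0.0.0/24 action=drop \
    comment="drop anything else originating from PPTP clients"

# 3. Check what on-up produced after user1 logs in (should show one entry
#    with that session's internal address):
/ip firewall address-list print where list=user1

# 4. Script-free alternative, if the RouterOS version supports it: have the
#    RADIUS server return the MikroTik vendor attribute Mikrotik-Address-List
#    (vendor 14988, attribute 19) in Access-Accept; RouterOS then adds the
#    session address to that list itself and the rules above apply unchanged.
#    Illustrative FreeRADIUS "users" entry (authentication stays with AD):
#      user1
#              Mikrotik-Address-List = "user1"
```

Two practical notes: the drop rule at the end of the forward chain is what makes the design fail closed if the on-up script has not run yet or the RADIUS attribute is missing, so keep it; and entries added by on-up survive a router reboot while the sessions do not, so a periodic cleanup of lists whose address is not in /ppp active is worth adding. None of this changes the fact that PPTP's own MS-CHAPv2/MPPE protection is weak; per-user filtering limits what an authenticated session can reach, it does not strengthen the tunnel.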