Issue with L2TP IP Pool Immediate Reuse - Need a Solution for Delayed Reassignment

Hello everyone,

I have an L2TP server configured on a MikroTik router with over 4000 active users. I’m using an IP pool to assign addresses to users dynamically. For auditing purposes, I need to save NAT logs for each user.

The issue I’m encountering is that when a user disconnects, the router immediately reassigns their IP address to a new connection, sometimes within milliseconds. This causes log entries to show two different users with the same IP within the same second, creating inconsistencies in my auditing.

I’ve researched and found that MikroTik IP pools do not have a built-in option for lease time or delay before reassigning IPs. To resolve this, I want to implement a script that runs in the On Down section of the PPP profile. The script would add the IP address to a firewall address list for a specified duration (e.g., 1 minute) before allowing it to be reassigned.

However, I’m having trouble getting this script to work correctly. Has anyone implemented a similar solution or have suggestions on how to achieve this in MikroTik?

Any advice or alternative approaches would be greatly appreciated.

Thank you!

try another way


On Up:
:log warning "user: $"user" connected at: $[/system clock get date] $[/system clock get time] from: IP wan: $"caller-id" IP vpn: $"remote-address""
/ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark connection-state=new new-connection-mark="L2TP_$"user"" passthrough=yes src-address="$"remote-address""

On Down:
:log warning "user: $"user" disconnected at: $[/system clock get date] $[/system clock get time] from: IP wan: $"caller-id" IP vpn: $"remote-address""
/ip firewall mangle remove [find where new-connection-mark="L2TP_$"user""]

—cut pat_CODE—
/ppp profile
add on-down=":log warning \"user: \$\"user\" disconnected at: \$[/system clock get date] \$[/system clock get time] from: IP wan: \$\"caller-id\" IP vpn: \$\"remote-address\"\"\r\
    \n/ip firewall mangle remove [find where new-connection-mark=\"L2TP_\$\"user\"\"]" on-up=":log warning \"user: \$\"user\" connected at: \$[/system clock get date] \$[/system clock get time] from: IP wan: \$\"caller-id\" IP vpn: \$\"remote-address\"\"\r\
    \n/ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark connection-state=new new-connection-mark=\"L2TP_\$\"user\"\" passthrough=yes src-address=\"\$\"remote-address\"\"" \
    remote-address=pool1_dhcp_LAN_sns use-encryption=yes
–end cut—
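
An added example, not part of the original thread: a Python sketch that rebuilds per-IP session intervals from the connect/disconnect messages written by the On Up / On Down scripts above and attributes a NAT log entry (VPN IP plus timestamp) to a user. It assumes the RouterOS v7 clock format (YYYY-MM-DD HH:MM:SS); the function names and the sample log lines are constructed for illustration.

```python
import re
from datetime import datetime

# Matches the message written by the On Up / On Down scripts above.
# Assumption: RouterOS v7 clock format (YYYY-MM-DD HH:MM:SS).
LINE = re.compile(
    r"user: (?P<user>\S+) (?P<event>connected|disconnected) at: "
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) from: IP wan: (?P<wan>\S+) "
    r"IP vpn: (?P<vpn>\S+)"
)

def build_sessions(lines):
    """Return {vpn_ip: [[user, start, end_or_None], ...]} in log order."""
    sessions = {}
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # not a session message
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        per_ip = sessions.setdefault(m["vpn"], [])
        if m["event"] == "connected":
            per_ip.append([m["user"], ts, None])
        else:
            # Close the most recent open session of this user on this IP.
            for s in reversed(per_ip):
                if s[0] == m["user"] and s[2] is None:
                    s[2] = ts
                    break
    return sessions

def owners(sessions, vpn_ip, when):
    """Users whose session on vpn_ip covers `when` (1-second resolution).
    More than one name means the IP changed hands within that second."""
    return [u for u, start, end in sessions.get(vpn_ip, [])
            if start <= when and (end is None or when <= end)]

# Constructed sample log lines (hypothetical users and addresses).
SAMPLE = [
    "user: alice connected at: 2024-05-01 10:00:00 from: IP wan: 203.0.113.5 IP vpn: 10.0.0.7",
    "user: alice disconnected at: 2024-05-01 10:15:42 from: IP wan: 203.0.113.5 IP vpn: 10.0.0.7",
    "user: bob connected at: 2024-05-01 10:15:42 from: IP wan: 198.51.100.9 IP vpn: 10.0.0.7",
]

if __name__ == "__main__":
    s = build_sessions(SAMPLE)
    for t in ("2024-05-01 10:05:00", "2024-05-01 10:15:42", "2024-05-01 10:20:00"):
        print(t, owners(s, "10.0.0.7", datetime.strptime(t, "%Y-%m-%d %H:%M:%S")))
```

A lookup that returns two names marks exactly the same-second handover described in the question; those entries need the per-user connection mark or a finer-grained timestamp to be attributed to one user.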