acypkob
just joined
Topic Author
Posts: 20
Joined: Sun Sep 25, 2016 12:33 pm

add source IP of VPN client to trusted_ip address list in /ip firewall

Mon Oct 10, 2016 3:49 pm

What is the best way to add source IP of VPN client to trusted_ip address list in /ip firewall?
Should I run a script every minute to do this? Does GOD forbid MikroTik's scheduler to run a script on a successful VPN login event? ... or maybe I've missed something?
 
acypkob
just joined
Topic Author
Posts: 20
Joined: Sun Sep 25, 2016 12:33 pm

Re: add source IP of VPN client to trusted_ip address list in /ip firewall

Mon Oct 10, 2016 3:52 pm

I am trying to invent something like this
> :put [:foreach N in=[/ppp active find where uptime>0] do={/ppp active get $N value-name=caller-id}]
;37.140.66.96
but still it is all disgusting; why isn't there an auto-filled address list of successful VPN clients' source IPs?
 
che
Frequent Visitor
Posts: 94
Joined: Fri Oct 07, 2005 1:04 pm

Re: add source IP of VPN client to trusted_ip address list in /ip firewall

Mon Oct 10, 2016 4:34 pm

I had a similar dilemma and decided to go with a solution where I call a script whenever any VPN client connects.

First I added an event in the VPN profile so that a script runs when any client connects:
/ppp profile set vpn on-up="/system script run vpn-on_connect"
This is the "vpn-on_connect" script that is called by the mentioned routine:
# Give the new PPP interface a moment to come up before reading client addresses
:delay delay-time=3

:global pptpCount [/interface pptp-server print count-only]
:global ovpnCount [/interface ovpn-server print count-only]

:if ($ovpnCount != 0) do={
	:foreach i in=[/interface ovpn-server find] do={
		:global clientNameOVPN [/interface ovpn-server get $i name]
		:global clientAddrOVPN [/interface ovpn-server get $i client-address]
		# Only add the address if it is not on the list yet; adding a duplicate
		# fails with "already have such entry" and aborts the script
		:if ([:len [/ip firewall address-list find where list=vpn_whitelist and address=$clientAddrOVPN]] = 0) do={
			/ip firewall address-list add list=vpn_whitelist address=$clientAddrOVPN comment=$clientNameOVPN
		}
	}
}

:if ($pptpCount != 0) do={
	:foreach i in=[/interface pptp-server find] do={
		:global clientNamePPTP [/interface pptp-server get $i name]
		:global clientAddrPPTP [/interface pptp-server get $i client-address]
		:if ([:len [/ip firewall address-list find where list=vpn_whitelist and address=$clientAddrPPTP]] = 0) do={
			/ip firewall address-list add list=vpn_whitelist address=$clientAddrPPTP comment=$clientNamePPTP
		}
	}
}
The script checks for active PPTP and OVPN clients and adds their source IPs to the whitelist. I made the variables global so it's easier to troubleshoot (via system/scripts/environment), but you can have those as local as well.
 
acypkob
just joined
Topic Author
Posts: 20
Joined: Sun Sep 25, 2016 12:33 pm

Re: add source IP of VPN client to trusted_ip address list in /ip firewall

Mon Oct 10, 2016 6:32 pm

Very interesting, but on my 6.27 there is no such thing as vpn "on-ip=".
 
che
Frequent Visitor
Posts: 94
Joined: Fri Oct 07, 2005 1:04 pm

Re: add source IP of VPN client to trusted_ip address list in /ip firewall

Mon Oct 10, 2016 7:42 pm

Just upgrade the board to the current RouterOS; 6.27 came out in February 2015 and a lot of new features and fixes have been implemented since then. And if you don't want to upgrade, just use my script and schedule it to run on whatever interval you think is fine.
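A scheduler-driven variant, added here as an example (not che's script or MikroTik's code), that combines the `/ppp active` lookup from the opening post with the address-list approach above: it needs no `on-up` hook, so it also works on older RouterOS builds, skips addresses that are already listed, and gives entries a timeout so a client that disconnects drops off the trusted list by itself. The list name `vpn_whitelist`, the 5-minute timeout and the 1-minute interval are assumed values.

```routeros
# Added example: refresh the VPN whitelist from the active PPP sessions.
# /ppp active covers pptp, l2tp, sstp and ovpn tunnels in one table; the
# caller-id field holds the peer's public address for these services.
:local listName "vpn_whitelist"
# Keep each entry a bit longer than the scheduler interval (assumed: 1m)
:local ttl 5m

# pppoe sessions carry a MAC address as caller-id, so they are excluded
:foreach sess in=[/ppp active find where service!="pppoe"] do={
    :local peer [/ppp active get $sess caller-id]
    :local user [/ppp active get $sess name]

    :local existing [/ip firewall address-list find where list=$listName and address=$peer]
    :if ([:len $existing] = 0) do={
        # New client: add with a timeout so the entry expires on its own
        /ip firewall address-list add list=$listName address=$peer timeout=$ttl comment=("ppp:" . $user)
    } else={
        # Client still connected: extend the timeout instead of adding a duplicate
        /ip firewall address-list set $existing timeout=$ttl
    }
}
```

Save the block as a script named, for instance, `vpn-whitelist-refresh` and schedule it with `/system scheduler add name=vpn-whitelist-refresh interval=1m on-event="/system script run vpn-whitelist-refresh"`. Because entries expire, an address stays trusted only while a session for it is still active.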
 
acypkob
just joined
Topic Author
Posts: 20
Joined: Sun Sep 25, 2016 12:33 pm

Re: add source IP of VPN client to trusted_ip address list in /ip firewall

Tue Oct 11, 2016 12:20 pm

Yes, thanks ... but I'll do it later, since I am 300+ km away from the board, and what if something goes wrong during the update?
 
acypkob
just joined
Topic Author
Posts: 20
Joined: Sun Sep 25, 2016 12:33 pm

Re: add source IP of VPN client to trusted_ip address list in /ip firewall

Sun Jan 29, 2017 5:31 pm

Guess we need the same thing for SSH logins also ... (if an SSH login was successful, add the source IP to trusted_ips for some time).
