johnm
newbie
Topic Author
Posts: 27
Joined: Thu Feb 19, 2009 9:40 pm

connection to the l2tp server on mikrotiku

Fri Nov 29, 2019 9:23 pm

Hello.
Is it possible to set up the l2tp server on the mikrotik so that you can log in within a specified period of time?
I would like to be able to connect to the client, e.g. from 8:00 to 14:00.
Thank you in advance for the hint.
 
Zacharias
Forum Guru
Posts: 1075
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: connection to the l2tp server on mikrotiku

Fri Nov 29, 2019 10:19 pm

No, unless you write a script for that...
 
xvo
Long time Member
Posts: 631
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: connection to the l2tp server on mikrotiku

Fri Nov 29, 2019 10:59 pm

...or you can just use the "Time" firewall matcher to restrict establishing the l2tp connection outside the needed time interval...
 
Zacharias
Forum Guru
Posts: 1075
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: connection to the l2tp server on mikrotiku

Fri Nov 29, 2019 11:03 pm

@xvo is right on that...
 
johnm
newbie
Topic Author
Posts: 27
Joined: Thu Feb 19, 2009 9:40 pm

Re: connection to the l2tp server on mikrotiku

Sat Nov 30, 2019 9:29 am

Yes, but can I set a ban on the firewall only for selected logins (users)?
 
xvo
Long time Member
Posts: 631
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: connection to the l2tp server on mikrotiku

Sat Nov 30, 2019 9:38 am

> Yes, but can I set a ban on the firewall only for selected logins (users)?

Only on a src-address basis.
Or you can let the user connect, but not allow them to reach anything.

Otherwise, a couple of scripts in the scheduler that will disable/enable the needed ppp secrets/interfaces.
 
sindy
Forum Guru
Posts: 4191
Joined: Mon Dec 04, 2017 9:19 pm

Re: connection to the l2tp server on mikrotiku

Sat Nov 30, 2019 12:21 pm

In general bear in mind that in a stateful firewall, the permissive rules are normally used to control only the process of creation of a new connection. So in order to be able to block already established connections and at the same time let mid-connection packets be still handled by just a single rule, you'd have to have several "accept established,related" rules with additional match conditions (matching on address lists or interface lists) and let the time conditions enable just one of them at any given time. Time conditions have the specialty of removing the rule from the internal chains outside the active time, so the packets are not matched against it at all.

If you use fasttracking, the above won't work as the fasttracked packets bypass firewall rules completely and most connections can survive a dropped packet now and then.

Plus if you wanted to have more than one time window, things would quickly get complicated.

So all in all I think scheduled scripts are a better way.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
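
The scheduled-script approach suggested in the replies above, as an added example that is not part of any post in this thread. It uses one script that re-evaluates the window every minute, so the state is also corrected after a reboot; the secret name `user1`, the script name `l2tp-window` and the 08:00 to 14:00 window are assumptions taken from the question.

```routeros
# Added example (constructed): "user1" and "l2tp-window" are placeholder names.
# Requires a correct system clock (e.g. NTP client configured), because the
# decision is based on /system clock.
/system script add name=l2tp-window source={
    :local user "user1"
    :local now [/system clock get time]

    # Login window: 08:00:00 inclusive to 14:00:00 exclusive.
    :local allowed (($now >= 08:00:00) and ($now < 14:00:00))

    # Fails with an error if the secret does not exist, which makes a
    # typo in the name visible in the log instead of silently doing nothing.
    :local isDisabled [/ppp secret get [find name=$user] disabled]

    :if ($allowed and $isDisabled) do={
        /ppp secret enable [find name=$user]
    }

    :if (!$allowed) do={
        :if (!$isDisabled) do={
            /ppp secret disable [find name=$user]
        }
        # Disabling a secret only blocks new logins. A session that is
        # already up stays up until it is removed from the active list.
        /ppp active remove [find name=$user]
    }
}

# Run the check every minute; running it repeatedly is harmless because
# the script only changes state when the current state is wrong.
/system scheduler add name=l2tp-window interval=1m on-event=l2tp-window
```

Verify the result with `/ppp secret print` and `/ppp active print` just before and just after each boundary of the window.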
