Hi,
I use a VPN service, and based upon a named list in "ip firewall address-list" certain clients go through the tunnel. Just because sometimes it needs to, sometimes it don't.
For the wife to easy switch to, I told her to browse to the router on a port. That puts her laptop on that list for a few hours. And as usual ..... they want more ;)
There is an "add IP to list" but no "remove IP from list" (using a second list won't do)
Any ideas 'simulate' an remove ip from list function ??
//Tonny
Re: portknock
That's problematic. You could add another list to override the first one. Address in first list enables routing to tunnel. Address in second list disables it, even though the address is still in first list too. It should be simple, just add addresses in second list with same timeout and change firewall rules a little.
But as soon as you'll need to re-enable routing to tunnel, before address in second list expires, it's back to the beginning, same problem. And there's no doubt that it will happen.
RouterOS needs ability to remove addresses from list, same way it allows to add them, that's the right solution.
But as soon as you'll need to re-enable routing to tunnel, before address in second list expires, it's back to the beginning, same problem. And there's no doubt that it will happen.
RouterOS needs ability to remove addresses from list, same way it allows to add them, that's the right solution.
Excessive quoting is useless and annoying. If you use it, please consider if you could do without it.
Re: portknock
To overcome the absence of action=remove-src-from-address-list, you can scheduled a script to run every second, which will scan the second address-list, and whenever it finds an item there, it will remove it, look for that item on the first list as well, and remove it from the first list. It is an awful workaround, but family relationships are very important 🙂
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
Re: portknock
Thnx. At least I did not overlook some "easy" answer.
So, probably scripting it will be
So, probably scripting it will be
Re: portknock
Actually, that's not a bad solution. I tend to forget about scripting, because that thing hates me. ;) Plus doing things using scripts needs more resources than a built-in function.
But in this case, if you make the other list override the first one (so when address appears in there, it will have effect immediatelly), you can run the script much less frequently only for cleanup, to allow enabling VPN access again. And some delay there should not be a problem, because it won't happen too often that you'd disable it and then immediatelly re-enable.
But in this case, if you make the other list override the first one (so when address appears in there, it will have effect immediatelly), you can run the script much less frequently only for cleanup, to allow enabling VPN access again. And some delay there should not be a problem, because it won't happen too often that you'd disable it and then immediatelly re-enable.
Excessive quoting is useless and annoying. If you use it, please consider if you could do without it.
Re: portknock
It almost sounds as if you've never been married 😉it won't happen too often that you'd disable it and then immediatelly re-enable.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
Who is online
Users browsing this forum: ramirez and 203 guests