tonny
newbie
Topic Author
Posts: 42
Joined: Fri Oct 09, 2015 10:50 am

portknock

Wed Jan 13, 2021 7:10 pm

Hi,
I use a VPN service, and based upon a named list in "ip firewall address-list" certain clients go through the tunnel. Just because sometimes it needs to, sometimes it doesn't.
For the wife to easily switch, I told her to browse to the router on a port. That puts her laptop on that list for a few hours. And as usual ..... they want more ;)
There is an "add IP to list" but no "remove IP from list" (using a second list won't do).

Any ideas to 'simulate' a remove-IP-from-list function??

//Tonny
 
Sob
Forum Guru
Posts: 6484
Joined: Mon Apr 20, 2009 9:11 pm

Re: portknock

Thu Jan 14, 2021 3:23 am

That's problematic. You could add another list to override the first one. Address in first list enables routing to tunnel. Address in second list disables it, even though the address is still in first list too. It should be simple, just add addresses in second list with same timeout and change firewall rules a little.

But as soon as you'll need to re-enable routing to tunnel, before address in second list expires, it's back to the beginning, same problem. And there's no doubt that it will happen.

RouterOS needs ability to remove addresses from list, same way it allows to add them, that's the right solution.
Excessive quoting is useless and annoying. If you use it, please consider if you could do without it.
 
sindy
Forum Guru
Posts: 6660
Joined: Mon Dec 04, 2017 9:19 pm

Re: portknock

Thu Jan 14, 2021 9:43 am

To overcome the absence of action=remove-src-from-address-list, you can schedule a script to run every second, which will scan the second address-list, and whenever it finds an item there, it will remove it, look for that item on the first list as well, and remove it from the first list. It is an awful workaround, but family relationships are very important 🙂
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
tonny
newbie
Topic Author
Posts: 42
Joined: Fri Oct 09, 2015 10:50 am

Re: portknock

Thu Jan 14, 2021 4:26 pm

Thnx. At least I did not overlook some "easy" answer.
So, probably scripting it will be
 
Sob
Forum Guru
Posts: 6484
Joined: Mon Apr 20, 2009 9:11 pm

Re: portknock

Thu Jan 14, 2021 9:57 pm

Actually, that's not a bad solution. I tend to forget about scripting, because that thing hates me. ;) Plus doing things using scripts needs more resources than a built-in function.

But in this case, if you make the other list override the first one (so when address appears in there, it will have effect immediately), you can run the script much less frequently only for cleanup, to allow enabling VPN access again. And some delay there should not be a problem, because it won't happen too often that you'd disable it and then immediately re-enable.
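The override-then-cleanup design sindy and Sob describe, written out as an added RouterOS example (not configuration posted by either of them or by the topic author). The list names vpn-clients and vpn-revoke, the knock ports 2001/2002, the 4h timeout and the routing table via-vpn are assumptions; adjust them to the existing setup.

```routeros
# Added example, not from the thread. Assumed names: lists vpn-clients / vpn-revoke,
# knock ports 2001 (enable) and 2002 (disable), 4h timeout, routing table "via-vpn".

# 1) Knock rules: browsing to the router on a port adds the source to a list.
#    add-src-to-address-list does not terminate rule processing; the connection
#    itself is still handled by the input rules that follow.
/ip firewall filter
add chain=input protocol=tcp dst-port=2001 action=add-src-to-address-list \
    address-list=vpn-clients address-list-timeout=4h comment="enable tunnel"
add chain=input protocol=tcp dst-port=2002 action=add-src-to-address-list \
    address-list=vpn-revoke address-list-timeout=4h comment="disable tunnel"

# 2) Override: the revoke list is checked first, so it wins immediately even
#    while the same address is still present in vpn-clients.
/ip firewall mangle
add chain=prerouting src-address-list=vpn-revoke action=accept \
    comment="revoked clients leave prerouting before the routing mark"
add chain=prerouting src-address-list=vpn-clients action=mark-routing \
    new-routing-mark=via-vpn passthrough=no comment="route via tunnel"

# 3) Cleanup script (save under /system script as name=vpn-revoke-cleanup with
#    policy read,write): for every address in vpn-revoke, remove it from
#    vpn-clients and then from vpn-revoke, so a later knock on port 2001
#    re-enables the tunnel instead of being overridden by a stale revoke entry.
:local allowList "vpn-clients"
:local revokeList "vpn-revoke"
:foreach r in=[/ip firewall address-list find where list=$revokeList] do={
    :local addr [/ip firewall address-list get $r address]
    /ip firewall address-list remove [find where list=$allowList and address=$addr]
    /ip firewall address-list remove $r
    :log info ("vpn-revoke-cleanup: tunnel disabled for " . $addr)
}

# 4) Run the cleanup every few seconds; the interval only delays how soon a
#    re-enable takes effect, because the override already applies immediately.
/system scheduler add name=vpn-revoke-cleanup interval=5s start-time=startup \
    on-event=vpn-revoke-cleanup policy=read,write
```

Entries created by the knock rules are dynamic, so they expire on their own after the timeout; the script only shortens that for revoked clients. Check the result with /ip firewall address-list print and /log print after a knock on each port.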
 
sindy
Forum Guru
Forum Guru
Posts: 6660
Joined: Mon Dec 04, 2017 9:19 pm

Re: portknock

Thu Jan 14, 2021 10:06 pm

> it won't happen too often that you'd disable it and then immediately re-enable.
It almost sounds as if you've never been married 😉
