atomicduck
Member Candidate
Topic Author
Posts: 244
Joined: Fri Oct 02, 2020 1:42 pm

6.48.6 loses Interface list setting for VPN?

Wed Dec 07, 2022 3:06 pm

Hello, not sure if this is by design, but the RB1100AH on 6.48.6 is losing the setting under interface lists for the VPN setting.

I have defined an l2tp-connection1 as an interface under PPP, and when I define it under the interface list, it is lost - upon reconnection, I think.


Is this by design? I use it for the next firewall filter:
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" \
    disabled=no dst-address-list=not_in_internet in-interface-list="[INTERNAL LANS + WIFI]" log=yes log-prefix=!public_from_LAN out-interface-list=\
    "![INTERNAL LANS + WIFI]"
Any help appreciated.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 6.48.6 loses Interface list setting for VPN?

Wed Dec 07, 2022 3:48 pm

Not enough info...
Show:
a. interface list
b. interface list members

Also, your discussion and example are not in sync; for example, you talk about pppoe and vpn but none is identified in the code block.
 
atomicduck
Member Candidate
Topic Author
Posts: 244
Joined: Fri Oct 02, 2020 1:42 pm

Re: 6.48.6 loses Interface list setting for VPN?

Wed Dec 07, 2022 4:56 pm

Here they are:
(Also, the last two in members should show l2tp-connection1, but that one falls off after a day or so.)
/interface list
add name="[INTERNET]"
add name="[LAN]"
add name="[INTERNAL LANS]"
add name="[INTERNAL LANS + WIFI]"

/interface list member
add interface=ether1-WAN list="[INTERNET]"
add interface=INTERNAL list="[LAN]"
add interface=LAN list="[INTERNAL LANS]"
add interface=SURVEILANCE list="[INTERNAL LANS]"
add interface=INTERNAL list="[INTERNAL LANS + WIFI]"
add interface=SURVEILANCE list="[INTERNAL LANS + WIFI]"
add interface=WAREHOUSE-WIFI list="[INTERNAL LANS + WIFI]"
add interface=INTERNAL-WIFI list="[INTERNAL LANS + WIFI]"
add interface=GUESTS-WIFI list="[INTERNAL LANS + WIFI]"
add list="[LAN]"
add list="[INTERNAL LANS + WIFI]"
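
An added example, not part of the original post or of RouterOS: a small Python check that reads a RouterOS export, reports interface list member entries that have lost their `interface=` value (as in the last two lines above), and lists the firewall matchers that reference an affected list. The function names and the sample export are constructed here, and the line-continuation handling is an assumption noted in the code.

```python
import re
import shlex

# Constructed sample, modelled on the export and firewall rule in this thread.
SAMPLE_EXPORT = '''\
/interface list member
add interface=ether1-WAN list="[INTERNET]"
add interface=INTERNAL list="[INTERNAL LANS + WIFI]"
add list="[LAN]"
add list="[INTERNAL LANS + WIFI]"
/ip firewall filter
add action=drop chain=forward in-interface-list="[INTERNAL LANS + WIFI]" out-interface-list=\\
    "![INTERNAL LANS + WIFI]"
'''

def parse_export(text):
    """Yield (menu, {key: value}) for each 'add' line of a RouterOS export."""
    # Assumption: a trailing backslash continues the line and the indentation
    # of the next line is not part of the value.
    text = re.sub(r"\\\r?\n\s*", "", text)
    menu = ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif line.startswith("add "):
            tokens = shlex.split(line[4:])  # keeps "quoted values" together
            yield menu, dict(t.split("=", 1) for t in tokens if "=" in t)

def audit(text):
    """Return (orphaned, at_risk).

    orphaned: lists holding a member entry with no interface= (binding lost).
    at_risk:  firewall matchers that reference one of those lists.
    """
    entries = list(parse_export(text))
    orphaned = [kv.get("list", "") for menu, kv in entries
                if menu == "/interface list member" and "interface" not in kv]
    at_risk = []
    for menu, kv in entries:
        if not menu.startswith("/ip firewall"):
            continue
        for key in ("in-interface-list", "out-interface-list"):
            if key in kv and kv[key].lstrip("!") in orphaned:
                at_risk.append((key, kv[key]))
    return orphaned, at_risk

if __name__ == "__main__":
    print(audit(SAMPLE_EXPORT))
```

Run against a saved export on a schedule, a non-empty result shows that a rule keyed on an interface list no longer covers the interface it was written for.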
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 6.48.6 loses Interface list setting for VPN?

Wed Dec 07, 2022 5:31 pm

Those are not list members and should be removed.
L2TP, as far as I know, cannot be an interface list member... (not an interface per se; wireguard can be, however)


/interface list member
add interface=ether1-WAN list="[INTERNET]"
add interface=INTERNAL list="[LAN]"
add interface=LAN list="[INTERNAL LANS]"
add interface=SURVEILANCE list="[INTERNAL LANS]"
add interface=INTERNAL list="[INTERNAL LANS + WIFI]"
add interface=SURVEILANCE list="[INTERNAL LANS + WIFI]"
add interface=WAREHOUSE-WIFI list="[INTERNAL LANS + WIFI]"
add interface=INTERNAL-WIFI list="[INTERNAL LANS + WIFI]"
add interface=GUESTS-WIFI list="[INTERNAL LANS + WIFI]"
add list="[LAN]"
add list="[INTERNAL LANS + WIFI]"
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: 6.48.6 loses Interface list setting for VPN?

Thu Dec 08, 2022 12:22 am

Is it client or server? But in both cases, if you "defined L2TP interface", i.e. you definitely added something, it's either client interface that must be there, or optional "L2TP Server Binding", and both should be usable. What wouldn't work is the dynamic interface created for client on server when you don't define the mentioned binding interface.
 
atomicduck
Member Candidate
Topic Author
Posts: 244
Joined: Fri Oct 02, 2020 1:42 pm

Re: 6.48.6 loses Interface list setting for VPN?

Fri Dec 09, 2022 11:00 am

Ok, so I was digging a bit - if I make a profile per connection, I would be able to have a script run on connection up. Then I would add:
/interface list member add interface=<l2tp-1> list="[LAN]"
Would this work?

And on link down, I would have to remove it. However, I can't find the command to do it,
/interface list member remove interface=<l2tp-1> list="[LAN]"
Doesn't work

What troubles me is the point at which the MikroTik removes L2TP from the member list. If it happens instantly, maybe the link-down option is not good. Maybe I should make another list just for VPN, and at start delete that list in full, and then add the interface into the list (new). Then I suppose it would work?
 
atomicduck
Member Candidate
Topic Author
Posts: 244
Joined: Fri Oct 02, 2020 1:42 pm

Re: 6.48.6 loses Interface list setting for VPN?

Fri Dec 09, 2022 11:03 am

Is it client or server? But in both cases, if you "defined L2TP interface", i.e. you definitely added something, it's either client interface that must be there, or optional "L2TP Server Binding", and both should be usable. What wouldn't work is the dynamic interface created for client on server when you don't define the mentioned binding interface.
It is on the server. When I set it manually, all is fine, but upon re-connection it falls down. So I am pondering how to circumvent it...
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: 6.48.6 loses Interface list setting for VPN?

Fri Dec 09, 2022 1:47 pm

And on link down, I would have to remove it. However, I can't find the command to do it,

Try
/interface list member
remove [ find list="[LAN]" interface=<l2tp-1> ]
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: 6.48.6 loses Interface list setting for VPN? [SOLVED]

Fri Dec 09, 2022 7:02 pm

You can create static interface for user and that one won't disappear:
/interface l2tp-server
add name=<interface name> user=<user name>
 
atomicduck
Member Candidate
Topic Author
Posts: 244
Joined: Fri Oct 02, 2020 1:42 pm

Re: 6.48.6 loses Interface list setting for VPN?

Wed Dec 14, 2022 12:01 pm

Thanks, will try both solutions today after work hours.
We had some other issues that I had to urgently fix, sorry for the pause!
 
atomicduck
Member Candidate
Topic Author
Posts: 244
Joined: Fri Oct 02, 2020 1:42 pm

Re: 6.48.6 loses Interface list setting for VPN?

Fri Dec 30, 2022 11:53 am

You can create static interface for user and that one won't disappear:
/interface l2tp-server
add name=<interface name> user=<user name>
This worked. I also got a reply from Emil from support, who noted that I should make a profile for the specific user and lock it using the only-one flag:
/ppp profile set <usersprofile> only-one=yes
In the end, all that is left is to add the interface:
/interface list member add interface=staticbind list=l2tpin

I am sorry for the late response, and thanks a lot to both for the help. I've had some servers down which had to be fixed before I could focus on this. Sometimes I wonder is IT a wise job choice... Not much sleep I get.

As for the removal code:
/interface list member remove [ find list="[LAN]" interface=<l2tp-1> ]
It works great. Thanks!

(In essence, these would be two solutions for the same problem. One awkward and one proper.)

EDIT:

Hm... This solved - how would I filter dynamic inbound connections? Say from remote users?
