I have 3 vlans.
v1
v2
v3

I want certain PPP / secret (accounts) to only have access to certain vlans.
At the moment, any VPN user has access to all vlans.

For example:

VPN user1 can ONLY access v1
VPN user2 can ONLY access v2
VPN user3 can access both v1 and v2

Is this possible?

You can do that at both L3 (IP subnet) level, using src-address(-list) and dst-address(-list) in the /ip firewall rules, and using in-interface(-list) and out-interface(-list) at L2 (LAN/VLAN) level, or use L2 for source and L3 for destination or vice versa.

The source (the L2TP client) can be identified by an IP address or by interface name. If you create a separate /ip pool for each category of L2TP clients and use the name of that pool as a value of the /ppp secret remote-address (or of /ppp profile remote-address) for /ppp secret of clients belonging this category, they may get dynamically assigned addresses but you can still refer to the address range matching the one used in that pool using src-address in the rule.

Another possibility is to create a static interface name and link it to a particular /ppp secret. This is a 1:1 mapping so you cannot assign the same static interface name to multiple users as the interfaces are tunnel ones.

So assuming you have users a1, a2 in privilege group A, user b1 in privilege group B and VLANs 10,20,30 accessible via interfaces /interface vlan named vlan-10, vlan-20, vlan-30 where privilege group A can access VLANs 10 and 30 and privilege group B can access VLANs 10 and 20, you could do it e.g. the following way:
These firewall rules have to be placed at correct position in the chain and they assume that you have a tight firewall with "a drop everything" rule in the end of the chain preceded by rules constituting intended action=accept exceptions from it. If you have a default hAP/hEX firewall which only filters traffic coming from WAN but lets traffic between LANs flow freely, you have to consider whether you want to invert the logic of the rules above (i.e. say "users from pg_A must not get to vlan-20 whereas users from pg-B must not get to vlan-30") or whether to invert the logic of the firewall from default accept to default drop.

Great info, thanks for that

Should DNS resolution from the vpn client be working with this config? At the moment it is not, I can ping by IP but that’s it .?

DNS resoltion should work if you want it to work

But there are many factors which affect whether it will work or not for the particular client and DNS server.

You can let the L2TP client keep using the DNS servers it uses normally, or you can set the dns-server item in /ppp secret or /ppp profile to make the client use the server(s) stated there while the L2TP connection is up.

Depending on whether the client uses DNS servers in the internet (regardless how it got their addresses) or DNS servers in your private network, you have to set appropriate firewall rules permitting access to these servers or to the DNS service port regardless the destination address.

If the Mikrotik itself acts as a DNS server for the L2TP clients, you need permissive rules at a proper position in /ip firewall filter chain=input:
If the L2TP clients use something else than Mikrotik itself as DNS servers, you need a permissive rule at a proper position in /ip firewall filter chain=forward:

Ahh, I see now where my failure is from your post. I totally missed it from my view. I do have DNS blocking rules in my firewall on the input chain. That seems like it would make sense.

However, I have 3 ppp profiles for my vpn clients. One for admins allowing all access, which is on the same subnet as the admin vlan.. And this profile works perfectly for DNS and everything, etc.. Then the other 2 ppp profiles are for users in vlan A and users in vlan B, neither of these profiles are resolving any DNS, they both ping fine to the IPs exclusive in each vlan. The only difference between these 2 ppp profiles and the admin profile ( which works flawlessly ) is they are NOT on the same net equal to each vlan for which they belong..

For ex; vlan A is on 192.168.1.0/24 and the ppp profile for vlan A is on 192.168.2.0/24

Thoughts?

1. check your firewall rules one more time
2. if 1. fails to reveal the root cause, follow the suggestion in my automatic signature (exporting just the firewall rules is not enough)

Just following this really helpful thread as I have a similar configuration project for multiple L2tp users, however -
does not work on mine (version 6.44.5). It appears you can only assign an ip pool in the remote-address in a ppp profile.
Gives an error
Works OK.

Just following this really helpful thread as I have a similar configuration project for multiple L2tp users, however -

Code: Select all

/ppp secret
set [find name=a1] remote-address=pg_A
set [find name=a2] remote-address=pg_A
set [find name=b1] remote-address=pg_B

does not work on mine (version 6.44.5). It appears you can only assign an ip pool in the remote-address in a ppp profile.

Code: Select all

 /ppp secret set [find name=net1-remote] remote-address=net1-vpn-pool
invalid value for argument remote-address

Gives an error

Code: Select all

/ppp profile add name=testme remote-address=net1-vpn-pool

Works OK.

Have not tested, but you are doing one in "profile" and the other command in "secret", so there is big difference between command that works and one that doesn't
Try with:
/ppp profile set [find where name="net1-remote"] remote-address=net1-vpn-pool

I'm trying to solve the same problem as in OP, and I have this question:
This will make sure that this user will always get this IP address. If it logins from two different boxes he will get the same IP on both, which obviously is a problem. How can this be solved?
The goal here is that the user is able to use the connection even if he forgot to disconnect at a previous location, not to allow simultaneous connections (but that would work for me too).


In addition I noticed that the following from the answer above does not work:
The last line does not accept a range and require a single ip address. The above gives a error: "invalid value for argument remote-address"

Hello, I have the opposite issue, how can I have a VPN user access all VLAN?

thanks

I have 3 vlans.
v1
v2
v3

I want certain PPP / secret (accounts) to only have access to certain vlans.
At the moment, any VPN user has access to all vlans.

For example:

VPN user1 can ONLY access v1
VPN user2 can ONLY access v2
VPN user3 can access both v1 and v2

Is this possible?

Hello, I have the opposite issue, how can I have a VPN user access all VLAN?

It all depends on the firewall and routing setup. Post the export of your configuration to get a more useful advice.