I've created a little facility for my home dial-in VPN system that addresses the issue you stated.
1) When a client successfully connects to the VPN server (meaning it's a valid user), a script is triggered that adds the source address to the whitelist.
PPP / Profiles / <name of the L2TP profile you are using> / Scripts ("On Up" field):
/system script run vpn-on_connect
This is the source of the vpn-on_connect script (variables are global so you can easily debug them in System / Scripts / Environment):
# give the PPP interface a moment to come up before reading its client-address
:delay delay-time=3
:global l2tpCount [/interface l2tp-server print count-only]
:if ($l2tpCount != 0) do={
  :foreach i in=[/interface l2tp-server find] do={
    :global clientNameL2TP [/interface l2tp-server get $i name]
    :global clientAddrL2TP [/interface l2tp-server get $i client-address]
    # only add addresses not already on the list; a duplicate add fails and aborts the script
    :if ([:len [/ip firewall address-list find list=vpn_whitelist address=$clientAddrL2TP]] = 0) do={
      /ip firewall address-list add list=vpn_whitelist address=$clientAddrL2TP comment=$clientNameL2TP
    }
  }
}
2) Firewall rules handle the rest of the logistics.
- Create a "WAN" interface list
- Make sure you have your known IP addresses in the "allowed_access" list. Apart from manually adding entries, the above script will automatically add known IPs to the vpn_whitelist list
- Adjust the timers to your liking and paste this to your router (with my rules clients have a chance to try to connect 3x in 10 minutes):
/ip firewall filter
add action=accept chain=forward comment="optimize: forward" connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=input comment="optimize: input" connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=jump chain=input comment="access control: wan" in-interface-list=WAN jump-target=input-access
add action=drop chain=input-access src-address-list=vpn_blacklist
add action=accept chain=input-access src-address-list=allowed_access
add action=accept chain=input-access protocol=icmp
add action=jump chain=input-access dst-port=500,1701,4500 jump-target=input-vpn protocol=udp
add action=jump chain=input-access dst-port=1723 jump-target=input-vpn protocol=tcp
add action=accept chain=input-vpn src-address-list=vpn_whitelist
add action=add-src-to-address-list address-list=vpn_blacklist address-list-timeout=none-dynamic chain=input-vpn log=yes log-prefix=added_to_blacklist src-address-list=vpn_stage3
add action=add-src-to-address-list address-list=vpn_stage3 address-list-timeout=10m chain=input-vpn src-address-list=vpn_stage2
add action=add-src-to-address-list address-list=vpn_stage2 address-list-timeout=10m chain=input-vpn src-address-list=vpn_stage1
add action=add-src-to-address-list address-list=vpn_stage1 address-list-timeout=none-dynamic chain=input-vpn
add action=accept chain=input-vpn
add action=drop chain=input-access
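As an added example (not part of the original post, and not RouterOS code), here is a small Python model of the input-access / input-vpn chains above: it replays new connections from one source and reports how many get through before the vpn_blacklist drop applies. It assumes that add-src-to-address-list passes the packet on to the next rule and that re-adding an address refreshes its timeout; times are in seconds and none-dynamic is modelled as no expiry.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed model of the posted firewall rules, not RouterOS code.
# Assumptions: add-src-to-address-list is pass-through (the packet continues to
# the next rule) and re-adding an address refreshes its timeout.
NONE_DYNAMIC: Optional[int] = None   # address-list-timeout=none-dynamic: no expiry until reboot
TEN_MIN = 10 * 60                    # address-list-timeout=10m


@dataclass
class AddressLists:
    """/ip firewall address-list: (list, address) -> expiry time in seconds, or None."""
    entries: Dict[Tuple[str, str], Optional[int]] = field(default_factory=dict)

    def has(self, lst: str, addr: str, now: int) -> bool:
        key = (lst, addr)
        if key not in self.entries:
            return False
        exp = self.entries[key]
        if exp is not None and exp <= now:
            del self.entries[key]        # dynamic entry has timed out
            return False
        return True

    def add(self, lst: str, addr: str, now: int, timeout: Optional[int]) -> None:
        self.entries[(lst, addr)] = None if timeout is None else now + timeout


def input_access(lists: AddressLists, src: str, now: int) -> str:
    """Verdict for one NEW connection from src to a VPN port (udp 500/1701/4500, tcp 1723)."""
    if lists.has("vpn_blacklist", src, now):
        return "drop"
    if lists.has("allowed_access", src, now):
        return "accept"
    # jump-target=input-vpn
    if lists.has("vpn_whitelist", src, now):
        return "accept"
    # Escalation ladder: rules are evaluated in order and each one passes the packet on,
    # so the packet that lands in vpn_blacklist is still accepted; the NEXT one is dropped.
    if lists.has("vpn_stage3", src, now):
        lists.add("vpn_blacklist", src, now, NONE_DYNAMIC)
    if lists.has("vpn_stage2", src, now):
        lists.add("vpn_stage3", src, now, TEN_MIN)
    if lists.has("vpn_stage1", src, now):
        lists.add("vpn_stage2", src, now, TEN_MIN)
    lists.add("vpn_stage1", src, now, NONE_DYNAMIC)
    return "accept"


def attempts_before_drop(gap: int, limit: int = 10) -> int:
    """Constructed probe: an unknown source opens a new connection every `gap` seconds.
    Returns how many are accepted before the first drop (or `limit` if never dropped)."""
    lists = AddressLists()
    for n in range(limit):
        if input_access(lists, "198.51.100.7", n * gap) == "drop":
            return n
    return limit
```

Because vpn_stage1 uses none-dynamic, a source that spaces its attempts more than 10 minutes apart keeps bouncing between stage1 and stage2 and is never blacklisted until reboot clears the lists.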