Help: how to get the IP address of failed VPN authentication attempts
If a VPN dial-in authentication fails, I want to put that IP on a blacklist for one minute.
How do I get the dial-in IP address?
With accounting this is easy to implement, and you get statistics as well.
This post was last edited by cspm333 on 2020-12-14 21:23
Catch the connecting IPs into temp:
/ip firewall mangle
add action=jump chain=input connection-state=new dst-port=1723,443,1194 in-interface-list=WAN jump-target=vpn-point protocol=tcp
add action=jump chain=input connection-state=new dst-port=1701,500,4500 in-interface-list=WAN jump-target=vpn-point protocol=udp
add action=return chain=vpn-point src-address-list=VPN
add action=add-src-to-address-list address-list=temp address-list-timeout=2m chain=vpn-point src-address-list=!temp
Profile script: once a client has connected, remove it from temp and put it into VPN:
:do {/ip firewall address-list add list=VPN comment=mobile address=$"caller-id" timeout=1d} on-error={}
# assumed reconstruction: the bracketed find expression was lost from the original post
:do {/ip firewall address-list remove [find list=temp address=$"caller-id"]} on-error={}
Bind the account to profile: VPN
A remote host that does not complete its connection within 1 minute of first contact is stopped for 1 minute before it may continue.
/ip firewall raw
add action=drop chain=prerouting src-address-list=Scanners
Verification script:
:global vpn
# assumed reconstruction: the bracketed expressions below were lost from the original post
:local connected [/ip firewall address-list find list=temp]
:local scanners 0
:foreach i in=$connected do={
  # a temp entry with less than 1 minute of its 2-minute timeout left has been waiting over a minute
  :if ([/ip firewall address-list get $i timeout]<0:1:0) do={
    :do {/ip firewall address-list add list=Scanners address=[/ip firewall address-list get $i address] timeout=1m} on-error={}
    /ip firewall address-list remove $i ; :set scanners ($scanners+1)
  }
}
:if ([:len $connected]>$scanners) do={:set vpn ($vpn-1)}
Scheduler, checked once per minute:
:global vpn
:if ([:typeof $vpn]!="num") do={:set vpn 0}
# the expression that computes $check was truncated in the original post
:local check byte]
:if ($vpn!=$check) do={:set vpn $check ; /system script run vpn-server}
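The interplay of the three lists above (temp lives 2 minutes, the check runs every minute, a Scanners entry lasts 1 minute, VPN entries last a day) is easy to get wrong. The following Python model is an added example, not part of cspm333's post and not RouterOS code: it replays that address-list logic on a constructed timeline so the transitions can be checked offline. The class and function names, the sample addresses and the event times are all constructed; the timeouts are taken from the rules in the post.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Timeouts taken from the post's address-list rules, in seconds.
TEMP_TIMEOUT = 120    # address-list-timeout=2m on the mangle rule
BLOCK_TIMEOUT = 60    # timeout=1m on the Scanners entry
GRACE = 60            # a contact must finish authentication within 1 minute
VPN_TIMEOUT = 86400   # timeout=1d on the VPN entry


@dataclass
class AddressLists:
    """ip -> expiry timestamp, one dict per RouterOS address list (constructed model)."""
    temp: dict[str, float] = field(default_factory=dict)
    scanners: dict[str, float] = field(default_factory=dict)
    vpn: dict[str, float] = field(default_factory=dict)

    def _expire(self, now: float) -> None:
        # RouterOS drops a dynamic entry when its timeout reaches zero.
        for lst in (self.temp, self.scanners, self.vpn):
            for ip in [ip for ip, exp in lst.items() if exp <= now]:
                del lst[ip]

    def contact(self, ip: str, now: float) -> str:
        """A new TCP/UDP flow to a VPN port from ip (the mangle jump to vpn-point)."""
        self._expire(now)
        if ip in self.scanners:
            return "dropped"          # raw prerouting drop, never reaches mangle
        if ip in self.vpn:
            return "allowed"          # 'return' for known clients
        if ip not in self.temp:
            self.temp[ip] = now + TEMP_TIMEOUT   # add-src-to-address-list, src-address-list=!temp
        return "tracked"

    def authenticated(self, ip: str, now: float) -> None:
        """Profile script: the caller-id goes into VPN and leaves temp."""
        self._expire(now)
        self.vpn[ip] = now + VPN_TIMEOUT
        self.temp.pop(ip, None)

    def check(self, now: float) -> list[str]:
        """The per-minute verification script: temp entries whose remaining timeout
        is below 1 minute (contact older than GRACE) are moved to Scanners."""
        self._expire(now)
        moved = []
        for ip, exp in list(self.temp.items()):
            if exp - now < TEMP_TIMEOUT - GRACE:   # mirrors `timeout < 0:1:0`
                self.scanners[ip] = now + BLOCK_TIMEOUT
                del self.temp[ip]
                moved.append(ip)
        return moved


def simulate() -> list:
    """Replay a constructed timeline with one host that never authenticates and one
    real client. Returns the outcome of each event, in order."""
    lists = AddressLists()
    out = []
    out.append(lists.contact("198.51.100.7", 0))    # never authenticates: first contact
    out.append(lists.contact("203.0.113.9", 0))     # real client: first contact
    lists.authenticated("203.0.113.9", 20)          # client finishes PPP authentication
    out.append(lists.check(60))                     # exactly 1 minute: nothing moved yet
    out.append(lists.check(61))                     # past the grace period: moved to Scanners
    out.append(lists.contact("198.51.100.7", 90))   # retry inside the 1-minute block
    out.append(lists.contact("203.0.113.9", 90))    # client reconnect is let through
    out.append(lists.contact("198.51.100.7", 125))  # block expired: tracked afresh
    return out


if __name__ == "__main__":
    for step in simulate():
        print(step)
```

The model makes one property of the scheme visible: a host that fails to authenticate is only blocked for one minute and then lands back in temp, so the scheme rate-limits rather than bans, which is what the original question asked for.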
This job should be done by RADIUS; the access router should not have to carry this load.