/ip route remove [find comment="VPN route for $user"] Add the remote IP to an address list for firewall rules (e.g., allow only authenticated users).
/ip firewall address-list add address=$remote-address list="ppp-active" timeout=1d comment=$user
| Variable | Description | |----------|-------------| | $user | PPP username | | $caller-id | Remote endpoint address (for PPTP/L2TP, often client’s public IP) | | $interface | Interface name (e.g., <pppoe-out1> , <l2tp-in2> ) | | $local-address | Local IP assigned to the tunnel | | $remote-address | Remote IP assigned to the client | | $pool-name | IP pool used (if any) | Example 1: Auto Bandwidth Limiting for PPPoE Users Apply different bandwidth limits based on username pattern. mikrotik ppp profile script
/queue simple remove [find name="queue-$user"] Add a route to client’s LAN behind a PPP client (useful for site-to-site VPN).
:log info "PPP DOWN: $user disconnected from $interface" You can call external systems (e.g., RADIUS, webhook, billing server) using /tool fetch . /ip route remove [find comment="VPN route for $user"]
/ip route add dst-address=192.168.100.0/24 gateway=$remote-address comment="VPN route for $user"
/ip firewall address-list remove [find list="ppp-active" address=$remote-address] Log user connections with timestamps. :log info "PPP DOWN: $user disconnected from $interface"
Here’s a practical piece covering MikroTik PPP profile scripting, including common use cases, script examples, and explanation. MikroTik RouterOS allows you to attach scripts to PPP profiles (for PPTP, L2TP, PPPoE, SSTP, etc.). These scripts run when a PPP session starts ( on-up ) or terminates ( on-down ), enabling dynamic control over user sessions, bandwidth management, routing, and logging. 1. Script Basics in PPP Profile Navigate to: PPP → Profiles → <your profile> → Scripts
:log info "PPP UP: $user logged in from $caller-id on $interface, remote IP $remote-address"
:if ([:find $user "vip"] = 0) do= /queue simple add name="queue-$user" target=$interface max-limit=100M/100M else= /queue simple add name="queue-$user" target=$interface max-limit=20M/5M