RouterOS 7 can't edit dynamic object

Why in ROS 7 is it not possible to edit or delete (disable) dynamic objects, such as hotspot NAT rules in the firewall?
I’m having problems with smart TVs on my network if the DNS forwarding rule is left as it is.
Changing it or turning it off helped me, but in the 7th version it is not possible to do this.

Yes, it’s annoying. For example, UPnP dynamic NAT rules can be left behind after a power loss on the device, or when software did not shut down gracefully, etc. I have a scheduled cleanup script that checks whether a device is up by performing an ARP ping to the host IP in the dynamic NAT rule. When removing dynamic rules was allowed, the script simply removed the rule(s) for the host(s) that are down, but now I must check whether all hosts that created these rules are down and disable/enable UPnP to clear them, which can lead to some rules staying there for a long time because some other host is up.
Not sure what the reason is why MT disallowed removing dynamic rules in ROS, but it would be great to bring that back for easier cleanup by automation or manual removal.

Due to the lack of ability to edit dynamic rules, I cannot upgrade to version 7 :frowning:

Don’t know how to tag @MikrotikSupport here.
But I want to join the claims too. If we can’t edit/remove the dynamic entities (objects), then at least let us be able to disable them, so we can create our own that suit our configs.

Context matters here. uPnP rules not being cleaned up is a different problem from hotspot-generated firewall rules, and different still from connected routes, BTH, VPNs, etc.

For example, OP’s hotspot rules are not changeable since the rules change based on the settings under /ip/hotspot, which is how you edit what goes into the hotspot’s dynamic firewall rules. And if the /ip/hotspot config doesn’t allow what you need, you can add your own “static” rule before the hotspot chain gets invoked to exempt some host.

But generally speaking, “edit dynamic object” is the same as disabling the feature that’s creating the dynamic behavior and adding your static config instead. Practically speaking, since RouterOS is creating the dynamic config internally, you run into needing to resolve what the user “edited” vs. what some ROS feature’s config wants to “dynamically” configure: does RouterOS override your change or leave it as is after a reboot?

I just struggle with the use case, since if you want static config then do not use a feature that creates dynamic config. Not always possible, but allowing editing of dynamic config isn’t the answer. For hotspot, the TV can be whitelisted, etc. Or uPnP: its whole function is to add dynamic dst-nats, since you may not want to add them statically (now they should get cleaned up, but that seems like a bug…). Or even BTH: you can use normal WG instead if you don’t want dynamic config items.

i.e., what specific ones are you talking about?

OK, @Amm0, let me be more specific. In my particular case I’m talking about hotspot. And yes, I don’t want (don’t need) some of the dynamically created firewall/NAT rules the way they were created. It doesn’t matter if I don’t need them at all or if I just need to make some changes to them; I can’t do that either way.
Here’s an example of what I’m talking about:

How should I change the hotspot config to change/disable, for example, DNS redirect?
Also, I need to be able to modify or “remove and create” the queue rules created by hotspot (basically, I need to simply rename them).

You may ask: “Why would one even need that?” The answer is simple: RouterOS still doesn’t support RADIUS CoA/PoD for IPoE users (or maybe I’m wrong? Then I’ll be very grateful for pointing me the right way to the documentation where it is described), thus I need to use some workarounds, like hotspot, to have at least some ability to control the users from another “system” (a billing system, actually).

Those rules are there to make the hotspot work.

Why you need hotspot?

If you don’t need the hotspot, disable it.
If you don’t need the hotspot just for the TV, set it as bypassed in hotspot IP bindings.

Are you trying to peel potatoes with a pencil?
You’re using the wrong tool…

@rextended - please, check out the updates to my previous comment

Are you trying to peel potatoes with a pencil?
You’re using the wrong tool…

yep, it kinda looks like that, but for now I don’t have other options (or maybe something has changed and I don’t know about it? despite the fact that I’m trying to follow the changelogs pretty carefully)

the same you…

Given what you added (in post #6), I’d better remove myself from this discussion…

@rextended - kheem - so, am I wrong about CoA/PoD for IPoE users?

Dynamic rules are called dynamic for a reason; if you want a specific rule, then make a static rule with your specific parameters.

Dynamic rules not being removed should be reported to support and fixed.

Do you mean not being removed after switching off the feature which created them (like after switching off hotspot)?

It is useless to continue on this plan, for 3 reasons:

The first is that in your case you use the wrong tools and try to modify something that is used for something else, to do something that you do in the wrong way;

The second is that dynamic rules are dynamic; assigning them other values or disabling/enabling them while they exist is absurd,
precisely because they are dynamic.
To have them created as you want, you must act on the tool that creates them.
But you still have to use the right tools to do the things they were created to do;

You can’t use a tool to do something different from what it was created for, and then complain that it doesn’t work.

Yes, if you switch on something that creates the dynamic rules, then those rules must be removed after the feature gets disabled.

Just to answer the question:

You should be able to have a static filter rule in chain=forward BEFORE the dynamic DNS redirect rule that does action=accept on the DNS traffic. Hotspot enters its dynamic rules via action=jump, so you’re free to add static config BEFORE the initial jump.

I do understand the frustration: you can see the config you want to change (e.g. mine would be that /ip/dhcp-client should be able to add check-gateway= to its dynamic default route, but can’t)…
Perhaps there is a valid feature request here to be able to disable DNS redirection in /ip/hotspot? Similar goes for queue names and queue settings, although again you can add a queue that applies to the hotspot subnet statically before the dynamic ones there too. But the “right” way to control dynamic rules is via the feature config that causes them.

Thus the feature request here is NOT “edit dynamic object”, but rather adding a new setting to some feature.

Since this thread’s topic is about dynamic rules in general, I will just mention UPnP dynamic rules; the above conversation is mainly about hotspot rules and this is not related.

For UPnP dynamic rules, cleanup is not convenient, as mentioned in #2. Is it possible to make an exception only for UPnP dynamic rules to allow removal (not editing) manually? Removing such rules doesn’t affect UPnP service functionality in general; just that port is no longer open, and when it is done manually this means it was done on purpose for some reason, like cleanup.
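The cleanup described in #2 and in the post above, as an added example script that is not from this thread: it gathers the hosts behind the dynamic UPnP dst-nat rules, ARP-pings each one, and cycles UPnP only when every one of them is down (the only option left in ROS 7, since the rules themselves cannot be removed). Assumed: the LAN bridge is named "bridge", and the UPnP mappings are the dynamic action=dst-nat rules in chain=dstnat.

```routeros
# Added example (not from the thread). Scheduled UPnP cleanup for ROS 7.
# Assumptions: LAN interface is "bridge"; UPnP mappings are the dynamic
# action=dst-nat rules in chain=dstnat (hotspot uses action=redirect, so it is excluded).
:local lanIf "bridge"
:local hosts [:toarray ""]

# Collect the distinct internal hosts that currently hold a dynamic UPnP mapping.
:foreach r in=[/ip firewall nat find where dynamic=yes chain=dstnat action=dst-nat] do={
    :local h [/ip firewall nat get $r to-addresses]
    :if ([:len $h] > 0) do={ :set ($hosts->$h) 1 }
}

:if ([:len $hosts] = 0) do={
    :log info "upnp-cleanup: no dynamic UPnP rules present"
} else={
    # ARP ping rather than ICMP, so a host with a local firewall still answers if it is on the wire.
    :local upCount 0
    :foreach ip,unused in=$hosts do={
        :if ([/ping $ip count=2 interval=500ms arp-ping=yes interface=$lanIf] > 0) do={
            :set upCount ($upCount + 1)
        } else={
            :log info "upnp-cleanup: $ip holds UPnP rules but does not answer ARP"
        }
    }
    :if ($upCount = 0) do={
        # Every mapping owner is gone: cycling UPnP flushes all of its dynamic rules at once.
        :log warning "upnp-cleanup: all $[:len $hosts] UPnP hosts down, restarting UPnP"
        /ip upnp set enabled=no
        :delay 2s
        /ip upnp set enabled=yes
    } else={
        # Individual rules cannot be removed in ROS 7, so stale entries stay until all owners are down.
        :log info "upnp-cleanup: $upCount of $[:len $hosts] hosts up, leaving rules in place"
    }
}
```

Save it under /system script and run it from /system scheduler (for example every hour); the toggle drops every active mapping, and live clients simply re-request theirs.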

I understand that. But I DON’T NEED that redirect at all. I want to remove it totally, either by disabling or removing the rule. And I can’t.
And I need to be able to edit queue records. And I can’t.
And then I’ve been told that I’m using the wrong tool, like I didn’t understand that from the very beginning, but what options do I have if I want to use a ROS 7 device as a NAS (Network Access Server)/BRAS in my network? I’m totally aware that I’m hammering nails with a toaster, but for now, in my circumstances, it’s the best solution I’ve ended up with regarding ROS devices at all.
And it’s totally broken now.

Yeah, /ip/hotspot is one, but there is also Dot1X, generally combined with a RADIUS server (either their User Manager or a 3rd-party one). But toaster with nails, true; it’s not something like PacketFence et al.

FWIW, the DNS redirect is how web pages get redirected to cause the auth page to display, so “disabling” the dynamic rule may cause the hotspot to not work… Now, on modern devices that support capport DHCP settings, the DNS redirect may not be necessary IF you knew all devices supported it.

But I might have said “filter” rule, while I think it’s the dynamic NAT rules you’d want to avoid. So something like this may be what’s needed… but you’d need to test it yourself and/or adapt the approach to what you’re trying to avoid:

/ip firewall nat
add action=accept chain=hotspot dst-port=53 protocol=udp place-before=0
add action=accept chain=hotspot dst-port=53 protocol=tcp place-before=0

Critical is the placement: they need to be before the dynamic action=redirect NAT rules (place-before=0 does that at the CLI, but in winbox/webfig you need to drag-and-drop the rules to the top).

Thanks for the advice, @Amm0.
I thought about that already. I will try to figure out something with placing the unneeded (and harmful for my config) hotspot rules below my own manually created ones. Except that I have a couple of hundred NAT rules and dozens of filter rules, and it’s not very convenient to move all that stuff up and down, even using winbox…
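An added script (not from the thread) for the placement problem raised in the two posts above: it inserts the accept rules from Amm0's example ahead of the first dynamic rule in the hotspot chain by rule ID, so nothing has to be dragged in winbox, and then checks that no static rule in that chain sits below a dynamic one. Assumed: the chain is named hotspot and accepts static rules, as the thread proposes.

```routeros
# Added example (not from the thread). Place static DNS accept rules ahead of the
# hotspot chain's dynamic redirect by rule ID, then verify the ordering.
# Assumption: chain is "hotspot" and accepts static rules, as proposed in the thread.
:local chain "hotspot"

:local dyn [/ip firewall nat find where chain=$chain dynamic=yes]
:if ([:len $dyn] = 0) do={ :error "no dynamic rules in chain $chain (hotspot disabled?)" }
:local firstDyn [:pick $dyn 0]

# Idempotent: add each accept only if an equivalent static rule is not already there.
:foreach proto in={"udp";"tcp"} do={
    :local existing [/ip firewall nat find where chain=$chain dynamic=no action=accept protocol=$proto dst-port=53]
    :if ([:len $existing] = 0) do={
        /ip firewall nat add chain=$chain action=accept protocol=$proto dst-port=53 place-before=$firstDyn comment="static: bypass hotspot DNS redirect ($proto)"
        :log info "hotspot-dns: added $proto/53 accept before the first dynamic rule"
    }
}

# Verify: walking the chain in order, no static rule may appear after a dynamic one.
:local seenDynamic false
:local misplaced 0
:foreach r in=[/ip firewall nat find where chain=$chain] do={
    :if ([/ip firewall nat get $r dynamic] = true) do={
        :set seenDynamic true
    } else={
        :if ($seenDynamic = true) do={ :set misplaced ($misplaced + 1) }
    }
}
:if ($misplaced > 0) do={
    :log warning "hotspot-dns: $misplaced static rule(s) sit below dynamic rules; move them up"
} else={
    :log info "hotspot-dns: all static rules precede the dynamic hotspot rules"
}
```

Re-run it after changing /ip/hotspot, since the dynamic rules are regenerated then and the check confirms the static ones are still on top.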