Add to Address List

danihill · June 8, 2020, 2:05pm

Good afternoon all,

I have a small project and am looking for a way to add a clients IP address to the IP-Firewall-Address List.

The best way for me would be that the clients goes to our client area on our website and clicks on a link and there current IP address is added to the address list.

Has anybody got any ideas of how we could do this?

Thanks all.

DH

danihill · June 8, 2020, 2:28pm

Seen some people who have put a file on a router and when a client accesses this file it adds their IP address to the address list.

merlinthemagic7 · June 8, 2020, 3:06pm

You need an intermediate service to make it safe. e.g. click fires off ajax to a server that performs the addition to the ACL.

If you dont mind exposing the address of your router:

/ip firewall mangle
add action=add-src-to-address-list address-list=knockKnock address-list-timeout=1d chain=prerouting dst-port=8900 protocol=tcp

Then have the following link in the HTML (assuming your router is on 10.10.10.10)

<a href="http://10.10.10.10:8900/">Click me to let me in </a>

danihill · June 8, 2020, 3:31pm

Great thank you it works perfect.

Regards

DH

pe1chl · June 8, 2020, 4:41pm

Of course it still is extremely unsafe as those systems that scan all the internet on many different ports will hit your “magic port” and then add themselves to the addresslist, possibly your next step is to grant them more privileges e.g. logon to the router.

Jotne · June 9, 2020, 5:43am

Agree with pe1chl

Scanning all ports will hit the one port that opens all.

I have done the following.
You need to knock three port in correct order withing certain time limit.
If you try one port that is not part of the knock or is not open for a service, you will be added to a black list for 24 hours, so you does not see any ports open.

jvanhambelgium · June 9, 2020, 6:29am

…you can call it quick & dirty but you can also call it plainly insecure…
Is this something to be deployed in the public Internet ?

As a minimum, your website should parse the client-IP headers (eg. X-Forwarder-For, HTTP_Client_IP) and extract this IP address!
Then your webserver/appserver should apply some formatting and talk to the Mikrotik API (eg. through PHP) to add that client-IP to a certain ACL on the Mikrotik.
(eg. http://forum.mikrotik.com/t/help-cant-add-on-ip-firewall-address-list-with-php-api/36546/1)