Allowing Windows Update through firewall

Hello, I am using a hAP ac2 running ROS 7.16.1.

I want to block all outgoing and incoming traffic except TeamViewer, Windows update and Windows time.
I have been able to allow TeamViewer through using some domains and ports, but I can't seem to allow the Windows Update and time sync to communicate.

Here are the rules I'm using to allow/drop connections:

 
 1 X  ;;; ALLOW WIN & TW
      chain=forward action=accept protocol=tcp src-address=10.10.10.0/24 
      dst-address-list=whiy dst-port=80,443 log=yes 
      log-prefix="ALLOW WIN & TW" 

 3 X  ;;; ALLOW TW ONLY
      chain=forward action=accept protocol=tcp src-address=10.10.10.0/24 
      dst-port=5938 log=yes log-prefix="ALLOW TW" 

 4 X  ;;; ALLOW back
      chain=forward action=accept protocol=tcp dst-address=10.10.10.0/24 
      src-port=5938 log=yes log-prefix="ACCEPT BACK" 

 5 X  ;;; ALLOW BACK 2
      chain=forward action=accept dst-address=10.10.10.0/24 
      src-address-list=whiy log=yes log-prefix="ALLOW BACK 2" 

6 X  ;;; DISABLE REST
      chain=forward action=drop log=yes log-prefix="DROPPED"

Here are the addresses in the address list. I got them from different forums; they suggest using wildcards, but I wasn't able to add them like that.

0   list=whiy address=windowsupdate.microsoft.com 
     creation-time=2024-12-09 09:12:25 dynamic=no 

 1   list=whiy address=download.windowsupdate.com 
     creation-time=2024-12-09 09:13:02 dynamic=no 

 2   list=whiy address=wustat.windows.com creation-time=2024-12-09 09:13:12 
     dynamic=no 

 3   list=whiy address=ntservicepack.microsoft.com 
     creation-time=2024-12-09 09:13:19 dynamic=no 

 4   list=whiy address=go.microsoft.com creation-time=2024-12-09 09:13:28 
     dynamic=no 

 5   list=whiy address=dl.delivery.mp.microsoft.com 
     creation-time=2024-12-09 09:13:34 dynamic=no 

 6   list=whiy address=support.teamviewer.com creation-time=2024-12-09 09:57:03 
     dynamic=no 

 7   list=whiy address=mail.teamviewer.com creation-time=2024-12-09 09:57:15 
     dynamic=no 

 8   list=whiy address=teamviewer.com creation-time=2024-12-09 09:57:26 dynamic=n>

 9   list=whiy address=login.teamviewer.com creation-time=2024-12-09 10:11:03 
     dynamic=no 

10   list=whiy address=web.teamviewer.com creation-time=2024-12-09 10:11:10 
     dynamic=no 

11   list=whiy address=api.teamviewer.com creation-time=2024-12-09 10:11:17 
     dynamic=no 

12   list=whiy address=update.teamviewer.com creation-time=2024-12-09 10:11:24 
     dynamic=no 

13   list=whiy address=backend.teamviewer.com creation-time=2024-12-09 10:11:30 
     dynamic=no 

14   list=whiy address=router.teamviewer.com creation-time=2024-12-09 10:11:46 
     dynamic=no 

15   list=whiy address=update.microsoft.com creation-time=2024-12-09 13:56:08 
     dynamic=no 

16   list=whiy address=windowsupdate.com creation-time=2024-12-09 13:56:29 
     dynamic=no 

17   list=whiy address=download.microsoft.com creation-time=2024-12-09 13:57:06 
     dynamic=no 

18   list=whiy address=catalog.update.microsoft.com 
     creation-time=2024-12-09 13:57:21 dynamic=no 

19   list=whiy address=smartscreen.microsoft.com creation-time=2024-12-09 13:57:4>
     dynamic=no 

20   list=whiy address=wdcp.microsoft.com creation-time=2024-12-09 13:57:53 
     dynamic=no 

21   list=whiy address=au.download.windowsupdate.com 
     creation-time=2024-12-09 13:58:10 dynamic=no 

22   list=whiy address=time.windows.com creation-time=2024-12-09 14:21:35 
     dynamic=no 

23 D ;;; api.teamviewer.com
     list=whiy address=108.142.187.111 creation-time=2024-12-09 14:52:53 
     dynamic=yes 

24 D ;;; web.teamviewer.com
     list=whiy address=52.233.254.206 creation-time=2024-12-09 14:52:53 
     dynamic=yes 

25 D ;;; teamviewer.com
     list=whiy address=52.223.21.92 creation-time=2024-12-09 14:52:53 
     dynamic=yes 

26 D ;;; router.teamviewer.com
     list=whiy address=34.141.162.59 creation-time=2024-12-09 14:52:53 
     dynamic=yes 

27   list=whiy address=cd.office.net creation-time=2024-12-13 11:30:52 dynamic=no 

28   list=whiy address=office.net creation-time=2024-12-13 11:30:59 dynamic=no 

29   list=whiy address=officecdn.microsoft.com creation-time=2024-12-13 11:31:12 
     dynamic=no 

30   list=whiy address=officecdn.microsoft.com.edgesuite.net 
     creation-time=2024-12-13 11:31:22 dynamic=no 

31   list=whiy address=data.microsoft.com creation-time=2024-12-13 11:31:32 
     dynamic=no 

32   list=whiy address=delivery.mp.microsoft.com creation-time=2024-12-13 11:33:0>
     dynamic=no 

33   list=whiy address=metaservices.microsoft.com 
     creation-time=2024-12-13 11:33:20 dynamic=no 

34 D ;;; support.teamviewer.com
     list=whiy address=3.68.8.183 creation-time=2024-12-14 06:10:28 dynamic=yes 

35 D ;;; support.teamviewer.com
     list=whiy address=3.121.171.214 creation-time=2024-12-14 10:21:39 
     dynamic=yes 

36 D ;;; support.teamviewer.com
     list=whiy address=52.28.174.219 creation-time=2024-12-14 14:44:49 
     dynamic=yes 

37 D ;;; login.teamviewer.com
     list=whiy address=52.169.21.22 creation-time=2024-12-17 13:53:14 
     dynamic=yes 

38 D ;;; time.windows.com
     list=whiy address=104.40.149.189 creation-time=2024-12-18 13:29:13 
     dynamic=yes 

39 D ;;; officecdn.microsoft.com
     list=whiy address=199.232.214.172 creation-time=2024-12-18 13:32:56 
     dynamic=yes 

40 D ;;; officecdn.microsoft.com
     list=whiy address=199.232.210.172 creation-time=2024-12-18 13:32:56 
     dynamic=yes 

41 D ;;; update.microsoft.com
     list=whiy address=20.109.209.108 creation-time=2024-12-18 13:33:11 
     dynamic=yes 

42 D ;;; catalog.update.microsoft.com
     list=whiy address=4.175.87.136 creation-time=2024-12-18 13:35:48 
     dynamic=yes 

43 D ;;; ntservicepack.microsoft.com
     list=whiy address=20.72.235.82 creation-time=2024-12-18 13:37:38 
     dynamic=yes 

44 D ;;; smartscreen.microsoft.com
     list=whiy address=4.209.164.61 creation-time=2024-12-18 13:40:08 
     dynamic=yes 

45 D ;;; officecdn.microsoft.com.edgesuite.net
     list=whiy address=104.83.4.98 creation-time=2024-12-18 13:40:16 dynamic=yes 

46 D ;;; officecdn.microsoft.com.edgesuite.net
     list=whiy address=104.83.4.91 creation-time=2024-12-18 13:40:16 dynamic=yes 

47 D ;;; go.microsoft.com
     list=whiy address=23.203.126.57 creation-time=2024-12-18 13:40:16 
     dynamic=yes 

48 D ;;; download.microsoft.com
     list=whiy address=23.203.125.112 creation-time=2024-12-18 13:40:20 
     dynamic=yes 

49 D ;;; download.windowsupdate.com
     list=whiy address=217.20.58.99 creation-time=2024-12-18 13:40:48 
     dynamic=yes 

50 D ;;; download.windowsupdate.com
     list=whiy address=217.20.58.101 creation-time=2024-12-18 13:40:48 
     dynamic=yes 

51 D ;;; download.windowsupdate.com
     list=whiy address=217.20.58.100 creation-time=2024-12-18 13:40:48 
     dynamic=yes 

52 D ;;; download.windowsupdate.com
     list=whiy address=217.20.58.98 creation-time=2024-12-18 13:40:48 
     dynamic=yes 

53 D ;;; download.windowsupdate.com
     list=whiy address=217.20.57.24 creation-time=2024-12-18 13:40:48 
     dynamic=yes 

54 D ;;; wdcp.microsoft.com
     list=whiy address=20.8.190.137 creation-time=2024-12-18 13:40:50 
     dynamic=yes

Would a better way be to use layer 7? If so, how would I add all of these domains?
Thank you.

What does it matter to you if your time is synchronized and Windows is up to date, if the rest of the world is cut off?

I have a server that only needs be able to have access to updates, time sync and TeamViewer. The server hosts services that don’t need to access the internet. Please stay on the subject, Thanks.

Without my question, these details would not have come out.

Well it’s very simple, configure the server to allow only the windows update and teamviewer services to connect to the public network.

Easy and clear, and in the RIGHT place to do that.

Right?

Yes, I need to do that through the MikroTik firewall, and I have tried with those rules, but I can only let TeamViewer through. When I check the logs it seems the updates and time go through other IPs that the address list wasn't able to resolve. I have attached some of them.

[attachment: Screenshot 2025-02-03 144510.png]

Using Windows Firewall isn't an option. To allow Windows updates to have access to the public network I have to let it. I have tried searching for other domains Windows uses for updates, but to no avail. It still somehow manages to communicate through different IPs and remains blocked; at first it tries to connect, so at least some are allowed, but not all.
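The two posts above (the original rule set, and the later observation that updates and time sync go to IPs the address list never resolved) point at the same two problems, so here is one added example configuration for RouterOS 7.16 that addresses both. It is not the original poster's config and not a MikroTik-supplied one. First, the listed rules only accept TCP 80/443 to the address list, so Windows Time (NTP, UDP 123) never matches an accept rule at all. Second, an FQDN entry in `/ip firewall address-list` is resolved by the router itself, while the Windows client resolves the same CDN name through its own lookups and can get different addresses; the example instead uses `/ip dns static` FWD entries with `address-list=` and `match-subdomain=yes`, so the exact answers the clients receive are what land in the list. That only works if the LAN clients use the router as their DNS server, which is an assumption of this example, as are the placeholder upstream resolvers; the hostnames are the ones already in the thread.

```routeros
# Added example, not the poster's config. Assumes LAN clients on
# 10.10.10.0/24 use this router as their DNS server; <UPSTREAM_DNS_1>
# and <UPSTREAM_DNS_2> are placeholders for real upstream resolvers.

/ip dns
set allow-remote-requests=yes servers=<UPSTREAM_DNS_1>,<UPSTREAM_DNS_2>

# FWD entries: every answer returned to a client for these zones is added
# to address list "whiy" for the record's TTL, so the list tracks the same
# CDN addresses the client is about to connect to. match-subdomain=yes
# covers hosts such as download.windowsupdate.com and au.download.* without
# enumerating them.
/ip dns static
add name=windowsupdate.com match-subdomain=yes type=FWD forward-to=<UPSTREAM_DNS_1> address-list=whiy comment="Windows Update CDN"
add name=update.microsoft.com match-subdomain=yes type=FWD forward-to=<UPSTREAM_DNS_1> address-list=whiy comment="Windows Update"
add name=delivery.mp.microsoft.com match-subdomain=yes type=FWD forward-to=<UPSTREAM_DNS_1> address-list=whiy comment="Delivery Optimization"
add name=download.microsoft.com match-subdomain=yes type=FWD forward-to=<UPSTREAM_DNS_1> address-list=whiy comment="Microsoft downloads"
add name=go.microsoft.com type=FWD forward-to=<UPSTREAM_DNS_1> address-list=whiy comment="Redirector"
add name=teamviewer.com match-subdomain=yes type=FWD forward-to=<UPSTREAM_DNS_1> address-list=whiy comment="TeamViewer"
add name=time.windows.com type=FWD forward-to=<UPSTREAM_DNS_1> address-list=whiy comment="Windows Time (NTP)"

# Forward chain, evaluated top to bottom. Replies to already-accepted
# connections are matched by connection tracking, which replaces the
# "ALLOW back" rules and never opens an inbound hole on its own.
/ip firewall filter
add chain=forward action=accept connection-state=established,related comment="replies to accepted flows"
add chain=forward action=drop connection-state=invalid comment="drop untracked packets"

# New outbound connections from the server subnet only:
add chain=forward action=accept connection-state=new src-address=10.10.10.0/24 protocol=tcp dst-port=80,443 dst-address-list=whiy comment="HTTP/HTTPS to allowed hosts"
add chain=forward action=accept connection-state=new src-address=10.10.10.0/24 protocol=udp dst-port=123 dst-address-list=whiy comment="NTP to time.windows.com"
add chain=forward action=accept connection-state=new src-address=10.10.10.0/24 protocol=tcp dst-port=5938 comment="TeamViewer native port"

# Everything else is logged first, so the DROPPED log line shows which
# destination IP and port still needs a DNS entry above, then dropped.
add chain=forward action=drop log=yes log-prefix="DROPPED" comment="default deny"
```

After applying it, `/ip firewall address-list print where dynamic=yes` shows the entries the FWD rules created, each with the client-visible address and TTL, and `/log print where message~"DROPPED"` lists any destination still outside the list. Because the drop rule is the last rule in the chain, anything a client resolves through a DNS server other than the router (DNS over HTTPS included) will not be in the list and will be dropped, which is the intended fail-closed behaviour for a server that should only reach these services.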

MikroTik is a router that also has a firewall, but there are products specifically created to do what you ask; for example the FortiGate Next-Generation Firewall (NGFW). To block/allow Windows updates you do not have to manually enter every single IP address or Microsoft URL; it takes care of it.