Cannot get address list created automatically

Hello there,
my RouterOS is v7.1.1
I am trying to create a dynamic ip list with action add-dst-to-address-list, but cannot get the address list created, and cannot even see any log about it. Below is the command line I used. It works in my old router (RouterOS v6.48.4).

/ip firewall filter add chain=forward action=add-dst-to-address-list protocol=tcp address-list=discord_ips address-list-timeout=30d dst-port=443 log=yes log-prefix="%%IPLIST-I-" tls-host=discord.com comment="Dynamically create ip list: discord_ips - discordapp.net" place-before=1

Please advise.
Thanks,

Ou

I did some quick tests…
It seems the "place-before" argument isn't ALWAYS working in 7.1.1

probably just a bug…

place-before works for me.

The rule created by the command is supposed to automatically create an address list "discord_ips" when a user accesses discord.com, but it didn't.

I downgraded RouterOS to v6.46.8, and it still doesn't create the address list. Not sure if it is hardware or firmware related.

My router is hAP ac3 Wireless Dual-Band Router.
Router Model: RBD53iG-5HacD2HnD

jan/02/2022 14:53:16 by RouterOS 7.1.1

model = RBD25G-5HPacQD2HPnD

ip firewall filter add chain=forward action=add-dst-to-address-list protocol=tcp address-list=discord_ips address-list-timeout=30d dst-port=443 log=yes log-prefix="%%IPLIST-I-" tls-host=*discord.com* comment="Dynamically create ip list: discord_ips - discordapp.net"

It works without a problem.

It works on my old router: model number: RBD52G-5HacD2HnD, but not new one.

The issue needs to be narrowed down to a particular item (a single match condition or the add-dst-to-address-list operation itself).

So place an action=passthrough rule with same match conditions before the action=add-dst-to-address-list one, and see whether it counts. If it doesn’t, remove one of the match conditions and check again; if nothing changes, put that match condition back and remove another one.

Thanks, Sindy.
Added a passthrough rule before the forward rule with the same conditions; there was still no traffic passing the rule. Then I removed the "TLS Host" condition, and the traffic went through the rule.
So the "TLS Host" condition doesn't work like before. It is either a bug, or some other combination is required.

Or the discord client uses some other port than 443, or it uses TLS1.3 so the tls-host is not present in the packet… packet sniffing to your help here. It may or may not be related to 7.1.
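The tls-host matcher works by reading the server_name (SNI) extension out of the TLS ClientHello, which is the first TLS record the client sends. The example below, added here and not part of this thread or of RouterOS, builds a constructed ClientHello, extracts the SNI the way a firewall matcher has to, and then emulates the matcher's GLOB-style comparison with Python's fnmatch (an approximation of RouterOS behaviour, not its code). It also shows two cases a practitioner should check with a packet capture before blaming the rule: a ClientHello truncated across TCP segments yields no hostname at all, and an exact pattern such as discord.com does not match www.discord.com while *discord.com* does. SNI is still sent in plaintext with TLS 1.3 unless Encrypted ClientHello is in use, so capturing the first packet of the flow tells you which of these applies.

```python
import fnmatch
import struct


def build_client_hello(sni):
    """Build a minimal TLS ClientHello carrying a server_name extension.

    Constructed test data for this example, not a real capture. A
    supported_versions extension is placed first so the parser has to walk
    past an unrelated extension before it reaches the SNI.
    """
    host = sni.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext_sni = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    ext_versions = struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"  # TLS 1.3 only
    extensions = ext_versions + ext_sni
    body = (
        b"\x03\x03" + bytes(32)                 # legacy_version + 32-byte random
        + b"\x00"                               # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"    # one cipher suite
        + b"\x01\x00"                           # one compression method (null)
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data):
    """Return the host_name from the SNI extension of a ClientHello, or None.

    None also covers a record that is not a complete handshake record: if the
    ClientHello is split across TCP segments, a per-packet matcher sees only a
    fragment and cannot recover the hostname.
    """
    if len(data) < 5 or data[0] != 0x16:        # not a TLS handshake record
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    rec = data[5:5 + rec_len]
    if len(rec) < rec_len or len(rec) < 4 or rec[0] != 0x01:
        return None                             # fragmented, or not a ClientHello
    hs_len = int.from_bytes(rec[1:4], "big")
    hello = rec[4:4 + hs_len]
    if len(hello) < hs_len:
        return None
    pos = 2 + 32                                # skip version and random
    if pos >= len(hello):
        return None
    pos += 1 + hello[pos]                       # skip session_id
    if pos + 2 > len(hello):
        return None
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # skip cipher_suites
    if pos >= len(hello):
        return None
    pos += 1 + hello[pos]                       # skip compression_methods
    if pos + 2 > len(hello):
        return None                             # no extensions block at all
    ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(hello):
        return None
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        edata = hello[pos:pos + elen]
        pos += elen
        if etype != 0x0000:
            continue
        p = 2                                   # skip server_name_list length
        while p + 3 <= len(edata):
            ntype = edata[p]
            nlen = struct.unpack("!H", edata[p + 1:p + 3])[0]
            p += 3
            if ntype == 0:                      # host_name
                return edata[p:p + nlen].decode("ascii", "replace")
            p += nlen
    return None


def tls_host_matches(pattern, sni):
    """Approximate a GLOB-style tls-host comparison (assumption: fnmatch
    semantics are close enough to illustrate exact vs. wildcard patterns)."""
    return sni is not None and fnmatch.fnmatchcase(sni, pattern)


if __name__ == "__main__":
    hello = build_client_hello("www.discord.com")
    print("SNI:", extract_sni(hello))                     # www.discord.com
    print("fragment:", extract_sni(hello[:40]))          # None
    for pat in ("discord.com", "*discord.com*"):
        print(pat, "->", tls_host_matches(pat, extract_sni(hello)))
```

If a capture shows the SNI present in a single segment and the hostname matches your pattern, the remaining suspects are rule order and the action itself; if the SNI is absent or split, no tls-host rule can see it regardless of RouterOS version.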

The problem is still outstanding even after I downgraded the OS to v6.48.5. Let's say it is not V7.1 related.
By the way, I removed dst port, and there is still no traffic going through the rule.

[admin@MikroTik] > /ip f f print
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough

1 ;;; Dynamically create ip list: discord_ips - discord.com
chain=forward action=passthrough protocol=tcp log=yes log-prefix="%%IPLIST-I-" tls-host=discord.com

2 ;;; Dynamically create ip list: discord_ips - discord.com
chain=forward action=add-dst-to-address-list protocol=tcp address-list=discord_ips address-list-timeout=4w2d
dst-port=443 log=yes log-prefix="%%IPLIST-I-" tls-host=discord.com

How do you test your Rules ?
Did you try opening a Web-Browser and entering www.discord.com?

Yes, that is how I am testing it.

Is it possible to Post your Config ?
(/export hide-sensitive file=anynameyouwish)


I am not able to reproduce your Problem in my LAB.
As soon as I add your Firewall-Rule, the Address-List gets populated,
as soon as I open the Browser and enter discord.com.

Thanks, here is the dump.

# jan/02/2022 11:50:11 by RouterOS 6.48.5
# software id = DKSE-JYW3
#
# model = RBD53iG-5HacD2HnD
# serial number = F3550F029581
/interface bridge
add admin-mac=DC:2C:4E:03:55:2A auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=MikroTik-03512E wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=Os-Man-Thus wireless-protocol=\
    802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip firewall layer7-protocol
add name=discord regexp="^.+(discord.com).*\$"
/ip pool
add name=dhcp ranges=192.168.66.100-192.168.66.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.66.1/24 comment=defconf interface=ether2 network=\
    192.168.66.0
add address=192.168.88.32/8 interface=ether1 network=192.0.0.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.66.0/24 comment=defconf gateway=192.168.66.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=208.67.222.222,208.67.220.220
/ip dns static
add address=192.168.66.1 comment=defconf name=router.lan
/ip firewall filter
add action=passthrough chain=forward comment=\
    "Dynamically create ip list: discord_ips - discord.com" log=yes \
    log-prefix=%%IPLIST-I- protocol=tcp tls-host=*discord.com*
add action=add-dst-to-address-list address-list=discord_ips \
    address-list-timeout=4w2d chain=forward comment=\
    "Dynamically create ip list: discord_ips - discord.com" dst-port=443 log=\
    yes log-prefix=%%IPLIST-I- protocol=tcp tls-host=*discord.com*
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add distance=1 gateway=192.168.88.1
/system clock
set time-zone-name=America/Toronto
/system leds
set 0 interface=wlan1 leds=led1,led2,led3,led4,led5 type=\
    wireless-signal-strength
set 1 leds=poe-led type=poe-out

Your Config is… let's say Unique =)


Problem 1:
You have created a Bridge and assigned your Interfaces to the LAN.
But for some reason you have assigned IP-Address and in turn DHCP-Server to a “Slave” Interface.

This can create Problems

Wrong:

/ip address
add address=192.168.66.1/24 comment=defconf interface=ether2 network=192.168.66.0

Problem 2:
You assigned your Ether1 (WAN) a Static IP 192.168.88.32/8 AND DHCP-Client

This can create Problems as well.

  • The /8 Network-Range is wrong and can cause problems in your config

Do you need help to rectify the Config?

Mikrotik hap ac3 is my 2nd level router behind the ISP router.



That will be great.

Thanks in advance.

If you enter this in a CLI, it should rectify your Setup

/ip address set [find address="192.168.66.1/24"] interface=bridge
/ip address set [find address="192.168.88.32/8"] address="192.168.88.32/24"
/ip dhcp-client disable [find interface=ether1]

Thanks, ConnyMercier

It has been patched.

There is still no traffic going through:
1 ;;; Dynamically create ip list: discord_ips - discord.com
chain=forward action=passthrough protocol=tcp log=yes log-prefix="%%IPLIST-I-" tls-host=discord.com

Can you please Post the latest Config ?
(/export hide-sensitive file=anynameyouwish)