Hi. I have a Mikrotik RouterBoard RB751.
Connection to ISP - ADSL. IP/GW/DNS - static. I have 15 external IP addresses.
I need to set up changing (circularly) of IP addresses on WAN (from my list ..*.66-80), 1 IP for 30 minutes, after that the next, etc.
How can I realize it?
I’m curious. Why do you want to do this?
It’s the client’s request. He thinks that it is more secure. (Someone set up the router and said that he set up changing the IP address on the WAN port; after that the password of the router was lost.) I reset the router and set it up from scratch.
Can you help me?
This does not make the router more secure and I can see it breaking connections when an IP changes. Best thing to do is disable any unused services and build a strict firewall.
I know it. But is it possible to set up the router this way? Sometimes it is very hard to explain the right way to people.
Any suggestions?
As I understand it, I need to write a script.
Yep, write a script that changes the address every 30 minutes. You could use if statements to say if the IP is x.x.x.x change to y.y.y.y and so on.
I don’t have time to write it right now. But you should be able to figure it out with this.
Thanks. I’ll try to make it by myself, but if you have time, your help would be helpful.
You can also set up a series of NAT rules that use the time firewall matcher. A bit easier than scripting it.
Hmm. Can you write an example?
You can certainly change the outbound NAT on a timed basis, but unless you also remove the IP from the interface the router itself will still be available on all those IPs.
From a security angle this smells like an attempt at “security through obscurity” which is a thoroughly discredited approach. If the customer doesn’t have some other unstated goal in mind then the effort involved in doing this would be far better spent on normal security hardening of the router.
/ip firewall nat
add action=src-nat chain=srcnat disabled=no out-interface=ether1 time=0s-59m59s,sun,mon,tue,wed,thu,fri,sat to-addresses=1.1.1.2
add action=src-nat chain=srcnat disabled=no out-interface=ether1 time=1h-1h59m59s,sun,mon,tue,wed,thu,fri,sat to-addresses=1.1.1.3
This would rotate the IP every time period every day. You could set up corresponding filter rules that would block communication from or to those IP addresses at a given time as well. But as has been mentioned before, the better thing would be to just set up a proper firewall ruleset for him. It will be easier to deal with and more secure. Especially considering that it takes all of 5 minutes a lot of the time before some bot tries logging into your router over SSH when you connect it to the internet.
Thanks. I fixed the error in the address and everything works well.
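The two time-matched NAT rules in the thread cover only the first two hours of the day. As an added example (not code from any poster in this thread), this Python generator extends the same rule pattern to the 30-minute slots and 15-address pool from the original question. The `192.0.2` prefix is a constructed documentation placeholder, since the thread only gives the last octets; `ether1` is taken from the posted rules.

```python
"""Generate time-matched RouterOS src-nat rules: one WAN address per 30-minute slot."""
import ipaddress

DAYS = "sun,mon,tue,wed,thu,fri,sat"
SLOT = 30 * 60  # seconds per address, from the original question


def ros_time(seconds):
    """Format seconds in the time style used in the thread (0s, 59m59s, 1h)."""
    h, rem = divmod(seconds, 3600)
    m, s = divmod(rem, 60)
    parts = [f"{v}{u}" for v, u in ((h, "h"), (m, "m"), (s, "s")) if v]
    return "".join(parts) or "0s"


def wan_pool(prefix, first_host, last_host):
    """Return prefix.first_host .. prefix.last_host, validated as IPv4 addresses."""
    return [str(ipaddress.IPv4Address(f"{prefix}.{h}"))
            for h in range(first_host, last_host + 1)]


def nat_rules(pool, out_interface="ether1", slot=SLOT):
    """Build one src-nat rule per slot of the day, cycling through the pool."""
    if 86400 % slot:
        raise ValueError("slot length must divide 24 hours evenly")
    rules = []
    for i in range(86400 // slot):
        start, end = i * slot, (i + 1) * slot - 1
        rules.append(
            f"add action=src-nat chain=srcnat disabled=no "
            f"out-interface={out_interface} "
            f"time={ros_time(start)}-{ros_time(end)},{DAYS} "
            f"to-addresses={pool[i % len(pool)]}"
        )
    return rules


if __name__ == "__main__":
    # Constructed placeholder prefix (192.0.2.0/24 is reserved for documentation);
    # the thread only gives the last octets, .66-.80.
    pool = wan_pool("192.0.2", 66, 80)
    print("/ip firewall nat")
    print("\n".join(nat_rules(pool)))
```

Because 48 half-hour slots are not a multiple of 15 addresses, the cycle restarts at midnight (the last slot uses .68, the first slot of the next day uses .66). As noted in the thread, these rules only change the outbound source address; the router still answers on every address configured on the interface.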