Hello,
I have an interface on my router, ether1, which runs a DHCP client, and my ISP assigns it a public IP address, here 33.44.55.66.
I have a firewall address list that looks like this:
/ip firewall address-list
add address=33.44.55.66 list=unexpected-src-address-hitting-ISP
This address list is used in a few places; one of them is to block traffic coming FROM “my” IP address provided by my ISP.
Is it possible to have this address-list entry automatically updated in the event ether1 gets a new IP address from my ISP?
I’m running 7.9.1.
Thank you for looking!
Enable DDNS and use the record as an entry in your address list.
/ip cloud set ddns-enabled=yes
/ip firewall address-list
add address=33445566.sn.mynetname.net list="unexpected-src-address-hitting-ISP"
QQ: how frequently are the firewall rules refreshed? I doubt the DNS lookup happens every time; how long is it cached for?
Check the cached record’s TTL.
Thanks, looks like 1 min here.
Pretty sure that by default it is not specified.
Maybe /ip/cloud set ddns-update-interval=1m ?
Perhaps you could also use a script if the IP address changes too frequently. You can set any interval you like.
# read the address the DHCP client on ether1 currently holds
:local currentIP [/ip dhcp-client get [find interface=ether1] value-name=address]
# add it to the list (note: every run adds a new entry; the previous one is not removed)
/ip firewall address-list
add address=$currentIP list="unexpected-src-address-hitting-ISP"
In which case you would also have to remove the old one?
How do you set the crontab?
In which case you would also have to remove the old one?
Sorry, my mistake. I didn’t think about this part.
How do you set the crontab?
/system scheduler add name=ip-list interval=00:00:15 on-event="<script name, or simply paste the script below>"
# read the address the DHCP client on ether1 currently holds
:local currentIP [/ip dhcp-client get [find interface=ether1] value-name=address]
# update (rather than add) the existing entry, so no stale entries accumulate
/ip firewall address-list set [find where list="unexpected-src-address-hitting-ISP"] address=$currentIP
I am not sure this would work, because I have a lot of entries in the list “unexpected-src-address-hitting-ISP”; they include things like RFC 1918 ranges, etc.

One possibility is to add another firewall raw rule associated with a new list name?
Can you separate the list=name?
Because I can not create more complex scripts.
Wait on that. :D
I’d rather not mess with your firewall. I don’t feel comfortable enough for that.
You need to set a unique comment on this entry in your list=unexpected-src-address-hitting-ISP.
# read the address the DHCP client on ether1 currently holds
:local currentIP [/ip dhcp-client get [find interface=ether1] value-name=address]
# select only the one entry tagged with this comment, not the whole list
/ip firewall address-list set [find where comment="dhcp-client-address"] address=$currentIP
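A fuller version of the comment-matched approach above, added here as an example and not posted by anyone in this thread. It assumes the same interface (ether1), list name and comment ("dhcp-client-address") as the script above, and a scheduler entry named "ip-list" (a hypothetical name). Two things it handles that the short script does not: the address field of /ip dhcp-client carries the prefix length (for example 33.44.55.66/24), and written unchanged into the address list it would match the whole ISP subnet instead of only your host, so the prefix is stripped; and it creates the entry if it is missing and only rewrites it when the lease actually changed, so the list is not churned every run.

```routeros
# Added example, not from the thread. Assumptions: interface ether1, list name
# "unexpected-src-address-hitting-ISP", comment "dhcp-client-address",
# scheduler name "ip-list" (hypothetical). Install with, for instance:
#   /system script add name=update-isp-address source={ ...this script... }
#   /system scheduler add name=ip-list interval=1m on-event=update-isp-address

:local listName "unexpected-src-address-hitting-ISP"
:local tag "dhcp-client-address"

# dhcp-client reports the lease as address/prefix, e.g. 33.44.55.66/24
:local dhcpAddr [/ip dhcp-client get [find interface=ether1] address]
:if ([:len $dhcpAddr] = 0) do={
    :log warning "update-isp-address: ether1 has no DHCP lease yet, nothing to do"
    :error "no lease"
}

# strip the "/prefix" so the list entry is a single host (/32), not the ISP subnet
:local currentIP $dhcpAddr
:local slash [:find $dhcpAddr "/"]
:if ([:typeof $slash] != "nil") do={
    :set currentIP [:pick $dhcpAddr 0 $slash]
}

# match on both list and comment so other entries in the same list are never touched
:local entry [/ip firewall address-list find where list=$listName and comment=$tag]
:if ([:len $entry] = 0) do={
    /ip firewall address-list add address=$currentIP list=$listName comment=$tag
    :log info "update-isp-address: created $tag entry $currentIP"
} else={
    :local oldIP [:tostr [/ip firewall address-list get $entry address]]
    :if ($oldIP != $currentIP) do={
        /ip firewall address-list set $entry address=$currentIP
        :log info "update-isp-address: $tag changed $oldIP -> $currentIP"
    }
}
```

Running it from the scheduler polls the lease; the same script body can instead be attached to the DHCP client itself (`/ip dhcp-client set [find interface=ether1] script=...`) so it runs when the lease is bound or renewed rather than on a timer. Either way, after the first run check with `/ip firewall address-list print where comment="dhcp-client-address"` that the entry is a bare host address and not a /24.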
I just set another name; it works great, many thanks!