Feature Request: DNS Resolve available in more locations

Examples:
Firewall rules (low prio, since Addresslists can be used)
Local Address for tunnels (Required for IPSec encrypted tunnels)

I know those things are scriptable (I’m doing it atm, but it’d be really nice to have this builtin)

+1

There’s also this recent request (pretty much the same). http://forum.mikrotik.com/t/feature-request-dns-names-in-ipsec/110407/1

Since 6.41rc11, IPsec peers do support DNS FQDNs.

As I mentioned before, I see some utility in an “address table” feature which could assign names to addresses (both single addresses and subnets)
and use those in all places where a literal address is now mandatory (firewall, tunnel endpoints, IPsec, etc etc).
The entry in the address table could then have a fixed value, or it could refer to a DHCP client, a PPP client, etc to obtain the current address.

Maybe a special case could be that the address table refers to DNS for updating the current value of the address, much like DNS entries in firewall address lists.
However, I think there should not be too much reliance on DNS. There should at least be some kind of cache, e.g. the address table.
When DNS is not available, the previous address should continue to be used.
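The "resolve, cache, keep the old value on failure" behaviour described above, as an added RouterOS script (not posted by anyone in this thread). It uses the address-list entry itself as the cache of the last good address and only touches the IPsec peer when the address actually changes. The hostname remote-office.example.com, the list name remote-office and the convention that the peer is tagged with the hostname in its comment field are assumptions for the example; the script is meant to be run from /system scheduler every few minutes.

```routeros
# Added example, not from the thread: sync an address-list entry and an IPsec peer
# to the current A record of a hostname, keeping the cached address when DNS fails.
# Assumed names: remote-office.example.com, list "remote-office", peer found by comment.
:local hostName "remote-office.example.com"
:local listName "remote-office"

:local newAddr
:do {
    :set newAddr [:resolve $hostName]
} on-error={
    # Resolution failed (no DNS, NXDOMAIN, etc.): leave everything as it is.
    :log warning ("dns-sync: cannot resolve " . $hostName . ", keeping cached address")
}

:if ([:typeof $newAddr] = "ip") do={
    :local entry [/ip firewall address-list find list=$listName]
    :if ([:len $entry] = 0) do={
        # First run: create the cache entry.
        /ip firewall address-list add list=$listName address=$newAddr comment=$hostName
        :log info ("dns-sync: created " . $listName . " = " . $newAddr)
    } else={
        :local oldAddr [/ip firewall address-list get $entry address]
        :if ($oldAddr != $newAddr) do={
            /ip firewall address-list set $entry address=$newAddr
            # Peer endpoint moved: point the peer at it and drop the stale SAs so
            # IKE re-establishes against the new address instead of timing out.
            :local peer [/ip ipsec peer find comment=$hostName]
            :if ([:len $peer] > 0) do={
                /ip ipsec peer set $peer address=$newAddr
                /ip ipsec remote-peers kill-connections
            }
            :log info ("dns-sync: " . $hostName . " changed " . $oldAddr . " -> " . $newAddr)
        }
    }
}
```

Firewall rules that reference the list pick up the new address immediately; the peer update is the part that needs the explicit trigger the later post talks about, which is why the script kills the existing IPsec connections after changing the peer address.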

This could keep the config tidy; I agree on that. I always construct my FW rules to employ src/dst address lists on matching, but I do really miss the same functionality for specifying NAT (to-address) parameters. Then my config would be totally consistent, and one change in the "address-list" section would result in a thorough update of all the affected rules. This may not be the best case for DNS, I admit.

And if it already came down to an "object" approach, I could kill for a port-list/port-group/protocol-group abstraction in the firewall…
Say, just like this:

# Proposed syntax (port-group does not exist in RouterOS); 25/465/587 are the SMTP ports
/ip firewall port-group add name=smtp protocol=tcp port=25,465,587
/ip firewall address-list add name=internal_smtp_server address=192.168.1.25
/ip firewall nat add chain=dstnat in-interface=outside dst-port-list=smtp action=dst-nat to-address-list=internal_smtp_server

OK, "port-group" might not be the best name for it, but I think you get the idea…

This “port-group” functionality actually exists in the “ipset” Linux function that is used beneath “address-list”. It should be easy to add in the same way as address-list was added.

My proposed "address-table" is of course a lot more involved to add. It requires triggers when an address changes, e.g. reset of an IPsec connection or existing NAT connections,
so there is linkage both from the configured item to the address-table (as you expect) but also from the address-table back to the configured items (where is this entry used?).

That could be a lot more work to implement.