Hi,
I tried to find (or print) simple queues with a target in network 202.0.0.0/8. Using Winbox, it's easy to find using the filter option like
But I cannot do it using the CLI (/queue simple print count where target in "202.0.0.0/8"). Please help me to do this. Based on this command, I will create my script that finds specific queues and creates those addresses in an address-list. Basically a firewall filter rule that allows traffic if it is created in a simple queue.
Maybe this can help you:
:foreach i in=[/queue simple find] do={
    :local ip [/queue simple get $i target]
    # only targets inside 202.0.0.0/8 go into the list
    :if ($ip ~ "^202.*") do={
        /ip firewall address-list add list=allowed address=$ip
    }
}
Hi c0d3rSh3ll,
Wonderful. Works perfect. Thank you.
Also I'm trying to implement a script so that if someone removes one of the simple queues, the target IP of this queue is removed from the firewall address-list. Do you have a better idea to do it with fewer resources? My script and scheduler are below. This script eats huge resources because it checks every firewall address-list entry.
Scheduler script that reads the log periodically to determine simple queue changes:
:if ([/log find where time>([/system clock get time]-61) message~"simple queue removed"]="") do={:nothing} else={/system script run acl-queue}
Script that checks every firewall address-list entry; if the address doesn't exist on a simple queue then remove this entry from the address-list:
:foreach li in=[/ip firewall address-list find where disabled=no] do={
    :local addr [/ip firewall address-list get $li address]
    # queue targets always carry a prefix length, so a bare host entry
    # in the address-list needs "/32" appended before it can be compared
    :if ($addr ~ "/") do={
        :if ([/queue simple find where target=$addr disabled=no]="") do={
            /ip firewall address-list remove $li
        }
    } else={
        :local addr1 ($addr . "/32")
        :if ([/queue simple find where target=$addr1 disabled=no]="") do={
            /ip firewall address-list remove $li
        }
    }
}
Basically my purpose is to synchronize simple queues and the firewall address-list. If a queue isn't added for host X, then host X gets no network access.
Why do all this?
You can make AUTO dynamic address lists, without any script: simply add the name of the address list on the login interface…
It's a feature already present on RouterOS from 3.x…
For example:
on any ppp-server, pppoe-server, pptp-server, sstp-server, l2tp-server and OVPN-server profile you can use the "address list" to put all the IPs of connected clients in it automatically and dynamically…
on hotspot you can set the address list on the default user profile (and change that via RADIUS), all dynamically…
Where do your simple queue entries come from?
If you want to consider only the 202.0.0.0/8 interval, simply add this in firewall mangle / NAT / filter combined with an address-list.
Yes. You are right. If I use PPP or Hotspot, it's very easy to do. Unfortunately it works as a transparent bandwidth manager and access controller for many different types of networks. Basically a routed network. I created static simple queues for each customer. I want no packets to pass without a simple queue being created manually. The provisioning staff manages only simple queues. Access control should be something dynamic based on the simple queues.
I see a way to implement this with a 3rd party management interface using the API, which controls both the access list and the simple queues simultaneously. But I want to do it without any non-MikroTik equipment.
Any ideas?
I can suggest you:
1) set the comment for all the items on the specific address-list to "remove" (example: /ip firewall address-list set comment="remove" [find where list="sq-list"]);
2a) for each IP on a queue in 202.x.x.x remove or set another comment (example: /ip firewall address-list set comment="Present on Simple Queue" [find where list="sq-list" and address=$IPfromSimpleQueue]);
2b) if the IP on a queue in 202.x.x.x is not present on the address-list, add it (example: /ip firewall address-list add comment="Present on Simple Queue" list="sq-list" disabled=no address=$IPfromSimpleQueue);
3) delete all remaining IPs on the address list where "remove" is still present (example: /ip firewall address-list remove [find where list="sq-list" and comment="remove"]).
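The three steps above written out as one RouterOS script, added here as an example (not the poster's code). It assumes the list is named "sq-list", that only targets inside 202.0.0.0/8 should be synced, that a queue's target may hold a comma-separated list of addresses, and that the address-list stores single hosts without a "/32" suffix; it also skips disabled queues, which the steps above do not mention.

```routeros
# Assumptions (not from the thread): list name, /8 filter, multi-target queues,
# and that address-list entries for single hosts carry no "/32" suffix.
:local listName "sq-list"
:local keepComment "Present on Simple Queue"

# Step 1: mark every current entry as a removal candidate.
/ip firewall address-list set comment="remove" [find where list=$listName]

# Step 2: walk the enabled simple queues; every target in 202.0.0.0/8 is
# either re-marked as present (2a) or added to the list (2b).
:foreach q in=[/queue simple find where disabled=no] do={
    :local targets [/queue simple get $q target]
    :foreach t in=[:toarray $targets] do={
        :local addr $t
        # normalise host/32 to the bare host form the address-list uses
        :if ($addr ~ "/32\$") do={
            :set addr [:pick $addr 0 ([:len $addr] - 3)]
        }
        :if ($addr ~ "^202\\.") do={
            :local existing [/ip firewall address-list find where list=$listName and address=$addr]
            :if ([:len $existing] > 0) do={
                # 2a: a queue still backs this entry, so keep it
                /ip firewall address-list set comment=$keepComment $existing
            } else={
                # 2b: new queue target with no list entry yet
                /ip firewall address-list add list=$listName address=$addr comment=$keepComment
            }
        }
    }
}

# Step 3: whatever is still marked "remove" has no live queue behind it.
/ip firewall address-list remove [find where list=$listName and comment="remove"]
```

Because every run rebuilds the list from the queues themselves, it can be scheduled on a fixed interval without reading the log, and the firewall rule simply matches src-address-list=sq-list.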