Find specific NAT rule

Hello, from the command line I need to be able to find a specific NAT rule, any ideas on what I may be doing wrong?

[admin@MikroTik] > /ip firewall nat print [/ip firewall nat find dst-port="55882"]
expected end of command (line 1 column 24)

Thanks

/ip firewall nat print where dst-port="55882"

Thank you very much!

To use it in a script, use find:

/ip firewall nat find where dst-port="55882"

To test it out and see what rule number it is:

:put [/ip firewall nat find where dst-port="55882"]

But in a script rule number changes, so to get the line:

:put [/ip firewall nat get [/ip firewall nat find where dst-port="55882"]]

Or shorten some.

:put [/ip firewall nat get [find where dst-port="55882"]]

:put is only used to show the output; you can store it in a variable or use it in a loop, etc.

To only get one field of data, like the comments.

:put [/ip firewall nat get [find where dst-port="55882"] comment]

That is a strange request.
Are you using winbox??

If so, just go to IP FIREWALL and select NAT.
Then if you don't have destination port showing on the columns, add it using the far right selector (typically shows ALL as default choice).
If you click on dst nat header in the column it will change to sequential order etc… quite easy to read…

No, I'm using the command via SSH from another server to GET and SET a specific firewall rule.

How would I edit the to-ports field for a given rule, eg

/ip firewall nat set to-ports="12345" where comment="TEST RULE"

Thanks

You need to find the rule, then set the port, so

Set command

/ip firewall nat set "rule number" to-port=12345

To find the “rule number”

/ip firewall nat find where comment="TEST RULE"

So combined

/ip firewall nat set [/ip firewall nat find where comment="TEST RULE"] to-port=12345

This can be shortened some, since you already specify the path in the outer command.

/ip firewall nat set [find where comment="TEST RULE"] to-port=12345

Perfect thank you very much for your assistance!
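
Added example, not part of the original thread: `set [find where comment=...]` as answered above acts on every item `find` returns, and `get` needs exactly one, so a script driven over SSH should check the match count before changing anything. The sketch reuses the thread's "TEST RULE" comment and port 12345; the variable names are illustrative assumptions.

```routeros
# Added example (not from the thread): change to-ports only when exactly one
# NAT rule carries the expected comment. Values reuse the thread's examples;
# the variable names are illustrative.
:local ruleComment "TEST RULE"
:local newPorts "12345"

# find returns a list of internal ids: possibly empty, possibly several
:local ids [/ip firewall nat find where comment=$ruleComment]
:local matches [:len $ids]

:if ($matches = 0) do={
    # get on an empty list fails, and set would change nothing
    :put ("no NAT rule with comment \"" . $ruleComment . "\", nothing changed")
} else={
    :if ($matches > 1) do={
        # set would rewrite every matching rule; list them and stop instead
        :put ($matches . " NAT rules share this comment, refusing to change:")
        /ip firewall nat print where comment=$ruleComment
    } else={
        # exactly one match: work on that single id from here on
        :local id [:pick $ids 0]
        :put ("to-ports before: " . [/ip firewall nat get $id to-ports])
        /ip firewall nat set $id to-ports=$newPorts
        :put ("to-ports after:  " . [/ip firewall nat get $id to-ports])
        :log info ("NAT rule \"" . $ruleComment . "\" to-ports set to " . $newPorts)
    }
}
```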

Is this argument correct?

:if ([/ip firewall nat get [find where comment=pihole_bypass] disabled]=yes) do={

Seems, like the only thread discussing nat get find :smiley:

That is what a more properly worded question/requirement should look like.
We can only work with what is provided. Thanks for the clarification.

what mess… :))

you want:

/ip fire nat
:if ( [get [find where comment="pihole_bypass"] disabled] = yes) do={
  :put "pihole_bypass disabled"
 } else={
  :put "pihole_bypass enabled"
 }

# *** or ***

/ip fire nat
:if ( [:len [find where comment="pihole_bypass" and disabled=yes] ] > 0) do={
  :put "all or at least one pihole_bypass disabled"
 } else={
  :put "all pihole_bypass enabled or none exist"
 }

Thank you, @rextended, for clearing out the mess again :)) :D. Actually, that line was a part of a fallback script. I am still ironing it out again :smiley:

/ip fire nat
:if ( [get [find where comment="pihole_bypass"] disabled] = yes) do={
  :resolve google.com server=192.168.188.25;
  } on-error={
  :put "pihole_bypass enabled"
 } else={
  :resolve google.com server=192.168.188.25;
  :put "pihole_bypass disabled"
 }

Sorry for hijacking the thread :stuck_out_tongue:

mmm… I think I understand what you want to obtain?

/ip fire nat
:if ( [get [find where comment="pihole_bypass"] disabled] = yes) do={
    :local noerror true
    :put "pihole_bypass is disabled, check if working"
    :do { :resolve google.com server=192.168.188.25
    } on-error={
        :put "unresolvable, pihole still disabled"
        :set $noerror false
    }
    :if ($noerror) do={
        :put "but now is working, enable pihole_bypass"
        set [find where comment="pihole_bypass"] disabled=no
    }
} else={
    :put "pihole_bypass is enabled, check if working"
    :do { :resolve google.com server=192.168.188.25
    } on-error={
        :put "but now do not work and I disable pihole_bypass"
        set [find where comment="pihole_bypass"] disabled=yes
    }
}

Kinda, but still not working. The script should enable some NAT rule when pihole is down, and disable it when it is up again. Ref: http://forum.mikrotik.com/t/mikrotik-pihole-unbound/148772/18 For some weird reason the scheduler is doing nothing. But the script was nice though, thank you :smiley:
Update: Solved my issue

:local piholeDown [/ip firewall nat print count-only where comment~"pihole_bypass" && disabled]
:local piholeDNS "192.168.188.25"
:local testDomain "www.google.com"

:if ($piholeDown > 0 ) do={
    :do {
        :resolve $testDomain server $piholeDNS
    } on-error={
        /ip firewall nat enable [find comment=pihole_bypass];
    }
} else={
    :do {
        :resolve $testDomain server $piholeDNS
        /ip firewall nat disable [find comment=pihole_bypass];
    } on-error={}
}