generate address list and block based on source network

I would like to generate an address list and block 2 of 3 internal networks from accessing pointclickcare.com. I found a script here called “Block access to specific websites” and modified it a little but it seems to be adding a bunch of random (or at least I can’t see a pattern) to the address list.
http://wiki.mikrotik.com/wiki/Manual:Scripting-examples

Either I messed something up or I saw a note a ways down below the script that says “Other scripts known to work with latest v3.x”. Are these scripts not intended for RouterOS6? I don’t fully understand RouterOS scripting yet, this is my first attempt.
Here’s the current version of my script after tweaking it a few times.

:foreach i in=[/ip dns cache find] do={
    :local bNew "true";
    :local cacheName [/ip dns cache all get $i name] ;
#    :put $cacheName;

    :if ([:find $cacheName "pointclickcare"] != 0) do={

        :local tmpAddress [/ip dns cache get $i address] ;
#    :put $tmpAddress;

# if address list is empty do not check
        :if ( [/ip firewall address-list find list="PCCAddresses" ] = "") do={
            :log info ("added entry: $[/ip dns cache get $i name] IP $tmpAddress");
            /ip firewall address-list add address=$tmpAddress list=PCCAddresses comment=$cacheName;
        } else={
            :foreach j in=[/ip firewall address-list find list="PCCAddresses"] do={
                :if ( [/ip firewall address-list get $j address] = $tmpAddress ) do={
                    :set bNew "false";
                }
            }
            :if ( $bNew = "true" ) do={
                :log info ("added entry: $[/ip dns cache get $i name] IP $tmpAddress");
                /ip firewall address-list add address=$tmpAddress list=PCCAddresses comment=$cacheName;
            }
        }
    }
}
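
Added example (not part of the original posts): a variant of the DNS-cache script above for RouterOS v6 that counts a name as a match only when `:find` actually returns a position, since a missing substring yields nothing and `!= 0` is then true for unrelated names. The list name and match string are reused from the post; reading name and address from the same menu and deduplicating with `find ... address=` are this example's own choices.

```routeros
# Added example for RouterOS v6; list name and match string are taken from the post above.
:local match "pointclickcare"
:local listName "PCCAddresses"

:foreach i in=[/ip dns cache find] do={
    # Read name and address from the same menu the id came from.
    :local cacheName [/ip dns cache get $i name]

    # :find returns a position (0 when the name starts with the match) or nothing
    # when the match is absent, so test for "found at all" rather than "!= 0".
    :if ([:typeof [:find $cacheName $match]] != "nil") do={
        :local tmpAddress [/ip dns cache get $i address]

        # Add only when this address is not already on the list.
        :if ([:len [/ip firewall address-list find list=$listName address=$tmpAddress]] = 0) do={
            /ip firewall address-list add address=$tmpAddress list=$listName comment=$cacheName
            :log info ("added entry: $cacheName IP $tmpAddress")
        }
    }
}
```

The list only ever holds addresses that clients have already resolved through the router's DNS cache, so a drop rule built on it covers a name only after its first lookup.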

Hello,

On the new 6.36 ROS you can add hostnames to the address lists and it will refresh the IP of the hostname when the DNS TTL expires.
You could add the networks you wish to restrict to an address list and then add the hostnames of PCC that you wish to block to another address list.
Then block the traffic to PCC from the restricted networks in a forward rule. Just make sure and remember that the firewall is processed from top down so make sure you place it above any rule that may allow the traffic and bypass your rule.

/ip firewall address-list
add address=login.pointclickcare.com list=PCC-Addresses
add address=pointclickcare.com list=PCC-Addresses
add address=172.16.1.0/24 list=PCC-Restricted-Networks
add address=172.16.5.0/24 list=PCC-Restricted-Networks


/ip firewall filter
add action=drop chain=forward dst-address-list=PCC-Addresses log-prefix="" src-address-list=PCC-Restricted-Networks

Thanks, that looks very helpful, and I look forward to using that feature, but I try to stick to the bugfix releases just to make sure I run into as few problems as possible. I would like to implement this for them sooner than the new bugfix release if possible. If you or anyone else has any thoughts on how to make the script work or a different solution with the current bugfix release I’d be very interested.

Create address list, add address to the list, set the FQDN as the comment for each entry in that list.
Add as many addresses as you need.
Run the script as often as you need and it will change the IP of each of the addresses in that list to the resolved IP of the comment field. So just put the FQDN in the comment field. Example: comment="login.pointclickcare.com"

:foreach a in=[/ip firewall address-list find list="Address-List-Name"] do={
  /ip firewall address-list set $a address=[:resolve [/ip firewall address-list get $a comment]]
}

That looks interesting. Tomorrow I was going to implement with 2 different DNS servers (1 for each network) and set pointclickcare.com to 127.0.0.1 on one DNS server, but I like that idea better. I’ll test it out.

Thanks.