Remote access to RS232-port for Mikrotik RB411U based router

Hi,

The Mikrotik RB411U based router is connected to the Internet via a ppp-out1 connection to a mobile cellular operator and has a public static IP X.X.X.X. An external device is connected to the RS232 port of the Mikrotik RB411U and is accessed via remote port access on port P.P.P.P.

/port remote-access
add allowed-addresses=Y.Y.Y.Y port=serial0 protocol=raw tcp-port=P.P.P.P

Our goal is remote access to the external device on RS232 from two allowed IP addresses, Y.Y.Y.Y and Z.Z.Z.Z → X.X.X.X:P.P.P.P

The RouterOS configuration for /port remote-access has limitations: it allows one IP or an IP subnet with mask, but not an IP list.

Look at this example:

/port remote-access
add allowed-addresses=Y.Y.Y.Y port=serial0 protocol=raw tcp-port=P.P.P.P

This scenario allows access to the external device on RS232 from only one remote IP, Y.Y.Y.Y → X.X.X.X:P.P.P.P

Is it possible to restrict access to the remote RS232 port to two IP addresses only - {Y.Y.Y.Y, Z.Z.Z.Z} → X.X.X.X:P.P.P.P ?
Where Y.Y.Y.Y is the main IP and Z.Z.Z.Z the backup IP, in case of failure of the main IP.

The input field for "/port remote-access" does not allow entering a list of multiple addresses, only one IP address, or 0.0.0.0/0, or any other subnet S.S.S.S/mask.
The IP addresses Y.Y.Y.Y and Z.Z.Z.Z differ too much to be included in one subnet S.S.S.S/mask.

Is it possible to use the built-in firewall to limit access as in the example {Y.Y.Y.Y,Z.Z.Z.Z} → X.X.X.X:P.P.P.P ?

/ip firewall address-list
add address=Y.Y.Y.Y list=ip_whitelist
add address=Z.Z.Z.Z list=ip_whitelist

/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input dst-port=P.P.P.P in-interface=ppp-out1 protocol=tcp src-address-list=ip_white_list

/port remote-access
add allowed-addresses=0.0.0.0/0 port=serial0 protocol=raw tcp-port=P.P.P.P

Yes, the approach is correct, however there is a typo and possibly a misunderstanding of the firewall concept:

  • you've named the address list ip_whitelist but you refer to it as ip_white_list (underscore between white and list) in the rule
  • you've shown either one rule too many or at least one rule too few. If you wanted to illustrate only the permissive rule, the "accept established or related" is the one too many; if it is your complete set of rules in chain input of table filter, there is at least a "drop the rest of what came in via WAN" missing (but probably more, as you may need more exceptions from this "drop the rest of what came in via WAN" rule, e.g. SSH access to the router itself from another set of addresses). The thing is that in RouterOS, packets that do not match any rule are accepted.
    So the complete set of rules should look something like this:
    chain=input connection-state=established,related,untracked action=accept comment="this is the essence of a stateful firewall"
    chain=input connection-state=invalid action=drop comment="this is in the default firewall, not sure what it actually does except breaking GRE"
    chain=input src-address-list=ip_whitelist protocol=tcp dst-port=PPPP in-interface=ppp-out1 action=accept comment="allow TCP connection to serial port from listed IPs via WAN"
    chain=input src-address-list=authorized_ssh protocol=tcp dst-port=22 in-interface=ppp-out1 action=accept comment="allow SSH connections from listed IPs via WAN"
    chain=input in-interface=ppp-out1 action=drop comment="drop the rest of inbound connection attempts via WAN"

Yes, there was a typo; the full configuration is like this:

/port remote-access
add allowed-addresses=0.0.0.0/0 port=serial0 protocol=raw tcp-port=P.P.P.P

/ip firewall address-list
add address=Y.Y.Y.Y list=ip_whitelist
add address=Z.Z.Z.Z list=ip_whitelist

/ip firewall filter
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established,related
add action=accept chain=input dst-port=8291 in-interface=ppp-out1 protocol=tcp src-address-list=ip_whitelist
add action=accept chain=input dst-port=22 in-interface=ppp-out1 protocol=tcp src-address-list=ip_whitelist
add action=accept chain=input dst-port=6000 in-interface=ppp-out1 protocol=tcp src-address-list=ip_whitelist
add action=drop chain=input in-interface=ppp-out1

Will this configuration provide access only for Y.Y.Y.Y and Z.Z.Z.Z to X.X.X.X:P.P.P.P and block all other IPs?

Also, as far as I know, there is a restriction since RS232 is a resource that is used exclusively - if the connection from the address Y.Y.Y.Y is active at this time, access for Z.Z.Z.Z will be denied until the old connection is broken. Is this true?

Yes.


Yes. If the connection eventually hangs (because the network connection breaks for some time, and during that time, the client terminates the session but the FIN or RST packets do not reach the 411), you have to disable and re-enable the row in /port remote-access to clean up the stalled TCP connection.
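Putting the two answers together (the default-deny input chain from the first reply, and the disable/re-enable reset for a stalled session from the last one), the following RouterOS CLI fragment is an added example, not configuration posted by anyone in the thread. It keeps the thread's placeholders Y.Y.Y.Y and Z.Z.Z.Z (substitute the real client addresses) and the TCP port 6000 from the poster's final configuration; the list name serial_clients, the script name reset-serial0 and the log prefix wan-drop are my own choices, and the connection-table check assumes the tracked entry shows the router's side as X.X.X.X:6000, which is how RouterOS prints it.

```routeros
# --- who may reach serial0 over the WAN: main client and backup client ---
/ip firewall address-list
add list=serial_clients address=Y.Y.Y.Y comment="main client"
add list=serial_clients address=Z.Z.Z.Z comment="backup client (used when the main one fails)"

# --- input chain: explicit accepts first, then default deny on the WAN interface ---
# RouterOS accepts any packet that matches no rule, so the final drop rule is
# what actually enforces the whitelist. Rule order matters.
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked \
    comment="stateful: replies to sessions the router opened or already accepted"
add chain=input action=drop connection-state=invalid \
    comment="drop packets that belong to no known connection"
add chain=input action=accept in-interface=ppp-out1 protocol=tcp dst-port=6000 \
    src-address-list=serial_clients \
    comment="serial0 remote access from listed clients only"
add chain=input action=accept in-interface=ppp-out1 protocol=tcp dst-port=22 \
    src-address-list=serial_clients \
    comment="SSH to the router from listed clients only"
add chain=input action=drop in-interface=ppp-out1 log=yes log-prefix="wan-drop" \
    comment="default deny: everything else arriving via WAN"

# --- the serial port service itself: open to any source, the filter decides ---
/port remote-access
add port=serial0 protocol=raw tcp-port=6000 allowed-addresses=0.0.0.0/0 \
    comment="source filtering is done in /ip firewall filter"

# --- on-demand reset for a stalled session (what the last reply describes) ---
# Disabling and re-enabling the remote-access entry closes the TCP session
# that never saw its FIN/RST, so the backup client can connect again.
/system script
add name=reset-serial0 source="/port remote-access disable [find tcp-port=6000]; :delay 2s; /port remote-access enable [find tcp-port=6000]; :log info \"serial0 remote-access restarted to clear a stalled session\""

# --- checks ---
# Which client currently holds the port (the serial link is exclusive, a second
# client is refused while this tracked connection exists):
/ip firewall connection print where protocol=tcp dst-address~":6000"
# Hit counters: connection attempts from unlisted addresses must land on the
# last drop rule and show up in /log with the wan-drop prefix:
/ip firewall filter print stats
# Clear a stalled session once you have confirmed no legitimate client is connected:
/system script run reset-serial0
```

The drop rule is restricted to in-interface=ppp-out1, so the same port stays reachable from the LAN side; if the router is only ever managed over the WAN, drop that matcher and the rule becomes a true catch-all for chain input. The reset script is deliberately manual rather than scheduled: running it periodically would also cut the session of whichever whitelisted client is legitimately using the port at that moment.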