[solved] Dynamic IP in NAT source address?

I need to create a NAT rule to allow RDP connections ( port 3389 ) for an internal Windows server.

For security reasons, I would like to restrict which external IPs can use this NAT rule. The issue is that one of these external IPs is dynamic, although it has a no-ip hostname.

How can I set a dynamic source address in NAT? Setting the hostname doesn’t work, since it will only resolve it once.

You can use an address-list to define which sources are permitted to reach the RDP service, and add/remove the dynamic address as it changes.
You could make a script that periodically removes the dynamic entry and looks up the current value (if it has a dyndns name, for instance) and adds the result to the address-list.

And one personal “best practice” fact I’d like to add:

It’s generally best practice to set the pinhole regardless of source/destination/security criteria - and then use a filter rule to enforce the security itself. It keeps the logical functions in their proper place.


Another option would be to configure a set of rules for port knocking. There are lots of threads on here and entries in the wiki on that subject, so it shouldn’t be hard to google up a how-to for this.

Thank you. Using an address list worked and was pretty simple. After creating the address list, I created a script that is scheduled to run every 5 minutes:

/ip firewall address-list remove [find list=allowed_address comment="dyn-rdp"]
:do { /ip firewall address-list add list=allowed_address address=[:resolve example.no-ip.org] comment="dyn-rdp" } on-error={}
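For reference, here is the whole setup the thread describes put together: the NAT pinhole without a source restriction, the filter rules that actually enforce the source restriction (the "best practice" point above), and a scheduled script that keeps the dynamic entry current without dropping it when a DNS lookup fails. This is an added example, not configuration posted by anyone in the thread; the list name rdp_allowed, the WAN interface ether1, the server address 192.168.10.20, the static source 198.51.100.10, the DDNS name client.example-ddns.invalid and the comment tag dyn-rdp are all assumed placeholders.

```routeros
# Added example (not from the thread). Assumed placeholders: list "rdp_allowed",
# WAN interface "ether1", server 192.168.10.20, static client 198.51.100.10,
# dynamic DNS name "client.example-ddns.invalid", entry tag "dyn-rdp".

# 1. Address-list: static trusted sources, plus one entry maintained by the script.
/ip firewall address-list add list=rdp_allowed address=198.51.100.10 comment="office (static)"

# 2. NAT pinhole: forward TCP/3389 arriving on the WAN interface to the server.
#    No source restriction here; that is the filter chain's job.
/ip firewall nat add chain=dstnat in-interface=ether1 protocol=tcp dst-port=3389 \
    action=dst-nat to-addresses=192.168.10.20 to-ports=3389 comment="RDP pinhole"

# 3. Filter rules (forward chain, placed before any general accept rule):
#    accept listed sources, drop and log everything else.
/ip firewall filter add chain=forward protocol=tcp dst-address=192.168.10.20 dst-port=3389 \
    src-address-list=rdp_allowed action=accept comment="RDP from allowed sources"
/ip firewall filter add chain=forward protocol=tcp dst-address=192.168.10.20 dst-port=3389 \
    action=drop log=yes log-prefix="rdp-blocked" comment="RDP from anyone else"

# 4. Script body, saved as a script named "refresh-rdp-dynamic"
#    (System > Scripts, or /system script add name=refresh-rdp-dynamic source=...).
#    It resolves the DDNS name and updates the tagged entry in place; if the lookup
#    fails, the previous address is kept instead of leaving the client locked out.
:local newaddr ""
:do { :set newaddr [:resolve "client.example-ddns.invalid"] } on-error={
    :log warning "refresh-rdp-dynamic: DNS lookup failed, keeping previous address"
}
:if ([:len $newaddr] > 0) do={
    :local cur [/ip firewall address-list find list=rdp_allowed comment="dyn-rdp"]
    :if ([:len $cur] = 0) do={
        /ip firewall address-list add list=rdp_allowed address=$newaddr comment="dyn-rdp"
        :log info ("refresh-rdp-dynamic: added " . $newaddr)
    } else={
        :if ([/ip firewall address-list get $cur address] != $newaddr) do={
            /ip firewall address-list set $cur address=$newaddr
            :log info ("refresh-rdp-dynamic: updated to " . $newaddr)
        }
    }
}

# 5. Run the script every 5 minutes.
/system scheduler add name=refresh-rdp-dynamic interval=5m on-event=refresh-rdp-dynamic
```

The script needs to run with read, write and policy permissions (the defaults for a script created from the terminal include these). Keeping the entry tagged by comment means the rest of the list, including the static addresses, is never touched by the refresh, and the log lines give a quick audit trail of when the dynamic client's address changed and when a lookup failed.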