The firewall blocks everything except the addresses in the dynamic list.
It doesn’t work quite right though.
ping debian.org
From 192.168.99.1 (192.168.99.1) icmp_seq=1 Destination Net Unreachable
64 bytes from 151.101.2.132 (151.101.2.132): icmp_seq=2 ttl=55 time=6.46 ms
Again, the problem is that it does not do what it is configured to do, Sherlock.
So do you want us to start the guessing game? Otherwise, post the full config for review.
I mean, what else am I possibly missing? I already spelled out everything there is to know, apparently. But please tell me what I failed to mention that’s so important, if you are so clever? I am interested to learn.
Or you can tell me how my config is responsible for the bug I encountered last time.
And I asked you to show us how it’s configured, Watson.
I don’t follow the problems of any particular users, so I don’t know which bug you allegedly “encountered the last time”, and so I don’t know how it should relate to the firewall blocking your traffic.
Okay, let me get to the point. When I ping debian.org, the first request is indeed blocked by the firewall despite the REJECT rule coming after the ACCEPT rule, meaning the address still has not been added to the dynamic list until the second request.
It probably sends the answer to the client first, and the client is “too quick” to use it, even before the router manages to add it to the list. It would be a simple way to implement it: deal with the DNS request and response as usual, don’t do anything special, just add the request for the address list to some queue, and another process can handle it asynchronously. Otherwise the DNS process itself would have to handle the address list.
Just a guess, you’d have to ask MikroTik how they do it. And if it’s like this, only they can fix/change it.
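The ordering guessed at in the post above, modelled as an added example (not part of the thread and not RouterOS code): the resolver answers the client at once and the address-list entry is applied later from a queue, compared with updating the list before answering. The address, the delays and the function name are constructed for illustration.

```python
import heapq

ADDR = "203.0.113.10"  # constructed documentation address, not from the thread


def simulate(update_delay_ms, client_delay_ms, sync=False,
             pings=3, ping_interval_ms=1000):
    """Replay one DNS lookup followed by `pings` echo requests through a
    default-deny firewall whose allow list is filled from DNS answers.

    update_delay_ms: time the router needs to apply the address-list entry
    client_delay_ms: time between the client receiving the DNS answer and
                     its first packet reaching the firewall
    sync=False: answer sent at t=0, list updated later (the guessed behaviour)
    sync=True:  answer held back until the list entry exists
    Returns the firewall verdict for each echo request, in order.
    """
    allow_list = set()
    events = []  # (time_ms, priority, kind); priority 0 runs first on ties
    heapq.heappush(events, (update_delay_ms, 0, "list_add"))
    reply_at = update_delay_ms if sync else 0
    for i in range(pings):
        t = reply_at + client_delay_ms + i * ping_interval_ms
        heapq.heappush(events, (t, 1, "echo_request"))

    verdicts = []
    while events:
        _, _, kind = heapq.heappop(events)
        if kind == "list_add":
            allow_list.add(ADDR)
        else:
            # accept rule (dst in list) is evaluated before the final reject
            verdicts.append("accept" if ADDR in allow_list else "reject")
    return verdicts


if __name__ == "__main__":
    # Constructed timings: list update takes 5 ms, client reacts in 1 ms.
    print("async queue :", simulate(5, 1))
    print("sync update :", simulate(5, 1, sync=True))
    print("slow client :", simulate(5, 20))
```

With the asynchronous ordering only the first echo request is rejected, which is the pattern in the ping output at the top of the thread; whether RouterOS actually works this way remains the poster's guess.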
Another thing… When you add a “New DNS Static Entry”, is it normal that the “Address list” field remains empty at all times and you have to manually type your list?
Well, it would be more user-friendly if it offered existing lists (same as when you add an address to an address list manually). But I don’t remember if it was ever there. I guess not; the whole option is relatively new, and they probably just made a first version that does something and that’s it.
I vaguely remember it was auto-populating previously, like all other address list inputs I have come across in RouterOS so far.
How are other people’s devices behaving?