I set up and manage a large number of routers and use address lists a lot to simplify management. The one place I can't use address lists is in the web proxy. It would be hella nice to have it in there.
Also, we should have the option to use FQDNs in address lists. It'll be a lot easier for us to manage white and black lists.
You can do that already. Have a scheduled task that resolves names to IPs. I can understand why it can't be done on the fly. Every single packet that traverses the firewall would have one hit to the DNS server associated with it. Not feasible.
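The scheduled resolver described above, written out as a RouterOS script. This is an added example, not code from the thread: the list name, the two hostnames and the log prefix are constructed placeholders, and it assumes a RouterOS release that has `:resolve` and `:do { } on-error={ }` (current 6.x and 7.x; newer releases from 6.35 on also accept a DNS name directly in an address-list entry, which removes the need for this script).

```routeros
# Added example (not from the thread): keep an address list in sync with a
# fixed set of FQDNs. Run it from /system scheduler; see the end of the block.
:local listName "fqdn-whitelist"
# constructed sample names; replace with the hosts you actually want listed
:local names {"www.example.com";"www.example.org"}

:foreach n in=$names do={
  :do {
    # :resolve returns one address (the first A record); it throws on failure
    :local ip [:tostr [:resolve $n]]

    # drop entries for this name that now point at a stale address, so a
    # host whose IP changed does not stay whitelisted under its old address
    :foreach e in=[/ip firewall address-list find list=$listName comment=$n] do={
      :if ([/ip firewall address-list get $e address] != $ip) do={
        /ip firewall address-list remove $e
      }
    }

    # add the current address only if it is not already there (no churn on
    # every run, so firewall rules referencing the list are never left empty)
    :if ([:len [/ip firewall address-list find list=$listName address=$ip comment=$n]] = 0) do={
      /ip firewall address-list add list=$listName address=$ip comment=$n
      :log info ("fqdn-list: " . $n . " -> " . $ip)
    }
  } on-error={
    # a failed lookup keeps the previous entry rather than emptying the list
    :log warning ("fqdn-list: could not resolve " . $n . ", keeping previous entry")
  }
}

# To schedule it, save the block as a script and run it hourly (names assumed):
#   /system script add name=fqdn-list source=<this block>
#   /system scheduler add name=fqdn-list interval=1h on-event=fqdn-list
```

Two caveats a practitioner should keep in mind: `:resolve` returns a single address, so a name with several A records (round-robin or CDN fronts) is only ever listed under one of them; and the list is only as trustworthy as the resolver the router uses, so point `/ip dns` at a server you control rather than whatever DHCP hands out.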
You could create proxy rules via address lists using local-port in the proxy. This will give the effect of having a separate set of proxy rules per address list.
First, create the firewall NAT rules:
# Transparent redirect, one rule per address list. protocol=tcp is required
# for to-ports, and dst-port=80 keeps non-HTTP traffic out of the proxy.
/ip firewall nat add chain=dstnat protocol=tcp dst-port=80 src-address-list=AddressList1 action=redirect to-ports=6001
/ip firewall nat add chain=dstnat protocol=tcp dst-port=80 src-address-list=AddressList2 action=redirect to-ports=6002
/ip firewall nat add chain=dstnat protocol=tcp dst-port=80 src-address-list=AddressList3 action=redirect to-ports=6003
Next, create proxy rules:
# Listen on one port per address list, plus 6000 for clients that are not
# matched by any redirect rule (for example, clients configured to use the
# proxy explicitly). Access rules are created with "add"; "set" only edits
# existing rules.
/ip proxy set port="6000,6001,6002,6003"
# Port 6000: allow everything
/ip proxy access add local-port=6000 action=allow
# Port 6001 (AddressList1): allow only <path1> and <path2>, deny the rest
/ip proxy access add local-port=6001 path="<path1>" action=allow
/ip proxy access add local-port=6001 path="<path2>" action=allow
/ip proxy access add local-port=6001 action=deny
# Port 6002 (AddressList2): deny <path1>, allow <path2>, redirect everything else
/ip proxy access add local-port=6002 path="<path1>" action=deny
/ip proxy access add local-port=6002 path="<path2>" action=allow
/ip proxy access add local-port=6002 action=deny redirect-to="<redirect path>"
# Port 6003 (AddressList3): deny everything and redirect
/ip proxy access add local-port=6003 path="<path1>" action=deny
/ip proxy access add local-port=6003 path="<path2>" action=deny
/ip proxy access add local-port=6003 action=deny redirect-to="<redirect path>"
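The per-address-list setup from the post above, generalised into one RouterOS script that can be pasted onto many routers unchanged and re-run safely. This is an added example, not the poster's code: the address-list names, the port numbers, the `proxy-` comment tags used to detect existing rules, and the placement of the access rules are assumptions, and the multi-port `port=` form follows the post. The last two rules are the check the post leaves out: a proxy listening on four extra ports must not be reachable from the outside, or the router becomes an open proxy.

```routeros
# Added example (not from the post): build the per-address-list transparent
# proxy rules from one table, idempotently, and close the proxy ports to
# anyone not in those lists. Assumed names: AddressList1..3, ports 6001-6003.
:local portByList {"AddressList1"=6001;"AddressList2"=6002;"AddressList3"=6003}

/ip proxy set enabled=yes port="6000,6001,6002,6003"

:foreach listName,port in=$portByList do={
  # comment tag used to recognise rules this script already created
  :local tag ("proxy-" . $listName)

  # one transparent redirect per list; protocol/dst-port are required for
  # to-ports and keep non-HTTP traffic out of the proxy
  :if ([:len [/ip firewall nat find comment=$tag]] = 0) do={
    /ip firewall nat add chain=dstnat protocol=tcp dst-port=80 src-address-list=$listName action=redirect to-ports=$port comment=$tag
  }

  # default-deny on each proxy port; the site-specific path allow rules from
  # the post are added above this rule by hand or by a separate script
  :if ([:len [/ip proxy access find comment=$tag]] = 0) do={
    /ip proxy access add local-port=$port action=deny comment=$tag
  }

  # let only the members of this list reach their own proxy port
  :if ([:len [/ip firewall filter find comment=$tag]] = 0) do={
    /ip firewall filter add chain=input protocol=tcp dst-port=$port src-address-list=$listName action=accept comment=$tag
  }
}

# everything else hitting the proxy ports on the router is dropped, so the
# extra listeners are never exposed as an open proxy on the WAN side
:if ([:len [/ip firewall filter find comment="proxy-in-drop"]] = 0) do={
  /ip firewall filter add chain=input protocol=tcp dst-port=6000-6003 action=drop comment="proxy-in-drop"
}
```

The accept rules are appended before the final drop because the loop runs first, so ordering is correct on a fresh router; on a router that already has an input drop-all rule further up, move the `proxy-in-drop` rule and the per-list accepts above it with `/ip firewall filter move`, otherwise the redirects still work but explicitly configured clients on port 6000 will be cut off.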
That's neat, I didn't know you could do it that way, but that isn't what I was talking about. I don't use transparent proxy for a lot of the networks. Some networks in the same range would have different clients with different access requirements. Some protocols are non-proxiable, so there are filter rules for them, acting on address lists; others are proxy rules using hostnames. When I add filter rules to 100-ish routers, I add them in batch using address lists; even though the IP addresses might be different site to site, they are already configured. Right now, for proxy rules, I have to add unique rules site to site.
roadracer96,
I think I understand. So this was a request for a specific feature to be directly implemented rather than using the suggested workarounds (as you might already be using them)?
Your best bet would probably be to email support [at] mikrotik [dot] com and add a request entry to http://wiki.mikrotik.com/wiki/MikroTik_RouterOS/v4/Feature_Requests (if it's not already there).