I’m trying to set up a script that transfers data (IP address, src mac address and comment) from the “DHCP Leases” table to the “Firewall Filter Rules” table (same mentioned data). Is there a way of directly transferring entries with certain fields set where I want (leased ip → src addr)? Previously I have successfully transferred all my client data using a script that reads a file where fields in lines are delimited with something. So I think that I can certainly do this again, but it would involve the reverse procedure which stores entries from the DHCP table to a file in the first place.
Unfortunately I do believe that it would once again take half of my day trying to get this script working, since I don’t do scripts very often. Maybe someone has had some similar experience or could give some useful tips. Without breaking a sweat of course, it’s too hot already.
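The transfer the question asks about can be done without the intermediate file. The RouterOS script below is an added example, not the script a later reply provided: it walks the static DHCP leases and creates one accept rule per lease, keyed on the IP/MAC pair. The chain name, the `lease-to-filter` comment prefix and the `place-before` position are assumptions.

```routeros
# Added example: copy static DHCP leases into forward-chain filter rules.
# Each rule accepts traffic only when the source IP and source MAC match the lease.
# Assumptions: rules go into chain=forward and are inserted before the first
# existing drop rule in that chain; dynamic leases are skipped.
/ip dhcp-server lease
:foreach lease in=[find dynamic=no] do={
    :local ipAddr  [get $lease address]
    :local macAddr [get $lease mac-address]
    :local cmt     [get $lease comment]
    # prefix the comment so the generated rules are easy to find and remove later
    :local ruleCmt ("lease-to-filter: " . $cmt)
    # skip a lease whose pair already has a rule (re-runnable script)
    :if ([:len [/ip firewall filter find where src-address=$ipAddr and src-mac-address=$macAddr]] = 0) do={
        /ip firewall filter add chain=forward src-address=$ipAddr src-mac-address=$macAddr \
            action=accept comment=$ruleCmt \
            place-before=[:pick [/ip firewall filter find where chain=forward and action=drop] 0]
    }
}
# Check the result afterwards:
# /ip firewall filter print where comment~"lease-to-filter"
```

The `place-before` lookup assumes a drop rule already exists in the forward chain; if there is none, remove that parameter and the rules are appended instead. Because matching on `src-mac-address` only works on the interface the client is directly attached to, this is suitable for the local LAN interface, not for traffic arriving through another router.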
There used to be an option under DHCP that automatically added IPs that were handed out as a lease to a firewall address list - if you can find that, that would be even easier depending on what you’re trying to do.
Thanks fewi, the script you provided worked just as I wanted. And your suggested solution of automatically adding leased IPs to firewall address list does not suit me actually, because I accept forwards for ip/src-mac pairs in filter table. Managing all those entries won’t be very hard, because I am already working on RouterOS API for controlling them from my own web management system. I think your mentioned way of automatically adding leased IPs to addr list applies to hot-spot configurations. It acts that way as far as I remember.
Yes, Hotspots can do that - the same option is mentioned for DHCP in the change log of 4.x but at some point was apparently removed again.
Is your goal to ensure that a specific IP address is only used by the MAC address that was assigned that IP by the DHCP server? You can achieve the same effect more easily by turning off dynamic ARP on the interface and having the DHCP server add ARP entries on lease handout. Of course you’d also have to add everything else that is static, but that would still be one time only without the need for a script or the API.
Well, that script was required only once for me. I did set lots of DHCP static leases at first, so then I needed to add ip/src-mac pairs for them in the firewall. I need to provide Internet access only to specific IP addresses that originate from a specified source mac. From now on, any modifications will be minor ones, done manually or via the RouterOS API. I haven’t decided about that yet.
I still think that’s easier to do with dynamic ARP turned off on the interface and static DHCP leases that automatically add static ARP entries. Then when a customer changes IP/MAC or you add/remove customers, all you do is edit the static lease table - no need for anything else, it just falls into place.
I’m not sure if I understood everything right. Are you suggesting that I disable dynamic ARP table learning in /interface ethernet for my local interface and build the ARP table from static entries all myself? If so, wouldn’t I need to do a triple job also? Managing these entries in the ARP table, DHCP leases table and Firewall Filter table altogether? Or are you suggesting to drop firewall filtering at all, provided static ARP ensures enough protection?
Another approach, that I believe you are suggesting is to enable ‘Add static ARP for DHCP leases’ in DHCP configuration, which then simplifies everything a bit. And to allow forward for everything in a subnet that comes from a DHCP.
That is exactly what I am suggesting. You turn off dynamic ARP on the interface. Without an ARP entry for an IP, the router cannot send traffic back to an IP address behind an interface, so effectively that IP is dead. Then you turn on “Add static ARP entry for DHCP leases”, and whenever the DHCP server hands out a lease it will add an ARP entry - now that IP address can pass traffic through the router. You also don’t create an IP pool, but instead create static leases only, mapping MAC addresses to IP addresses.
Now only certain MAC addresses can get a specific IP via a DHCP lease, and only when they have an active DHCP lease can they pass traffic through the router because the router simply cannot possibly send traffic back to them without the ARP entry created by the act of getting a DHCP lease in the first place.
No need for firewall rules in that scenario, and management is simplified to adding static DHCP leases, mapping MACs to IP addresses in only one spot.
Thanks for the idea fewi. I have successfully adopted it and I shall see how it works practically. But keep in mind that you cannot completely disable ARP for the interface, because you then also would have to add a static ARP entry for the router’s MAC/IP pair in the client computers. Instead of disabling I did set ARP to reply-only mode. That way it only replies for everything that is listed in its local ARP table, no matter static or dynamic.
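Putting the two preceding posts together (the lease-adds-ARP design and the reply-only refinement), the following RouterOS commands are an added example of the complete configuration; they are not from any post in this thread. Interface name, subnet, MAC address and server name are constructed placeholders.

```routeros
# Added example: IP/MAC binding via static DHCP leases plus ARP instead of filter rules.
# Assumptions: LAN interface is ether2-lan, router address 192.168.10.1/24.

# 1. Interface answers ARP requests only for entries already in its ARP table and
#    learns nothing dynamically. reply-only (not disabled) keeps the router's own
#    MAC resolvable by clients, so no static entry is needed on the client side.
/interface ethernet set [find name="ether2-lan"] arp=reply-only

# 2. DHCP server with no address pool: only static leases are ever handed out.
#    add-arp=yes inserts a static ARP entry for every lease it hands out, which is
#    the only way an IP on this interface becomes reachable from the router.
/ip address add address=192.168.10.1/24 interface=ether2-lan
/ip dhcp-server network add address=192.168.10.0/24 gateway=192.168.10.1
/ip dhcp-server add name=lan-dhcp interface=ether2-lan address-pool=static-only \
    add-arp=yes lease-time=1h disabled=no

# 3. One static lease per allowed client: the single place MAC-to-IP mappings live.
/ip dhcp-server lease add server=lan-dhcp address=192.168.10.20 \
    mac-address=00:11:22:33:44:55 comment="client A (constructed example)"

# Verification after a client obtains its lease:
# /ip arp print where interface=ether2-lan      -> shows 192.168.10.20 bound to the lease MAC
# /ip dhcp-server lease print where status=bound
```

A host that configures 192.168.10.20 by hand with a different MAC gets no ARP entry from the router in reply-only mode and therefore receives no return traffic, which is the effect the filter rules were meant to provide. Because the ARP entry disappears when the lease expires, `lease-time` bounds how long a disconnected client's binding lingers.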