Unable to work out command to find specific property set

RouterOS General
1

I’m trying to work out a command to only list NAT rules with a dst-address that is actually set. I can’t seem to work out what command will do that.

Here’s a dump of my session. Anyone able to help?




[admin@Thundercat] /ip firewall nat> print where dst-address=99.99.99.88     
Flags: X - disabled, I - invalid, D - dynamic 
[admin@Thundercat] /ip firewall nat> print where dst-address!=""           
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; Hairpin NAT HTTP
      chain=srcnat action=masquerade protocol=tcp src-address=192.168.0.0/24 out-interface=FiberOp-bridge dst-port=80 log=no log-prefix="" 

 1    chain=srcnat action=masquerade src-address=192.168.0.0/24 out-interface=FiberOp-VLAN log=no log-prefix="" 

 2    ;;; NAT HTTP
      chain=dstnat action=dst-nat to-addresses=192.168.0.100 to-ports=80 protocol=tcp dst-address=99.99.99.88 dst-port=80 log=no log-prefix="" 

 3    ;;; NAT VNC
      chain=dstnat action=dst-nat to-addresses=192.168.0.100 to-ports=5900 protocol=tcp dst-address=99.99.99.88 dst-port=5900 log=no 
      log-prefix="" 

 4    ;;; NAT SSH
      chain=dstnat action=dst-nat to-addresses=192.168.0.233 to-ports=22 protocol=tcp dst-address=99.99.99.88 dst-port=23 log=no log-prefix="" 
[admin@Thundercat] /ip firewall nat> print where dst-address="" 
Flags: X - disabled, I - invalid, D - dynamic 
[admin@Thundercat] /ip firewall nat> print where dst-address!="" && chain=dstnat
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; NAT HTTP
      chain=dstnat action=dst-nat to-addresses=192.168.0.100 to-ports=80 protocol=tcp dst-address=99.99.99.88 dst-port=80 log=no log-prefix="" 

 1    ;;; NAT VNC
      chain=dstnat action=dst-nat to-addresses=192.168.0.100 to-ports=5900 protocol=tcp dst-address=99.99.99.88 dst-port=5900 log=no log-prefix="" 

 2    ;;; NAT SSH
      chain=dstnat action=dst-nat to-addresses=192.168.0.233 to-ports=22 protocol=tcp dst-address=99.99.99.88 dst-port=23 log=no log-prefix="" 
[admin@Thundercat] /ip firewall nat> print where dst-address!="" && chain=dstnat
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; NAT HTTP
      chain=dstnat action=dst-nat to-addresses=192.168.0.100 to-ports=80 protocol=tcp dst-address=99.99.99.88 dst-port=80 log=no log-prefix="" 

 1    ;;; NAT VNC
      chain=dstnat action=dst-nat to-addresses=192.168.0.100 to-ports=5900 protocol=tcp dst-address=99.99.99.88 dst-port=5900 log=no log-prefix="" 
[admin@Thundercat] /ip firewall nat> print where dst-address!="0.0.0.0/0" && chain=dstnat 
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; NAT HTTP
      chain=dstnat action=dst-nat to-addresses=192.168.0.100 to-ports=80 protocol=tcp dst-address=99.99.99.88 dst-port=80 log=no log-prefix="" 

 1    ;;; NAT VNC
      chain=dstnat action=dst-nat to-addresses=192.168.0.100 to-ports=5900 protocol=tcp dst-address=99.99.99.88 dst-port=5900 log=no log-prefix="" 
[admin@Thundercat] /ip firewall nat> print where dst-address!="0.0.0.0/0"                
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; Hairpin NAT HTTP
      chain=srcnat action=masquerade protocol=tcp src-address=192.168.0.0/24 out-interface=FiberOp-bridge dst-port=80 log=no log-prefix="" 

 1    chain=srcnat action=masquerade src-address=192.168.0.0/24 out-interface=FiberOp-VLAN log=no log-prefix="" 

 2    ;;; NAT HTTP
      chain=dstnat action=dst-nat to-addresses=192.168.0.100 to-ports=80 protocol=tcp dst-address=99.99.99.88 dst-port=80 log=no log-prefix="" 

 3    ;;; NAT VNC
      chain=dstnat action=dst-nat to-addresses=192.168.0.100 to-ports=5900 protocol=tcp dst-address=99.99.99.88 dst-port=5900 log=no log-prefix="" 
[admin@Thundercat] /ip firewall nat> print where dst-address!=0.0.0.0/0  
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; Hairpin NAT HTTP
      chain=srcnat action=masquerade protocol=tcp src-address=192.168.0.0/24 out-interface=FiberOp-bridge dst-port=80 log=no log-prefix="" 

 1    chain=srcnat action=masquerade src-address=192.168.0.0/24 out-interface=FiberOp-VLAN log=no log-prefix="" 

 2    ;;; NAT HTTP
      chain=dstnat action=dst-nat to-addresses=192.168.0.100 to-ports=80 protocol=tcp dst-address=99.99.99.88 dst-port=80 log=no log-prefix="" 

 3    ;;; NAT VNC
      chain=dstnat action=dst-nat to-addresses=192.168.0.100 to-ports=5900 protocol=tcp dst-address=99.99.99.88 dst-port=5900 log=no log-prefix="" 
[admin@Thundercat] /ip firewall nat> print where dst-address!=         
syntax error (line 1 column 26)
[admin@Thundercat] /ip firewall nat> print where dst-address!=""
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; Hairpin NAT HTTP
      chain=srcnat action=masquerade protocol=tcp src-address=192.168.0.0/24 out-interface=FiberOp-bridge dst-port=80 log=no log-prefix="" 

 1    chain=srcnat action=masquerade src-address=192.168.0.0/24 out-interface=FiberOp-VLAN log=no log-prefix="" 

 2    ;;; NAT HTTP
      chain=dstnat action=dst-nat to-addresses=192.168.0.100 to-ports=80 protocol=tcp dst-address=99.99.99.88 dst-port=80 log=no log-prefix="" 

 3    ;;; NAT VNC
      chain=dstnat action=dst-nat to-addresses=192.168.0.100 to-ports=5900 protocol=tcp dst-address=99.99.99.88 dst-port=5900 log=no log-prefix="" 
[admin@Thundercat] /ip firewall nat> print where [dst-address = ""] 
syntax error (line 1 column 26)
[admin@Thundercat] /ip firewall nat> print where dst-address not ""     
Flags: X - disabled, I - invalid, D - dynamic 
[admin@Thundercat] /ip firewall nat> print where dst-address not = ""
Flags: X - disabled, I - invalid, D - dynamic 
[admin@Thundercat] /ip firewall nat> print where dst-address~"^\$"   
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; Hairpin NAT HTTP
      chain=srcnat action=masquerade protocol=tcp src-address=192.168.0.0/24 out-interface=FiberOp-bridge dst-port=80 log=no log-prefix="" 

 1    chain=srcnat action=masquerade src-address=192.168.0.0/24 out-interface=FiberOp-VLAN log=no log-prefix="" 
[admin@Thundercat] /ip firewall nat> print where !dst-address~"^\$"
Flags: X - disabled, I - invalid, D - dynamic 
[admin@Thundercat] /ip firewall nat> print where !dst-address~"^"  
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; Hairpin NAT HTTP
      chain=srcnat action=masquerade protocol=tcp src-address=192.168.0.0/24 out-interface=FiberOp-bridge dst-port=80 log=no log-prefix="" 

 1    chain=srcnat action=masquerade src-address=192.168.0.0/24 out-interface=FiberOp-VLAN log=no log-prefix="" 
[admin@Thundercat] /ip firewall nat> print where !dst-address~"" 
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; Hairpin NAT HTTP
      chain=srcnat action=masquerade protocol=tcp src-address=192.168.0.0/24 out-interface=FiberOp-bridge dst-port=80 log=no log-prefix="" 

 1    chain=srcnat action=masquerade src-address=192.168.0.0/24 out-interface=FiberOp-VLAN log=no log-prefix="" 
[admin@Thundercat] /ip firewall nat> print where dst-address~"" 
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; Hairpin NAT HTTP
      chain=srcnat action=masquerade protocol=tcp src-address=192.168.0.0/24 out-interface=FiberOp-bridge dst-port=80 log=no log-prefix="" 

 1    chain=srcnat action=masquerade src-address=192.168.0.0/24 out-interface=FiberOp-VLAN log=no log-prefix="" 

 2    ;;; NAT HTTP
      chain=dstnat action=dst-nat to-addresses=192.168.0.100 to-ports=80 protocol=tcp dst-address=99.99.99.88 dst-port=80 log=no log-prefix="" 

 3    ;;; NAT VNC
      chain=dstnat action=dst-nat to-addresses=192.168.0.100 to-ports=5900 protocol=tcp dst-address=99.99.99.88 dst-port=5900 log=no log-prefix="" 
[admin@Thundercat] /ip firewall nat> print where "dst-address"."" = ""         
Flags: X - disabled, I - invalid, D - dynamic
2

I don’t have the code to hand, but you might be best using a for loop and running :typeof dst-address

3

Try with.. .. where dst-address~“99.99.99.88”