Update IP Address-List by DNS lookup

Hi guys, I'm fairly new to Mikrotik routers, but when I have a need for something, I try and work it out.

The story goes, we have our client routers locked down (as they should be). I have my work IP ranges listed in IP Lists to allow remote management. This works a treat. Each range has its own list, called up by the advanced src-address list.

The problem is when trying to work on these from my home office. Home office has a Dynamic IP address (by choice) but I need to be able to connect into the client routers.


I have spent a few hours tonight trying to work this one out, but I just can't get there.


What I really want is:

The ability to search the Address Lists for "Dynamic Remote IPs" (there might be 2-3 of these).
Then look up the DNS address for these lists. One way I can think of is having the DNS name in the comment. This would allow the script to scale.

Then to check if the address listed is the same as the resolved address, if not, update it.

Like so

There will be other lists, so it needs to select by name

I'm able to get as far as

:global listname "Dynamic Remote IPs"
/ip firewall address-list print where list=$listname

But trying to select the IP address from this is causing me issues.


I'm not a good scripter at all, but I can work out enough things to get by, but this one is getting me.


Thanks in advance!


Alan
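One way to script the lookup-and-update loop described above, added here as an illustration and not code from the thread or from the linked post. It assumes RouterOS scripting (`:resolve`, `:do ... on-error`), the list name used in the post, and the poster's convention of keeping the DNS name in each entry's comment:

```routeros
# Added example: refresh every entry of one address-list from the DNS name stored in its comment.
# Assumptions: RouterOS v6.x/v7 scripting; list name and comment convention as in the post.
:local listName "Dynamic Remote IPs"

:foreach id in=[/ip firewall address-list find where list=$listName] do={
    :local entry [/ip firewall address-list get $id]
    :local host ($entry->"comment")
    :local current [:tostr ($entry->"address")]

    # Entries without a DNS name in the comment are static; leave them alone.
    :if ([:len $host] > 0) do={
        :do {
            :local resolved [:tostr [:resolve $host]]
            :if ($resolved != $current) do={
                /ip firewall address-list set $id address=$resolved
                :log info ("address-list " . $listName . ": " . $host . " changed " . $current . " -> " . $resolved)
            }
        } on-error={
            # A failed lookup must not wipe the existing entry; keep the old address and log it.
            :log warning ("address-list " . $listName . ": could not resolve " . $host . ", keeping " . $current)
        }
    }
}

# To run it periodically, save it under /system script (e.g. name "update-dynamic-remote")
# and add a scheduler entry such as:
#   /system scheduler add name=update-dynamic-remote interval=5m on-event=update-dynamic-remote
```

Because the firewall rules reference the list by name, the entry's address can change without touching the rules; the old address stops matching as soon as the entry is updated.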

Hello,

Take a look at this post : http://forum.mikrotik.com/t/ddns-address-in-firewall-address-list-solved/74860/1

Best Regards,

Thanks heaps!

You could also implement a port knocking scheme in your firewall. Your situation is exactly what it’s best built to handle.

essentially - you make a rule that looks for a packet on some port - 909
new packet to tcp:909 → add src IP to list knock1 timeout=3 seconds
new packet to udp:1616 src-address-list=knock1 → add src IP to knock2 timeout=3 seconds
new packet to tcp:401 src-address-list=knock2 → add src IP to your whitelist with timeout = 15 minutes

After that, for 15 minutes you'll be able to make new connections from your current IP. You could make the timeout longer if your IP is relatively stable…
They make port knock programs for Windows, Mac, and Linux, so sending the packet sequence isn't hard.

Remember - you still must authenticate to whatever service is now unblocked - so this doesn’t undermine the service’s security. It just keeps it blocked for general purposes.

Wow, that’s a mad way of getting in, but super secure! I’ll look more into that tomorrow. It’s the kind of thing I can have setup on work laptops to allow access in from anywhere, but still be super secure.