Use a variable as a firewall rule parameter

Hi, I need to change, delete and create rules dynamically. Is it possible to use a variable as a firewall rule parameter? e.g.

:local wans; :set wans 3;

/ip firewall mangle
:log info "Setting filters";
add action=mark-connection chain=prerouting comment="TEST RULE"
disabled=no dst-address-type=!local in-interface=local
new-connection-mark=wan3_conn passthrough=yes per-connection-classifier=
both-addresses:HERE THE VARIABLE $wans/2

Yes, it is possible. For example, setting an IP address from a variable:

:global myIP 10.1.1.1
/ip firewall mangle add chain=input src-address=$myIP;

Thanks for your help.

In my specific case it doesn't work. Maybe because I need to concatenate the both-addresses: with the variable? Can you help me with this? I don't know much about scripting.

:local wans 3

/ip firewall mangle
:log info "Setting filters";
add action=mark-connection chain=prerouting comment="TEST RULE"
disabled=no dst-address-type=!local in-interface=local
new-connection-mark=wan3_conn passthrough=yes per-connection-classifier=
both-addresses:HERE THE VARIABLE $wans/2

{
:local wans 3;
/ip firewall mangle
add chain=prerouting per-connection-classifier="both-addresses:$wans/2"
}
[admin@rb750g] /ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic 
[admin@rb750g] /ip firewall mangle> :local wans "2"; add action=mark-connection chain=prerouting comment="TEST RULE" disabled=no dst-address-type=!local in-interface=ether4 new-connection-mark=wan3_conn passthrough=yes per-connection-classifier="both-addresses:$wans/2"
[admin@rb750g] /ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; TEST RULE
     chain=prerouting action=mark-connection new-connection-mark=wan3_conn 
     passthrough=yes dst-address-type=!local in-interface=ether4 
     per-connection-classifier=both-addresses:2/2 
[admin@rb750g] /ip firewall mangle>

OK, thanks a lot, I will try this. I'm in a hurry now, but later I will post another command that is not working well, or maybe the problem is between the chair and the keyboard..

OK, excuse me for posting here, because this is already posted in another thread, but maybe here it's more appropriate: I really need to count the number of active routes in order to convert it into a variable to create the number of PCC rules needed to make the dynamic load balance.. thanks


Hi everybody, please can somebody tell me why, if I have this route list


[admin@router-plaza] > /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit

DST-ADDRESS PREF-SRC GATEWAY DISTANCE

0 A S 0.0.0.0/0 ether1 1
1 A S 0.0.0.0/0 ether2 1
2 A S 0.0.0.0/0 vlan1-claudio1 1
3 X S ;;; claudio 1
0.0.0.0/0 192.168.201.1 1
4 A S 0.0.0.0/0 vlan2-claudio2 1
5 X S ;;; claudio 2
0.0.0.0/0 192.168.203.1 1
6 A S ;;; berloni
0.0.0.0/0 192.168.202.1 1
7 A S ;;; dubby
0.0.0.0/0 192.168.204.1 1
8 A S ;;; gelo 1
0.0.0.0/0 192.168.208.1 1
9 A S ;;; gelo 2
0.0.0.0/0 192.168.209.1 1
10 A S 0.0.0.0/0 192.168.207.1 1
11 A S 0.0.0.0/0 192.168.205.1 1
12 ADS 0.0.0.0/0 190.77.0.1 0
13 DS 0.0.0.0/0 190.205.128.1 1
14 S 0.0.0.0/0 192.168.209.1 2
15 DS 0.0.0.0/0 190.204.224.1 2
16 DS 0.0.0.0/0 200.84.128.1 3
17 ADC 190.77.0.0/19 190.77.18.216 ether1 0
18 ADC 190.204.224.0/19 190.204.227.183 vlan1-claudio1 0
19 ADC 190.205.128.0/19 190.205.138.128 ether2 0
20 A S 192.168.19.0/24 192.168.88.5 1
21 ADC 192.168.88.0/24 192.168.88.1 local 0
22 ADC 192.168.201.0/24 192.168.201.5 ether3 0
23 ADC 192.168.202.0/24 192.168.202.5 ether5 0
24 ADC 192.168.203.0/24 192.168.203.5 ether4 0
25 ADC 192.168.204.0/24 192.168.204.5 ether6 0
26 ADC 192.168.205.0/24 192.168.205.5 ether6 0
27 ADC 192.168.207.0/24 192.168.207.5 ether8 0
28 ADC 192.168.208.0/24 192.168.208.5 ether7 0
29 ADC 192.168.209.0/24 192.168.209.5 ether8 0
30 ADC 200.84.128.0/19 200.84.159.146 vlan2-claudio2 0


as you can see, I have many routes with dst-address 0.0.0.0/0.
Why does this command print only an incomplete output?


[admin@router-plaza] > /ip route print where dst-address=0.0.0.0/0
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit

DST-ADDRESS PREF-SRC GATEWAY DISTANCE

0 ADS 0.0.0.0/0 190.77.0.1 0
1 DS 0.0.0.0/0 190.205.128.1 1
2 S 0.0.0.0/0 192.168.209.1 2
3 DS 0.0.0.0/0 190.204.224.1 2
4 DS 0.0.0.0/0 200.84.128.1 3


So why doesn't the command show me all the routes with 0.0.0.0/0 as dst-address? I need to count these in order to make a choice. Any help? Thanks

I really need to count the number of active routes in order to convert it into a variable to create the number of PCC rules needed to make the dynamic load balance.. thanks

So you need a count of active routes?

/ip route print count-only where active
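Putting the two answers together (a variable inside the per-connection-classifier string, and counting active routes), here is an added example script that is not from the thread or from MikroTik. It assumes the LAN interface is named "bridge-lan", that a routing-mark "to_wanN" exists for each WAN, and that the number of WANs equals the number of active default routes (it uses `:len [find ...]` to capture that count in a variable; `print count-only` would also work).

```routeros
# Added example (not from the thread): regenerate one PCC mangle rule pair per
# active default route, so adding or losing a WAN only needs a re-run.
{
    # Count active default routes; this becomes the PCC denominator.
    # Assumption: one active default route per WAN link.
    :local wans [:len [/ip route find active dst-address=0.0.0.0/0]]
    :local lan "bridge-lan"
    :log info ("Setting PCC filters for " . $wans . " WAN(s)")

    # Drop the rules generated by a previous run (tagged via comment).
    /ip firewall mangle remove [find comment~"^pcc-auto"]

    :for i from=1 to=$wans do={
        # PCC remainders run from 0 to wans-1
        :local r ($i - 1)
        :local cmark ("wan" . $i . "_conn")
        :local rmark ("to_wan" . $i)
        # Classify new LAN connections into bucket r of wans.
        /ip firewall mangle add chain=prerouting in-interface=$lan dst-address-type=!local connection-mark=no-mark per-connection-classifier="both-addresses:$wans/$r" action=mark-connection new-connection-mark=$cmark passthrough=yes comment=("pcc-auto mark " . $cmark)
        # Route the marked connection through its WAN's routing table.
        /ip firewall mangle add chain=prerouting in-interface=$lan connection-mark=$cmark action=mark-routing new-routing-mark=$rmark passthrough=no comment=("pcc-auto route " . $rmark)
    }
}
```

Check the result with /ip firewall mangle print as in the earlier reply; each generated classifier should read both-addresses:N/r with r from 0 to N-1.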

Thanks everybody for your help, problem solved at:

http://forum.mikrotik.com/t/solved-script-to-recreate-the-load-balance-mangle-rules/36203/1