ltwally
just joined
Topic Author
Posts: 8
Joined: Tue Jun 29, 2021 10:21 pm

Firewall DNS instead of IP address

Tue Jun 29, 2021 10:28 pm

Is it possible to use a DNS entry as the Source instead of an IP address?

Scenario: We're a small office, and would like to be able to remotely manage the router without a VPN or some service to remote onto a local computer. We do not want to open up the web admin port to the entire internet. Just a couple people's home systems. Those people are on consumer internet connections, without static IP addresses. But, we do have Dynamic DNS.

It was suggested that this would require scripting. However, I am very new to RouterOS, and was hoping that there would either be an easier way, or an example for this type of script that I could more or less drop-in-place.

Any help would be welcome.

Thank you in advance.
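The scripted approach the post above was pointed to, as an added example that is not from this thread or from any forum participant: a RouterOS script, meant to be stored under /system script and run from a scheduler, that resolves each DDNS name and keeps a single address list in sync so that one firewall rule can reference it. The list name "admins" and the DDNS host names are assumptions; replace them with your own.

```routeros
# Added example, not from the thread. Keeps address list "admins" (assumed
# name) in sync with the current IPs of a few DDNS names (assumed names).
# One entry per DDNS name; the name is kept in the entry's comment so the
# script can find and update its own entries without touching anything else.
:local listName "admins"
:local ddnsNames {"admin1.ddns.example.net"; "admin2.ddns.example.net"}

:foreach name in=$ddnsNames do={
    :do {
        # :resolve raises an error when the name cannot be resolved,
        # which the on-error branch turns into a log line instead of a stop.
        :local ip [:resolve $name]
        :local found [/ip firewall address-list find list=$listName comment=$name]
        :if ([:len $found] = 0) do={
            /ip firewall address-list add list=$listName address=$ip comment=$name
            :log info ("ddns-allow: added " . $name . " -> " . $ip)
        } else={
            # Only rewrite the entry when the address actually changed,
            # so the log stays quiet between DDNS updates.
            :local current [:tostr [/ip firewall address-list get ($found->0) address]]
            :if ($current != [:tostr $ip]) do={
                /ip firewall address-list set $found address=$ip
                :log info ("ddns-allow: updated " . $name . " " . $current . " -> " . $ip)
            }
        }
    } on-error={
        # Keep the previous address in the list rather than removing access
        # on a transient DNS failure; the warning makes the failure visible.
        :log warning ("ddns-allow: could not resolve " . $name)
    }
}
```

Run it with /system scheduler (for example interval=5m, on-event set to the script name) and reference the list from the input chain with src-address-list=admins on an accept rule placed above the drop rule for the management ports.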
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Firewall DNS instead of IP address

Wed Jun 30, 2021 3:17 pm

 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Firewall DNS instead of IP address

Wed Jun 30, 2021 3:27 pm

Increase security slightly without too much effort:

Change the default port 80 to any number between 40000 and 60000

Create a user group without any rights
Create a new full user with the serial number as username (it can be read only if already logged in or from the device itself).
Assign the full group to this new user
Create one random password like "p!2M4Q9iWs@pjdW45" and assign it to the new user
Log in with the new user to see that everything is working
Set the "empty" user group on admin
Change the admin password to one like the previous, BUT NOT THE SAME....

Now it is more secure, without even considering the firewall.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall DNS instead of IP address

Wed Jun 30, 2021 5:09 pm

Hi rextended, not quite understanding your explanation.
In fact it's confusing.

To the OP, I don't recommend non-VPN access to the router, especially being a WORK place router; just a bad idea all the way round.
If you want to be able to admin the router, it should ONLY be one person, not all persons with access; another bad idea.

You may want to consider leaving one generic, not even powerful, PC up that is accessible 24/7 by TeamViewer for example.
There may be some sort of RADIUS server in the mix for additional security........
From that PC one could then access the router via WinBox for example.

I still don't feel comfortable recommending that to be honest, but clearly you are looking for 'easier' than VPN.
A fairly easy solution is WireGuard VPN, which is in the beta firmware, but when released in mainstream it's dirt quick to be able to access the router securely through VPN.
 
ltwally
just joined
Topic Author
Posts: 8
Joined: Tue Jun 29, 2021 10:21 pm

Re: Firewall DNS instead of IP address

Sun Jul 04, 2021 2:47 am

I appreciate all of your replies. However, I'm not certain any of them actually addressed the question:

Is it possible to add an ALLOW entry in the firewall that targets a DNS entry instead of an IP address? If so, how?

We are not looking to make a plethora of admins.
We do not want the entire internet to be able to even attempt to log into the Web Admin portal.

We just want to use a DNS entry in place of an IP address for a firewall rule. This would enable us to use Dynamic DNS so that select IT people working from home can easily access the Web Admin, without needing to remote to an office computer or use a VPN.

Thank you
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Firewall DNS instead of IP address

Sun Jul 04, 2021 3:01 am

Ok,
you want to drive on the highway without knowing how to start the car.

We try to prevent you from creating another zombie network.

Is it possible to add an ALLOW entry in the firewall that targets a DNS entry instead of an IP address?

NO
 
Cablenut9
Long time Member
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: Firewall DNS instead of IP address

Sun Jul 04, 2021 3:05 am

Is it possible to add an ALLOW entry in the firewall that targets a DNS entry instead of an IP address? If so, how?
You can, but it's weird. To do it, make an entry of the DNS name in Address Lists and give it some name. Then, use that address list in your firewall rule.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Firewall DNS instead of IP address

Sun Jul 04, 2021 3:17 am

@Cablenut9 NO, you can't, it is still impossible to add a DNS entry on the firewall filter. You can only suggest ANOTHER WAY
 
Cablenut9
Long time Member
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: Firewall DNS instead of IP address

Sun Jul 04, 2021 3:19 am

@Cablenut9 NO, you can't, it is still impossible to add a DNS entry on the firewall filter. You can only suggest ANOTHER WAY
How is this possible if I have a 200 entry list with DoH domains?
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Firewall DNS instead of IP address

Sun Jul 04, 2021 3:23 am

First: as requested before, please do not quote uselessly.

Second: have you really read my reply? Are the 200 entries directly on the firewall filter (not the IP but the DNS) or on an address-list?
 
Cablenut9
Long time Member
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: Firewall DNS instead of IP address

Sun Jul 04, 2021 3:40 am

There's obviously no way to add it directly to the firewall filter, but address lists have the same exact functionality with an extra step.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Firewall DNS instead of IP address

Sun Jul 04, 2021 3:42 am

Now it is clear to all without any doubt, thanks.

If you are interested in WHY, it is simple:
the firewall must process the packets at max speed;
checking the DNS entry every time is a loss of time;
better to have separate address-lists elaborated by a different process,
ready-to-use.
 
pe1chl
Forum Guru
Posts: 10194
Joined: Mon Jun 08, 2015 12:09 pm

Re: Firewall DNS instead of IP address

Sun Jul 04, 2021 2:26 pm

The aggressive poster is again playing up.
But obviously it is easy to do in RouterOS. He just doesn't know it, and that is when he gets offensive and aggressive.

For the original poster:
Go to the IP Firewall menu tab Address lists.
Add a rule, enter a name (e.g. admins) and in the address field enter the dynamic DNS name of an admin.
Repeat that for every admin you want to add (using the same name every time).
When you do that, you will see in the displayed items that the name is expanded to an address using a DNS lookup.
This is a dynamic process which is repeated automatically. When the address tied to the dynamic DNS name changes, so will the displayed address in this list.
The DNS query is repeated in an interval determined by the TTL of the DNS name.

Now, go to the IP Firewall rules tab.
Add a new allow rule as you desire (e.g. some allowed new traffic from internet), and instead of a src.address use the src.address list item found on the Advanced tab.
All traffic will be matched against the address list you select, which will be the one you created above.
That will work in the way you intend it to work.

It is also possible to do this with 200 entries (i.e. 200 different DNS names in the list). It has some overhead but on today's routers it works OK.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Firewall DNS instead of IP address

Mon Jul 05, 2021 2:37 am

The aggressive poster is again playing up.
If I am truly an "aggressive poster", it does not indicate intelligence to provoke me. No?

Is it possible to add an ALLOW entry in the firewall that targets a DNS entry instead of an IP address?
But obviously it is easy to do in RouterOS
No matter what you say, it still cannot actually be done on any stable or long-term version, and any argument is useless.
Using an address-list is another method, one alternative, another way, call it whatever you want, but the reply to that question is still NO.
Last edited by rextended on Mon Jul 05, 2021 3:09 am, edited 1 time in total.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Firewall DNS instead of IP address

Mon Jul 05, 2021 3:10 am

For the original poster:
Less novels, more concrete examples.

Put these rules in 1st and 2nd place, on top of the "drop all" input rule, if you have one (I hope).
In the example the public IP is 4.5.6.7 and obviously must be replaced with your public IP where you want to activate WebFig;
the 3 remote DDNS names are sitea-ddns.mysite.ext, siteb-ddns.mysite.ext and sitec-ddns.mysite.ext, you can add as many as you want.
/ip firewall address-list
add list=allowed-remote-dns-to-webservice address=sitea-ddns.mysite.ext
add list=allowed-remote-dns-to-webservice address=siteb-ddns.mysite.ext
add list=allowed-remote-dns-to-webservice address=sitec-ddns.mysite.ext
/ip firewall filter
add action=accept chain=input dst-address=4.5.6.7 dst-port=80,443 protocol=tcp src-address-list=allowed-remote-dns-to-webservice
add action=drop chain=input dst-address=4.5.6.7 dst-port=80,443 protocol=tcp 
