dtouzeau
just joined
Topic Author
Posts: 7
Joined: Thu Oct 23, 2014 8:25 pm

address list with negative entries

Sat Oct 25, 2014 1:06 pm

I cannot add negative entries in address list behavior.
/ip firewall address-list add list=MyNet address=192.168.1.0/24
/ip firewall address-list add list=MyNet address=!192.168.1.155/32
value of address must have ip address before '/'
I would like to create this kind of rule:
Match rule for the network 192.168.1.0/24 but not for 192.168.1.155 and not for 192.168.1.156 and not for 192.168.1.157
/ip firewall mangle
add action=mark-routing chain=prerouting comment="mark routing to Artica proxy" dst-port=80 new-routing-mark=to-artica-proxy protocol=tcp src-address-list=MyNet
 
Ibersystems
Forum Guru
Posts: 1681
Joined: Wed Apr 12, 2006 12:29 am
Location: Cabrils, Barcelona - Spain

Re: address list with negative entries

Sat Oct 25, 2014 1:09 pm

I can't try it here right now, but I think you have to make a new address list with the IPs or networks you want to keep from access, and then you can add two filter rules. Play with the tick before the address list in the filter rule. (Negative with the tick)
Martín
martinruiz at ibersystems.es
Expert in WiFi networks and WiFi links.

Facebook: @Ibersystems
Twitter: @Ibersystems

Certified in Traffic Shaping, Wireless, Internetworking, Routing and User Management.
MTCTCE - MTCWE - MTCINE - MTCUME - MTCRE
 
dtouzeau
just joined
Topic Author
Posts: 7
Joined: Thu Oct 23, 2014 8:25 pm

Re: address list with negative entries

Sat Oct 25, 2014 2:23 pm

I have tried that but it doesn't work; the 192.168.0/24 rule takes the hand.

The strategy is to create a return rule before the mark rule:
/ip firewall address-list add list="to_proxy_list" address=192.168.1.0/24
/ip firewall address-list add list="to_direct" address=192.168.1.135/32
/ip route
add check-gateway=ping distance=1 gateway=172.16.24.2 routing-mark=to-artica-proxy
/ip firewall mangle
add action=return chain=prerouting comment="mark routing to direct" src-address-list=to_direct
add action=mark-routing chain=prerouting comment="mark routing to Artica proxy" dst-port=80 new-routing-mark=to-artica-proxy protocol=tcp src-address-list=to_proxy_list
 
dtouzeau
just joined
Topic Author
Posts: 7
Joined: Thu Oct 23, 2014 8:25 pm

Re: address list with negative entries

Sat Oct 25, 2014 2:31 pm

Sorry, I confirm that the rules that I made before "WORK !!"
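
The single-rule form of the negated-list matcher mentioned earlier in the thread, as an added example that is not part of any post: address-list entries cannot be negated, but the rule's `src-address-list` matcher can. The list names follow the posts above, the three host addresses are the ones from the first post, and matching the /24 with `src-address` instead of a second list is an assumption of this example.

```routeros
# Added example, not from the thread.
# Hosts that must bypass the proxy go in their own list (plain entries, no "!").
/ip firewall address-list
add list=to_direct address=192.168.1.155
add list=to_direct address=192.168.1.156
add list=to_direct address=192.168.1.157

/ip firewall mangle
# One rule: match the whole /24 by src-address, then exclude members of
# to_direct with the negated matcher (the "!" tick box in WinBox).
add chain=prerouting action=mark-routing new-routing-mark=to-artica-proxy \
    protocol=tcp dst-port=80 src-address=192.168.1.0/24 \
    src-address-list=!to_direct \
    comment="mark routing to Artica proxy, except to_direct"

# Check: traffic from the exempt hosts should not increment this rule's counters.
/ip firewall mangle print stats where comment~"Artica"
```

Unlike the `action=return` rule, which matches all traffic from `to_direct` and so skips every later prerouting mangle rule for those hosts, this form only exempts them from the proxy mark.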
