 
RackKing (Member Candidate, Topic Author)
Posts: 212
Joined: Wed Oct 09, 2013 1:59 pm

Interface-list VS firewall address-list best practices and approach?

Thu Dec 06, 2018 2:40 pm

I was thinking about how to use these more effectively and efficiently. I typically use an interface-list for WAN and MGMT but use a firewall address-list for LAN segregation. Most of the time ether1 is the only interface in the WAN list, so I am not sure what I am really saving. I suppose it is easier to think about?

My rudimentary understanding is that you can achieve similar things in the firewall, but with an interface-list you can specify an entire VLAN or physical interfaces. When using multiple VLANs perhaps this is easier to use rather than creating multiple FW address-lists. I also see others use the concept of trusted, untrusted, internet_only, etc. in their interface-lists, which all seem like valid approaches depending on your use case.

Do you create an interface-list for your LAN and use that instead of, or in addition to, a firewall address-list? In general terms, how are you using these in your firewalls?
 
Steveocee (Forum Veteran)
Posts: 900
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: Interface-list VS firewall address-list best practices and approach?

Thu Dec 06, 2018 5:09 pm

I too do similar with my setup.
I use an interface list, for example "WANs" for my 2 WAN interfaces, which is good for firewall & NAT rules, and make use of address lists in multiple ways.
I think of it more as interface-lists for hardware interfaces and address-lists for IP-related matching. Sometimes both will suit and sometimes only one will match.

In general, lists require less processing power in that you then don't have to make multiple rules for different ranges/interfaces checking the same things.
Steve "Steveocee" Carter
PC Gamer, Airsofter, MikroTik Nerd
My Website - My MikroTik Tutorials
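The "one rule for two WAN interfaces" approach described above, written out as an added example (this is not configuration from the thread or from any poster). It uses RouterOS 6.4x syntax; the interface and VLAN names (ether1, ether2, bridge-lan, vlan10-users, vlan20-printers, vlan99-mgmt) are assumptions. The point to notice is that the input and forward chains never name a physical port: adding a third uplink to the WAN list changes nothing in the rules or the NAT.

```routeros
# Added example, not from the thread. Interface names are assumptions.

/interface list
add name=WAN comment="untrusted: every uplink"
add name=LAN comment="trusted: user-facing bridge and VLANs"
add name=MGMT comment="management only"

/interface list member
add list=WAN interface=ether1
add list=WAN interface=ether2
add list=LAN interface=bridge-lan
add list=LAN interface=vlan10-users
add list=LAN interface=vlan20-printers
add list=MGMT interface=vlan99-mgmt

/ip firewall filter
# input chain: protect the router itself
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp
add chain=input action=accept in-interface-list=MGMT comment="router services (WinBox, SSH, API) only from MGMT"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53 comment="DNS for LAN clients"
add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=53
add chain=input action=drop comment="both WANs and everything else end here"

# forward chain: traffic through the router
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN
add chain=forward action=accept in-interface-list=MGMT
add chain=forward action=drop in-interface-list=WAN connection-state=new connection-nat-state=!dstnat comment="only port-forwarded connections may enter from either WAN"
add chain=forward action=drop

/ip firewall nat
# one masquerade rule covers ether1 and ether2
add chain=srcnat action=masquerade out-interface-list=WAN
```

Rule order is first match wins, so the MGMT accept has to sit above the final input drop; apply changes from Safe Mode so a mistake in the input chain does not lock you out. To confirm that lists resolve to the interfaces you expect and that rules are actually matching, check `/interface list member print` and `/ip firewall filter print stats`.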
 
CZFan (Forum Guru)
Posts: 1040
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa

Re: Interface-list VS firewall address-list best practices and approach?

Thu Dec 06, 2018 6:32 pm

I use a mixture of both.

As you mentioned, an Interface List is like a "Zone": "trusted", "untrusted", etc., but sometimes I need to be more granular, and then I use Address Lists, etc.
MTCNA, MTCTCE, MTCRE & MTCINE
 
RackKing (Member Candidate, Topic Author)
Posts: 212
Joined: Wed Oct 09, 2013 1:59 pm

Re: Interface-list VS firewall address-list best practices and approach?

Thu Dec 06, 2018 6:34 pm

Steveocee wrote:
I too do similar with my setup.
I use an interface list, for example "WANs" for my 2 WAN interfaces, which is good for firewall & NAT rules, and make use of address lists in multiple ways.
I think of it more as interface-lists for hardware interfaces and address-lists for IP-related matching. Sometimes both will suit and sometimes only one will match.

In general, lists require less processing power in that you then don't have to make multiple rules for different ranges/interfaces checking the same things.

Thanks for your reply, Steveocee!
 
RackKing (Member Candidate, Topic Author)
Posts: 212
Joined: Wed Oct 09, 2013 1:59 pm

Re: Interface-list VS firewall address-list best practices and approach?

Thu Dec 06, 2018 6:38 pm

CZFan wrote:
I use a mixture of both.

As you mentioned, an Interface List is like a "Zone": "trusted", "untrusted", etc., but sometimes I need to be more granular, and then I use Address Lists, etc.

Thanks CZFan - the granular part makes good sense. Never thought of it like that. I am still getting my head wrapped around the Zone concept. Trusted and untrusted seem like they could be foggy definitions. I assume trusted means allowed to communicate? I was thinking about using a trusted-out list to simplify the firewall rule for allowing a bunch of VLANs out in one rule, but I don't think that is the way trusted is meant in the typical definition.

Thanks again.
 
mkx (Forum Guru)
Posts: 1019
Joined: Thu Mar 03, 2016 10:23 pm

Re: Interface-list VS firewall address-list best practices and approach?

Thu Dec 06, 2018 7:29 pm

You can't compare similarly named interface lists on different routers, as the real meaning is entirely dependent on the firewall rules. So you can name lists in the way which is most meaningful to you. The default config knows about LAN and WAN lists, so I would expect most users to stick to this scheme.
BR,
Metod
 
CZFan (Forum Guru)
Posts: 1040
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa

Re: Interface-list VS firewall address-list best practices and approach?

Thu Dec 06, 2018 11:49 pm

Some examples, but you must use what makes sense to you, i.e.
Trusted Zone = LAN Zone
Untrusted Zone = WAN / Internet Zone
Semi Trusted Zone = DMZ Zone
etc
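The zone idea above (trusted / untrusted / semi-trusted) combined with address lists for the "more granular" cases, as an added example that is not configuration from the thread or from any poster. RouterOS 6.4x syntax; the interface names, subnets and host addresses (vlan10-users, vlan99-mgmt, vlan30-dmz, 10.99.0.10, 10.30.0.20 and so on) are assumptions. The rule that accepts SSH into the DMZ matches on both the interface list and the address list on purpose: `src-address-list` alone trusts whatever source address a packet carries, while `in-interface-list=TRUSTED` also requires it to have arrived on a trusted interface, so a DMZ host spoofing an admin address still gets dropped.

```routeros
# Added example, not from the thread. Names, subnets and hosts are assumptions.

/interface list
add name=TRUSTED comment="user and management VLANs"
add name=UNTRUSTED comment="internet uplink"
add name=DMZ comment="semi-trusted: publicly reachable servers"

/interface list member
add list=TRUSTED interface=vlan10-users
add list=TRUSTED interface=vlan99-mgmt
add list=UNTRUSTED interface=ether1
add list=DMZ interface=vlan30-dmz

/ip firewall address-list
add list=ADMIN_HOSTS address=10.99.0.10 comment="jump host in the management VLAN"
add list=ADMIN_HOSTS address=10.99.0.11
add list=DMZ_WEB address=10.30.0.20 comment="public web server"

/ip firewall filter
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid

# zone matrix: coarse policy expressed purely with interface lists
add chain=forward action=accept in-interface-list=TRUSTED out-interface-list=UNTRUSTED
add chain=forward action=accept in-interface-list=DMZ out-interface-list=UNTRUSTED comment="DMZ may reach the internet"

# within a zone pair, address lists narrow the policy to specific hosts and ports
add chain=forward action=accept in-interface-list=TRUSTED out-interface-list=DMZ \
    protocol=tcp dst-address-list=DMZ_WEB dst-port=80,443
add chain=forward action=accept in-interface-list=TRUSTED src-address-list=ADMIN_HOSTS \
    out-interface-list=DMZ protocol=tcp dst-port=22 comment="SSH into the DMZ only from the admin hosts"
add chain=forward action=accept in-interface-list=UNTRUSTED out-interface-list=DMZ \
    connection-nat-state=dstnat dst-address-list=DMZ_WEB protocol=tcp dst-port=80,443

# the semi-trusted zone never initiates toward the trusted one; log attempts
add chain=forward action=drop in-interface-list=DMZ out-interface-list=TRUSTED \
    log=yes log-prefix="DMZ->TRUSTED "
add chain=forward action=drop
```

Because the zone rules carry no addresses, moving a server between VLANs or renumbering a subnet only touches `/interface list member` or `/ip firewall address-list`, not the filter itself. The logged drop on the DMZ-to-TRUSTED pair is the one worth watching: a compromised DMZ host probing inward shows up there first.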
 
anav (Forum Guru)
Posts: 1128
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Interface-list VS firewall address-list best practices and approach?

Fri Dec 07, 2018 12:18 am

It's worthwhile stating that one can make up numerous Interface Lists (subset1, newlist23, etc.) but the options for each list are fixed at interfaces.
Valid entries are: WAN entries, LAN entries, dynamic entries, or no entries.
They are applied as an Inclusion entry or an Exclusion entry.

So there is indeed some flexibility to create interface lists as arguments in rules where it's deemed to be efficient.
Some really cool examples would be great and I know I've read some in the past but obviously none at the tip of my tongue...

I can think of possibly using interface lists to control which interfaces are source-natted to specific WAN IPs, and thus possibly routing as well??
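The inclusion/exclusion entries and the per-WAN source NAT idea mentioned above, as an added example that is not configuration from the thread or from any poster. It uses the `include=` and `exclude=` parameters of `/interface list` (RouterOS 6.41 and later), which build a list from other lists, including the built-in `all` and `dynamic` lists, rather than from individual interfaces, and the RouterOS 6 `routing-mark` form of policy routing (RouterOS 7 moved this to routing tables). The interface names, public addresses and subnets are assumptions.

```routeros
# Added example, not from the thread. Interface names, addresses and subnets are assumptions.

/interface list
add name=WAN1
add name=WAN2
add name=STAFF
add name=GUEST
# derived lists: membership comes from other lists, so adding an interface to
# WAN2 or GUEST later automatically updates every rule that uses WAN or INSIDE
add name=WAN include=WAN1,WAN2
add name=INSIDE include=STAFF,GUEST
add name=NOT_GUEST include=all exclude=GUEST,WAN comment="everything that is neither guest nor uplink"

/interface list member
add list=WAN1 interface=ether1
add list=WAN2 interface=ether2
add list=STAFF interface=vlan10-staff
add list=GUEST interface=vlan50-guest

/ip firewall address-list
add list=LOCAL_NETS address=10.10.0.0/24 comment="staff"
add list=LOCAL_NETS address=10.50.0.0/24 comment="guest"

/ip firewall nat
# each uplink gets a fixed public source address instead of masquerade
add chain=srcnat out-interface-list=WAN1 action=src-nat to-addresses=203.0.113.10
add chain=srcnat out-interface-list=WAN2 action=src-nat to-addresses=198.51.100.10

/ip firewall mangle
# steer guest traffic out of WAN2; the address-list exclusion keeps traffic
# between internal subnets on the main table instead of pushing it to an uplink
add chain=prerouting in-interface-list=GUEST dst-address-list=!LOCAL_NETS \
    action=mark-routing new-routing-mark=via_wan2 passthrough=no

/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1 distance=1 comment="default: WAN1"
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=via_wan2 comment="guest: WAN2"
```

The routing mark selects the uplink, and the `out-interface-list` match on the srcnat rules then selects the matching public address, so the two stay consistent without repeating interface names in both places. A list that includes another list cannot also be included by it, so keep the derived lists in one direction (base lists at the bottom, composites on top); `/interface list member print` shows the effective membership, including entries that only exist because of `include=`.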
 
Steveocee (Forum Veteran)
Posts: 900
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: Interface-list VS firewall address-list best practices and approach?

Fri Dec 07, 2018 10:29 am

anav wrote:
It's worthwhile stating that one can make up numerous Interface Lists (subset1, newlist23, etc.) but the options for each list are fixed at interfaces.
Valid entries are: WAN entries, LAN entries, dynamic entries, or no entries.
They are applied as an Inclusion entry or an Exclusion entry.

So there is indeed some flexibility to create interface lists as arguments in rules where it's deemed to be efficient.
Some really cool examples would be great and I know I've read some in the past but obviously none at the tip of my tongue...

I can think of possibly using interface lists to control which interfaces are source-natted to specific WAN IPs, and thus possibly routing as well??

That is not my experience. Interface lists can be applied as, how and where you want. What context are you using this in?
