ComputerGuy
just joined
Topic Author
Posts: 10
Joined: Tue Jul 30, 2019 1:50 am

port forwarding Source DDNS

Tue Jul 30, 2019 2:08 am

I want to use a DDNS address instead of an IP address for the port forward source address in firewall NAT.
When I use a DDNS address it converts it to an IP, but it never updates it to the current IP address.
 
anav
Forum Guru
Posts: 3116
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: port forwarding Source DDNS

Tue Jul 30, 2019 7:40 pm

I think it's very possible if you use the MikroTik cloud version, not sure how to accomplish via dyndns org or similar???
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
ComputerGuy
just joined
Topic Author
Posts: 10
Joined: Tue Jul 30, 2019 1:50 am

Re: port forwarding Source DDNS

Tue Jul 30, 2019 8:15 pm

I'm talking about using it in the port forwarding, where you can restrict source IP addresses that can connect. Instead of using an IP address, I want to use an FQDN.
 
anav
Forum Guru
Posts: 3116
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: port forwarding Source DDNS

Tue Jul 30, 2019 11:11 pm

Hmm, I restrict by IP address, not sure about FQDN?
I believe exact hostnames are allowed in address lists.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
ComputerGuy
just joined
Topic Author
Posts: 10
Joined: Tue Jul 30, 2019 1:50 am

Re: port forwarding Source DDNS

Tue Jul 30, 2019 11:30 pm

When I use an FQDN in address lists, when I click OK it resolves it to an IP address, but it never updates it.
 
Sob
Forum Guru
Posts: 4806
Joined: Mon Apr 20, 2009 9:11 pm

Re: port forwarding Source DDNS

Wed Jul 31, 2019 12:00 am

This works:
/ip firewall address-list
add address=www.example.net list=allowed_ip
... unless you have very old RouterOS.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
ComputerGuy
just joined
Topic Author
Posts: 10
Joined: Tue Jul 30, 2019 1:50 am

Re: port forwarding Source DDNS

Wed Jul 31, 2019 12:10 am

Everything is up to date. How do I do that in WinBox? Do I have to run commands? Can you give me a step-by-step?
 
Sob
Forum Guru
Posts: 4806
Joined: Mon Apr 20, 2009 9:11 pm

Re: port forwarding Source DDNS

Wed Jul 31, 2019 12:40 am

The same works in WinBox too. Go to Address List tab, add new item, put name of list in "Name" field, FQDN in "Address", click OK and that's it.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
ComputerGuy
just joined
Topic Author
Posts: 10
Joined: Tue Jul 30, 2019 1:50 am

Re: port forwarding Source DDNS

Wed Jul 31, 2019 12:53 am

When I do that and I click OK and then click edit, it displays the IP address of the FQDN. The question is, if the FQDN IP address changes, will the IP address update? Because when I did it on the NAT page (Source IP address, FQDN) it never updated the IP.
 
Sob
Forum Guru
Posts: 4806
Joined: Mon Apr 20, 2009 9:11 pm

Re: port forwarding Source DDNS

Wed Jul 31, 2019 2:00 am

Are you sure you're trying to use address list?
address-list-fqdn.png
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
ComputerGuy
just joined
Topic Author
Posts: 10
Joined: Tue Jul 30, 2019 1:50 am

Re: port forwarding Source DDNS

Wed Jul 31, 2019 2:47 am

I'm talking about this menu, exactly the second picture with the arrow. Will the IP address under the FQDN update from time to time when the IP address changes? Because when you do it from the NAT menu, Source address, and you use an FQDN over there, it fills in the IP address automatically but it never updates when the FQDN changes IP.
 
Sob
Forum Guru
Posts: 4806
Joined: Mon Apr 20, 2009 9:11 pm

Re: port forwarding Source DDNS  [SOLVED]

Wed Jul 31, 2019 3:28 am

But that's the thing, you can't use FQDNs with individual firewall rules, it doesn't work there. You need to create address list and then use that instead. So instead of using src-address=<FQDN>, you make a list and use src-address-list=<list name>.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
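
The layout described in the post above, written out as a RouterOS configuration. This is an added example, not part of the original posts: the list name and hostname are the ones used earlier in the thread, while the interface name, port and internal address are constructed placeholders.

```routeros
# Added example. ether1, port 8080 and 192.168.88.50 are constructed placeholders.
# The router itself needs working DNS (/ip dns) to resolve the hostname.

# 1. Put the remote party's DDNS hostname in an address list. RouterOS resolves
#    the name and keeps a dynamic entry with the current IP, refreshed according
#    to the record's TTL.
/ip firewall address-list
add list=allowed_ip address=www.example.net comment="remote party DDNS"

# 2. Port forward that matches only sources present in that list.
#    log=yes leaves a record of each new forwarded connection.
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=8080 \
    src-address-list=allowed_ip action=dst-nat \
    to-addresses=192.168.88.50 to-ports=8080 \
    log=yes log-prefix="fwd-allowed" comment="DDNS-restricted port forward"

# Not this form: per the thread, a name entered as the rule's own source
# address is converted to an IP once and never refreshed.
# add chain=dstnat ... src-address=<FQDN> ...

# 3. Check the list: the resolved IP shows up as a dynamic entry (flag D)
#    next to the static hostname entry.
/ip firewall address-list print where list=allowed_ip
```

Connections from addresses outside the list do not match the dst-nat rule, so they are never translated to the internal device.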
 
ComputerGuy
just joined
Topic Author
Posts: 10
Joined: Tue Jul 30, 2019 1:50 am

Re: port forwarding Source DDNS

Wed Jul 31, 2019 3:40 am

I just tested FQDN in address list and I changed the IP and it updated instantly. Thanks for all your help.
 
ComputerGuy
just joined
Topic Author
Posts: 10
Joined: Tue Jul 30, 2019 1:50 am

Re: port forwarding Source DDNS

Wed Jul 31, 2019 3:51 am

Since my ISP on the source IP location has a long lease time and turning off the modem doesn't give me a new IP, I couldn't test it to see if it will update the IP. But I found an app with which I can manually update the IP in my DDNS account, and the second I did it the address list updated the IP of the FQDN. I needed to make sure that this works because accounting uses it every week to make payroll.
 
anav
Forum Guru
Posts: 3116
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: port forwarding Source DDNS

Wed Jul 31, 2019 4:08 am

Nice feature if the source address changes (not static)!
Best to have outside sources vpn in but not always possible.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
ComputerGuy
just joined
Topic Author
Posts: 10
Joined: Tue Jul 30, 2019 1:50 am

Re: port forwarding Source DDNS

Wed Jul 31, 2019 4:21 am

They are an outside bookkeeping firm only needing access to one employee fingerprint machine, and they have their own IT, so I don't have access to the client machine to set up a VPN. They just punch in our static public IP with the device port in the fingerprint server software, so I just restrict the port forwarding to their DDNS since they are on a dynamic IP.
 
Sob
Forum Guru
Posts: 4806
Joined: Mon Apr 20, 2009 9:11 pm

Re: port forwarding Source DDNS

Wed Jul 31, 2019 5:46 am

Two things:

How fast it updates depends on record's TTL. DDNS probably uses something short. You can check it e.g. here: https://mxtoolbox.com/DNSLookup.aspx

It's up to you to decide how sensitive stuff we're talking about, but employee fingerprint machine sounds like something that would deserve better security, VPN would be much better choice. This source address based solution protects against random people on internet, but not against more serious attacker (e.g. someone who could get in your ISP's network), and does not prevent anyone on the way between you and the other party from seeing all data flowing between you.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
ComputerGuy
just joined
Topic Author
Posts: 10
Joined: Tue Jul 30, 2019 1:50 am

Re: port forwarding Source DDNS

Wed Jul 31, 2019 6:06 am

It's nothing that serious, just a bunch of punch in and out logs, but I'm looking into VPN.
 
anav
Forum Guru
Posts: 3116
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: port forwarding Source DDNS

Wed Jul 31, 2019 6:01 pm

"it's nothing that serious just a bunch of punch in and out logs but I'm looking into VPN"
That depends......
If the information is valuable in and of itself it should be protected. If fingerprints are involved and they were mine I would be really keen on better security.
If the logging information was valuable, ditto (in other words, I don't get paid because the logs were hacked and don't exist; I would be really keen on better security).
If the devices themselves and the information were hacked and destroyed, how long would this affect company business...... What would the real costs be??

I think you start to see the drift of the discussion, what one perceives and what actual value there is when considering actual outcomes of hacking may seriously differ......

Be it for $$ value hacking or malicious destructive hacking (for any business) VPN is the right path.
I personally recommend IKEv2 as recently and so eloquently described in a practical presentation.
https://mum.mikrotik.com/presentations/ ... 543676.pdf
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
