roadracer96
Forum Veteran
Topic Author
Posts: 733
Joined: Tue Aug 25, 2009 12:01 am

Suggestion: Address lists in proxy

Thu Mar 18, 2010 10:13 pm

I set up and manage a large # of routers and use address lists A LOT to simplify management. The one place I can't use address lists is in the web proxy. Would be hella nice to have it in there.
 
gcakici
Frequent Visitor
Posts: 60
Joined: Thu Feb 23, 2006 11:44 am

Re: Suggestion: Address lists in proxy

Thu Mar 18, 2010 10:33 pm

Also we should have the option to use FQDNs in address lists. It'll be a lot easier for us to manage white and black lists.
 
roadracer96
Forum Veteran
Topic Author
Posts: 733
Joined: Tue Aug 25, 2009 12:01 am

Re: Suggestion: Address lists in proxy

Thu Mar 18, 2010 10:36 pm

You can do that already. Have a scheduled task that resolves names to IPs. I can understand why it can't be done on the fly. Every single packet that traversed the firewall would have 1 hit to the DNS server associated with it. Not feasible.
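One way to build the scheduled task described in the post above, as an added example that is not part of the original thread. The list name, hostnames, comment tag and interval are placeholders, and the `on-error` handler assumes RouterOS v6 or later.

```routeros
# Added example: refresh an address list from a fixed set of hostnames.
# "fqdn-whitelist" and the example.* names are placeholders.
/system script add name=resolve-fqdn-list source={
    :local listName "fqdn-whitelist"
    :local hosts {"www.example.com";"updates.example.net"}

    :foreach h in=$hosts do={
        :local tag ("fqdn:" . $h)
        :do {
            # :resolve returns a single address per lookup
            :local ip [:resolve $h]

            # Remove entries for this host that no longer match the answer
            /ip firewall address-list remove [find list=$listName comment=$tag address!=$ip]

            # Add the current address only if it is not already present
            :if ([:len [/ip firewall address-list find list=$listName comment=$tag address=$ip]] = 0) do={
                /ip firewall address-list add list=$listName address=$ip comment=$tag
            }
        } on-error={
            # On a failed lookup keep the previous entry so the list never
            # empties because of a DNS outage, and leave a trace in the log
            :log warning ("resolve-fqdn-list: cannot resolve " . $h)
        }
    }
}

# Run the script periodically; firewall rules keep matching on the list name
/system scheduler add name=resolve-fqdn-list interval=15m on-event=resolve-fqdn-list
```

Because each run stores only the one address returned by the lookup, names served from several addresses or rotating CDN pools are covered only partially, and the list is only as trustworthy as the resolver the router queries.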
 
dssmiktik
Forum Veteran
Posts: 732
Joined: Fri Aug 17, 2007 8:42 am

Re: Suggestion: Address lists in proxy

Fri Mar 19, 2010 4:02 am

You could create proxy rules via address-lists using local-port in proxy. This will give the effect of using separate proxy rules per address-list.

First, create filter -> nat rules:
[code]
# Redirect each address list to its own proxy port
/ip firewall nat add chain=dstnat src-address-list=AddressList1 action=redirect to-ports=6001
/ip firewall nat add chain=dstnat src-address-list=AddressList2 action=redirect to-ports=6002
/ip firewall nat add chain=dstnat src-address-list=AddressList3 action=redirect to-ports=6003
[/code]

Next, create proxy rules:
[code]
# The proxy listens on one port per address list
/ip proxy set port="6000,6001,6002,6003"

# Access rules are matched top to bottom; "add" creates each rule
/ip proxy access add local-port=6000 action=allow

/ip proxy access add local-port=6001 path="<path1>" action=allow
/ip proxy access add local-port=6001 path="<path2>" action=allow
/ip proxy access add local-port=6001 action=deny

/ip proxy access add local-port=6002 path="<path1>" action=deny
/ip proxy access add local-port=6002 path="<path2>" action=allow
/ip proxy access add local-port=6002 path="" action=deny redirect-to="<redirect path>"

/ip proxy access add local-port=6003 path="<path1>" action=deny
/ip proxy access add local-port=6003 path="<path2>" action=deny
/ip proxy access add local-port=6003 action=deny redirect-to="<redirect path>"
[/code]
 
roadracer96
Forum Veteran
Topic Author
Posts: 733
Joined: Tue Aug 25, 2009 12:01 am

Re: Suggestion: Address lists in proxy

Fri Mar 19, 2010 1:19 pm

That's neat, didn't know you could do it that way, but that isn't what I was talking about. I don't use transparent proxy for a lot of the networks. Some networks in the same range would have different clients with different access requirements. Some protocols are non-proxiable, so there are filter rules for them, acting on address lists; others are proxy rules using hostnames. When I add filter rules to 100ish routers, I add them in batch using address lists; even though the IP addresses might be different site to site, they are already configured. Right now, for proxy rules, I have to add unique rules site to site.
 
dssmiktik
Forum Veteran
Posts: 732
Joined: Fri Aug 17, 2007 8:42 am

Re: Suggestion: Address lists in proxy

Sat Mar 20, 2010 4:41 am

roadracer96,

I think I understand. So this was a request for a specific feature to be directly implemented rather than using the suggested workarounds (as you might already be using them)?

Your best bet would probably be to email support [at] mikrotik [dot] com and add a request entry to http://wiki.mikrotik.com/wiki/MikroTik_ ... e_Requests (if it's not already there).
