alexvdbaan
Trainer
Topic Author
Posts: 40
Joined: Sun Feb 22, 2015 12:12 pm
Location: Amsterdam, Netherlands

Centrally manage address list for multiple devices

Thu Apr 02, 2015 12:37 am

Good evening everyone,

I work for an IT company in Amsterdam; we manage over 200 MikroTik firewalls at our clients' premises. I am currently busy with an ISP/IP address migration for roughly most of our clients. During the migration we are also looking at the device health (primarily RB450(G)'s), filter rules etc.

Since our own HQ IP address is also changing we have to add an extra IP address to all of the input rules for Winbox. We use this to manage our clients' devices over the internet. Since we are going through all of these devices, now would be the time to not simply add an additional IP to the address list but make it smarter. Is there a way we can configure a specific address list to look externally for a list of IP addresses? Perhaps a txt file on our web server or something in a DNS entry? This would make my job a lot easier should we ever need to change our IP addresses.

Hope one of the members here has a view on a possible solution?

Thanks,

Alex
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Centrally manage address list for multiple devices

Thu Apr 02, 2015 6:45 am

If you put the list on a well-known password-protected ssl-protected URL and use fetch to pull that to flash, then use the contents to generate the address list.

Another idea would be, instead of making these hundreds of devices sync a list with scripts and such, to configure them all to make a VPN connection to a host by name in DNS, and then put the VPN on a mgmt vrf and put a vrf default GW through the tunnel. Block all management access on the wan interface, but allow it all through the VPN.
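The first suggestion above (fetch a list over HTTPS, then generate the address list from it) as a RouterOS script. This is an added example, not code from the thread; it assumes a hypothetical URL https://mgmt.example.net/hq-allow.txt serving one IPv4 address or prefix per line behind HTTP basic auth and a valid certificate, and the list name "hq-mgmt". Schedule it from /system scheduler.

```routeros
# Added example, not from the thread. Assumptions: URL, credentials and list name
# below are placeholders; the file holds one IPv4 address or prefix per line,
# '#' lines are comments. RouterOS 6.x scripting syntax.
:local listName "hq-mgmt"
:local url "https://mgmt.example.net/hq-allow.txt"
:local dstFile "hq-allow.txt"

# Pull the list over HTTPS. check-certificate=yes makes fetch fail closed on a
# bad certificate, so a spoofed server cannot feed us an address list.
/file remove [find name=$dstFile]
/tool fetch url=$url mode=https check-certificate=yes user="fetch-ro" password="CHANGE-ME" dst-path=$dstFile
:delay 2s
:if ([:len [/file find name=$dstFile]] = 0) do={
  :log error "hq-allow: download failed, keeping the existing address list"
  :error "fetch failed"
}

# Walk the file line by line (file 'contents' is limited to a few KB in older
# versions, which is plenty for a management allow list).
:local content [/file get [find name=$dstFile] contents]
:local wanted ""
:local pos 0
:while ($pos < [:len $content]) do={
  :local nl [:find $content "\n" $pos]
  :if ([:typeof $nl] = "nil") do={ :set nl [:len $content] }
  :local line [:pick $content $pos $nl]
  :set pos ($nl + 1)
  :if ([:len $line] > 0) do={
    # Strip a trailing CR from Windows line endings.
    :if ([:pick $line ([:len $line] - 1)] = "\r") do={ :set line [:pick $line 0 ([:len $line] - 1)] }
  }
  :if ([:len $line] > 0 && [:pick $line 0 1] != "#") do={
    # Only accept lines whose address part parses as an IP before touching the firewall.
    :local host $line
    :local slash [:find $line "/"]
    :if ([:typeof $slash] != "nil") do={ :set host [:pick $line 0 $slash] }
    :if ([:typeof [:toip $host]] = "ip") do={
      :set wanted ($wanted . $line . "\n")
      :if ([:len [/ip firewall address-list find list=$listName address=$line]] = 0) do={
        /ip firewall address-list add list=$listName address=$line comment="managed from $url"
      }
    } else={ :log warning "hq-allow: ignoring invalid entry '$line'" }
  }
}

# Drop entries that disappeared from the central file (list hosts without /32
# in the file so stored and downloaded addresses compare equal).
:foreach e in=[/ip firewall address-list find list=$listName] do={
  :local a [/ip firewall address-list get $e address]
  :if ([:typeof [:find $wanted ($a . "\n")]] = "nil") do={ /ip firewall address-list remove $e }
}
```

The Winbox input rule then matches src-address-list=hq-mgmt instead of a hard-coded address, and the script aborts before modifying anything if the download or certificate check fails.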
 
jarda
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Thu Apr 02, 2015 9:04 am

You can also implement port knocking in case the automation fails for any reason.
 
alexvdbaan
Trainer
Topic Author
Posts: 40
Joined: Sun Feb 22, 2015 12:12 pm
Location: Amsterdam, Netherlands

Re: Centrally manage address list for multiple devices

Thu Apr 02, 2015 4:39 pm

If you put the list on a well-known password-protected ssl-protected URL and use fetch to pull that to flash, then use the contents to generate the address list.
ZeroByte, thanks. I will give this a try.
 
alexvdbaan
Trainer
Topic Author
Posts: 40
Joined: Sun Feb 22, 2015 12:12 pm
Location: Amsterdam, Netherlands

Re:

Thu Apr 02, 2015 4:40 pm

You can also implement port knocking in case the automation fails for any reason.
Thanks jarda, this can be a very interesting fall-back. Do you have experience with this technique?
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Centrally manage address list for multiple devices

Thu Apr 02, 2015 4:56 pm

If you make a rule which looks for an unusual packet with very specific qualities (new tcp w/ SYN and RST set, specific port number src / dst, specific size, etc.), something you never see in the wild, then add the src IP to an address list with a 60 second timeout.

The protected service(s) have a firewall rule which blocks sources not in the src-list.

You could even make 2 or 3 different knocks required - first knock puts src in a phase 1 list with a 2 second timeout, phase 2 knock requires src to be in phase 1 list, etc...

You could even put time of day rules, or make the successful knock open the service 2 hours later for 5 minutes ("allow" list 2hr 5min timeout, wait list 2hr timeout, allow port for src in allow list AND !block list).
 
jarda
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Centrally manage address list for multiple devices

Thu Apr 02, 2015 5:09 pm

Exactly as zerobyte wrote. You can prepare whatever very complex port knocking procedure. But it can be much simpler. You could just call port 34567 and within 20 seconds the port 65432, and it could add your IP to a whitelist that allows whatever you need.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Centrally manage address list for multiple devices

Thu Apr 02, 2015 5:11 pm

It's like a combination lock. :)