 
incipience
just joined
Topic Author
Posts: 6
Joined: Mon Aug 31, 2015 9:15 pm

API and IP Access

Thu Apr 29, 2021 12:37 pm

I am an out-of-box thinker, and what I am asking may not follow the norm, so bear with me, please.

Scenario (working)

Client A has a server behind a NAT router on a Dynamic DNS. We create an SSTP VPN from the client's router to our CCR, and with a little bit of routing magic we use one of our fixed IPs on the CCR end and assign that to the client's server, and everything works as expected: you can access the server via our FIXED IP.

The scenario now changes.

Client A now wants to limit access to the server, preferably IP-based, but the IP addresses connecting to the server will be dynamic. As the visitor to the webserver will be coming to our fixed IP for access, we can add the dynamic IP address manually each time and allow access. But we want to put that burden onto Client A. The thought process is to have a secure webpage, on a hosted web server, that can send API commands to our CHR. When Client A logs in, they will be met with a page that says "Your IP address is xx.xx.xx.xx, would you like to give this access to the Client A server, or would you like to manually set one?" This should be time-limited so the client can choose how long to give access for.

My question is: can this be done over the API directly? If so, can you point me in the direction of best practice?
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: API and IP Access

Thu Apr 29, 2021 2:06 pm

Solution 1) Resolve the DDNS host and put the new IP directly on the RouterBOARD rule (all by scheduler).
:global resolvedip [:resolve forum.mikrotik.com]
/ip firewall nat
set [find where action=dst-nat and chain=dstnat and dst-port="443" and protocol="tcp" and to-addresses=192.168.0.1 to-ports="443"] dst-address=$resolvedip
DO NOT REMOVE " on both 443 and tcp


Solution 2) Put the DDNS host name on the firewall access-list, and in the rule use the access-list name.
The access list maintains and updates the host entry on DNS expiration, read from the DDNS A record. (If too much: /ip dns set cache-max-ttl=1h)
/ip firewall address-list
add address=forum.mikrotik.com list=resolvedip
/ip firewall nat
add action=dst-nat chain=dstnat dst-address-list=resolvedip dst-port=443 protocol=tcp to-addresses=192.168.0.1 to-ports=443
 
incipience
just joined
Topic Author
Posts: 6
Joined: Mon Aug 31, 2015 9:15 pm

Re: API and IP Access

Thu Apr 29, 2021 9:55 pm

This is a good start for me.

I could pass the "resolvedip" variable from a PHP form without the need for setting up DDNS. I will look to see if I can create a script to clear the address list after a set time.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: API and IP Access  [SOLVED]

Thu Apr 29, 2021 10:34 pm

how to pass or read variables, just an example, but if you use php.... ;)

1) from mikrotik to server:
:global variablename "test"
:global variablevalue ":)"

/tool fetch http-method=get keep-result=no url=("https://api.mysite.rex/rex.php?action=send&".$variablename."=".$variablevalue)


2) from server to mikrotik
:global variablename "readthis"
:global varvalue ([/tool fetch url=("https://api.mysite.rex/rex.php?action=receive&varname=".$variablename) output=user as-value]->"data")
:put ($variablename." = ".$varvalue)
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: API and IP Access

Thu Apr 29, 2021 10:46 pm

Create a temporary entry on the address list, for example after 1h:
/ip firewall address-list add address=1.0.1.0 list=nameoflist timeout=1h
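
The portal request from the first post, as an added example that is not code from any poster or from MikroTik: it validates the visitor's address and the requested duration before anything reaches the router, then encodes the RouterOS API sentence that adds the timed address-list entry. Written in Python rather than the PHP mentioned above; the list name and sample address come from the thread, while the 5 minute to 12 hour window, the comment tag and the HH:MM:SS timeout form are assumptions, and the API login and socket handling are left to the caller.

```python
import ipaddress

LIST_NAME = "nameoflist"            # list name used in the thread's examples
MIN_MINUTES, MAX_MINUTES = 5, 720   # assumed policy: 5 minutes to 12 hours

def encode_length(n: int) -> bytes:
    """RouterOS API word length prefix: 1 to 4 bytes depending on size."""
    if n < 0x80:
        return n.to_bytes(1, "big")
    if n < 0x4000:
        return (n | 0x8000).to_bytes(2, "big")
    if n < 0x200000:
        return (n | 0xC00000).to_bytes(3, "big")
    if n < 0x10000000:
        return (n | 0xE0000000).to_bytes(4, "big")
    raise ValueError("word too long")

def encode_sentence(words) -> bytes:
    """Length-prefix each word; a zero-length word ends the sentence."""
    out = b""
    for word in words:
        raw = word.encode("utf-8")
        out += encode_length(len(raw)) + raw
    return out + b"\x00"

def validated_address(text: str) -> str:
    """Accept exactly one public IPv4 host: no ranges, names or script text."""
    ip = ipaddress.IPv4Address(text.strip())   # ValueError on anything else
    if not ip.is_global:
        raise ValueError(f"{ip} is not a public address")
    return str(ip)

def timeout_value(minutes: int) -> str:
    """Reject out-of-policy durations; emit the timeout as HH:MM:SS."""
    if not MIN_MINUTES <= minutes <= MAX_MINUTES:
        raise ValueError("duration outside the allowed window")
    return f"{minutes // 60:02d}:{minutes % 60:02d}:00"

def build_allow_sentence(client_ip: str, minutes: int, who: str) -> bytes:
    """API sentence equivalent to the address-list add command above."""
    # Tag the entry with the portal user (alphanumerics only) for later audit.
    comment = "portal:" + "".join(c for c in who if c.isalnum())[:32]
    return encode_sentence([
        "/ip/firewall/address-list/add",
        "=list=" + LIST_NAME,
        "=address=" + validated_address(client_ip),
        "=timeout=" + timeout_value(minutes),
        "=comment=" + comment,
    ])
```

The address passed in should be the one the web server saw on the connection or the one the logged-in user typed, never a value that skipped `validated_address`.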
