DarkNate
Forum Veteran
Topic Author
Posts: 997
Joined: Fri Jun 26, 2020 4:37 pm

Fetching interface IP addresses for use on firewall address list

Tue Nov 15, 2022 11:50 am

I have a unique use case whereby I have a firewall list called “interface” and in this list, all the IP addresses found in IP>Address or IPv6 are put into the list in the respective firewalls.

How do I dynamically do this with scripting? Fetch IP>Address, compare with existing list on firewall, then remove what's not in the IP>address but is in the firewall list and then add whatever is missing.

By removing only the old ones, it helps keep the flash disk healthy since it won't perform redundant writes.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Fetching interface IP addresses for use on firewall address list

Wed Nov 16, 2022 12:51 pm

You can add it as dynamic, and the NAND/flash is not used, the IPs are not kept on reboot, not backed up or exported, and the max timeout before the item is auto-deleted is 35 weeks.

For IPv4; in the example, pppoe clients and ether3 are excluded on purpose
/ip firewall address-list
# mark every existing entry; whatever is still marked at the end gets removed
set [find where list="interface_IPs"] comment="*** DELETE-ME ****"
:foreach item in=[/ip address find where (!(interface~"pppoe|ether3"))] do={
    :local ifip [/ip address get $item address]
    # strip the /prefix so only the host address is compared
    :set   ifip [:pick $ifip 0 [:find $ifip "/" -1]]
    :if ([:typeof [:toip $ifip]] = "ip") do={
        # not in the list yet (neither as host nor inside a subnet entry): add it as dynamic
        :if ([:len [find where list="interface_IPs" and (($ifip in address) or (address=$ifip))]] = 0) do={
            add list="interface_IPs" address=$ifip timeout=35w
        } else={
            # already present: clear the mark so it survives the sweep below
            set [find where list="interface_IPs" and (($ifip in address) or (address=$ifip))] comment=""
        }
    }
}
# entries still marked were not found on any interface
remove [find where list="interface_IPs" and comment="*** DELETE-ME ****"]

For IPv6; in the example, pppoe clients and ether3 are excluded on purpose
/ipv6 firewall address-list
# mark every existing entry; whatever is still marked at the end gets removed
set [find where list="interface_IPs"] comment="*** DELETE-ME ****"
:foreach item in=[/ipv6 address find where (!(interface~"pppoe|ether3"))] do={
    :local ifip [/ipv6 address get $item address]
    # strip the /prefix so only the host address is compared
    :set   ifip [:pick $ifip 0 [:find $ifip "/" -1]]
    :if ([:typeof [:toip6 $ifip]] = "ip6") do={
        # not in the list yet (neither as host nor inside a subnet entry): add it as dynamic
        :if ([:len [find where list="interface_IPs" and (($ifip in address) or (address=$ifip))]] = 0) do={
            add list="interface_IPs" address=$ifip timeout=35w
        } else={
            # already present: clear the mark so it survives the sweep below
            set [find where list="interface_IPs" and (($ifip in address) or (address=$ifip))] comment=""
        }
    }
}
# entries still marked were not found on any interface
remove [find where list="interface_IPs" and comment="*** DELETE-ME ****"]

For ppp clients it is better to use the address-list on the ppp profile,
because the entry on the specified address-list is added dynamically (= no NAND or flash used and it is never backed up or exported)
when the user logs in and is removed automatically when the user logs off or the router reboots.
Last edited by rextended on Wed Nov 16, 2022 1:01 pm, edited 2 times in total.
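As an added illustration (not code from the thread or from RouterOS), the mark-and-sweep reconciliation the script above performs, modelled in plain Python with constructed sample data: strip the prefix, skip excluded interfaces, treat an address as present when an existing entry equals it or is a subnet containing it (the `$ifip in address` test), and only add or remove what actually changed. It goes beyond the script in handling IPv4 and IPv6 in one pass.

```python
"""Model of the address-list reconciliation used in the RouterOS script.
Constructed sample data; the real script reads /ip address via RouterOS."""
import ipaddress

# constructed sample: (interface, address/prefix) as /ip address would list them
SAMPLE_ADDRS = [
    ("ether1", "203.0.113.10/30"),
    ("bridge", "192.168.88.1/24"),
    ("ether3", "10.9.9.1/24"),          # excluded on purpose, as in the script
    ("pppoe-out1", "198.51.100.7/32"),  # excluded on purpose, as in the script
    ("bridge", "2001:db8::1/64"),
]
# constructed sample: what the interface_IPs list currently holds
SAMPLE_LIST = ["192.168.88.0/24", "203.0.113.10", "10.9.9.1", "192.0.2.5"]


def strip_prefix(addr: str) -> str:
    """'192.168.88.1/24' -> '192.168.88.1', like the :pick/:find in the script."""
    return addr.split("/", 1)[0]


def covered(ip: str, entry: str) -> bool:
    """True when entry equals ip or is a subnet containing it ($ifip in address).
    A version mismatch (v4 host vs v6 entry) is simply False."""
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return False


def reconcile(interface_addrs, list_entries, excluded=("pppoe", "ether3")):
    """Return (to_add, to_remove, to_keep) so only real changes are written."""
    wanted = []
    for iface, addr in interface_addrs:
        if any(x in iface for x in excluded):  # emulates interface~"pppoe|ether3"
            continue
        ip = strip_prefix(addr)
        try:
            ipaddress.ip_address(ip)            # emulates the :toip / :toip6 check
        except ValueError:
            continue
        wanted.append(ip)
    # sweep: an entry survives only if some interface address is covered by it
    keep = [e for e in list_entries if any(covered(ip, e) for ip in wanted)]
    remove = [e for e in list_entries if e not in keep]
    # add only addresses no existing (or just-added) entry already covers
    add = []
    for ip in wanted:
        if not any(covered(ip, e) for e in list(list_entries) + add):
            add.append(ip)
    return add, remove, sorted(keep)
```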
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Fetching interface IP addresses for use on firewall address list

Wed Nov 16, 2022 12:58 pm

Note that aside from how you could do that, there is also kind of a pre-existing list for that.
When you match on "destination address type" and select "local", your firewall rule will match traffic towards the local addresses of the router.
(dst-address-type=local in the command line interface)
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Fetching interface IP addresses for use on firewall address list  [SOLVED]

Wed Nov 16, 2022 1:08 pm

The check can be done at various points:
/ip firewall raw
add action=add-dst-to-address-list address-list=interface_IPs address-list-timeout=none-dynamic chain=prerouting dst-address-type=local
add action=add-src-to-address-list address-list=interface_IPs address-list-timeout=none-dynamic chain=output src-address-type=local

/ip firewall filter
add action=add-dst-to-address-list address-list=interface_IPs address-list-timeout=none-dynamic chain=input dst-address-type=local
add action=add-src-to-address-list address-list=interface_IPs address-list-timeout=none-dynamic chain=output src-address-type=local

/ip firewall nat
add action=add-dst-to-address-list address-list=interface_IPs address-list-timeout=none-dynamic chain=dstnat dst-address-type=local
add action=add-src-to-address-list address-list=interface_IPs address-list-timeout=none-dynamic chain=srcnat src-address-type=local

/ip firewall mangle
add action=add-dst-to-address-list address-list=interface_IPs address-list-timeout=none-dynamic chain=prerouting dst-address-type=local
add action=add-dst-to-address-list address-list=interface_IPs address-list-timeout=none-dynamic chain=input dst-address-type=local
add action=add-src-to-address-list address-list=interface_IPs address-list-timeout=none-dynamic chain=output src-address-type=local
add action=add-src-to-address-list address-list=interface_IPs address-list-timeout=none-dynamic chain=postrouting src-address-type=local
 
DarkNate
Forum Veteran
Topic Author
Posts: 997
Joined: Fri Jun 26, 2020 4:37 pm

Re: Fetching interface IP addresses for use on firewall address list

Wed Nov 16, 2022 4:52 pm

Ah, crap, totally forgot about address type matcher in iptables. Yeah, there's no need for a script at all then. I will just use the matcher = local and call it a day.
