/ip firewall address-list
add address=officeX.example.com list=whitelist
RouterOS will then resolve the FQDN (every X minutes) to an IP address and add it to the address list as a "dynamic" item (actually static, i.e. not lost on reboot).
If the FQDN resolves to a new address, that IP will be added to the list and the old IP item will be retained.
Together or separately this enables you to build a poor man's "VPN" into an ironclad firewall by allowing in only traffic from predefined DynDNS clients (comparable with port knocking, but it doesn't require any client functionality whatsoever).
/ip firewall filter
add action=accept chain=input comment="Allow trusted IP" src-address-list=whitelist
Now you might want to expire the old addresses, so that the newly created list items inherit an expiration (timeout) value (just as they inherit the resolved IP address).
/ip firewall address-list
add address=officeX.example.com list=whitelist timeout=3d00:00:00
However, this doesn't work as hoped (it does, however, work as expected): it will resolve the IP address and add it as a new static address-list item, but now the FQDN item itself starts to expire. The result is 3 days during which no new resolutions are made, as the FQDN item has expired and been removed (deleted), while the resolved IP address item(s) are retained.
In comparison, this does produce self-expiring items (so the functionality is there):
/ip firewall filter
add action=add-src-to-address-list address-list=blacklist address-list-timeout=3d chain=input comment="Blacklist most commonly scanned ports" \
dst-port=20,21-23,25,53,110-111,135,139,143 in-interface=WAN protocol=tcp
Please note that there are critical benefits to generating new address-list IP items when the resolution changes, instead of overwriting a single item; with expiration we could control this, depending on whether we want a short "single item" list or a long "history" list of items.
Also note that expiring items are lost on RouterOS reboot, which isn't all that proper, since they are literally defined to expire later.
https://wiki.mikrotik.com/wiki/Use_host ... wall_rules
https://wiki.mikrotik.com/wiki/Manual:I ... dress_list
viewtopic.php?t=124921
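As an added example (not from the original post, and not MikroTik's own code), here is one way to get the behaviour the post asks for: a scheduled script resolves the FQDN itself and adds each resolved IP as its own timed item, so the FQDN "source" never expires and the whitelist stays a self-expiring history of addresses. The hostname officeX.example.com, the list name whitelist and the 3-day timeout are taken from the post; the script and scheduler names, the 10-minute interval and the use of `:resolve` inside `:do { } on-error={ }` are my assumptions.

```routeros
# Added example, not from the original post.
# Assumptions: hostname and list name from the post; script/scheduler
# names, the 10m interval and the 3d TTL are illustrative.
/system script add name=whitelist-refresh source={
    :local host "officeX.example.com"
    :local listName "whitelist"
    :local ttl 3d
    :local ip ""
    :local ok false
    # :resolve raises an error when DNS fails; catch it so a transient
    # failure only logs a warning instead of aborting the scheduler run.
    :do {
        :set ip [:resolve $host]
        :set ok true
    } on-error={
        :log warning ("whitelist-refresh: cannot resolve " . $host)
    }
    :if ($ok) do={
        :local existing [/ip firewall address-list find where list=$listName and address=$ip]
        :if ([:len $existing] = 0) do={
            # New address: add it as its own timed item so it expires on
            # its own; older addresses stay until their own timeout runs out.
            /ip firewall address-list add list=$listName address=$ip \
                timeout=$ttl comment=("resolved from " . $host)
        } else={
            # Address unchanged: refresh the timeout so the current
            # address never lapses while the host still resolves to it.
            /ip firewall address-list set $existing timeout=$ttl
        }
    }
}
# Run at boot (timed items do not survive a reboot) and every 10 minutes after.
/system scheduler add name=whitelist-refresh start-time=startup interval=10m \
    on-event=whitelist-refresh
```

Pair this with the `src-address-list=whitelist` accept rule from the post. Because the script, not the address-list entry, holds the FQDN, the entry's timeout only ever applies to resolved IPs; and since the scheduler starts at boot, the list is repopulated shortly after a reboot rather than staying empty until the next interval.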