markovicivan1987
just joined
Topic Author
Posts: 5
Joined: Wed Mar 23, 2022 8:51 am

DST-NAT to dynamic FQDN

Mon Jan 16, 2023 9:28 am

Hi,

I want to make a NAT rule to translate a private IP address to a dynamic FQDN.
Wanted to ask if this is possible?

You can see in the picture that I have a NAT rule to translate it to a public IP, but that IP changes over time.
Right now I would have to go to the NAT rule and change it manually, but I would like it to be automatic.

I have filter rules with a dynamic object in an Address List working and wanted to do something similar with a NAT rule.
 
mkx
Forum Guru
Posts: 11593
Joined: Thu Mar 03, 2016 10:23 pm

Re: DST-NAT to dynamic FQDN

Mon Jan 16, 2023 10:01 am

Please explain the situation in more words (and less configuration details). There are other ways to match packets for a particular DST-NAT rule, but it's hard to tell which one (if any) is the best without seeing the full picture.
 
markovicivan1987
just joined
Topic Author
Posts: 5
Joined: Wed Mar 23, 2022 8:51 am

Re: DST-NAT to dynamic FQDN

Mon Jan 16, 2023 10:50 am

I have a situation similar to this one in the picture.
From my PC I cannot access mikrotik B using its FQDN because this traffic would go through my FW and we can't have this. (Why is a long and complicated story.)
I can't make PBR or a dynamic route either on this FW and the only way, as I can see, is to try to access mikrotik B from my PC using some private IP address (let's call it 10.10.2.10).

When I browse 10.10.2.10 I arrive at mikrotik A and want to translate here the private address 10.10.2.10 to cc210e7yyyyy.sn.mynetname.net and arrive at the destination with the source IP of cc210e7xxxxx.sn.mynetname.net.

I have two NAT rules on Mikrotik A

add action=dst-nat chain=dstnat comment=Danilovgrad dst-address=10.10.2.10 src-address-list=Admins to-addresses=46.33.214.x // translates dst address from private to public
add action=masquerade chain=srcnat out-interface=pppoe-out1 // translates source private to Its public interface

As we have almost daily changes of our public IPs on the mikrotiks, I would want to set the first NAT rule to translate to the FQDN of mikrotik B instead of the static IP 46.33.214.x.
Right now I have to go to mikrotik A's NAT rules and change the value manually.

I have filter rules on mikrotik B's public IP where I allow input traffic from mikrotik A (here I can use a dynamic address-list object which changes automatically).

Thanks
 
mkx
Forum Guru
Posts: 11593
Joined: Thu Mar 03, 2016 10:23 pm

Re: DST-NAT to dynamic FQDN

Mon Jan 16, 2023 11:36 am

It is possible to use address lists in firewall filter rules, and in the NAT section as well. They are found under /ip firewall address-list. It is possible to add an FQDN to an address list. It is supposed to resolve the FQDN again after the TTL expires. Then use src-address-list instead of src-address or dst-address-list instead of dst-address in your firewall rules.

However, it doesn't seem to be possible to use address-list instead of to-address.

Perhaps an idea: run some kind of tunnel between both mikrotiks. I personally use an IPIP tunnel; you can use any other IPsec tunnel (or WireGuard in ROS v7). When configuring an IPIP tunnel, it's possible to use an FQDN in the field "remote-address" (or an IP address obviously); it's also possible to construct firewall rules (for chain=input) to only allow the IPIP tunnel (IPIP uses IPsec under the hood, so firewall rules for IPsec apply).
You would use that tunnel to directly route traffic between private subnets (without any NAT ... but it can be subject to firewall rules).

Obviously when the IP address (on either end) changes, it will take a while for connectivity to re-establish ... because every DNS record has a TTL. For A records *.sn.mynetname.net the TTL is set to 60 seconds, which is then the order of magnitude of the expected downtime.
 
markovicivan1987
just joined
Topic Author
Posts: 5
Joined: Wed Mar 23, 2022 8:51 am

Re: DST-NAT to dynamic FQDN

Mon Jan 16, 2023 3:48 pm

Ok, thanks for information.

I already have an IPsec tunnel between Mikrotik B and the firewall on the picture (it's CP).
CP creates a VPN domain and also puts inside it the public peer address of every IPsec neighbor.
Therefore it does not allow me to connect to the mikrotik via its public IP, but I can access it via the inside private IP address.

This is some kind of workaround to access it via the public IP in case there is something wrong with the tunnel and I can't access it normally (it is not a frequent issue).
I am not sure if creating a new tunnel is worthwhile in my situation.

Thanks
 
mkx
Forum Guru
Posts: 11593
Joined: Thu Mar 03, 2016 10:23 pm

Re: DST-NAT to dynamic FQDN

Mon Jan 16, 2023 4:28 pm

Probably it's not worth adding another tunnel for backup admin access.

Another idea: configure port knocking. This way you add another layer of security (the one trying to connect has to know the correct port knocking sequence) and then you can afford to open ssh access on a non-standard port without limiting it to src-address. And you can connect from anywhere (even if you go for a skiing holiday to Colorado some day; I guess you won't go for summer holidays to Spain since Croatia has much nicer beaches :wink:). If you don't envision connecting from random networks, then you can limit connectivity to your ISP's address space only. That should protect you from Chinese, Russian and American hackers.
 
markovicivan1987
just joined
Topic Author
Posts: 5
Joined: Wed Mar 23, 2022 8:51 am

Re: DST-NAT to dynamic FQDN

Tue Jan 17, 2023 10:39 am

Hi,

Thanks for that idea.
I was not aware that this existed.

I would not mind going to Spain at all :-D.


I solved my problem: I used a script that resolves the FQDN of mikrotik B and sets that IP in the to-addresses field of the specific NAT rule.
I scheduled that script to run every 5 minutes and it seems to be working.

Thanks
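An added example of what such a scheduled script can look like in RouterOS scripting; this is not the poster's own script. It assumes the dst-nat rule is identified by the comment Danilovgrad shown earlier in the thread, and the FQDN below is a placeholder for mikrotik B's real cloud DNS name.

```routeros
# Added example, not the thread author's script. Resolves the dynamic FQDN of
# mikrotik B and rewrites to-addresses of the dst-nat rule when the IP changed.
# Assumptions: the rule carries comment "Danilovgrad" (as in the thread) and
# the FQDN below is a placeholder for the real *.sn.mynetname.net name.
:local fqdn "cc210e7yyyyy.sn.mynetname.net"
:local ruleComment "Danilovgrad"
:local newIp

# Resolution can fail (DNS down, name not yet updated); on failure leave the
# existing rule untouched instead of writing an empty or bogus to-addresses.
:do {
    :set newIp [:resolve $fqdn]
} on-error={
    :log warning "dstnat-update: cannot resolve $fqdn, rule left unchanged"
}

:if ([:typeof $newIp] = "ip") do={
    :local ruleIds [/ip firewall nat find comment=$ruleComment action=dst-nat]
    # Refuse to act unless exactly one rule matches, so a duplicated comment
    # cannot silently redirect some unrelated rule.
    :if ([:len $ruleIds] = 1) do={
        :local curIp [/ip firewall nat get ($ruleIds->0) to-addresses]
        :if ("$curIp" != "$newIp") do={
            /ip firewall nat set ($ruleIds->0) to-addresses=$newIp
            :log info "dstnat-update: $ruleComment to-addresses $curIp -> $newIp"
        }
    } else={
        :log warning "dstnat-update: expected one rule with comment $ruleComment, found $[:len $ruleIds]"
    }
}

# Store the above as /system script add name=dstnat-update source=... and run
# it every 5 minutes, as the poster did:
#   /system scheduler add name=dstnat-update interval=5m on-event=dstnat-update
```

Keep the src-address-list=Admins match on the rule: the script only rewrites the target, so who may reach 10.10.2.10 is still controlled by that address list, and after an IP change the rule points at the old address for at most one scheduler interval plus the DNS TTL.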
