Mon Jan 16, 2023 11:36 am
It is possible to use address lists in firewall filter rules, and in the NAT section as well. They are found under /ip firewall address-list. It is possible to add an FQDN to an address list. It is supposed to resolve the FQDN again after the TTL expires. Then use src-address-list instead of src-address, or dst-address-list instead of dst-address, in your firewall rules.
However, it doesn't seem to be possible to use address-list instead of to-address.
Perhaps an idea: run some kind of tunnel between both MikroTiks. I personally use an IPIP tunnel; you can use any other IPsec tunnel (or WireGuard in ROS v7). When configuring an IPIP tunnel, it's possible to use an FQDN in the "remote-address" field (or an IP address, obviously); it's also possible to construct firewall rules (for chain=input) to only allow the IPIP tunnel (IPIP uses IPsec under the hood, so firewall rules for IPsec apply).
You would use that tunnel to directly route traffic between the private subnets (without any NAT ... though it can still be subject to firewall rules).
Obviously, when the IP address (on either end) changes, it will take a while for connectivity to re-establish ... because every DNS record has a TTL. For *.sn.mynetname.net A records the TTL is set to 60 seconds, which is then the order of magnitude of the expected downtime.
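As an added illustration (not the poster's own configuration), here is what the setup described in the post looks like on one side of the tunnel in RouterOS CLI form: an FQDN entry in an address list, an IPIP tunnel whose remote-address is that FQDN, an input chain that only admits the tunnel from that list, a route through the tunnel, and a srcnat exemption so the far LAN sees real source addresses. The IP Cloud name, the LAN and transit subnets, the interface name, the IPsec secret and the assumption that the masquerade rule sits at index 0 in srcnat are all placeholders; site B mirrors the same config with the addresses swapped.

```routeros
# Added example, not from the original post. Site A side; site B mirrors it
# with the addresses swapped. Every name, subnet and secret below is a placeholder.

# 1. FQDN-based address list. RouterOS resolves the name and re-resolves it when
#    the DNS TTL expires, so the list tracks the peer's changing public address.
/ip firewall address-list
add list=site-b address=0123456789ab.sn.mynetname.net comment="site B public IP (IP Cloud name, placeholder)"

# 2. IPIP tunnel with the peer given as an FQDN. ipsec-secret makes RouterOS
#    create the IPsec peer and policy that protect the tunnel.
/interface ipip
add name=ipip-site-b remote-address=0123456789ab.sn.mynetname.net ipsec-secret="replace-with-long-random-secret" mtu=1400 comment="tunnel to site B"

/ip address
add address=10.255.0.1/30 interface=ipip-site-b comment="tunnel transit; site B uses 10.255.0.2"

# 3. Route site B's LAN (placeholder 192.168.2.0/24) through the tunnel.
/ip route
add dst-address=192.168.2.0/24 gateway=ipip-site-b

# 4. Input chain: accept IKE, NAT-T and ESP only from the address list, then the
#    decrypted IPIP packets (matched with ipsec-policy=in,ipsec), and drop any
#    unprotected IPIP (protocol 4, "ipencap") from anyone else.
/ip firewall filter
add chain=input src-address-list=site-b protocol=udp dst-port=500,4500 action=accept comment="IKE / NAT-T from site B"
add chain=input src-address-list=site-b protocol=ipsec-esp action=accept comment="ESP from site B"
add chain=input src-address-list=site-b protocol=ipencap ipsec-policy=in,ipsec action=accept comment="IPIP from site B, only after IPsec decapsulation"
add chain=input protocol=ipencap action=drop comment="plain IPIP from anyone else"

# 5. Forward chain: LAN-to-LAN traffic through the tunnel, still filtered here.
#    Site A LAN is the placeholder 192.168.1.0/24.
add chain=forward in-interface=ipip-site-b dst-address=192.168.1.0/24 action=accept comment="site B -> site A LAN"
add chain=forward out-interface=ipip-site-b src-address=192.168.1.0/24 action=accept comment="site A -> site B LAN"

# 6. Exempt tunnel traffic from masquerade so site B sees real source IPs.
#    place-before=0 assumes the existing masquerade rule is the first srcnat rule.
/ip firewall nat
add chain=srcnat dst-address=192.168.2.0/24 action=accept place-before=0 comment="no NAT towards site B"
```

The ipencap rules matter because RouterOS passes the decrypted inner packet through the firewall again after IPsec: a bare "drop ipencap" in the input chain would also drop the tunnel's own decapsulated traffic, which is why the accept rule is keyed on ipsec-policy=in,ipsec and placed before the drop. When the peer's IP Cloud address changes, the address-list entry, the tunnel's remote-address and the auto-created IPsec peer all wait for the 60-second TTL to expire before they follow it, which is the downtime the post describes.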