jibanes
newbie
Topic Author
Posts: 30
Joined: Sun Mar 25, 2012 8:13 am

Dynamic Firewall Address-List

Mon May 29, 2023 4:29 am

Hello,

I have an interface on my router, ether1, which runs a dhcp client, and my ISP assigns it a public ip address, here 33.44.55.66.

I have a Firewall Address list that looks like this:
/ip firewall address-list
add address=33.44.55.66 list=unexpected-src-address-hitting-ISP

This address-list is used in a few places, one of them is to block traffic coming FROM "my" IP@ provided by my ISP.

Is it possible to have this address-list entry automatically updated, in the event ether1 gets a new ip address from my ISP?

I'm running 7.9.1

thank you for looking!
 
own3r1138
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Dynamic Firewall Address-List  [SOLVED]

Mon May 29, 2023 5:38 am

Enable the DDNS and use the record as an entry in your address list.
/ip cloud set ddns-enabled=yes
/ip firewall address-list
add address=33445566.sn.mynetname.net list="unexpected-src-address-hitting-ISP"
 
jibanes

Re: Dynamic Firewall Address-List

Mon May 29, 2023 6:06 am

QQ: How frequently are the firewall rules refreshed? Meaning, I doubt the DNS lookup happens every time; how long is it cached for?
 
own3r1138

Re: Dynamic Firewall Address-List

Mon May 29, 2023 6:56 am

Check the cached record ttl.
 
jibanes

Re: Dynamic Firewall Address-List

Mon May 29, 2023 7:09 am

thanks, looks like 1mn here.
 
nichky
Forum Guru
Posts: 1275
Joined: Tue Jun 23, 2015 2:35 pm

Re: Dynamic Firewall Address-List

Mon May 29, 2023 7:18 am

Pretty sure that by default it is not specified.
 
jibanes

Re: Dynamic Firewall Address-List

Mon May 29, 2023 7:46 am

Maybe /ip/cloud set ddns-update-interval=1m ?
 
own3r1138

Re: Dynamic Firewall Address-List

Mon May 29, 2023 8:41 am

Perhaps you could also use a script if the IP address changes too frequently. You can set an interval as you like.
:local currentIP [/ip dhcp-client get [find interface=ether1] value-name=address]
/ip firewall address-list
add address=$currentIP list="unexpected-src-address-hitting-ISP"
 
jibanes

Re: Dynamic Firewall Address-List

Mon May 29, 2023 5:53 pm

In which case you would also have to remove the old one?
How do you set the crontab?
 
own3r1138

Re: Dynamic Firewall Address-List

Mon May 29, 2023 6:24 pm

> In which case you would also have to remove the old one?
Sorry, my mistake. I didn't think about this part.

> How do you set the crontab?
/system scheduler add name=ip-list interval=00:00:15 on-event="script-name OR simply paste the below script"

:local currentIP [/ip dhcp-client get [find interface=ether1] value-name=address]
/ip firewall address-list set [find where list="unexpected-src-address-hitting-ISP"] address=$currentIP
 
jibanes

Re: Dynamic Firewall Address-List

Mon May 29, 2023 6:27 pm

I am not sure this would work because I have a lot of entries with the name "unexpected-src-address-hitting-ISP", they include things like rfc1918 ranges, etc.
One possibility is to add another Firewall Raw rule associated to a new name?
 
own3r1138

Re: Dynamic Firewall Address-List

Mon May 29, 2023 6:33 pm

Can you separate the list=name?
Because I can not create more complex scripts. :D W8 on that. :d

I'd rather not mess with your firewall. I don't feel comfortable enough for that.
You need to set a unique comment for this entry in your list=unexpected-src-address-hitting-ISP.
:local currentIP [/ip dhcp-client get [find interface=ether1] value-name=address]
/ip firewall address-list set [find where comment="dhcp-client-address"] address=$currentIP
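
A fuller version of the scheduler script discussed above, as an added example that is not part of any post in this thread. RouterOS reports the DHCP client address with its prefix length (IP/netmask), so the script strips the mask, leaves the entry alone when there is no lease, and changes only the entry carrying the comment. The log messages are assumptions; the interface, list and comment names are the ones used in the posts.

```routeros
# Added example, not from the thread. Interface, list and comment names are
# taken from the posts above; the log messages are made up.
:local wanIf "ether1"
:local listName "unexpected-src-address-hitting-ISP"
:local tag "dhcp-client-address"

# Locate the DHCP client; stop if there is none or it holds no lease.
:local client [/ip dhcp-client find where interface=$wanIf]
:if ([:len $client] = 0) do={
    :log warning "addr-list sync: no DHCP client on $wanIf"
    :error "no DHCP client"
}
:local cidr [:tostr [/ip dhcp-client get $client address]]
:if ([:len $cidr] = 0) do={
    :log warning "addr-list sync: $wanIf has no lease, entry left unchanged"
    :error "no lease"
}

# Strip the prefix length so only the host address is listed,
# not the whole subnet the ISP handed out.
:local ip $cidr
:local slash [:find $cidr "/"]
:if ([:typeof $slash] = "num") do={ :set ip [:pick $cidr 0 $slash] }

# Touch only the entry tagged with the comment; the other entries in the
# list (RFC 1918 ranges and so on) stay as they are.
:local entry [/ip firewall address-list find where list=$listName comment=$tag]
:if ([:len $entry] = 0) do={
    /ip firewall address-list add list=$listName address=$ip comment=$tag
    :log info "addr-list sync: added $ip to $listName"
} else={
    :local old [/ip firewall address-list get $entry address]
    :if ($old != $ip) do={
        /ip firewall address-list set $entry address=$ip
        :log info "addr-list sync: $old -> $ip in $listName"
    }
}
```

Writing the entry only when the address has changed keeps the 15-second scheduler run from rewriting the firewall configuration on every tick.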
 
jibanes

Re: Dynamic Firewall Address-List

Mon May 29, 2023 6:45 pm

I just set another name, it works great, many thanks!
 
own3r1138

Re: Dynamic Firewall Address-List

Mon May 29, 2023 6:49 pm

Good, you're welcome.
