Tiernan's Comms Closet

Geek, Programmer, Photographer, network egineer…

RouterOS Using Host names in Firewall Rules

As a follow-up to yesterday’s post on RouterOS Blocking Machine access to all but one IP, I thought I would show how to add extra IPs to that list, without having a shedload of firewall filters.

  • First things first, get your list of IPs you allow access to. In my case, I just did an NSLOOKUP on the name and got the IPs.
  • Create an “Address List” in RouterOS. This can be done on the Web Interface by going to IP / Firewall / Address List and clicking Add. I had none previously, so I created a new rule, naming it ExpressVPN (the lads I use for VPN access) and added the first address.
  • this is where things get interesting. for extra IP (for ExpressVPN, I have 4) you create a new address with the SAME name, but different IP.
  • in your firewall rule, you should have either an src address or a dst address. in my case, I had both, but this was a change for the dst address. I removed the address from the rule, and I added it as a dst address list entry. If you have multiple address lists, you will see them here.

to do this at the command prompt:

this will block any traffic, other than the IPs in the expressVPN address list, for the machine 192.168.0.123.

---

This site is hosted on my own ASN on AS204994. More details about that over there. I also use Vultr for transit services and HostUs for LIR Services. Check them out. You can also check some of the gear I use on a daily basis over on kit.co/tiernano. Looking for a Backup Option? Check out Backblaze and get a month free.


Leave a Reply

Your email address will not be published. Required fields are marked *