As a follow-up to yesterday’s post on RouterOS Blocking Machine access to all but one IP, I thought I would show how to add extra IPs to that list, without having a shedload of firewall filters.
- First things first, get your list of IPs you allow access to. In my case, I just did an NSLOOKUP on the name and got the IPs.
- Create an “Address List” in RouterOS. This can be done on the Web Interface by going to IP / Firewall / Address List and clicking Add. I had none previously, so I created a new rule, naming it ExpressVPN (the lads I use for VPN access) and added the first address.
- this is where things get interesting. for extra IP (for ExpressVPN, I have 4) you create a new address with the SAME name, but different IP.
- in your firewall rule, you should have either an src address or a dst address. in my case, I had both, but this was a change for the dst address. I removed the address from the rule, and I added it as a dst address list entry. If you have multiple address lists, you will see them here.
to do this at the command prompt:
this will block any traffic, other than the IPs in the expressVPN address list, for the machine 192.168.0.123.