Tiernan's Comms Closet

Geek, Programmer, Photographer, network egineer…

Currently Viewing Posts Tagged routeros

RouterOS Using Host names in Firewall Rules

As a follow-up to yesterday’s post on RouterOS Blocking Machine access to all but one IP, I thought I would show how to add extra IPs to that list, without having a shedload of firewall filters.

  • First things first, get your list of IPs you allow access to. In my case, I just did an NSLOOKUP on the name and got the IPs.
  • Create an “Address List” in RouterOS. This can be done on the Web Interface by going to IP / Firewall / Address List and clicking Add. I had none previously, so I created a new rule, naming it ExpressVPN (the lads I use for VPN access) and added the first address.
  • this is where things get interesting. for extra IP (for ExpressVPN, I have 4) you create a new address with the SAME name, but different IP.
  • in your firewall rule, you should have either an src address or a dst address. in my case, I had both, but this was a change for the dst address. I removed the address from the rule, and I added it as a dst address list entry. If you have multiple address lists, you will see them here.

to do this at the command prompt:

this will block any traffic, other than the IPs in the expressVPN address list, for the machine

RouterOS Blocking Machine access to all but one IP

So, I have a machine on my network, which should be only connecting to the internet through a VPN. I needed to tell my RouterOS box to block all access, except to this said IP address… The following should do the trick… YMMV

this will drop any packets from the srcaddress (IP address) that are not for the destination dstaddress (IP address). in my case, dstaddress is the VPN server I want to connect to. So, in theory, all packets should just go through the VPN and not leak out into the rest of the network… again, still testing this so be careful!