In the firewall, some rules have to apply to more than one interface. Instead of writing a separate copy of the rule for each interface, MikroTik RouterOS offers the Interface List feature, which the firewall and several other places that take an interface (neighbor discovery, the MAC server and so on) can reference.
So what does this feature give us?
First, every firewall rule costs CPU and memory: each packet that traverses a chain is checked against the rules in it, one after another. When the same rule has to exist for 5 different interfaces, a check that would otherwise run 5 times can be written, and matched, once. Second, the interface set is maintained in one place: adding a sixth interface to the list updates every rule that references it, instead of having to find and copy every rule by hand.
As an example, let's examine the firewall rules below.
In this scenario we have 5 ADSL modems connected through PPPoE clients on our router, and we want to drop UDP port 53 and 123 (DNS and NTP) requests that arrive at the router itself from each of those lines, so that the router does not answer DNS or NTP queries from the internet side. At the same time, we want to masquerade outbound traffic leaving through these DSL lines.
Written without interface lists, the rules look like this.
Interface names: ADSL_1, ADSL_2, ADSL_3, ADSL_4, ADSL_5 (these are the PPPoE client interfaces, not the Ethernet ports the modems are cabled to).
/ip firewall filter
# dst-port is only accepted together with a protocol, so protocol=udp is required
add chain=input in-interface=ADSL_1 protocol=udp dst-port=53,123 action=drop
add chain=input in-interface=ADSL_2 protocol=udp dst-port=53,123 action=drop
add chain=input in-interface=ADSL_3 protocol=udp dst-port=53,123 action=drop
add chain=input in-interface=ADSL_4 protocol=udp dst-port=53,123 action=drop
add chain=input in-interface=ADSL_5 protocol=udp dst-port=53,123 action=drop
/ip firewall nat
add chain=srcnat out-interface=ADSL_1 action=masquerade
add chain=srcnat out-interface=ADSL_2 action=masquerade
add chain=srcnat out-interface=ADSL_3 action=masquerade
add chain=srcnat out-interface=ADSL_4 action=masquerade
add chain=srcnat out-interface=ADSL_5 action=masquerade
This is both a management burden (ten rules to keep in step for every change to a line) and extra work for the processor on every packet. Instead, with a configuration like the following, the result is better in both respects:
/interface list add name=WAN
/interface list member
add interface=ADSL_1 list=WAN
add interface=ADSL_2 list=WAN
add interface=ADSL_3 list=WAN
add interface=ADSL_4 list=WAN
add interface=ADSL_5 list=WAN
# one rule now covers every member of the list; protocol=udp is required for dst-port
/ip firewall filter add chain=input in-interface-list=WAN protocol=udp dst-port=53,123 action=drop
/ip firewall nat add chain=srcnat out-interface-list=WAN action=masquerade
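The following is an added example, not configuration from the original article: it takes the same WAN list further, reusing it in the non-firewall places mentioned above (neighbor discovery and the MAC server), shows how a new line is added afterwards, and ends with the commands to verify that the list and the drop rule are actually doing something. It assumes the five PPPoE client interfaces ADSL_1 to ADSL_5 from the article, a LAN bridge named bridge1 and a later sixth line ADSL_6; those last two names are assumptions.

```routeros
# Added example (not from the original article). Assumptions: PPPoE client
# interfaces ADSL_1..ADSL_5, a LAN bridge named bridge1, and a sixth uplink
# ADSL_6 that is added later. Adjust the names to your device.

/interface list
add name=WAN comment="all PPPoE uplinks"
add name=LAN comment="trusted side"

/interface list member
add interface=ADSL_1 list=WAN
add interface=ADSL_2 list=WAN
add interface=ADSL_3 list=WAN
add interface=ADSL_4 list=WAN
add interface=ADSL_5 list=WAN
add interface=bridge1 list=LAN

/ip firewall filter
# Drop DNS and NTP queries that arrive at the router itself from any uplink.
# dst-port is only accepted together with protocol, so protocol=udp is required.
add chain=input in-interface-list=WAN protocol=udp dst-port=53,123 action=drop comment="no DNS/NTP service toward the internet"

/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade comment="NAT on all uplinks"

# The same lists answer "which interfaces face the internet?" elsewhere:
# restrict neighbor discovery and MAC-level Winbox/Telnet access to the LAN side,
# so none of it is reachable from the uplinks.
/ip neighbor discovery-settings set discover-interface-list=LAN
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN

# A sixth line later is one command; every rule and setting above picks it up.
/interface list member add interface=ADSL_6 list=WAN

# Checks: membership of the list, and whether the drop rule is seeing packets.
/interface list member print where list=WAN
/ip firewall filter print stats where chain=input
```

After applying this, the stats output is the check that matters: the byte and packet counters on the input drop rule should rise while an uplink is receiving DNS or NTP queries, and the membership print should show all six ADSL interfaces under WAN. If the counters stay at zero, the usual cause is that the PPPoE client interface has a different name than the one placed in the list.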
Starting from this example, you can adapt the scenario to your own setup as you like.
I hope this has been a useful article.