How to Use Mikrotik Interface List

Posted on 23 September 201915 September 2019 by fadıl

In Firewall, some rules may need to be implemented for more than one interface. In such cases, instead of creating a separate firewall rule for each interface, Mikrotik offers us the Interface-List architecture as a solution in both the Firewall and similar fields.

So what does this feature give us?

First, each firewall rule plays an important role in the RAM/CPU relationship. On this side, when you need to write the same rule for 5 different interfaces, a job that can be checked 5 times can be written and controlled at once.

As an example, let’s examine the Firewall rule below.

According to the scenario, we have 5 ADSL Modems (PPPoE Client) on our device and we want to prevent UDP: 53,123 (DNS and NTP) requests for each ADSL Modem. at the same time, we want to define masquerade for outbound traffic through these DSL ports.

Normally our rule should be as follows.
Names of interfaces: ADSL_1, ADSL_2, ADSL_3, ADSL_4, ADSL_5;

/ip firewall filter 
add chain=input in-interface=ADSL_1 dst-port=53,123 action=drop
add chain=input in-interface=ADSL_2 dst-port=53,123 action=drop
add chain=input in-interface=ADSL_3 dst-port=53,123 action=drop
add chain=input in-interface=ADSL_4 dst-port=53,123 action=drop
add chain=input in-interface=ADSL_5 dst-port=53,123 action=drop
/ip firewall nat 
add chain=src-nat out-interface=ADSL_1  action=masquerade
add chain=src-nat out-interface=ADSL_2  action=masquerade
add chain=src-nat out-interface=ADSL_3  action=masquerade
add chain=src-nat out-interface=ADSL_4  action=masquerade
add chain=src-nat out-interface=ADSL_5  action=masquerade

/ip firewall filter

add chain=input in-interface=ADSL_1 dst-port=53,123 action=drop

add chain=input in-interface=ADSL_2 dst-port=53,123 action=drop

add chain=input in-interface=ADSL_3 dst-port=53,123 action=drop

add chain=input in-interface=ADSL_4 dst-port=53,123 action=drop

add chain=input in-interface=ADSL_5 dst-port=53,123 action=drop

/ip firewall nat

add chain=src-nat out-interface=ADSL_1 action=masquerade

add chain=src-nat out-interface=ADSL_2 action=masquerade

add chain=src-nat out-interface=ADSL_3 action=masquerade

add chain=src-nat out-interface=ADSL_4 action=masquerade

add chain=src-nat out-interface=ADSL_5 action=masquerade

This will create an obstacle to managing each line and as a workload for the processor. Instead, with an example such as the following, the process would be more useful in both management and CPU/RAM relationship.

/interface list add name=WAN
/interface list member
add interface=ADSL_1 list=WAN
add interface=ADSL_2 list=WAN
add interface=ADSL_3 list=WAN
add interface=ADSL_4 list=WAN
add interface=ADSL_5 list=WAN
 
/ip firewall filter  add chain=input in-interface-list=WAN dst-port=53,123 action=drop
/ip firewall nat add chain=src-nat out-interface-list=WAN  action=masquerade

/interface list add name=WAN

/interface list member

add interface=ADSL_1 list=WAN

add interface=ADSL_2 list=WAN

add interface=ADSL_3 list=WAN

add interface=ADSL_4 list=WAN

add interface=ADSL_5 list=WAN

/ip firewall filter add chain=input in-interface-list=WAN dst-port=53,123 action=drop

/ip firewall nat add chain=src-nat out-interface-list=WAN action=masquerade

Based on this application, you can change your scenarios as you like.

I hope it has been a useful article.

So what does this feature give us?

Leave a Reply Cancel reply