How to Use Mikrotik Interface List
In the firewall, some rules need to apply to more than one interface. In such cases, instead of creating a separate firewall rule for each interface, MikroTik offers the Interface List feature as a solution, both in the firewall and in similar places (NAT, mangle and so on).
So what does this feature give us?
First, every firewall rule costs RAM and CPU. When the same rule would have to be written for 5 different interfaces, a check that would otherwise be evaluated 5 times can be written once and evaluated once.
As an example, let's examine the firewall rules below.
According to the scenario, we have 5 ADSL modems (PPPoE clients) on our device, and we want to block UDP 53 and 123 (DNS and NTP) requests arriving on each ADSL modem. At the same time, we want to define masquerade for outbound traffic through these DSL ports.
Normally our rules would be as follows.
Interface names: ADSL_1, ADSL_2, ADSL_3, ADSL_4, ADSL_5
/ip firewall filter
add chain=input in-interface=ADSL_1 protocol=udp dst-port=53,123 action=drop
add chain=input in-interface=ADSL_2 protocol=udp dst-port=53,123 action=drop
add chain=input in-interface=ADSL_3 protocol=udp dst-port=53,123 action=drop
add chain=input in-interface=ADSL_4 protocol=udp dst-port=53,123 action=drop
add chain=input in-interface=ADSL_5 protocol=udp dst-port=53,123 action=drop
/ip firewall nat
add chain=srcnat out-interface=ADSL_1 action=masquerade
add chain=srcnat out-interface=ADSL_2 action=masquerade
add chain=srcnat out-interface=ADSL_3 action=masquerade
add chain=srcnat out-interface=ADSL_4 action=masquerade
add chain=srcnat out-interface=ADSL_5 action=masquerade
This makes each line harder to manage and adds load on the processor. Instead, with a configuration like the following, the setup is easier to manage and lighter on CPU/RAM: one list, one filter rule and one NAT rule, no matter how many DSL lines there are.
/interface list
add name=WAN
/interface list member
add interface=ADSL_1 list=WAN
add interface=ADSL_2 list=WAN
add interface=ADSL_3 list=WAN
add interface=ADSL_4 list=WAN
add interface=ADSL_5 list=WAN
/ip firewall filter
add chain=input in-interface-list=WAN protocol=udp dst-port=53,123 action=drop
/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade
Based on this approach, you can adapt the scenario to your own needs: when a new DSL line is added, it only has to be added to the WAN list, and every rule that references the list covers it immediately.
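The weak point of the list approach is forgetting to add a new line to the list: a PPPoE interface that is not a WAN member is matched by neither the drop rule nor the masquerade rule. The RouterOS script below is an added example, not code from the original article; it creates the WAN list if missing, adds every PPPoE client interface to it that is not already a member, and then prints the membership so it can be checked. It assumes the list is named WAN as in the article and that the upstream links are PPPoE client interfaces (their names, ADSL_1 to ADSL_5 in the article, do not matter to the script).

```routeros
# Added example: keep the WAN interface list in sync with all PPPoE client
# interfaces, so the single filter and NAT rules that reference the list
# always cover every DSL line.
# Assumption: the list is called "WAN" and the DSL links are pppoe-client
# interfaces (names such as ADSL_1 ... ADSL_5 are taken from the article).

:local listName "WAN"

# Create the list once if it does not exist yet
:if ([:len [/interface list find name=$listName]] = 0) do={
    /interface list add name=$listName comment="all upstream DSL links"
    :log info ("interface list " . $listName . " created")
}

# Walk every PPPoE client interface and add the missing ones to the list
:local added 0
:foreach i in=[/interface pppoe-client find] do={
    :local ifname [/interface pppoe-client get $i name]
    :if ([:len [/interface list member find list=$listName interface=$ifname]] = 0) do={
        /interface list member add list=$listName interface=$ifname comment="auto-added"
        :log info ("added " . $ifname . " to interface list " . $listName)
        :set added ($added + 1)
    }
}

# Report the result: a zero member count means the WAN rules match nothing
:local total [:len [/interface list member find list=$listName]]
:put ("newly added: " . $added . ", total members of " . $listName . ": " . $total)
:if ($total = 0) do={
    :log warning ("interface list " . $listName . " is empty; rules using it match no traffic")
}
/interface list member print where list=$listName
```

Run it from a terminal after adding a new DSL line, or schedule it under /system scheduler so membership is re-checked periodically; the existing in-interface-list=WAN and out-interface-list=WAN rules from the article need no change.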
I hope this has been a useful article.