The Mirotik address-list allows for the grouping of two or more users, using the source or destination address as the factor. This allows rules to be applied to a group instead of individual IPs, thereby reducing the number of rules that an administrator can configure for each user in the group. Address-lists can be used in the firewall rule, mangle rule, queue tree, etc. An address-list can be created manually of dynamically. In this post, we will look at how to create an address-list using both manual and dynamic methods.
Using the manual method creates an address-list and populates it with the IP addresses of users that belong to that address list. An administrator can create multiple address-lists, each containing the IP addresses of users in that address list. Any rule, whether firewall, mangle rule, or queue applied to such address list will be binding on individual members of the list. For example, on a network of 30 users with a 4Mbps internet subscription, an administrator can create three address lists named Directors, managers, and others. Each address list will contain the IP addresses of its members. The admin can then configure a queue for each address list instead of each user. This will greatly reduce entries in the queue table as well as reduce the work load on the admin and the processor overhead on the router.
To create an address-list click oncIP>>Firewall>>Address List, enter a name for the address list, typecin the user’s IP, click on apply and OK. Repeat the steps above to add morecusers to the group but instead of typing in the groupcname, click on the arrowcbeside name and choose the name entered earlier. If you are creating anothercaddress list, then you need to type in the group name.
Using this method is easy and straight forward but there are situations where the source address is not the criteria for deciding who should belong to an address list. For example, we can use a layer7 rule to deny users torrent access by adding their IPs to an address-list and then enforcing a rule to deny internet access to anyone whose IP address is found in that address-list. You can set a time limit after which a user’s address will be removed from the address list so that they can have internet access again. Trust me, once users become aware that they will be denied access to the internet once they make use of torrent or visit a prohibited website, they won’t try it. Apart from access denial, it provides information on the identity of those visiting such sites.
To create a dynamic address list, first use a layer7 rule to define the service that will serve as a deciding factor on whose address gets added to the address list or not. Click on IP>>Firewall>>Layer7 Protocols. Give it a name and paste code in as shown below. The rule below is for those visiting Youtube.
Next, click on IP>>Firewall>Filter>>add>>chain=forward>>in interface=LAN>>advance>>Layer7 Protocols=Youtube(the one created in step one above)>>Action=add src to address list>>name of adress list=Offenders. Code below:
The code set a time limit of 2 hours for addresses help in the address list called offenders.
Now you can use another filter rule to deny internet access to members of the address list called offenders. As long as a user’s IP remains in that address list for the 2-hour duration specified by the admin, that user will have no internet access. See code below:
Ip firewall filter
add chain=forward action=drop src-address-list=Offenders log=no log-prefix=””
The rule simply drops all packets from users in the address-list called offenders.
Thanks for reading till the end. Please subscribe to my channel on YouTube, like on Facebook and follow on Twitter.
Ashioma Michael, a BSc (Computer Science)., MTCNA, CCNA, and CCNP holder with many years of industry-proven experience in network design, implementation and optimization. He has tutored and guided many professionals towards obtaining their Cisco certifications. Mike works as a senior network engineer with one of the leading internet service providers in West Africa.