[HOW-TO] set up Mikrotik router firewall to pass AFC traffic only

Problem statement: The AFC server located in the cloud utilizes dynamic IP addressing. ISP infrastructure management networks should not be accessible from the Internet. A dynamic firewall rule following DNS changes must be created.

Preconditions in this example:

  • MikroTik router in NAT mode.
  • MikroTik router configured as Default GW and DNS server for LAN devices.
  1. On MikroTik router create new event in System - Scheduler:
:local urls {"api.qcs.qualcomm.com"; "location.qcs.qualcomm.com"; "afcapi.qcs.qualcomm.com"; "afcapi.canada.qcs.qualcomm.com"}
# start from an empty list so stale addresses do not survive a refresh
/ip firewall address-list remove [find list=qualcomm-afc]

:foreach url in=$urls do={
    # force the DNS entries for this name into the router's cache
    :do {
        :resolve $url;
    } on-error={
        :log error "dns resolve failure for $url"
    }

    # copy every cached record for the name into the address list
    :foreach dnsRecord in=[/ip dns cache all find where (name=$url)] do={
        :local newAddress [/ip dns cache all get $dnsRecord data];
        :do {
            /ip firewall address-list add list=qualcomm-afc address=$newAddress comment=$url;
        } on-error={
            :log error "error when adding ip to list: $newAddress"
        }
    }
}
  2. Create new Firewall rule to allow traffic from your network to IP addresses in list “qualcomm-afc”:
/ip firewall filter add chain=forward action=accept protocol=tcp dst-port=443 dst-address-list=qualcomm-afc comment="Allow traffic to AFC IPs"
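The script above empties the whole list before re-resolving, so a DNS failure on one run leaves the AFC endpoints unreachable until the next run. The following is an added example, not code from the original post, that refreshes the list one name at a time and keeps the existing entries when resolution fails; it assumes RouterOS 7.x, the same list name, and that the DNS cache exposes a type field for filtering A records (the log prefixes are my own).

```routeros
# Added example: fail-safe refresh of the qualcomm-afc address list.
# Assumes RouterOS 7.x and that the router itself is the DNS resolver.
:local urls {"api.qcs.qualcomm.com"; "location.qcs.qualcomm.com"; "afcapi.qcs.qualcomm.com"; "afcapi.canada.qcs.qualcomm.com"}
:local listName "qualcomm-afc"

:foreach url in=$urls do={
    # collect the A records currently cached for this name
    :local resolved [:toarray ""]
    :do {
        :resolve $url
    } on-error={
        :log warning "AFC list: DNS resolve failed for $url, keeping existing entries"
    }
    :foreach rec in=[/ip dns cache all find where name=$url and type="A"] do={
        :set resolved ($resolved, [:tostr [/ip dns cache all get $rec data]])
    }

    # only touch the list for this name when we actually got an answer
    :if ([:len $resolved] > 0) do={
        # drop entries tagged with this name that DNS no longer returns
        :foreach e in=[/ip firewall address-list find where list=$listName and comment=$url] do={
            :local addr [:tostr [/ip firewall address-list get $e address]]
            :if ([:typeof [:find $resolved $addr]] = "nil") do={
                /ip firewall address-list remove $e
                :log info "AFC list: removed stale $addr for $url"
            }
        }
        # add addresses that are not in the list yet (no duplicate error)
        :foreach addr in=$resolved do={
            :if ([:len [/ip firewall address-list find where list=$listName and address=$addr]] = 0) do={
                /ip firewall address-list add list=$listName address=$addr comment=$url
                :log info "AFC list: added $addr for $url"
            }
        }
    }
}
```

After a scheduler run, `/ip firewall address-list print where list=qualcomm-afc` should show one entry per resolved address with the name in the comment, and the log shows what changed on that run.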

FYI on Mikrotik you do not have to create an event or script to resolve DNS entries. You just add the DNS name to the firewall address-list and the router will check and update it regularly.


@terintamel could you post an example of this by chance?

Hello @DigitalMan2020,

I think terintamel meant this way:

ip/firewall/address-list/add list=qualcomm address=api.qcs.qualcomm.com

We have found that in the latest RoS version it is supported.
