[HOW-TO] set up Mikrotik router firewall to pass AFC traffic only

Problem statement: the AFC server is located in the cloud and uses dynamic IP addressing. ISP infrastructure management networks should not be accessible from the Internet, and their hosts should only be able to reach the AFC service. A firewall rule that follows DNS changes dynamically must therefore be created.

Preconditions in this example:

  • MikroTik router in NAT mode.
  • MikroTik router configured as Default GW and DNS server for LAN devices.
  1. On the MikroTik router, create a new event in System > Scheduler (for example every hour, starting at startup; the entry needs the read, write and test policies, since :resolve requires test) with this script as its on-event. It resolves each AFC hostname and then rebuilds the address list "qualcomm-afc" from the router's DNS cache:
:local urls {"api.qcs.qualcomm.com"; "location.qcs.qualcomm.com"; "afcapi.qcs.qualcomm.com"; "afcapi.canada.qcs.qualcomm.com"}
# Start from an empty list so addresses that have disappeared from DNS are dropped
/ip firewall address-list remove [find list=qualcomm-afc]

:foreach url in=$urls do={
    # Force the DNS entries to be cached on the router
    :do {
        :resolve $url;
    } on-error={
        :log error "dns resolve failure: $url"
    }

    # Walk every cached A record for this name; CNAME entries carry a hostname in
    # "data" rather than an address, so they are skipped instead of failing the add
    :foreach dnsRecord in=[/ip dns cache all find where (name=$url && type="A")] do={
        :local newAddress [/ip dns cache all get $dnsRecord data];
        :do {
            /ip firewall address-list add list=qualcomm-afc address=$newAddress comment=$url;
        } on-error={
            :log error "error when adding ip to list: $newAddress"
        }
    }
}
  2. Create a new firewall rule to allow traffic from your network to the IP addresses in the list "qualcomm-afc". Place it above whatever rule drops the rest of the management network's outbound traffic; the drop rule is what turns this into "AFC only":
/ip firewall filter add chain=forward action=accept protocol=tcp dst-port=443 dst-address-list=qualcomm-afc comment="Allow traffic to AFC IPs"
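The two steps above leave out the pieces that make the policy restrictive: the scheduler entry that runs the script, and the drop rule that blocks everything else. The following is an added example, not part of the original post. It assumes the management LAN is 10.10.0.0/24, the upstream interface is in the interface list "WAN", the step-1 script has been saved as a /system script named "afc-update", and the list name "qualcomm-afc" matches the script; all of these names are assumptions.

```routeros
# Added example (not from the original post). Assumed names: management LAN
# 10.10.0.0/24, interface list "WAN", /system script "afc-update", chain
# "afc-only". The list name "qualcomm-afc" matches the step-1 script.

# Run the step-1 resolver script once at boot and then every hour.
# :resolve needs the "test" policy in addition to read/write.
/system script set [find name=afc-update] policy=read,write,test
/system scheduler add name=afc-refresh start-time=startup interval=1h \
    on-event="/system script run afc-update" comment="Refresh qualcomm-afc address list"

/ip firewall address-list
add list=mgmt-networks address=10.10.0.0/24 comment="ISP management LAN (assumed)"

/ip firewall filter
# Internet-bound traffic from the management LAN is evaluated in its own chain
add chain=forward src-address-list=mgmt-networks out-interface-list=WAN \
    action=jump jump-target=afc-only comment="Management LAN: AFC only"
# Replies to sessions the AFC client itself opened
add chain=afc-only connection-state=established,related action=accept
# The only new connections allowed: HTTPS to addresses currently in the list
add chain=afc-only protocol=tcp dst-port=443 dst-address-list=qualcomm-afc \
    action=accept comment="Allow traffic to AFC IPs"
# Everything else from the management LAN toward the Internet is dropped and
# logged, so a failed resolve shows up as dropped AFC traffic in the log
add chain=afc-only action=drop log=yes log-prefix="afc-only drop"
```

Two things to check after applying this. First, the management hosts use the router as their DNS server (precondition above), so their DNS queries hit the input chain, not the forward chain, and are unaffected by the drop rule; if they used an external resolver, UDP/TCP 53 would have to be allowed in the afc-only chain as well. Second, the step-1 script empties the list before refilling it, so there is a brief window on every run in which AFC connections are dropped; check the log for "afc-only drop" entries that coincide with the scheduler interval before lowering it.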

FYI, on MikroTik you do not have to create an event or script to resolve DNS entries. You just add the DNS name to the firewall address-list and the router will check and update it regularly.


@terintamel could you post an example of this by chance?

Hello @DigitalMan2020,

I think terintamel meant it this way:

ip/firewall/address-list/add list=qualcomm address=api.qcs.qualcomm.com

We have found that in the latest RoS version it is supported.