I would really love to see an option added to the various /ip filter XX commands (FW,NAT,MANGLE), that allows you set a timeout= to disable option (ie a countdown). Exactly like we currently have on dynamic IP address-list entries.
We often will have to make a quick/temporary FW or NAT rule for a customer (or a remote admin) , and rather than needing to remember to go back and disable the temporary rule, this would be a much easier/better solution. (as myself or other admins may forget to go back and disable/delete the temporary rule, when dealing with 100s of mikrotiks in field).
Example:
A customer needs a temporary dst-nat rule (and maybe FW also) added so that they can remote access VNC to a local network device, while they are traveling out of town only for a weekend.
So we would need to add a dst-nat action=netmap rule with src-address=(IP of their hotel). (and maybe also a FW accept rule).
We would only want this to be enabled for the 3 days customer is out of town, so we would set the "timeout=3d 00:00:00" and at the end of 3d, ROS would disable (or delete?) the rule.
Persistence across router reboots would be nice, but is not a requirement for this. (even if timeout starts over, after a reboot, this is still better than relying on a human to remember to winbox/ssh back into this router, and disable the rule).
Ofcourse there are other, more complicated, ways to accomplish this now (but above is just one example of how a timeout= option on FW/NAT/MANGLE rules could be helpful).
thanks!
Feature Request: Countdown TIMER on FW / NAT rules
Last edited by jo2jo on Mon Jun 03, 2019 12:33 am, edited 1 time in total.
Re: Feature Request: Countdown TIMER on FW / NAT rules
+1
Even if it's possible to match rules on an adress list with one IP with timeout to get a similar result it is quite cluttered.
Even if it's possible to match rules on an adress list with one IP with timeout to get a similar result it is quite cluttered.
Re: Feature Request: Countdown TIMER on FW / NAT rules
agreed, this above is one of the "rough" work-arounds i was referring to.+1
Even if it's possible to match rules on an adress list with one IP with timeout to get a similar result it is quite cluttered.
but ofcourse this can only be taken so far (as compared to being able to put a countdown on actual ip filter/nat/mangle rules, directly). And it is a bit more cluttered/unorganized as you cited.
tks for reply / +1 . hopefully MT hears us.