rantwb
just joined
Topic Author
Posts: 4
Joined: Thu Oct 24, 2024 4:21 am

Mangle Rules blocked my DNS IP

Thu Oct 24, 2024 4:49 am

Hi All,
Long time reader, first time poster.
My network is running fine. I successfully implemented Layer7 protocol to block tiktok access in my home network. Wanted to explore using Mangle rules to identify tiktok ip addresses and block access using firewall rules with address list. Now, the address list generated by the Mangle rules lists my DNS address and even the router itself, bringing the entire network down.

In the YT tutorials, no one seems to have their DNS servers picked up by the mangle rules. I'm wondering if mine was picked up because I forced traffic to my defined DNS servers (so that my kid doesn't bypass blocked sites).

How do I get myself out of this? Please help. Thank you.
# 2024-10-23 23:30:56 by RouterOS 7.16.1
# software id = **ELIDED**
#
# model = RB5009UG+S+
# serial number = **ELIDED**
/interface bridge
add comment="Guest Bridge" name="Bridge GuestVLAN" port-cost-mode=short
add comment=defconf name=MasterBridge port-cost-mode=short

/interface ethernet
set [ find default-name=ether1 ] comment="2.5G WAN Port" name="ether1 WAN"

/interface vlan
add comment="VLAN Setup for Guest Network" interface=MasterBridge name=\
    GuestVLAN vlan-id=99

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip pool
add name=dhcp ranges=10.0.0.11-10.0.0.248
add name=GuestPool ranges=192.168.0.2-192.168.0.250

/ip dhcp-server
add address-pool=dhcp interface=MasterBridge lease-time=1d name=HomeDHCP
add address-pool=GuestPool interface="Bridge GuestVLAN" lease-time=2h name=\
    "Guest DHCP"

/ip smb users
set [ find default=yes ] disabled=yes

/interface bridge port
add bridge=MasterBridge comment=defconf interface=ether2 internal-path-cost=\
    10 path-cost=10
add bridge=MasterBridge comment=defconf interface=ether3 internal-path-cost=\
    10 path-cost=10
add bridge=MasterBridge comment=defconf interface=ether4 internal-path-cost=\
    10 path-cost=10
add bridge=MasterBridge comment=defconf interface=ether5 internal-path-cost=\
    10 path-cost=10
add bridge=MasterBridge comment=defconf interface=ether6 internal-path-cost=\
    10 path-cost=10
add bridge=MasterBridge comment=defconf interface=ether7 internal-path-cost=\
    10 path-cost=10
add bridge=MasterBridge comment=defconf interface=ether8 internal-path-cost=\
    10 path-cost=10
add bridge=MasterBridge comment=defconf interface=sfp-sfpplus1 \
    internal-path-cost=10 path-cost=10
add bridge="Bridge GuestVLAN" comment="Join Guest VLAN to Guest Bridge" \
    ingress-filtering=no interface=GuestVLAN internal-path-cost=10 path-cost=\
    10 trusted=yes

/ip firewall connection tracking
set udp-timeout=10s

/ip neighbor discovery-settings
set discover-interface-list=none lldp-med-net-policy-vlan=1

/ipv6 settings
set disable-ipv6=yes

/interface bridge vlan
add bridge=MasterBridge comment="Home Network UNTAGGED" untagged="MasterBridge\
    ,ether2,ether3,ether4,ether5,ether6,ether7,ether8,sfp-sfpplus1" vlan-ids=\
    ""
add bridge="Bridge GuestVLAN" comment="Guest LAN Tagging" tagged=GuestVLAN \
    vlan-ids=99

/interface list member
add comment=defconf interface=MasterBridge list=LAN
add comment=defconf interface="ether1 WAN" list=WAN
add comment="Guest Bridge definition for LAN" interface="Bridge GuestVLAN" \
    list=LAN

/ip address
add address=10.0.0.1/24 comment=defconf interface=MasterBridge network=\
    10.0.0.0
add address=192.168.0.1/24 comment="IP Range for Guest Network" interface=\
    "Bridge GuestVLAN" network=192.168.0.0

/ip dhcp-client
add comment=defconf interface="ether1 WAN" use-peer-dns=no

/ip dhcp-server network
add address=10.0.0.0/24 comment="Home network" dns-server=10.0.0.1 gateway=\
    10.0.0.1 netmask=24
add address=192.168.0.0/24 comment="Guest network definitions" dns-server=\
    10.0.0.1 gateway=192.168.0.1

/ip dns
set allow-remote-requests=yes cache-size=104857KiB servers=\
    94.140.14.15,94.140.15.16 use-doh-server=\
    https://family.adguard-dns.com/dns-query verify-doh-cert=yes

/ip dns static
add address=10.0.0.1 comment=defconf name=router.lan type=A

/ip firewall address-list
add address=10.0.0.2-10.0.0.254 list="Home IP"
add address=192.168.0.2-192.168.0.250 list="Guest IP"
add address=23.47.190.216 list=Blocked_IP
add address=184.87.193.92 list=Blocked_IP
add address=184.87.193.97 list=Blocked_IP
add address=23.47.190.208 list=Blocked_IP
add address=23.52.171.208 list=Blocked_IP
add address=184.87.193.72 list=Blocked_IP
add address=23.54.155.171 list=Blocked_IP
add address=23.52.171.226 list=Blocked_IP
add address=2.19.198.248 list=Blocked_IP
add address=94.140.15.15 list=Blocked_IP
add address=94.140.14.14 list=Blocked_IP
add address=94.140.14.15 list=Blocked_IP
add address=10.0.0.1 list=Blocked_IP
add address=96.17.180.45 list=Blocked_IP
add address=23.47.190.162 list=Blocked_IP
add address=23.45.207.199 list=Blocked_IP


/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="RT: Drop TCP (DNS) from outside WAN" \
    dst-port=53 in-interface="ether1 WAN" protocol=tcp src-address=0.0.0.0/0
add action=drop chain=input comment="RT: Drop UDP (DNS) from outside WAN" \
    dst-port=53 in-interface="ether1 WAN" protocol=udp src-address=0.0.0.0/0
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=reject chain=input comment="RT: Stop traffic to Blocked_IP" \
    disabled=yes dst-address-list=Blocked_IP reject-with=\
    icmp-network-unreachable
add action=reject chain=forward comment=\
    "RT: Blocked users from Internet [based on Firewall:Address list]" \
    reject-with=icmp-network-unreachable src-address-list="Blocked users"
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment=\
    "RT: allow Guest LAN to 10.0.0.249 [printer]" dst-address=10.0.0.249 \
    in-interface-list=LAN
add action=accept chain=forward comment="RT: Accept Guest to WAN Interface" \
    out-interface-list=WAN src-address-list="Guest IP"
add action=accept chain=forward comment="RT: Accept HomeLAN to WAN interface" \
    out-interface-list=WAN src-address-list="Home IP"
add action=accept chain=forward comment="RT: Port forwarding" \
    connection-nat-state=dstnat
add action=reject chain=forward comment=\
    "RT: Unconditional drop/reject rule at the end of forward chain" \
    reject-with=icmp-network-unreachable

/ip firewall mangle
add action=add-dst-to-address-list address-list=Blocked_IP \
    address-list-timeout=none-static chain=prerouting comment=tiktok content=\
    tiktok src-address=10.0.0.0/24
add action=add-dst-to-address-list address-list=Blocked_IP \
    address-list-timeout=none-static chain=prerouting comment=tiktokv \
    content=tiktokv src-address=10.0.0.0/24
add action=add-dst-to-address-list address-list=Blocked_IP \
    address-list-timeout=none-static chain=prerouting comment=tiktokcdn \
    content=tiktokcdn src-address=10.0.0.0/24
add action=add-dst-to-address-list address-list=Blocked_IP \
    address-list-timeout=none-static chain=prerouting comment=byteoversea \
    content=.byteoversea.com src-address=10.0.0.0/24
add action=add-dst-to-address-list address-list=Blocked_IP \
    address-list-timeout=none-static chain=prerouting comment=ibyteimg \
    content=.ibyteimg.com src-address=10.0.0.0/24
add action=add-dst-to-address-list address-list=Blocked_IP \
    address-list-timeout=none-static chain=prerouting comment=ibytedtos \
    content=.ibytedtos.com src-address=10.0.0.0/24
add action=add-dst-to-address-list address-list=Blocked_IP \
    address-list-timeout=none-static chain=prerouting comment=myqcloud \
    content=.myqcloud.com src-address=10.0.0.0/24
add action=add-dst-to-address-list address-list=Blocked_IP \
    address-list-timeout=none-static chain=prerouting comment=ttwstatic \
    content=ttwstatic src-address=10.0.0.0/24
add action=add-dst-to-address-list address-list=Blocked_IP \
    address-list-timeout=none-static chain=prerouting comment=musical.ly \
    content=.musical.ly src-address=10.0.0.0/24
add action=add-dst-to-address-list address-list=Blocked_IP \
    address-list-timeout=none-static chain=prerouting comment=zhiliaoapp \
    content=zhiliaoapp src-address=10.0.0.0/24
add action=add-dst-to-address-list address-list=Blocked_IP \
    address-list-timeout=none-static chain=prerouting comment=bytecdn \
    content=bytecdn src-address=10.0.0.0/24
add action=add-dst-to-address-list address-list=Blocked_IP \
    address-list-timeout=none-static chain=prerouting comment=byted.org \
    content=.byted.org src-address=10.0.0.0/24
add action=add-dst-to-address-list address-list=Blocked_IP \
    address-list-timeout=none-static chain=prerouting comment=footprint \
    content=.footprint.net src-address=10.0.0.0/24
add action=add-dst-to-address-list address-list=Blocked_IP \
    address-list-timeout=none-static chain=prerouting comment=wsdvs content=\
    .wsdvs.com src-address=10.0.0.0/24
add action=add-dst-to-address-list address-list=Blocked_IP \
    address-list-timeout=none-static chain=prerouting comment=worldfcdn \
    content=worldfcdn src-address=10.0.0.0/24
add action=add-dst-to-address-list address-list=Blocked_IP \
    address-list-timeout=none-static chain=prerouting comment=musemuse \
    content=.musemuse.cn src-address=10.0.0.0/24

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=accept chain=dstnat comment=\
    "Allow Player2 PC to use alternative DNS" dst-port=53 protocol=tcp \
    src-address=10.0.0.5
add action=accept chain=dstnat comment=\
    "Allow Player2 PC to use alternative DNS" dst-port=53 protocol=udp \
    src-address=10.0.0.5
add action=dst-nat chain=dstnat comment=\
    "Transparent DNS - TCP side traffic to port 53" dst-port=53 protocol=tcp \
    to-addresses=94.140.15.16 to-ports=53
add action=dst-nat chain=dstnat comment=\
    "Transparent DNS - UDP side traffic to port 53" dst-port=53 protocol=udp \
    to-addresses=94.140.14.15 to-ports=53

/ip firewall raw
add action=drop chain=prerouting comment="Reject Blocked IP" disabled=yes \
    dst-address-list=Blocked_IP

/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5

/ip route
add blackhole comment=\
    "Router does not answer LAN address from external [rule 1]" disabled=no \
    distance=1 dst-address=10.0.0.0/8 gateway="" routing-table=main \
    suppress-hw-offload=no
add blackhole comment=\
    "Router does not answer internal LAN address from external [rule 2]" \
    disabled=no distance=1 dst-address=192.168.0.0/16 gateway="" \
    routing-table=main suppress-hw-offload=no

Last edited by tangent on Thu Oct 24, 2024 5:40 am, edited 1 time in total.
Reason: Elided PII
 
mkx
Forum Guru
Posts: 13060
Joined: Thu Mar 03, 2016 10:23 pm

Re: Mangle Rules blocked my DNS IP

Thu Oct 24, 2024 7:35 am

That's because your L7 firewall rule works on all kinds of traffic, including DNS requests. Conversely, it may or may not work with the majority of "infringing" traffic, which is encrypted HTTPS ... it only works with SSL and TLS up to version 1.2 because these carry the SNI (server name indication) unencrypted; with the most recent TLS v1.3 it doesn't work any more.
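The mechanism described in the reply above, as an added example that is not part of the original thread or of RouterOS itself: a short Python model of what a mangle rule with `content=` actually inspects. The matcher is a byte-substring search over the packet payload, so a plaintext DNS query for the name (addressed to 10.0.0.1, the DNS server the posted DHCP config hands out) trips it just as readily as the SNI in a TLS ClientHello. The host names, the resolver addresses, the "Player2" PC at 10.0.0.5 and the sample packets are constructed from the posted config; `mangle_fixed()` is this editor's suggested narrowing of the rule, not something proposed in the thread.

```python
# Added example, not from the original thread or RouterOS: a model of what a
# RouterOS mangle rule with content=<string> inspects. The content matcher is a
# byte-substring search over the packet payload, so a plaintext DNS query for
# "www.tiktok.com" (sent to the router, 10.0.0.1, per the posted DHCP config)
# trips it just like the SNI in a TLS ClientHello. Hosts, addresses and packets
# below are constructed from the posted config; mangle_fixed() is the editor's
# suggested narrowing of the rule, not something proposed in the thread.
import ipaddress
import struct
from dataclasses import dataclass

HOME_NET = ipaddress.ip_network("10.0.0.0/24")   # src-address= in the posted mangle rules
ROUTER = "10.0.0.1"                              # dns-server handed out by DHCP
# Resolvers the posted config points at (router + the AdGuard addresses seen in Blocked_IP).
DNS_SERVERS = {ROUTER, "94.140.14.14", "94.140.14.15", "94.140.15.15", "94.140.15.16"}
TIKTOK_EDGE = "23.47.190.216"                    # first entry of the posted Blocked_IP list
NEEDLES = ["tiktok", "tiktokcdn", ".byteoversea.com"]  # three of the posted content= strings


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes


def dns_query(qname: str) -> bytes:
    """Minimal DNS query in wire format (RFC 1035): header, QNAME labels, QTYPE=A, QCLASS=IN.
    Dots never appear on the wire; each label is prefixed by its length byte."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def tls_client_hello(sni: str) -> bytes:
    """Minimal TLS ClientHello whose only extension is server_name; the host name is plaintext."""
    host = sni.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host              # name_type=host_name
    sni_ext = struct.pack("!HH", 0x0000, len(sni_entry) + 2) + struct.pack("!H", len(sni_entry)) + sni_entry
    body = (b"\x03\x03" + bytes(32)                # client_version, client_random (constructed, zeroed)
            + b"\x00"                              # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite
            + b"\x01\x00"                          # compression methods: null only
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def content_match(pkt: Packet, needle: str) -> bool:
    """What content=<needle> does: a case-sensitive substring search over the payload."""
    return needle.encode() in pkt.payload


def mangle_naive(packets, needles):
    """The posted rule set: add-dst-to-address-list on any content hit from HOME_NET."""
    blocked = set()
    for p in packets:
        if ipaddress.ip_address(p.src) in HOME_NET and any(content_match(p, n) for n in needles):
            blocked.add(p.dst)
    return blocked


def mangle_fixed(packets, needles, dns_servers):
    """Same rule, narrowed: never list DNS traffic or the resolvers/router themselves.
    Mangle prerouting runs before dst-nat, so a query to the router still has
    dst=10.0.0.1 when the rule fires; it has to be excluded explicitly."""
    blocked = set()
    for p in packets:
        if ipaddress.ip_address(p.src) not in HOME_NET:
            continue
        if p.dport == 53 or p.dst in dns_servers:
            continue
        if any(content_match(p, n) for n in needles):
            blocked.add(p.dst)
    return blocked


# Constructed traffic sample: a home client, the "Player2" PC that is allowed
# its own resolver, and a guest client (outside src-address=10.0.0.0/24).
SAMPLE_PACKETS = [
    Packet("10.0.0.20", ROUTER, "udp", 53, dns_query("www.tiktok.com")),
    Packet("10.0.0.20", ROUTER, "udp", 53, dns_query("www.byteoversea.com")),
    Packet("10.0.0.5", "94.140.14.14", "udp", 53, dns_query("v16.tiktokcdn.com")),
    Packet("10.0.0.20", TIKTOK_EDGE, "tcp", 443, tls_client_hello("www.tiktok.com")),
    Packet("10.0.0.20", "93.184.216.34", "tcp", 443, tls_client_hello("www.example.com")),
    Packet("192.168.0.10", TIKTOK_EDGE, "tcp", 443, tls_client_hello("www.tiktok.com")),
]

if __name__ == "__main__":
    print("posted rules list  :", sorted(mangle_naive(SAMPLE_PACKETS, NEEDLES)))
    print("narrowed rules list:", sorted(mangle_fixed(SAMPLE_PACKETS, NEEDLES, DNS_SERVERS)))
    # The dotted patterns cannot match a DNS QNAME on the wire at all:
    q = dns_query("www.byteoversea.com")
    print(".byteoversea.com in DNS query:", b".byteoversea.com" in q, "| byteoversea:", b"byteoversea" in q)
```

Two things this makes visible that the thread only implies. First, the router lands in the list because mangle prerouting runs before dst-nat: the client's query still carries dst=10.0.0.1 when `add-dst-to-address-list` fires, and the Player2 PC's direct queries add the AdGuard resolvers the same way. In RouterOS terms the narrowing above corresponds to adding `dst-address-type=!local` and a `dst-address-list=!DNS_Servers` exclusion (a list holding the resolvers used in the dst-nat rules) to each mangle rule, and clearing the entries already collected with `/ip firewall address-list remove [find list=Blocked_IP address=10.0.0.1]` (one command per bad entry). Second, the dotted patterns such as `.byteoversea.com` never match a DNS query at all, because label separators on the wire are length bytes rather than dots, while the bare `tiktok` pattern matches inside the label; only the SNI and plaintext HTTP carry the dotted form.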
 
rantwb
just joined
Topic Author
Posts: 4
Joined: Thu Oct 24, 2024 4:21 am

Re: Mangle Rules blocked my DNS IP

Thu Oct 24, 2024 8:01 am

Thank you for the insight.

Using Mangle rules, they picked up my router and DNS servers as banned IPs, bringing my whole network down.
Any way around that? Are my NAT tables causing it?
 
mkx
Forum Guru
Posts: 13060
Joined: Thu Mar 03, 2016 10:23 pm

Re: Mangle Rules blocked my DNS IP

Thu Oct 24, 2024 8:37 am

My personal view: trying to selectively block certain content (like TikTok) is becoming almost futile due to encryption everywhere ... and since trying to do it created quite some problems for you, I'd simply give up (and deal with users of "unwanted" services in other ways).
 
anav
Forum Guru
Posts: 22116
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mangle Rules blocked my DNS IP

Thu Oct 24, 2024 11:02 pm

Yup, waste of time. Education is the winner.
 
rantwb
just joined
Topic Author
Posts: 4
Joined: Thu Oct 24, 2024 4:21 am

Re: Mangle Rules blocked my DNS IP

Fri Oct 25, 2024 1:20 am

Thank you for your time and input, @mkx @anav @tangent
 
KiwiBloke
newbie
Posts: 25
Joined: Sat Jan 27, 2024 10:25 am

Re: Mangle Rules blocked my DNS IP

Fri Oct 25, 2024 10:56 am

Maybe an external DNS service like OpenDNS might help? There are video sites we have blocked successfully using OpenDNS across the network, so maybe give it a go. It would mean that no-one on your network would be able to access TikTok though, unless you manually allowed it.
 
mkx
Forum Guru
Posts: 13060
Joined: Thu Mar 03, 2016 10:23 pm

Re: Mangle Rules blocked my DNS IP

Fri Oct 25, 2024 1:15 pm

... no-one on your network would be able to access TikTok though, unless you manually allowed it.
Or if a user uses a device which has its own configuration for certain services, such as DNS over HTTPS towards the app producer's favourite DoH provider (this can be a web browser with DoH support that has the DoH server address hard-coded).

We (the network admins) really have to understand that there are so many workarounds bypassing our own configuration that we can't take anything for granted. And the reason for those workarounds to exist is (also) some state-driven limitations (and we all know which states make extra effort to limit internet access for their citizens). What we see is a by-product of efforts to get around those limits. DoH is one thing, support for various VPN technologies on every gadget is another one.
 
Kentzo
Long time Member
Posts: 627
Joined: Mon Jan 27, 2014 3:35 pm
Location: California

Re: Mangle Rules blocked my DNS IP

Fri Oct 25, 2024 9:30 pm

I recommend administratively limiting access to TikTok via Parental Controls and similar mechanisms. Pretty much every OS has it one way or another.
 
rantwb
just joined
Topic Author
Posts: 4
Joined: Thu Oct 24, 2024 4:21 am

Re: Mangle Rules blocked my DNS IP

Mon Oct 28, 2024 2:49 am

Thank you for your input
