Hi there.
I've got MT 4.3 on RB450G up and running. I need to restrict access to some social network sites. With layer-7 feature i've managed to achieve what need, but I want to minimize overhead of L7 usage so I want to ban this sites by IP first. The problem is that some host names have more than one IP address assigned to them and :resolve returns only first of this IPs. Any way to get other IPs? I've tried to add them all statically, but list changes from week to week =(
Thx.
Re: Some issues with resolve
proxy is not an option =(
question still open how to get other ip's for the host name not only first one
question still open how to get other ip's for the host name not only first one
Re: Some issues with resolve
Code: Select all
C:\Documents and Settings\Chups>nslookup google.com
Server: ns1.infolan.by
Address: 192.168.0.8
Non-authoritative answer:
Name: google.com
Addresses: 74.125.67.100, 74.125.45.100, 74.125.53.100
C:\Documents and Settings\Chups>Re: Some issues with resolve
yep with nslookup no problems
the question is how to do this on mikrotik inside a script using resolve or similar command
the question is how to do this on mikrotik inside a script using resolve or similar command
Re: Some issues with resolve
If you have DNS enabled on your RouterOS, the IP it resolves is the same IP the client will get for a given website. Keep in mind, many sites use many servers for a given domain, making it almost impossible to detect an IP, even if you had all IPs for a given domain. Ex. server1.domain.com, server2.domain.com, server3.domain.com.
The built-in web-proxy on RouterOS is a much better solution, as it let's you restrict *.domain.com.
The built-in web-proxy on RouterOS is a much better solution, as it let's you restrict *.domain.com.
Re: Some issues with resolve
so why proxy is not an option?
Re: Some issues with resolve
we have 2 ISP here so 2 possible routes for real traffic. Now it determines routing table for packet based on client IP address.so why proxy is not an option?
The problem is that I do not know how to split client traffic based on criteria mentioned above when using proxy.
Now my configuration looks like this:
Code: Select all
/ip firewall mangle
add action=mark-routing chain=prerouting comment="NAT Forward to ISP1" \
disabled=no new-routing-mark=isp1-rm \
passthrough=yes src-address-list=nat2isp1
add action=mark-routing chain=prerouting comment="NAT Forward to ISP2" \
disabled=no new-routing-mark=isp2-rm \
passthrough=yes src-address-list=nat2isp2
/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no out-interface=XConfig
add action=src-nat chain=srcnat comment="" disabled=no out-interface=MG routing-mark=isp2-rm to-addresses=xxx.xxx.xxx.xxx
Re: Some issues with resolve
even with proxy you can simply do any load-balancing scheme (for example, PCC-based)
Re: Some issues with resolve
it's not a load balancing just fixed ISP for fixed IPseven with proxy you can simply do any load-balancing scheme (for example, PCC-based)
Btw if I use proxy how router will see src|dst address? For NAT src address will be router's address or am I wrong?
Re: Some issues with resolve
yes, src-address will be router's address, and 'chain' will be 'output'
Re: Some issues with resolve
SO that's why proxy is not an option.
Still an open question WHY resolve could not return all IPs in list context and WHEN it will be implemented? =)
Still an open question WHY resolve could not return all IPs in list context and WHEN it will be implemented? =)
Re: Some issues with resolve
?..SO that's why proxy is not an option.