Direct specific content through VPN
Is there any way to route traffic by specific content through VPN? Not just by domains and/or IPs, but by content of the site?
Re: Direct specific content through VPN
Hey. It is better by IP addresses, because you deal with a router, not specific hardware. Content is a layer 7, so it can be done, but it's very hard to do on a CPU. You should google for topics "layer 7 filtering/marking on mikrotik".
Re: Direct specific content through VPN
Generally no. You need to be able to identify such content soon enough. It can work with something like udp dns packets, because you can see data immediately in first packet. But anything tcp starts with useless syn packet and any identifiable content comes only later, but it's too late.
Re: Direct specific content through VPN
You could mark based on TLS SNI.
Do this in the mangle pre-routing chain
like this (note the passthrough for the first rule):
Then have a route in the table that send packets with that routing mark out your vpn:
Do this in the mangle pre-routing chain
like this (note the passthrough for the first rule):
Code: Select all
/ip firewall mangle
add action=mark-connection chain=prerouting comment="First mark based on TLS SNI" connection-mark=no-mark new-connection-mark=RouteViaVPN passthrough=yes protocol=tcp tls-host=*facebook.com
add action=mark-routing chain=prerouting comment="Mark connections with mark RouterViaVPN with their own routing mark" connection-mark=RouteViaVPN new-routing-mark=RouteViaVPN pasthrough=no
Code: Select all
/ip routeCode: Select all
/ip route
add gateway=VPN routing-mark=RouteViaVPN
Re: Direct specific content through VPN
You can mark it and you can route it, but the problem is, start of the connection already went elsewhere.