Direct specific content through VPN
Posted: Wed May 15, 2019 10:57 am
by matiaszon
Is there any way to route traffic by specific content through VPN? Not just by domains and/or IPs, but by content of the site?
Re: Direct specific content through VPN
Posted: Wed May 15, 2019 2:01 pm
by Anumrak
Hey. It is better by IP addresses, because you deal with a router, not specific hardware. Content is at layer 7, so it can be done, but it's very hard to do on a CPU. You should google for topics like "layer 7 filtering/marking on MikroTik".
Re: Direct specific content through VPN
Posted: Wed May 15, 2019 2:21 pm
by Sob
Generally no. You need to be able to identify such content soon enough. It can work with something like UDP DNS packets, because you can see the data immediately in the first packet. But anything TCP starts with a useless SYN packet, and any identifiable content comes only later, but by then it's too late.
Re: Direct specific content through VPN
Posted: Thu May 16, 2019 3:30 pm
by tslytsly
You could mark based on TLS SNI.
Do this in the mangle prerouting chain, like this (note the passthrough on the first rule):
/ip firewall mangle
add action=mark-connection chain=prerouting comment="First mark the connection based on TLS SNI" connection-mark=no-mark new-connection-mark=RouteViaVPN passthrough=yes protocol=tcp tls-host=*facebook.com
add action=mark-routing chain=prerouting comment="Give connections with mark RouteViaVPN their own routing mark" connection-mark=RouteViaVPN new-routing-mark=RouteViaVPN passthrough=no
Then have a route in the routing table that sends packets with that routing mark out your VPN:
/ip route
add gateway=VPN routing-mark=RouteViaVPN
Re: Direct specific content through VPN
Posted: Thu May 16, 2019 6:29 pm
by Sob
You can mark it and you can route it, but the problem is, start of the connection already went elsewhere.
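The following is an added example, not code from any of the posters or from MikroTik. It shows in plain Python what the two replies above are arguing about: an SNI matcher like the tls-host rule only gets a hostname once the TLS ClientHello arrives, which is the third packet the client sends, so the SYN and the handshake ACK have already left via the default route before any mark can be set. The ClientHello builder, the packet list and the hostnames are constructed for this example; the record/handshake layout and the server_name extension parsing follow RFC 5246 / RFC 6066, and the wildcard match uses fnmatch as a stand-in for RouterOS's tls-host glob (an assumption, not a claim about how RouterOS implements it).

```python
import fnmatch
import struct


def build_client_hello(sni):
    """Constructed TLS 1.2-style ClientHello record; sni=None omits the extension."""
    body = b"\x03\x03" + bytes(32)           # client_version + random
    body += b"\x00"                           # empty session_id
    cipher_suites = b"\x13\x01\x13\x02"
    body += struct.pack("!H", len(cipher_suites)) + cipher_suites
    body += b"\x01\x00"                       # one compression method: null
    exts = b""
    if sni is not None:
        host = sni.encode("ascii")
        name = b"\x00" + struct.pack("!H", len(host)) + host   # name_type host_name
        sni_list = struct.pack("!H", len(name)) + name
        exts += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(payload):
    """Return server_name from a complete ClientHello in `payload`, else None.
    Empty payloads (SYN, bare ACK) and truncated records yield None."""
    if len(payload) < 5 or payload[0] != 0x16:        # not a TLS handshake record
        return None
    rec_len = struct.unpack("!H", payload[3:5])[0]
    rec = payload[5:5 + rec_len]
    if len(rec) != rec_len or len(rec) < 4 or rec[0] != 0x01:
        return None
    hs_len = int.from_bytes(rec[1:4], "big")
    hs = rec[4:4 + hs_len]
    if len(hs) != hs_len:
        return None
    pos = 2 + 32                                      # skip client_version + random
    try:
        sid_len = hs[pos]; pos += 1 + sid_len
        cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2 + cs_len
        cm_len = hs[pos]; pos += 1 + cm_len
        if pos + 2 > len(hs):                         # no extensions block at all
            return None
        ext_total = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4]); pos += 4
            ext = hs[pos:pos + ext_len]; pos += ext_len
            if ext_type == 0x0000 and len(ext) >= 5 and ext[2] == 0x00:
                name_len = struct.unpack("!H", ext[3:5])[0]
                return ext[5:5 + name_len].decode("ascii", "replace")
    except (IndexError, struct.error):
        return None
    return None


# Constructed client-to-server packets of one HTTPS connection, in send order.
CLIENT_PACKETS = [
    ("SYN", b""),
    ("ACK (handshake complete)", b""),
    ("ClientHello", build_client_hello("www.facebook.com")),
    ("application data", b"\x17\x03\x03\x00\x10" + bytes(16)),
]


def first_decidable_packet(packets):
    """Index of the first packet whose bytes reveal the hostname, plus the name."""
    for i, (_, payload) in enumerate(packets):
        host = extract_sni(payload)
        if host:
            return i, host
    return None


def simulated_route(packets, pattern):
    """Mimic the mangle rules: set a connection mark when SNI matches `pattern`,
    route that packet and every later one in the connection via the VPN."""
    routes, marked = [], False
    for _, payload in packets:
        if not marked:
            host = extract_sni(payload)
            marked = bool(host) and fnmatch.fnmatchcase(host, pattern)
        routes.append("VPN" if marked else "default")
    return routes


if __name__ == "__main__":
    print(first_decidable_packet(CLIENT_PACKETS))
    print(simulated_route(CLIENT_PACKETS, "*facebook.com"))
```

Running it shows the decision point is packet index 2 and the per-packet routes are default, default, VPN, VPN: the server at the far end sees the SYN arrive from your ISP address and the rest of the same connection from the VPN address, which is why Sob says the start of the connection has already gone elsewhere. A ClientHello with no server_name extension, or one cut off mid-record, returns None, so the rule would never fire for it.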