MikroTik

You can set DST port 8080 but this will work only with speedtest.net, all servers or OOKLA use port 8080.

It is not possible to make rules for someone else's router when they have not posted an export of their current configuration.

It is not possible to make rules for someone else's router when they have not posted an export of their current configuration.

nothing possible in mikrotik

Nothing impossible in mikrotik the problem sloved

solution :
replace youtube for any website or ip want

Nothing impossible in mikrotik the problem sloved

solution :
replace youtube for any website or ip want

Yes, THAT is not a problem. The problem is to make this work "for any speedtest" as you originally asked!
You cannot know the IP and not even the DNS name of every speedtest in advance. That is where it fails.

How does your solution work when you go to http://44.137.42.33/ ??
Or even when you go to http://speedtest.pi9noz.ampr.org/ which is the DNS name of that address?

@pe1chl

@telecomnetwork2022:
@pe1chl is absolutely right, and it is perfectly useless to contradict him,
it is impossible to know in advance all the names and all the IPs of the dozens of thousands of speedtests that exist.

Just for example, not all speedtest have speed and test on name:
speedsmart . net
fast . com
meter . net
etc.

And tag "speed" you can broken connection, for example for "speed pay", "fast pay", etc.

(and with TLS 1.3 any "TLS" rule is absolutely useless)

no connection will not broken just he go to another isp in mikrotik are thats right

no connection will not broken just he go to another isp in mikrotik are thats right

I do not want go on details, but, for example, simply the payment platform want the same IP,
if one of called subdomains or domain with other names is reached with the other IP,
for security reason can not be completed the payment.

it is impossible to know in advance all the names and all the IPs of the dozens of thousands of speedtests that exist.

it is impossible to know in advance all the names and all the IPs of the dozens of thousands of speedtests that exist.

...and the lists are constantly changing, the same site can very well have different IPs for each test done.

Ok, you don't like to get the point, I don't like to answer this again.

How does your solution work when you go to http://44.137.42.33/ ??
Or even when you go to http://speedtest.pi9noz.ampr.org/ which is the DNS name of that address?

Just Write *ampr* in TSL host and the rule will automaticly add all ips and domain to the new list

no connection will not broken just he go to another isp in mikrotik are thats right

Just Write *ampr* in TSL host and the rule will automaticly add all ips and domain to the new list

That will not work because this server does not use TLS. Furthermore, it would be unwarranted because the ampr.org domain contains many services and only a few speedtest servers.

It also is not clear why you want all this at all. It seems like you are bothered by the fact that the users reveal that your traffic is sometimes routed via ISP #2, that must be hidden from them.
However, what if they instead of a speedtest visit a "what is my IP" site? E.g. whatismyip.com. That will display the same (or even more) information.
Are you going to redirect those to ISP #1 as well? Where does it end?

no connection will not broken just he go to another isp in mikrotik are thats right

That is not really true, the first connection to any site that matches your criteria is likely to be broken. You cannot route a TCP connection that is already established halfway through.

oH ? Are you mean the server can route just one connection in same time ?

oH ? Are you mean the server can route just one connection in same time ?

No, what I mean is: when loadbalancing has initiated a connection via ISP #2 and you detect that using your TLS host rule, it is too late to reroute that to ISP #1.
Depending on how you do the rerouting, the connection will either fail or it will complete via ISP #2 (and only the next connection will be rerouted).

1. client sends TCP packet without payload, only meaningful thing is SYN flag
2. server sends reply without any payload. The only meaningful thing are SYN+ACK flags
3. client sends anotger packet. Most often is again without payload, only ACK flag. Sometimes this packet carries some payliad, but not often
4. client sends payload, which in TLS case carries SNI (in v1.2 and earlier it's plaintext, in v1.3 it's encrypted as well)
5. server sends TLS feedback
6. data exchange starts

No. The way TCP works (TLS is no exception) is this:

1. client sends TCP packet without payload, only meaningful thing is SYN flag
2. server sends reply without any payload. The only meaningful thing are SYN+ACK flags
3. client sends anotger packet. Most often is again without payload, only ACK flag. Sometimes this packet carries some payliad, but not often
4. client sends payload, which in TLS case carries SNI (in v1.2 and earlier it's plaintext, in v1.3 it's encrypted as well)
5. server sends TLS feedback
6. data exchange starts

So only in step #4 it's possible to re-route request via another ISP (if that's what you want) and that's waaay too late to "save" the connection ... and server will drop connection (because change in SRC address will be seen as invalid connection from the new SRC address). And this really doesn't depend on rule priority on router/firewall ...
If address list updating works as intended, the next connection attempt will be routed towards ISP#2 already in step #1 and connection will eventually succeed.

Thank for everybody What matters is that my issue has been resolved

Thank for everybody What matters is that my issue has been resolved

We don't think so. Either you had no issue at all, or it has not been (completely) resolved. Because that is impossible.