
Drop them all, but allow some! How about Skype??

Posted: Wed Sep 24, 2008 10:56 am
by yudigadget
I made a simple configuration to limit internet access at our client (a tour & travel company).
So, the users can only access things that are related to their job (browsing *limited*, YM and MSN).
They (div_ticketing) can browse sites that are already listed in list_ticketing.

But I have a problem with Skype!!! I've been stuck on this for about 6 hours...
I tried adding the Skype server IPs but there are too many, likewise with ports (Skype doesn't use a static port), then I tested the L7 protocol "skypetoskype" but I still cannot open Skype.

I think the key is that the Skype connection needs to be established, then
2 ;;; Accept established connections
chain=forward action=accept connection-state=established
will allow others...

Any idea to solve this?

[admin@MikroTik] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Allow OpenDNS
chain=output action=accept dst-address=208.67.220.220

1 ;;; Allow OpenDNS
chain=output action=accept dst-address=208.67.222.222

2 ;;; Accept established connections
chain=forward action=accept connection-state=established

3 ;;; Accept related connections
chain=forward action=accept connection-state=related

4 ;;; Jump to services chain
chain=forward action=jump jump-target=services

5 ;;; Drop invalid connections
chain=forward action=drop connection-state=invalid

6 ;;; Drop everything else
chain=forward action=drop

7 ;;; DIV. TICKETING
chain=services action=accept src-address-list=div_ticketing dst-address-list=list_ticketing
dst-port=80,8080,3000,443 protocol=tcp

8 ;;; DIV. TICKETING - Allow YM
chain=services action=accept src-address-list=div_ticketing dst-address-list=list_YM

9 ;;; DIV. TICKETING - Allow MSN
chain=services action=accept src-address-list=div_ticketing dst-port=1863 protocol=tcp

Re: Drop them all, but allow some! How about Skype??

Posted: Wed Sep 24, 2008 10:58 am
by normis
I'm very surprised you managed to block skype in the first place :)

skype uses supernodes (other skype users nearby) to connect to the server, it also can look like SSL traffic, so it's very hard to track

Re: Drop them all, but allow some! How about Skype??

Posted: Wed Sep 24, 2008 11:26 am
by yudigadget
> I'm very surprised you managed to block skype in the first place :)
>
> skype uses supernodes (other skype users nearby) to connect to the server, it also can look like SSL traffic, so it's very hard to track

Yes normis, my plan is to apply this configuration in an emergency state. Sometimes the main internet connection at our client is down, so I must enable the 56K dial-up connection as a backup connection, and that very small bandwidth is shared among 20 users :shock: .
So I need to set the best internet access limitation, by limiting some groups of IPs (division), specific IPs, ports, etc.

But I think never mind... a 56K connection cannot be used for a Skype connection, right? hehe :lol:

I just want to know how to use the L7 protocol in this case (for knowledge reasons)... so it will catch the first Skype connection, then after that the connection will be established. Is that possible?
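
Added example (not part of the original thread): a simplified Python model of forward rules 2, 4 and 6 from the first post, with an optional layer-7 accept rule in the services chain. It shows why such a rule cannot admit a TCP connection under this default-deny order: the SYN carries no payload, so the pattern has nothing to match and the packet reaches rule 6. The regexp is the l7-filter project's `skypetoskype` pattern, taken as an assumption since the thread never shows it; the connection tracking and the packets are constructed.

```python
import re

# Assumption: l7-filter project's "skypetoskype" pattern (not shown in the thread).
SKYPETOSKYPE = re.compile(rb"^..\x02.{13}", re.DOTALL)

def forward_chain(packets, l7_accept=None):
    """Return one verdict per (flow, payload) packet.

    Simplification: a flow counts as established once one of its packets
    has been accepted. Rules 7-9 (address-list accepts) are left out
    because Skype peers are in none of the lists.
    """
    established = set()
    verdicts = []
    for flow, payload in packets:
        if flow in established:
            verdicts.append("accept: established (rule 2)")
        elif l7_accept is not None and l7_accept.search(payload):
            established.add(flow)
            verdicts.append("accept: L7 match (services)")
        else:
            verdicts.append("drop: everything else (rule 6)")
    return verdicts

# Constructed traffic. A TCP client can only send (and retransmit) an empty
# SYN until the handshake completes; a UDP client sends data immediately.
TCP_ATTEMPT = [("tcp-1", b""), ("tcp-1", b"")]
UDP_ATTEMPT = [("udp-1", b"\x5a\x1c\x02" + b"\x41" * 13), ("udp-1", b"\x41" * 40)]

if __name__ == "__main__":
    for name, pkts in (("tcp", TCP_ATTEMPT), ("udp", UDP_ATTEMPT)):
        print(name, forward_chain(pkts, SKYPETOSKYPE))
```
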

Re: Drop them all, but allow some! How about Skype??

Posted: Wed Sep 24, 2008 11:54 am
by mrz
You will not be able to block Skype even with L7 rules; however, you can mark Skype connections and packets in mangle and add a queue to prioritize other traffic, leaving the lowest possible bandwidth for Skype.

Re: Drop them all, but allow some! How about Skype??

Posted: Wed Sep 24, 2008 3:37 pm
by hilton
> You will not be able to block skype even with l7 rules, however you can mark skype connections and packets in mangle and add queue to prioritize other traffic leaving for skype lowest possible bandwidth.

Pray tell how would I do this please?

Re: Drop them all, but allow some! How about Skype??

Posted: Wed Sep 24, 2008 3:57 pm
by mrz
/ip firewall mangle
3 chain=forward action=mark-connection new-connection-mark=skype passthrough=yes layer7-protocol=skypetoskype
4 chain=forward action=mark-connection new-connection-mark=skype passthrough=yes layer7-protocol=skypeout
5 chain=forward action=mark-packet new-packet-mark=skype-pack passthrough=no connection-mark=skype

/queue simple
4 name="queue2" dst-address=0.0.0.0/0 interface=all parent=none packet-marks=skype-pack direction=both priority=8 queue=default/default
limit-at=1000/1000 max-limit=1000/1000 burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s total-queue=default

These rules are catching almost all chats and skype calls, but file transfers are not working with these rules.

As I said it is not possible to catch all skype traffic even with L7.
It is also possible that these rules will catch not only skype traffic packets.
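
Added example (not part of the original post): a Python check of how little the `skypetoskype` pattern constrains a payload, which is why the mangle rules above can also mark non-Skype flows. The regexp is the l7-filter project's pattern, taken as an assumption since the thread never shows it; all payloads are constructed.

```python
import re

# Assumption: "skypetoskype" pattern as published by the l7-filter project;
# the thread never shows the regexp behind the layer7-protocol name.
SKYPETOSKYPE = re.compile(rb"^..\x02.{13}", re.DOTALL)

# Constructed first payloads of four flows (none captured from a real network).
SAMPLES = {
    "skype-like udp": b"\x5a\x1c\x02" + b"\x41" * 15,
    # TLS 1.1 handshake record: type 0x16, version 0x03 0x02, so byte 3 is 0x02.
    "tls 1.1 record": bytes.fromhex("16030200310100002d0302") + b"\x41" * 16,
    "http request": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "short datagram": b"\x5a\x1c\x02\x41\x41",
}

def marked_as_skype(samples, pattern=SKYPETOSKYPE):
    """Names of the flows whose first payload the pattern would mark."""
    return sorted(name for name, data in samples.items() if pattern.search(data))

def matching_third_bytes(pattern=SKYPETOSKYPE):
    """Values of byte 3 that match when every other byte is filler."""
    return [b for b in range(256)
            if pattern.search(b"\x41\x41" + bytes([b]) + b"\x41" * 13)]

if __name__ == "__main__":
    print(marked_as_skype(SAMPLES))
    print(matching_third_bytes())
```

The pattern tests only that at least 16 bytes are present and that the third one is 0x02, so any protocol whose first payload meets those two conditions is marked and queued along with Skype.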

Re: Drop them all, but allow some! How about Skype??

Posted: Wed Sep 24, 2008 4:00 pm
by hilton
thanks mrz, much appreciated.

Re: Drop them all, but allow some! How about Skype??

Posted: Thu Dec 06, 2018 10:33 pm
by grossman
> /ip firewall mangle
> 3 chain=forward action=mark-connection new-connection-mark=skype passthrough=yes layer7-protocol=skypetoskype
> 4 chain=forward action=mark-connection new-connection-mark=skype passthrough=yes layer7-protocol=skypeout
> 5 chain=forward action=mark-packet new-packet-mark=skype-pack passthrough=no connection-mark=skype

Hello, how can I get the "skypetoskype" and "skypeout" marks?
Thanks
--
Mareg