
Some issues with resolve

Posted: Fri Dec 04, 2009 12:16 pm
by anjey
Hi there.

I've got MT 4.3 on an RB450G up and running. I need to restrict access to some social network sites. With the layer-7 feature I've managed to achieve what I need, but I want to minimize the overhead of L7 usage, so I want to ban these sites by IP first. The problem is that some host names have more than one IP address assigned to them, and :resolve returns only the first of these IPs. Any way to get the other IPs? I've tried to add them all statically, but the list changes from week to week =(

Thx.

Re: Some issues with resolve

Posted: Fri Dec 04, 2009 1:51 pm
by Chupaka

Re: Some issues with resolve

Posted: Fri Dec 04, 2009 3:39 pm
by anjey
proxy is not an option =(

The question is still open: how to get the other IPs for a host name, not only the first one.

Re: Some issues with resolve

Posted: Fri Dec 04, 2009 3:55 pm
by Chupaka
C:\Documents and Settings\Chups>nslookup google.com
Server:  ns1.infolan.by
Address:  192.168.0.8

Non-authoritative answer:
Name:    google.com
Addresses:  74.125.67.100, 74.125.45.100, 74.125.53.100


C:\Documents and Settings\Chups>

Re: Some issues with resolve

Posted: Fri Dec 04, 2009 4:01 pm
by anjey
Yep, with nslookup there are no problems.

The question is how to do this on MikroTik inside a script using resolve or a similar command.
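An added example that is not part of this thread, showing one way around the single-address limit of :resolve described above: resolve the names on another host (here with Python's getaddrinfo), collect every A record, and generate the /ip firewall address-list commands plus the add/remove diff for a periodic re-run. The list name blocked-social and the *.example host names are placeholders, and the sample answers are constructed so the demo runs offline.

```python
import socket
from ipaddress import IPv4Address


def resolve_all_ipv4(host):
    """Return every IPv4 address the stub resolver returns for host, not just the first.

    Answers are deduplicated but kept in the order seen.
    Raises socket.gaierror if the name does not resolve.
    """
    seen = []
    for _family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(host, None, socket.AF_INET):
        ip = sockaddr[0]
        if ip not in seen:
            seen.append(ip)
    return seen


def address_list_commands(list_name, hosts, resolver=resolve_all_ipv4):
    """Build RouterOS commands that put every resolved address into one address-list.

    An address shared by several hosts is emitted once, under the first host that
    produced it. Each value is validated as an IPv4 address before it is emitted,
    so an odd resolver answer cannot become a bogus firewall entry.
    """
    lines = ["/ip firewall address-list"]
    emitted = set()
    for host in hosts:
        for ip in resolver(host):
            IPv4Address(ip)  # raises ValueError on anything that is not an IPv4 address
            if ip in emitted:
                continue
            emitted.add(ip)
            lines.append('add list=%s address=%s comment="%s"' % (list_name, ip, host))
    return lines


def plan_update(current, desired):
    """Diff the addresses already in the list against the freshly resolved set.

    Returns (to_add, to_remove) so a scheduled run only touches entries that changed.
    """
    current, desired = set(current), set(desired)
    return sorted(desired - current), sorted(current - desired)


if __name__ == "__main__":
    # Constructed sample answers (documentation ranges) so the demo runs offline;
    # pass resolver=resolve_all_ipv4 (the default) to query live DNS instead.
    sample = {"social.example": ["192.0.2.10", "192.0.2.11"],
              "cdn.example": ["192.0.2.11", "192.0.2.12"]}
    for line in address_list_commands("blocked-social", sample, resolver=sample.get):
        print(line)
    print(plan_update({"192.0.2.10", "198.51.100.1"}, ["192.0.2.10", "192.0.2.11"]))
```

Blocking by address this way still only covers what the resolver returned at that moment; sites served from many hosts need the L7 or proxy rules as well.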

Re: Some issues with resolve

Posted: Fri Dec 04, 2009 4:41 pm
by fewi
You cannot.

Re: Some issues with resolve

Posted: Sat Dec 05, 2009 12:19 am
by dssmiktik
If you have DNS enabled on your RouterOS, the IP it resolves is the same IP the client will get for a given website. Keep in mind, many sites use many servers for a given domain, making it almost impossible to detect an IP, even if you had all IPs for a given domain. Ex. server1.domain.com, server2.domain.com, server3.domain.com.

The built-in web-proxy on RouterOS is a much better solution, as it lets you restrict *.domain.com.

Re: Some issues with resolve

Posted: Sun Dec 06, 2009 2:07 am
by Chupaka
So why is a proxy not an option?

Re: Some issues with resolve

Posted: Mon Dec 07, 2009 8:51 am
by anjey
So why is a proxy not an option?
We have 2 ISPs here, so 2 possible routes for real traffic. Now the routing table for a packet is determined based on the client IP address.

The problem is that I do not know how to split client traffic based on criteria mentioned above when using proxy.
Now my configuration looks like this:
/ip firewall mangle
add action=mark-routing chain=prerouting comment="NAT Forward to ISP1" \
    disabled=no new-routing-mark=isp1-rm \
    passthrough=yes src-address-list=nat2isp1
add action=mark-routing chain=prerouting comment="NAT Forward to ISP2" \
    disabled=no new-routing-mark=isp2-rm \
    passthrough=yes src-address-list=nat2isp2


/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no out-interface=XConfig
add action=src-nat chain=srcnat comment="" disabled=no out-interface=MG routing-mark=isp2-rm to-addresses=xxx.xxx.xxx.xxx


Re: Some issues with resolve

Posted: Mon Dec 07, 2009 11:43 am
by Chupaka
Even with a proxy you can simply do any load-balancing scheme (for example, PCC-based).

Re: Some issues with resolve

Posted: Mon Dec 07, 2009 1:07 pm
by anjey
Even with a proxy you can simply do any load-balancing scheme (for example, PCC-based).
It's not load balancing, just a fixed ISP for fixed IPs.

Btw, if I use a proxy, how will the router see the src/dst address? For NAT the src address will be the router's address, or am I wrong?

Re: Some issues with resolve

Posted: Mon Dec 07, 2009 1:21 pm
by Chupaka
Yes, the src-address will be the router's address, and 'chain' will be 'output'.

Re: Some issues with resolve

Posted: Tue Dec 08, 2009 11:53 pm
by anjey
So that's why a proxy is not an option.

Still an open question: WHY can't resolve return all IPs in a list context, and WHEN will it be implemented? =)

Re: Some issues with resolve

Posted: Wed Dec 09, 2009 1:09 am
by Chupaka
So that's why a proxy is not an option.
?..