Layer 7 protocols not working

kgninfos · Fri Jan 11, 2013 3:57 pm

Hello
i was using layer 7 based traffic prioritization on ros v 5.22 and was working fine
but in ROS v6 rc6 it's not working

i used the guide at
http://wiki.mikrotik.com/wiki/Basic_tra ... _protocols

Mon Jan 14, 2013 6:42 pm

You have to specify used pattern at least, however note that most of l7 protocol does not provide 100% effect for marking traffic.

kgninfos · Tue Jan 15, 2013 5:57 am

the pattern is already specified in the example

and also it was working in v 5.22

Tue Jan 15, 2013 3:17 pm

Example has too much layer7 patterns. Please be more specific about pattern that does not work.

kgninfos · Tue Jan 15, 2013 6:48 pm

none of the pattern are working as of now
that is why i told "Layer 7 protocols filter not working"

Wed Jan 16, 2013 3:34 pm

I've used default patter for HTTP,

/ip firewall layer7-protocol> print detail
0 ;;; http
name="http" regexp="http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9] [\x09-\x0d -
~]*(connection:|content-type:|content-length:|date:)|post [\x09-\x0d -
~]* http/[01]\.[019]"

/ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
1 chain=forward action=log layer7-protocol=http log-prefix=""
[admin@MikroTik] /ip firewall filter> print d

/ip firewall filter> print stats
Flags: X - disabled, I - invalid, D - dynamic
# CHAIN ACTION BYTES PACKETS
1 forward log 44 920 191

/system package print detail
5 name="system" version="6.0rc7" build-time=jan/09/2013 14:32:00
scheduled=""

kgninfos · Wed Jan 16, 2013 3:59 pm

ok i deleted all entry and created again
and surprisingly it worked

Thank you all

cthompson · Wed Jul 29, 2015 3:22 pm

revival of a dead thread.

I have blocked FB via a drop rule in the forward chain as FB does not play as well as I had hoped with layer 7 packet matching and blocks other sites required for business here.

I have added an exception for my machine at the top of the chain.

      chain=forward action=accept protocol=tcp src-address=192.168.20.196 src-port=80,443,53 log=no log-prefix=""

the above does not function or allow my traffic through.

however, if I modify this to not have the src-port set, the rule matches and works as expected.

    chain=forward action=accept protocol=tcp src-address=192.168.20.196 log=no log-prefix=""

Now the fun part.

I have a layer 7 rule to match 'twitter'
the regular expression for matching states:

^.+(twitter.com).*$

and it is enabled in the forward chain

39    ;;; BLOCK TWITTER
      chain=forward action=reject reject-with=icmp-host-prohibited layer7-protocol=Twitter log=no log-prefix=""

it is matched and blocks traffic even despite the exception for my specific ip address above.

What am I missing within the configuration here in order to allow exceptions to work for both direct forward chain rules as well as layer 7 rules?

Thank-You,

Layer 7 protocols not working

Layer 7 protocols not working

Re: Layer 7 protocols not working

Re: Layer 7 protocols not working

Re: Layer 7 protocols not working

Re: Layer 7 protocols filter not working

Re: Layer 7 protocols not working

Re: Layer 7 protocols not working

Re: Layer 7 protocols not working