Can PBR use a list

I need Internet users to bypass our content filter for approved HTTPS sites.

I can create individual rules, such as this to do that:

/ip firewall mangle add chain=prerouting src-address=10.99.0.0/16 content=facebook action=mark-routing new-routing-mark=VBypass

However, I would much prefer a list I can add and remove domains from to avoid multiple, individual rules.

Is there a way to do that in MikroTik?

CCR1036-12G-4S, RouterOS v6.24

You can use a source address list, but not with content. Also content will not work with HTTPS as the sessions are encrypted. It will match any plain text that has “facebook” in your example. The only thing you can reliably match would be IP addresses.

One other option would be for you to force users to use a DNS server, or the router as their DNS server, and have a static entry for domains that you do not want to allow. This wouldn’t prevent them from going to a proxy however.

OK.. I created three address lists:

/ip firewall address-list> print
Flags: X - disabled, D - dynamic
     LIST      ADDRESS           TIMEOUT
 0   Google1   216.58.0.0/16
 1   Google2   74.125.0.0/16
 2   Google3   173.194.0.0/16
[admin@LCTN-FW] /ip firewall address-list>

What would be the proper syntax for the prerouting chain that would send all the traffic destined for the three lists out the default gateway, but route everything else through the verizon443 content filter (10.10.1.85)?

I tried a number of configurations, with includes and excludes of lists, but I am not getting it to work. It seems like it either does not traverse the rules, or executes the last one on the list regardless of preceding rules.

Give every address-list entry the same list name, so you can reference the whole list with one rule.

/ip firewall address-list add address=216.58.0.0/16 list=Google
/ip firewall address-list add address=74.125.0.0/16 list=Google
/ip firewall address-list add address=173.194.0.0/16 list=Google
/ip firewall mangle add chain=prerouting dst-address-list=Google action=mark-routing new-routing-mark=VBypass in-interface=<LAN PORT>

Then you need a routing rule that uses that routing table.

/ip route add dst-address=0.0.0.0/0 gateway=10.10.1.85
/ip route add dst-address=0.0.0.0/0 routing-mark=VBypass gateway=<Bypass IP>
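The answer above assembled into one script, as an added example that is not from the thread or from MikroTik. Names and values not stated in the posts are assumptions: the LAN interface ether2, the direct Internet gateway 192.0.2.1, the list name Bypass and the comments. Two points a practitioner should check before pasting it. First, mangle mark-routing rules default to passthrough=yes, so when several marking rules match the same packet the last matching rule's mark is what survives, which is the "executes the last one on the list" behaviour reported earlier in the thread; passthrough=no on the bypass rule ends processing for that packet. Second, the three /16 prefixes are Google address space far wider than any single approved site, so the bypass is exactly as broad as the list and nothing in it is per-domain.

```routeros
# Added example for RouterOS 6.x (not the thread's own configuration).
# Assumed, not from the posts: LAN on ether2, direct gateway 192.0.2.1,
# list name "Bypass". The content filter 10.10.1.85 is from the thread.

# 1. One list, many entries. Prefixes are added and removed here;
#    the mangle rule below never has to change.
/ip firewall address-list
add list=Bypass address=216.58.0.0/16 comment="Google (from the thread)"
add list=Bypass address=74.125.0.0/16 comment="Google (from the thread)"
add list=Bypass address=173.194.0.0/16 comment="Google (from the thread)"

# 2. Mark LAN client traffic whose destination is on the list.
#    passthrough=no so no later mark-routing rule can overwrite the mark.
/ip firewall mangle
add chain=prerouting in-interface=ether2 src-address=10.99.0.0/16 \
    dst-address-list=Bypass action=mark-routing new-routing-mark=VBypass \
    passthrough=no comment="Approved destinations: skip the content filter"

# 3. Routes. Unmarked traffic follows the main table to the filter;
#    packets carrying routing-mark=VBypass use the second route instead.
/ip route
add dst-address=0.0.0.0/0 gateway=10.10.1.85 comment="Default: via content filter"
add dst-address=0.0.0.0/0 gateway=192.0.2.1 routing-mark=VBypass \
    comment="Bypass: straight out (assumed ISP gateway)"

# 4. Verification: the rule's packet/byte counters must climb while a
#    client browses an approved site, and the marked route must exist.
/ip firewall address-list print where list=Bypass
/ip firewall mangle print stats where new-routing-mark=VBypass
/ip route print where routing-mark=VBypass
```

If the counters in step 4 stay at zero, the usual causes are the rule sitting below another mark-routing rule that matches first with passthrough=yes, or in-interface not being the interface the clients actually arrive on.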

Thank you… I didn't realize multiple lists could have the same name. Much easier to manage!

I will give that a whirl!

Couldn’t get it to work with the addition of a rule. However, it works with the following (renamed the list):

 3   chain=prerouting action=mark-routing new-routing-mark=verizon443
     passthrough=yes protocol=tcp src-address=10.99.0.0/16
     dst-address-list=!VBypass dst-port=443 log=no log-prefix=""
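The rule in the final post inverts the earlier answer: instead of marking listed destinations for a direct route, it marks everything that is not on the list for the filter. The post shows the mangle rule but not the routes it depends on, so here is the policy filled in end to end, as an added example that is not from the thread. The direct gateway 192.0.2.1 is an assumption; the list name VBypass, the mark verizon443 and the filter address 10.10.1.85 are from the post. Note what the matchers do: only TCP to port 443 is marked, so plain HTTP on port 80 and every other protocol follow the main table and never reach 10.10.1.85. That is fine if the filter is only meant to see HTTPS; if not, the protocol and dst-port matchers have to go, or a second rule for port 80 is needed.

```routeros
# Added example for RouterOS 6.x completing the final post's approach.
# Assumed, not from the posts: direct ISP gateway 192.0.2.1.

# Approved destinations live in one list named VBypass (prefixes from the thread).
/ip firewall address-list
add list=VBypass address=216.58.0.0/16
add list=VBypass address=74.125.0.0/16
add list=VBypass address=173.194.0.0/16

# Deny-list style marking: LAN HTTPS to anything NOT on the list gets the
# verizon443 mark. passthrough=no (the post used the default, yes) so a
# later marking rule cannot replace the mark.
/ip firewall mangle
add chain=prerouting protocol=tcp dst-port=443 src-address=10.99.0.0/16 \
    dst-address-list=!VBypass action=mark-routing new-routing-mark=verizon443 \
    passthrough=no comment="Unapproved HTTPS: send to content filter"

# Main table is the direct path; only marked packets go to the filter.
/ip route
add dst-address=0.0.0.0/0 gateway=192.0.2.1 \
    comment="Main: direct (approved HTTPS, all non-443 traffic)"
add dst-address=0.0.0.0/0 gateway=10.10.1.85 routing-mark=verizon443 \
    comment="Marked tcp/443 only: via content filter"

# Check which traffic is actually being marked.
/ip firewall mangle print stats where new-routing-mark=verizon443
```

Adding a destination to VBypass now exempts it from the filter; removing it sends its HTTPS traffic back through 10.10.1.85, with no change to the mangle rule either way.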