I have a NAT-ed network.
I’m trying to forward all or some outgoing web traffic (port 80) for users in a specific address list to an internal web server where I can display some custom messages. It sort of works, but not as I’d expect.
Here is the rule:
What it should do is redirect every 100/3 = 33rd connection to the internal web server. It does that just fine. But the problem is that it redirects ALL users, not just the ones in the Small_user list (Firewall / Address Lists).
What I have in Address Lists is 20-30 Normal_user entries, and everyone else defined as Small_user via 10.0.0.0/8.
What’s wrong with this setup? I only want the unregistered addresses to land on the internal web server.
The problem with the 10.0.0.0/8 would be that it would include the router’s own IP address too (10.0.0.1), which is probably why it redirects all the users.
Sorry, that was a mistake. I was experimenting with src-address and in-interface, so that bit was left over. It behaves exactly the same with and without src-address=10.0.0.0/8.
Here you go.
Please note that the rule in question is the first dst-nat rule, and it's currently DISABLED.
NAT:
#######################################################
I don’t see what the problem is. The router is doing exactly what you’re telling it to, which is to redirect people whose source address matches 10/8 with a chance of 3%. You’re specifically telling it to do that twice: once via a match on src-address, and then again with a match on a source address list that contains only 10/8.
If you only want a few people to see the redirect, you’ll have to specify a source address list that doesn’t encompass the entire 10/8 space, but rather has many entries for /32s. I don’t understand what you mean by ‘unregistered’ user in your original post. Are you referring to anyone not on ANY ONE of the other address lists (Normal_user, Business_user, Servers)? You could make that work with a custom chain you bail out of:
/ip firewall nat
add action=jump chain=dstnat disabled=no dst-port=80 protocol=tcp src-address=10.0.0.0/8 jump-target=randomRedirect comment="everyone on 10/8 gets investigated on whether they should be redirected"
add action=return chain=randomRedirect src-address-list=Business_user comment="abort if they are on the Business_user list"
add action=return chain=randomRedirect src-address-list=Normal_user comment="abort if they are on the Normal_user list"
add action=return chain=randomRedirect src-address-list=Servers comment="abort if they are on the Servers list"
add action=dst-nat chain=randomRedirect random=3 to-address=10.99.1.99 to-ports=80 comment="everyone still left is unregistered and has a 3% chance of seeing a redirect"
That first rule (the one in the dstnat chain) should again go to the top of everything.
If that still doesn’t help you, please describe in detail what you are trying to achieve.
I think you hit the nail on the head with your custom chain.
Basically, I want to redirect everyone who is NOT in the Business, Normal or Servers list. So that means Small_users. But I guess my dst-nat rule was just too simple.
Funny, but my queue tree works fine with the exact same address lists. Business, Normal, Server and Small users get their respective queues with their own bandwidths and priorities. That works just fine. But the dst-nat doesn’t… hmmm?
I’ll implement your custom chain, but just by looking at it I suspect it will work just the way I want it to. Thank you!
Order matters. In simple queues there’s only one action (rate limit), so if you have more specific entries that match at the top of the list, anyone who falls through to the bottom is caught by a very generic entry (such as an address list containing just 10/8). Additionally, there’s just one list: the list of queues.
You can’t apply that to a situation where there are many lists (many chains) and many actions, and particularly not if you put the extremely broad filter (10/8) right at the top instead of putting it at the bottom.
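The following is an added illustration, not part of any post in this thread and not RouterOS code: a small Python model of RouterOS first-match chain evaluation, run over the original poster's single-rule approach and over the jump/return custom chain from the answer above. The address-list contents and the source IPs are constructed sample data; the "random" matcher is modelled as RouterOS documents it (match with the given percentage probability), and only the matchers used in the thread are implemented. It shows concretely why a Small_user list containing 10/8 redirects Normal_user hosts too, and why the return rules in the custom chain fix that.

```python
"""Model of RouterOS first-match NAT evaluation for the two rule sets in the thread.

Added example with constructed data; it is not a RouterOS API and only models
the matchers the thread uses (protocol, dst-port, src-address,
src-address-list, random) and the actions jump, return and dst-nat.
"""
import ipaddress
import random

# Constructed address lists in the shape the thread describes: a few /32s per
# named list, and Small_user covering the whole 10/8 (so it also contains
# every Normal_user, Business_user and Servers address).
ADDRESS_LISTS = {
    "Business_user": ["10.0.1.10"],
    "Normal_user": ["10.0.2.20", "10.0.2.21"],
    "Servers": ["10.0.0.5"],
    "Small_user": ["10.0.0.0/8"],
}

# The original poster's approach: one dst-nat rule keyed on the Small_user list.
BROKEN_CHAINS = {
    "dstnat": [
        {"action": "dst-nat", "protocol": "tcp", "dst-port": 80,
         "src-address-list": "Small_user", "random": 3,
         "to-address": "10.99.1.99"},
    ],
}

# The answer's custom chain: jump for all of 10/8, bail out for the known
# lists, then the 3% redirect for whoever is still left.
FIXED_CHAINS = {
    "dstnat": [
        {"action": "jump", "protocol": "tcp", "dst-port": 80,
         "src-address": "10.0.0.0/8", "jump-target": "randomRedirect"},
    ],
    "randomRedirect": [
        {"action": "return", "src-address-list": "Business_user"},
        {"action": "return", "src-address-list": "Normal_user"},
        {"action": "return", "src-address-list": "Servers"},
        {"action": "dst-nat", "random": 3, "to-address": "10.99.1.99"},
    ],
}


def in_address_list(ip, list_name):
    """True if ip falls inside any entry (host or prefix) of the named list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False)
               for entry in ADDRESS_LISTS[list_name])


def rule_matches(rule, pkt, rng):
    """All matchers present on the rule must agree; absent matchers are wildcards."""
    if "protocol" in rule and rule["protocol"] != pkt["protocol"]:
        return False
    if "dst-port" in rule and rule["dst-port"] != pkt["dst-port"]:
        return False
    if "src-address" in rule and ipaddress.ip_address(pkt["src"]) not in \
            ipaddress.ip_network(rule["src-address"], strict=False):
        return False
    if "src-address-list" in rule and not in_address_list(pkt["src"], rule["src-address-list"]):
        return False
    # random=N matches with probability N percent.
    if "random" in rule and rng.random() * 100 >= rule["random"]:
        return False
    return True


def evaluate(chains, pkt, rng, chain="dstnat"):
    """Walk a chain top to bottom; return the dst-nat to-address, or None if untouched.

    A jump whose target chain returns (or runs out of rules) resumes at the
    next rule of the calling chain, as on the router.
    """
    for rule in chains[chain]:
        if not rule_matches(rule, pkt, rng):
            continue
        action = rule["action"]
        if action == "jump":
            verdict = evaluate(chains, pkt, rng, rule["jump-target"])
            if verdict is not None:
                return verdict
            continue
        if action == "return":
            return None
        if action == "dst-nat":
            return rule["to-address"]
        raise ValueError("unmodelled action: %s" % action)
    return None


def redirect_counts(chains, sources, trials=2000, seed=1):
    """For each source address, count how many of `trials` port-80 connections get redirected."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    counts = {}
    for src in sources:
        pkt = {"src": src, "protocol": "tcp", "dst-port": 80}
        counts[src] = sum(evaluate(chains, pkt, rng) is not None for _ in range(trials))
    return counts


if __name__ == "__main__":
    # Constructed hosts: a Normal_user, a server, and an unlisted 10/8 address.
    sample = ["10.0.2.20", "10.0.0.5", "10.200.7.7"]
    for name, chains in (("broken", BROKEN_CHAINS), ("fixed", FIXED_CHAINS)):
        print(name, redirect_counts(chains, sample))
```

Under the single-rule set every 10/8 host, registered or not, is redirected about 3% of the time, because the Small_user list is a superset of the other lists and a rule has no notion of "not on another list". Under the custom chain the three return rules consume the registered hosts before the dst-nat rule is reached, so only the unlisted 10/8 host is ever redirected; this is the same first-match reasoning the reply above gives for why the broad 10/8 entry must come after the specific ones.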