Firewall or Mangle DST-ADDRESS in ip>route based on gateway ip address

Hi,

I have some routes like this. Is there any way to filter or mangle the dst-address of routes based on the gateway IP address?

 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  111.111.173.4/30                   172.16.30.12              1

The gateway IP is assigned by RADIUS. I want to drop the dst-address if the gateway IP is in 172.16.30.0/24, otherwise accept.

Any help appreciated

So are you trying to block IPs from reaching 172.16.30.12, or do you want to block the entire 172.16.30.0/24 network? Further, are you trying to block inbound or outbound to that network?

It’s not really clear what you are looking to do based on your question or the information given. If you are receiving routes from RADIUS on your router, as far as I know there is no facility to filter what you receive short of modifying what is sent to you on the RADIUS server itself. There is a filter process when using OSPF, BGP, etc. though.

If you are looking to block clients from using certain default gateways, the next-hop lookup process is not part of the information in the layer 3 packet, so you cannot prevent traffic based on that. But unless you are filtering a network through a bridge, you wouldn’t be able to block that traffic anyway, since the traffic need not flow through the router to get to where it wants to go. If you are acting as a bridge for a transparent firewall, then the best you can do is block or allow based on the destination MAC address.

Let me clarify. I want this:
If the GATEWAY IP is in the range 172.16.30.0/24 then
- Don’t allow the DST-ADDRESS to be routed to the gateway
OR
- Drop DST-ADDRESS traffic by firewall
OR
- Any other way to prevent the DST-ADDRESS from using the internet


You correctly got my problem, but unfortunately there is no bridge. Also, as you see in the sample route that I provided in the first post, it is not OSPF or BGP, so the filter could not do anything.

The question remains, where are you getting the routes from? Are you manually putting them in? Are you trying to prevent users on the network from using certain default gateways? Are you wanting your router to not use certain gateways?

The only traffic a router can control is traffic that goes over it. If traffic never goes through/to a router, it has no knowledge of it and cannot do anything about it. So if you are trying to prevent users from having different default gateways than your router, you need to lock down the layer 2 network in such a way that the only host they can talk to is your router. If a user does not use your router as their next hop, then there is nothing you can do inside of the router to prevent that.

If you are trying to prevent your router from using certain gateways, you need to answer how those routes are being installed and control that. If not through a routing facility, but through something like PPP or RADIUS, then you need to modify the device that is giving you those routes so they match what you want. Otherwise you need to manually add a route that either has a smaller weight, or is more specific than the ones received, and point it to the gateway you want to use.

I have just one router (with the name ROUTER_A) which users connect to. The users’ routes are assigned by RADIUS.

In a normal situation, when a user is connected to ROUTER_A, we can see this route on ROUTER_A:

 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  111.111.173.4/30                   111.112.42.50              1

But when the user’s contract has expired, RADIUS assigns the following route to that user:

 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  111.111.173.4/30                   172.16.30.12              1

Note: users are connected with PPPoE and the gateway IP is a dynamic IP from a pool in RADIUS. If the user does not have a framed-route assigned, then everything works fine, because we have a firewall rule that drops 172.16.30.0/24. But if the user has a framed-route assigned, then the firewall could not see that traffic.


No, this is not the problem. All users connect to ROUTER_A; I want to block them in ROUTER_A if the assigned route in ROUTER_A contains a gateway IP in the range 172.16.30.0/24. So this is traffic which goes through ROUTER_A.

Unfortunately, changing RADIUS is not an option, but the PPP is on ROUTER_A and I want exactly that.

How? This is what I tried, but with no success. Creating the routes is based on src-address or dst-address etc., which is variable and unknown here. The only known parameter is the gateway IP which is assigned to the user!!!

To completely block packets via routes with gateway 172.16.30.12 you may try something like:

/interface bridge add name=blackhole protocol-mode=none
/ip address add address=192.0.2.1/30 interface=blackhole
/ip route add dst-address=172.16.30.12 gateway=192.0.2.2 scope=1

yep, kinda perversion…

but I don’t see any good solutions

Ok, it looks like you will need to script something then to get it to work and have a dedicated firewall rule. You can get the dst-address of the route and add that to an address list to block communication from and to that IP address.

:foreach DST in=[/ip route find gateway~"172.16.30."] do={
    :local IP [/ip route get number=$DST dst-address]
    /ip firewall address-list add address=$IP list=drop timeout=2h
}

The above code is a good place to start if I’m understanding the addresses you want to drop correctly. It will allow you to drop all communication from or to an address like 111.111.173.4/30 dynamically. You can schedule the script to run every 1-2 hours, or whatever you want. The timeout value means that it needs to be constantly refreshed, but saves you from needing to have the logic within the script to clear out old entries. By running the script every so often the addresses you want to drop will be constantly refreshed.
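Here is the same approach carried through end to end, as an added example rather than code from the thread: the firewall rules that consume the address list, the script, and the scheduler that keeps the entries refreshed. The list name "drop", the script name "refresh-drop-list", the 2h timeout and the 1h interval are my own choices; the script also handles the case where an address is already in the list, since a plain "add" of an existing entry fails instead of refreshing its timeout.

```routeros
# Added example, not from the thread. Assumes RouterOS v6 script syntax.
# Names "drop" and "refresh-drop-list" are placeholders chosen here.

# 1. Firewall rules that act on the list, both directions, through the router.
/ip firewall filter
add chain=forward src-address-list=drop action=drop comment="expired users"
add chain=forward dst-address-list=drop action=drop comment="expired users"

# 2. The script: every dynamic route whose gateway is in 172.16.30.x gets its
#    DST-ADDRESS put into the list (or its timeout refreshed if already there).
#    "^172.16.30." is a regex: anchored at the start, "." matches any character.
/system script add name=refresh-drop-list source={
    :foreach r in=[/ip route find where gateway~"^172.16.30." and dynamic=yes] do={
        :local dst [/ip route get $r dst-address]
        :local existing [/ip firewall address-list find where list="drop" and address=$dst]
        :if ([:len $existing] = 0) do={
            /ip firewall address-list add list=drop address=$dst timeout=2h comment="auto"
        } else={
            # already listed: refresh the timeout instead of failing on a duplicate add
            /ip firewall address-list set $existing timeout=2h
        }
    }
}

# 3. Run it every hour; an entry only expires once its route has been gone
#    for longer than the timeout (i.e. the user reconnected with a normal gateway).
/system scheduler add name=refresh-drop-list interval=1h on-event=refresh-drop-list
```

The forward-chain rules only catch traffic that actually crosses ROUTER_A, which is the case described here since all users terminate their PPPoE session on it.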

Thanks. Unfortunately a misunderstanding happened. The problem is not 172.16.30.12, the problem is the subnet which is routed to it.

I was hoping to find a way other than scripting, but it seems you agree with me that there is no other way.

Thanks a lot. I also rated your post 3+.

What do you mean? If you have this routing table, my example blocks all packets to 111.111.173.4/30. Isn’t this what you described?

 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  111.111.173.4/30                   172.16.30.12              1
 1 ADS  111.111.173.5/30                   172.11.11.11              1
 2 ADS  111.111.173.6/30                   172.12.12.12              1

I’m sorry, I did not get the idea. The misunderstanding happened on my side :laughing: . Thanks a lot.