How to whitelist top level domains?

Greetings from Wisconsin,

We need to rate limit outbound SSL connections to certain top level domains on an RB750Gr3. The subdomains change somewhat infrequently but frequent enough that maintaining an address list would prove laborsome. Is there a way to check the first connection made to “anysubdomain.anydomain.com” if it matches “.preferredtld.com”, such that I can add a packet mark, then put it into a simple queue? The last two steps I can handle, but how do I accomplish the first without spiking the CPU usage on the RB750Gr3?

Thank you in advance,
Isaac Grover

You should be able to use L7 firewall rules to help create matchers that you can then apply filter/NAT/mangle rules on:

https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/L7

This will help you do regex and TLDs to match what you want. It can be quite CPU intensive (as you are inspecting the packet a lot more) so be aware.
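
As an added example (not joegoldman's own config), here is how the L7 matcher, connection mark and simple queue fit together on RouterOS; it assumes the domain to throttle is `preferredtld.com` and a 2M/2M limit, both placeholders. Matching only unmarked HTTPS connections keeps the regex to the first packets of each new flow, which is what limits the CPU cost.

```routeros
# Added example, not from the thread. "preferredtld.com" and the 2M/2M
# limit are placeholders; replace them with your own values.

# 1. L7 matcher. The TLS ClientHello carries the server name (SNI) in
#    clear text, so a regex over the first packets of the connection can
#    see "anysubdomain.preferredtld.com" without decrypting anything.
#    RouterOS L7 only inspects the first ~10 packets / 2KB of a connection.
/ip firewall layer7-protocol
add name=l7-preferredtld regexp="^.+(\\.preferredtld\\.com).*\$"

# 2. Mark the connection once, then mark packets by connection mark.
#    Restricting the L7 rule to tcp/443 and to connections that have no
#    mark yet means the regex runs only while a new TLS session is being
#    set up; later packets are matched by conntrack, not by regex.
/ip firewall mangle
add chain=prerouting protocol=tcp dst-port=443 connection-mark=no-mark \
    layer7-protocol=l7-preferredtld action=mark-connection \
    new-connection-mark=conn-preferredtld passthrough=yes \
    comment="L7 runs only on unmarked new HTTPS flows"
add chain=prerouting connection-mark=conn-preferredtld \
    action=mark-packet new-packet-mark=pkt-preferredtld passthrough=no

# 3. Rate limit everything carrying the packet mark.
/queue simple
add name=limit-preferredtld packet-marks=pkt-preferredtld \
    target=0.0.0.0/0 max-limit=2M/2M
```

Check `/ip firewall mangle print stats` to confirm the mark-connection rule counter only advances on new sessions; if it climbs with every packet, the `connection-mark=no-mark` condition is missing and the regex is being evaluated far more often than needed.
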

Hi joegoldman,
Thank you for the proposed solution. For our situation, this is a really big hammer for a very small nail, so we’ll need to approach this from a different direction. =)