Hi,
I want to NAT Gmail and Yahoo Mail.
But they have a lot of IPs and subdomains?!!!
How can I do it?
That is a bit of a problem.
I wish routeros had a domain field.
What you can try is to create an address list, then set up a filter rule with gmail and yahoo.
Then set the action of the rule to copy it to the dst-address list.
The problem will be to distinguish between the mail traffic and search engine.
If the users use 3rd party apps to access the mail you can add the dst-port for outgoing in the filter rule.
Doing it this way will add some incorrect dst-addr entries.
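As an added illustration of the address-list approach described in this reply (example configuration written for this thread, not posted by the original author), this is roughly what the rules look like in RouterOS. The list name `mail-hosts`, the WAN interface `ether1` and the mail ports 993/465/587 are assumptions; adjust them to your setup.

```routeros
# Added example, not from the original thread. Assumed: list "mail-hosts", WAN on ether1,
# mail clients using IMAPS (993), SMTPS (465) and submission (587).

# 1. Learn destination addresses. The content matcher is a plain substring match on the
#    packet payload, so hosts that are not mail servers (search pages, ads, CDNs) will
#    also be added; the timeout keeps the list from growing forever.
/ip firewall filter
add chain=forward protocol=tcp dst-port=80,443,993,465,587 content="gmail" action=add-dst-to-address-list address-list=mail-hosts address-list-timeout=1d comment="learn Gmail hosts"
add chain=forward protocol=tcp dst-port=80,443,993,465,587 content="yahoo" action=add-dst-to-address-list address-list=mail-hosts address-list-timeout=1d comment="learn Yahoo hosts"

# 2. NAT only traffic to learned addresses, and only on mail ports, so that hosts that were
#    learned by mistake do not get NATed for ordinary web traffic.
/ip firewall nat
add chain=srcnat out-interface=ether1 dst-address-list=mail-hosts protocol=tcp dst-port=993,465,587 action=masquerade comment="NAT mail traffic only"

# 3. Periodically review what was learned and remove entries that are clearly not mail servers.
/ip firewall address-list print where list=mail-hosts
```

The `add-dst-to-address-list` action does not terminate rule processing, so the learning rules can sit above your normal forward rules without affecting them. Step 3 is the maintenance cost this reply warns about: the list will contain wrong entries and needs pruning. On RouterOS versions that offer the `tls-host` matcher, matching on the TLS server name instead of `content` gives fewer false entries for HTTPS traffic, but the list still has to be reviewed.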
I know netfilter (what the firewall for Mikrotik is actually using under the hood) lets you specify a domain name, but it doesn’t do what you mean - it simply does a DNS query and places the IP address it gets into the filter. From then on, it’s just that one IP that is in the rule. There’s no way to make this work the way you want without completely crippling the performance of the router.
Remember that the IP header only has the source and destination IP addresses in it. If a router had to do a reverse lookup on the source and destination address on each and every packet… well, imagine the chaos. Also realize that the actual IP addresses often don’t resolve to the same thing as a hostname will, because web servers very commonly have multiple sites hosted, and on many servers in a cluster, so the individual hostnames will often refer to the node name and often the domain name will be the content delivery network’s domain (like Akamai), so you really can’t use domain names in simple firewall chain rules.
Your suggestion about the IP address list is correct, and you can in fact NAT only the email service ports (specify them in the NAT rule), but I agree that this is a high-maintenance solution that isn’t practical and is very likely to have large gaping holes in it.
Unfortunately, you really can’t do this…
What’s your actual goal, which you’ve considered to use NAT to solve? There is probably another approach that will actually get the job done, and be easier than maintaining a huge list of IP addresses.
If you’re trying to block the web access or redirect it, remember that you’re dealing with SSL-enabled sites, and any transparent redirection is going to cause certificate alerts.