Greetings from Wisconsin,
We have a 750Gr3 running at a client site configured with a static IP on the external interface, NAT’d to the LAN on the internal bridge interfaces, along with some port forwarding to internal servers and client-to-site VPNs, which is more or less standard across all our client sites.
Inside the LAN, the customer’s servers use a cloud-first backup solution that sends data over HTTPS to the various USA data centers, and because the customer’s rural Internet connection is at most 20/2, we have manual queues to some of the cloud backup provider’s subnets that are scheduled to throttle, starting and finishing just outside their office hours, and we disable those queues after hours so their upload pipe is wide open.
Here’s the challenge. The cloud backup provider isn’t publishing their subnets, so it’s up to us to either capture some of their IP addresses in real time and convert them to subnets, or throttle all HTTPS traffic to the outside, which affects video conferences and a whole host of other daily use scenarios. It would be more convenient to make quick HTTPS requests to outbound connections, grab the SSL SANs if they exist, and if they match any of the domains we need to throttle (*.cloudbackup.management, cloudbackup.management), then add them to a firewall address-list for matching in the simple queues.
I have searched the forum, other articles, and the manual, and I’m coming to the realization that this functionality is beyond the capabilities of RouterOS. Tell me I’m wrong?
Sincerely,
Isaac Grover
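As an added illustration of the SAN-matching step the post above describes (example code, not the poster’s or MikroTik’s), here is a Python script meant to run on a LAN host rather than on the router: it fetches the certificate from a captured destination IP, checks the DNS SANs against the two domains named in the post, and produces the RouterOS address-list command. The list name `cloud-backup` and the `1d` timeout are assumptions; the sample certificate dict is constructed so the matching logic runs offline.

```python
import socket
import ssl
from typing import Optional

# Added example, not from the original post. The two domains are the ones the
# post names; the address-list name and timeout are assumptions.
THROTTLE_DOMAINS = ("*.cloudbackup.management", "cloudbackup.management")
LIST_NAME, LIST_TIMEOUT = "cloud-backup", "1d"


def san_matches(san: str, pattern: str) -> bool:
    """RFC 6125 style: a leading '*.' matches exactly one leftmost label."""
    san, pattern = san.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".cloudbackup.management"
        head = san[: -len(suffix)] if san.endswith(suffix) else ""
        return bool(head) and "." not in head
    return san == pattern


def matching_sans(cert: dict, patterns=THROTTLE_DOMAINS) -> list:
    """DNS SANs in a getpeercert()-style dict that match any pattern."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return [n for n in names if any(san_matches(n, p) for p in patterns)]


def address_list_command(ip: str, cert: dict) -> Optional[str]:
    """RouterOS CLI line adding ip to the throttle list, or None if nothing matched."""
    hits = matching_sans(cert)
    if not hits:
        return None
    return (f"/ip firewall address-list add list={LIST_NAME} address={ip} "
            f'timeout={LIST_TIMEOUT} comment="{hits[0]}"')


def fetch_cert(ip: str, port: int = 443, timeout: float = 3.0) -> dict:
    """Connect to a bare IP (no SNI, like a captured flow) and return the parsed leaf cert.
    Chain verification stays on (getpeercert() returns {} when it is off); only the
    hostname check is disabled. Caveat: SNI-multiplexed hosts may serve a default cert."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock) as tls:
            return tls.getpeercert()


# Constructed sample in getpeercert() shape, so the matching logic runs offline.
SAMPLE_CERT = {"subjectAltName": (
    ("DNS", "edge1.cloudbackup.management"),  # matches the wildcard
    ("DNS", "cloudbackup.management"),        # exact match
    ("DNS", "a.b.cloudbackup.management"),    # two labels: wildcard must not match
    ("DNS", "notcloudbackup.management"),     # different zone, must not match
    ("IP Address", "203.0.113.10"),
)}
```

On a live flow you would call `address_list_command(ip, fetch_cert(ip))` for each captured destination and paste or script the resulting lines into the router; a None result just means that IP is not in scope for the queue.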