Routing traffic for specified domains to a different gateway

RouterOS Beginner Basics
1

Today I was working on running OVPN client on my router so I can route request to visit some special websites to my openvpn provider, then I figured out that OVPN client does not support UDP and SHA512 on routerOS, therefore I had to run ovpn client on a raspberry pi.

Now all I need is routing a list of websites to raspberry pi ip address which is acting as a gateway. How can I configure my MT router to perform this task for me?

P.S:

  • DNS requests are sent to MT router, thus it is aware of domain names.


  • RaspberryPi has ip forwarding enabled and iptables rules set to forward incoming requests to vpn connection


  • I’m a noob, so helping me with actual commands to configure router are welcomed
2

It may be tricky, mainly the part how you identify destination addresses. Websites often download stuff from many other domain, not just from their main domain. And even the main domain can be hosted in some cloud and can have several IP addresses that change all the time.

But let’s say you want to start with something simple, for example this forum. Add destination to list:

/ip firewall address-list
add list=route_to_vpn address=forum.mikrotik.com

Add route to RasPi:

/ip route
add dst-address=0.0.0.0/0 gateway=<RasPi address> routing-mark=to_vpn

Tell router to use that route when destination is in the list:

/ip firewall mangle
add chain=prerouting dst-address-list=route_to_vpn connection-state=new action=mark-connection new-connection-mark=to_vpn passthrough=yes
add chain=prerouting connection-mark=to_vpn action=mark-routing new-routing-mark=to_vpn passthrough=no

This will create asymmetric routing, and if you have default firewall (or custom one that blocks packets with invalid connection state), it won’t work. Simplest way to fix it is to use srcnat:

/ip firewall nat
add chain=srcnat connection-mark=to_vpn action=masquerade

To RasPi it will look like all connections come from router, but it probably shouldn’t be a problem.

3

Thanks
Everything works except the part where CDN has a lot of unlisted subdomains and address-list does not accept regex or wildcards

4

Domain names in the access_list are resolved to IPs, I presume, at which time point does it happen?
Is it re-checked periodically?

5

What I want to do is bypassing block on Youtube. Google uses multiple domains for youtube website which are predictable and known, but actual videos are served on googlevideo.com subdomains which are about 500 records and They may change occasionally. Therefore it doesn’t matter if domains are resolved periodically or not, the issue is that I don’t have access to all the addresses or their IPs.

Maybe if it was possible to use Layer7 instead of AddressList, that would solve the problem.

6

Just created a mangle rule:

chain=prerouting action=add-dst-to-address-list address-list=youtube address-list-timeout=none-dynamic content=googlevideo.com

It works and can route requests to googlevideo.com to RasperryPi but the problem is sometimes it takes more than 30 seconds to load the video.

7

Hostnames in address list are resolved based on their TTL, they are re-resolved when it expires.

Wildcards or regexps can’t be used, because you can’t resolve all possible combinations in advance.

L7 is problematic too, because even though you can see target hostname (using either layer7-protocol or new tls-host option), it’s not in first packet of connection, so when you get it, it’s already too late to redirect it.

What your rule does, is that it breaks the first connection, but when client reconnects to same address, next connection succeeds. Which is far from ideal, but it may be usable. But don’t enjoy it too much, because they are going to break this too, when hostname in TLS gets encrypted.

8

I just created this list in mangle and it works (is getting better and better everytime I watch a new video, it takes the address of server and adds it into the address_list)

 3    ;;; youtube
      chain=prerouting action=add-dst-to-address-list address-list=youtube address-list-timeout=none-dynamic content=googlevideo.com log=no log-prefix="" 

 4    ;;; youtube
      chain=prerouting action=add-dst-to-address-list address-list=youtube address-list-timeout=none-dynamic content=youtube.com log=no log-prefix="" 

 5    ;;; youtube
      chain=prerouting action=add-dst-to-address-list address-list=youtube address-list-timeout=none-dynamic content=ggpht.com log=no log-prefix="" 

 6    ;;; youtube
      chain=prerouting action=add-dst-to-address-list address-list=youtube address-list-timeout=none-dynamic content=ytimg.com log=no log-prefix=""