Some issues with resolve

Hi there.

I’ve got MT 4.3 on an RB450G up and running. I need to restrict access to some social network sites. With the layer-7 feature I’ve managed to achieve what I need, but I want to minimize the overhead of L7 usage, so I want to ban these sites by IP first. The problem is that some host names have more than one IP address assigned to them and :resolve returns only the first of these IPs. Is there any way to get the other IPs? I’ve tried to add them all statically, but the list changes from week to week =(

Thx.

http://wiki.mikrotik.com/wiki/How_to_Block_Websites_%26_Stop_Downloading_Using_Proxy

A proxy is not an option =(

The question is still open: how to get the other IPs for a host name, not only the first one.

C:\Documents and Settings\Chups>nslookup google.com
Server:  ns1.infolan.by
Address:  192.168.0.8

Non-authoritative answer:
Name:    google.com
Addresses:  74.125.67.100, 74.125.45.100, 74.125.53.100


C:\Documents and Settings\Chups>

Yep, with nslookup there are no problems.

The question is how to do this on MikroTik inside a script, using resolve or a similar command.
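One way around the single-answer limit of :resolve is to do the lookup off the router and push every A record into an address-list. The script below is an added example, not code from this thread or from MikroTik: it parses a raw DNS response (a constructed one carrying the three google.com addresses from the nslookup output above, so it runs offline), collects all A records rather than the first, and prints the RouterOS address-list commands for them. The list name "social-block", the "auto-resolved" comment tag used to find and replace the auto-managed entries, and the resolver address you would pass to resolve_all() are assumptions; resolve_all() needs network access and is not exercised by the sample data.

```python
import ipaddress
import socket
import struct

# Constructed sample data: the three google.com addresses from the nslookup
# output in the thread, packed into a minimal DNS response so the parser runs offline.
SAMPLE_ADDRS = ["74.125.67.100", "74.125.45.100", "74.125.53.100"]


def encode_name(name):
    """Encode a dotted host name as DNS labels."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_query(name, txn_id=0x1234):
    """Standard recursive A query (QR=0, RD=1, one question)."""
    return struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(name, addrs, txn_id=0x1234):
    """Constructed response: one A record per address, names compressed to the question (offset 12)."""
    msg = struct.pack("!HHHHHH", txn_id, 0x8180, 1, len(addrs), 0, 0)
    msg += encode_name(name) + struct.pack("!HH", 1, 1)
    for a in addrs:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(a).packed
    return msg


RESPONSE = build_response("google.com", SAMPLE_ADDRS)


def read_name(msg, off):
    """Decode a (possibly compressed) name at off; return (name, offset just after the name field)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:           # compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (end if jumped else off)


def parse_a_records(msg):
    """Return every IPv4 address in the answer section, in wire order (not just the first)."""
    _txn, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x000F:
        raise ValueError("rcode %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):                     # skip the question section
        _, off = read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A/IN; CNAMEs in the chain are skipped
            addrs.append(str(ipaddress.IPv4Address(rdata)))
    return addrs


def resolve_all(name, server, timeout=2.0):
    """Query a resolver over UDP and return all A records (needs network; not used by the sample)."""
    q = build_query(name)
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    finally:
        s.close()
    if data[:2] != q[:2]:                   # reject replies for someone else's transaction
        raise ValueError("transaction id mismatch")
    return parse_a_records(data)


def routeros_commands(list_name, addrs, comment="auto-resolved"):
    """RouterOS CLI lines that replace the auto-managed entries of an address-list (list name assumed)."""
    lines = ["/ip firewall address-list remove [find list=%s comment=%s]" % (list_name, comment)]
    for a in sorted(set(addrs), key=ipaddress.IPv4Address):
        lines.append("/ip firewall address-list add list=%s address=%s comment=%s" % (list_name, a, comment))
    return lines


if __name__ == "__main__":
    print("\n".join(routeros_commands("social-block", parse_a_records(RESPONSE))))
```

Because the answer set changes over time, the script is meant to be run periodically from a host that can reach the router, with its output fed to the router's CLI; entries are tagged with a comment so only the auto-managed ones are replaced and hand-added entries in the same list survive. The caveat raised later in the thread still applies: a site served from shared or rotating addresses cannot be pinned down by IP alone.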

You cannot.

If you have DNS enabled on your RouterOS, the IP it resolves is the same IP the client will get for a given website. Keep in mind that many sites use many servers for a given domain, making it almost impossible to detect an IP, even if you had all the IPs for a given domain. Ex. server1.domain.com, server2.domain.com, server3.domain.com.

The built-in web-proxy on RouterOS is a much better solution, as it lets you restrict *.domain.com.

So why is a proxy not an option?

We have 2 ISPs here, so 2 possible routes for real traffic. Now it determines the routing table for a packet based on the client IP address.

The problem is that I do not know how to split client traffic based on the criteria mentioned above when using a proxy.
Now my configuration looks like this:

/ip firewall mangle
add action=mark-routing chain=prerouting comment="NAT Forward to ISP1" \
    disabled=no new-routing-mark=isp1-rm \
    passthrough=yes src-address-list=nat2isp1
add action=mark-routing chain=prerouting comment="NAT Forward to ISP2" \
    disabled=no new-routing-mark=isp2-rm \
    passthrough=yes src-address-list=nat2isp2


/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no out-interface=XConfig
add action=src-nat chain=srcnat comment="" disabled=no out-interface=MG routing-mark=isp2-rm to-addresses=xxx.xxx.xxx.xxx

Even with a proxy you can simply do any load-balancing scheme (for example, PCC-based).

It’s not load balancing, just a fixed ISP for fixed IPs.

By the way, if I use a proxy, how will the router see the src/dst address? For NAT the src address will be the router’s address, or am I wrong?

Yes, the src-address will be the router’s address, and the ‘chain’ will be ‘output’.

So that’s why a proxy is not an option.

Still an open question: WHY could resolve not return all IPs in a list context, and WHEN will it be implemented? =)

?..