Static Route

Hello Members,

I have recently configured a MikroTik 750 GR3. I have set up two WANs and the rest of the ports are bridged; I have also added failover and merge rules.
Now I want to add a static route, like this: if anyone wants to browse the internet, all of it should use WAN1, and if someone wants to browse youtube.com, MikroTik should redirect only the YouTube traffic to WAN2.
Similarly, if someone wants to make a (VoIP) call, it should go via WAN2.

Please help me set up this route (please share any video link, as I am not very familiar with MikroTik).

Thanks

Anyone?

What you ask is not a trivial task; it's not just a "YouTube to WAN2" checkbox.

For what it's worth, this is one of the only things that bum me out about MikroTik.

You need a proper firewall to do this. Here’s why.

Layer 7 rules will pick up most browser YouTube traffic, but mobile devices' app traffic doesn't get picked up at all. And since it's encrypted (443), you can only really identify that traffic by its destination. So for some services you can get a list of all the IP addresses for that service and add those to an address list in the FW, or make your own by running a script that continually resolves the domain names for said service and adds the resulting addresses to the list.

Now, this works for services that use their own servers, but it doesn't work for services that use shared resources like content delivery servers, or YouTube, since it is hosted on Google servers. And blocking all the Google servers plus all the local CDN servers equates to blocking half the internet, introduces a massive CPU overhead into the router from going through endless lists for each and every connection, and introduces really strange behaviour to your browsing experience, like half the web pages loading slowly, parts of pages associated with Google APIs not working, etc.

Bottom line: at the time of this writing, you either buy a commercial-grade firewall or you're stuck with severely limited options for doing this.

This is what bums me out: users who don't know what the heck they are talking about.
The ability to filter traffic effectively at that level requires very expensive brand-name routers with $$$$ subscriptions to access such things as IPS/IDS.
Even then, with the latest protocols in use now and in the future, the ability for Google or YouTube etc. to bypass such things is getting better all the time.

So please, don't make this an MT problem when it isn't.

++++++++++++++++++++++++++++++++++++++++++++++++++++

What is true is that the OP should understand the limitations and realize the easiest way to direct users is by existing functionality.
One can use two different subnets: one for those who should use WAN1 and one for those who should use WAN2.
The same can be done by source address list.

The additional point is that the OP doesn't even express why they want to segregate users by dst site???
Is it to ensure bandwidth is equal?
Something else??

In other words, without clear, thought-out requirements, the OP may be trying to solve an issue with the wrong approach…
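To make the two approaches in this thread concrete (the destination address list that kleshki describes, and the source-address-list routing that anav describes), here is an added RouterOS configuration example. It is not from any poster in this thread and not MikroTik's own documentation; the LAN subnet 192.168.88.0/24, the WAN2 gateway 203.0.113.1, the interface name ether2-wan2, the phone address range and the hostnames are all placeholder assumptions for the example.

```routeros
# Added example, not part of the thread. Assumed values: LAN 192.168.88.0/24,
# WAN2 gateway 203.0.113.1 on ether2-wan2, VoIP phones at .50-.59,
# hostnames are placeholders for the service you actually want on WAN2.

# 1. Destination list. Address-list entries may be FQDNs; RouterOS resolves
#    them through its own DNS and keeps dynamic child entries current, so a
#    separate resolver script is only needed for services with many hosts.
/ip firewall address-list
add list=to-wan2 address=www.example.com comment="placeholder service host"
add list=to-wan2 address=sip.example.net comment="placeholder SIP registrar"

# 2. Source list: devices that must always leave via WAN2 (here, VoIP phones).
add list=src-wan2 address=192.168.88.50-192.168.88.59 comment="VoIP phones"

# 3. Routing marks are set in prerouting, before the route lookup.
#    passthrough=no ends mangle processing at the first match.
/ip firewall mangle
add chain=prerouting src-address=192.168.88.0/24 dst-address-list=to-wan2 \
    action=mark-routing new-routing-mark=via-wan2 passthrough=no \
    comment="destination-based: listed hosts -> WAN2"
add chain=prerouting src-address-list=src-wan2 \
    action=mark-routing new-routing-mark=via-wan2 passthrough=no \
    comment="source-based: VoIP phones -> WAN2"

# 4. Default route for the marked table (RouterOS v6 syntax). Unmarked
#    traffic keeps following the main table, i.e. WAN1.
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-mark=via-wan2 \
    distance=1 check-gateway=ping comment="marked traffic -> WAN2"

# 5. Source NAT must match the exit interface, or replies arrive on the
#    wrong WAN and the connection never completes.
/ip firewall nat
add chain=srcnat out-interface=ether2-wan2 action=masquerade
```

On RouterOS v7 the marked table has to exist first (`/routing table add name=via-wan2 fib`) and the route uses `routing-table=via-wan2` instead of `routing-mark=`. To check that a given connection actually took WAN2, look at its routing mark in `/ip firewall connection print detail`. Note that the destination-list half inherits exactly the limitation kleshki raised: it only separates a service whose addresses are its own, so YouTube-over-Google-CDN traffic will still be partly matched and partly missed.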

Wow, easy there anav.

I wasn’t making this a Tik problem. Au contraire, I find Mikrotik to be an awesome company, I marvel at how versatile RouterOS has become, how affordable all their products are and I support them every way I can. Especially by buying and recommending their products.

I’ll agree that my phrasing could’ve been better and I also understand that an expanded firewall facility is contrary to Mikrotik’s objectives in that RouterOS is supposed to be a lightweight, no more no less complex OS than to achieve exactly what it’s designed for.

But a guy can dream, right? A limited firewall facility like the one on Ubiquiti's Dream Machines? Some IDS/IPS for the sub-enterprise environment with their KISS philosophy and competitive pricing that will enable all those small-time sysadmins to have SOME functionality in their networks that they can't afford right now?

I repeat, this isn't a MikroTik problem and I wasn't saying in any way that it is. All I was saying is that it's a feature that some would really appreciate, but I understand that it is hell on earth to develop, the support inbox will overflow, no one will ever be happy enough about its functionality, and it makes little financial sense to develop as it probably won't sway new customers their way. Or maybe it will, if some clients were happy enough about its performance to cancel their big-name subscriptions?

Edit: and back on topic, my post was meant to expand on kleshki's and explain why this isn't a checkbox thing that can be easily instrumented.

Concur, and unless anyone's so-called version of IDS/IDP looks at encrypted traffic, it's bogus.