The NAT is not working Content.

eoleg · May 12, 2015, 7:24am

The NAT is not working Content.
It turns out a bug or it is certainly under any special conditions it work?

В NAT не работает Content.
Получается баг, или всетаки при каких то особых условиях работает?

vasilevkirill · May 12, 2015, 8:39am

What exactly are you trying to filter?

Покажите правило которым вы хотите отфильтровать пакет, а также объясните что хотите поймать!

mrz · May 12, 2015, 10:35am

NAT rules match only the first packet. And TCP SYN packet typically does not have nay content.

ZeroByte · May 12, 2015, 3:01pm

It’s not a bug. What you’ve been trying to do is impossible.
You cannot change NAT after a TCP connection establishes.
TCP must establish before any content can be requested / delivered.
Therefore the content match is useless in NAT rules for protocols that use TCP as their transport.

Your request here is the same as asking a condom company why your girlfriend stays pregnant even after you start using their product.

You’ve been asking about this for a month now - the community has given you some alternative ideas, but you stated that they require too much CPU. Unfortunately, this is just how it is for deep packet inspection. Period. If you need to do this kind of filtering, then buy a box that is built specifically to do deep packet inspection and content filtering.
(our company uses iBoss)

It’s not Mikrotik’s fault that a platform designed for packet forwarding cannot keep up with the load of running a regular expression against the payload of each and every packet that flows through it. The CPU was chosen to be inexpensive but capable of quickly comparing the headers of IP packets against binary lists of routing destinations. String comparisons are vastly more complicated at the CPU level.

eoleg · May 15, 2015, 8:23am

It is necessary to highlight the url something like this - ljre4wem4dygt and redirect to a certain ip

Нужно в url выделить чтото типа этого - ljre4wem4dygt и перенаправить на определенный ip

eoleg · May 15, 2015, 8:28am

“Your request here is the same as asking a condom company why your girlfriend stays pregnant even after you start using their product.”

Well then you do not need to give an opportunity to use a condom!

ну тогда не нужно давать возможность использовать презерватив!

vasilevkirill · May 16, 2015, 8:41pm

Чтобы понимать конкретно чтовы хотите сделать, покажите на примере. “правило студию”

eoleg · May 16, 2015, 8:54pm

/ip firewall nat add action=dst-nat chain=dstnat content=tzhgsvcdtfg to-addresses=999.999.999.999

vasilevkirill · May 18, 2015, 5:53pm

Вы либо что то недоговариваете, либо вы не знаете чего вы хотите.
по ваше правилу вы собираетесь парсить весь трафик, не конктратизируя ТСP или UDP какие порты dst. А также action, просто accept?

eoleg · May 18, 2015, 6:27pm

извините, скопировал не все
вот так правильно
/ip firewall nat add chain=dstnat protocol=tcp content=tzhgsvcdtfg action=dst-nat to-addresses=999.999.999.999
я просто хочу направить абонента на другой ip при попытке посмотреть некоторые ролики youtube у которых в урле есть например tzhgsvcdtfg

mrz · May 21, 2015, 2:50pm

Kak uzhe bilo skazano ranshe, eto njevozmozhno. NAT vidit tolky TCP syn paket, a v etom paketje njetu “content”.

redirekt na drugije http stranici mozhno sdelatjs s web proxy.