two questions.. :-)

I have a 951-2Hnd at home and I need to set this up so if (when) our servers at the office fail
all I have to do is redirect our DNS A Record to point to my static IP address and everything is connected
to our backup servers. Problem is I already have smtp and http pointing to my own server.
Can RouterOS be set up to direct traffic based on the IP address it was meant for ?
i.e. traffic for mail.mydomain.co.nz goes to port 5 on the router and mail.anotherdomain.co.nz goes to bridge ports 1-4?

Second question.. How the heck do I block a MAC address (or two)? I can see how to add an access list but not a deny list.
Just want to block one on the kids until her exams are over :)

I don’t know about the first question. You might need two public ips to route that correctly since you already have your own web server there.

The access list works both ways. It can allow or block connections. This blocks a connection to the wireless.

/interface wireless access-list
add mac-address=00:01:02:03:04:05 authentication=no

Sweet, thanks Tim. That was just what I was looking for on Q2 :)

Regarding question one. You “could” do this with Layer 7, although it's going to be slow as hell for this purpose on that box. You'd be better off doing it in Apache with virtual hosts.

The reason the router can't really do it is that the router generally doesn't look at the “contents” of the packet. What you are asking it to do is not routing by IP (which it could do), but really to have two different DNS names pointing to the same IP. The client computer converts the name to the IP, and all that is in the header of the packet is the IP (which would be the same in this case). The domain name is still inside the packet, which is what Apache virtual hosts use, but the only way to see that on the router is to use Layer 7.

To do it for SMTP you'd have to use some sort of a proxy or a mail server that can host multiple domains… it works basically the same way Apache does.
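To make the point above concrete, here is a small added example (my own code, not from this thread or from MikroTik) that does exactly what Apache virtual hosts or a multi-domain mail server do: it ignores the IP header, which is identical for both names, and reads the name out of the application payload instead. It parses the HTTP Host header and the SMTP RCPT TO domain, and beside it a naive "does the string appear anywhere in the payload" matcher of the kind a Layer 7 regexp performs. The domain names, the backend host addresses (192.168.1.10 on the home LAN, 10.0.0.10 on the port-5 backup LAN) and the captured request/SMTP bytes are all constructed for the example; only the two /24 networks come from the thread.

```python
import re
from typing import Optional

# Backend table, constructed for this example. The networks come from the
# thread (home LAN 192.168.1.0/24 on ports 2-4, backup LAN 10.0.0.0/24 on
# port 5); the host addresses and domain names are assumptions.
HTTP_HOSTS = {
    "www.mydomain.co.nz": "10.0.0.10",          # SBS2011 backup on port 5
    "www.anotherdomain.co.nz": "192.168.1.10",  # own web server on home LAN
}
MAIL_DOMAINS = {
    "mydomain.co.nz": "10.0.0.10",              # restored Exchange on SBS2011
    "anotherdomain.co.nz": "192.168.1.10",      # hMailServer on home LAN
}

# Constructed sample traffic: one HTTP request and one SMTP client stream.
HTTP_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: www.anotherdomain.co.nz\r\n"
    b"User-Agent: test\r\n\r\n"
)
SMTP_STREAM = (
    b"EHLO client.example\r\n"
    b"MAIL FROM:<someone@example.net>\r\n"
    b"RCPT TO:<jane@mydomain.co.nz>\r\n"
    b"DATA\r\n"
    b"Subject: link\r\n\r\nSee http://www.anotherdomain.co.nz/ for details\r\n.\r\n"
)


def http_target_name(payload: bytes) -> Optional[str]:
    """Return the Host header of an HTTP/1.x request, or None.

    This is the field Apache virtual hosts dispatch on. It sits in the TCP
    payload, not the IP header, so plain routing never sees it.
    """
    head, _, _ = payload.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            return host.split(":")[0]              # drop an explicit :port
    return None


# First RCPT TO command; group 1 is the recipient's domain.
_RCPT = re.compile(rb"^RCPT TO:\s*<?[^@>\s]+@([^>\s]+)>?",
                   re.IGNORECASE | re.MULTILINE)


def smtp_target_domain(payload: bytes) -> Optional[str]:
    """Return the domain of the first RCPT TO in an SMTP client stream.

    For mail the deciding information is the recipient domain, which only
    appears after the greeting and EHLO, several packets into the connection.
    """
    m = _RCPT.search(payload)
    return m.group(1).decode("ascii", "replace").lower() if m else None


def pick_backend(dst_port: int, payload: bytes) -> Optional[str]:
    """Layer-7 dispatch: same public IP in, different backend out per name."""
    if dst_port == 80:
        name = http_target_name(payload)
        return HTTP_HOSTS.get(name) if name else None
    if dst_port == 25:
        domain = smtp_target_domain(payload)
        return MAIL_DOMAINS.get(domain) if domain else None
    return None


def regex_anywhere(payload: bytes, pattern: str) -> bool:
    """Naive Layer-7 style match: the name anywhere in the payload.

    A name mentioned in a message body matches just as well as the real
    recipient domain, which is why field-aware parsing is preferable.
    """
    return re.search(re.escape(pattern).encode(), payload,
                     re.IGNORECASE) is not None


if __name__ == "__main__":
    print("HTTP ->", pick_backend(80, HTTP_REQUEST))   # 192.168.1.10
    print("SMTP ->", pick_backend(25, SMTP_STREAM))    # 10.0.0.10
    for name in ("mydomain.co.nz", "anotherdomain.co.nz"):
        print(name, "anywhere in mail stream:", regex_anywhere(SMTP_STREAM, name))
```

The SMTP sample is addressed to mydomain.co.nz but mentions anotherdomain.co.nz in its body, so the naive matcher says yes to both names while the RCPT TO parser picks the right one. It also shows why a mail proxy or the mail server itself is the natural place for this: the recipient domain is only on the wire several packets into the connection, whereas a NAT decision is made on the connection's first packet, which for TCP is the empty SYN.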

Thanks Efaden,
I found this, is this what you mean by “doing it by layer 7”?
How slow would it be?
Looking at the script below, it doesn't seem to care what port, so SMTP should not be a problem?

/ip firewall layer7-protocol add name=example.com regexp=example.com
/ip firewall mangle add chain=prerouting dst-address=10.0.0.254 layer7-protocol=example.com action=mark-connection new-connection-mark=example.com-forward protocol=tcp dst-port=53
/ip firewall mangle add chain=prerouting dst-address=10.0.0.254 layer7-protocol=example.com action=mark-connection new-connection-mark=example.com-forward protocol=udp dst-port=53
/ip firewall nat add action=dst-nat chain=dstnat connection-mark=example.com-forward to-addresses=10.0.1.11
/ip firewall nat add action=masquerade chain=srcnat connection-mark=example.com-forward

Just to be clear, ports 2-4 (192.168.1.1(24)) are my home LAN, my mail server is hMailServer running on Windows Server 2008 R2, port 5 (10.0.0.1(24)) is only used as a backup for work, backup server running SBS2011. My theory is that I restore the latest Exchange backup on the work backup server at my home, change the A record for it and all our stores now get email again…
all this while my own mail server still gets email :)