I understand, even if it's messy it might be a solution. I'll try though, since those are not the only packets that need to be filtered.
[off]
Yes, you are right. But this is a one-off use case. This customer did not want to invest in more capable devices.
I could list like 3 reasons off the top of my head why we don't usually suggest not to buy MikroTik. More if I really give it a try.
- Missing monitoring features like SNMP for BGP and other routing daemons
- Missing IPsec route-based tunnels, only policy-based is supported
- If you need more insight into traffic you are better off buying an actual NGFW where you can see more information about the traffic (but since TLS 1.3 is getting more common with ESNI, you need a more beefy firewall).
- Or at least have user/group based firewall rules. Maybe read RADIUS accounting packets from other devices and do an LDAP lookup for group membership.
[/off]