matiaszon
Member
Topic Author
Posts: 300
Joined: Mon Jul 09, 2012 9:26 am

Direct specific content through VPN

Wed May 15, 2019 10:57 am

Is there any way to route traffic by specific content through VPN? Not just by domains and/or IPs, but by content of the site?
 
Anumrak
Forum Veteran
Posts: 969
Joined: Fri Jul 28, 2017 2:53 pm

Re: Direct specific content through VPN

Wed May 15, 2019 2:01 pm

Hey. It is better by IP addresses, because you deal with a router, not specific hardware. Content is a layer 7, so it can be done, but it's very hard to do on a CPU. You should google for topics "layer 7 filtering/marking on mikrotik".
 
Sob
Forum Guru
Posts: 4182
Joined: Mon Apr 20, 2009 9:11 pm

Re: Direct specific content through VPN

Wed May 15, 2019 2:21 pm

Generally no. You need to be able to identify such content soon enough. It can work with something like UDP DNS packets, because you can see data immediately in the first packet. But anything TCP starts with a useless SYN packet and any identifiable content comes only later, but it's too late.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
tslytsly
Frequent Visitor
Posts: 57
Joined: Tue Oct 27, 2015 6:52 pm
Location: Nottingham

Re: Direct specific content through VPN

Thu May 16, 2019 3:30 pm

You could mark based on TLS SNI.
Do this in the mangle pre-routing chain, like this (note the passthrough for the first rule):
/ip firewall mangle
add action=mark-connection chain=prerouting comment="First mark based on TLS SNI" connection-mark=no-mark new-connection-mark=RouteViaVPN passthrough=yes protocol=tcp tls-host=*facebook.com
add action=mark-routing chain=prerouting comment="Mark connections with mark RouteViaVPN with their own routing mark" connection-mark=RouteViaVPN new-routing-mark=RouteViaVPN passthrough=no
Then have a route in the /ip route table that sends packets with that routing mark out your VPN:
/ip route
add gateway=VPN routing-mark=RouteViaVPN
There are 10 types of people in this world:
  • Those who understand binary
  • Those who don't
  • and those that didn't expect me to be using Ternary!
 
Sob
Forum Guru
Posts: 4182
Joined: Mon Apr 20, 2009 9:11 pm

Re: Direct specific content through VPN

Thu May 16, 2019 6:29 pm

You can mark it and you can route it, but the problem is, the start of the connection already went elsewhere.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
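
The timing issue raised in the replies above, as an added example that is not part of any post in this thread: it parses the SNI out of a TLS ClientHello and shows at which packet of a TCP connection a `tls-host` style match can first fire. The function names, the sample packets and the use of `fnmatch` to approximate the `tls-host=*facebook.com` wildcard are assumptions made for illustration; only client-to-server packets are modelled.

```python
import fnmatch
import struct

def build_client_hello(host):
    """Constructed minimal TLS ClientHello record with an SNI extension."""
    name = host.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni  # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(ext)) + ext)  # version, random, ids, suites, exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def extract_sni(payload):
    """Return the SNI host name carried in a TCP payload, or None."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:  # TLS handshake, ClientHello
            return None
        p = 5 + 4 + 2 + 32                 # record hdr, handshake hdr, version, random
        p += 1 + payload[p]                # session id
        p += 2 + int.from_bytes(payload[p:p + 2], "big")  # cipher suites
        p += 1 + payload[p]                # compression methods
        end = p + 2 + int.from_bytes(payload[p:p + 2], "big")
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack_from("!HH", payload, p)
            p += 4
            if etype == 0:                 # server_name extension
                nlen = int.from_bytes(payload[p + 3:p + 5], "big")
                return payload[p + 5:p + 5 + nlen].decode("ascii")
            p += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                        # empty, truncated or non-TLS payload
    return None

def route_connection(packets, pattern):
    """Per-packet path: marked only once a payload exposes a matching SNI."""
    marked, decisions = False, []
    for label, payload in packets:
        sni = extract_sni(payload)
        if not marked and sni and fnmatch.fnmatch(sni, pattern):
            marked = True                  # connection mark set from this packet on
        decisions.append((label, "VPN" if marked else "default"))
    return decisions

# Constructed client-to-server packets of one HTTPS connection, in order.
SAMPLE = [("SYN", b""), ("ACK", b""),
          ("ClientHello", build_client_hello("www.facebook.com")),
          ("data", b"\x17\x03\x03\x00\x01\x00")]
```

Calling `route_connection(SAMPLE, "*facebook.com")` shows the SYN and the handshake ACK leaving by the default route and only the ClientHello and later packets carrying the VPN routing mark.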
