Community discussions

MikroTik App
 
User avatar
omidkosari
Trainer
Trainer
Topic Author
Posts: 634
Joined: Fri Sep 01, 2006 4:18 pm
Location: Iran , Karaj
Contact:

Firewall or Mangle DST-ADDRESS in ip>route based on gateway ip address

Thu Mar 03, 2016 4:58 pm

Hi,

I have some routes like this . Is there any way to Filter or Mangle the dst-address routes based on gateway ip address ?
 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  111.111.173.4/30                   172.16.30.12              1
The gateway ip assigned by radius . I want to drop dst-address if gateway ip is in 172.16.30.0/24 ,otherwise accept

Any help appreciated
MTCNA , MTCRE, MTCWE, Mikrotik Certified Trainer
 
Revelation
Member
Member
Posts: 338
Joined: Fri Dec 25, 2015 5:59 am

Re: Firewall or Mangle DST-ADDRESS in ip>route based on gateway ip address

Thu Mar 03, 2016 7:38 pm

So are you trying to block IPs from reaching 172.16.30.12 or do you want to block the entire 172.16.30.0/24 network? Further are you trying to block inbound or outbound to that network?
 
Feklar
Forum Guru
Forum Guru
Posts: 1726
Joined: Tue Dec 01, 2009 11:46 pm

Re: Firewall or Mangle DST-ADDRESS in ip>route based on gateway ip address

Thu Mar 03, 2016 8:38 pm

It's not really clear what you are looking to do based on your question or the information given. If you are recieving routes from RADIUS on your router, as far as I know there is no facility to filter what you recieve short of modifying what is sent to you on the RADIUS server itself. There is a filter process when using OSPF, BGP, etc. though.

If you are looking to block clients from using certain default gateways, the next hop lookup process is not part of the information on the layer3 packet so you cannot prevent traffic based on that. But unless you are filtering a network through a bridge, you wouldn't be able to block that traffic anyways since the traffic need not flow through the router to get to where it wants to go. If you are acting as a bridge for a transparent firewall, then the best you can do is block or allow based on the destination mac address.
 
User avatar
omidkosari
Trainer
Trainer
Topic Author
Posts: 634
Joined: Fri Sep 01, 2006 4:18 pm
Location: Iran , Karaj
Contact:

Re: Firewall or Mangle DST-ADDRESS in ip>route based on gateway ip address

Sat Mar 05, 2016 10:03 am

So are you trying to block IPs from reaching 172.16.30.12 or do you want to block the entire 172.16.30.0/24 network? Further are you trying to block inbound or outbound to that network?
Let me clarify . I want this
If GATEWAY ip is in range 172.16.30.0/24 then
-Don't allow to route the DST-ADDRESS to gateway
OR
-Drop DST-ADDRESS traffic by firewall
OR
-Any other way to prevent the DST-ADDRESS to use the internet

It's not really clear what you are looking to do based on your question or the information given. If you are recieving routes from RADIUS on your router, as far as I know there is no facility to filter what you recieve short of modifying what is sent to you on the RADIUS server itself. There is a filter process when using OSPF, BGP, etc. though.

If you are looking to block clients from using certain default gateways, the next hop lookup process is not part of the information on the layer3 packet so you cannot prevent traffic based on that. But unless you are filtering a network through a bridge, you wouldn't be able to block that traffic anyways since the traffic need not flow through the router to get to where it wants to go. If you are acting as a bridge for a transparent firewall, then the best you can do is block or allow based on the destination mac address.
You correctly got my problem , but unfortunately there is no bridge . Also as you see in sample route that i provided in first post , it is not OSPF or BGP so the filter could not do anything .
MTCNA , MTCRE, MTCWE, Mikrotik Certified Trainer
 
Feklar
Forum Guru
Forum Guru
Posts: 1726
Joined: Tue Dec 01, 2009 11:46 pm

Re: Firewall or Mangle DST-ADDRESS in ip>route based on gateway ip address

Wed Mar 09, 2016 7:24 pm

The question remians, where are you getting the routes from? Are you manually putting them in? Are you trying to prevent users on the network from using certain default gateways? Are you wanting your router to not use certain gateways?

The only traffic a router can control is traffic that goes over it. If traffic never goes through/to a router, it has no knowldege of it and cannot do anything about it. So if you are trying to prevent users from having different default gateways than your router, you need to lock down the layer2 network in such a way that the only host they can talk to is your router. If a user does not use your router as their next hop, then there is nothing you can do inside of the router to prevent that.

If you are trying to prevent your router from using certain gateways, you need to answer how those routes are being installed and control that. If not through a routing facility, but through something like PPP or RADIUS, then you need to modify the device that is giving you those routes so they match what you want. Otherwise you need to manually add a route that either has a smaller weight, or is more specific than the ones recieved and point it to the gateway you want to use.
 
User avatar
omidkosari
Trainer
Trainer
Topic Author
Posts: 634
Joined: Fri Sep 01, 2006 4:18 pm
Location: Iran , Karaj
Contact:

Re: Firewall or Mangle DST-ADDRESS in ip>route based on gateway ip address

Thu Mar 10, 2016 11:24 am

The question remians, where are you getting the routes from? Are you manually putting them in? Are you trying to prevent users on the network from using certain default gateways? Are you wanting your router to not use certain gateways?
I have just one router (with the name ROUTER_A) which users connect to it . The users routes assigned by radius .

In normal situation when a user connected to ROUTER_A we can see this route on ROUTER_A
#      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  111.111.173.4/30                   111.112.42.50              1
But when the user contract it expired, the radius assigns following route to that user
#      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  111.111.173.4/30                   172.16.30.12              1
Note: users are connected with pppoe and the gateway ip is dynamic ip from a pool in radius . If user does not have framed-route assigned , then everything work fine because we have a firewall rule to prevent 172.16.30.0/24 dropped . But if the user has framed-route assigned , then firewall could not see that traffic .

The only traffic a router can control is traffic that goes over it. If traffic never goes through/to a router, it has no knowldege of it and cannot do anything about it. So if you are trying to prevent users from having different default gateways than your router, you need to lock down the layer2 network in such a way that the only host they can talk to is your router. If a user does not use your router as their next hop, then there is nothing you can do inside of the router to prevent that.
No this is not the problem . All users connect to ROUTER_A , i want to block them in ROUTER_A if the assigned route in the ROUTER_A contains the gateway ip in range 172.16.30.0/24 . So this is the traffic which goes through the ROUTER_A .
If you are trying to prevent your router from using certain gateways, you need to answer how those routes are being installed and control that. If not through a routing facility, but through something like PPP or RADIUS, then you need to modify the device that is giving you those routes so they match what you want.
Unfortunately changing in radius is not an option but the ppp is ROUTER_A and i want exactly that .
Otherwise you need to manually add a route that either has a smaller weight, or is more specific than the ones recieved and point it to the gateway you want to use.
How ? This is what i tried but no success . Creating the routes are based on src-address or dst-address etc which is variable and unknown here . The only known parameter is the gateway ip which assigned to user !!!
MTCNA , MTCRE, MTCWE, Mikrotik Certified Trainer
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8389
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: Firewall or Mangle DST-ADDRESS in ip>route based on gateway ip address

Thu Mar 10, 2016 7:02 pm

to completely block packets via routes with gateway 172.16.30.12 you may try something like
/interface bridge add name=blackhole protocol-mode=none
/ip ad ad ad=192.0.2.1/30 int=blackhole
/ip route add dst-address=172.16.30.12 gateway=192.0.2.2 scope=1
yep, kinda perversion...

but I don't see any good solutions
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
Feklar
Forum Guru
Forum Guru
Posts: 1726
Joined: Tue Dec 01, 2009 11:46 pm

Re: Firewall or Mangle DST-ADDRESS in ip>route based on gateway ip address

Thu Mar 10, 2016 7:09 pm

Ok, it looks like you will need to script something then to get it to work and have a dedicated firewall rule. You can get the dst-address of the route and add that to an address list to block communication from and to that IP address.
:foreach DST in=([/ip route find gateway~"172.16.30."]) do={
	:local IP [/ip route get number=$DST dst-address]
	/ip firewall address-list add address=$IP list=drop timeout=2h
 }
The above code is a good place to start if I'm understanding the addresses you want to drop correctly. It will allow you to drop all communication from or to an address like 111.111.173.4/30 dynamically. You can schedule the script to run every 1-2 hours, or whatever you want. The timeout value means that it needs to be constantly refreshed, but saves you from needing to have the logic within the script to clear out old entries. By running the script every so often the addresses you want to drop will be constantly refreshed.
 
User avatar
omidkosari
Trainer
Trainer
Topic Author
Posts: 634
Joined: Fri Sep 01, 2006 4:18 pm
Location: Iran , Karaj
Contact:

Re: Firewall or Mangle DST-ADDRESS in ip>route based on gateway ip address

Sat Mar 12, 2016 1:23 pm

to completely block packets via routes with gateway 172.16.30.12 you may try something like
/interface bridge add name=blackhole protocol-mode=none
/ip ad ad ad=192.0.2.1/30 int=blackhole
/ip route add dst-address=172.16.30.12 gateway=192.0.2.2 scope=1
yep, kinda perversion...

but I don't see any good solutions
Thanks . Unfortunately misunderstanding happened . the problem is not 172.16.30.12 , the problem is subnet which routed to it .
Ok, it looks like you will need to script something then to get it to work and have a dedicated firewall rule. You can get the dst-address of the route and add that to an address list to block communication from and to that IP address.
:foreach DST in=([/ip route find gateway~"172.16.30."]) do={
	:local IP [/ip route get number=$DST dst-address]
	/ip firewall address-list add address=$IP list=drop timeout=2h
 }
The above code is a good place to start if I'm understanding the addresses you want to drop correctly. It will allow you to drop all communication from or to an address like 111.111.173.4/30 dynamically. You can schedule the script to run every 1-2 hours, or whatever you want. The timeout value means that it needs to be constantly refreshed, but saves you from needing to have the logic within the script to clear out old entries. By running the script every so often the addresses you want to drop will be constantly refreshed.
I was hoping to find a way other than scripting but it seems you agree with me that there is no other way .

Thanks a lot . I had also rated 3+ for your post .
MTCNA , MTCRE, MTCWE, Mikrotik Certified Trainer
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8389
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: Firewall or Mangle DST-ADDRESS in ip>route based on gateway ip address

Mon Mar 14, 2016 5:16 pm

to completely block packets via routes with gateway 172.16.30.12 you may try something like
/interface bridge add name=blackhole protocol-mode=none
/ip ad ad ad=192.0.2.1/30 int=blackhole
/ip route add dst-address=172.16.30.12 gateway=192.0.2.2 scope=1
yep, kinda perversion...

but I don't see any good solutions
Thanks . Unfortunately misunderstanding happened . the problem is not 172.16.30.12 , the problem is subnet which routed to it .
what do you mean? if you have this routing table, my example blocks all packets to 111.111.173.4/30 - isn't this what you described?..
#      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  111.111.173.4/30                   172.16.30.12              1
 1 ADS  111.111.173.5/30                   172.11.11.11              1
 2 ADS  111.111.173.6/30                   172.12.12.12              1
 
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
User avatar
omidkosari
Trainer
Trainer
Topic Author
Posts: 634
Joined: Fri Sep 01, 2006 4:18 pm
Location: Iran , Karaj
Contact:

Re: Firewall or Mangle DST-ADDRESS in ip>route based on gateway ip address

Tue Mar 15, 2016 9:39 am

to completely block packets via routes with gateway 172.16.30.12 you may try something like
/interface bridge add name=blackhole protocol-mode=none
/ip ad ad ad=192.0.2.1/30 int=blackhole
/ip route add dst-address=172.16.30.12 gateway=192.0.2.2 scope=1
yep, kinda perversion...

but I don't see any good solutions
Thanks . Unfortunately misunderstanding happened . the problem is not 172.16.30.12 , the problem is subnet which routed to it .
what do you mean? if you have this routing table, my example blocks all packets to 111.111.173.4/30 - isn't this what you described?..
#      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  111.111.173.4/30                   172.16.30.12              1
 1 ADS  111.111.173.5/30                   172.11.11.11              1
 2 ADS  111.111.173.6/30                   172.12.12.12              1
 
I'm sorry i did not get the idea . Misunderstanding happened at my side :lol: . Thanks a lot .
MTCNA , MTCRE, MTCWE, Mikrotik Certified Trainer

Who is online

Users browsing this forum: Extrems, markos222, mbovenka, Phorta, xvo, Zacharias and 95 guests