# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 111.111.173.4/30 172.16.30.12 1
Let me clarify . I want thisSo are you trying to block IPs from reaching 172.16.30.12 or do you want to block the entire 172.16.30.0/24 network? Further are you trying to block inbound or outbound to that network?
You correctly got my problem , but unfortunately there is no bridge . Also as you see in sample route that i provided in first post , it is not OSPF or BGP so the filter could not do anything .It's not really clear what you are looking to do based on your question or the information given. If you are recieving routes from RADIUS on your router, as far as I know there is no facility to filter what you recieve short of modifying what is sent to you on the RADIUS server itself. There is a filter process when using OSPF, BGP, etc. though.
If you are looking to block clients from using certain default gateways, the next hop lookup process is not part of the information on the layer3 packet so you cannot prevent traffic based on that. But unless you are filtering a network through a bridge, you wouldn't be able to block that traffic anyways since the traffic need not flow through the router to get to where it wants to go. If you are acting as a bridge for a transparent firewall, then the best you can do is block or allow based on the destination mac address.
I have just one router (with the name ROUTER_A) which users connect to it . The users routes assigned by radius .The question remians, where are you getting the routes from? Are you manually putting them in? Are you trying to prevent users on the network from using certain default gateways? Are you wanting your router to not use certain gateways?
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 111.111.173.4/30 111.112.42.50 1
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 111.111.173.4/30 172.16.30.12 1
No this is not the problem . All users connect to ROUTER_A , i want to block them in ROUTER_A if the assigned route in the ROUTER_A contains the gateway ip in range 172.16.30.0/24 . So this is the traffic which goes through the ROUTER_A .The only traffic a router can control is traffic that goes over it. If traffic never goes through/to a router, it has no knowldege of it and cannot do anything about it. So if you are trying to prevent users from having different default gateways than your router, you need to lock down the layer2 network in such a way that the only host they can talk to is your router. If a user does not use your router as their next hop, then there is nothing you can do inside of the router to prevent that.
Unfortunately changing in radius is not an option but the ppp is ROUTER_A and i want exactly that .If you are trying to prevent your router from using certain gateways, you need to answer how those routes are being installed and control that. If not through a routing facility, but through something like PPP or RADIUS, then you need to modify the device that is giving you those routes so they match what you want.
How ? This is what i tried but no success . Creating the routes are based on src-address or dst-address etc which is variable and unknown here . The only known parameter is the gateway ip which assigned to user !!!Otherwise you need to manually add a route that either has a smaller weight, or is more specific than the ones recieved and point it to the gateway you want to use.
/interface bridge add name=blackhole protocol-mode=none
/ip ad ad ad=192.0.2.1/30 int=blackhole
/ip route add dst-address=172.16.30.12 gateway=192.0.2.2 scope=1
:foreach DST in=([/ip route find gateway~"172.16.30."]) do={
:local IP [/ip route get number=$DST dst-address]
/ip firewall address-list add address=$IP list=drop timeout=2h
}Thanks . Unfortunately misunderstanding happened . the problem is not 172.16.30.12 , the problem is subnet which routed to it .to completely block packets via routes with gateway 172.16.30.12 you may try something likeyep, kinda perversion...Code: Select all/interface bridge add name=blackhole protocol-mode=none /ip ad ad ad=192.0.2.1/30 int=blackhole /ip route add dst-address=172.16.30.12 gateway=192.0.2.2 scope=1
but I don't see any good solutions
I was hoping to find a way other than scripting but it seems you agree with me that there is no other way .Ok, it looks like you will need to script something then to get it to work and have a dedicated firewall rule. You can get the dst-address of the route and add that to an address list to block communication from and to that IP address.
The above code is a good place to start if I'm understanding the addresses you want to drop correctly. It will allow you to drop all communication from or to an address like 111.111.173.4/30 dynamically. You can schedule the script to run every 1-2 hours, or whatever you want. The timeout value means that it needs to be constantly refreshed, but saves you from needing to have the logic within the script to clear out old entries. By running the script every so often the addresses you want to drop will be constantly refreshed.Code: Select all:foreach DST in=([/ip route find gateway~"172.16.30."]) do={ :local IP [/ip route get number=$DST dst-address] /ip firewall address-list add address=$IP list=drop timeout=2h }
what do you mean? if you have this routing table, my example blocks all packets to 111.111.173.4/30 - isn't this what you described?..Thanks . Unfortunately misunderstanding happened . the problem is not 172.16.30.12 , the problem is subnet which routed to it .to completely block packets via routes with gateway 172.16.30.12 you may try something likeyep, kinda perversion...Code: Select all/interface bridge add name=blackhole protocol-mode=none /ip ad ad ad=192.0.2.1/30 int=blackhole /ip route add dst-address=172.16.30.12 gateway=192.0.2.2 scope=1
but I don't see any good solutions
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 111.111.173.4/30 172.16.30.12 1
1 ADS 111.111.173.5/30 172.11.11.11 1
2 ADS 111.111.173.6/30 172.12.12.12 1
I'm sorry i did not get the idea . Misunderstanding happened at my sidewhat do you mean? if you have this routing table, my example blocks all packets to 111.111.173.4/30 - isn't this what you described?..Thanks . Unfortunately misunderstanding happened . the problem is not 172.16.30.12 , the problem is subnet which routed to it .to completely block packets via routes with gateway 172.16.30.12 you may try something likeyep, kinda perversion...Code: Select all/interface bridge add name=blackhole protocol-mode=none /ip ad ad ad=192.0.2.1/30 int=blackhole /ip route add dst-address=172.16.30.12 gateway=192.0.2.2 scope=1
but I don't see any good solutions
Code: Select all# DST-ADDRESS PREF-SRC GATEWAY DISTANCE 0 ADS 111.111.173.4/30 172.16.30.12 1 1 ADS 111.111.173.5/30 172.11.11.11 1 2 ADS 111.111.173.6/30 172.12.12.12 1
. Thanks a lot .