I'm running RouterOS 6.43.8 on x86. Now I'll try to explain my problem:
Let's say we have an IP address 10.10.10.1 in an address-list NO_ACCESS and for this address-list we have a blocking rule and NAT rule which try to redirect blocked users to personal page, like this:
As you may already understood there is a web-server with IP 192.168.20.240 which hosts the personal page. And on that personal page user can go to the payment page, which lays under other IP and Port, like: 192.168.20.245:8080. And on that payment page there is a link which leads to the www.some.paymentsystem.com with public IP, let's say, 220.127.116.11.
Code: Select all
chain=forward action=drop src-address-list=NO_ACCESS out-interface=ether-OUT log=no log-prefix="" chain=dstnat action=dst-nat to-addresses=192.168.20.240 to-ports=80 protocol=tcp src-address-list=NO_ACCESS dst-port=80,443 log=no log-prefix=""
And here is what I need: I need user behind 10.10.10.1 to be able to go to www.some.paymentsystem.com, but not all over the least Internet.
I thought that adding a filter rule which will temporary add the 10.10.10.1 to an address-list, say, PAY_NO_ACCESS when that user tries to reach 192.168.20.245:8080 and creating some accept filter rule for dst-address 18.104.22.168 and PAY_NO_ACCESS address-list, and masquerade NAT rule for that PAY_NO_ACCESS address-list, and placing those rules above the apropriate rejecting rules will solve the problem. But it didn't. Seems, that an IP can not be at 2 address-list for which opposite filter and NAT rules are specified and despite that rules for PAY_NO_ACCESS were placed almost at the top of the filter and NAT list - that didn't help at all. Although I thought the packet will never reach those prohibitive rules.
Any thoughts and suggestions will be greately appreciated.