Help with IP-> Filter needed

Posted: Tue Jul 09, 2019 7:05 pm
by bobr
I'm running RouterOS 6.43.8 on x86. Now I'll try to explain my problem:
Let's say we have an IP address in an address-list NO_ACCESS and for this address-list we have a blocking rule and NAT rule which try to redirect blocked users to personal page, like this:
chain=forward action=drop src-address-list=NO_ACCESS out-interface=ether-OUT log=no log-prefix=""
chain=dstnat action=dst-nat to-addresses= to-ports=80 protocol=tcp src-address-list=NO_ACCESS dst-port=80,443 log=no log-prefix=""
As you may have already understood, there is a web-server with IP which hosts the personal page. And on that personal page the user can go to the payment page, which lies under another IP and port, like: And on that payment page there is a link which leads to the with public IP, let's say,
And here is what I need: I need the user behind to be able to go to, but not all over the rest of the Internet.

I thought that adding a filter rule which would temporarily add the to an address-list, say, PAY_NO_ACCESS when that user tries to reach, creating some accept filter rule for dst-address and the PAY_NO_ACCESS address-list, and a masquerade NAT rule for that PAY_NO_ACCESS address-list, and placing those rules above the appropriate rejecting rules would solve the problem. But it didn't. It seems that an IP can not be in 2 address-lists for which opposite filter and NAT rules are specified, and despite the fact that the rules for PAY_NO_ACCESS were placed almost at the top of the filter and NAT list - that didn't help at all. Although I thought the packet would never reach those prohibitive rules.

Any thoughts and suggestions will be greatly appreciated.

Re: Help with IP-> Filter needed

Posted: Wed Jul 10, 2019 5:38 am
by 2frogs
Create an address-list name=payment_gateway and add and dns ip to it.
Now add dst-address-list!=payment_gateway to both of your rules. The "!" means "not".

This should work for http, but I don't think it will for https...
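The approach above written out as RouterOS CLI, added here as an illustration and not taken from either post. All addresses are RFC 5737 placeholders; the actual syntax for "not in list" is `dst-address-list=!payment_gateway` (the `!` goes after the `=`), and the interface name `ether-OUT` is the one from the original rules.

```routeros
# Added example, not from the thread. Placeholder addresses: replace with the real ones.
/ip firewall address-list
add list=NO_ACCESS address=192.0.2.10 comment="blocked user (placeholder)"
add list=payment_gateway address=203.0.113.50 comment="payment page IP (placeholder)"
# RouterOS resolves an FQDN entry periodically and adds the resulting IPs to the list
add list=payment_gateway address=pay.example.net comment="gateway FQDN (placeholder)"

/ip firewall filter
# Blocked users may still reach the payment gateway; everything else is dropped.
# Keep this rule above any general accept rule for the ether-OUT direction.
add chain=forward action=drop src-address-list=NO_ACCESS \
    dst-address-list=!payment_gateway out-interface=ether-OUT \
    comment="NO_ACCESS: drop all but payment gateway"

/ip firewall nat
# Only web traffic that is NOT headed to the payment gateway gets redirected to
# the personal page (placeholder 198.51.100.20, plain HTTP on port 80).
add chain=dstnat action=dst-nat to-addresses=198.51.100.20 to-ports=80 \
    protocol=tcp src-address-list=NO_ACCESS dst-address-list=!payment_gateway \
    dst-port=80,443 comment="NO_ACCESS: redirect to personal page"

# Verify: counters on both rules should stop increasing for traffic to the
# gateway, and the resolved FQDN entries should appear as dynamic list entries.
/ip firewall filter print stats where comment~"NO_ACCESS"
/ip firewall nat print stats where comment~"NO_ACCESS"
/ip firewall address-list print where list=payment_gateway
```

The negated match itself is protocol-independent; the HTTPS problem is on the redirect side, since a TLS connection to port 443 that is dst-natted onto a plain-HTTP server on port 80 fails in the browser instead of showing the personal page.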

Re: Help with IP-> Filter needed

Posted: Wed Jul 10, 2019 8:43 am
by bobr
Hmmm - that's quite an option to check if the traffic is not going to in prohibitive rules...
Thanks a lot for the advice!