/ip firewall nat
# Redirect every plain-text DNS query (UDP/53 and TCP/53) that is not already
# addressed to <dns-server> to <dns-server>:53, so clients cannot bypass the
# chosen resolver with a hard-coded server. <dns-server> is a placeholder;
# substitute the resolver's real address before importing.
# Only classic port-53 DNS is caught; DoH (443) and DoT (853) are untouched.
# NOTE(review): there is no src-address / in-interface restriction, so the
# rewrite applies to port-53 traffic entering on any interface. Limiting it
# to the LAN side (e.g. in-interface-list=LAN or src-address=<lan-subnet>)
# keeps transit/WAN-side traffic out of the rule.
add action=dst-nat chain=dstnat dst-address=!<dns-server> dst-port=53 \
protocol=udp to-addresses=<dns-server> to-ports=53
add action=dst-nat chain=dstnat dst-address=!<dns-server> dst-port=53 \
protocol=tcp to-addresses=<dns-server> to-ports=53
/ip dns static
# Sinkhole: clients resolving through this router get 127.0.0.1 for the exact
# name download.windowsupdate.com. A static entry matches that exact name only;
# other hosts under windowsupdate.com still resolve normally (a regexp= static
# entry would be needed for a pattern). Only queries that actually reach this
# resolver are affected - a client using its own DoH/DoT endpoint bypasses it.
add name=download.windowsupdate.com address=127.0.0.1
/ip firewall layer7-protocol
# Payload matcher referenced by filter rules as layer7-protocol=windows-updates.
# The regexp is unanchored and its dots are unescaped, so '.' matches any
# character and any payload merely containing this string matches; the strict
# form would be download\.windowsupdate\.com. L7 matching inspects only the
# beginning of a connection, which is enough for a DNS query name.
add name=windows-updates regexp=download.windowsupdate.com
/ip firewall filter
# Drop DNS queries addressed to the router itself (chain=input) whose payload
# matches the windows-updates L7 pattern, for both UDP and TCP. The client
# receives no answer (a timeout rather than a refusal) and may retry or fall
# back to another resolver.
# NOTE(review): rule order matters - an earlier input rule that accepts
# established/related or all port-53 traffic means these are never reached.
# NOTE(review): input-chain rules run before the packet is handed to the
# router's DNS service, so a /ip dns static entry for the same name cannot
# answer a query these rules drop; pick one mechanism. Running an L7 regexp
# over every port-53 packet that reaches the router also costs CPU.
add action=drop chain=input dst-port=53 layer7-protocol=windows-updates protocol=udp
add action=drop chain=input dst-port=53 layer7-protocol=windows-updates protocol=tcp
# `/ip fire add` is the abbreviated form of `/ip firewall address-list`
# (RouterOS accepts unambiguous command prefixes); the full path is clearer
# for anyone importing this.
# Static IPv4 entries for Microsoft update/CDN endpoints. These addresses sit
# in shared cloud/CDN ranges and rotate over time, so the list goes stale and
# may also match unrelated services hosted on the same addresses. FQDN
# entries (address=<hostname>), which the router resolves and refreshes
# itself, age better than a fixed IP snapshot.
/ip fire add
add list=windows_update address=13.68.87.47
add list=windows_update address=13.68.87.175
add list=windows_update address=13.68.88.129
add list=windows_update address=13.68.93.109
add list=windows_update address=13.74.179.117
add list=windows_update address=13.78.168.230
add list=windows_update address=13.78.177.144
add list=windows_update address=13.78.179.199
add list=windows_update address=13.78.180.50
add list=windows_update address=13.78.180.90
add list=windows_update address=13.78.184.44
add list=windows_update address=13.78.184.186
add list=windows_update address=13.78.186.254
add list=windows_update address=13.78.187.58
add list=windows_update address=13.78.230.134
add list=windows_update address=13.83.148.218
add list=windows_update address=13.83.148.235
add list=windows_update address=13.83.149.5
add list=windows_update address=13.83.149.67
add list=windows_update address=13.83.151.160
add list=windows_update address=13.86.124.174
add list=windows_update address=13.86.124.184
add list=windows_update address=13.86.124.191
add list=windows_update address=13.91.16.64
add list=windows_update address=13.91.16.65
add list=windows_update address=13.91.16.66
add list=windows_update address=13.92.211.120
add list=windows_update address=13.107.4.50
add list=windows_update address=13.107.4.52
add list=windows_update address=13.107.4.254
add list=windows_update address=20.36.218.63
add list=windows_update address=20.36.218.70
add list=windows_update address=20.36.222.39
add list=windows_update address=20.36.252.130
add list=windows_update address=20.41.41.23
add list=windows_update address=20.42.24.29
add list=windows_update address=20.42.24.50
add list=windows_update address=20.44.77.24
add list=windows_update address=20.44.77.45
add list=windows_update address=20.44.77.49
add list=windows_update address=20.44.77.219
add list=windows_update address=20.45.4.77
add list=windows_update address=20.45.4.178
add list=windows_update address=20.54.24.69
add list=windows_update address=20.54.24.79
add list=windows_update address=20.54.24.148
add list=windows_update address=20.54.24.169
add list=windows_update address=20.54.24.231
add list=windows_update address=20.54.24.246
add list=windows_update address=20.54.25.4
add list=windows_update address=20.54.25.16
add list=windows_update address=20.54.89.15
add list=windows_update address=20.54.89.106
add list=windows_update address=20.62.190.184
add list=windows_update address=20.62.190.185
add list=windows_update address=20.62.190.186
add list=windows_update address=20.185.109.208
add list=windows_update address=20.186.48.46
add list=windows_update address=20.188.74.161
add list=windows_update address=20.188.78.184
add list=windows_update address=20.188.78.185
add list=windows_update address=20.188.78.187
add list=windows_update address=20.188.78.188
add list=windows_update address=20.188.78.189
add list=windows_update address=20.190.3.175
add list=windows_update address=20.190.9.86
add list=windows_update address=20.191.46.109
add list=windows_update address=20.191.46.211
add list=windows_update address=23.103.189.125
add list=windows_update address=23.103.189.126
add list=windows_update address=23.103.189.157
add list=windows_update address=23.103.189.158
add list=windows_update address=40.67.248.104
add list=windows_update address=40.67.251.132
add list=windows_update address=40.67.251.134
add list=windows_update address=40.67.252.175
add list=windows_update address=40.67.252.206
add list=windows_update address=40.67.253.249
add list=windows_update address=40.67.254.36
add list=windows_update address=40.67.254.97
add list=windows_update address=40.67.255.199
add list=windows_update address=40.69.216.73
add list=windows_update address=40.69.216.129
add list=windows_update address=40.69.216.251
add list=windows_update address=40.69.218.62
add list=windows_update address=40.69.219.197
add list=windows_update address=40.69.220.46
add list=windows_update address=40.69.221.239
add list=windows_update address=40.69.222.109
add list=windows_update address=40.69.223.39
add list=windows_update address=40.69.223.198
add list=windows_update address=40.70.224.144
add list=windows_update address=40.70.224.145
add list=windows_update address=40.70.224.147
add list=windows_update address=40.70.224.148
add list=windows_update address=40.70.224.149
add list=windows_update address=40.70.229.150
add list=windows_update address=40.77.18.167
add list=windows_update address=40.77.224.8
add list=windows_update address=40.77.224.11
add list=windows_update address=40.77.224.145
add list=windows_update address=40.77.224.254
add list=windows_update address=40.77.226.13
add list=windows_update address=40.77.226.181
add list=windows_update address=40.77.226.246
add list=windows_update address=40.77.226.247
add list=windows_update address=40.77.226.248
add list=windows_update address=40.77.226.249
add list=windows_update address=40.77.226.250
add list=windows_update address=40.77.229.8
add list=windows_update address=40.77.229.9
add list=windows_update address=40.77.229.12
add list=windows_update address=40.77.229.13
add list=windows_update address=40.77.229.16
add list=windows_update address=40.77.229.21
add list=windows_update address=40.77.229.22
add list=windows_update address=40.77.229.24
add list=windows_update address=40.77.229.26
add list=windows_update address=40.77.229.27
add list=windows_update address=40.77.229.29
add list=windows_update address=40.77.229.30
add list=windows_update address=40.77.229.32
add list=windows_update address=40.77.229.35
add list=windows_update address=40.77.229.38
add list=windows_update address=40.77.229.44
add list=windows_update address=40.77.229.45
add list=windows_update address=40.77.229.50
add list=windows_update address=40.77.229.53
add list=windows_update address=40.77.229.62
add list=windows_update address=40.77.229.65
add list=windows_update address=40.77.229.67
add list=windows_update address=40.77.229.69
add list=windows_update address=40.77.229.70
add list=windows_update address=40.77.229.71
add list=windows_update address=40.77.229.74
add list=windows_update address=40.77.229.76
add list=windows_update address=40.77.229.80
add list=windows_update address=40.77.229.81
add list=windows_update address=40.77.229.82
add list=windows_update address=40.77.229.88
add list=windows_update address=40.77.229.118
add list=windows_update address=40.77.229.123
add list=windows_update address=40.77.229.128
add list=windows_update address=40.77.229.133
add list=windows_update address=40.77.229.141
add list=windows_update address=40.77.229.199
add list=windows_update address=40.79.65.78
add list=windows_update address=40.79.65.123
add list=windows_update address=40.79.65.235
add list=windows_update address=40.79.65.237
add list=windows_update address=40.79.66.194
add list=windows_update address=40.79.66.209
add list=windows_update address=40.79.67.176
add list=windows_update address=40.79.70.158
add list=windows_update address=40.91.73.169
add list=windows_update address=40.91.73.219
add list=windows_update address=40.91.75.5
add list=windows_update address=40.91.80.89
add list=windows_update address=40.91.91.94
add list=windows_update address=40.91.120.196
add list=windows_update address=40.91.122.44
add list=windows_update address=40.125.122.151
add list=windows_update address=40.125.122.176
add list=windows_update address=51.103.5.159
add list=windows_update address=51.103.5.186
add list=windows_update address=51.104.162.50
add list=windows_update address=51.104.162.168
add list=windows_update address=51.104.164.114
add list=windows_update address=51.104.167.48
add list=windows_update address=51.104.167.186
add list=windows_update address=51.104.167.245
add list=windows_update address=51.104.167.255
add list=windows_update address=51.105.249.223
add list=windows_update address=51.105.249.228
add list=windows_update address=51.105.249.239
add list=windows_update address=52.142.21.136
add list=windows_update address=52.137.102.105
add list=windows_update address=52.137.103.96
add list=windows_update address=52.137.103.130
add list=windows_update address=52.137.110.235
add list=windows_update address=52.142.21.137
add list=windows_update address=52.142.21.140
add list=windows_update address=52.142.21.141
add list=windows_update address=52.143.80.209
add list=windows_update address=52.143.81.222
add list=windows_update address=52.143.84.45
add list=windows_update address=52.143.86.214
add list=windows_update address=52.143.87.28
add list=windows_update address=52.147.176.8
add list=windows_update address=52.148.148.114
add list=windows_update address=52.152.108.96
add list=windows_update address=52.152.110.14
add list=windows_update address=52.155.95.90
add list=windows_update address=52.155.115.56
add list=windows_update address=52.155.169.137
add list=windows_update address=52.155.183.99
add list=windows_update address=52.155.217.156
add list=windows_update address=52.155.223.194
add list=windows_update address=52.156.144.83
add list=windows_update address=52.158.114.119
add list=windows_update address=52.158.122.14
add list=windows_update address=52.161.15.246
add list=windows_update address=52.164.221.179
add list=windows_update address=52.164.226.245
add list=windows_update address=52.167.222.82
add list=windows_update address=52.167.222.147
add list=windows_update address=52.167.223.135
add list=windows_update address=52.169.82.131
add list=windows_update address=52.169.83.3
add list=windows_update address=52.169.87.42
add list=windows_update address=52.169.123.48
add list=windows_update address=52.175.23.79
add list=windows_update address=52.177.164.251
add list=windows_update address=52.177.247.15
add list=windows_update address=52.178.192.146
add list=windows_update address=52.179.216.235
add list=windows_update address=52.179.219.14
add list=windows_update address=52.183.47.176
add list=windows_update address=52.183.118.171
add list=windows_update address=52.184.152.136
add list=windows_update address=52.184.155.206
add list=windows_update address=52.184.212.181
add list=windows_update address=52.184.213.21
add list=windows_update address=52.184.213.187
add list=windows_update address=52.184.214.53
add list=windows_update address=52.184.214.123
add list=windows_update address=52.184.214.139
add list=windows_update address=52.184.216.174
add list=windows_update address=52.184.216.226
add list=windows_update address=52.184.216.246
add list=windows_update address=52.184.217.20
add list=windows_update address=52.184.217.37
add list=windows_update address=52.184.217.56
add list=windows_update address=52.187.60.107
add list=windows_update address=52.188.72.233
add list=windows_update address=52.226.130.114
add list=windows_update address=52.229.170.171
add list=windows_update address=52.229.170.224
add list=windows_update address=52.229.171.86
add list=windows_update address=52.229.171.202
add list=windows_update address=52.229.172.155
add list=windows_update address=52.229.174.29
add list=windows_update address=52.229.174.172
add list=windows_update address=52.229.174.233
add list=windows_update address=52.229.175.79
add list=windows_update address=52.230.216.17
add list=windows_update address=52.230.216.157
add list=windows_update address=52.230.220.159
add list=windows_update address=52.230.223.92
add list=windows_update address=52.230.223.167
add list=windows_update address=52.232.225.93
add list=windows_update address=52.238.248.1
add list=windows_update address=52.238.248.2
add list=windows_update address=52.238.248.3
add list=windows_update address=52.242.97.97
add list=windows_update address=52.242.101.226
add list=windows_update address=52.242.231.32
add list=windows_update address=52.242.231.33
add list=windows_update address=52.242.231.35
add list=windows_update address=52.242.231.36
add list=windows_update address=52.242.231.37
add list=windows_update address=52.243.153.146
add list=windows_update address=52.248.96.36
add list=windows_update address=52.249.24.101
add list=windows_update address=52.249.58.51
add list=windows_update address=52.250.46.232
add list=windows_update address=52.250.46.237
add list=windows_update address=52.250.46.238
add list=windows_update address=52.250.195.200
add list=windows_update address=52.250.195.204
add list=windows_update address=52.250.195.206
add list=windows_update address=52.250.195.207
add list=windows_update address=52.253.130.84
add list=windows_update address=52.254.106.61
add list=windows_update address=64.4.27.50
add list=windows_update address=65.52.108.29
add list=windows_update address=65.52.108.33
add list=windows_update address=65.52.108.59
add list=windows_update address=65.52.108.90
add list=windows_update address=65.52.108.92
add list=windows_update address=65.52.108.153
add list=windows_update address=65.52.108.154
add list=windows_update address=65.52.108.185
add list=windows_update address=65.55.242.254
add list=windows_update address=66.119.144.157
add list=windows_update address=66.119.144.158
add list=windows_update address=66.119.144.189
add list=windows_update address=66.119.144.190
add list=windows_update address=67.26.27.254
add list=windows_update address=104.45.177.233
add list=windows_update address=111.221.29.40
add list=windows_update address=134.170.51.187
add list=windows_update address=134.170.51.188
add list=windows_update address=134.170.51.190
add list=windows_update address=134.170.51.246
add list=windows_update address=134.170.51.247
add list=windows_update address=134.170.51.248
add list=windows_update address=134.170.53.29
add list=windows_update address=134.170.53.30
add list=windows_update address=134.170.115.55
add list=windows_update address=134.170.115.56
add list=windows_update address=134.170.115.60
add list=windows_update address=134.170.115.62
add list=windows_update address=134.170.165.248
add list=windows_update address=134.170.165.249
add list=windows_update address=134.170.165.251
add list=windows_update address=134.170.165.253
add list=windows_update address=137.135.62.92
add list=windows_update address=157.55.133.204
add list=windows_update address=157.55.240.89
add list=windows_update address=157.55.240.126
add list=windows_update address=157.55.240.220
add list=windows_update address=157.56.77.138
add list=windows_update address=157.56.77.139
add list=windows_update address=157.56.77.140
add list=windows_update address=157.56.77.141
add list=windows_update address=157.56.77.148
add list=windows_update address=157.56.77.149
add list=windows_update address=157.56.96.54
add list=windows_update address=157.56.96.58
add list=windows_update address=157.56.96.123
add list=windows_update address=157.56.96.157
add list=windows_update address=191.232.80.53
add list=windows_update address=191.232.80.58
add list=windows_update address=191.232.80.60
add list=windows_update address=191.232.80.62
add list=windows_update address=191.232.139.2
add list=windows_update address=191.232.139.182
add list=windows_update address=191.232.139.253
add list=windows_update address=191.232.139.254
add list=windows_update address=191.234.72.183
add list=windows_update address=191.234.72.186
add list=windows_update address=191.234.72.188
add list=windows_update address=191.234.72.190
add list=windows_update address=207.46.114.58
add list=windows_update address=207.46.114.61
# `/ip fire add` abbreviates `/ip firewall address-list`; the full path is
# clearer. Static IPv4 entries attributed to Windows telemetry endpoints.
# NOTE(review): these are shared cloud ranges, so a rule that drops or
# reroutes this list can hit unrelated services on the same addresses, and
# the snapshot goes stale as endpoints move; review it periodically.
/ip fire add
add list=windows_telemetry address=13.64.90.137
add list=windows_telemetry address=13.68.31.193
add list=windows_telemetry address=13.69.131.175
add list=windows_telemetry address=13.66.56.243
add list=windows_telemetry address=13.68.82.8
add list=windows_telemetry address=13.68.92.143
add list=windows_telemetry address=13.73.26.107
add list=windows_telemetry address=13.74.169.109
add list=windows_telemetry address=13.78.130.220
add list=windows_telemetry address=13.78.232.226
add list=windows_telemetry address=13.78.233.133
add list=windows_telemetry address=13.88.21.125
add list=windows_telemetry address=13.92.194.212
add list=windows_telemetry address=13.104.215.69
add list=windows_telemetry address=20.44.86.43
add list=windows_telemetry address=20.49.150.241
add list=windows_telemetry address=20.54.110.119
add list=windows_telemetry address=20.60.20.4
add list=windows_telemetry address=20.189.74.153
add list=windows_telemetry address=23.99.49.121
add list=windows_telemetry address=23.102.4.253
add list=windows_telemetry address=23.102.5.5
add list=windows_telemetry address=23.102.21.4
add list=windows_telemetry address=23.103.182.126
add list=windows_telemetry address=40.68.222.212
add list=windows_telemetry address=40.69.153.67
add list=windows_telemetry address=40.70.184.83
add list=windows_telemetry address=40.70.220.248
add list=windows_telemetry address=40.70.221.249
add list=windows_telemetry address=40.77.228.47
add list=windows_telemetry address=40.77.228.87
add list=windows_telemetry address=40.77.228.92
add list=windows_telemetry address=40.77.232.101
add list=windows_telemetry address=40.78.128.150
add list=windows_telemetry address=40.79.85.125
add list=windows_telemetry address=40.88.32.150
add list=windows_telemetry address=40.90.221.9
add list=windows_telemetry address=40.112.209.200
add list=windows_telemetry address=40.115.3.210
add list=windows_telemetry address=40.115.119.185
add list=windows_telemetry address=40.119.211.203
add list=windows_telemetry address=40.119.249.228
add list=windows_telemetry address=40.124.34.70
add list=windows_telemetry address=40.127.240.158
add list=windows_telemetry address=51.104.136.2
add list=windows_telemetry address=51.124.78.146
add list=windows_telemetry address=51.140.40.236
add list=windows_telemetry address=51.140.157.153
add list=windows_telemetry address=51.143.53.152
add list=windows_telemetry address=51.143.111.7
add list=windows_telemetry address=51.143.111.81
add list=windows_telemetry address=51.144.227.73
add list=windows_telemetry address=52.147.198.201
add list=windows_telemetry address=52.138.204.217
add list=windows_telemetry address=52.138.216.83
add list=windows_telemetry address=52.155.94.78
add list=windows_telemetry address=52.155.172.105
add list=windows_telemetry address=52.157.234.37
add list=windows_telemetry address=52.158.208.111
add list=windows_telemetry address=52.164.241.205
add list=windows_telemetry address=52.169.189.83
add list=windows_telemetry address=52.170.83.19
add list=windows_telemetry address=52.174.22.246
add list=windows_telemetry address=52.178.147.240
add list=windows_telemetry address=52.178.151.212
add list=windows_telemetry address=52.178.178.16
add list=windows_telemetry address=52.178.223.23
add list=windows_telemetry address=52.183.114.173
add list=windows_telemetry address=52.184.221.185
add list=windows_telemetry address=52.229.39.152
add list=windows_telemetry address=52.230.85.180
add list=windows_telemetry address=52.230.222.68
add list=windows_telemetry address=52.236.42.239
add list=windows_telemetry address=52.236.43.202
add list=windows_telemetry address=52.255.188.83
add list=windows_telemetry address=65.52.100.7
add list=windows_telemetry address=65.52.100.9
add list=windows_telemetry address=65.52.100.11
add list=windows_telemetry address=65.52.100.91
add list=windows_telemetry address=65.52.100.92
add list=windows_telemetry address=65.52.100.93
add list=windows_telemetry address=65.52.100.94
add list=windows_telemetry address=65.52.161.64
add list=windows_telemetry address=65.55.29.238
add list=windows_telemetry address=65.55.44.51
add list=windows_telemetry address=65.55.44.54
add list=windows_telemetry address=65.55.44.108
add list=windows_telemetry address=65.55.44.109
add list=windows_telemetry address=65.55.83.120
add list=windows_telemetry address=65.55.113.11
add list=windows_telemetry address=65.55.113.12
add list=windows_telemetry address=65.55.113.13
add list=windows_telemetry address=65.55.176.90
add list=windows_telemetry address=65.55.252.43
add list=windows_telemetry address=65.55.252.63
add list=windows_telemetry address=65.55.252.70
add list=windows_telemetry address=65.55.252.71
add list=windows_telemetry address=65.55.252.72
add list=windows_telemetry address=65.55.252.93
add list=windows_telemetry address=65.55.252.190
add list=windows_telemetry address=65.55.252.202
add list=windows_telemetry address=66.119.147.131
add list=windows_telemetry address=104.41.207.73
add list=windows_telemetry address=104.42.151.234
add list=windows_telemetry address=104.43.137.66
add list=windows_telemetry address=104.43.139.21
add list=windows_telemetry address=104.43.139.144
add list=windows_telemetry address=104.43.140.223
add list=windows_telemetry address=104.43.193.48
add list=windows_telemetry address=104.43.228.53
add list=windows_telemetry address=104.43.228.202
add list=windows_telemetry address=104.43.237.169
add list=windows_telemetry address=104.45.11.195
add list=windows_telemetry address=104.45.214.112
add list=windows_telemetry address=104.46.1.211
add list=windows_telemetry address=104.46.38.64
add list=windows_telemetry address=104.210.4.77
add list=windows_telemetry address=104.210.40.87
add list=windows_telemetry address=104.210.212.243
add list=windows_telemetry address=104.214.35.244
add list=windows_telemetry address=104.214.78.152
add list=windows_telemetry address=131.253.6.87
add list=windows_telemetry address=131.253.6.103
add list=windows_telemetry address=131.253.34.230
add list=windows_telemetry address=131.253.34.234
add list=windows_telemetry address=131.253.34.237
add list=windows_telemetry address=131.253.34.243
add list=windows_telemetry address=131.253.34.246
add list=windows_telemetry address=131.253.34.247
add list=windows_telemetry address=131.253.34.249
add list=windows_telemetry address=131.253.34.252
add list=windows_telemetry address=131.253.34.255
add list=windows_telemetry address=131.253.40.37
add list=windows_telemetry address=134.170.30.202
add list=windows_telemetry address=134.170.30.203
add list=windows_telemetry address=134.170.30.204
add list=windows_telemetry address=134.170.30.221
add list=windows_telemetry address=134.170.52.151
add list=windows_telemetry address=134.170.235.16
add list=windows_telemetry address=157.56.74.250
add list=windows_telemetry address=157.56.91.77
add list=windows_telemetry address=157.56.106.184
add list=windows_telemetry address=157.56.106.185
add list=windows_telemetry address=157.56.106.189
add list=windows_telemetry address=157.56.113.217
add list=windows_telemetry address=157.56.121.89
add list=windows_telemetry address=157.56.124.87
add list=windows_telemetry address=157.56.149.250
add list=windows_telemetry address=157.56.194.72
add list=windows_telemetry address=157.56.194.73
add list=windows_telemetry address=157.56.194.74
add list=windows_telemetry address=168.61.24.141
add list=windows_telemetry address=168.61.146.25
add list=windows_telemetry address=168.61.149.17
add list=windows_telemetry address=168.61.161.212
add list=windows_telemetry address=168.61.172.71
add list=windows_telemetry address=168.62.187.13
add list=windows_telemetry address=168.63.100.61
add list=windows_telemetry address=168.63.108.233
add list=windows_telemetry address=191.236.155.80
add list=windows_telemetry address=191.237.218.239
add list=windows_telemetry address=191.239.50.18
add list=windows_telemetry address=191.239.50.77
add list=windows_telemetry address=191.239.52.100
add list=windows_telemetry address=191.239.54.52
add list=windows_telemetry address=207.68.166.254
And what have I written? TLS Host matcher doesn't work with TLS 1.3+.
I'm also doing this, complete with a verified certificate. Your solution is useless because in the near future DoH and DoT will be used...
I could make a C++ script to do it for me but I'm low on time. :) You always want easy things... :-)
I do not understand this. :( There wasn't a single word about policy routing in the original post.
I'm actually trying to make it so all Windows Update traffic gets redirected to a VPN
This is basically useless to me as I'm using DoH which hides all the DNS from attackers, but you already knew this. Only (small) DNS packets will be matched against the L7 filter. In this case, the TLS version is unimportant.
Why couldn't I use the L7 method for policy routing, other than the CPU problem? You'd have to use rextended's solution and mark sessions/packets based on an address list and route them via the VPN using mangle rules.
Bullshit! Not even the just-released Windows 11 pre-release uses DoH or DoT for DNS resolution. It's using the same unencrypted shit that was invented in 1983. You have to understand that only the (unencrypted!) DNS traffic between your Windows client and the configured DNS server (I assumed it's the Mikrotik router) gets inspected/altered. It doesn't matter if you're using DoH on any upstream DNS resolver. This is basically useless to me as I'm using DoH which hides all the DNS from attackers, but you already knew this.
You didn't even come close to what I'm doing. To stop cellular operators from seeing any unencrypted DNS requests, I set up a hairpin NAT rule to redirect all port-53 DNS to the Mikrotik, which has its own DNS server, and that server uses DoH over the cellular network that the ISP can see. However, in TLS 1.0–1.2 and HTTP requests you can still see the domain in the packets, so I need some way to stop Windows Update ones from getting routed the usual way; I just need some method to identify them and send them to some VPN tunnel. You have to understand that only the (unencrypted!) DNS traffic between your Windows client and the configured DNS server (I assumed it's the Mikrotik router) gets inspected/altered. It doesn't matter if you're using DoH on any upstream DNS resolver.
/ip firewall mangle
# Policy routing for the windows_update address list: connections whose
# destination is in the list get connection-mark c_windows_update, every
# packet of such a connection gets packet-mark p_windows_update, and those
# packets receive routing-mark=VPN so a route with routing-mark=VPN carries
# them. passthrough=no on the last rule ends mangle processing there.
# NOTE(review): the mark-connection rule has no connection-mark=no-mark (or
# connection-state=new) restriction, so it is re-evaluated for every packet of
# every connection; adding connection-mark=no-mark marks each connection once.
# chain=prerouting covers traffic forwarded through the router only; traffic
# originated by the router itself would need equivalent rules in chain=output.
# On RouterOS v7 the routing mark must name a table created under
# /routing table (e.g. name=VPN fib) - confirm for the version in use.
add action=mark-connection chain=prerouting dst-address-list=windows_update new-connection-mark=\
c_windows_update passthrough=yes
add action=mark-packet chain=prerouting connection-mark=c_windows_update \
new-packet-mark=p_windows_update passthrough=yes
add action=mark-routing chain=prerouting new-routing-mark=VPN packet-mark=p_windows_update passthrough=no
/ip route
# Default route for packets carrying routing-mark=VPN. <your-vpn-gateway> is a
# placeholder for the tunnel's gateway address or interface.
# NOTE(review): fail-open risk - when this route is inactive (tunnel down) the
# lookup falls back to the main table and the marked traffic leaves via the
# normal default route. A higher-distance blackhole under the same mark, e.g.
# `add type=blackhole distance=10 routing-mark=VPN`, makes it fail closed.
add distance=1 gateway=<your-vpn-gateway> routing-mark=VPN
What about L7 in addition to or instead of an address list? You need to have an address list, like the one crazy-max provides.
# FQDN entry: the router resolves download.windowsupdate.com itself and keeps
# the resulting addresses as dynamic members of windows_update, refreshing
# them as the DNS TTL expires. The router's answer may differ from what a
# client resolves (CDN names often return per-resolver addresses), so the list
# may not cover every address clients actually connect to - confirm in use.
/ip firewall address-list add list=windows_update address=download.windowsupdate.com
The problem is, this has non-Windows stuff as well (like ad domains), but I only need to masquerade addresses that are a "smoking gun" that there is a Windows machine in the network. I found a few candidates here: https://answers.microsoft.com/en-us/win ... db574d1526 There is an official Micro$oft list of domains... LINK
# `/ip fire add` abbreviates `/ip firewall address-list`; the full path is
# clearer. FQDN entries: the router resolves each name and keeps the results
# as dynamic list members, so this list tracks DNS changes on its own.
# NOTE(review): the list mixes Windows Update/telemetry hosts with generic
# ad-network domains (doubleclick, adnxs, atdmt, 2mdn, serving-sys,
# flashtalking) that are not Windows-specific, and apex names such as
# a-msedge.net / msedge.net cover far more than Windows Update. An entry
# resolves only the exact name listed, not its subdomains. Review before
# using this list as a "Windows machine present" signal.
/ip fire add
add list=windows_update_dns address=a-0001.a-msedge.net
add list=windows_update_dns address=a-0002.a-msedge.net
add list=windows_update_dns address=a-0003.a-msedge.net
add list=windows_update_dns address=a-0004.a-msedge.net
add list=windows_update_dns address=a-0005.a-msedge.net
add list=windows_update_dns address=a-0006.a-msedge.net
add list=windows_update_dns address=a-0007.a-msedge.net
add list=windows_update_dns address=a-0008.a-msedge.net
add list=windows_update_dns address=a-0009.a-msedge.net
add list=windows_update_dns address=a-msedge.net
add list=windows_update_dns address=a.ads1.msn.com
add list=windows_update_dns address=a.ads2.msads.net
add list=windows_update_dns address=a.ads2.msn.com
add list=windows_update_dns address=a.rad.msn.com
add list=windows_update_dns address=ac3.msn.com
add list=windows_update_dns address=ad.doubleclick.net
add list=windows_update_dns address=adnexus.net
add list=windows_update_dns address=adnxs.com
add list=windows_update_dns address=ads.msn.com
add list=windows_update_dns address=ads1.msads.net
add list=windows_update_dns address=ads1.msn.com
add list=windows_update_dns address=aidps.atdmt.com
add list=windows_update_dns address=aka-cdn-ns.adtech.de
add list=windows_update_dns address=apps.skype.com
add list=windows_update_dns address=az361816.vo.msecnd.net
add list=windows_update_dns address=az512334.vo.msecnd.net
add list=windows_update_dns address=b.ads1.msn.com
add list=windows_update_dns address=b.ads2.msads.net
add list=windows_update_dns address=b.rad.msn.com
add list=windows_update_dns address=bs.serving-sys.com
add list=windows_update_dns address=c.atdmt.com
add list=windows_update_dns address=c.msn.com
add list=windows_update_dns address=ca.telemetry.microsoft.com
add list=windows_update_dns address=cache.datamart.windows.com
add list=windows_update_dns address=cdn.atdmt.com
add list=windows_update_dns address=cds26.ams9.msecn.net
add list=windows_update_dns address=choice.microsoft.com
add list=windows_update_dns address=choice.microsoft.com.nsatc.net
# NOTE(review): "nstac.net" looks like a transposition of the "nsatc.net"
# suffix used by the entry above; verify the name before keeping it.
add list=windows_update_dns address=choice.microsoft.com.nstac.net
add list=windows_update_dns address=compatexchange.cloudapp.net
add list=windows_update_dns address=corp.sts.microsoft.com
add list=windows_update_dns address=corpext.msitadfs.glbdns2.microsoft.com
add list=windows_update_dns address=cs1.wpc.v0cdn.net
add list=windows_update_dns address=db3aqu.atdmt.com
add list=windows_update_dns address=db3wns2011111.wns.windows.com
add list=windows_update_dns address=df.telemetry.microsoft.com
add list=windows_update_dns address=diagnostics.support.microsoft.com
add list=windows_update_dns address=ec.atdmt.com
add list=windows_update_dns address=fe2.update.microsoft.com.akadns.net
add list=windows_update_dns address=fe3.delivery.dsp.mp.microsoft.com.nsatc.net
add list=windows_update_dns address=feedback.microsoft-hohm.com
add list=windows_update_dns address=feedback.search.microsoft.com
add list=windows_update_dns address=feedback.windows.com
add list=windows_update_dns address=flex.msn.com
add list=windows_update_dns address=g.msn.com
add list=windows_update_dns address=h1.msn.com
add list=windows_update_dns address=i1.services.social.microsoft.com
add list=windows_update_dns address=i1.services.social.microsoft.com.nsatc.net
add list=windows_update_dns address=lb1.www.ms.akadns.net
add list=windows_update_dns address=live.rads.msn.com
add list=windows_update_dns address=m.adnxs.com
add list=windows_update_dns address=m.hotmail.com
add list=windows_update_dns address=msedge.net
# NOTE(review): msftncsi.com backs the Windows network-connectivity probe;
# blocking or rerouting it can make clients report "no internet" even when
# connectivity is fine - confirm this is intended.
add list=windows_update_dns address=msftncsi.com
add list=windows_update_dns address=msnbot-207-46-194-33.search.msn.com
add list=windows_update_dns address=msnbot-65-55-108-23.search.msn.com
add list=windows_update_dns address=msntest.serving-sys.com
add list=windows_update_dns address=oca.telemetry.microsoft.com
add list=windows_update_dns address=oca.telemetry.microsoft.com.nsatc.net
add list=windows_update_dns address=pre.footprintpredict.com
add list=windows_update_dns address=preview.msn.com
add list=windows_update_dns address=pricelist.skype.com
add list=windows_update_dns address=rad.live.com
add list=windows_update_dns address=rad.msn.com
add list=windows_update_dns address=redir.metaservices.microsoft.com
add list=windows_update_dns address=reports.wes.df.telemetry.microsoft.com
add list=windows_update_dns address=s.gateway.messenger.live.com
add list=windows_update_dns address=s0.2mdn.net
add list=windows_update_dns address=schemas.microsoft.akadns.net
add list=windows_update_dns address=secure.adnxs.com
add list=windows_update_dns address=secure.flashtalking.com
add list=windows_update_dns address=services.wes.df.telemetry.microsoft.com
add list=windows_update_dns address=settings-sandbox.data.microsoft.com
add list=windows_update_dns address=settings-win.data.microsoft.com
add list=windows_update_dns address=settings.data.microsof.com
add list=windows_update_dns address=sls.update.microsoft.com.akadns.net
add list=windows_update_dns address=sO.2mdn.net
add list=windows_update_dns address=spynet2.microsoft.com
add list=windows_update_dns address=spynetalt.microsoft.com
add list=windows_update_dns address=sqm.df.telemetry.microsoft.com
add list=windows_update_dns address=sqm.telemetry.microsoft.com
add list=windows_update_dns address=sqm.telemetry.microsoft.com.nsatc.net
add list=windows_update_dns address=ssw.live.com
add list=windows_update_dns address=static.2mdn.net
add list=windows_update_dns address=statsfe1.ws.microsoft.com
add list=windows_update_dns address=statsfe2.update.microsoft.com.akadns.net
add list=windows_update_dns address=statsfe2.ws.microsoft.com
add list=windows_update_dns address=survey.watson.microsoft.com
add list=windows_update_dns address=telecommand.telemetry.microsoft.com
add list=windows_update_dns address=telecommand.telemetry.microsoft.com.nsatc.net
add list=windows_update_dns address=telemetry.appex.bing.net
add list=windows_update_dns address=telemetry.microsoft.com
add list=windows_update_dns address=telemetry.urs.microsoft.com
add list=windows_update_dns address=ui.skype.com
add list=windows_update_dns address=v10.vortex-win.data.microsoft.com
add list=windows_update_dns address=view.atdmt.com
add list=windows_update_dns address=vortex-bn2.metron.live.com.nsatc.net
add list=windows_update_dns address=vortex-cy2.metron.live.com.nsatc.net
add list=windows_update_dns address=vortex-sandbox.data.microsoft.com
add list=windows_update_dns address=vortex-win.data.metron.live.com.nsatc.net
add list=windows_update_dns address=vortex-win.data.microsoft.com
add list=windows_update_dns address=vortex.data.glbdns2.microsoft.com
add list=windows_update_dns address=vortex.data.microsoft.com
add list=windows_update_dns address=watson.live.com
add list=windows_update_dns address=watson.microsoft.com
add list=windows_update_dns address=watson.ppe.telemetry.microsoft.com
add list=windows_update_dns address=watson.telemetry.microsoft.com
add list=windows_update_dns address=watson.telemetry.microsoft.com.nsatc.net
add list=windows_update_dns address=web.vortex.data.microsoft.com
add list=windows_update_dns address=wes.df.telemetry.microsoft.com
add list=windows_update_dns address=win10.ipv6.microsoft.com
add list=windows_update_dns address=www.msftncsi.com
add address=activity.windows.com list=windows_telemetry
add address=tile-service.weather.microsoft.com list=windows_telemetry
add address=evoke-windowsservices-tas.msedge.net list=windows_telemetry
add address=cdn.onenote.net list=windows_telemetry
add address=spclient.wg.spotify.com list=windows_telemetry
add address=ctldl.windowsupdate.com list=windows_telemetry
add address=fp.msedge.net list=windows_telemetry
add address=k-ring.msedge.net list=windows_telemetry
add address=b-ring.msedge.net list=windows_telemetry
add address=login.live.com list=windows_telemetry
add address=cs.dds.microsoft.com list=windows_telemetry
add address=dmd.metaservices.microsoft.com list=windows_telemetry
add address=v10.events.data.microsoft.com list=windows_telemetry
add address=v20.events.data.microsoft.com list=windows_telemetry
add list=windows_telemetry
add address=watson.telemetry.microsoft.com list=windows_telemetry
add address=licensing.mp.microsoft.com list=windows_telemetry
add address=inference.location.live.net list=windows_telemetry
add address=maps.windows.com list=windows_telemetry
add address=ssl.ak.dynamic.tiles.virtualearth.net list=windows_telemetry
add address=ssl.ak.tiles.virtualearth.net list=windows_telemetry
add address=dev.virtualearth.net list=windows_telemetry
add address=ecn.dev.virtualearth.net list=windows_telemetry
add address=ssl.bing.com list=windows_telemetry
add address=edge.activity.windows.com list=windows_telemetry
add address=edge.microsoft.com list=windows_telemetry
add address=msedge.api.cdp.microsoft.com list=windows_telemetry
add address=img-prod-cms-rt-microsoft-com.akamaized.net list=\
windows_telemetry
add address=wns.windows.com list=windows_telemetry
add address=storecatalogrevocation.storequality.microsoft.com list=\
windows_telemetry
add address=displaycatalog.mp.microsoft.com list=windows_telemetry
add address=pti.store.microsoft.com list=windows_telemetry
add address=storesdk.dsx.mp.microsoft.com list=windows_telemetry
add address=manage.devcenter.microsoft.com list=windows_telemetry
add address=store-images.s-microsoft.com list=windows_telemetry
add address=www.msftconnecttest.com list=windows_telemetry
add address=outlook.office365.com list=windows_telemetry
add address=blobs.officehome.msocdn.com list=windows_telemetry
add address=officehomeblobs.blob.core.windows.net list=windows_telemetry
add address=blob.core.windows.net list=windows_telemetry
add address=self.events.data.microsoft.com list=windows_telemetry
add address=outlookmobile-office365-tas.msedge.net list=windows_telemetry
add address=roaming.officeapps.live.com list=windows_telemetry
add address=substrate.office.com list=windows_telemetry
add address=oneclient.sfx.ms list=windows_telemetry
add address=g.live.com list=windows_telemetry
add address=logincdn.msauth.net list=windows_telemetry
add address=windows.policies.live.net list=windows_telemetry
add address=api.onedrive.com list=windows_telemetry
add address=skydrivesync.policies.live.net list=windows_telemetry
add address=storage.live.com list=windows_telemetry
add address=settings.live.net list=windows_telemetry
add address=settings.data.microsoft.com list=windows_telemetry
add address=settings-win.data.microsoft.com list=windows_telemetry
add address=pipe.aria.microsoft.com list=windows_telemetry
add address=config.edge.skype.com list=windows_telemetry
add address=config.teams.microsoft.com list=windows_telemetry
add address=wdcp.microsoft.com list=windows_telemetry
add address=wdcpalt.microsoft.com list=windows_telemetry
add address=smartscreen-prod.microsoft.com list=windows_telemetry
add address=definitionupdates.microsoft.com list=windows_telemetry
add address=martscreen.microsoft.com list=windows_telemetry
add address=smartscreen.microsoft.com list=windows_telemetry
add address=checkappexec.microsoft.com list=windows_telemetry
add address=arc.msn.com list=windows_telemetry
add address=ris.api.iris.microsoft.com list=windows_telemetry
add address=mucp.api.account.microsoft.com list=windows_telemetry
add address=prod.do.dsp.mp.microsoft.com list=windows_telemetry
add address=emdl.ws.microsoft.com list=windows_update
add address=dl.delivery.mp.microsoft.com list=windows_update
add address=delivery.mp.microsoft.com list=windows_update
add address=update.microsoft.com list=windows_update
add address=adl.windows.com list=windows_update
add address=tsfe.trafficshaping.dsp.mp.microsoft.com list=windows_update
add address=dlassets-ssl.xboxlive.com list=windows_telemetry
add address=www.xboxab.com list=windows_telemetry
(watson|telemetry|windows|smartscreen|maps|activity|choice|download|update|diagnostics|feedback|spynet|telecommand|ipv6|vortex).*(data|support|microsoft|windows|bing|windowsupdate|live)
I hope you understand that any method that works by identifying the traffic at TLS level (e.g. "tls host" or plain L7) can never be used to send the traffic through a VPN tunnel, no matter how well the identification works. You didn't even come close to what I'm doing. To stop cellular operators from seeing any unencrypted DNS requests, I set up a hairpin NAT rule to redirect all port-53 DNS to the MikroTik, which runs its own DNS server, and that server uses DoH over the cellular network that the ISP can see. However, with TLS 1.0–1.2 and plain HTTP requests you can still see the domain name in the packets, so I need some way to stop the Windows Update ones from being routed the usual way; I just need some method to identify them and send them into a VPN tunnel. You have to understand that only the (unencrypted!) DNS traffic between your Windows client and the configured DNS server (I assumed it's the MikroTik router) gets inspected/altered. It doesn't matter if you're using DoH on any upstream DNS resolver.
Technically true, but HTTP(S) has a native 1-RTT feature that automatically restarts the connection if the path changes. And if it doesn't work, no data of value would be lost anyway, since all I'm matching against is Windows/Apple telemetry and updates. When you catch that, it is too late to set up the TCP session via another path.
I already added the destination address to the address list, but I can't think of a good way to send a TCP RST. Is there some feature or hack in ROS that can do this? You would have to reject that packet with a TCP RST reply and also add the destination address to your address list.
/ip firewall mangle
# Pick out TLS connections to the named hosts by their SNI (tls-host) and send
# them to the "tls" chain. tls-host inspects the TLS ClientHello, so the port-80
# half of dst-port=80,443 will not match plain HTTP — presumably kept for
# TLS-on-80; confirm. The first packet carrying a matching ClientHello has
# already been sent over whatever path the default route chose.
add action=jump chain=prerouting comment=*xbox*.com dst-port=80,443 jump-target=tls protocol=tcp tls-host=*xbox*.com
add action=jump chain=prerouting comment=*a-msedge.net dst-port=80,443 jump-target=tls protocol=tcp tls-host=*a-msedge.net
# Src/dst pair already recorded: nothing more to do for this packet.
add action=return chain=tls comment="return packets if the hosts are already marked" dst-address-list=tls_dst_host src-address-list=tls_src_host
# Remember both endpoints for 10 minutes. After the timeout expires, the next
# connection to the same pair is again set up on the default path (and its
# ClientHello is visible there) before it gets recorded and reset here.
add action=add-src-to-address-list address-list=tls_src_host address-list-timeout=10m chain=tls
add action=add-dst-to-address-list address-list=tls_dst_host address-list-timeout=10m chain=tls
# Tag the connection so the filter rule below can reset it; the client is then
# expected to reconnect, and the new connection matches the routing rule below
# from its first packet.
add action=mark-connection chain=tls new-connection-mark=tls_disconnect passthrough=yes
add action=return chain=tls
# Route everything between a recorded src/dst pair via the "vpn" routing mark.
# passthrough=no: no later rule in this chain is evaluated for the packet.
add action=mark-routing chain=prerouting dst-address-list=tls_dst_host new-routing-mark=vpn passthrough=no src-address-list=tls_src_host
/ip firewall filter
# Reset the connection marked above: it was established on the default path and
# cannot be moved. This matches on the connection mark only, so it should sit
# before any rule that accepts established/related traffic — check rule order.
add action=reject chain=forward comment="reset tcp connections which have just been marked with tls" connection-mark=tls_disconnect protocol=tcp reject-with=tcp-reset
Why should I do it in three steps? If I just mark the connection and then mark all of the connection's packets, that's simpler. Also, I noticed that in the MikroTik Wiki they included connection-state=new in rules similar to this. Should I include that as well? Route them via VPN like so:
/ip firewall mangle
add action=mark-connection chain=prerouting dst-address-list=windows_update new-connection-mark=c_windows_update passthrough=yes
add action=mark-packet chain=prerouting connection-mark=c_windows_update new-packet-mark=p_windows_update passthrough=yes
add action=mark-routing chain=prerouting new-routing-mark=VPN packet-mark=p_windows_update passthrough=no
Sorry to reply to an old thread, but I found this a while back and it has taken care of most of the DoH and DoT issues: And what did I write? The TLS Host matcher doesn't work with TLS 1.3+.
Your solution is useless because in the near future DoH and DoT will be used...
Indeed, they already use them...
# Drop QUIC (UDP to the HTTP/HTTPS ports), presumably so clients fall back to
# TCP, where the TLS ClientHello can be inspected — confirm that is the intent.
add chain=forward protocol=udp dst-port=80,443 action=drop comment="Block QUIC"
# Drop DNS-over-TLS (TCP/853) so clients cannot bypass the port-53 DNS redirect.
add chain=forward protocol=tcp dst-port=853 action=drop comment="Block DoT DNS"