F1le
newbie
Topic Author
Posts: 29
Joined: Tue Nov 21, 2017 1:35 am

Suddenly firewall rule stopped adding IP addresses to a LIST

Sun May 28, 2023 1:29 am

I'm not sure if it was after the 7.9.1 update, but suddenly my mangle rules stopped working. I have 2 WANs and there are some IPs I want to route through the 2nd WAN. Normally I used this config to add the IPs matching a specific CONTENT string, in prerouting, to a LIST and later mark routing to the second WAN. It was working 100% fine and suddenly it stopped (no changes were made). Does anybody have a clue about that?

The mangle rule doesn't add the IP addresses matching the CONTENT to the specified LIST.

[Screenshots #1-#3: the mangle rules]
 
sas2k
Frequent Visitor
Posts: 80
Joined: Tue Jan 18, 2022 8:17 am

Re: Suddenly firewall rule stopped adding IP addresses to a LIST

Tue May 30, 2023 10:41 am

1. IP > Firewall > Filter Rules tab: the fasttrack rule should be disabled!
2. Since v7, a mangle rule that adds to an address list works better as a RAW rule. Simply do the same on the Raw tab.
3. Why do you use an address list? If you want to access sites blocked by the ISP in your region by redirecting foreign traffic through another WAN connection (WireGuard VPN?), it is easier to do it another way.
There is a list generator:
https://mikrotikconfig.com/firewall/
You can generate your local country list.
Then create a mangle rule which compares: if the source is your local network (e.g. 192.168.0.1/24) and the destination is NOT in the IP list of your country, then mark routing through the WireGuard VPN.
Important! Do not forget to add to this list:
1. The IP of your WireGuard VPN, to access it directly, as if it were local.
2. The IP range of your local network, e.g. 192.168.0.1/24, to access the local network directly, without trying to route through the VPN.

Mid-range devices like the hEX S, 750Gr3 or hAP ac2 make this comparison through approx. 8000 records with no significant CPU usage!

I'm using this approach for over 1 year; speeds over 100 Mbit work fine.

Your approach of matching content is very slow.
If you add approx. 10 rules, CPU will be at 100%.

*since TLS 1.3 this does not work anymore*:
If you still want to do it by content, a much faster way is to look up the TLS header.
See the "TLS Host" field in your picture #2.
Fortunately ALL sites use TLS nowadays.
The only drawback: the first time you access the site, you must use httpS://


PS - select protocol in your picture #1 as "6 (tcp)".
Searching the rest for your task is useless.
Last edited by sas2k on Tue May 30, 2023 1:00 pm, edited 2 times in total.
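The country-list approach outlined above (mangle rule on source network plus negated destination address list, routing mark to a WireGuard table, fasttrack kept out of the way, the tunnel endpoint and the LAN range added to the list), written out as a RouterOS v7 configuration. This is an added example, not configuration from the thread or from MikroTik. The list name LOCAL-CC, the interface wg0, the routing table via-wg, the LAN range 192.168.0.0/24 and the endpoint address 203.0.113.10 are assumptions, and the country list itself is represented by a single placeholder entry where the generator's output would be imported. The last block shows the original content-style rule rewritten as a RAW rule with the TLS host matcher, which the thread reports as unreliable with TLS 1.3 clients; it is included only as the "before" form.

```routeros
# --- Added example (not from the thread). All names/addresses are assumptions. ---

# 1. Address list. The generator output for your country is imported here;
#    one placeholder entry stands in for it. Two extra entries are required so
#    the tunnel endpoint and the LAN itself are never sent into the tunnel.
/ip firewall address-list
add list=LOCAL-CC address=198.51.100.0/24 comment="placeholder: entry from generated country list"
add list=LOCAL-CC address=203.0.113.10    comment="WireGuard endpoint (assumed), must stay on WAN1"
add list=LOCAL-CC address=192.168.0.0/24  comment="LAN (assumed), stays local"

# 2. Separate routing table with a default route through the WireGuard
#    interface (wg0 is assumed to exist and have a peer configured).
/routing table
add name=via-wg fib
/ip route
add dst-address=0.0.0.0/0 gateway=wg0 routing-table=via-wg comment="foreign traffic via VPN"

# 3. Mangle: first mark the connection once (cheap per-packet afterwards),
#    then apply the routing mark to every packet of a marked connection.
#    dst-address-list=!LOCAL-CC is the "destination NOT in my country" test.
/ip firewall mangle
add chain=prerouting connection-state=new src-address=192.168.0.0/24 \
    dst-address-list=!LOCAL-CC action=mark-connection \
    new-connection-mark=wg-conn passthrough=yes comment="new foreign-bound flow"
add chain=prerouting connection-mark=wg-conn action=mark-routing \
    new-routing-mark=via-wg passthrough=no comment="send marked flows via VPN"

# 4. Fasttrack: fasttracked packets skip mangle entirely, so either disable the
#    default rule (as advised above) or, as here, keep it but exclude marked flows.
/ip firewall filter
add chain=forward connection-state=established,related connection-mark=!wg-conn \
    action=fasttrack-connection comment="fasttrack everything except VPN-routed flows"
add chain=forward connection-state=established,related action=accept

# 5. Source NAT out of the tunnel so replies come back through it.
/ip firewall nat
add chain=srcnat out-interface=wg0 action=masquerade comment="NAT for VPN-routed flows"

# --- "Before" form: the OP's content-style rule as a RAW rule with tls-host ---
# Cheaper than content= because it inspects only the TLS ClientHello, but the
# thread reports that matching against *youtube* became unreliable in May 2023.
/ip firewall raw
add chain=prerouting protocol=tcp dst-port=443 tls-host=*youtube* \
    action=add-dst-to-address-list address-list=VIA-VPN address-list-timeout=1d \
    comment="legacy: learn destinations by SNI; unreliable with TLS 1.3 clients"
```

Verify with `/ip firewall connection print where connection-mark=wg-conn` and `/ip route print where routing-table=via-wg`; if foreign destinations still leave via WAN1, check that the fasttrack rule is not matching them before the mangle marks are applied.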
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Suddenly firewall rule stopped adding IP addresses to a LIST

Tue May 30, 2023 11:55 am

The user already has one reply...

viewtopic.php?p=1004654#p1004689
Sorry, but now (from 8 May...) YouTube uses TLS 1.3..... and not only TCP....
All modern browsers and apps use TLS 1.3, so you are unable to mark the traffic.
You just noticed it now, and of course you have to blame RouterOS...

Only if you still use some old browser that doesn't support TLS 1.3, but at most 1.2, can it make that rule match.
The other domain, I don't know what it is, so I haven't checked it; if it still uses http you can still catch it,
but when that too switches to https, your rules won't be of any use.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Suddenly firewall rule stopped adding IP addresses to a LIST

Tue May 30, 2023 12:05 pm

 
sas2k
Frequent Visitor
Posts: 80
Joined: Tue Jan 18, 2022 8:17 am

Re: Suddenly firewall rule stopped adding IP addresses to a LIST

Tue May 30, 2023 12:54 pm

*accidental duplicate post*
Last edited by sas2k on Tue May 30, 2023 12:56 pm, edited 1 time in total.
 
sas2k
Frequent Visitor
Posts: 80
Joined: Tue Jan 18, 2022 8:17 am

Re: Suddenly firewall rule stopped adding IP addresses to a LIST

Tue May 30, 2023 12:55 pm

The user already has one reply...

viewtopic.php?p=1004654#p1004689
Sorry, but now (from 8 May...) YouTube uses TLS 1.3..... and not only TCP....
Indeed, I just checked: the TLS search for *youtube* works unstably now.
But the region IP list still works fine :)
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Suddenly firewall rule stopped adding IP addresses to a LIST

Tue May 30, 2023 1:44 pm

When the lists are updated...
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Suddenly firewall rule stopped adding IP addresses to a LIST

Tue May 30, 2023 10:38 pm

The first MT AI router, it clearly has a mind of its own, quite independent from the config of the admin..............
 
sas2k
Frequent Visitor
Posts: 80
Joined: Tue Jan 18, 2022 8:17 am

Re: Suddenly firewall rule stopped adding IP addresses to a LIST

Wed May 31, 2023 10:18 am

When the lists are updated...
Will you please advise how I can find updated lists?
Thank you in advance.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Suddenly firewall rule stopped adding IP addresses to a LIST

Wed May 31, 2023 10:26 am

When the lists are updated...
Will you please advise how I can find updated lists?
Thank you in advance.
Precisely...
The "Triple Vomit"™ symbol was precisely because certain means are ridiculous.
Knowing that you can't even have an updated list is a clear indication that the list should be avoided like the plague,
especially now that IPv4 is exhausted and there is a continuous exchange of IP blocks between countries;
you risk blocking a service that legitimately bought some IPs that perhaps were previously used in India or Russia, for example.
Or allowed IPs that were previously in your country are, for example, bought in some terrorist manner in another nation, and you allow those IPs because your list is old...
Setting these types of blocks will only slow down your router permanently, rather than just occasionally causing a problem.
The "drop all at the end that is not already allowed" rule makes the list completely useless, unless you want to professionally run, say, a web server.
But in a professional setting the list certainly is not downloaded like this from a little site found by chance on the internet...
 
sas2k
Frequent Visitor
Posts: 80
Joined: Tue Jan 18, 2022 8:17 am

Re: Suddenly firewall rule stopped adding IP addresses to a LIST

Wed May 31, 2023 10:53 am


The "drop all at the end that is not already allowed" rule makes the list completely useless
My only goal in using lists: to access local addresses directly + to access foreign addresses through the VPN.
(The local ISP blocks my access to foreign sites + local sites block foreign access, perhaps due to DDoS.)
I ain't gonna drop anything.
