Mikrotik: small utilities. Part 2

    This is the next batch of small features / implementations in RouterOS.


    Today I will talk about:
    1) How to close all sites except for one / several
    2) How to receive “human” notifications about VPN connections
    3) An important innovation in v6.36, after which you can forget about L7

    Interesting? Then read on.



    How to close all sites except one / several


    I must say right away that you need the L7 protocol matcher. It would seem there is nothing difficult about it: just apply an "everything except" rule.

    But no, that doesn't work. If you want, check it for yourself. What to do? One filter to allow the necessary resources and a second to ban everything else.
    The allowing L7 regexp has the form ^.+(some_site|another_site).*$
    The prohibiting one is harder. You can match everything with ^.+$, but I would advise matching the HTTP protocol by its request line, that is ^.+(HTTP\/[0-2]).+$
    Unfortunately, when added from the terminal, the required L7 filters end up with an empty regexp field, so use Winbox instead. For reference, the entries look like this:
    /ip firewall layer7-protocol add name=Allow regexp="^.+(какой-то_сайт|еще_какой-то_сайт).*$" 
    /ip firewall layer7-protocol add name=Deny regexp="^.+(HTTP\/[0-2]).+$" 
    

    Now add the filter rules themselves: two for "allow" and two for "deny", following the Mikrotik wiki.
    /ip firewall filter add chain=forward protocol=tcp out-interface=ваш_интерфейс layer7-protocol=Allow action=accept
    /ip firewall filter add chain=forward protocol=tcp in-interface=ваш_интерфейс layer7-protocol=Allow action=accept
    /ip firewall filter add chain=forward protocol=tcp out-interface=ваш_интерфейс layer7-protocol=Deny action=reject reject-with=tcp-reset
    /ip firewall filter add chain=forward protocol=tcp in-interface=ваш_интерфейс layer7-protocol=Deny action=reject reject-with=tcp-reset
    
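    To see why the allow rule has to come before the deny rule, here is an added example (not from the article) that approximates the L7 matcher with Python's re module and evaluates the two regexps above in the article's rule order against constructed connection payloads. Assumptions: the payload is treated as one case-insensitive string (so "." also spans line breaks), and mail.google.com / e.mail.ru stand in for the placeholder site names.

```python
import re

# Approximation of the RouterOS L7 matcher (added example, not from the article).
# Assumption: the first bytes of a connection are matched as one case-insensitive
# string, so '.' also crosses \r\n line breaks.
ALLOW_RE = re.compile(r"^.+(mail\.google\.com|e\.mail\.ru).*$", re.DOTALL | re.IGNORECASE)
DENY_RE = re.compile(r"^.+(HTTP\/[0-2]).+$", re.DOTALL | re.IGNORECASE)

# Filter rules in the order the article adds them: Allow (accept) first, then Deny (reject).
RULES = [("Allow", ALLOW_RE, "accept"), ("Deny", DENY_RE, "reject")]

def decide(payload: str) -> str:
    """Return the action of the first matching rule, or 'pass' when no L7 rule
    matches (the connection then falls through to the rest of the chain)."""
    for _name, regex, action in RULES:
        if regex.search(payload):
            return action
    return "pass"

# Constructed sample payloads (first bytes of a connection).
SAMPLES = {
    "http_allowed": "GET /mail/ HTTP/1.1\r\nHost: mail.google.com\r\n\r\n",
    "http_other": "GET / HTTP/1.1\r\nHost: example.org\r\n\r\n",
    "ssh_banner": "SSH-2.0-OpenSSH_8.9\r\n",
}

def run_samples() -> dict:
    """Evaluate every sample; the SSH banner shows the caveat that the Deny
    regexp only catches plaintext HTTP, so other protocols pass untouched."""
    return {name: decide(p) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, action in run_samples().items():
        print(f"{name}: {action}")
```

    Swapping the two rules makes the Deny regexp reject the allowed site as well, which is exactly why a single "everything except" rule cannot be expressed here.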

    A small clarification for those who need to allow only strictly defined sites: check what other resources the site pulls in. For example, it may load maps from another host. I use Opera for browsing, along with its built-in DevTools: the "Console" tab shows the loading errors.

    An important clarification: in version 6.36 and newer this can be implemented with the method from the third section of this article.


    How to receive human notifications about VPN connections


    Anyone who has dealt with Mikrotik notifications from the Logging section knows that they are poor and suit only very simple cases. I wanted the notifications to carry as much useful information as possible. It turned out to be quite simple to implement: the PPP profile needs connect/disconnect scripts. Below I give the On Up and On Down scripts, but first a few pitfalls:
    1) Both scripts have predefined variables available (such as $user, $"caller-id" and $"remote-address").
    2) Variables whose names contain a hyphen must be written in quotation marks, for example $"caller-id". Otherwise it does not work!
    3) Mikrotik sends e-mail as plain text, so no HTML tags; a hyperlink can only be inserted as an explicit URL.
    4) In the message body, \r\n is used to start a new line.
    5) At this stage (version 6.33.2) there are problems with message encoding in some mail clients and web interfaces.

    The script code is simplified as much as possible. For it to work out of the box, the Tools -> Email branch must already be configured.
    Script On Up
    :local email "ваш_адрес_почты"
    ##### Script body
    /tool e-mail send to=$email subject="Пользователь $user подключился к VPN"  body="Пользователь $user подключился по $[/ppp active get [/ppp active find where name=$user caller-id=$"caller-id" address=$"remote-address"] service] в $[/system clock get time].\r\nIP-адрес клиента - $"caller-id".\r\nИнфо об IP клиента - http://apps.db.ripe.net/search/query.html?searchtext=$"caller-id""
    

    (Screenshot in the original: what the connect notification looks like.)



    Script On Down
    :local email "ваш_адрес_почты"
    ##### Script body
    /tool e-mail send to=$email subject="Пользователь $user отключился от VPN"  body="Пользователь $user отключился в $[/system clock get time]."
    

    (Screenshot in the original: what the disconnect notification looks like.)



    If you use different profiles for different connections (which I highly recommend), then you can tailor the scripts to practically every client. It is convenient, for example, to add a time check so you don't get notified about scheduled VPN disconnections.


    Domain names in address lists


    And for dessert: starting with version v6.36, domain names can be added to address lists!
    *) firewall - allow to add domain name to address-lists (dynamic entries for resolved addresses will be added to specified list);

    If you are not yet jumping for joy like me, it is time to start. This feature lets you almost completely get away from the resource-hungry L7 matcher with its limitations.
    As an example, I am going to route different sites through different gateways. This is relevant given the realities in our country. We will route the web interfaces of the mail.google.com and e.mail.ru mail servers: Google mail via OVPN, Mail.ru via L2TP.
    /ip firewall address-list add list=ovpn address=mail.google.com
    /ip firewall address-list add list=l2tp address=e.mail.ru
    /ip firewall mangle add chain=prerouting protocol=tcp src-address=192.168.1.0/24 dst-address-list=ovpn action=mark-routing new-routing-mark=ovpn-route
    /ip firewall mangle add chain=prerouting protocol=tcp src-address=192.168.1.0/24 dst-address-list=l2tp action=mark-routing new-routing-mark=l2tp-route
    /ip route add dst-address=0.0.0.0/0 gateway=ovpn-out1 distance=1 routing-mark=ovpn-route
    /ip route add dst-address=0.0.0.0/0 gateway=l2tp-out1 distance=1 routing-mark=l2tp-route
    

    Thus, by adding the desired name to a particular list, we effectively determine which channel the connection will go through.
    Another example that will come in handy for many: send all TCP connections through the OVPN gateway, except rkn.gov.ru, which goes via the default gateway.
    /ip firewall address-list add list=RKN address=rkn.gov.ru
    /ip firewall mangle add chain=prerouting protocol=tcp src-address=192.168.1.0/24 dst-address-list=RKN action=accept
    /ip firewall mangle add chain=prerouting protocol=tcp src-address=192.168.1.0/24 dst-address=!192.168.0.0/16 action=mark-routing new-routing-mark=ovpn-route
    /ip route add dst-address=0.0.0.0/0 gateway=ovpn-out1 distance=1 routing-mark=ovpn-route
    
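    The two mangle examples above depend on rule order and on the src-address / dst-address matchers. Here is an added example (not from the article) that models the second example's prerouting chain in Python, using the ipaddress module, to show which routing mark a new connection gets. The resolved address for rkn.gov.ru is a constructed placeholder standing in for the dynamic entry RouterOS adds; the fasttracked flag models the Fasttrack caveat the article quotes below.

```python
import ipaddress

# Added example (not from the article): a small model of the prerouting mangle rules.
# Constructed placeholder standing in for the dynamic entry RouterOS resolves for rkn.gov.ru.
ADDRESS_LISTS = {"RKN": [ipaddress.ip_network("203.0.113.10/32")]}
LAN = ipaddress.ip_network("192.168.1.0/24")        # src-address in both mangle rules
LOCAL = ipaddress.ip_network("192.168.0.0/16")      # dst-address=!192.168.0.0/16

# Rules in the order the article adds them; order matters because 'accept' stops mangle.
MANGLE_RULES = [
    {"dst_list": "RKN", "action": "accept"},
    {"dst_not": LOCAL, "action": "mark-routing", "mark": "ovpn-route"},
]

def rule_matches(rule: dict, dst_ip) -> bool:
    """Evaluate the dst-address-list / negated dst-address matchers of one rule."""
    if "dst_list" in rule and not any(dst_ip in net for net in ADDRESS_LISTS[rule["dst_list"]]):
        return False
    if "dst_not" in rule and dst_ip in rule["dst_not"]:
        return False
    return True

def routing_mark(src: str, dst: str, fasttracked: bool = False):
    """Return the routing mark a new TCP connection gets, or None for the main table.

    fasttracked models the note quoted from the Fasttrack description: fasttracked
    packets bypass the firewall entirely, so no mangle rule ever marks them.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if fasttracked or src_ip not in LAN:
        return None
    for rule in MANGLE_RULES:
        if not rule_matches(rule, dst_ip):
            continue
        if rule["action"] == "accept":
            return None             # accept ends mangle processing: default gateway
        return rule["mark"]
    return None

if __name__ == "__main__":
    print(routing_mark("192.168.1.5", "203.0.113.10"))   # rkn.gov.ru placeholder -> None
    print(routing_mark("192.168.1.5", "198.51.100.7"))   # any other TCP destination -> ovpn-route
```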

    Important note: if you use Fasttrack, be sure to read its description in the wiki. Namely:
    Fasttracked packets bypass firewall, connection tracking, simple queues, queue tree with parent = global, ip traffic-flow (restriction removed in 6.33), ip accounting, ipsec, hotspot universal client, vrf assignment, so it is up to administrator to make sure fasttrack does not interfere with other configuration;

    This means that such connections do not pass through the firewall, mangle, queues, and so on.

