
Mikrotik: small utility. Part 2

This is the next batch of small features and how to implement them in RouterOS.


Today I will talk about:
1) How to close all sites except one / several
2) How to receive "human" notifications about VPN connections
3) An important new feature in v6.36 that lets you forget about L7 in most cases

Interested? Then read on.



How to close all sites except one / several


I'll say right away: you need Layer7 protocol matching. It might seem that there is nothing complicated here: just write an "everything except" rule.

But no, that does not work; check for yourself if you like. What to do instead? One L7 matcher to allow the needed resources and a second one to deny everything else.
The allowing L7 regexp has the form ^.+(some_site|another_some_site).*$ .
The denying one is harder. You could match absolutely everything with ^.+$ , but I advise matching only HTTP by its request line, i.e. ^.+(HTTP\/[0-2]).+$ . Keep in mind that this literal appears only in plaintext HTTP: a TLS (HTTPS) connection carries no such string, so the Deny matcher does not catch it and HTTPS traffic passes through unless you restrict it separately.
Unfortunately, when these L7 entries are added from the terminal they end up with an empty regexp field. Add them in Winbox instead.
/ip firewall layer7-protocol add name=Allow regexp="^.+(some_site|another_some_site).*$"
/ip firewall layer7-protocol add name=Deny regexp="^.+(HTTP\/[0-2]).+$"

Now add the filter rules themselves, two each for allow and deny, as the MikroTik wiki suggests (substitute your uplink interface name for _):
/ip firewall filter add chain=forward protocol=tcp out-interface=_ layer7-protocol=Allow action=accept
/ip firewall filter add chain=forward protocol=tcp in-interface=_ layer7-protocol=Allow action=accept
/ip firewall filter add chain=forward protocol=tcp out-interface=_ layer7-protocol=Deny action=reject reject-with=tcp-reset
/ip firewall filter add chain=forward protocol=tcp in-interface=_ layer7-protocol=Deny action=reject reject-with=tcp-reset

A small clarification for those who really need to allow only specific sites: check which other resources the site pulls in, for example embedded maps. I browse with Opera and use its built-in DevTools, the Console tab, to spot the requests that fail.

Important clarification: on version 6.36 and newer this can be done with the approach from item 3 of this article.


How to receive "human" notifications about VPN connections


Anyone who has dealt with MikroTik's notifications in the Logging section knows they are poor and suit only the simplest cases. I wanted notifications that carry as much useful information as possible. It turned out to be quite simple to implement: you need connect / disconnect scripts in the PPP profile. Below are the scripts for On Up and On Down, but first a few pitfalls:
1) Both scripts have predefined variables ($user, $"caller-id", $"remote-address" and so on); they are documented in the RouterOS wiki.
2) Variables with a hyphen in the name must be quoted, for example $"caller-id". Otherwise it does not work!
3) MikroTik sends e-mail as plain text, so no tags: insert a hyperlink only as an explicit URL.
4) In the message body, \r\n moves to the beginning of a new line.
5) At the time of writing (version 6.33.2) some e-mail clients and web interfaces have problems with the encoding of these messages.

The script code is simplified as far as possible. Tools -> Email must already be configured for this to work out of the box.
Script On Up
:local email "__"
/tool e-mail send to=$email subject="User $user connected to VPN" body="User $user connected via $[/ppp active get [/ppp active find where name=$user caller-id=$"caller-id" address=$"remote-address"] service] at $[/system clock get time].\r\nClient IP address - $"caller-id".\r\nInformation about the IP - http://apps.db.ripe.net/search/query.html?searchtext=$"caller-id""

[Screenshot: the resulting connect notification]



Script On Down
:local email "__"
/tool e-mail send to=$email subject="User $user disconnected from VPN" body="User $user disconnected at $[/system clock get time]."

[Screenshot: the resulting disconnect notification]



If you use separate profiles for different connections (which I strongly recommend), you can tailor the scripts to practically every client. It is convenient, for example, to add a time check so that you are not notified about planned VPN restarts.
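As an added example (my own script, not code from the original post), here is an On Up variant that applies both ideas above: it stays silent inside a planned restart window and flags logins whose source address is not on an allow-list, which is the check I would want from a "human" VPN notification. The allow-list name trusted-vpn-sources, the 03:00-03:30 window and the recipient "__" are assumptions; $user and $"caller-id" are the predefined PPP variables mentioned above.

```routeros
# Added example, not from the original post. Assumed: an address list "trusted-vpn-sources"
# holding the clients' usual public addresses, a planned restart window 03:00-03:30,
# and "__" standing in for the recipient address.
:local email "__"
:local src $"caller-id"
:local now [/system clock get time]
:local svc [/ppp active get [/ppp active find where name=$user caller-id=$src] service]

# 1. Planned restarts: log locally, send nothing.
:if ($now >= 03:00:00 && $now <= 03:30:00) do={
    :log info "VPN: $user reconnected from $src during the planned restart window, no e-mail"
} else={
    # 2. Exact match against the allow-list (subnet entries would need a different check).
    :local tag ""
    :if ([:len [/ip firewall address-list find where list=trusted-vpn-sources address=$src]] = 0) do={
        :set tag "[UNKNOWN SOURCE] "
        :log warning "VPN: $user connected from $src, which is not in trusted-vpn-sources"
    }
    /tool e-mail send to=$email subject=($tag . "User $user connected to VPN via $svc") body="User $user connected via $svc at $now.\r\nClient IP address - $src.\r\nInformation about the IP - http://apps.db.ripe.net/search/query.html?searchtext=$src"
}
```

Paste it into the profile's On Up field as with the original script. The log lines are deliberate: if the mail never arrives (encoding trouble, SMTP down), /log print still shows who connected from where.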


Domain Names in Address Lists


And for dessert: starting with version 6.36 you can add domain names to address lists! The changelog puts it briefly:
*) firewall - domain names can be added to address lists; the resolved addresses will be added to the specified list;

If you are not jumping for joy like me, it is time to get started. This feature lets you almost entirely avoid the resource-hungry L7 matcher with its limitations.
As an example, I'll take routing different sites through different gateways, which is topical given the realities of our country. We'll steer the web interfaces of two mail services: mail.google.com goes via OVPN and e.mail.ru via L2TP.
/ip firewall address-list add list=ovpn address=mail.google.com
/ip firewall address-list add list=l2tp address=e.mail.ru
/ip firewall mangle add chain=prerouting protocol=tcp src-address=192.168.1.0/24 dst-address-list=ovpn action=mark-routing new-routing-mark=ovpn-route
/ip firewall mangle add chain=prerouting protocol=tcp src-address=192.168.1.0/24 dst-address-list=l2tp action=mark-routing new-routing-mark=l2tp-route
/ip route add dst-address=0.0.0.0/0 gateway=ovpn-out1 distance=1 routing-mark=ovpn-route
/ip route add dst-address=0.0.0.0/0 gateway=l2tp-out1 distance=1 routing-mark=l2tp-route

Thus, by adding the desired name to a particular list, we effectively choose which channel it goes through. The router resolves the name with its own DNS settings and keeps the resolved addresses as dynamic list entries that are refreshed when the DNS record expires, so clients should use the router as their DNS server; otherwise a CDN-hosted name may resolve to different addresses for the client than for the router, and that traffic will miss the list.
Another example that many will find handy: send all TCP connections to the OVPN gateway, but rkn.gov.ru to the default gateway.
/ip firewall address-list add list=RKN address=rkn.gov.ru
/ip firewall mangle add chain=prerouting protocol=tcp src-address=192.168.1.0/24 dst-address-list=RKN action=accept
/ip firewall mangle add chain=prerouting protocol=tcp src-address=192.168.1.0/24 dst-address=!192.168.0.0/16 action=mark-routing new-routing-mark=ovpn-route
/ip route add dst-address=0.0.0.0/0 gateway=ovpn-out1 distance=1 routing-mark=ovpn-route

Important note: if you use Fasttrack, be sure to read its description in the MikroTik wiki, namely:
Fasttracked packets bypass firewall, connection tracking, simple queues, queue trees with parent=global, IP traffic-flow and IP accounting, so it is up to the administrator to make sure fasttrack does not interfere with other configuration;

In other words, packets of such connections never reach the firewall, mangle marking, queues and so on, so the routing marks above are not applied to them and the connection silently falls back to the main routing table.
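An added example (mine, not from the post or from MikroTik's documentation) of making the policy routing above coexist with Fasttrack: the connection is marked once on its first packet, every later packet from the LAN inherits the routing mark from the connection mark, and the Fasttrack rule is restricted to unmarked connections so that marked ones keep passing through mangle. The LAN range, the list and gateway names come from the post; the connection-mark name ovpn-conn and the rule order are assumptions.

```routeros
# Added example, not from the original post. Assumed names: connection mark "ovpn-conn";
# list "ovpn", routing mark "ovpn-route", gateway ovpn-out1 and LAN 192.168.1.0/24 are from the post.

# 1. Mark the connection once, on its first packet, when the destination is in the list.
/ip firewall mangle add chain=prerouting connection-state=new src-address=192.168.1.0/24 dst-address-list=ovpn action=mark-connection new-connection-mark=ovpn-conn passthrough=yes

# 2. Every LAN-originated packet of a marked connection gets the routing mark.
#    src-address stays here on purpose: replies coming back from the tunnel must not be
#    looked up in the ovpn-route table, whose only route is the default one.
/ip firewall mangle add chain=prerouting connection-mark=ovpn-conn src-address=192.168.1.0/24 action=mark-routing new-routing-mark=ovpn-route passthrough=no

# 3. Fasttrack only connections that carry no mark; marked ones keep traversing mangle.
#    Both rules must sit above any generic accept/drop rules in the forward chain.
/ip firewall filter add chain=forward connection-state=established,related connection-mark=no-mark action=fasttrack-connection
/ip firewall filter add chain=forward connection-state=established,related action=accept

# 4. The per-mark default route, as in the post.
/ip route add dst-address=0.0.0.0/0 gateway=ovpn-out1 distance=1 routing-mark=ovpn-route

# 5. Verification: marked connections appear here, and a fasttracked one would not.
/ip firewall connection print where connection-mark=ovpn-conn
```

The same pattern applies to the l2tp list and the RKN example: one connection mark per destination list, one mark-routing rule per connection mark, and a single Fasttrack rule that matches only connection-mark=no-mark.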



Source: https://habr.com/ru/post/271707/

